Merge branch 'main' into release-ga-managed-grafana

Author: v-alje

articles/active-directory/develop/active-directory-schema-extensions.md

@@ -59,10 +59,11 @@ For example, here is a claims-mapping policy to emit a single claim from a direc
 
 Where *xxxxxxx* is the appID (or Client ID) of the application that the extension was registered with.
 
+> [!WARNING]
+> When you define a claims mapping policy for a directory extension attribute, use the `ExtensionID` property instead of the `ID` property within the body of the `ClaimsSchema` array, as shown in the example above.
+
 > [!TIP]
 > Case consistency is important when setting directory extension attributes on objects. Extension attribute names aren't cases sensitive when being set up, but they are case sensitive when being read from the directory by the token service.  If an extension attribute is set on a user object with the name "LegacyId" and on another user object with the name "legacyid", when the attribute is mapped to a claim using the name "LegacyId" the data will be successfully retrieved and the claim included in the token for the first user but not the second.
->
-> The "Id" parameter in the claims schema used for built-in directory attributes is "ExtensionID" for directory extension attributes.
 
 ## Next steps
 - Learn how to [add custom or additional claims to the SAML 2.0 and JSON Web Tokens (JWT) tokens](active-directory-optional-claims.md).

articles/active-directory/develop/custom-rbac-for-developers.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity 
-ms.date: 06/16/2022
+ms.date: 08/19/2022
 ms.custom: template-concept
 ms.author: davidmu
 ms.reviewer: john.garland, maggie.marxen, ian.bennett, marsma
@@ -43,7 +43,9 @@ Developers have the flexibility to provide their own implementation for how role
 
 ### App roles
 
-Azure AD supports declaring app roles for an application. When a user signs into an application, Azure AD includes a [roles claim](./access-tokens.md#payload-claims) for each role that the user has been granted for that application. Applications receive the tokens that contain the role claims and then can use the information for permission assignments. The roles assigned to the user determine the level of access to resources and functionality.
+Azure AD allows you to [define app roles](./howto-add-app-roles-in-azure-ad-apps.md) for your application and assign those roles to users and other applications. The roles you assign to a user or application define their level of access to the resources and operations in your application.
+
+When Azure AD issues an access token for an authenticated user or application, it includes the names of the roles you've assigned the entity (the user or application) in the access token's [`roles`](./access-tokens.md#payload-claims) claim. An application like a web API that receives that access token in a request can then make authorization decisions based on the values in the `roles` claim.
 
 ### Groups
 
@@ -79,5 +81,5 @@ Although either app roles or groups can be used for authorization, key differenc
 
 ## Next steps
 
-- [How to add app roles to your application and receive them in the token](./howto-add-app-roles-in-azure-ad-apps.md).
-- [Azure Identity Management and access control security best practices](../../security/fundamentals/identity-management-best-practices.md).
+- [How to add app roles to your application and receive them in the token](./howto-add-app-roles-in-azure-ad-apps.md)
+- [Azure Identity Management and access control security best practices](../../security/fundamentals/identity-management-best-practices.md)

articles/active-directory/develop/multi-service-web-app-access-microsoft-graph-as-app.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: app-service-web
 ms.topic: tutorial
 ms.workload: identity
-ms.date: 04/25/2022
+ms.date: 08/19/2022
 ms.author: ryanwi
 ms.reviewer: stsoneff
 ms.devlang: csharp, javascript
@@ -90,7 +90,7 @@ webAppName="SecureWebApp-20201106120003"
 
 spId=$(az resource list -n $webAppName --query [*].identity.principalId --out tsv)
 
-graphResourceId=$(az ad sp list --display-name "Microsoft Graph" --query [0].objectId --out tsv)
+graphResourceId=$(az ad sp list --display-name "Microsoft Graph" --query [0].id --out tsv)
 
 appRoleId=$(az ad sp list --display-name "Microsoft Graph" --query "[0].appRoles[?value=='User.Read.All' && contains(allowedMemberTypes, 'Application')].id" --output tsv)
 

articles/active-directory/develop/reply-url.md

@@ -45,6 +45,8 @@ This table shows the maximum number of redirect URIs you can add to an app regis
 | Microsoft work or school accounts in any organization's Azure Active Directory (Azure AD) tenant | 256 | `signInAudience` field in the application manifest is set to either *AzureADMyOrg* or *AzureADMultipleOrgs* |
 | Personal Microsoft accounts and work and school accounts | 100 | `signInAudience` field in the application manifest is set to *AzureADandPersonalMicrosoftAccount* |
 
+The maximum number of redirect URIS can't be raised for [security reasons](#restrictions-on-wildcards-in-redirect-uris). If your scenario requires more redirect URIs than the maximum limit allowed, consider the following [state parameter approach](#use-a-state-parameter) as the solution.
+
 ## Maximum URI length
 
 You can use a maximum of 256 characters for each redirect URI you add to an app registration.

articles/active-directory/fundamentals/auth-header-based.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 10/10/2020
+ms.date: 08/19/2022
 ms.author: jricketts
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"

articles/active-directory/fundamentals/auth-kcd.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 10/10/2020
+ms.date: 08/19/2022
 ms.author: jricketts
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"
@@ -50,4 +50,4 @@ There is a need to provide remote access, protect with pre-authentication, and p
 
 * [Kerberos Constrained Delegation for single sign-on to your apps with Application Proxy](../app-proxy/application-proxy-configure-single-sign-on-with-kcd.md) 
 
-* [Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md)
+* [Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md)

articles/active-directory/fundamentals/auth-ldap.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 10/10/2020
+ms.date: 08/19/2022
 ms.author: jricketts
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"

articles/active-directory/fundamentals/auth-oauth2.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 10/10/2020
+ms.date: 08/19/2022
 ms.author: jricketts
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"

articles/active-directory/fundamentals/auth-oidc.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 10/10/2020
+ms.date: 08/19/2022
 ms.author: jricketts
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"

articles/active-directory/fundamentals/auth-password-based-sso.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 10/10/2020
+ms.date: 08/19/2022
 ms.author: jricketts
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"
@@ -45,4 +45,4 @@ You need to protect with pre-authentication and provide SSO through password vau
 
 * [Configure password based SSO for cloud applications ](../manage-apps/configure-password-single-sign-on-non-gallery-applications.md)
 
-* [Configure password-based SSO for on-premises applications with Application Proxy](../app-proxy/application-proxy-configure-single-sign-on-password-vaulting.md)
+* [Configure password-based SSO for on-premises applications with Application Proxy](../app-proxy/application-proxy-configure-single-sign-on-password-vaulting.md)