Merge branch 'MicrosoftDocs:main' into docs-editor/defender-for-storage-test-1693904391

Author: LiorTsalovich1

articles/active-directory/develop/includes/web-app-client-credentials.md

@@ -72,4 +72,8 @@ Instead of a client secret, you can provide a client certificate. The following
 }
 ```
 
-*Microsoft.Identity.Web* provides several ways to describe certificates, both by configuration or by code. For details, see [Microsoft.Identity.Web - Using certificates](https://github.com/AzureAD/microsoft-identity-web/wiki/Using-certificates) on GitHub.
+> [!WARNING]
+>
+> If you forget to change the `Scopes` to an array, when you try to use the `IDownstreamApi` the scopes will appear null, and `IDownstreamApi` will attempt an anonymous (unauthenticated) call to the downstream API, which will result in a `401/unauthenticated`.
+
+*Microsoft.Identity.Web* provides several ways to describe certificates, both by configuration or by code. For details, see [Microsoft.Identity.Web - Using certificates](https://github.com/AzureAD/microsoft-identity-web/wiki/Using-certificates) on GitHub.

articles/active-directory/develop/saml-claims-customization.md

@@ -210,10 +210,14 @@ When the following conditions occur after **Add** or **Run test** is selected, a
 
 ## Add the UPN claim to SAML tokens
 
-The `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` claim is part of the [SAML restricted claim set](reference-claims-mapping-policy-type.md), so you can't add it in the **Attributes & Claims** section. As a workaround, you can add it as an [optional claim](./optional-claims.md) through **App registrations** in the Azure portal.  
+The `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` claim is part of the [SAML restricted claim set](reference-claims-mapping-policy-type.md#saml-restricted-claim-set). If you have custom signing key configured, you can add it in the **Attributes & Claims** section.  
 
+In case there is no custom signing key configured, please refer to [SAML Restricted claim set](reference-claims-mapping-policy-type.md#saml-restricted-claim-set). You can add it as an [optional claim](./optional-claims.md) through **App registrations** in the Azure portal.
+ 
 Open the application in **App registrations**, select **Token configuration**, and then select **Add optional claim**. Select the **SAML** token type, choose **upn** from the list, and then click **Add** to add the claim to the token.
 
+Customization done in the **Attributes & Claims** section can overwrite the optional claims in the **App Registration**.
+
 ## Emit claims based on conditions
 
 You can specify the source of a claim based on user type and the group to which the user belongs.

articles/active-directory/external-identities/customers/media/how-to-define-custom-attributes/page-layouts.png

@@ -26,18 +26,17 @@ In this article, you learn how to prevent users from signing in to an applicatio
 
 To disable user sign-in, you need:
 
-- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- One of the following roles: An administrator, or owner of the service principal.
+- An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
 
 ## Disable user sign-in
 
 [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
 
 :::zone pivot="portal"
 
-1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator for your directory.
-1. Search for and select **Azure Active Directory**.
-1. Select **Enterprise applications**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**.
 1. Search for the application you want to disable a user from signing in, and select the application.
 1. Select **Properties**.
 1. Select **No** for **Enabled for users to sign-in?**.
@@ -49,11 +48,11 @@ To disable user sign-in, you need:
 
 You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being preauthorized by Microsoft. You can manually create the service principal for the app and then disable it by using the following Microsoft Graph PowerShell cmdlet.
 
-Ensure you've installed the AzureAD module (use the command `Install-Module -Name AzureAD`). In case you're prompted to install a NuGet module or the new Azure AD V2 PowerShell module, type Y and press ENTER.
+Ensure you've installed the AzureAD module (use the command `Install-Module -Name AzureAD`). In case you're prompted to install a NuGet module or the new Azure AD V2 PowerShell module, type Y and press ENTER. You need to sign in as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 
 ```PowerShell
 # Connect to Azure AD PowerShell
-Connect-AzureAD -Scopes "Application.ReadWrite.All"
+Connect-AzureAD -Scopes
 
 # The AppId of the app to be disabled
 $appId = "{AppId}"
@@ -74,7 +73,7 @@ if ($servicePrincipal) {
 
 You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being preauthorized by Microsoft. You can manually create the service principal for the app and then disable it by using the following Microsoft Graph PowerShell cmdlet.
 
-Ensure you've installed the Microsoft Graph module (use the command `Install-Module Microsoft.Graph`).
+Ensure you've installed the Microsoft Graph module (use the command `Install-Module Microsoft.Graph`). You need to sign in as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 
 ```powershell
 # Connect to Microsoft Graph PowerShell
@@ -98,7 +97,7 @@ else {  $servicePrincipal = New-MgServicePrincipal -AppId $appId –AccountEnabl
 
 You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being preauthorized by Microsoft. You can manually create the service principal for the app and then disable it by using the following Microsoft Graph PowerShell cmdlet.
 
-To disable sign-in to an application, sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) with one of the roles listed in the prerequisite section.
+To disable sign-in to an application, sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 
 You need to consent to the `Application.ReadWrite.All` permission.
 

articles/active-directory/manage-apps/disable-user-sign-in-portal.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: how-to
-ms.date: 03/28/2023
+ms.date: 09/04/2023
 ms.author: jawoods
 ms.reviewer: phsignor
 zone_pivot_groups: enterprise-apps-all
@@ -41,34 +41,25 @@ Please see [Restore permissions granted to applications](restore-permissions.md)
 
 [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
 
-You can access the Azure portal to view the permissions granted to an app. You can revoke permissions granted by admins for your entire organization, and you can get contextual PowerShell scripts to perform other actions.
+You can access the Microsoft Entra admin center to view the permissions granted to an app. You can revoke permissions granted by admins for your entire organization, and you can get contextual PowerShell scripts to perform other actions.
 
-To revoke an application's permissions that have been granted for the entire organization:
+To review an application's permissions that have been granted for the entire organization or to a specific user or group:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) using one of the roles listed in the prerequisites section.
-1. Select **Azure Active Directory**, and then select **Enterprise applications**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**.
 1. Select the application that you want to restrict access to.
 1. Select **Permissions**. 
-1. The permissions listed in the **Admin consent** tab apply to your entire organization. Choose the permission you would like to remove, select the **...** control for that permission, and then choose **Revoke permission**.
-
-To review an application's permissions:
-
-1. Sign in to the [Azure portal](https://portal.azure.com) using one of the roles listed in the prerequisites section.
-1. Select **Azure Active Directory**, and then select **Enterprise applications**.
-1. Select the application that you want to restrict access to.
-1. Select **Permissions**. In the command bar, select **Review permissions**.
-![Screenshot of the review permissions window.](./media/manage-application-permissions/review-permissions.png)
-1. Give a reason for why you want to review permissions for the application by selecting any of the options listed after the question, **Why do you want to review permissions for this application?**
-
-Each option generates PowerShell scripts that enable you to control user access to the application and to review permissions granted to the application. For information about how to control user access to an application, see [How to remove a user's access to an application](methods-for-removing-user-access.md)
+1. To view permissions that apply to your entire organization, select the **Admin consent** tab. To view permissions granted to a specific user or group, select the **User consent** tab.
+1. To view the details of a given permission, select the permission from the list. The **Permission Details** pane opens. 
+1. To revoke a given permission, choose the permission you would like to revoke, select the **...** control for that permission, and then choose **Revoke permission**.
 
 :::zone-end
 
 :::zone pivot="aad-powershell"
 
 ## Review and revoke permissions
 
-Use the following Azure AD PowerShell script to revoke all permissions granted to an application.
+Use the following Azure AD PowerShell script to revoke all permissions granted to an application. You need to sign in as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 
 ```powershell
 Connect-AzureAD 
@@ -117,7 +108,7 @@ $assignments | ForEach-Object {
 
 ## Review and revoke permissions
 
-Use the following Microsoft Graph PowerShell script to revoke all permissions granted to an application.
+Use the following Microsoft Graph PowerShell script to revoke all permissions granted to an application. You need to sign in as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 
 ```powershell
 Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
@@ -171,7 +162,7 @@ $spApplicationPermissions = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrin
 
 ## Review and revoke permissions
 
-To review permissions, Sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) with one of the roles listed in the prerequisite section.
+To review permissions, Sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 
 You need to consent to the following permissions: 
 

articles/active-directory/manage-apps/manage-application-permissions.md

@@ -25,17 +25,16 @@ In this article, you learn how to review and take action on admin consent reques
 To review and take action on admin consent requests, you need:
 
 - An Azure account. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- A designated reviewer with the appropriate role to [review admin consent requests](grant-admin-consent.md#prerequisites).
+- A Global Administrator or a designated reviewer with the appropriate role to [review admin consent requests](grant-admin-consent.md#prerequisites).
 
 ## Review and take action on admin consent requests
 
 [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
 
 To review the admin consent requests and take action:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) as one of the registered reviewers of the admin consent workflow.
-1. Search for and select **Azure Active Directory**.
-1. From the navigation menu, select **Enterprise applications**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator) who is a designated reviewer.
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
 1. Under **Activity**, select **Admin consent requests**.
 1. Select **My Pending** tab to view and act on the pending requests. 
 1. Select the application that is being requested from the list.

articles/active-directory/manage-apps/review-admin-consent-requests.md

@@ -1,7 +1,7 @@
 ---
 title: "What's new in Azure Active Directory application management"
 description: "New and updated documentation for the Azure Active Directory application management."
-ms.date: 08/01/2023
+ms.date: 09/04/2023
 ms.service: active-directory
 ms.subservice: app-mgmt
 ms.topic: reference
@@ -15,6 +15,18 @@ manager: CelesteDG
 
 Welcome to what's new in Azure Active Directory (Azure AD) application management documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the application management service, see [What's new in Azure AD](../fundamentals/whats-new.md).
 
+## August 2023
+### New articles
+
+- [Manage app consent policies for group owners](manage-group-owner-consent-policies.md) - New how-to guide on how to manage group owner consent policies.
+
+### Updated articles
+
+- [Properties of an enterprise application](application-properties.md) - Updates on the user requirement property
+- [Configure group and team owner consent to applications](configure-user-consent-groups.md) - Updates to examples for configuring group and team owner consent
+- [Configure how users consent to applications](configure-user-consent.md) - Updates to examples for configuring user consent
+- [Manage app consent policies](manage-app-consent-policies.md) - Updates to examples for managing app consent policies
+- [Review the application activity report](migrate-adfs-application-activity.md) - Updates to stale local links
 ## July 2023
 
 ### New articles
@@ -49,26 +61,3 @@ The following PowerShell sample was added:
 - [Configure Datawiza for Azure AD Multi-Factor Authentication and single sign-on to Oracle EBS](datawiza-sso-mfa-oracle-ebs.md)
 - [Tutorial: Configure F5 BIG-IP Access Policy Manager for Kerberos authentication](f5-big-ip-kerberos-advanced.md)
 - [Tutorial: Configure F5 BIG-IP Easy Button for Kerberos single sign-on](f5-big-ip-kerberos-easy-button.md)
-## May 2023
-
-### New articles
-
-- [Phase 2: Classify apps and plan pilot](migrate-adfs-classify-apps-plan-pilot.md)
-- [Phase 1: Discover and scope apps](migrate-adfs-discover-scope-apps.md)
-- [Phase 4: Plan management and insights](migrate-adfs-plan-management-insights.md)
-- [Phase 3: Plan migration and testing](migrate-adfs-plan-migration-test.md)
-- [Represent AD FS security policies in Azure Active Directory: Mappings and examples](migrate-adfs-represent-security-policies.md)
-- [SAML-based single sign-on: Configuration and Limitations](migrate-adfs-saml-based-sso.md)
-
-### Updated articles
-
-- [Tutorial: Migrate Okta sync provisioning to Azure AD Connect synchronization](migrate-okta-sync-provisioning.md)
-- [Application management videos](app-management-videos.md)
-- [Understand the stages of migrating application authentication from AD FS to Azure AD](./migrate-adfs-apps-stages.md)
-- [Plan application migration to Azure Active Directory](./migrate-adfs-apps-phases-overview.md)
-- [Tutorial: Migrate Okta sync provisioning to Azure AD Connect-based synchronization](./migrate-okta-sync-provisioning.md)
-- [Tutorial: Configure F5 BIG-IP Easy Button for SSO to Oracle JDE](f5-big-ip-oracle-jde-easy-button.md)
-- [Tutorial: Configure F5 BIG-IP Easy Button for SSO to Oracle PeopleSoft](f5-big-ip-oracle-peoplesoft-easy-button.md)
-- [Tutorial: Configure Cloudflare with Azure Active Directory for secure hybrid access](./cloudflare-integration.md)
-- [Tutorial: Configure F5 BIG-IP Easy Button for SSO to SAP ERP](f5-big-ip-sap-erp-easy-button.md)
-- [Tutorial: Migrate Okta federation to Azure Active Directory-managed authentication](migrate-okta-federation.md)