Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into 1597213-Part1

Author: damabe

articles/active-directory-b2c/active-directory-b2c-apps.md

@@ -128,12 +128,12 @@ This chained web API scenario can be supported by using the OAuth 2.0 JWT bearer
 
 Do not edit Azure AD B2C applications in these ways:
 
-- On other application management portals such as the [Application Registration Portal](https://apps.dev.microsoft.com/).
+- On other application management portals such as the [Application Registration Portal](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade).
 - Using Graph API or PowerShell.
 
 If you edit the Azure AD B2C application outside of the Azure portal, it becomes a faulted application and is no longer usable with Azure AD B2C. Delete the application and create it again.
 
-To delete the application, go to the [Application Registration Portal](https://apps.dev.microsoft.com/) and delete the application there. In order for the application to be visible, you need to be the owner of the application (and not just an admin of the tenant).
+To delete the application, go to the [Application Registration Portal](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) and delete the application there. In order for the application to be visible, you need to be the owner of the application (and not just an admin of the tenant).
 
 ## Next steps
 

articles/active-directory-b2c/active-directory-b2c-overview-custom.md

@@ -51,7 +51,7 @@ The customer identity and access management (CIAM) service in Azure includes:
 
 Azure AD B2C interacts with identity providers, users, other systems, and with the local user directory in sequence to achieve an identity task. For example, sign in a user, register a new user, or reset a password. The Identity Experience Framework and a policy (also called a user journey or a trust framework policy) establishes multi-party trust and explicitly defines the actors, the actions, the protocols, and the sequence of steps to complete.
 
-The Identity Experience Framework is a fully configurable, policy-driven, cloud-based Azure platform that orchestrates trust between entities in standard protocol formats such as OpenID Connect, OAuth, SAML, WSFed, and a few non-standard ones, for example REST API-based system-to-system claims exchanges. The framework creates user-friendly, white-labeled experiences that support HTML and CSS.
+The Identity Experience Framework is a fully configurable, policy-driven, cloud-based Azure platform that orchestrates trust between entities in standard protocol formats such as OpenID Connect, OAuth, SAML, and a few non-standard ones, for example REST API-based system-to-system claims exchanges. The framework creates user-friendly, white-labeled experiences that support HTML and CSS.
 
 A custom policy is represented as one or several XML-formatted files that refer to each other in a hierarchical chain. The XML elements define the claims schema, claims transformations, content definitions, claims providers, technical profiles, and user journey orchestration steps, among other elements. A custom policy is accessible as one or several XML files that are executed by the Identity Experience Framework when invoked by a relying party. Developers configuring custom policies must define the trusted relationships in careful detail to include metadata endpoints, exact claims exchange definitions, and configure secrets, keys, and certificates as needed by each identity provider.
 

articles/active-directory-b2c/active-directory-b2c-reference-audit-logs.md

@@ -16,95 +16,124 @@ ms.custom: fasttrack-edit
 
 # Accessing Azure AD B2C audit logs
 
-Azure Active Directory B2C (Azure AD B2C) emits audit logs containing activity information about B2C resources, issued tokens, and administrator access. This article provides a brief overview of the information available through audit logs and instructions on how to access this data for your Azure AD B2C tenant.
+Azure Active Directory B2C (Azure AD B2C) emits audit logs containing activity information about B2C resources, tokens issued, and administrator access. This article provides a brief overview of the information available in audit logs and instructions on how to access this data for your Azure AD B2C tenant.
 
-> [!IMPORTANT]
-> Audit logs are only retained for seven days. Plan to download and store your logs using one of the methods shown below if you require a longer retention period.
+Audit log events are only retained for **seven days**. Plan to download and store your logs using one of the methods shown below if you require a longer retention period.
 
 > [!NOTE]
-> You cannot see user sign-ins for individual Azure AD B2C applications under the **Users** section of the **Azure Active Directory** or **Azure AD B2C** blades. The sign-ins there will show user activity, but cannot be correlated back to the B2C application that the user signed in to. You must use the audit logs for that, as explained further in this article.
+> You can't see user sign-ins for individual Azure AD B2C applications under the **Users** section of the **Azure Active Directory** or **Azure AD B2C** pages in the Azure portal. The sign-in events there show user activity, but can't be correlated back to the B2C application that the user signed in to. You must use the audit logs for that, as explained further in this article.
 
 ## Overview of activities available in the B2C category of audit logs
 
 The **B2C** category in audit logs contains the following types of activities:
 
 |Activity type |Description  |
 |---------|---------|
-|Authorization |Activities concerning the authorization of a user to access B2C resources (for example, an administrator accessing a list of B2C policies)         |
-|Directory |Activities related to directory attributes retrieved when an administrator signs in using the Azure portal |
-|Application | CRUD operations on B2C applications |
-|Key |CRUD operations on keys stored in B2C key container |
-|Resource |CRUD operations on B2C resources (for example, policies and identity providers)
-|Authentication |Validation of user credentials and token issuance|
+|Authorization |Activities concerning the authorization of a user to access B2C resources (for example, an administrator accessing a list of B2C policies).         |
+|Directory |Activities related to directory attributes retrieved when an administrator signs in using the Azure portal. |
+|Application | Create, read, update, and delete (CRUD) operations on B2C applications. |
+|Key |CRUD operations on keys stored in a B2C key container. |
+|Resource |CRUD operations on B2C resources. For example, policies and identity providers.
+|Authentication |Validation of user credentials and token issuance.|
 
-> [!NOTE]
-> For user object CRUD activities, refer to the **Core Directory** category.
+For user object CRUD activities, refer to the **Core Directory** category.
 
 ## Example activity
 
-The example below shows the data captured when a user signs in with an external identity provider:
-    ![Example of Audit Log Activity Details page in Azure portal](./media/active-directory-b2c-reference-audit-logs/audit-logs-example.png)
+This example image from the Azure portal shows the data captured when a user signs in with an external identity provider, in this case, Facebook:
+
+![Example of Audit Log Activity Details page in Azure portal](./media/active-directory-b2c-reference-audit-logs/audit-logs-example.png)
 
 The activity details panel contains the following relevant information:
 
 |Section|Field|Description|
 |-------|-----|-----------|
-| Activity | Name | Which activity took place. For example, "Issue an id_token to the application" (which concludes the actual user sign-in). |
-| Initiated By (Actor) | ObjectId | The **Object ID** of the B2C application that the user is signing in to (this identifier is not visible in the Azure portal but it's accessible via the Graph API for example). |
+| Activity | Name | Which activity took place. For example, *Issue an id_token to the application*, which concludes the actual user sign-in. |
+| Initiated By (Actor) | ObjectId | The **Object ID** of the B2C application that the user is signing in to. This identifier is not visible in the Azure portal, but is accessible via the Microsoft Graph API. |
 | Initiated By (Actor) | Spn | The **Application ID** of the B2C application that the user is signing in to. |
 | Target(s) | ObjectId | The **Object ID** of the user that is signing in. |
 | Additional Details | TenantId | The **Tenant ID** of the Azure AD B2C tenant. |
 | Additional Details | PolicyId | The **Policy ID** of the user flow (policy) being used to sign the user in. |
 | Additional Details | ApplicationId | The **Application ID** of the B2C application that the user is signing in to. |
 
-## Accessing audit logs through the Azure portal
+## View audit logs in the Azure portal
 
-1. Go to the [Azure portal](https://portal.azure.com). Make sure you are in your B2C directory.
-2. Click on **Azure Active Directory** in the favorites bar on the left
+The Azure portal provides access to the audit log events in your Azure AD B2C tenant.
 
-    ![Azure Active Directory button highlighted in left-hand portal menu](./media/active-directory-b2c-reference-audit-logs/audit-logs-portal-aad.png)
+1. Sign in to the [Azure portal](https://portal.azure.com)
+1. Switch to the directory that contains your Azure AD B2C tenant, and then browse to **Azure AD B2C**.
+1. Under **Activities** in the left menu, select **Audit logs**.
 
-1. Under **Activity**, click on **Audit Logs**
+A list of activity events logged over the last seven days is displayed.
 
-    ![Audit Logs button highlighted in Activity section of menu](./media/active-directory-b2c-reference-audit-logs/audit-logs-portal-section.png)
+![Example filter with two activity events in Azure portal](media/active-directory-b2c-reference-audit-logs/audit-logs-example-filter.png)
 
-2. In the **Category** dropbox, select **B2C**
-3. Click on **Apply**
+Several filtering options are available, including:
 
-    ![Category and Apply button highlighted in Audit Log filter](./media/active-directory-b2c-reference-audit-logs/audit-logs-portal-category.png)
+* **Activity Resource Type** - Filter by the activity types shown in the table in the [Overview of activities available](#overview-of-activities-available-in-the-b2c-category-of-audit-logs) section.
+* **Date** - Filter the date range of the activities shown.
 
-You will see a list of activities logged over the last seven days.
+If you select a row in the list, the activity details for the event are displayed.
 
-- Use the **Activity Resource Type** dropdown to filter by the activity types outlined above
-- Use the **Date Range** dropdown to filter the date range of the activities shown
-- If you click on a specific row in the list, a contextual box on the right will show you additional attributes associated with the activity
-- Click on **Download** to download the activities as a csv file
+To download the list of activity events in a comma-separated values (CSV) file, select **Download**.
 
-> [!NOTE]
-> You can also see the audit logs by navigating to **Azure AD B2C** rather than **Azure Active Directory** in the favorites bar on the left. Under **Activities**, click on **Audit logs**, where you will find the same logs with similar filtering capabilities.
-
-## Accessing audit logs through the Azure AD reporting API
+## Get audit logs with the Azure AD reporting API
 
 Audit logs are published to the same pipeline as other activities for Azure Active Directory, so they can be accessed through the [Azure Active Directory reporting API](https://docs.microsoft.com/graph/api/directoryaudit-list). For more information, see [Get started with the Azure Active Directory reporting API](../active-directory/reports-monitoring/concept-reporting-api.md).
 
-### Prerequisites
+### Enable reporting API access
+
+To allow script- or application-based access to the Azure AD reporting API, you need an Azure Active Directory application registered in your Azure AD B2C tenant with the following API permissions:
+
+* Microsoft Graph
+  * Application: Read all audit log data
+
+You can enable these permissions on an existing Azure Active Directory application registration within your B2C tenant, or create a new one specifically for use with audit log automation.
+
+To create a new application, assign the required API permissions, and create a client secret, perform the following steps:
+
+1. Register application in Azure Active Directory
+    1. Sign in to the [Azure portal](https://portal.azure.com) and switch to the directory that contains your Azure AD B2C tenant.
+    1. Select **Azure Active Directory** (*not* Azure AD B2C) from the left menu. Or, select **All services**, then search for and select **Azure Active Directory**.
+    1. Under **Manage** in the left menu, select **App registrations (Legacy)**.
+    1. Select **New application registration**
+    1. Enter a name for the application. For example, *Audit Log App*.
+    1. Enter any valid URL in **Sign-on URL**. For example, *https://localhost*. This endpoint does not need to be reachable, but needs to be a valid URL.
+    1. Select **Create**.
+    1. Record the **Application ID** that appears on the **Registered app** page. You need this value for authentication in automation scripts like the example PowerShell script shown in a later section.
+1. Assign API access permissions
+    1. On the **Registered app** overview page, select **Settings**.
+    1. Under **API ACCESS**, select **Required permissions**.
+    1. Select **Add**, and then **Select an API**.
+    1. Select **Microsoft Graph**, and then **Select**.
+    1. Under **APPLICATION PERMISSIONS**, select **Read all audit log data**.
+    1. Select the **Select** button, and then select **Done**.
+    1. Select **Grant permissions**, and then select **Yes**.
+1. Create client secret
+    1. Under **API ACCESS**, select **Keys**.
+    1. Enter a description for the key in the **Key description** box. For example, *Audit Log Key*.
+    1. Select a validity **Duration**, then select **Save**.
+    1. Record the key's **VALUE**. You need this value for authentication in automation scripts like the example PowerShell script shown in a later section.
 
-To authenticate to the Azure AD reporting API you first need to register an application. Make sure to follow the steps in [Prerequisites to access the Azure AD reporting APIs](https://azure.microsoft.com/documentation/articles/active-directory-reporting-api-getting-started/).
+You now have an application with the required API access, an application ID, and a key that you can use in your automation scripts. See the PowerShell script section later in this article for an example of how you can get activity events with a script.
 
-### Accessing the API
+### Access the API
 
-To download the Azure AD B2C audit logs via the API, you'll want to filter the logs to the **B2C** category. To filter by category, use the query string parameter when calling the Azure AD reporting API endpoint, as shown below:
+To download Azure AD B2C audit log events via the API, filter the logs on the `B2C` category. To filter by category, use the `filter` query string parameter when you call the Azure AD reporting API endpoint.
 
 ```HTTP
-https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?filter=loggedByService eq 'B2C' and activityDateTime gt 2019-09-10T02:28:17Z
+https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=loggedByService eq 'B2C' and activityDateTime gt 2019-09-10T02:28:17Z
 ```
 
 ### PowerShell script
 
-The following script provides an example of using PowerShell to query the Azure AD reporting API and outputting the results to a JSON file:
+The following PowerShell script shows an example of how to query the Azure AD reporting API. After querying the API, it prints the logged events to standard output, then writes the JSON output to a file.
+
+You can try this script in the [Azure Cloud Shell](../cloud-shell/overview.md). Be sure to update it with your application ID, key, and the name of your Azure AD B2C tenant.
 
 ```powershell
-# This script requires the registration of a Web Application in Azure Active Directory (see https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-reporting-api)
+# This script requires the registration of a Web Application in Azure Active Directory:
+# https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-reporting-api
 
 # Constants
 $ClientID       = "your-client-application-id-here"       # Insert your application's Client ID, a GUID (registered by Global Admin)
@@ -144,3 +173,72 @@ if ($oauth.access_token -ne $null) {
     Write-Host "ERROR: No Access Token"
 }
 ```
+
+Here's the JSON representation of the example activity event shown earlier in the article:
+
+```JSON
+{
+    "id": "B2C_DQO3J_4984536",
+    "category": "Authentication",
+    "correlationId": "00000000-0000-0000-0000-000000000000",
+    "result": "success",
+    "resultReason": "N/A",
+    "activityDisplayName": "Issue an id_token to the application",
+    "activityDateTime": "2019-09-14T18:13:17.0618117Z",
+    "loggedByService": "B2C",
+    "operationType": "",
+    "initiatedBy": {
+        "user": null,
+        "app": {
+            "appId": "00000000-0000-0000-0000-000000000000",
+            "displayName": null,
+            "servicePrincipalId": null,
+            "servicePrincipalName": "00000000-0000-0000-0000-000000000000"
+        }
+    },
+    "targetResources": [
+        {
+            "id": "00000000-0000-0000-0000-000000000000",
+            "displayName": null,
+            "type": "User",
+            "userPrincipalName": null,
+            "groupType": null,
+            "modifiedProperties": []
+        }
+    ],
+    "additionalDetails": [
+        {
+            "key": "TenantId",
+            "value": "test.onmicrosoft.com"
+        },
+        {
+            "key": "PolicyId",
+            "value": "B2C_1A_signup_signin"
+        },
+        {
+            "key": "ApplicationId",
+            "value": "00000000-0000-0000-0000-000000000000"
+        },
+        {
+            "key": "Client",
+            "value": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
+        },
+        {
+            "key": "IdentityProviderName",
+            "value": "facebook"
+        },
+        {
+            "key": "IdentityProviderApplicationId",
+            "value": "0000000000000000"
+        },
+        {
+            "key": "ClientIpAddress",
+            "value": "127.0.0.1"
+        }
+    ]
+}
+```
+
+## Next steps
+
+You can automate other administration tasks, for example, [manage users with .NET](active-directory-b2c-devquickstarts-graph-dotnet.md).

articles/active-directory-b2c/claimsschema.md

@@ -67,7 +67,7 @@ The **Protocol** element contains the following attributes:
 
 | Attribute | Required | Description |
 | --------- | -------- | ----------- |
-| Name | Yes | The name of a valid protocol supported by Azure AD B2C. Possible values are:  OAuth1, OAuth2, SAML2, OpenIdConnect, WsFed, or WsTrust. |
+| Name | Yes | The name of a valid protocol supported by Azure AD B2C. Possible values are:  OAuth1, OAuth2, SAML2, OpenIdConnect. |
 | PartnerClaimType | Yes | The claim type name to be used. |
 
 In the following example, when the Identity Experience Framework interacts with a SAML2 identity provider or relying party application, the **surname** claim is mapped to `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`, with OpenIdConnect and OAuth2, the claim is mapped to `family_name`.

articles/active-directory-b2c/media/active-directory-b2c-reference-audit-logs/audit-logs-example-filter.png

@@ -33,7 +33,6 @@ A technical profile enables these types of scenarios:
 - [RESTful provider](restful-technical-profile.md) - Call to REST API services, such as validate user input, enrich user data, or integrate with line-of-business applications.
 - [SAML2](saml-technical-profile.md) - Federation with any SAML protocol identity provider.
 - [Self-Asserted](self-asserted-technical-profile.md) - Interact with the user. For example, collect the user's credential to sign in, render the sign-up page, or password reset.
-- **WsFed** - Federation with any WsFed protocol identity provider.
 - [Session management](active-directory-b2c-reference-sso-custom.md) - Handle different types of sessions.
 - **Application insights**