Merge pull request #249835 from MicrosoftDocs/main

8/30/2023 AM Publish

Author: Taojunshen

.openpublishing.publish.config.json

@@ -1091,6 +1091,7 @@
   "articles/azure-video-indexer/.openpublishing.redirection.azure-video-indexer.json",
   "articles/cloud-shell/.openpublishing.redirection.cloud-shell.json",
   "articles/communication-services/.openpublishing.redirection.communication-services.json",
+  "articles/communications-gateway/.openpublishing.redirection.communications-gateway.json",
   "articles/confidential-computing/.openpublishing.redirection.json",
   "articles/container-apps/.openpublishing.redirection.container-apps.json",
   "articles/cosmos-db/.openpublishing.redirection.cosmos-db.json",

.openpublishing.redirection.json

@@ -23792,11 +23792,6 @@
             "redirect_url": "/azure/private-5g-core/monitor-private-5g-core-with-platform-metrics",
             "redirect_document_id": false
         },
-        {
-            "source_path": "articles/communications-gateway/rotate-secrets.md",
-            "redirect_URL": "/azure/communications-gateway/whats-new",
-            "redirect_document_id": false
-        },
         {
             "source_path": "articles/batch/high-availability-disaster-recovery.md",
             "redirect_URL": "/azure/reliability/reliability-batch",
@@ -24266,6 +24261,11 @@
             "source_path_from_root": "/articles/reliability/reliability-postgre-flexible.md",
             "redirect_url": "/azure/reliability/reliability-postgresql-flexible-server",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/private-link/tutorial-private-endpoint-cosmosdb-portal.md",
+            "redirect_url": "/azure/cosmos-db/how-to-configure-private-endpoints",
+            "redirect_document_id": false
         }
     ]
 }

.openpublishing.redirection.virtual-desktop.json

@@ -194,6 +194,11 @@
             "source_path_from_root": "/articles/virtual-desktop/app-attach-glossary.md",
             "redirect_url": "/azure/virtual-desktop/what-is-app-attach",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/virtual-desktop/windows-10-multisession-faq.yml",
+            "redirect_url": "/azure/virtual-desktop/windows-multisession-faq",
+            "redirect_document_id": true
         }
     ]
 }

articles/active-directory/authentication/howto-mfa-userdevicesettings.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 07/05/2023
+ms.date: 08/29/2023
 
 ms.author: justinha
 author: justinha
@@ -58,7 +58,7 @@ Install the Microsoft.Graph.Identity.Signins PowerShell module using the followi
 
 ```powershell
 Install-module Microsoft.Graph.Identity.Signins
-Connect-MgGraph -Scopes UserAuthenticationMethod.ReadWrite.All
+Connect-MgGraph -Scopes "User.Read.all","UserAuthenticationMethod.Read.All","UserAuthenticationMethod.ReadWrite.All"
 Select-MgProfile -Name beta
 ```
 

articles/active-directory/develop/authentication-national-cloud.md

@@ -25,7 +25,7 @@ Including the global Azure cloud, Azure Active Directory (Azure AD) is deplo
 - Microsoft Azure operated by 21Vianet
 - Azure Germany ([Closed on October 29, 2021](https://www.microsoft.com/cloud-platform/germany-cloud-regions)). Learn more about [Azure Germany migration](#azure-germany-microsoft-cloud-deutschland).
 
-The individual national clouds and the global Azure cloud are cloud _instances_. Each cloud instance is separate from the others and has its own environment and _endpoints_. Cloud-specific endpoints include OAuth 2.0 access token and OpenID Connect ID token request endpoints, and URLs for app management and deployment, like the Azure portal.
+The individual national clouds and the global Azure cloud are cloud _instances_. Each cloud instance is separate from the others and has its own environment and _endpoints_. Cloud-specific endpoints include OAuth 2.0 access token and OpenID Connect ID token request endpoints, and URLs for app management and deployment.
 
 As you develop your apps, use the endpoints for the cloud instance where you'll deploy the application.
 
@@ -43,13 +43,13 @@ The following table lists the base URLs for the Azure AD endpoints used to regis
 
 ## Application endpoints
 
-You can find the authentication endpoints for your application in the Azure portal.
+You can find the authentication endpoints for your application.
 
-1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
-1. Select **Azure Active Directory**.
-1. Under **Manage**, select **App registrations**, and then select **Endpoints** in the top menu.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Application registrations**.
+1. Select **Endpoints** in the top menu.
 
-   The **Endpoints** page is displayed showing the authentication endpoints for the application registered in your Azure AD tenant.
+   The **Endpoints** page is displayed showing the authentication endpoints for the application.
 
    Use the endpoint that matches the authentication protocol you're using in conjunction with the **Application (client) ID** to craft the authentication request specific to your application.
 

articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md

@@ -164,6 +164,8 @@ This access token is a v1.0-formatted token for Microsoft Graph. This is because
 
 An error response is returned by the token endpoint when trying to acquire an access token for the downstream API, if the downstream API has a Conditional Access policy (such as [multifactor authentication](../authentication/concept-mfa-howitworks.md)) set on it. The middle-tier service should surface this error to the client application so that the client application can provide the user interaction to satisfy the Conditional Access policy.
 
+To [surface this error back](https://datatracker.ietf.org/doc/html/rfc6750#section-3.1) to the client, the middle-tier service will reply with HTTP 401 Unauthorized and with a WWW-Authenticate HTTP header containing the error and the claim challenge. The client must parse this header and acquire a new token from the token issuer, by presenting the claims challenge if one exists. Clients should not retry to access the middle-tier service using a cached access token.
+
 ```json
 {
     "error":"interaction_required",

articles/active-directory/external-identities/claims-mapping.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: conceptual
-ms.date: 11/24/2022
+ms.date: 08/30/2023
 
 ms.author: cmulligan
 author: csmulligan
@@ -32,7 +32,16 @@ There are two possible reasons why you might need to edit the claims that are is
 
 For information about how to add and edit claims, see [Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory](../develop/saml-claims-customization.md).
 
-For B2B collaboration users, mapping NameID and UPN cross-tenant are prevented for security reasons.
+## UPN claims behavior for B2B users
+
+If you need to issue the UPN value as an application token claim, the actual claim mapping may behave differently for B2B users. If the B2B user authenticates with an external Azure AD identity and you issue user.userprincipalname as the source attribute, Azure AD instead issues the mail attribute.  
+
+For example, let’s say you invite an external user whose email is `[email protected]` and whose identity exists in an external Azure AD tenant. James’ UPN in the inviting tenant is created from the invited email and the inviting tenant's original default domain. So, let’s say James’ UPN becomes `James_contoso.com#EXT#@fabrikam.onmicrosoft.com`. For the SAML application that issues user.userprincipalname as the NameID, the value passed for James is `[email protected]`.  
+
+All [other external identity types](redemption-experience.md#invitation-redemption-flow) such as SAML/WS-Fed, Google, Email OTP issues the UPN value rather than the email value when you issue user.userprincipalname as a claim. If you want the actual UPN to be issued in the token claim for all B2B users, you can set user.localuserprincipalname as the source attribute instead. 
+
+>[!NOTE]
+>The behavior mentioned in this section is same for both cloud-only B2B users and synced users who were [invited/converted to B2B collaboration](invite-internal-users.md). 
 
 ## Next steps
 

articles/active-directory/external-identities/cross-tenant-access-overview.md

@@ -19,6 +19,9 @@ ms.collection: M365-identity-device-management
 Azure AD organizations can use External Identities cross-tenant access settings to manage how they collaborate with other Azure AD organizations and other Microsoft Azure clouds through B2B collaboration and [B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md). [Cross-tenant access settings](cross-tenant-access-settings-b2b-collaboration.md) give you granular control over how external Azure AD organizations collaborate with you (inbound access) and how your users collaborate with external Azure AD organizations (outbound access). These settings also let you trust multi-factor authentication (MFA) and device claims ([compliant claims and hybrid Azure AD joined claims](../conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Azure AD organizations.
 
 This article describes cross-tenant access settings, which are used to manage B2B collaboration and B2B direct connect with external Azure AD organizations, including across Microsoft clouds. More settings are available for B2B collaboration with non-Azure AD identities (for example, social identities or non-IT managed external accounts). These [external collaboration settings](external-collaboration-settings-configure.md) include options for restricting guest user access, specifying who can invite guests, and allowing or blocking domains.
+
+> [!IMPORTANT]
+> Microsoft is beginning to move customers using cross-tenant access settings to a new storage model on August 30, 2023. You may notice an entry in your audit logs informing you that your cross-tenant access settings were updated as our automated task migrates your settings. For a brief window while the migration processes, you will be unable to make changes to your settings. If you are unable to make a change, you should wait a few moments and try the change again. Once the migration completes, [you will no longer be capped with 25kb of storage space](/azure/active-directory/external-identities/faq#how-many-organizations-can-i-add-in-cross-tenant-access-settings-) and there will be no more limits on the number of partners you can add.
  
 ## Manage external access with inbound and outbound settings
 

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md

@@ -18,6 +18,9 @@ ms.collection: M365-identity-device-management
 
 Use External Identities cross-tenant access settings to manage how you collaborate with other Azure AD organizations through B2B collaboration. These settings determine both the level of *inbound* access users in external Azure AD organizations have to your resources, and the level of *outbound* access your users have to external organizations. They also let you trust multi-factor authentication (MFA) and device claims ([compliant claims and hybrid Azure AD joined claims](../conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Azure AD organizations. For details and planning considerations, see [Cross-tenant access in Azure AD External Identities](cross-tenant-access-overview.md).
 
+> [!IMPORTANT]
+> Microsoft is beginning to move customers using cross-tenant access settings to a new storage model on August 30, 2023. You may notice an entry in your audit logs informing you that your cross-tenant access settings were updated as our automated task migrates your settings. For a brief window while the migration processes, you will be unable to make changes to your settings. If you are unable to make a change, you should wait a few moments and try the change again. Once the migration completes, [you will no longer be capped with 25kb of storage space](/azure/active-directory/external-identities/faq#how-many-organizations-can-i-add-in-cross-tenant-access-settings-) and there will be no more limits on the number of partners you can add.
+
 ## Before you begin
 
   > [!CAUTION]

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect.md

@@ -27,6 +27,9 @@ Use cross-tenant access settings to manage how you collaborate with other Azure
 
 Learn more about using cross-tenant access settings to [manage B2B direct connect](b2b-direct-connect-overview.md#managing-cross-tenant-access-for-b2b-direct-connect).
 
+> [!IMPORTANT]
+> Microsoft is beginning to move customers using cross-tenant access settings to a new storage model on August 30, 2023. You may notice an entry in your audit logs informing you that your cross-tenant access settings were updated as our automated task migrates your settings. For a brief window while the migration processes, you will be unable to make changes to your settings. If you are unable to make a change, you should wait a few moments and try the change again. Once the migration completes, [you will no longer be capped with 25kb of storage space](/azure/active-directory/external-identities/faq#how-many-organizations-can-i-add-in-cross-tenant-access-settings-) and there will be no more limits on the number of partners you can add.
+
 ## Before you begin
 
 - Review the [Important considerations](cross-tenant-access-overview.md#important-considerations) section in the [cross-tenant access overview](cross-tenant-access-overview.md) before configuring your cross-tenant access settings.