Commit 81a1d2f

Merge pull request #180466 from MicrosoftDocs/master
11/18 PM Publish
2 parents 11ca7ba + 6ae8e84 commit 81a1d2f

188 files changed

+1812
-1454
lines changed


.openpublishing.redirection.healthcare-apis.json

Lines changed: 46 additions & 11 deletions
@@ -72,11 +72,6 @@
7272
"redirect_url": "/azure/healthcare-apis/azure-api-for-fhir/azure-api-for-fhir-additional-settings",
7373
"redirect_document_id": false
7474
},
75-
{
76-
"source_path_from_root": "/articles/healthcare-apis/configure-azure-rbac.md",
77-
"redirect_url": "/azure/healthcare-apis/fhir/configure-azure-rbac",
78-
"redirect_document_id": true
79-
},
8075
{
8176
"source_path_from_root": "/articles/healthcare-apis/configure-cross-origin-resource-sharing.md",
8277
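Review bot: Deleting the `/articles/healthcare-apis/configure-azure-rbac.md` → `/azure/healthcare-apis/fhir/configure-azure-rbac` entry (old lines 75-79) only works if a page now exists at that source path again; otherwise every external link to `/azure/healthcare-apis/configure-azure-rbac` starts returning 404 instead of following a redirect. The file list on this commit page does not show a `configure-azure-rbac.md` being added or restored under `articles/healthcare-apis/`, so confirm the page is present before merging, or keep a redirect entry for the old path.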
"redirect_url": "/azure/healthcare-apis/fhir/configure-cross-origin-resource-sharing",
@@ -222,12 +217,7 @@
222217
"redirect_url": "/azure/healthcare-apis/azure-api-for-fhir/access-fhir-postman-tutorial",
223218
"redirect_document_id": true
224219
},
225-
{
226-
"source_path_from_root": "/articles/healthcare-apis/fhir/configure-azure-rbac.md",
227-
"redirect_url": "/azure/healthcare-apis/azure-api-for-fhir/configure-azure-rbac",
228-
"redirect_document_id": true
229-
},
230-
{
220+
{
231221
"source_path_from_root": "/articles/healthcare-apis/fhir/configure-database.md",
232222
"redirect_url": "/azure/healthcare-apis/azure-api-for-fhir/configure-database",
233223
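Review bot: Removing the `fhir/configure-azure-rbac.md` → `azure-api-for-fhir/configure-azure-rbac` entry (old lines 225-229) leaves `/azure/healthcare-apis/fhir/configure-azure-rbac` with no redirect, and nothing in this hunk replaces it; the only new entry later in the file that points at the shared RBAC page (line 491) has a different source, `fhir/configure-azure-rbac-for-fhir.md`. Unless `fhir/configure-azure-rbac.md` exists again in this commit, add a redirect from it to `/azure/healthcare-apis/configure-azure-rbac` rather than deleting the entry, since this URL was itself a redirect target in the first hunk and is likely bookmarked.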
"redirect_document_id": true
@@ -457,5 +447,50 @@
457447
"redirect_url": "/azure/healthcare-apis/security-controls-policy",
458448
"redirect_document_id": true
459449
},
450+
{
451+
"source_path_from_root": "/articles/healthcare-apis/fhir/azure-active-directory-identity-configuration.md",
452+
"redirect_url": "/azure/healthcare-apis/authentication-authorization",
453+
"redirect_document_id": true
454+
},
455+
{
456+
"source_path_from_root": "/articles/healthcare-apis/fhir/fhir-service-access-token-validation.md",
457+
"redirect_url": "/azure/healthcare-apis/get-access-token",
458+
"redirect_document_id": true
459+
},
460+
{
461+
"source_path_from_root": "/articles/healthcare-apis/fhir/get-healthcare-apis-access-token-cli.md",
462+
"redirect_url": "/azure/healthcare-apis/get-access-token",
463+
"redirect_document_id": false
464+
},
465+
{
466+
"source_path_from_root": "/articles/healthcare-apis/dicom/dicom-get-access-token-azure-cli.md",
467+
"redirect_url": "/azure/healthcare-apis/get-access-token",
468+
"redirect_document_id": false
469+
},
470+
{
471+
"source_path_from_root": "/articles/healthcare-apis/dicom/dicom-register-service-client-application.md",
472+
"redirect_url": "/azure/healthcare-apis/register-application",
473+
"redirect_document_id": true
474+
},
475+
{
476+
"source_path_from_root": "/articles/healthcare-apis/dicom/dicom-register-public-application.md",
477+
"redirect_url": "/azure/healthcare-apis/register-application",
478+
"redirect_document_id": false
479+
},
480+
{
481+
"source_path_from_root": "/articles/healthcare-apis/dicom/dicom-register-confidential-client-application.md",
482+
"redirect_url": "/azure/healthcare-apis/register-application",
483+
"redirect_document_id": false
484+
},
485+
{
486+
"source_path_from_root": "/articles/healthcare-apis/dicom/dicom-configure-azure-rbac.md",
487+
"redirect_url": "/azure/healthcare-apis/configure-azure-rbac",
488+
"redirect_document_id": true
489+
},
490+
{
491+
"source_path_from_root": "/articles/healthcare-apis/fhir/configure-azure-rbac-for-fhir.md",
492+
"redirect_url": "/azure/healthcare-apis/configure-azure-rbac",
493+
"redirect_document_id": false
494+
}
460495
]
461496
}
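Review bot: The `fhir/fhir-service-access-token-validation.md` → `/azure/healthcare-apis/get-access-token` entry (lines 456-458) sends a page whose name describes how the service validates inbound tokens to a page whose name describes how to obtain one; if the validation details were not carried into the target, readers following old links to the validation article lose that content, and `redirect_document_id: true` on this entry makes the target inherit the old page's identity as well. Otherwise the block is internally consistent: each target that receives several sources (`get-access-token`, `register-application`, `configure-azure-rbac`) has exactly one source with `redirect_document_id: true`, and the final entry correctly has no trailing comma before `]`.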

.openpublishing.redirection.json

Lines changed: 5 additions & 0 deletions
@@ -44771,6 +44771,11 @@
4477144771
"redirect_url": "/azure/azure-monitor/essentials/tutorial-metrics",
4477244772
"redirect_document_id": false
4477344773
},
44774+
{
44775+
"source_path_from_root": "/articles/azure-monitor/vm/monitor-vm-azure.md",
44776+
"redirect_url": "/azure/virtual-machines/monitor-vm",
44777+
"redirect_document_id": false
44778+
},
4477444779
{
4477544780
"source_path_from_root": "/articles/load-balancer/tutorial-load-balancer-standard-manage-portal.md",
4477644781
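Review bot: The new entry moves `/articles/azure-monitor/vm/monitor-vm-azure.md` out of the azure-monitor area to `/azure/virtual-machines/monitor-vm`. A cross-service redirect is fine, but with `redirect_document_id: false` the old page's document ID is dropped; if the virtual-machines page is a relocation of this article rather than a distinct existing page, set it to `true` so page history and metrics follow the content.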
"redirect_url": "/azure/load-balancer/quickstart-load-balancer-standard-public-portal",

articles/active-directory-b2c/error-codes.md

Lines changed: 93 additions & 93 deletions
Large diffs are not rendered by default.

articles/active-directory-b2c/extensions-app.md

Lines changed: 2 additions & 1 deletion
@@ -1,5 +1,6 @@
11
---
22
title: Extensions app in Azure Active Directory B2C
3+
titleSuffix: Azure AD B2C
34
description: Restoring the b2c-extensions-app.
45
services: active-directory-b2c
56
author: kengaderdus
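Review bot: `titleSuffix: Azure AD B2C` (line 3) is redundant with a `title` that already ends in "Azure Active Directory B2C"; the rendered browser title becomes "Extensions app in Azure Active Directory B2C | Azure AD B2C". Either shorten `title` to "Extensions app" and let the suffix supply the product name, or align it with the new H1 on line 17 and leave the suffix off.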
@@ -13,7 +14,7 @@ ms.author: kengaderdus
1314
ms.subservice: B2C
1415
---
1516

16-
# Azure AD B2C: Extensions app
17+
# Extensions app in Azure AD B2C
1718

1819
When an Azure AD B2C directory is created, an app called **b2c-extensions-app** is automatically created inside the new directory. This app is visible in *App registrations*. It is used by the Azure AD B2C service to store information about users and custom attributes. If the app is deleted, Azure AD B2C will not function correctly and your production environment will be affected.
1920

articles/active-directory-b2c/saml-service-provider.md

Lines changed: 1 addition & 1 deletion
@@ -427,7 +427,7 @@ The following SAML application scenarios are supported via your own metadata end
427427
* Specify multiple logout URLs or POST binding for the logout URL in the application or service principal object.
428428
* Specify a signing key to verify relying party requests in the application or service principal object.
429429
* Specify a token encryption key in the application or service principal object.
430-
* Specify IdP-initiated sign-on, where the identity provider is Azure AD B2C.
430+
* [Specify IdP-initiated sign-on, where the identity provider is Azure AD B2C](saml-service-provider-options.md#configure-idp-initiated-flow).
431431

432432
## Next steps
433433
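Review bot: The new relative link on line 430 targets the fragment `#configure-idp-initiated-flow` in `saml-service-provider-options.md`; anchors are generated from heading text, so confirm that page has a heading that slugifies to exactly that (for example "Configure IdP-initiated flow"), because a wrong fragment still passes the build and silently renders as a link to the top of the page.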

articles/active-directory/app-provisioning/known-issues.md

Lines changed: 7 additions & 3 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: app-provisioning
1010
ms.workload: identity
1111
ms.topic: troubleshooting
12-
ms.date: 07/07/2021
12+
ms.date: 11/18/2021
1313
ms.reviewer: arvinh
1414
---
1515

@@ -116,8 +116,8 @@ The following attributes and objects aren't supported:
116116
- Reference attributes (for example, manager).
117117
- Groups.
118118
- Complex anchors (for example, ObjectTypeName+UserName).
119-
- On-premises applications are sometimes not federated with Azure AD and require local passwords. The on-premises provisioning preview *doesn't support provisioning one-time passwords or synchronizing passwords* between Azure AD and third-party applications.
120-
- The **export_password** virtual attribute, **SetPassword**, and **ChangePassword** operations aren't supported.
119+
- Binary attributes.
120+
- On-premises applications are sometimes not federated with Azure AD and require local passwords. The on-premises provisioning preview does not support password synchronization. Provisioning one-time passwords is supported. Please ensure that you are using the [Redact](https://docs.microsoft.com/azure/active-directory/app-provisioning/functions-for-customizing-application-data#redact) function to redact the passwords from the logs. The passwords are not exported on the initial call to the application, but rather a second call with set password.
121121

122122
#### SSL certificates
123123
The Azure AD ECMA Connector Host currently requires either an SSL certificate to be trusted by Azure or the provisioning agent to be used. The certificate subject must match the host name the Azure AD ECMA Connector Host is installed on.
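Review bot: The rewritten bullet (new line 120) reverses the earlier statement that one-time passwords are not provisioned, and at the same time drops the deleted line 120 that said the `export_password` virtual attribute and the `SetPassword` and `ChangePassword` operations aren't supported; the new wording "a second call with set password" implies `SetPassword` now is, so say explicitly which of the three remain unsupported instead of removing the statement. The Redact sentence is a security requirement rather than a courtesy: as written it implies the one-time password value appears in the provisioning logs unless the function is applied, so phrase it as a warning ("the password is written to the provisioning logs unless you apply the Redact function to the attribute") rather than "Please ensure", and use a relative link (`functions-for-customizing-application-data.md#redact`) instead of the absolute docs.microsoft.com URL. The new "Binary attributes" item (line 119) is added with no explanation; one clause on what happens when a mapping includes one would help.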
@@ -128,5 +128,9 @@ The following attributes and objects aren't supported:
128128
#### Attribute discovery and mapping
129129
The attributes that the target application supports are discovered and surfaced in the Azure portal in **Attribute Mappings**. Newly added attributes will continue to be discovered. If an attribute type has changed, for example, string to Boolean, and the attribute is part of the mappings, the type won't change automatically in the Azure portal. Customers will need to go into advanced settings in mappings and manually update the attribute type.
130130

131+
#### Provisioning agent
132+
- The agent does not currently support auto update for the on-prem application provisioning scenario. We are actively working to close this gap and ensure that auto update is enabled by default and required for all customers.
133+
- The same provisioning agent cannot be used for on-prem app provisioning and cloud sync / HR- driven provisioning.
134+
131135
## Next steps
132136
[How provisioning works](how-provisioning-works.md)
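Review bot: The new "Provisioning agent" subsection (lines 131-134) tells administrators the agent does not auto-update but not how to tell which build they are running or how to update by hand; since an agent without auto update stays on whatever version was installed, put the manual update path (or a link to the agent version history) next to that bullet rather than only the promise that the gap will be closed. Style: "on-prem" appears twice where the rest of the page uses "on-premises", and "HR- driven" has a stray space.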

articles/active-directory/manage-apps/plan-sso-deployment.md

Lines changed: 1 addition & 7 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: app-mgmt
1010
ms.topic: conceptual
1111
ms.workload: identity
12-
ms.date: 09/22/2021
12+
ms.date: 11/18/2021
1313
ms.author: davidmu
1414
ms.reviewer: ergreenl
1515
ms.collection: M365-identity-device-management
@@ -52,12 +52,6 @@ You change that certificate duration in the Azure portal. Make sure to document
5252
- Owner On-Call for application troubleshooting support
5353
- Closely monitored email distribution list for certificate-related change notifications
5454

55-
You can use the following methods to manage your certificates:
56-
57-
- **Automatic certificate rollover** - Signing key rollover is supported in Azure AD. While signing key rollover is the preferred method for managing certificates, not all applications support this scenario.
58-
59-
- **Manually update** - Every application has its own certificate that expires based on how it's defined. Before the application’s certificate expires, create a new certificate and send it to the application provider. This information can be pulled from the federation metadata. For more information, see [Federation metadata](../azuread-dev/azure-ad-federation-metadata.md).
60-
6155
Set up a process for how you'll handle a certificate change between Azure AD and your application. By having this process in place, you can help prevent or minimize an outage due to a certificate expiring or a forced certificate rollover. For more information, see [Manage certificates for federated single sign-on in Azure Active Directory](manage-certificates-for-federated-single-sign-on.md).
6256

6357
## Communications
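Review bot: Deleting lines 55-60 removes this page's only description of the two certificate management methods (automatic signing key rollover versus manually issuing a new certificate from the federation metadata), yet the retained sentence (new line 55) still refers to a "forced certificate rollover" without the term having been introduced. Confirm that the linked `manage-certificates-for-federated-single-sign-on.md` article covers both methods and the federation metadata reference that was dropped here; if it does not, keep a one-line summary of the two options in this section.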

articles/active-directory/manage-apps/what-is-single-sign-on.md

Lines changed: 10 additions & 10 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: app-mgmt
1010
ms.workload: identity
1111
ms.topic: overview
12-
ms.date: 09/22/2021
12+
ms.date: 11/18/2021
1313
ms.author: davidmu
1414
ms.reviewer: ergreenl
1515
ms.custom: contperf-fy21q1, contperf-fy22q2
@@ -18,7 +18,7 @@ ms.custom: contperf-fy21q1, contperf-fy22q2
1818

1919
# What is single sign-on in Azure Active Directory?
2020

21-
This article provides you with information about the single sign-on (SSO) options that are available to you, and an introduction to planning a single sign-on deployment when using Azure Active Directory (Azure AD). Single sign-on is an authentication method that allows users to sign in using one set of credentials to multiple independent software systems. Using SSO means a user doesn't have to sign in to every application they use. With SSO, users can access all needed applications without being required to authenticate using different credentials.
21+
This article provides you with information about the single sign-on (SSO) options that are available to you, and an introduction to planning a single sign-on deployment when using Azure Active Directory (Azure AD). Single sign-on is an authentication method that allows users to sign in using one set of credentials to multiple independent software systems. Using SSO means a user doesn't have to sign in to every application they use. With SSO, users can access all needed applications without being required to authenticate using different credentials. For a brief introduction, see [Azure Active Directory single sign-on](https://azure.microsoft.com/services/active-directory/sso/#overview).
2222

2323
Many applications already exist in Azure AD that you can use with SSO. You have several options for SSO depending on the needs of the application and how it is implemented. Take time to plan your SSO deployment before you create applications in Azure AD. The management of applications can be made easier by using the My Apps portal.
2424

@@ -28,21 +28,21 @@ Choosing an SSO method depends on how the application is configured for authenti
2828

2929
- **Federation** - When you set up SSO to work between multiple identity providers, it's called federation. An SSO implementation based on federation protocols improves security, reliability, end-user experiences, and implementation.
3030

31-
With federated single sign-on, Azure AD authenticates the user to the application by using their Azure AD account. This method is supported for SAML 2.0, WS-Federation, or OpenID Connect applications. Federated SSO is the richest mode of SSO. Use federated SSO with Azure AD when an application supports it, instead of password-based SSO and Active Directory Federation Services (AD FS).
31+
With federated single sign-on, Azure AD authenticates the user to the application by using their Azure AD account. This method is supported for [SAML 2.0](../develop/single-sign-on-saml-protocol.md), WS-Federation, or [OpenID Connect](../develop/v2-protocols-oidc.md) applications. Federated SSO is the richest mode of SSO. Use federated SSO with Azure AD when an application supports it, instead of password-based SSO and Active Directory Federation Services (AD FS).
3232

3333
There are some scenarios where the SSO option is not present for an enterprise application. If the application was registered using **App registrations** in the portal, then the single sign-on capability is configured to use OpenID Connect and OAuth by default. In this case, the single sign-on option won't appear in the navigation under enterprise applications.
3434

3535
Single sign-on is not available when an application is hosted in another tenant. Single sign-on is also not available if your account doesn't have the required permissions (Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal). Permissions can also cause a scenario where you can open single sign-on but won't be able to save.
3636

3737
> [!VIDEO https://www.youtube.com/embed/CjarTgjKcX8]
3838
39-
- **Password** - On-premises applications can use password-based, Integrated Windows Authentication, header-based, linked-based methods for SSO. The on-premises choices work when applications are configured for Application Proxy.
39+
- **Password** - On-premises applications can use a password-based method for SSO. This choice works when applications are configured for Application Proxy.
4040

41-
With password-based SSO, users sign in to the application with a username and password the first time they access it. After the first sign-on, Azure AD provides the username and password to the application. Password-based SSO enables secure application password storage and replay using a web browser extension or mobile app. This option uses the existing sign-in process provided by the application, enables an administrator to manage the passwords, and doesn't require the user to know the password.
41+
With password-based SSO, users sign in to the application with a username and password the first time they access it. After the first sign-on, Azure AD provides the username and password to the application. Password-based SSO enables secure application password storage and replay using a web browser extension or mobile app. This option uses the existing sign-in process provided by the application, enables an administrator to manage the passwords, and doesn't require the user to know the password. For more information, see [Add password-based single sign-on to an application](configure-password-single-sign-on-non-gallery-applications.md).
4242

4343
- **Linked** - Linked sign-on can provide a consistent user experience while you migrate applications over a period of time. If you're migrating applications to Azure AD, you can use linked-based SSO to quickly publish links to all the applications you intend to migrate. Users can find all the links in the My Apps or Microsoft 365 portals.
4444

45-
After a user has authenticated with a linked application, an account needs to be created before the user is provided single sign-on access. Provisioning this account can either occur automatically, or it can occur manually by an administrator. You cannot apply conditional access policies or multifactor authentication to a linked application because a linked application does not provide single sign-on capabilities through Azure AD. When you configure a linked application, you are simply adding a link that appears for launching the application.
45+
After a user has authenticated with a linked application, an account needs to be created before the user is provided single sign-on access. Provisioning this account can either occur automatically, or it can occur manually by an administrator. You cannot apply conditional access policies or multifactor authentication to a linked application because a linked application does not provide single sign-on capabilities through Azure AD. When you configure a linked application, you are simply adding a link that appears for launching the application. For more information, see [Add linked single sign-on to an application](configure-linked-sign-on.md).
4646

4747
- **Disabled** - When SSO is disabled, it isn't available for the application. When single sign-on is disabled, users might need to authenticate twice. First, users authenticate to Azure AD, and then they sign in to the application.
4848
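Review bot: The Password bullet (new line 39) drops Integrated Windows Authentication and header-based SSO from the list of on-premises options, so the overview no longer mentions those two Application Proxy methods anywhere; the old line 39 was muddled, but if the methods are still supported they should get their own bullets (as "Linked" already has) rather than disappearing, because password-based SSO is a different mechanism (credential storage and replay by a browser extension, per line 41). The remaining changes in this hunk are link additions and read fine.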

@@ -56,15 +56,15 @@ Choosing an SSO method depends on how the application is configured for authenti
5656

5757
## Plan SSO deployment
5858

59-
Web applications are hosted by various companies and made available as a service. Some popular examples of web applications include Microsoft 365, GitHub, and Salesforce, and there are thousands of others. People access web applications using a web browser on their computer. Single sign-on makes it possible for people to navigate between the various web applications without having to sign in multiple times.
59+
Web applications are hosted by various companies and made available as a service. Some popular examples of web applications include Microsoft 365, GitHub, and Salesforce. There are thousands of others. People access web applications using a web browser on their computer. Single sign-on makes it possible for people to navigate between the various web applications without having to sign in multiple times. For more information, see [Plan a single sign-on deployment](plan-sso-deployment.md).
6060

61-
How you implement SSO depends on where the application is hosted. Hosting matters because of the way network traffic is routed to access the application. Users don't need to use the Internet to access on-premises applications (hosted on a local network). If the application is hosted in the cloud, users need the Internet to use it. Cloud hosted applications are also called Software as a Service (SaaS) applications.
61+
How you implement SSO depends on where the application is hosted. Hosting matters because of the way network traffic is routed to access the application. Users don't need to use the Internet to access on-premises applications (hosted on a local network). If the application is hosted in the cloud, users need the Internet to use it. Cloud hosted applications are also called [Software as a Service (SaaS) applications](../saas-apps/tutorial-list.md).
6262

63-
For cloud applications, federation protocols are used. You can also use single sign-on for on-premises applications. You can use Application Proxy to configure access for your on-premises application. For more information, see Remote access to on-premises applications through Azure AD Application Proxy.
63+
For cloud applications, federation protocols are used. You can also use single sign-on for on-premises applications. You can use Application Proxy to configure access for your on-premises application. For more information, see [Remote access to on-premises applications through Azure AD Application Proxy](../app-proxy/application-proxy.md).
6464

6565
## My Apps
6666

67-
If you're a user of an application, you likely don't care much about SSO details. You just want to use the applications that make you productive without having to type your password so much. You can find and manage your applications at the My Apps portal.
67+
If you're a user of an application, you likely don't care much about SSO details. You just want to use the applications that make you productive without having to type your password so much. You can find and manage your applications at the My Apps portal. For more information, see [Sign in and start apps from the My Apps portal](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
6868

6969
## Next steps
7070
