Merge branch 'main' into diberry/1101-search-dotnet

Author: diberry

.openpublishing.redirection.active-directory.json

@@ -3433,17 +3433,17 @@
     },
     {
       "source_path_from_root": "/articles/active-directory/develop/active-directory-permissions.md",
-      "redirect_url": "/azure/active-directory/develop/v2-permissions-and-consent",
+      "redirect_url": "/azure/active-directory/develop/permissions-consent-overview",
       "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/active-directory/develop/active-directory-v2-scopes.md",
-      "redirect_url": "/azure/active-directory/develop/v2-permissions-and-consent",
+      "redirect_url": "/azure/active-directory/develop/permissions-consent-overview",
       "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/active-directory/develop/v1-permissions-and-consent.md",
-      "redirect_url": "/azure/active-directory/develop/v2-permissions-and-consent",
+      "redirect_url": "/azure/active-directory/develop/permissions-consent-overview",
       "redirect_document_id": false
     },
     {
@@ -5536,6 +5536,16 @@
       "redirect_url": "/azure/active-directory/app-proxy/application-proxy-add-on-premises-application",
       "redirect_document_id": true
     },
+    {
+      "source_path_from_root": "/articles/active-directory/develop/consent-framework.md",
+      "redirect_url": "/azure/active-directory/develop/application-consent-experience",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/manage-apps/consent-and-permissions-overview.md",
+      "redirect_url": "/azure/active-directory/manage-apps/user-admin-consent-overview",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/manage-apps/application-proxy-enable.md",
       "redirect_url": "/azure/active-directory/app-proxy/application-proxy-add-on-premises-application",

articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md

@@ -157,6 +157,27 @@ GET https://graph.microsoft.com/v1.0/users?$filter=startswith(certificateUserIds
 GET https://graph.microsoft.com/v1.0/users?$filter=certificateUserIds eq '[email protected]'
 ```
             
+## Update certificate user IDs using Microsoft Graph queries
+PATCH the user object certificateUserIds value for a given userId
+
+#### Request body:
+
+```http
+PATCH https://graph.microsoft.us/v1.0/users/{id}
+Content-Type: application/json
+{
+
+    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(authorizationInfo,department)/$entity",
+    "department": "Accounting",
+    "authorizationInfo": {
+        "certificateUserIds": [
+            "X509:<PN>123456789098765@mil"
+        ]
+    }
+}
+```
+
+
 ## Next steps
 
 - [Overview of Azure AD CBA](concept-certificate-based-authentication.md)

articles/active-directory/conditional-access/concept-conditional-access-conditions.md

@@ -127,7 +127,7 @@ On Windows 7, iOS, Android, and macOS Azure AD identifies the device using a cli
 
 #### Chrome support
 
-For Chrome support in **Windows 10 Creators Update (version 1703)** or later, install the [Windows 10 Accounts](https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji) or [Office Online](https://chrome.google.com/webstore/detail/office/ndjpnladcallmjemlbaebfadecfhkepb) extensions. These extensions are required when a Conditional Access policy requires device-specific details.
+For Chrome support in **Windows 10 Creators Update (version 1703)** or later, install the [Windows Accounts](https://chrome.google.com/webstore/detail/windows-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji) or [Office](https://chrome.google.com/webstore/detail/office/ndjpnladcallmjemlbaebfadecfhkepb) extensions. These extensions are required when a Conditional Access policy requires device-specific details.
 
 To automatically deploy this extension to Chrome browsers, create the following registry key:
 

articles/active-directory/develop/TOC.yml

@@ -35,24 +35,27 @@
       items:
         - name: Permissions and consent overview
           href: permissions-consent-overview.md
+        - name: Delegated access
+          href: delegated-access-primer.md
+        - name: Scopes and permissions
+          href: scopes-oidc.md
         - name: "Authorization options: ACLs, RBAC, ABAC"
           href: authorization-basics.md
         - name: RBAC for app developers
           href: custom-rbac-for-developers.md
-        - name: Scopes, permissions, and consent
-          displayName: Scopes
-          href: v2-permissions-and-consent.md
+        - name: Requesting permissions through consent
+          href: consent-types-developer.md
         - name: Application consent experiences
           displayName: App consent experiences
           href: application-consent-experience.md
-        - name: Consent framework
-          href: consent-framework.md
         - name: Conditional Access dev guide
           href: v2-conditional-access-dev-guide.md
           displayName: ca
         - name: Conditional Access auth context
           href: developer-guide-conditional-access-authentication-context.md
           displayName: ca
+        - name: Permissions and consent framework
+          href: v2-permissions-and-consent.md
     - name: App registrations and workload identities
       displayName: App configuration
       items:

articles/active-directory/develop/access-tokens.md

@@ -324,4 +324,4 @@ Check out [Primary Refresh Tokens](../devices/concept-primary-refresh-token.md)
 ## Next steps
 
 - Learn about [`id_tokens` in Azure AD](id-tokens.md).
-- Learn about permission and consent ( [v1.0](../azuread-dev/v1-permissions-consent.md), [v2.0](v2-permissions-and-consent.md)).
+- Learn about permission and consent ( [v1.0](../azuread-dev/v1-permissions-consent.md), [v2.0](permissions-consent-overview.md)).

articles/active-directory/develop/active-directory-v2-protocols.md

@@ -53,7 +53,7 @@ Your client app needs a way to trust the security tokens issued to it by the Mic
 
 When you register your app in Azure AD, the Microsoft identity platform automatically assigns it some values, while others you configure based on the application's type.
 
-Two the most commonly referenced app registration settings are:
+Two of the most commonly referenced app registration settings are:
 
 * **Application (client) ID** - Also called _application ID_ and _client ID_, this value is assigned to your app by the Microsoft identity platform. The client ID uniquely identifies your app in the identity platform and is included in the security tokens the platform issues.
 * **Redirect URI** - The authorization server uses a redirect URI to direct the resource owner's *user-agent* (web browser, mobile app) to another destination after completing their interaction. For example, after the end-user authenticates with the authorization server. Not all client types use redirect URIs.

articles/active-directory/develop/application-consent-experience.md

@@ -2,24 +2,21 @@
 title: Azure AD app consent experiences
 description: Learn more about the Azure AD consent experiences to see how you can use it when managing and developing applications on Azure AD
 services: active-directory
-author: rwike77
+author: omondiatieno
 manager: CelesteDG
-
 ms.service: active-directory
 ms.subservice: develop
 ms.custom: aaddev 
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 04/18/2022
-ms.author: ryanwi
-ms.reviewer: jesakowi, asteen
+ms.date: 11/01/2022
+ms.author: jomondi
+ms.reviewer: jesakowi, asteen, jawoods
 ---
 
-# Understanding Azure AD application consent experiences
-
-Learn more about the Azure Active Directory (Azure AD) application consent user experience. So you can intelligently manage applications for your organization and/or develop applications with a more seamless consent experience.
+# Consent experience for applications in Azure Active Directory
 
-## Consent and permissions
+In this article, you'll learn about the Azure Active Directory (Azure AD) application consent user experience. You'll then be able to intelligently manage applications for your organization and/or develop applications with a more seamless consent experience.
 
 Consent is the process of a user granting authorization to an application to access protected resources on their behalf. An admin or user can be asked for consent to allow access to their organization/individual data.
 
@@ -42,50 +39,87 @@ The following diagram and table provide information about the building blocks of
 | 2 | Title | The title changes based on whether the users are going through the user or admin consent flow. In user consent flow, the title will be “Permissions requested” while in the admin consent flow the title will have an additional line “Accept for your organization”. |
 | 3 | App logo | This image should help users have a visual cue of whether this app is the app they intended to access. This image is provided by application developers and the ownership of this image isn't validated. |
 | 4 | App name | This value should inform users which application is requesting access to their data. Note this name is provided by the developers and the ownership of this app name isn't validated.|
-| 5 | Publisher name and verification | The blue "verified" badge means that the app publisher has verified their identity using a Microsoft Partner Network account and has completed the verification process. If the app is publisher verified, the publisher name is displayed.  If the app is not publisher verified, "Unverified" is displayed instead of a publisher name. For more information, read about [Publisher Verification](publisher-verification-overview.md). Selecting the publisher name displays more app info as available, such as the publisher name, publisher domain, date created, certification details, and reply URLs. |
+| 5 | Publisher name and verification | The blue "verified" badge means that the app publisher has verified their identity using a Microsoft Partner Network account and has completed the verification process. If the app is publisher verified, the publisher name is displayed.  If the app isn't publisher verified, "Unverified" is displayed instead of a publisher name. For more information, read about [Publisher Verification](publisher-verification-overview.md). Selecting the publisher name displays more app info as available, such as the publisher name, publisher domain, date created, certification details, and reply URLs. |
 | 6 |  Microsoft 365 Certification | The Microsoft 365 Certification logo means that an app has been vetted against controls derived from leading industry standard frameworks, and that strong security and compliance practices are in place to protect customer data.  For more information, read about [Microsoft 365 Certification](/microsoft-365-app-certification/docs/enterprise-app-certification-guide).|
 | 7 | Publisher information  | Displays whether the application is published by Microsoft. |
-| 8 | Permissions | This list contains the permissions being requested by the client application. Users should always evaluate the types of permissions being requested to understand what data the client application will be authorized to access on their behalf if they accept. As an application developer it is best to request access, to the permissions with the least privilege. |
+| 8 | Permissions | This list contains the permissions being requested by the client application. Users should always evaluate the types of permissions being requested to understand what data the client application will be authorized to access on their behalf if they accept. As an application developer it's best to request access, to the permissions with the least privilege. |
 | 9 | Permission description | This value is provided by the service exposing the permissions. To see the permission descriptions, you must toggle the chevron next to the permission. |
 | 10 | https://myapps.microsoft.com | This is the link where users can review and remove any non-Microsoft applications that currently have access to their data. |
 | 11 | Report it here | This link is used to report a suspicious app if you don't trust the app, if you believe the app is impersonating another app, if you believe the app will misuse your data, or for some other reason. |
 
-## App requires a permission within the user's scope of authority
+## Common scenarios and consent experiences
 
-A common consent scenario is that the user accesses an app which requires a permission set that is within the user's scope of authority. The user is directed to the user consent flow.
+The following section describes the common scenarios and the expected consent experience for each of them.
+### App requires a permission that the user has the right to grant
 
-Admins will see an additional control on the traditional consent prompt that will allow them consent on behalf of the entire tenant. The control will be defaulted to off, so only when admins explicitly check the box will consent be granted on behalf of the entire tenant. As of today, this check box will only show for the Global Admin role, so Cloud Admin and App Admin will not see this checkbox.
+In this consent scenario, the user accesses an app that requires a permission set that is within the user's scope of authority. The user is directed to the user consent flow.
+
+Admins will see an additional control on the traditional consent prompt that will allow to give consent on behalf of the entire tenant. The control will be defaulted to off, so only when admins explicitly check the box will consent be granted on behalf of the entire tenant. The check box will only show for the Global Admin role, so Cloud Admin and App Admin won't see this checkbox.
 
 :::image type="content" source="./media/application-consent-experience/consent_prompt_1a.png" alt-text="Consent prompt for scenario 1a":::
 
 Users will see the traditional consent prompt.
 
 :::image type="content" source="./media/application-consent-experience/consent_prompt_1b.png" alt-text="Screenshot that shows the traditional consent prompt.":::
 
-## App requires a permission outside of the user's scope of authority
+### App requires a permission that the user has no right to grant
 
-Another common consent scenario is that the user accesses an app which requires at least one permission that is outside the user's scope of authority.
+In this consent scenario, the user accesses an app that requires at least one permission that is outside the user's scope of authority.
 
 Admins will see an additional control on the traditional consent prompt that will allow them consent on behalf of the entire tenant.
 
 :::image type="content" source="./media/application-consent-experience/consent_prompt_1a.png" alt-text="Consent prompt for scenario 1a":::
 
-Non-admin users will be blocked from granting consent to the application, and they will be told to ask their admin for access to the app.
+Non-admin users will be blocked from granting consent to the application, and they'll be told to ask their admin for access to the app. If admin consent workflow is enabled in the user's tenant, non-admin users are able to submit a request for admin approval from the consent prompt. For more information on admin consent workflow, see [Admin consent workflow](../manage-apps/admin-consent-workflow-overview.md).
 
 :::image type="content" source="./media/application-consent-experience/consent_prompt_2b.png" alt-text="Screenshot of the consent prompt telling the user to ask an admin for access to the app.":::
 
-## User is directed to the admin consent flow
+### User is directed to the admin consent flow
 
-Another common scenario is when the user navigates to or is directed to the admin consent flow.
+In this consent scenario, the user navigates to or is directed to the admin consent flow.
 
 Admin users will see the admin consent prompt. The title and the permission descriptions changed on this prompt, the changes highlight the fact that accepting this prompt will grant the app access to the requested data on behalf of the entire tenant.
 
 :::image type="content" source="./media/application-consent-experience/consent_prompt_3a.png" alt-text="Consent prompt for scenario 3a":::
 
-Non-admin users will be blocked from granting consent to the application, and they will be told to ask their admin for access to the app.
+Non-admin users will be blocked from granting consent to the application, and they'll be told to ask their admin for access to the app.
 
 :::image type="content" source="./media/application-consent-experience/consent_prompt_2b.png" alt-text="Screenshot of the consent prompt telling the user to ask an admin for access to the app.":::
 
+### Admin consent through the Azure portal
+
+In this scenario, an administrator consents to all of the permissions that an application requests, which can include delegated permissions on behalf of all users in the tenant. The Administrator grants consent through the **API permissions** page of the application registration in the [Azure portal](https://portal.azure.com).
+
+ :::image type="content" source="./media/consent-framework/grant-consent.png" alt-text="Screenshot of explicit admin consent through the Azure portal." lightbox="./media/consent-framework/grant-consent.png":::
+
+All users in that tenant won't see the consent dialog unless the application requires new permissions. To learn which administrator roles can consent to delegated permissions, see [Administrator role permissions in Azure AD](../roles/permissions-reference.md).
+
+   > [!IMPORTANT]
+   > Granting explicit consent using the **Grant permissions** button is currently required for single-page applications (SPA) that use MSAL.js. Otherwise, the application fails when the access token is requested.
+
+## Common Issues
+This section outlines the common issues with the consent experience and possible troubleshooting tips.
+
+- 403 error
+
+  - Is this a [delegated scenario](permissions-consent-overview.md)? What permissions does a user have? 
+  - Are necessary permissions added to use the endpoint? 
+  - Check the [token](https://jwt.ms/) to see if it has necessary claims to call the endpoint.
+  - What permissions have been consented to? Who consented? 
+
+- User is unable to consent
+
+  - Check if tenant admin has disabled user consent for your organization
+  - Confirm if the permissions you requesting are admin-restricted permissions.
+
+- User is still blocked even after admin has consented
+
+  - Check if [static permissions](consent-types-developer.md) are configured to be a superset of permissions requested dynamically.
+  - Check if user assignment is required for the app.
+
+## Troubleshoot known errors
+
+For troubleshooting steps, see [Unexpected error when performing consent to an application](../manage-apps/application-sign-in-unexpected-user-consent-error.md).
 ## Next steps
 
 - Get a step-by-step overview of [how the Azure AD consent framework implements consent](./quickstart-register-app.md).