Syncing with main. Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into work-licensenote-fix

Author: Heidilohr

.openpublishing.redirection.json

@@ -1,5 +1,10 @@
 {
     "redirections": [
+        {
+            "source_path_from_root": "/articles/backup/backup-center-community.md",
+            "redirect_url": "/azure/backup/backup-center-overview",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/api-management/developer-portal-widget-contribution-guidelines.md",
             "redirect_url": "/azure/api-management/developer-portal-extend-custom-functionality",
@@ -7018,6 +7023,11 @@
             "redirect_url": "/azure/azure-functions/functions-event-grid-blob-trigger",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/azure-functions-supported-features.md",
+            "redirect_url": "/azure/azure-functions/functions-monitoring",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-government/documentation-government-k8.md",
             "redirect_url": "/azure/azure-government",
@@ -18273,6 +18283,11 @@
             "redirect_url": "/azure/sentinel/sap/sap-solution-log-reference",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/sentinel/monitor-sentinel-health.md",
+            "redirect_url": "/azure/sentinel/enable-monitoring",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/service-bus/index.md",
             "redirect_url": "/azure/service-bus-messaging/index",

articles/active-directory-b2c/configure-authentication-sample-react-spa-app.md

@@ -7,7 +7,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 08/25/2022
+ms.date: 11/17/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 ms.custom: "b2c-support"
@@ -167,13 +167,12 @@ export const protectedResources = {
 Now that the web API is registered and you've defined its scopes, configure the web API code to work with your Azure AD B2C tenant. Open the *3-Authorization-II/2-call-api-b2c/API* folder with Visual Studio Code. 
 
 
-In the sample folder, open the *config.json* file. This file contains information about your Azure AD B2C identity provider. The web API app uses this information to validate the access token that the web app passes as a bearer token. Update the following properties of the app settings:
+In the sample folder, open the *authConfig.js* file. This file contains information about your Azure AD B2C identity provider. The web API app uses this information to validate the access token that the web app passes as a bearer token. Update the following properties of the app settings:
 
 |Section  |Key  |Value  |
 |---------|---------|---------|
 |credentials|tenantName| Your Azure AD B2C [domain/tenant name](tenant-management.md#get-your-tenant-name). For example: `contoso.ommicrosoft.com`.|
 |credentials|clientID| The web API application ID from step [2.1](#21-register-the-web-api-application). In the [earlier diagram](#app-registration), it's the application with **App ID: 2**.|
-|credentials| issuer| (Optional) The token issuer `iss` claim value. Azure AD B2C by default returns the token in the following format: `https://<your-tenant-name>.b2clogin.com/<your-tenant-ID>/v2.0/`. Replace `<your-tenant-name>` with the first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). Replace `<your-tenant-ID>` with your [Azure AD B2C tenant ID](tenant-management.md#get-your-tenant-id). |
 |policies|policyName|The user flow or custom policy that you created in [step 1](#step-1-configure-your-user-flow). If your application uses multiple user flows or custom policies, specify only one. For example, use the sign-up or sign-in user flow.|
 | protectedRoutes| scopes | The scopes of your web API application registration from [step 2.5](#25-grant-permissions). |
 
@@ -184,7 +183,6 @@ Your final configuration file should look like the following JSON:
     "credentials": {
         "tenantName": "<your-tenant-name>.ommicrosoft.com",
         "clientID": "<your-webapi-application-ID>",
-        "issuer": "https://<your-tenant-name>.b2clogin.com/<your-tenant-ID>/v2.0/"
     },
     "policies": {
         "policyName": "b2c_1_susi"

articles/active-directory-b2c/identity-provider-azure-ad-multi-tenant.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 03/10/2022
+ms.date: 11/17/2022
 ms.custom: project-no-code
 ms.author: kengaderdus
 ms.subservice: B2C
@@ -133,7 +133,6 @@ You can define Azure AD as a claims provider by adding Azure AD to the **ClaimsP
           </CryptographicKeys>
           <OutputClaims>
             <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
-            <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
             <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
             <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
             <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
@@ -208,4 +207,4 @@ If the sign-in process is successful, your browser is redirected to `https://jwt
 - Learn how to [pass the Azure AD token to your application](idp-pass-through-user-flow.md).
 - Check out the Azure AD multi-tenant federation [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#azure-active-directory), and how to pass Azure AD access token [Live demo](https://github.com/azure-ad-b2c/unit-tests/tree/main/Identity-providers#azure-active-directory-with-access-token)
 
-::: zone-end
+::: zone-end

articles/active-directory-b2c/relyingparty.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 06/26/2022
+ms.date: 11/17/2022
 ms.custom: project-no-code
 ms.author: kengaderdus
 ms.subservice: B2C
@@ -144,7 +144,8 @@ The **UserJourneyBehaviors** element contains the following elements:
 | JourneyFraming | 0:1| Allows the user interface of this policy to be loaded in an iframe. |
 | ScriptExecution| 0:1| The supported [JavaScript](javascript-and-page-layout.md) execution modes. Possible values: `Allow` or `Disallow` (default).
 
-
+When you use the above elements, you need add them to your **UserJourneyBehaviors** element in the order specified in the table. For example, the **JourneyInsights** element must be added before (above) the **ScriptExecution** element. 
+ 
 ### SingleSignOn
 
 The **SingleSignOn** element contains the following attributes:

articles/active-directory-b2c/service-limits.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
 ms.author: kengaderdus
-ms.date: 10/27/2022
+ms.date: 11/14/2022
 ms.subservice: B2C
 zone_pivot_groups: b2c-policy-type
 ---
@@ -168,7 +168,7 @@ The following table lists the administrative configuration limits in the Azure A
 |Levels of [inheritance](custom-policy-overview.md#inheritance-model) in custom policies     |10         |
 |Number of policies per Azure AD B2C tenant (user flows + custom policies)     |200          |
 |Maximum policy file size      |1024 KB          |
-|Number of API connectors per tenant     |19         |
+|Number of API connectors per tenant     |20         |
 
 <sup>1</sup> See also [Azure AD service limits and restrictions](../active-directory/enterprise-users/directory-service-limits-restrictions.md).
 

articles/active-directory/authentication/how-to-mfa-server-migration-utility.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 11/14/2022
+ms.date: 11/16/2022
 
 ms.author: justinha
 author: justinha
@@ -191,7 +191,7 @@ The MFA Server Migration utility targets a single Azure AD group for all migrati
 
 To begin the migration process, enter the name or GUID of the Azure AD group you want to migrate. Once complete, press Tab or click outside the window and the utility will begin searching for the appropriate group. The window will populate all users in the group. A large group can take several minutes to finish.
 
-To view user attribute data for a user, highlight the user, and select **View**:
+To view attribute data for a user, highlight the user, and select **View**:
 
 :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/view-user.png" alt-text="Screenshot of how to view use settings.":::
 
@@ -202,7 +202,10 @@ The settings option allows you to change the settings for the migration process:
 :::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/settings.png" alt-text="Screenshot of settings.":::
 
 - Migrate – This setting allows you to specify which method(s) should be migrated for the selection of users
-- User Match – Allows you to specify a different on-premises Active Directory attribute for matching Azure AD UPN instead of the default match to userPrincipalName
+- User Match – Allows you to specify a different on-premises Active Directory attribute for matching Azure AD UPN instead of the default match to userPrincipalName:
+  - The migration utility tries direct matching to UPN before using the on-premises Active Directory attribute.  
+  - If no match is found, it calls a Windows API to find the Azure AD UPN and get the SID, which it uses to search the MFA Server user list. 
+  - If the Windows API doesn’t find the user or the SID isn’t found in the MFA Server, then it will use the configured Active Directory attribute to find the user in the on-premises Active Directory, and then use the SID to search the MFA Server user list.
 - Automatic synchronization – Starts a background service that will continually monitor any authentication method changes to users in the on-premises MFA Server, and write them to Azure AD at the specified time interval defined
 
 The migration process can be an automatic process, or a manual process.
@@ -367,7 +370,7 @@ Content-Type: application/json
 }
 ```
 
-Set the **Staged Rollout for Azure MFA** to **Off**. Users will once again be redirected to your on-premises federation server for MFA. 
+Users will no longer be redirected to your on-premises federation server for MFA, whether they’re targeted by the Staged Rollout tool or not. Note this can take up to 24 hours to take effect.
 
 >[!NOTE]
 >The update of the domain federation setting can take up to 24 hours to take effect. 
@@ -443,7 +446,8 @@ If the upgrade had issues, follow these steps to roll back:
    }
    ```
 
-Users will no longer be redirected to your on-premises federation server for MFA, whether they’re targeted by the Staged Rollout tool or not. Note this can take up to 24 hours to take effect.
+
+Set the **Staged Rollout for Azure MFA** to **Off**. Users will once again be redirected to your on-premises federation server for MFA. 
 
 
 ## Next steps

articles/active-directory/develop/v2-oauth2-device-code.md

@@ -9,29 +9,31 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 06/25/2021
+ms.date: 11/15/2022
 ms.author: ludwignick
 ms.reviewer: marsma
-ms.custom: aaddev
+ms.custom: aaddev, engagement-fy23
 ---
 
 # Microsoft identity platform and the OAuth 2.0 device authorization grant flow
 
-The Microsoft identity platform supports the [device authorization grant](https://tools.ietf.org/html/rfc8628), which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or printer.  To enable this flow, the device has the user visit a webpage in their browser on another device to sign in.  Once the user signs in, the device is able to get access tokens and refresh tokens as needed.
+The Microsoft identity platform supports the [device authorization grant](https://tools.ietf.org/html/rfc8628), which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer. To enable this flow, the device has the user visit a webpage in a browser on another device to sign in. Once the user signs in, the device is able to get access tokens and refresh tokens as needed.
 
-This article describes how to program directly against the protocol in your application.  When possible, we recommend you use the supported Microsoft Authentication Libraries (MSAL) instead to [acquire tokens and call secured web APIs](authentication-flows-app-scenarios.md#scenarios-and-supported-authentication-flows).  Also take a look at the [sample apps that use MSAL](sample-v2-code.md).
+This article describes how to program directly against the protocol in your application.  When possible, we recommend you use the supported Microsoft Authentication Libraries (MSAL) instead to [acquire tokens and call secured web APIs](authentication-flows-app-scenarios.md#scenarios-and-supported-authentication-flows). You can refer to [sample apps that use MSAL](sample-v2-code.md) for examples.
 
 [!INCLUDE [try-in-postman-link](includes/try-in-postman-link.md)]
 
 ## Protocol diagram
 
-The entire device code flow looks similar to the next diagram. We describe each of the steps later in this article.
+The entire device code flow is shown in the following diagram. Each step is explained throughout this article.
 
 ![Device code flow](./media/v2-oauth2-device-code/v2-oauth-device-flow.svg)
 
 ## Device authorization request
 
-The client must first check with the authentication server for a device and user code that's used to initiate authentication. The client collects this request from the `/devicecode` endpoint. In this request, the client should also include the permissions it needs to acquire from the user. From the moment this request is sent, the user has only 15 minutes to sign in (the usual value for `expires_in`), so only make this request when the user has indicated they're ready to sign in.
+The client must first check with the authentication server for a device and user code that's used to initiate authentication. The client collects this request from the `/devicecode` endpoint. In the request, the client should also include the permissions it needs to acquire from the user. 
+
+From the moment the request is sent, the user has 15 minutes to sign in. This is the default value for `expires_in`. The request should only be made when the user has indicated they're ready to sign in.
 
 ```HTTP
 // Line breaks are for legibility only.
@@ -46,7 +48,7 @@ client_id=6731de76-14a6-49ae-97bc-6eba6914391e
 
 | Parameter | Condition | Description |
 | --- | --- | --- |
-| `tenant` | Required | Can be /common, /consumers, or /organizations.  It can also be the directory tenant that you want to request permission from in GUID or friendly name format.  |
+| `tenant` | Required | Can be `/common`, `/consumers`, or `/organizations`. It can also be the directory tenant that you want to request permission from in GUID or friendly name format.  |
 | `client_id` | Required | The **Application (client) ID** that the [Azure portal – App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |
 | `scope` | Required | A space-separated list of [scopes](v2-permissions-and-consent.md) that you want the user to consent to.  |
 
@@ -68,19 +70,17 @@ A successful response will be a JSON object containing the required information
 
 ## Authenticating the user
 
-After receiving the `user_code` and `verification_uri`, the client displays these to the user, instructing them to sign in using their mobile phone or PC browser.
+After receiving the `user_code` and `verification_uri`, the client displays these to the user, instructing them to use their mobile phone or PC browser to sign in.
 
-If the user authenticates with a personal account (on /common or /consumers), they will be asked to sign in again in order to transfer authentication state to the device.  They will also be asked to provide consent, to ensure they are aware of the permissions being granted.  This does not apply to work or school accounts used to authenticate.
+If the user authenticates with a personal account, using `/common` or `/consumers`, they'll be asked to sign in again in order to transfer authentication state to the device. This is because the device is unable to access the user's cookies. They'll also be asked to consent to the permissions requested by the client. This however doesn't apply to work or school accounts used to authenticate. 
 
 While the user is authenticating at the `verification_uri`, the client should be polling the `/token` endpoint for the requested token using the `device_code`.
 
 ```HTTP
 POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
 Content-Type: application/x-www-form-urlencoded
 
-grant_type=urn:ietf:params:oauth:grant-type:device_code
-&client_id=6731de76-14a6-49ae-97bc-6eba6914391e
-&device_code=GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8...
+grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=6731de76-14a6-49ae-97bc-6eba6914391e&device_code=GMMhmHCXhWEzkobqIHGG_EnNYYsAkukHspeYUk9E8...
 ```
 
 | Parameter | Required | Description|
@@ -92,14 +92,14 @@ grant_type=urn:ietf:params:oauth:grant-type:device_code
 
 ### Expected errors
 
-The device code flow is a polling protocol so your client must expect to receive errors before the user has finished authenticating.
+The device code flow is a polling protocol so errors served to the client must be expected prior to completion of user authentication.
 
 | Error | Description | Client Action |
 | ------ | ----------- | -------------|
 | `authorization_pending` | The user hasn't finished authenticating, but hasn't canceled the flow. | Repeat the request after at least `interval` seconds. |
-| `authorization_declined` | The end user denied the authorization request.| Stop polling, and revert to an unauthenticated state.  |
+| `authorization_declined` | The end user denied the authorization request.| Stop polling and revert to an unauthenticated state.  |
 | `bad_verification_code`| The `device_code` sent to the `/token` endpoint wasn't recognized. | Verify that the client is sending the correct `device_code` in the request. |
-| `expired_token` | At least `expires_in` seconds have passed, and authentication is no longer possible with this `device_code`. | Stop polling and revert to an unauthenticated state. |
+| `expired_token` | Value of `expires_in` has been exceeded and authentication is no longer possible with `device_code`. | Stop polling and revert to an unauthenticated state. |
 
 ### Successful authentication response
 
@@ -119,8 +119,8 @@ A successful token response will look like:
 | Parameter | Format | Description |
 | --------- | ------ | ----------- |
 | `token_type` | String| Always `Bearer`. |
-| `scope` | Space separated strings | If an access token was returned, this lists the scopes the access token is valid for. |
-| `expires_in`| int | Number of seconds before the included access token is valid for. |
+| `scope` | Space separated strings | If an access token was returned, this lists the scopes in which the access token is valid for. |
+| `expires_in`| int | Number of seconds the included access token is valid for. |
 | `access_token`| Opaque string | Issued for the [scopes](v2-permissions-and-consent.md) that were requested.  |
 | `id_token`   | JWT | Issued if the original `scope` parameter included the `openid` scope.  |
 | `refresh_token` | Opaque string | Issued if the original `scope` parameter included `offline_access`.  |