MicrosoftDocs
diff --git a/‎articles/active-directory/app-proxy/application-proxy-faq.yml
Lines changed: 8 additions & 5 deletions b/‎articles/active-directory/app-proxy/application-proxy-faq.yml
Lines changed: 8 additions & 5 deletions
diff --git a/‎articles/active-directory/develop/reference-claims-mapping-policy-type.md
Lines changed: 25 additions & 1 deletion b/‎articles/active-directory/develop/reference-claims-mapping-policy-type.md
Lines changed: 25 additions & 1 deletion
diff --git a/‎articles/active-directory/fundamentals/service-accounts-principal.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/fundamentals/service-accounts-principal.md
Lines changed: 1 addition & 1 deletion
@@ -9,7 +9,7 @@ metadata:
   ms.subservice: app-proxy
   ms.workload: identity
   ms.topic: reference
-  ms.date: 04/27/2021
+  ms.date: 12/17/2021
   ms.author: kenwith
   ms.reviewer: ashishj
 
@@ -270,11 +270,14 @@ sections:
   - name: WebSocket
     questions:
       - question: |
-         Does WebSocket support work for applications other than QlikSense and Remote Desktop Web Client (HTML5)?
+         Does Azure AD Application Proxy support the WebSocket protocol?
         answer: |
-              Currently, WebSocket protocol support is still in public preview and it may not work for other applications. Some customers have had mixed success using WebSocket protocol with other applications.
-          
-              Features (Eventlogs, PowerShell and Remote Desktop Services) in Windows Admin Center (WAC) do not work through Azure AD Application Proxy presently.
+              Applications that use the WebSocket protocol, for example QlikSense and Remote Desktop Web Client (HTML5), are now supported. The following are known limitations:
+              * Application proxy discards the cookie that is set on the server response while opening the WebSocket connection.
+              * There is no SSO applied to the WebSocket request.
+              * Features (Eventlogs, PowerShell and Remote Desktop Services) in the Windows Admin Center (WAC) do not work through Azure AD Application Proxy.
+              
+              The WebSocket application doesn't have any unique publishing requirements, and can be [published](application-proxy-add-on-premises-application.md) the same way as all your other Application Proxy applications. 
           
   - name: Link translation
     questions:
 
@@ -332,6 +332,29 @@ The ID element identifies which property on the source provides the value for th
 > [!NOTE]
 > Names and URIs of claims in the restricted claim set cannot be used for the claim type elements. For more information, see the "Exceptions and restrictions" section later in this article.
 
+### Group Filter (Preview)
+
+**String:** GroupFilter
+
+**Data type:** JSON blob
+
+**Summary:** Use this property to apply a filter on the user’s groups to be included in the group claim. This can be a useful means of reducing the token size.
+
+**MatchOn:** The **MatchOn** property identifies the group attribute on which to apply the filter. 
+
+Set the **MatchOn** property to one of the follwoing values:
+
+- "displayname": The group display name.
+- "samaccountname": The On-premises SAM Account Name
+
+**Type:** The **Type** property selects the type of filter you wish to apply to the attribute selected by the **MatchOn** property. 
+
+Set the **Type** property to one of the following values:
+
+- "prefix": Include groups where the **MatchOn** property starts with the provided **Value** property.
+- "suffix": Include groups where the **MatchOn** property ends with the provided **Value** property.
+- "contains": Include groups where the **MatchOn** property contains with the provided **Value** property.
+
 ### Claims transformation
 
 **String:** ClaimsTransformation
@@ -353,10 +376,11 @@ Based on the method chosen, a set of inputs and outputs is expected. Define the
 |Join|string1, string2, separator|outputClaim|Joins input strings by using a separator in between. For example: string1:"[email protected]" , string2:"sandbox" , separator:"." results in outputClaim:"[email protected]"|
 |ExtractMailPrefix|Email or UPN|extracted string|ExtensionAttributes 1-15 or any other Schema Extensions which are storing a UPN or email address value for the user e.g. [email protected]. Extracts the local part of an email address. For example: mail:"[email protected]" results in outputClaim:"foo". If no \@ sign is present, then the original input string is returned as is.|
 
-**InputClaims:** Use an InputClaims element to pass the data from a claim schema entry to a transformation. It has two attributes: **ClaimTypeReferenceId** and **TransformationClaimType**.
+**InputClaims:** Use an InputClaims element to pass the data from a claim schema entry to a transformation. It has three attributes: **ClaimTypeReferenceId**, **TransformationClaimType** and **TreatAsMultiValue** (Preview)
 
 - **ClaimTypeReferenceId** is joined with ID element of the claim schema entry to find the appropriate input claim.
 - **TransformationClaimType** is used to give a unique name to this input. This name must match one of the expected inputs for the transformation method.
+- **TreatAsMultiValue** is a Boolean flag indicating if the transform should be applied to all values or just the first. By default, transformations will only be applied to the first element in a multi value claim, by setting this value to true it ensures it is applied to all. ProxyAddresses and groups are 2 examples for input claims that you would likely want to treat as a multi value. 
 
 **InputParameters:** Use an InputParameters element to pass a constant value to a transformation. It has two attributes: **Value** and **ID**.
 
 
@@ -96,7 +96,7 @@ Mitigate potential challenges using the following information.
 
 |Challenges | Mitigations|
 | - | - |
-| Detect the user that consented to a multi-tenant app, and detect illicit consent grants to a multi-tenant app | Run the following PowerShell to find multi-tenant apps.<br>`Get-AzureADServicePrincipal -All:$true ? {$_.Tags -eq WindowsAzureActiveDirectoryIntegratedApp"}`<br>Disable user consent. <br>Allow user consent from verified publishers, for selected permissions (recommended) <br> Use conditional access to block service principals from untrusted locations. Configure them under the user context, and their tokens should be used to trigger the service principal.|
+| Detect the user that consented to a multi-tenant app, and detect illicit consent grants to a multi-tenant app | Run the following PowerShell to find multi-tenant apps.<br>`Get-AzureADServicePrincipal -All:$true ? {$_.Tags -eq WindowsAzureActiveDirectoryIntegratedApp"}`<br>Disable user consent. <br>Allow user consent from verified publishers, for selected permissions (recommended) <br> Configure them under the user context, and their tokens should be used to trigger the service principal.|
 |Use of a hard-coded shared secret in a script using a service principal.|Use a certificate or Azure Key Vault.|
 |Tracking who is using the certificate or the secret| Monitor the service principal's sign-ins using the Azure AD sign-in logs.|
 Can't manage service principals' sign-in with Conditional Access.| Monitor the sign-ins using the Azure AD sign-in logs