Merge pull request #239770 from MicrosoftDocs/main

Publish to Live Wednesday 4AM PST, 05/31

Author: PMEds28

articles/active-directory/develop/scenario-spa-acquire-token.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 06/10/2022
+ms.date: 05/18/2023
 ms.author: henrymbugua
 s.reviewer: negoe
 ms.custom: aaddev
@@ -18,7 +18,7 @@ ms.custom: aaddev
 
 # Single-page application: Acquire a token to call an API
 
-The pattern for acquiring tokens for APIs with [MSAL.js](https://github.com/AzureAD/microsoft-authentication-library-for-js) is to first attempt a silent token request by using the `acquireTokenSilent` method. When this method is called, the library first checks the cache in browser storage to see if a non-expired access token exists and returns it. If no access token is found or the access token found has expired, it attempts to use its refresh token to get a fresh access token. If the refresh token's 24-hour lifetime has also expired, MSAL.js will open a hidden iframe to silently request a new authorization code by leveraging the existing active session with Azure AD (if any), which will then be exchanged for a fresh set of tokens (access _and_ refresh tokens). For more information about single sign-on (SSO) session and token lifetime values in Azure AD, see [Token lifetimes](configurable-token-lifetimes.md). For more information on MSAL.js cache lookup policy, see: [Acquiring an Access Token](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/acquire-token.md#acquiring-an-access-token).
+The pattern for acquiring tokens for APIs with [MSAL.js](https://github.com/AzureAD/microsoft-authentication-library-for-js) is to first attempt a silent token request by using the `acquireTokenSilent` method. When this method is called, the library first checks the cache in browser storage to see if a non-expired access token exists and returns it. If no access token is found or the access token found has expired, it attempts to use its refresh token to get a fresh access token. If the refresh token's 24-hour lifetime has also expired, MSAL.js opens a hidden iframe to silently request a new authorization code by using the existing active session with Azure Active Directory (Azure AD) (if any), which will then be exchanged for a fresh set of tokens (access _and_ refresh tokens). For more information about single sign-on (SSO) session and token lifetime values in Azure AD, see [Token lifetimes](configurable-token-lifetimes.md). For more information on MSAL.js cache lookup policy, see: [Acquiring an Access Token](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/acquire-token.md#acquiring-an-access-token).
 
 The silent token requests to Azure AD might fail for reasons like a password change or updated conditional access policies. More often, failures are due to the refresh token's 24-hour lifetime expiring and [the browser blocking third party cookies](reference-third-party-cookies-spas.md), which prevents the use of hidden iframes to continue authenticating the user. In these cases, you should invoke one of the interactive methods (which may prompt the user) to acquire tokens:
 
@@ -31,7 +31,7 @@ The choice between a pop-up or redirect experience depends on your application f
 
 - If you don't want users to move away from your main application page during authentication, we recommend the pop-up method. Because the authentication redirect happens in a pop-up window, the state of the main application is preserved.
 
-- If users have browser constraints or policies where pop-up windows are disabled, you can use the redirect method. Use the redirect method with the Internet Explorer browser, because there are [known issues with pop-up windows on Internet Explorer](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/internet-explorer.md#popups).
+- If users have browser constraints or policies where pop-up windows are disabled, you can use the redirect method. Use the redirect method with the Internet Explorer browser, because there are [known issues with pop-up windows on Internet Explorer](msal-js-known-issues-ie-edge-browsers.md).
 
 You can set the API scopes that you want the access token to include when it's building the access token request. All requested scopes might not be granted in the access token. That depends on the user's consent.
 
@@ -115,7 +115,7 @@ userAgentApplication
 
 The MSAL Angular wrapper provides the HTTP interceptor, which will automatically acquire access tokens silently and attach them to the HTTP requests to APIs.
 
-You can specify the scopes for APIs in the `protectedResourceMap` configuration option. `MsalInterceptor` will request the specified scopes when automatically acquiring tokens.
+You can specify the scopes for APIs in the `protectedResourceMap` configuration option. `MsalInterceptor` requests the specified scopes when automatically acquiring tokens.
 
 ```javascript
 // In app.module.ts
@@ -201,7 +201,7 @@ Alternatively, you can explicitly acquire tokens by using the acquire-token meth
 # [Angular (MSAL.js v1)](#tab/angular1)
 
 The MSAL Angular wrapper provides the HTTP interceptor, which will automatically acquire access tokens silently and attach them to the HTTP requests to APIs.
-You can specify the scopes for APIs in the `protectedResourceMap` configuration option. `MsalInterceptor` will request the specified scopes when automatically acquiring tokens.
+You can specify the scopes for APIs in the `protectedResourceMap` configuration option. `MsalInterceptor` requests the specified scopes when automatically acquiring tokens.
 
 ```javascript
 // app.module.ts
@@ -353,7 +353,7 @@ publicClientApplication
 
 # [JavaScript (MSAL.js v2)](#tab/javascript2)
 
-The following pattern is as described earlier but shown with a redirect method to acquire tokens interactively. You'll need to call and await `handleRedirectPromise` on page load.
+The following pattern is as described earlier but shown with a redirect method to acquire tokens interactively. You need to call and await `handleRedirectPromise` on page load.
 
 ```javascript
 const redirectResponse = await publicClientApplication.handleRedirectPromise();
@@ -392,7 +392,7 @@ if (redirectResponse !== null) {
 
 # [JavaScript (MSAL.js v1)](#tab/javascript1)
 
-The following pattern is as described earlier but shown with a redirect method to acquire tokens interactively. You'll need to register the redirect callback as mentioned earlier.
+The following pattern is as described earlier but shown with a redirect method to acquire tokens interactively. You need to register the redirect callback as mentioned earlier.
 
 ```javascript
 function authCallback(error, response) {
@@ -514,7 +514,7 @@ This code is the same as described earlier.
 
 # [React](#tab/react)
 
-If `acquireTokenSilent` fails, fallback to `acquireTokenRedirect`. This method will initiate a full-frame redirect and the response will be handled when returning to the application. When this component is rendered after returning from the redirect, `acquireTokenSilent` should now succeed as the tokens will be pulled from the cache.
+If `acquireTokenSilent` fails, fallback to `acquireTokenRedirect`. This method initiates a full-frame redirect and the response will be handled when returning to the application. When this component is rendered after returning from the redirect, `acquireTokenSilent` should now succeed as the tokens will be pulled from the cache.
 
 ```javascript
 import {

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md

@@ -5,7 +5,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 05/05/2023
+ms.date: 05/31/2023
 
 ms.author: mimart
 author: msmimart
@@ -185,11 +185,11 @@ With inbound settings, you select which external users and groups will be able t
 
     ![Screenshot showing trust settings.](media/cross-tenant-access-settings-b2b-collaboration/inbound-trust-settings.png)
 
-1. (This step applies to **Organizational settings** only.) Review the consent prompt option:
+1. (This step applies to **Organizational settings** only.) Review the **Automatic redemption** option:
 
-   - **Suppress consent prompts for users from the other tenant when they access apps and resources in my tenant**: Select this checkbox if you want to automatically redeem invitations so users from the specified tenant don't have to accept the consent prompt when they're added to this tenant using B2B collaboration. This setting will only suppress the consent prompt if the specified tenant checks this setting for outbound access as well.
+   - **Automatically redeem invitations with the tenant** <tenant>: Check this setting if you want to automatically redeem invitations. If so, users from the specified tenant won't have to accept the consent prompt the first time they access this tenant using cross-tenant synchronization, B2B collaboration, or B2B direct connect. This setting will only suppress the consent prompt if the specified tenant checks this setting for outbound access as well.
 
-    ![Screenshot that shows the inbound suppress consent prompt check box.](../media/external-identities/inbound-consent-prompt-setting.png)
+    ![Screenshot that shows the inbound Automatic redemption check box.](../media/external-identities/inbound-consent-prompt-setting.png)
 
 1. Select **Save**.
 
@@ -285,11 +285,11 @@ With outbound settings, you select which of your users and groups will be able t
 
 1. Select the **Trust settings** tab.
 
-1. Review the consent prompt option:
+1. Review the **Automatic redemption** option:
 
-   - **Suppress consent prompts for users from my tenant when they access apps and resources in the other tenant**: Select this checkbox if you want to automatically redeem invitations so users from this tenant don't have to accept the consent prompt when they're added to the specified tenant using B2B collaboration. This setting will only suppress the consent prompt if the specified tenant checks this setting for inbound access as well.
+   - **Automatically redeem invitations with the tenant** <tenant>: Check this setting if you want to automatically redeem invitations. If so, users from this tenant don't have to accept the consent prompt the first time they access the specified tenant using cross-tenant synchronization, B2B collaboration, or B2B direct connect. This setting will only suppress the consent prompt if the specified tenant checks this setting for inbound access as well.
 
-    ![Screenshot that shows the outbound suppress consent prompt check box.](../media/external-identities/outbound-consent-prompt-setting.png)
+    ![Screenshot that shows the outbound Automatic redemption check box.](../media/external-identities/outbound-consent-prompt-setting.png)
 
 1. Select **Save**.
 

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect.md

@@ -5,7 +5,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 05/05/2023
+ms.date: 05/31/2023
 
 ms.author: mimart
 author: msmimart
@@ -179,11 +179,11 @@ With inbound settings, you select which external users and groups will be able t
 
     ![Screenshot showing inbound trust settings.](media/cross-tenant-access-settings-b2b-direct-connect/inbound-trust-settings.png)
 
-1. (This step applies to **Organizational settings** only.) Review the consent prompt option:
+1. (This step applies to **Organizational settings** only.) Review the **Automatic redemption** option:
 
-   - **Suppress consent prompts for users from the other tenant when they access apps and resources in my tenant**: Select this checkbox if you want to automatically redeem invitations so users from the specified tenant don't have to accept the consent prompt when they access resources in this tenant using B2B direct connect. This setting will only suppress the consent prompt if the specified tenant checks this setting for outbound access as well.
+   - **Automatically redeem invitations with the tenant** <tenant>: Check this setting if you want to automatically redeem invitations. If so, users from the specified tenant won't have to accept the consent prompt the first time they access this tenant using cross-tenant synchronization, B2B collaboration, or B2B direct connect. This setting will only suppress the consent prompt if the specified tenant checks this setting for outbound access as well.
 
-    ![Screenshot that shows the inbound suppress consent prompt check box.](../media/external-identities/inbound-consent-prompt-setting.png)
+    ![Screenshot that shows the inbound Automatic redemption check box.](../media/external-identities/inbound-consent-prompt-setting.png)
 
 1. Select **Save**.
 
@@ -272,11 +272,11 @@ With outbound settings, you select which of your users and groups will be able t
 
 1. Select the **Trust settings** tab.
 
-1. Review the consent prompt option:
+1. Review the **Automatic redemption** option:
 
-   - **Suppress consent prompts for users from my tenant when they access apps and resources in the other tenant**: Select this checkbox if you want to automatically redeem invitations so users from this tenant don't have to accept the consent prompt when they access resources in the specified tenant using B2B direct connect. This setting will only suppress the consent prompt if the specified tenant checks this setting for inbound access as well.
+   - **Automatically redeem invitations with the tenant** <tenant>: Check this setting if you want to automatically redeem invitations. If so, users from this tenant don't have to accept the consent prompt the first time they access the specified tenant using cross-tenant synchronization, B2B collaboration, or B2B direct connect. This setting will only suppress the consent prompt if the specified tenant checks this setting for inbound access as well.
 
-    ![Screenshot that shows the outbound suppress consent prompt check box.](../media/external-identities/outbound-consent-prompt-setting.png)
+    ![Screenshot that shows the outbound Automatic redemption check box.](../media/external-identities/outbound-consent-prompt-setting.png)
 
 1. Select **Save**.
 

articles/active-directory/includes/automatic-redemption-include.md

@@ -11,12 +11,11 @@ ms.author: rolyon
 ms.custom: include file
 ---
 
-The automatic redemption setting is an inbound and outbound organizational trust setting to automatically redeem invitations so users don't have to accept the consent prompt the first time they access the resource/target tenant. This setting is a check box with the following name depending on whether it's inbound or outbound:
+The automatic redemption setting is an inbound and outbound organizational trust setting to automatically redeem invitations so users don't have to accept the consent prompt the first time they access the resource/target tenant. This setting is a check box with the following name:
 
-- **Suppress consent prompts for users from the other tenant when they access apps and resources in my tenant**
-- **Suppress consent prompts for users from my tenant when they access apps and resources in the other tenant**
+- **Automatically redeem invitations with the tenant** <tenant>
 
-:::image type="content" source="../media/external-identities/inbound-consent-prompt-setting.png" alt-text="Screenshot that shows the inbound suppress consent prompt check box." lightbox="../media/external-identities/inbound-consent-prompt-setting.png":::
+:::image type="content" source="../media/external-identities/inbound-consent-prompt-setting.png" alt-text="Screenshot that shows the inbound Automatic redemption check box." lightbox="../media/external-identities/inbound-consent-prompt-setting.png":::
 
 #### Compare setting for different scenarios
 

articles/active-directory/manage-apps/app-management-videos.md

@@ -33,11 +33,9 @@ ___
     :::column-end:::
 :::row-end:::
 
-
-
 ## Consent and permissions for admins
 
-Learn about the options available for managing consent to applications in a tenant. Learn how about delegated permissions and how to revoke previously consented permissions to mitigate risks posed by malicious applications.
+Learn the options available for managing consent to applications in a tenant. Learn about delegated permissions and how to revoke previously consented permissions to mitigate risks posed by malicious applications.
 ___
 
 :::row:::
@@ -69,8 +67,8 @@ ___
     :::column-end:::
 :::row-end:::
 
-
 ## Assigning owners and users to an enterprise app
+
 Learn about who can assign owners to service principals, how to assign these owners, permissions that owners have, and what to do when an owner leaves the organization.
 Learn how to assign users and, groups to an enterprise application and how and why an enterprise app may show up in a tenant. 
 ___
@@ -97,9 +95,42 @@ ___
         >[!Video https://www.youtube.com/embed/NhbcVt5xOVI]
     :::column-end:::
     :::column:::
-
     :::column-end:::
     :::column:::
+    :::column-end:::
+:::row-end:::
+
+## Phases of migrating apps from ADFS to Azure AD
 
+Learn about the different phases of migrating apps from ADFS to Azure AD and the steps involved in each phase. View a demo on how to migrate a simple app from ADFS to Azure AD and the steps you need to take to ensure a successful migration.
+
+___
+
+:::row:::
+    :::column:::
+        1 - [Phase 1 and 2: Discover, scope, and classify apps and plan pilot](https://www.youtube.com/watch?v=PxLIacDpHh4)(4:05)
+    :::column-end:::
+    :::column:::
+        >[!VIDEO https://www.youtube.com/embed/PxLIacDpHh4]
+    :::column-end:::
+     :::column:::
+        2 - [Phase 3: Plan migration and testing](https://www.youtube.com/watch?v=PvI4Q4P_HfU)(5:39)
+    :::column-end:::
+    :::column:::
+        >[!Video https://www.youtube.com/embed/PvI4Q4P_HfU]
+    :::column-end:::
+:::row-end:::
+:::row:::
+    :::column:::
+        3 - [Phase 4: Plan management and insights](https://www.youtube.com/watch?v=8aUIuOXeDxw)(7:02)
+    :::column-end:::
+    :::column:::
+        >[!Video https://www.youtube.com/embed/8aUIuOXeDxw]
+    :::column-end:::
+    :::column:::
+        4 - [Active Directory Federation Services (AD FS) decommission guide](https://www.youtube.com/watch?v=D0M-N-RQw0I)(11:18)
+    :::column-end:::
+    :::column:::
+        >[!Video https://www.youtube.com/embed/D0M-N-RQw0I]
     :::column-end:::
 :::row-end:::

articles/active-directory/media/automatic-redemption-include/automatic-redemption-setting.png

@@ -19,7 +19,7 @@
     items:
     - name: Portal
       href: cross-tenant-synchronization-configure.md
-    - name: Graph API
+    - name: PowerShell or Graph API
       href: cross-tenant-synchronization-configure-graph.md
   - name: Scoping users or groups to be provisioned
     href: ../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md?toc=/azure/active-directory/multi-tenant-organizations/toc.json&pivots=cross-tenant-synchronization