
Commit 96b3949

Merge pull request #207106 from MicrosoftDocs/main
8/05 PM Publish
2 parents 74bbe74 + 1d09f66 commit 96b3949


138 files changed

+1536
-426
lines changed


articles/active-directory-b2c/extensions-app.md

Lines changed: 25 additions & 7 deletions
@@ -31,15 +31,33 @@ To verify that the b2c-extensions-app is present:
3131

3232
## Recover the extensions app
3333

34-
If you accidentally deleted the b2c-extensions-app, you have 30 days to recover it. You can restore the app using the Graph API:
34+
If you accidentally deleted the `b2c-extensions-app`, you have 30 days to recover it.
3535

36+
> [!NOTE]
37+
> An application can only be restored if it has been deleted within the last 30 days. If it has been more than 30 days, data will be permanently lost. For more assistance, file a support ticket.
38+
39+
### Recover the extensions app using the Azure portal
40+
41+
1. Sign in to your Azure AD B2C tenant.
42+
2. Search for and open **App registrations**.
43+
1. Select the **Deleted applications** tab and identify the `b2c-extensions-app` from the list of recently deleted applications.
44+
1. Select **Restore app registration**.
45+
46+
You should now be able to [see the restored app](#verifying-that-the-extensions-app-is-present) in the Azure portal.
47+
48+
### Recover the extensions app using Microsoft Graph
49+
To restore the app using Microsoft Graph, you must restore both the application and the service principal.
50+
51+
To restore the application:
3652
1. Browse to [https://developer.microsoft.com/en-us/graph/graph-explorer](https://developer.microsoft.com/en-us/graph/graph-explorer).
3753
1. Log in to the site as a global administrator for the Azure AD B2C directory that you want to restore the deleted app for. This global administrator must have an email address similar to the following: `username@{yourTenant}.onmicrosoft.com`.
38-
1. Issue an HTTP GET against the URL `https://graph.microsoft.com/beta/directory/deleteditems/microsoft.graph.application`. This operation will list all of the applications that have been deleted within the past 30 days.
39-
1. Find the application in the list where the name begins with 'b2c-extensions-app and copy its `objectid` property value.
40-
1. Issue an HTTP POST against the URL `https://graph.microsoft.com/beta/directory/deleteditems/{id}/restore`. Replace the `{id}` portion of the URL with the `objectid` from the previous step.
54+
1. Issue an HTTP GET against the URL `https://graph.microsoft.com/v1.0/directory/deleteditems/microsoft.graph.application`. This operation will list all of the applications that have been deleted within the past 30 days. You can also use the URL `https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.application?$filter=displayName eq 'b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.'` to filter by the app's **displayName** property.
55+
1. Find the application in the list where the name begins with `b2c-extensions-app` and copy its `id` property value.
56+
1. Issue an HTTP POST against the URL `https://graph.microsoft.com/v1.0/directory/deleteditems/{id}/restore`. Replace the `{id}` portion of the URL with the `id` from the previous step.]
4157

42-
You should now be able to [see the restored app](#verifying-that-the-extensions-app-is-present) in the Azure portal.
58+
To restore the service principal:
59+
1. Issue an HTTP GET against the URL `https://graph.microsoft.com/v1.0/directory/deleteditems/microsoft.graph.servicePrincipal`. This operation will list all of the service principals that have been deleted within the past 30 days. You can also use the URL `https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.servicePrincipal?$filter=displayName eq 'b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.'` to filter by the app's **displayName** property.
60+
1. Find the service principal in the list where the name begins with `b2c-extensions-app` and copy its `id` property value.
61+
1. Issue an HTTP POST against the URL `https://graph.microsoft.com/v1.0/directory/deleteditems/{id}/restore`. Replace the `{id}` portion of the URL with the `id` from the previous step.
4362

44-
> [!NOTE]
45-
> An application can only be restored if it has been deleted within the last 30 days. If it has been more than 30 days, data will be permanently lost. For more assistance, file a support ticket.
63+
You should now be able to [see the restored app](#verifying-that-the-extensions-app-is-present) in the Azure portal.
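Review bot: The last step under "To restore the application" (line 56+) ends with a stray `]` after "from the previous step." that will render literally; drop it so the line matches the otherwise identical step under "To restore the service principal" (line 61+). Two smaller consistency points in the same hunk: the `$filter` URLs (lines 54+ and 59+) use `deletedItems` while the plain URLs on the same lines use `deleteditems`, so pick one casing for the segment; and the portal steps at lines 41+ to 44+ are numbered 1, 2, 1, 1 whereas the rest of the article uses `1.` for every item.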

articles/active-directory-b2c/microsoft-graph-operations.md

Lines changed: 23 additions & 13 deletions
@@ -141,24 +141,25 @@ The top-level resource for policy keys in the Microsoft Graph API is the [Truste
141141
- [Create oauth2Permission Grant](/graph/api/resources/oauth2permissiongrant)
142142
- [Delete application](/graph/api/application-delete)
143143

144-
## Application extension properties
144+
## Application extension (directory extension) properties
145145

146-
- [Create extension properties](/graph/api/application-post-extensionproperty)
147-
- [List extension properties](/graph/api/application-list-extensionproperty)
148-
- [Get an extension property](/graph/api/extensionproperty-get)
149-
- [Delete extension property](/graph/api/extensionproperty-delete)
150-
- [Get available extension properties](/graph/api/directoryobject-getavailableextensionproperties)
146+
Application extension properties are also known as directory or Azure AD extensions. To manage them in Azure AD B2C, use the [identityUserFlowAttribute resource type](/graph/api/resources/identityuserflowattribute) and its associated methods.
151147

152-
<!--
153-
#Hiding this note because user flows and extension attributes are different things in Microsoft Graph.
148+
- [Create user flow attribute](/graph/api/identityuserflowattribute-post)
149+
- [List user flow attributes](/graph/api/identityuserflowattribute-list)
150+
- [Get a user flow attribute](/graph/api/identityuserflowattribute-get)
151+
- [Update a user flow attribute](/graph/api/identityuserflowattribute-update)
152+
- [Delete a user flow attribute](/graph/api/identityuserflowattribute-delete)
154153

155-
Azure AD B2C provides a directory that can hold 100 custom attributes per user. For user flows, these extension properties are [managed by using the Azure portal](user-flow-custom-attributes.md). For custom policies, Azure AD B2C creates the property for you, the first time the policy writes a value to the extension property.
156-
-->
154+
You can store up to 100 directory extension values per user. To manage the directory extension properties for a user, use the following [User APIs](/graph/api/resources/user) in Microsoft Graph.
157155

158-
Azure AD B2C provides a directory that can hold 100 extension values per user. To manage the extension values for a user, use the following [User APIs](/graph/api/resources/user) in Microsoft Graph.
156+
- [Update user](/graph/api/user-update): To write or remove the value of the directory extension property from the user object.
157+
- [Get a user](/graph/api/user-get): To retrieve the value of the directory extension for the user. The property will be returned by default through the `beta` endpoint, but only on `$select` through the `v1.0` endpoint.
159158

160-
- [Update user](/graph/api/user-update): To write or remove the extension property value from the user.
161-
- [Get a user](/graph/api/user-get): To retrieve the extension property value for the user. The extension property will be returned by default through the `beta` endpoint, but only on `$select` through the `v1.0` endpoint.
159+
For user flows, these extension properties are [managed by using the Azure portal](user-flow-custom-attributes.md). For custom policies, Azure AD B2C creates the property for you, the first time the policy writes a value to the extension property.
160+
161+
> [!NOTE]
162+
> In Azure AD, directory extensions are managed through the [extensionProperty resource type](/graph/api/resources/extensionproperty) and its associated methods. However, because they are used in B2C through the `b2c-extensions-app` app which should not be updated, they are managed in Azure AD B2C using the [identityUserFlowAttribute resource type](/graph/api/resources/identityuserflowattribute) and its associated methods.
162163
163164
## Audit logs
164165

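Review bot: The renamed heading at line 144+ changes the section anchor from `#application-extension-properties` to `#application-extension-directory-extension-properties`; this commit updates the links in user-flow-custom-attributes.md, but any other article or redirect that still targets the old anchor will silently land at the top of the page, so a repository-wide search for the old anchor is worth doing before merging. Also, in the note at line 163+, "through the `b2c-extensions-app` app which should not be updated" reads awkwardly; consider "through the `b2c-extensions-app` application, which must not be modified", which matches the wording of the app's own display name used in the extensions-app article.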
@@ -174,6 +175,15 @@ For more information about accessing Azure AD B2C audit logs, see [Accessing Azu
174175
- [Update a Conditional Access policy](/graph/api/conditionalaccesspolicy-update)
175176
- [Delete a Conditional Access policy](/graph/api/conditionalaccesspolicy-delete)
176177

178+
## Retrieve or restore deleted users and applications
179+
180+
Deleted items can only be restored if they were deleted within the last 30 days.
181+
182+
- [List deleted items](/graph/api/directory-deleteditems-list)
183+
- [Get a deleted item](/graph/api/directory-deleteditems-get)
184+
- [Restore a deleted item](/graph/api/directory-deleteditems-restore)
185+
- [Permanently delete a deleted item](/graph/api/directory-deleteditems-delete)
186+
177187
## How to programmatically manage Microsoft Graph
178188

179189
When you want to manage Microsoft Graph, you can either do it as the application using the application permissions, or you can use delegated permissions. For delegated permissions, either the user or an administrator consents to the permissions that the app requests. The app is delegated with the permission to act as a signed-in user when it makes calls to the target resource. Application permissions are used by apps that do not require a signed in user present and thus require application permissions. Because of this, only administrators can consent to application permissions.
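Review bot: The new heading at line 178+ says "users and applications", but the deletedItems APIs it links also cover service principals, and the extensions-app article changed in this same commit depends on restoring the service principal as well as the application; consider a heading such as "Retrieve or restore deleted directory objects", or at least mention service principals in the sentence at line 180+, so that readers recovering `b2c-extensions-app` know both objects are in scope of these calls.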

articles/active-directory-b2c/user-flow-custom-attributes.md

Lines changed: 11 additions & 11 deletions
@@ -29,7 +29,7 @@ Your Azure AD B2C directory comes with a [built-in set of attributes](user-profi
2929

3030
The terms *extension property*, *custom attribute*, and *custom claim* refer to the same thing in the context of this article. The name varies depending on the context, such as application, object, or policy.
3131

32-
Azure AD B2C allows you to extend the set of attributes stored on each user account. You can also read and write these attributes by using the [Microsoft Graph API](microsoft-graph-operations.md).
32+
Azure AD B2C allows you to extend the set of attributes stored on each user account. You can also read and write these attributes by using the [Microsoft Graph API](microsoft-graph-operations.md#application-extension-directory-extension-properties).
3333

3434
## Prerequisites
3535

@@ -58,7 +58,7 @@ The custom attribute is now available in the list of **User attributes** and for
5858
1. Select **Application claims** and then select the custom attribute.
5959
1. Select **Save**.
6060

61-
Once you've created a new user using a user flow, which uses the newly created custom attribute, the object can be queried in [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). Alternatively you can use the [Run user flow](./tutorial-create-user-flows.md) feature on the user flow to verify the customer experience. You should now see **ShoeSize** in the list of attributes collected during the sign-up journey, and see it in the token sent back to your application.
61+
Once you've created a new user using the user flow, you can use the [Run user flow](./tutorial-create-user-flows.md) feature on the user flow to verify the customer experience. You should now see **ShoeSize** in the list of attributes collected during the sign-up journey, and see it in the token sent back to your application.
6262

6363
::: zone-end
6464

@@ -144,7 +144,7 @@ You can create these attributes by using the portal UI before or after you use t
144144
|Name |Used in |
145145
|---------|---------|
146146
|`extension_loyaltyId` | Custom policy|
147-
|`extension_<b2c-extensions-app-guid>_loyaltyId` | [Microsoft Graph API](microsoft-graph-operations.md)|
147+
|`extension_<b2c-extensions-app-guid>_loyaltyId` | [Microsoft Graph API](microsoft-graph-operations.md#application-extension-directory-extension-properties)|
148148

149149
The following example demonstrates the use of custom attributes in an Azure AD B2C custom policy claim definition.
150150

@@ -179,22 +179,22 @@ The following example demonstrates the use of a custom attribute in Azure AD B2C
179179

180180
## Manage extension attributes through Microsoft Graph
181181

182-
You can use the Microsoft Graph API to create and manage extension attributes then set the values for a user.
182+
You can use Microsoft Graph to create and manage the custom attributes then set the values for a user. Extension attributes are also called directory or Azure AD extensions.
183183

184-
Extension attributes in the Microsoft Graph API are named by using the convention `extension_ApplicationClientID_attributename`, where the `ApplicationClientID` is equivalent to the **appId** but without the hyphens. For example, if the **appId** of the `b2c-extensions-app` application is `25883231-668a-43a7-80b2-5685c3f874bc` and the **attributename** is `loyaltyId`, then the extension attribute will be named `extension_25883231668a43a780b25685c3f874bc_loyaltyId`.
184+
Custom attributes (directory extensions) in the Microsoft Graph API are named by using the convention `extension_{appId-without-hyphens}_{extensionProperty-name}` where `{appId-without-hyphens}` is the stripped version of the **appId** (called Client ID on the Azure AD B2C portal) for the `b2c-extensions-app` with only characters 0-9 and A-Z. For example, if the **appId** of the `b2c-extensions-app` application is `25883231-668a-43a7-80b2-5685c3f874bc` and the attribute name is `loyaltyId`, then the custom attribute will be named `extension_25883231668a43a780b25685c3f874bc_loyaltyId`.
185185

186-
Learn how to [manage extension attributes in your Azure AD B2C tenant](microsoft-graph-operations.md#application-extension-properties) using the Microsoft Graph API.
186+
Learn how to [manage extension attributes in your Azure AD B2C tenant](microsoft-graph-operations.md#application-extension-directory-extension-properties) using the Microsoft Graph API.
187187

188188
## Remove extension attribute
189189

190-
Unlike built-in attributes, extension/custom attributes can be removed. The extension attributes' values can also be removed.
190+
Unlike built-in attributes, custom attributes can be removed. The extension attributes' values can also be removed.
191191

192192
> [!Important]
193-
> Before you remove the extension/custom attribute, for each account in the directory, set the extension attribute value to `null`. In this way you explicitly remove the extension attributes’s values. Then continue to remove the extension attribute itself. Extension/custom attribute is queryable using MS Graph API.
193+
> Before you remove the custom attribute, for each account in the directory, set the extension attribute value to `null`. In this way you explicitly remove the extension attributes’s values. Then continue to remove the extension attribute itself. Custom attributes can be queries using Microsoft Graph API.
194194
195195
::: zone pivot="b2c-user-flow"
196196

197-
Use the following steps to remove extension/custom attribute from a user flow in your:
197+
Use the following steps to remove a custom attribute from a user flow in your:
198198

199199
1. Sign in to the [Azure portal](https://portal.azure.com/) as the global administrator of your Azure AD B2C tenant.
200200
2. Make sure you're using the directory that contains your Azure AD B2C tenant:
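Review bot: Line 184+ says the stripped **appId** contains "only characters 0-9 and A-Z", but an appId is a GUID, so after removing the hyphens it consists only of hexadecimal digits, and the example on the same line (`25883231668a43a780b25685c3f874bc`) is lowercase; say "0-9 and a-f" (lowercase, matching the example) so the stated rule agrees with the value readers will copy. In the same hunk, line 193+ "Custom attributes can be queries using Microsoft Graph API" should read "can be queried using the Microsoft Graph API", "extension attributes’s values" should be "extension attributes' values", and line 197+ still ends in the dangling "from a user flow in your:" carried over from the old text.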
@@ -208,7 +208,7 @@ Use the following steps to remove extension/custom attribute from a user flow in
208208

209209
::: zone pivot="b2c-custom-policy"
210210

211-
Use the [Microsoft Graph API](microsoft-graph-operations.md#application-extension-properties) to delete the extension attribute from the application or to delete the extension attribute from the user.
211+
Use the [Microsoft Graph API](microsoft-graph-operations.md#application-extension-directory-extension-properties) to manage the custom attributes.
212212

213213
::: zone-end
214214

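Review bot: Replacing "to delete the extension attribute from the application or to delete the extension attribute from the user" with "to manage the custom attributes" at line 211+ drops the only instruction in this "Remove extension attribute" section that tells custom-policy users what to actually do; since the important block above requires nulling the value on every user before deleting the attribute, keep that two-step wording, for example "Use the Microsoft Graph API to set the attribute value to `null` on each user and then delete the custom attribute."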
@@ -222,4 +222,4 @@ Follow the guidance for how to [add claims and customize user input using custom
222222

223223
<!-- LINKS -->
224224
[ms-graph]: /graph/
225-
[ms-graph-api]: /graph/api/overview
225+
[ms-graph-api]: /graph/api/overview

articles/active-directory/authentication/concept-sspr-howitworks.md

Lines changed: 7 additions & 0 deletions
@@ -177,6 +177,13 @@ Consider the following example scenario:
177177
* Administrator *A* resets their password by using SSPR.
178178
* Administrators *B*, *C*, and *D* receive an email alerting them of the password reset.
179179

180+
> [!NOTE]
181+
> Email notifications from the SSPR service will be sent from the following addresses based on the Azure cloud you are working with:
182+
> - Public: [email protected]
183+
> - China: [email protected]
184+
> - Government: [email protected]
185+
186+
> If you observe issues in receiving notifications, please check your spam settings.
180187
## On-premises integration
181188

182189
If you have a hybrid environment, you can configure Azure AD Connect to write password change events back from Azure AD to an on-premises directory.
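Review bot: Line 186+ is an empty line without the `>` prefix, which terminates the blockquote, so "If you observe issues in receiving notifications..." at line 187+ renders as a separate note box; either prefix that blank line with `>` or drop it, as the same note in howto-sspr-deployment.md does. Also add a blank line between the last quoted line and "## On-premises integration" at line 187, since the heading now follows the blockquote directly. The sender addresses appear redacted in this view, so they cannot be checked here; because readers are expected to allowlist them, verify they are spelled out in full in the source.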

articles/active-directory/authentication/howto-sspr-deployment.md

Lines changed: 7 additions & 0 deletions
@@ -189,6 +189,13 @@ Set **Number of days before users is asked to reconfirm their authentication inf
189189

190190
Configure both the **Notify users on password resets** and the **Notify all admins when other admins reset their password** to **Yes**. Selecting **Yes** on both increases security by ensuring that users are aware when their password is reset. It also ensures that all admins are aware when an admin changes a password. If users or admins receive a notification and they haven't initiated the change, they can immediately report a potential security issue.
191191

192+
> [!NOTE]
193+
> Email notifications from the SSPR service will be sent from the following addresses based on the Azure cloud you are working with:
194+
> - Public: [email protected]
195+
> - China: [email protected]
196+
> - Government: [email protected]
197+
> If you observe issues in receiving notifications, please check your spam settings.
198+
192199
### Customization settings
193200

194201
It's critical to customize the helpdesk email or URL to ensure users who experience problems can get help immediately. Set this option to a common helpdesk email address or web page that your users are familiar with.
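Review bot: This note duplicates, word for word, the one added to concept-sspr-howitworks.md in the same commit; a shared include would keep the sender addresses in one place, which matters because readers are expected to allowlist them and a future change to only one copy would leave the other article stale. Minor: the `> - Public:` list lines follow the introductory sentence without a blank `>` line between them, so check that the rendered output shows a list rather than one run-on paragraph.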

articles/active-directory/develop/single-sign-on-saml-protocol.md

Lines changed: 3 additions & 1 deletion
@@ -101,7 +101,9 @@ A `Signature` element in `AuthnRequest` elements is optional. Azure AD does not
101101

102102
### Subject
103103

104-
Don't include a `Subject` element. Azure AD doesn't support specifying a subject for a request and will return an error if one is provided.
104+
Don't include a `Subject` element. Azure AD doesn't support specifying a subject in `AuthnRequest` and will return an error if one is provided.
105+
106+
A subject can instead be provided by adding a `login_hint` parameter to the HTTP request to the single sign-on URL, with the subject's NameID as the parameter value.
105107

106108
## Response
107109

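Review bot: The new sentence at line 106+ should make clear that `login_hint` is only a hint: it pre-populates the sign-in page, but nothing guarantees that the user who authenticates is the one named in the hint, so a service provider must still take the subject from the `NameID` in the signed SAML response rather than from the value it sent. The sentence should also say which identifier format the parameter expects, since the `NameID` format in the assertion is configurable and may not be a value the service provider holds before sign-in; "with the subject's NameID as the parameter value" is imprecise as written.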
articles/active-directory/governance/create-access-review.md

Lines changed: 0 additions & 1 deletion
@@ -133,7 +133,6 @@ If you are reviewing access to an application, then before creating the review,
133133

134134
1. In the **Enable review decision helpers** section choose whether you want your reviewer to receive recommendations during the review process:
135135
1. If you select **No sign-in within 30 days**, users who have signed in during the previous 30-day period are recommended for approval. Users who haven't signed in during the past 30 days are recommended for denial. This 30-day interval is irrespective of whether the sign-ins were interactive or not. The last sign-in date for the specified user will also display along with the recommendation.
136-
1. If you select **Peer outlier**, approvers will be recommended to keep or deny access to users based on the access the users' peers have. If a user doesn't have the same access as their peers, the system will recommend that the reviewer deny them access.
137136

138137
> [!NOTE]
139138
> If you create an access review based on applications, your recommendations are based on the 30-day interval period depending on when the user last signed in to the application rather than the tenant.
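Review bot: With the Peer outlier bullet removed, the sub-list at line 135 has a single "If you select ..." item under a lead-in that asks the author to "choose whether" to enable decision helpers; consider rewording the lead-in to name the one remaining helper, and if the Peer outlier recommendation has been withdrawn, say so rather than dropping it silently, so customers who enabled it know what changed.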