Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Learn Build Service GitHub App

.openpublishing.publish.config.json

@@ -74,6 +74,12 @@
       "branch": "main",
       "branch_mapping": {}
     },
+    {
+      "path_to_root": "ms-identity-ciam-dotnet-tutorial",
+      "url": "https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial",
+      "branch": "main",
+      "branch_mapping": {}
+    },
     {
       "path_to_root": "_themes",
       "url": "https://github.com/Microsoft/templates.docs.msft",

.openpublishing.redirection.json

@@ -23967,6 +23967,26 @@
             "source_path_from_root": "/articles/active-directory/manage-apps/migrate-okta-sync-provisioning-to-azure-active-directory.md",
             "redirect_url": "/azure/active-directory/manage-apps/migrate-okta-sync-provisioning",
             "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/networking/connectivty-interoperability-preface.md",
+            "redirect_url": "/azure/networking/manage-apps/connectivity-interoperability-preface",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/networking/connectivty-interoperability-configuration.md",
+            "redirect_url": "/azure/networking/manage-apps/connectivity-interoperability-configuration",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/networking/connectivty-interoperability-control-plane.md",
+            "redirect_url": "/azure/networking/manage-apps/connectivity-interoperability-control-plane",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/networking/connectivty-interoperability-data-plane.md",
+            "redirect_url": "/azure/networking/manage-apps/connectivity-interoperability-data-plane",
+            "redirect_document_id": false
         }
     ]
 }

.openpublishing.redirection.reliability.json

@@ -0,0 +1,11 @@
+{
+  "redirections": [
+    {
+      "source_path_from_root": "/articles/reliability/reliability-energy-data-services.md",
+      "redirect_url": "/azure/energy-data-services/reliability-energy-data-services",
+      "redirect_document_id": true
+    }  
+  ]
+}
+
+

articles/active-directory/app-provisioning/known-issues.md

@@ -167,7 +167,7 @@ The following information is a current list of known limitations with the Azure
 The following applications and directories aren't yet supported.
 
 #### Active Directory Domain Services (user or group writeback from Azure AD by using the on-premises provisioning preview)
-   - When a user is managed by Azure AD Connect, the source of authority is on-premises Azure AD. So, user attributes can't be changed in Azure AD. This preview doesn't change the source of authority for users managed by Azure AD Connect.
+   - When a user is managed by Azure AD Connect, the source of authority is on-premises Active Directory Domain Services. So, user attributes can't be changed in Azure AD. This preview doesn't change the source of authority for users managed by Azure AD Connect.
    - Attempting to use Azure AD Connect and the on-premises provisioning to provision groups or users into Active Directory Domain Services can lead to creation of a loop, where Azure AD Connect can overwrite a change that was made by the provisioning service in the cloud. Microsoft is working on a dedicated capability for group or user writeback. Upvote the UserVoice feedback on [this website](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789/) to track the status of the preview. Alternatively, you can use [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) for user or group writeback from Azure AD to Active Directory.
 
 #### Azure AD

articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md

@@ -171,7 +171,7 @@ The Azure AD Provisioning Services is designed to support a SCIM 2.0 user manage
 > [!IMPORTANT]
 > The behavior of the Azure AD SCIM implementation was last updated on December 18, 2018. For information on what changed, see [SCIM 2.0 protocol compliance of the Azure AD User Provisioning service](application-provisioning-config-problem-scim-compatibility.md).
 
-Within the [SCIM 2.0 protocol specification](http://www.simplecloud.info/#Specification), your application must support these requirements:
+Within the SCIM 2.0 protocol specification, your application must support these requirements:
 
 |Requirement|Reference notes (SCIM protocol)|
 |---|---|

articles/active-directory/app-proxy/application-proxy-ping-access-publishing-guide.md

@@ -38,7 +38,7 @@ This article is for people to publish an application with this scenario for the
 
 ### Install an Application Proxy connector
 
-If you've enabled Application Proxy enabled and installed a connector already, you can skip this section and go to [Add your application to Azure AD with Application Proxy](#add-your-application-to-azure-ad-with-application-proxy).
+If you've enabled Application Proxy and installed a connector already, you can skip this section and go to [Add your application to Azure AD with Application Proxy](#add-your-application-to-azure-ad-with-application-proxy).
 
 The Application Proxy connector is a Windows Server service that directs the traffic from your remote employees to your published applications. For more detailed installation instructions, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md).
 
@@ -227,4 +227,4 @@ When you've completed all these steps, your application should be up and running
 
 - [Configuring PingAccess to use Azure AD as the token provider](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_configure_pa_to_use_azure_ad_as_the_token_provider)
 - [Single sign-on to applications in Azure Active Directory](../manage-apps/what-is-single-sign-on.md)
-- [Troubleshoot Application Proxy problems and error messages](application-proxy-troubleshoot.md)
+- [Troubleshoot Application Proxy problems and error messages](application-proxy-troubleshoot.md)

articles/active-directory/authentication/concept-system-preferred-multifactor-authentication.md

@@ -4,7 +4,7 @@ description: Learn how to use system-preferred multifactor authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 06/02/2023
+ms.date: 06/28/2023
 ms.author: justinha
 author: justinha
 manager: amycolannino
@@ -25,7 +25,7 @@ System-preferred MFA is a Microsoft managed setting, which is a [tristate policy
 After system-preferred MFA is enabled, the authentication system does all the work. Users don't need to set any authentication method as their default because the system always determines and presents the most secure method they registered. 
 
 >[!NOTE]
->System-preferred MFA is a key security upgrade to traditional second factor notifications. We highly recommend enabling system-preferred MFA in the near term for improved sign-in security. 
+>System-preferred MFA is an important security enhancement for users authenticating by using telecom transports. Starting July 07, 2023, the Microsoft managed value of system-preferred MFA will change from **Disabled** to **Enabled**. If you don't want to enable system-peeferred MFA, change the state from **Default** to **Disabled**, or exclude users and groups from the policy.
 
 ## Enable system-preferred MFA in the Azure portal
 
@@ -101,7 +101,7 @@ Content-Type: application/json
 
 ## Known issue
 
-[FIDO2 security keys](../develop/support-fido2-authentication.md#mobile) on mobile devices and [registration for certificate-based authentication (CBA)](concept-certificate-based-authentication.md) aren't supported due to an issue that might surface when system-preferred MFA is enabled. Until a fix is available, we recommend not using FIDO2 security keys on mobile devices or registering for CBA. To disable system-preferred MFA for these users, you can either add them to an excluded group or remove them from an included group.
+A fix for [FIDO2 security keys](../develop/support-fido2-authentication.md#mobile) is being rolled out with the change of the Microsoft managed setting to **Enabled**. As part of the rollout, we adjusted the preferred methods list, which moved certificate-based authentication (CBA) lower on the list of preferred methods. This change is necessary due to a known issue where users within the scope of CBA can't use any other available authentication method. We are actively working to address this issue, and once the fix is rolled out, CBA will return to its appropriate position on the list of preferred methods. However, tenants that use a Conditional Access policy that mandates CBA will have the ability to bypass this downgrade and be unaffected by the change.
 
 ## FAQ
 
@@ -110,19 +110,19 @@ Content-Type: application/json
 When a user signs in, the authentication process checks which authentication methods are registered for the user. The user is prompted to sign-in with the most secure method according to the following order. The order of authentication methods is dynamic. It's updated as the security landscape changes, and as better authentication methods emerge. Click the link for information about each method.
 
 1. [Temporary Access Pass](howto-authentication-temporary-access-pass.md)
-1. [Certificate-based authentication](concept-certificate-based-authentication.md)
 1. [FIDO2 security key](concept-authentication-passwordless.md#fido2-security-keys)
 1. [Microsoft Authenticator push notifications](concept-authentication-authenticator-app.md)
 1. [Time-based one-time password (TOTP)](concept-authentication-oath-tokens.md)<sup>1</sup>
 1. [Telephony](concept-authentication-phone-options.md)<sup>2</sup>
+1. [Certificate-based authentication](concept-certificate-based-authentication.md)
 
 <sup>1</sup> Includes hardware or software TOTP from Microsoft Authenticator, Authenticator Lite, or third-party applications.
 
 <sup>2</sup> Includes SMS and voice calls.
 
-### How does system-preferred MFA affect AD FS or NPS extension?
+### How does system-preferred MFA affect the NPS extension?
 
-System-preferred MFA doesn't affect users who sign in by using federation, such as Active Directory Federation Services (AD FS) or third-party providers, or Network Policy Server (NPS) extension. Those users don't see any change to their sign-in experience.
+System-preferred MFA doesn't affect users who sign in by using the Network Policy Server (NPS) extension. Those users don't see any change to their sign-in experience.
 
 ### What happens for users who aren't specified in the Authentication methods policy but enabled in the legacy MFA tenant-wide policy?
 

articles/active-directory/authentication/howto-password-ban-bad-on-premises-deploy.md

@@ -92,7 +92,7 @@ The following core requirements apply:
     | --- | --- |
     |`https://login.microsoftonline.com`|Authentication requests|
     |`https://enterpriseregistration.windows.net`|Azure AD Password Protection functionality|
-    |`https://autoupdate.msappproxaxy.net` | Azure AD Password Protection auto-upgrade functionality |
+    |`https://autoupdate.msappproxy.net` | Azure AD Password Protection auto-upgrade functionality |
 
 > [!NOTE]
 > Some endpoints, such as the CRL endpoint, are not addressed in this article. For a list of all supported endpoints, see [Microsoft 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online).

articles/active-directory/develop/multi-service-web-app-access-microsoft-graph-as-user.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: app-service
 ms.topic: tutorial
 ms.workload: identity
-ms.date: 04/25/2022
+ms.date: 06/28/2023
 ms.author: ryanwi
 ms.reviewer: stsoneff
 ms.devlang: csharp, javascript
@@ -181,13 +181,26 @@ public class Startup
     // This method gets called by the runtime. Use this method to add services to the container.
     public void ConfigureServices(IServiceCollection services)
     {
-        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
-                .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
-                    .EnableTokenAcquisitionToCallDownstreamApi()
-                        .AddMicrosoftGraph(Configuration.GetSection("Graph"))
-                        .AddInMemoryTokenCaches();
-
-        services.AddRazorPages();
+      services.AddOptions();
+      string[] initialScopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');
+
+      services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
+              .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
+              .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
+                      .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
+                      .AddInMemoryTokenCaches(); 
+
+      services.AddAuthorization(options =>
+      {
+          // By default, all incoming requests will be authorized according to the default policy
+          options.FallbackPolicy = options.DefaultPolicy;
+      });
+      services.AddRazorPages()
+          .AddMvcOptions(options => {})                
+          .AddMicrosoftIdentityUI();
+
+      services.AddControllersWithViews()
+              .AddMicrosoftIdentityUI();
     }
 }
 
@@ -203,17 +216,32 @@ public class Startup
 {
   "AzureAd": {
     "Instance": "https://login.microsoftonline.com/",
-    "Domain": "fourthcoffeetest.onmicrosoft.com",
-    "TenantId": "[tenant-id]",
-    "ClientId": "[client-id]",
-    // To call an API
-    "ClientSecret": "[secret-from-portal]", // Not required by this scenario
+    "Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]",
+    "TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (Obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",
+    "ClientId": "[Enter the Client Id (Application ID obtained from the Azure portal), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",
+    "ClientSecret": "[Copy the client secret added to the app from the Azure portal]",
+    "ClientCertificates": [
+    ],
+    // the following is required to handle Continuous Access Evaluation challenges
+    "ClientCapabilities": [ "cp1" ],
     "CallbackPath": "/signin-oidc"
   },
+  "DownstreamApis": {
+    "MicrosoftGraph": {
+      // Specify BaseUrl if you want to use Microsoft graph in a national cloud.
+      // See https://learn.microsoft.com/graph/deployments#microsoft-graph-and-graph-explorer-service-root-endpoints
+      // "BaseUrl": "https://graph.microsoft.com/v1.0",
+
+      // Set RequestAppToken this to "true" if you want to request an application token (to call graph on 
+      // behalf of the application). The scopes will then automatically
+      // be ['https://graph.microsoft.com/.default'].
+      // "RequestAppToken": false
 
-  "Graph": {
-    "BaseUrl": "https://graph.microsoft.com/v1.0",
-    "Scopes": "user.read"
+      // Set Scopes to request (unless you request an app token).
+      "Scopes": [ "User.Read" ]
+
+      // See https://aka.ms/ms-id-web/downstreamApiOptions for all the properties you can set.
+    }
   },
   "Logging": {
     "LogLevel": {
@@ -240,7 +268,7 @@ using Microsoft.Extensions.Logging;
 
 // Some code omitted for brevity.
 
-[AuthorizeForScopes(Scopes = new[] { "user.read" })]
+[AuthorizeForScopes(Scopes = new[] { "User.Read" })]
 public class IndexModel : PageModel
 {
     private readonly ILogger<IndexModel> _logger;

articles/active-directory/develop/tutorial-v2-nodejs-console.md

@@ -1,6 +1,6 @@
 ---
-title: "Tutorial: Call Microsoft Graph in a Node.js console app"
-description: In this tutorial, you build a console app for calling Microsoft Graph to a Node.js console app.
+title: "Tutorial: Call Microsoft Graph in a Node.js console daemon app"
+description: In this tutorial, you build a console daemon app for calling Microsoft Graph.
 services: active-directory
 author: cilwerner
 manager: CelesteDG
@@ -13,15 +13,15 @@ ms.date: 12/12/2021
 ms.author: cwerner
 ---
 
-# Tutorial: Call the Microsoft Graph API in a Node.js console app
+# Tutorial: Call the Microsoft Graph API in a Node.js console daemon app
 
-In this tutorial, you build a console app that calls Microsoft Graph API using its own identity. The console app you build uses the [Microsoft Authentication Library (MSAL) for Node.js](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node).
+In this tutorial, you build a console daemon app that calls Microsoft Graph API using its own identity. The daemon app you build uses the [Microsoft Authentication Library (MSAL) for Node.js](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node).
 
 Follow the steps in this tutorial to:
 
 > [!div class="checklist"]
 > - Register the application in the Azure portal
-> - Create a Node.js console app project
+> - Create a Node.js console daemon app project
 > - Add authentication logic to your app
 > - Add app registration details
 > - Add a method to call a web API
@@ -38,15 +38,15 @@ First, complete the steps in [Register an application with the Microsoft identit
 
 Use the following settings for your app registration:
 
-- Name: `NodeConsoleApp` (suggested)
+- Name: `NodeDaemonApp` (suggested)
 - Supported account types: **Accounts in this organizational directory only**
 - API permissions: **Microsoft APIs** > **Microsoft Graph** > **Application Permissions** > `User.Read.All`
 - Client secret: `*********` (record this value for use in a later step - it's shown only once)
 
 ## Create the project
 
 
-1. Start by creating a directory for this Node.js tutorial project. For example, *NodeConsoleApp*.
+1. Start by creating a directory for this Node.js tutorial project. For example, *NodeDaemonApp*.
 
 1. In your terminal, change into the directory you created (the project root), and then run the following commands:
 
@@ -116,7 +116,7 @@ The *index.js* file you just created references two other node modules that you'
 At the end of the tutorial, your project's file and directory structure should look similar to this:
 
 ```
-NodeConsoleApp/
+NodeDaemonApp/
 ├── bin
 │   ├── auth.js
 │   ├── fetch.js
@@ -183,7 +183,7 @@ In the code snippet above, we first create a configuration object (*msalConfig*)
 
 ## Add app registration details
 
-Create an environment file to store the app registration details that will be used when acquiring tokens. To do so, create a file named *.env* inside the root folder of the sample (*NodeConsoleApp*), and add the following code:
+Create an environment file to store the app registration details that will be used when acquiring tokens. To do so, create a file named *.env* inside the root folder of the sample (*NodeDaemonApp*), and add the following code:
 
 ```
 # Credentials
@@ -253,7 +253,7 @@ Here, the `callApi` method is used to make an HTTP `GET` request against a prote
 
 You've completed creation of the application and are now ready to test the app's functionality.
 
-Start the Node.js console app by running the following command from within the root of your project folder:
+Start the Node.js console daemon app by running the following command from within the root of your project folder:
 
 ```console
 node . --op getUsers
@@ -292,7 +292,7 @@ The scope to request for a client credential flow is the name of the resource fo
 
 ## Next steps
 
-If you'd like to dive deeper into Node.js console application development on the Microsoft identity platform, see our multi-part scenario series:
+If you'd like to dive deeper into Node.js daemon application development on the Microsoft identity platform, see our multi-part scenario series:
 
 > [!div class="nextstepaction"]
 > [Scenario: Daemon application](scenario-daemon-overview.md)