Merge branch 'main' into eur/speech-containers

Author: eric-urban

.openpublishing.redirection.api-management.json

@@ -149,6 +149,16 @@
         "source_path_from_root": "/articles/api-management/validation-policies.md",
         "redirect_url": "/azure/api-management/api-management-policies#validation-policies",
         "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/api-management/authorizations-how-to.md",
+        "redirect_url": "/azure/api-management/authorizations-how-to-github",
+        "redirect_document_id": false
+    },
+    {
+        "source_path_from_root": "/articles/api-management/authorizations-reference.md",
+        "redirect_url": "/azure/api-management/authorizations-configure-common-providers",
+        "redirect_document_id": false
     }
   ]
 }

.openpublishing.redirection.azure-monitor.json

@@ -1,6 +1,11 @@
 {
     "redirections": [
-         {
+        {
+            "source_path_from_root": "/articles/azure-monitor/snapshot-debugger/snapshot-collector-release-notes.md",
+            "redirect_url": "/azure/azure-monitor/snapshot-debugger/snapshot-debugger#release-notes-for-microsoftapplicationinsightssnapshotcollector",
+            "redirect_document_id": false
+        },
+        {
             "source_path_from_root": "/articles/azure-monitor/best-practices.md",
             "redirect_url": "/azure/azure-monitor/getting-started",
             "redirect_document_id": false

articles/active-directory-b2c/whats-new-docs.md

@@ -15,6 +15,29 @@ manager: CelesteDG
 
 Welcome to what's new in Azure Active Directory B2C documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the B2C service, see [What's new in Azure Active Directory](../active-directory/fundamentals/whats-new.md) and [Azure AD B2C developer release notes](custom-policy-developer-notes.md)
 
+## March 2023
+
+### Updated articles
+
+- [Configure SAML identity provider options with Azure Active Directory B2C](identity-provider-generic-saml-options.md)
+- [Tutorial: Configure BioCatch with Azure Active Directory B2C](partner-biocatch.md)
+- [Tutorial: Configure Nok Nok Passport with Azure Active Directory B2C for passwordless FIDO2 authentication](partner-nok-nok.md)
+- [Pass an identity provider access token to your application in Azure Active Directory B2C](idp-pass-through-user-flow.md)
+- [Tutorial: Configure Haventec Authenticate with Azure Active Directory B2C for single-step, multi-factor passwordless authentication](partner-haventec.md)
+- [Configure Trusona Authentication Cloud with Azure Active Directory B2C](partner-trusona.md)
+- [Tutorial: Configure IDEMIA Mobile ID with Azure Active Directory B2C](partner-idemia.md)
+- [Configure Azure Active Directory B2C with Bluink eID-Me for identity verification](partner-eid-me.md)
+- [Tutorial: Configure Azure Active Directory B2C with BlokSec for passwordless authentication](partner-bloksec.md)
+- [Tutorial: Configure Azure Active Directory B2C with Azure Web Application Firewall](partner-azure-web-application-firewall.md)
+- [Tutorial to configure Saviynt with Azure Active Directory B2C](partner-saviynt.md)
+- [Tutorial: Configure Keyless with Azure Active Directory B2C](partner-keyless.md)
+- [Tutorial: Configure security analytics for Azure Active Directory B2C data with Microsoft Sentinel](azure-sentinel.md)
+- [Configure authentication in a sample Python web app by using Azure AD B2C](configure-authentication-sample-python-web-app.md)
+- [Billing model for Azure Active Directory B2C](billing.md)
+- [Azure Active Directory B2C: Region availability & data residency](data-residency.md)
+- ['Azure AD B2C: Frequently asked questions (FAQ)'](faq.yml)
+- [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md)
+ 
 ## February 2023
 
 ### Updated articles

articles/active-directory-domain-services/migrate-from-classic-vnet.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 01/29/2023
+ms.date: 04/17/2023
 
 ms.author: justinha
 author: justinha
@@ -44,7 +44,11 @@ Microsoft doesn't guarantee consistent SMS or voice-based Azure AD Multi-Factor
 
 ### Text message verification
 
-With text message verification during SSPR or Azure AD Multi-Factor Authentication, an SMS is sent to the mobile phone number containing a verification code. To complete the sign-in process, the verification code provided is entered into the sign-in interface.
+With text message verification during SSPR or Azure AD Multi-Factor Authentication, a Short Message Service (SMS) text is sent to the mobile phone number containing a verification code. To complete the sign-in process, the verification code provided is entered into the sign-in interface. 
+
+Android users can enable Rich Communication Services (RCS) on their devices. RCS offers encryption and other improvements over SMS. For Android, MFA text messages may be sent over RCS rather than SMS. The MFA text message is similar to SMS, but RCS messages have more Microsoft branding and a verified checkmark so users know they can trust the message.
+
+:::image type="content" source="media/concept-authentication-methods/brand.png" alt-text="Screenshot of Microsoft branding in RCS messages.":::
 
 ### Phone call verification
 

articles/active-directory/authentication/concept-authentication-phone-options.md

@@ -26,7 +26,7 @@ See [How the sample works](#how-the-sample-works) for an illustration.
 ## Prerequisites
 
 * An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-* [Visual Studio 2019](https://visualstudio.microsoft.com/vs/)
+* [Visual Studio 2022](https://visualstudio.microsoft.com/vs/)
 * [.NET Framework 4.7.2+](https://dotnet.microsoft.com/download/visual-studio-sdks)
 
 ## Register and download the app
@@ -71,11 +71,11 @@ If you want to manually configure your application and code sample, use the foll
 3. Depending on the version of Visual Studio, you might need to right-click the project **AppModelv2-WebApp-OpenIDConnect-DotNet** and then select **Restore NuGet packages**.
 4. Open the Package Manager Console by selecting **View** > **Other Windows** > **Package Manager Console**. Then run `Update-Package Microsoft.CodeDom.Providers.DotNetCompilerPlatform -r`.
 
-5. Edit *Web.config* and replace the parameters `ClientId`, `Tenant`, and `redirectUri` with:
-   ```xml
-   <add key="ClientId" value="Enter_the_Application_Id_here" />
-   <add key="Tenant" value="Enter_the_Tenant_Info_Here" />
-   <add key="redirectUri" value="https://localhost:44368/" />
+5. Edit *appsettings.json* and replace the parameters `ClientId`, `Tenant`, and `redirectUri` with:
+   ```json
+   "ClientId" :"Enter_the_Application_Id_here" />
+   "TenantId": "Enter_the_Tenant_Info_Here" />
+   "RedirectUri" :"https://localhost:44368/" />
    ```
    In that code:
 
@@ -100,48 +100,30 @@ This section gives an overview of the code required to sign in users. This overv
 You can set up the authentication pipeline with cookie-based authentication by using OpenID Connect in ASP.NET with OWIN middleware packages. You can install these packages by running the following commands in Package Manager Console within Visual Studio:
 
 ```powershell
-Install-Package Microsoft.Owin.Security.OpenIdConnect
+Install-Package Microsoft.Identity.Web.Owin
+Install-Package Microsoft.Identity.Web.MicrosoftGraph
 Install-Package Microsoft.Owin.Security.Cookies
-Install-Package Microsoft.Owin.Host.SystemWeb
 ```
 
 ### OWIN startup class
 
 The OWIN middleware uses a *startup class* that runs when the hosting process starts. In this quickstart, the *startup.cs* file is in the root folder. The following code shows the parameters that this quickstart uses:
 
 ```csharp
-public void Configuration(IAppBuilder app)
-{
-    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
-
-    app.UseCookieAuthentication(new CookieAuthenticationOptions());
-    app.UseOpenIdConnectAuthentication(
-        new OpenIdConnectAuthenticationOptions
-        {
-            // Sets the client ID, authority, and redirect URI as obtained from Web.config
-            ClientId = clientId,
-            Authority = authority,
-            RedirectUri = redirectUri,
-            // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it's using the home page
-            PostLogoutRedirectUri = redirectUri,
-            Scope = OpenIdConnectScope.OpenIdProfile,
-            // ResponseType is set to request the code id_token, which contains basic information about the signed-in user
-            ResponseType = OpenIdConnectResponseType.CodeIdToken,
-            // ValidateIssuer set to false to allow personal and work accounts from any organization to sign in to your application
-            // To only allow users from a single organization, set ValidateIssuer to true and the 'tenant' setting in Web.config to the tenant name
-            // To allow users from only a list of specific organizations, set ValidateIssuer to true and use the ValidIssuers parameter
-            TokenValidationParameters = new TokenValidationParameters()
-            {
-                ValidateIssuer = false // Simplification (see note below)
-            },
-            // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to the OnAuthenticationFailed method
-            Notifications = new OpenIdConnectAuthenticationNotifications
-            {
-                AuthenticationFailed = OnAuthenticationFailed
-            }
-        }
-    );
-}
+    public void Configuration(IAppBuilder app)
+    {
+        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
+
+        app.UseCookieAuthentication(new CookieAuthenticationOptions());
+        OwinTokenAcquirerFactory factory = TokenAcquirerFactory.GetDefaultInstance<OwinTokenAcquirerFactory>();
+
+        app.AddMicrosoftIdentityWebApp(factory);
+        factory.Services
+            .Configure<ConfidentialClientApplicationOptions>(options => { options.RedirectUri = "https://localhost:44368/"; })
+            .AddMicrosoftGraph()
+            .AddInMemoryTokenCaches();
+        factory.Build();
+    }
 ```
 
 |Where  | Description |
@@ -155,10 +137,6 @@ public void Configuration(IAppBuilder app)
 | `TokenValidationParameters`     | A list of parameters for token validation. In this case, `ValidateIssuer` is set to `false` to indicate that it can accept sign-ins from any personal, work, or school account type. |
 | `Notifications`     | A list of delegates that can be run on `OpenIdConnect` messages. |
 
-
-> [!NOTE]
-> Setting `ValidateIssuer = false` is a simplification for this quickstart. In real applications, validate the issuer. See the samples to understand how to do that.
-
 ### Authentication challenge
 
 You can force a user to sign in by requesting an authentication challenge in your controller:
@@ -182,6 +160,24 @@ public void SignIn()
 
 You can protect a controller or controller actions by using the `[Authorize]` attribute. This attribute restricts access to the controller or actions by allowing only authenticated users to access the actions in the controller. An authentication challenge will then happen automatically when an unauthenticated user tries to access one of the actions or controllers decorated by the `[Authorize]` attribute.
 
+### Call Microsoft Graph from the controller
+
+You can call Microsoft Graph from the controller by getting the instance of GraphServiceClient using the `GetGraphServiceClient` extension method on the controller, like in the following code:
+
+```csharp
+    try
+    { 
+        var me = await this.GetGraphServiceClient().Me.Request().GetAsync();
+        ViewBag.Username = me.DisplayName;
+    }
+    catch (ServiceException graphEx) when (graphEx.InnerException is MicrosoftIdentityWebChallengeUserException)
+    {
+        HttpContext.GetOwinContext().Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);
+        return View();
+    }
+```
+
+
 [!INCLUDE [Help and support](../../../../../includes/active-directory-develop-help-support-include.md)]
 
 ## Next steps

articles/active-directory/authentication/media/concept-authentication-methods/brand.png

@@ -10,7 +10,7 @@ metadata:
   ms.subservice: app-mgmt
   ms.workload: identity
   ms.topic: landing-page
-  ms.date: 07/08/2021
+  ms.date: 04/17/2023
   author: CelesteDG
   ms.author: CelesteDG
 
@@ -89,6 +89,8 @@ landingContent:
         links:
           - text: Identity governance
             url: ../governance/identity-governance-overview.md
+          - text: User and admin consent
+            url: user-admin-consent-overview.md
       - linkListType: how-to-guide
         links:
           - text: Assign roles
@@ -139,6 +141,8 @@ landingContent:
             url: ../reports-monitoring/howto-download-logs.md
           - text: Set up access reviews
             url: ../governance/deploy-access-reviews.md
+          - text: Assign owners
+            url: assign-app-owners.md
   - title: Remote access to on-premises apps
     linkLists:
       - linkListType: concept
@@ -147,7 +151,7 @@ landingContent:
             url: ../app-proxy/application-proxy.md
       - linkListType: how-to-guide
         links:
-          - text: Application Proxy deployment
+          - text: Plan application Proxy deployment
             url: ../app-proxy/application-proxy-deployment-plan.md
           - text: Set up connectors
             url: ../app-proxy/application-proxy-connectors.md

articles/active-directory/develop/includes/web-app/quickstart-aspnet.md

@@ -35,7 +35,7 @@ Administrators, users, or Microsoft security researchers may flag OAuth applicat
 When Azure AD disables an OAuth application, the following actions occur:
 
 - The malicious application and related service principals are placed into a fully disabled state. Any new token requests or requests for refresh tokens are denied, but existing access tokens are still valid until their expiration.
-- The disabled state is surfaced through an exposed property called *disabledByMicrosoftStatus* on the related [application](/graph/api/resources/application) and [service principal](/graph/api/resources/serviceprincipal) resource types in Microsoft Graph.
+- These applications will show `DisabledDueToViolationOfServicesAgreement` on the `disabledByMicrosoftStatus` property on the related [application](/graph/api/resources/application) and [service principal](/graph/api/resources/serviceprincipal) resource types in Microsoft Graph. To prevent them from being instantiated in your organization again in the future, you cannot delete these objects.
 - An email is sent to a global administrator when a user in an organization consented to an application before it was disabled. The email specifies the action taken and recommended steps they can do to investigate and improve their security posture.
 
 ## Recommended response and remediation
@@ -73,3 +73,4 @@ Administrators should be in control of application use by providing the right in
 - [Managing access to applications](./what-is-access-management.md)
 - [Restrict user consent operations in Azure AD](../../security/fundamentals/steps-secure-identity.md#restrict-user-consent-operations)
 - [Compromised and malicious applications investigation](/security/compass/incident-response-playbook-compromised-malicious-app)
+

articles/active-directory/manage-apps/index.yml

@@ -522,6 +522,28 @@ $smssignin = Get-MgUserAuthenticationPhoneMethod -UserId $userId
 ##### End the script
 ```
 
+#### Symptom - Users fail to provision with error "AzureActiveDirectoryForbidden"
+
+Users in scope fail to provision. The provisioning logs details include the following error message:
+
+```
+The provisioning service was forbidden from performing an operation on Azure Active Directory, which is unusual. 
+A simultaneous change to the target object may have occurred, in which case, the operation might succeed when it is retried.
+Alternatively, the target of the operation, or one of its properties, may be mastered on-premises, in which case, 
+the provisioning service is not permitted to update it, and the corresponding source entry should be removed from the provisioning service's scope.
+Otherwise, authorizations may have been customized in such a way as to prevent the provisioning service from modifying the target object or one of its properties; 
+if so, then, again, the corresponding source entry should be removed from scope. 
+This operation was retried 0 times. 
+```
+
+**Cause**
+
+This error indicates the Guest invite settings in the target tenant are configured with the most restrictive setting: "No one in the organization can invite guest users including admins (most restrictive)".
+
+**Solution**
+
+Change the Guest invite settings in the target tenant to a less restrictive setting. For more information, see [Configure external collaboration settings](../external-identities/external-collaboration-settings-configure.md).
+
 ## Next steps
 
 - [Tutorial: Reporting on automatic user account provisioning](../app-provisioning/check-status-user-account-provisioning.md)