Merge branch 'master' into release-ie-converge

Author: v-alje

.openpublishing.publish.config.json

@@ -826,6 +826,7 @@
     ".openpublishing.redirection.media-services.json",
     ".openpublishing.redirection.security-benchmark.json",
     ".openpublishing.redirection.synapse-analytics.json",
+    "articles/azure-fluid-relay/.openpublishing.redirection.fluid-relay.json",
     "articles/azure-relay/.openpublishing.redirection.relay.json",
     "articles/communication-services/.openpublishing.redirection.communication-services.json",
     "articles/cosmos-db/.openpublishing.redirection.cosmos-db.json",

.openpublishing.redirection.active-directory.json

@@ -10509,6 +10509,11 @@
             "source_path": "articles/active-directory/privileged-identity-management/pim-resource-roles-start-access-review.md",
             "redirect_url": "/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review",
             "redirect_document_id": false
-        }
+        },
+        {
+            "source_path_from_root": "/articles/active-directory-b2c/troubleshoot-custom-policies.md",
+            "redirect_url": "/azure/active-directory-b2c/troubleshoot",
+            "redirect_document_id": false
+          }
     ]
 }

articles/active-directory-b2c/TOC.yml

@@ -398,15 +398,13 @@
       displayName: rest claims exchange
     - name: Secure an API connector
       href: secure-rest-api.md
-  - name: Custom policy
+  - name: Troubleshooting
     items:
-    - name: Troubleshooting
-      items:
-      - name: Collect logs using Application Insights
-        href: troubleshoot-with-application-insights.md
-        displayName: troubleshooting, app insights
-      - name: Troubleshooting custom policies
-        href: troubleshoot-custom-policies.md
+    - name: Collect logs using Application Insights
+      href: troubleshoot-with-application-insights.md
+      displayName: troubleshooting, app insights
+    - name: Troubleshooting and error handling
+      href: troubleshoot.md
   - name: UserInfo endpoint
     href: userinfo-endpoint.md
   - name: Partner integration

articles/active-directory-b2c/add-password-reset-policy.md

@@ -335,6 +335,9 @@ Custom policies are a set of XML files that you upload to your Azure AD B2C tena
 
 ::: zone-end
 
+## Troubleshoot Azure AD B2C user flows and custom policies
+Your application needs to handle certain errors coming from Azure B2C service. Learn [how to troubleshoot Azure AD B2C's user flows and custom policies](troubleshoot.md).
+
 ## Next steps
 
 Set up a [force password reset](force-password-reset.md).

articles/active-directory-b2c/troubleshoot-with-application-insights.md

@@ -13,10 +13,21 @@ ms.date: 09/20/2021
 ms.custom: project-no-code
 ms.author: mimart
 ms.subservice: B2C
+zone_pivot_groups: b2c-policy-type
 ---
 
 # Collect Azure Active Directory B2C logs with Application Insights
 
+[!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
+
+::: zone pivot="b2c-user-flow"
+
+[!INCLUDE [active-directory-b2c-limited-to-custom-policy](../../includes/active-directory-b2c-limited-to-custom-policy.md)]
+
+::: zone-end
+
+::: zone pivot="b2c-custom-policy"
+
 This article provides steps for collecting logs from Active Directory B2C (Azure AD B2C) so that you can diagnose problems with your custom policies. Application Insights provides a way to diagnose exceptions and visualize application performance issues. Azure AD B2C includes a feature for sending data to Application Insights.
 
 The detailed activity logs described here should be enabled **ONLY** during the development of your custom policies.
@@ -189,4 +200,6 @@ To improve your production environment performance and better user experience, i
 
 ## Next steps
 
-- Learn how to [troubleshoot Azure AD B2C custom policies](troubleshoot-custom-policies.md)
+- Learn how to [troubleshoot Azure AD B2C custom policies](troubleshoot.md)
+
+::: zone-end

articles/active-directory-b2c/troubleshoot-custom-policies.md renamed to articles/active-directory-b2c/troubleshoot.md

@@ -1,5 +1,5 @@
 ---
-title: Troubleshoot custom policies in Azure Active Directory B2C
+title: Troubleshoot custom policies and user flows in Azure Active Directory B2C
 description: Learn about approaches to solving errors when working with custom policies in Azure Active Directory B2C.
 services: active-directory-b2c
 author: msmimart
@@ -8,12 +8,39 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: troubleshooting
-ms.date: 05/25/2021
+ms.date: 10/08/2021
 ms.author: mimart
 ms.subservice: B2C
+zone_pivot_groups: b2c-policy-type
 ---
 
-# Troubleshoot Azure AD B2C custom policies
+# Troubleshoot Azure AD B2C custom policies and user flows
+
+[!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
+
+Your application needs to handle certain errors coming from Azure B2C service. This article highlights some of the common errors and how to handle them.
+
+::: zone pivot="b2c-user-flow"
+
+## Password reset error
+
+This error occurs when the [self-service password reset experience](add-password-reset-policy.md#self-service-password-reset-recommended) isn't enabled in a user flow. Thus, selecting the **Forgot your password?** link doesn't trigger a password reset user flow. Instead, the error code `AADB2C90118` is returned to your application.
+
+There are 2 solutions to this problem:  
+  - Respond back with a new authentication request using Azure AD B2C password reset user flow.
+  - Use recommended [self service password resect (SSPR) experience](add-password-reset-policy.md#self-service-password-reset-recommended).  
+
+
+## User canceled the operation
+Azure AD B2C service can also return an error to your application when a user cancels an operation. The following are examples of scenarios where a user performs a cancel operation: 
+-  A user policy uses the recommended [self service password resect (SSPR) experience](add-password-reset-policy.md#self-service-password-reset-recommended) with a consumer local account. The user selects the **Forgot your password?** link , and then selects **Cancel** button before the user flow experience completes. In this case, Azure AD B2C service returns error code `AADB2C90091` to your application. 
+- A user chooses to authenticate with an external identity provider such as [LinkedIn](identity-provider-linkedin.md). The user select **Cancel** button before authenticating to the identity provider itself. In this case, Azure AD B2C service returns error code `AADB2C90273` to your application. Learn more about [error codes Azure Active Directory B2C service return](error-codes.md).
+
+To handle this error, fetch the **error description** for the user and respond back with a new authentication request with the same user flow. 
+
+::: zone-end
+
+::: zone pivot="b2c-custom-policy"
 
 If you use Azure Active Directory B2C (Azure AD B2C) [custom policies](custom-policy-overview.md), you might experience challenges with policy language XML format or runtime issues. This article describes some tools and tips that can help you discover and resolve issues. 
 
@@ -383,7 +410,7 @@ The cause for this error is similar to the one for the claim error. Check the pr
 
 ### User is currently logged as a user of 'yourtenant.onmicrosoft.com' tenant...
 
-You login with an account from a tenant that is different than the policy you try to upload. For example, you sign-in with [email protected], while your policy `TenantId` is set to `fabrikam.onmicrosoft.com`.
+You login with an account from a tenant that is different than the policy you try to upload. For example, your sign-in with [email protected], while your policy `TenantId` is set to `fabrikam.onmicrosoft.com`.
 
 ```xml
 <TrustFrameworkPolicy ...
@@ -462,6 +489,9 @@ To fix this type of error, when you upload the policy, select the **Overwrite th
 
 ![Screenshot that demonstrates how to overwrite the custom policy if it already exists.](./media/troubleshoot-custom-policies/overwrite-custom-policy-if-exists.png)
 
+::: zone-end
+
+
 
 ## Next steps
 

articles/active-directory-b2c/user-flow-custom-attributes.md

@@ -202,7 +202,7 @@ Use the following steps to remove extension/custom attribute from a user flow:
     1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the Directory name list, and then select **Switch**
 1. Choose **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**.
 1. Select **User attributes**, and then select the attribute you want to delete.
-1. Select **Delete**
+1. Select **Delete**, and then select **Yes** to confirm.
 
 ::: zone-end
 

articles/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md

@@ -85,9 +85,6 @@ $domain = "contoso.corp.com"
 # Enter an Azure Active Directory global administrator username and password.
 $cloudCred = Get-Credential
 
-If you have MFA enabled for Global administrator, Please remove "-Cloudcredential $cloudCred"
-you will see web-based popup and complete the U/P and MFA there
-
 # Enter a domain administrator username and password.
 $domainCred = Get-Credential
 
@@ -96,6 +93,29 @@ $domainCred = Get-Credential
 Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
 ```
 
+> [!NOTE]
+> If your organization protects password-based sign-in and enforces modern authentication methods such as MFA, FIDO2, or Smart Card, you must use the "-UserPrincipalName" parameter with the User Principal Name of a Global administrator.
+>    - Replace `contoso.corp.com` in the following example with your on-premises Active Directory domain name.
+>    - Replace `[email protected]` in the following example with the User Principal Name of a Global administrator.
+
+```powerShell
+Import-Module ".\AzureAdKerberos.psd1"
+
+# Specify the on-premises Active Directory domain. A new Azure AD
+# Kerberos Server object will be created in this Active Directory domain.
+$domain = "contoso.corp.com"
+
+# Enter a User Principal Name of Azure Active Directory global administrator
+$userPrincipalName = "[email protected]"
+
+# Enter a domain administrator username and password.
+$domainCred = Get-Credential
+
+# Create the new Azure AD Kerberos Server object in Active Directory
+# and then publish it to Azure Active Directory.
+Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred
+```
+
 ### Viewing and verifying the Azure AD Kerberos Server
 
 You can view and verify the newly created Azure AD Kerberos Server using the following command:

articles/active-directory/develop/id-tokens.md

@@ -76,7 +76,7 @@ The table below shows the claims that are in most ID tokens by default (except w
 |`iat` |  int, a UNIX timestamp | "Issued At" indicates when the authentication for this token occurred.  |
 |`idp`|String, usually an STS URI | Records the identity provider that authenticated the subject of the token. This value is identical to the value of the Issuer claim unless the user account not in the same tenant as the issuer - guests, for instance. If the claim isn't present, it means that the value of `iss` can be used instead.  For personal accounts being used in an organizational context (for instance, a personal account invited to an Azure AD tenant), the `idp` claim may be 'live.com' or an STS URI containing the Microsoft account tenant `9188040d-6c67-4c5b-b112-36a304b66dad`. |
 |`nbf` |  int, a UNIX timestamp | The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.|
-|`exp` |  int, a UNIX timestamp | The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.  It's important to note that in certain circumstances, a resource may reject the token before this time. Fo example, if a change in authentication is required or a token revocation has been detected. |
+|`exp` |  int, a UNIX timestamp | The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.  It's important to note that in certain circumstances, a resource may reject the token before this time. For example, if a change in authentication is required or a token revocation has been detected. |
 | `c_hash`| String |The code hash is included in ID tokens only when the ID token is issued with an OAuth 2.0 authorization code. It can be used to validate the authenticity of an authorization code. To understand how to do this validation, see the [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken). |
 |`at_hash`| String |The access token hash is included in ID tokens only when the ID token is issued from the `/authorize` endpoint with an OAuth 2.0 access token. It can be used to validate the authenticity of an access token. To understand how to do this validation, see the [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken). This is not returned on ID tokens from the `/token` endpoint. |
 |`aio` | Opaque String | An internal claim used by Azure AD to record data for token reuse. Should be ignored.|

articles/active-directory/manage-apps/assign-app-owners.md

@@ -4,14 +4,14 @@ titleSuffix: Azure AD
 description: Assign owners to applications in Azure Active Directory
 services: active-directory
 documentationcenter: ''
-author: davidmu1
+author: saipradeepb23
 manager: celesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.subservice: app-mgmt
 ms.topic: how-to
 ms.date: 08/03/2021
-ms.author: davidmu
+ms.author: saibandaru
 #Customer intent: As an Azure AD administrator, I want to assign owners to enterprise applications.
 
 ---