Merge pull request #191952 from MicrosoftDocs/main

3/16 PM Publish

Author: huypub

.openpublishing.redirection.json

@@ -25215,7 +25215,7 @@
     },
     {
       "source_path_from_root": "/articles/azure-sql/managed-instance/azure-app-sync-network-configuration.md",
-      "redirect_url": "/azure/azure-sql/managed-instance/index.yml",
+      "redirect_url": "/azure/azure-sql/managed-instance/",
       "redirect_document_id": false
     },    
     {

articles/active-directory-b2c/partner-bindid.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 07/26/2021
+ms.date: 03/16/2022
 
 ms.author: justinha
 author: justinha
@@ -48,7 +48,7 @@ [email protected],1234567,2234567abcdef2234567abcdef,60,Contoso,HardwareKey
 ```  
 
 > [!NOTE]
-> Make sure you include the header row in your CSV file. If a UPN has a single quote, escape it with another single quote. For example, if the UPN is my’[email protected], change it to my’’[email protected] when uploading the file.
+> Make sure you include the header row in your CSV file. 
 
 Once properly formatted as a CSV file, a Global Administrator can then sign in to the Azure portal, navigate to **Azure Active Directory > Security > MFA > OATH tokens**, and upload the resulting CSV file.
 

articles/active-directory/authentication/concept-authentication-oath-tokens.md

@@ -98,6 +98,7 @@ Run the following steps in each domain and forest in your organization that cont
 1. Open a PowerShell prompt using the Run as administrator option.
 1. Run the following PowerShell commands to create a new Azure AD Kerberos Server object both in your on-premises Active Directory domain and in your Azure Active Directory tenant.
 
+### Example 1 prompt for all credentials
    > [!NOTE]
    > Replace `contoso.corp.com` in the following example with your on-premises Active Directory domain name.
 
@@ -117,6 +118,7 @@ Run the following steps in each domain and forest in your organization that cont
    Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
    ```
 
+### Example 2 prompt for cloud credential
    > [!NOTE]
    > If you're working on a domain-joined machine with an account that has domain administrator privileges, you can skip the "-DomainCredential" parameter. If the "-DomainCredential" parameter isn't provided, the current Windows login credential is used to access your on-premises Active Directory Domain Controller.
 
@@ -134,6 +136,7 @@ Run the following steps in each domain and forest in your organization that cont
    Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred
    ```
 
+### Example 3 prompt for all credentials using modern authentication
    > [!NOTE]
    > If your organization protects password-based sign-in and enforces modern authentication methods such as multifactor authentication, FIDO2, or smart card technology, you must use the `-UserPrincipalName` parameter with the User Principal Name (UPN) of a global administrator.
    > - Replace `contoso.corp.com` in the following example with your on-premises Active Directory domain name.
@@ -156,6 +159,26 @@ Run the following steps in each domain and forest in your organization that cont
    Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred
    ```
 
+### Example 4 prompt for cloud credentials using modern authentication
+   > [!NOTE]
+   > If you are working on a domain-joined machine with an account that has domain administrator privileges and your organization protects password-based sign-in and enforces modern authentication methods such as multifactor authentication, FIDO2, or smart card technology, you must use the `-UserPrincipalName` parameter with the User Principal Name (UPN) of a global administrator. And you can skip the "-DomainCredential" parameter.
+   > - Replace `contoso.corp.com` in the following example with your on-premises Active Directory domain name.
+   > - Replace `[email protected]` in the following example with the UPN of a global administrator.
+
+   ```powershell
+   # Specify the on-premises Active Directory domain. A new Azure AD
+   # Kerberos Server object will be created in this Active Directory domain.
+   $domain = "contoso.corp.com"
+
+   # Enter a UPN of an Azure Active Directory global administrator
+   $userPrincipalName = "[email protected]"
+
+   # Create the new Azure AD Kerberos Server object in Active Directory
+   # and then publish it to Azure Active Directory.
+   # Open an interactive sign-in prompt with given username to access the Azure AD.
+   Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName
+   ```
+
 ### View and verify the Azure AD Kerberos Server
 
 You can view and verify the newly created Azure AD Kerberos Server by using the following command:
@@ -263,6 +286,12 @@ Make sure that enough DCs are patched to respond in time to service your resourc
 > [!NOTE]
 > The `/keylist` switch in the `nltest` command is available in client Windows 10 v2004 and later.
 
+### What if I have a CloudTGT but it never gets exchange for a OnPremTGT when I am using Windows Hello for Business Cloud Trust?
+
+Make sure that the user you are signed in as, is a member of the groups of users that can use FIDO2 as an authentication method, or enable it for all users.
+
+> [!NOTE]
+> Even if you are not explicitly using a security key to sign-in to your device, the underlying technology is dependent on the FIDO2 infrastructure requirements.
 
 ### Do FIDO2 security keys work in a Windows login with RODC present in the hybrid environment?
 

articles/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md

@@ -104,28 +104,10 @@ Run the [IdFix tool](/office365/enterprise/prepare-directory-attributes-for-sync
 
 2. The PowerShell execution policy on the local server must be set to Undefined or RemoteSigned.
 
-3. If there's a firewall between your servers and Azure AD, configure the following items:
-    - Ensure that agents can make *outbound* requests to Azure AD over the following ports:
-
-      | Port number | How it's used |
-      | --- | --- |
-      | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate.  |
-      | **443** | Handles all outbound communication with the service. |
-      | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure AD portal. |
-
-    - If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
-    - If your firewall or proxy allows you to specify safe suffixes, add connections to \*.msappproxy.net and \*.servicebus.windows.net. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
-   - If you are installing against the **US government** cloud, and your firewall or proxy allows you to specify safe suffixes, add connections to:
-       - *.microsoftonline.us
-       - *.microsoft.us
-       - *.msappproxy.us 
-       - *.windowsazure.us
-    
-    - Your agents need access to login.windows.net and login.microsoftonline.com for initial registration. Open your firewall for those URLs as well.
-    - For certificate validation, unblock the following URLs: mscrl.microsoft.com:80, crl.microsoft.com:80, ocsp.msocsp.com:80, and www\.microsoft.com:80. These URLs are used for certificate validation with other Microsoft products, so you might already have these URLs unblocked.
-
-    >[!NOTE]
-    > Installing the cloud provisioning agent on Windows Server Core is not supported.
+3. If there's a firewall between your servers and Azure AD, configure see [Firewall and proxy requirements](#firewall-and-proxy-requirements) below.  
+
+>[!NOTE]
+> Installing the cloud provisioning agent on Windows Server Core is not supported.
 
 ### Additional requirements
 
@@ -150,6 +132,47 @@ To enable TLS 1.2, follow these steps.
     ```
 
 1. Restart the server.
+
+## Firewall and Proxy requirements
+If there's a firewall between your servers and Azure AD, configure the following items:
+
+- Ensure that agents can make *outbound* requests to Azure AD over the following ports:
+
+   | Port number | How it's used |
+   | --- | --- |
+   | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate.  |
+   | **443** | Handles all outbound communication with the service. |
+   | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure AD portal. |
+ 
+- If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
+- If your firewall or proxy allows you to specify safe suffixes, add connections: 
+
+#### [Public Cloud](#tab/public-cloud)
+
+
+  |URL |How it's used|
+  |-----|-----|
+  |&#42;.msappproxy.net</br>&#42;.servicebus.windows.net|The agent uses these URLs to communicate with the Azure AD cloud service. |
+  |&#42;.microsoftonline.com</br>&#42;.microsoft.com</br>&#42;.msappproxy.com</br>&#42;.windowsazure.com|The agent uses these URLs to communicate with the Azure AD cloud service. |
+   |`mscrl.microsoft.com:80` </br>`crl.microsoft.com:80` </br>`ocsp.msocsp.com:80` </br>`www.microsoft.com:80`| The agent uses these URLs to verify certificates.|
+   |login.windows.net</br>|The agent uses these URLs during the registration process.
+
+
+
+#### [U.S. Government Cloud](#tab/us-government-cloud)
+
+ |URL |How it's used|
+ |-----|-----|
+ |&#42;.msappproxy.us</br>&#42;.servicebus.usgovcloudapi.net|The agent uses these URLs to communicate with the Azure AD cloud service. |
+ |`mscrl.microsoft.us:80` </br>`crl.microsoft.us:80` </br>`ocsp.msocsp.us:80` </br>`www.microsoft.us:80`| The agent uses these URLs to verify certificates.|
+ |login.windows.us </br>secure.aadcdn.microsoftonline-p.com </br>&#42;.microsoftonline.us </br>&#42;.microsoftonline-p.us </br>&#42;.msauth.net </br>&#42;.msauthimages.net </br>&#42;.msecnd.net</br>&#42;.msftauth.net </br>&#42;.msftauthimages.net</br>&#42;.phonefactor.net </br>enterpriseregistration.windows.net</br>management.azure.com </br>policykeyservice.dc.ad.msft.net</br>ctldl.windowsupdate.us:80| The agent uses these URLs during the registration process.
+
+
+
+
+- If you are unable to add connections, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
+
+---
 ## NTLM requirement
 
 You should not enable NTLM on the Windows Server that is running the Azure AD Connect Provisioning Agent and if it is enabled you should make sure you disable it. 

articles/active-directory/cloud-sync/how-to-prerequisites.md

@@ -24,10 +24,16 @@ The OBO flow only works for user principals at this time. A service principal ca
 
 This article describes how to program directly against the protocol in your application. When possible, we recommend you use the supported Microsoft Authentication Libraries (MSAL) instead to [acquire tokens and call secured web APIs](authentication-flows-app-scenarios.md#scenarios-and-supported-authentication-flows).  Also take a look at the [sample apps that use MSAL](sample-v2-code.md).
 
-As of May 2018, some implicit-flow derived `id_token` can't be used for OBO flow. Single-page apps (SPAs) should pass an **access** token to a middle-tier confidential client to perform OBO flows instead. For more info about which clients can perform OBO calls, see [limitations](#client-limitations).
-
 [!INCLUDE [try-in-postman-link](includes/try-in-postman-link.md)]
 
+## Client limitations
+
+As of May 2018, some implicit-flow derived `id_token` can't be used for OBO flow. Single-page apps (SPAs) should pass an **access** token to a middle-tier confidential client to perform OBO flows instead.
+
+If a client uses the implicit flow to get an id_token, and that client also has wildcards in a reply URL, the id_token can't be used for an OBO flow.  However, access tokens acquired through the implicit grant flow can still be redeemed by a confidential client even if the initiating client has a wildcard reply URL registered.
+
+Additionally, applications with custom signing keys cannot be used as middle-tier API's in the OBO flow (this includes enterprise applications configured for single sign-on). This will result in an error because tokens signed with a key controlled by the client cannot be safely accepted.
+
 ## Protocol diagram
 
 Assume that the user has been authenticated on an application using the [OAuth 2.0 authorization code grant flow](v2-oauth2-auth-code-flow.md) or another login flow. At this point, the application has an access token *for API A* (token A) with the user's claims and consent to access the middle-tier web API (API A). Now, API A needs to make an authenticated request to the downstream web API (API B).
@@ -262,10 +268,6 @@ A tenant admin can guarantee that applications have permission to call their req
 
 In some scenarios, you may only have a single pairing of middle-tier and front-end client. In this scenario, you may find it easier to make this a single application, negating the need for a middle-tier application altogether. To authenticate between the front-end and the web API, you can use cookies, an id_token, or an access token requested for the application itself. Then, request consent from this single application to the back-end resource.
 
-## Client limitations
-
-If a client uses the implicit flow to get an id_token, and that client also has wildcards in a reply URL, the id_token can't be used for an OBO flow.  However, access tokens acquired through the implicit grant flow can still be redeemed by a confidential client even if the initiating client has a wildcard reply URL registered.
-
 ## Next steps
 
 Learn more about the OAuth 2.0 protocol and another way to perform service to service auth using client credentials.

articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md

@@ -95,3 +95,5 @@ For more information about app registration and authentication flow, see:
 
 - [Register an application with the Microsoft identity platform](quickstart-register-app.md)
 - [Authentication flows and application scenarios](authentication-flows-app-scenarios.md)
+
+<!-- _This article was originally contributed by [Umesh Barapatre](https://github.com/umeshbarapatre)._ -->

articles/active-directory/develop/v2-saml-bearer-assertion.md

@@ -30,8 +30,13 @@ The following information describes implementation of Pass-through Authenticatio
 
 Before you deploy the Pass-through Authentication agent, verify whether a firewall exists between your servers and Azure AD. If your firewall or proxy allows Domain Name System (DNS) blocked or safe programs, add the following connections.
 
-> [!NOTE]
-> The following guidance also applies to installing the [Azure AD Application Proxy connector](../app-proxy/what-is-application-proxy.md) for Azure Government environments.
+> [!IMPORTANT]
+> The following guidance applies only to the following:
+> - the pass-through authentication agent
+> - [Azure AD Application Proxy connector](../app-proxy/what-is-application-proxy.md) 
+>
+> For information on URLS for the Azure Active Directory Connect Provisioning Agent see the [installation pre-requisites](../cloud-sync/how-to-prerequisites.md)  for cloud sync.
+
 
 |URL |How it's used|
 |-----|-----|

articles/active-directory/hybrid/reference-connect-government-cloud.md

@@ -130,6 +130,8 @@
       href: workbook-conditional-access-gap-analyzer.md
     - name: Cross-tenant access activity 
       href: workbook-cross-tenant-access-activity.md
+    - name: Sign-ins using legacy authentication  
+      href: workbook-legacy authentication.md
     - name: Risk analysis
       href: workbook-risk-analysis.md
     - name: Sensitive Operations Report