Merge pull request #249373 from MicrosoftDocs/main

8/25/2023 AM Publish

Author: Taojunshen

articles/active-directory/develop/msal-net-user-gets-consent-for-multiple-resources.md

@@ -17,7 +17,7 @@ ms.custom: devx-track-csharp, aaddev, devx-track-dotnet
 ---
 
 # User gets consent for several resources using MSAL.NET
-The Microsoft identity platform does not allow you to get a token for several resources at once. When using the Microsoft Authentication Library for .NET (MSAL.NET), the scopes parameter in the acquire token method should only contain scopes for a single resource. However, you can pre-consent to several resources upfront by specifying additional scopes using the `.WithExtraScopeToConsent` builder method.
+The Microsoft identity platform does not allow you to get a token for several resources at once. When using the Microsoft Authentication Library for .NET (MSAL.NET), the *scopes* parameter in the acquire token method should only contain scopes for a single resource. However, you can pre-consent to several resources upfront by specifying additional scopes using the `.WithExtraScopesToConsent` builder method.
 
 > [!NOTE]
 > Getting consent for several resources works for Microsoft identity platform, but not for Azure AD B2C. Azure AD B2C supports only admin consent, not user consent.
@@ -27,7 +27,7 @@ For example, if you have two resources that have 2 scopes each:
 - https:\//mytenant.onmicrosoft.com/customerapi (with 2 scopes `customer.read` and `customer.write`)
 - https:\//mytenant.onmicrosoft.com/vendorapi (with 2 scopes `vendor.read` and `vendor.write`)
 
-You should use the `.WithExtraScopeToConsent` modifier which has the *extraScopesToConsent* parameter as shown in the following example:
+You should use the `.WithExtraScopesToConsent` method which has the *extraScopesToConsent* parameter as shown in the following example:
 
 ```csharp
 string[] scopesForCustomerApi = new string[]
@@ -44,12 +44,12 @@ string[] scopesForVendorApi = new string[]
 var accounts = await app.GetAccountsAsync();
 var result = await app.AcquireTokenInteractive(scopesForCustomerApi)
                      .WithAccount(accounts.FirstOrDefault())
-                     .WithExtraScopeToConsent(scopesForVendorApi)
+                     .WithExtraScopesToConsent(scopesForVendorApi)
                      .ExecuteAsync();
 ```
 
-This will get you an access token for the first web API. Then, to access the second web API you can silently acquire the token from the token cache:
+`AcquireTokenInteractive` will return an access token for the first web API. Along with that access token, a refresh token will also be retrieved from Azure AD and cached. Then, to access the second web API, you can silently acquire the token using `AcquireTokenSilent`. MSAL will use the cached refresh token to retrieve from Azure AD the access token for the second web API.
 
 ```csharp
-AcquireTokenSilent(scopesForVendorApi, accounts.FirstOrDefault()).ExecuteAsync();
+var result = await AcquireTokenSilent(scopesForVendorApi, accounts.FirstOrDefault()).ExecuteAsync();
 ```

articles/active-directory/governance/TOC.yml

@@ -58,15 +58,15 @@
         href: /graph/tutorial-accessreviews-roleassignments?toc=/azure/active-directory/governance/toc.json&bc=/azure/active-directory/governance/breadcrumb/toc.json
     - name: Lifecycle Workflows
       items:
-      - name: Automate employee onboarding tasks - Azure portal
+      - name: Automate employee onboarding tasks - Entra portal
         href: tutorial-onboard-custom-workflow-portal.md 
       - name: Automate employee onboarding tasks - Microsoft Graph
         href: /graph/tutorial-lifecycle-workflows-onboard-custom-workflow?toc=/azure/active-directory/governance/toc.json&bc=/azure/active-directory/governance/breadcrumb/toc.json
-      - name: Offboarding employees in real-time - Azure portal
+      - name: Offboarding employees in real-time - Entra portal
         href: tutorial-offboard-custom-workflow-portal.md
       - name: Offboarding employees in real-time - Microsoft Graph
         href: /graph/tutorial-lifecycle-workflows-offboard-custom-workflow?toc=/azure/active-directory/governance/toc.json&bc=/azure/active-directory/governance/breadcrumb/toc.json
-      - name: Automate employee offboarding tasks - Azure portal
+      - name: Automate employee offboarding tasks - Entra portal
         href: tutorial-scheduled-leaver-portal.md  
       - name: Automate employee offboarding tasks - Microsoft Graph
         href: /graph/tutorial-lifecycle-workflows-scheduled-leaver?toc=/azure/active-directory/governance/toc.json&bc=/azure/active-directory/governance/breadcrumb/toc.json

articles/active-directory/governance/entitlement-management-access-package-approval-policy.md

@@ -52,9 +52,11 @@ Follow these steps to specify the approval settings for requests for the access
 
 **Prerequisite role:** Global administrator, Identity Governance administrator, User administrator, Catalog owner, or Access package manager
 
-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../roles/permissions-reference.md#identity-governance-administrator).
 
-1. In the left menu, select **Access packages** and then open the access package.
+1. Browse to **Identity governance** > **Entitlement management** > **Access package**.
+
+1. On the **Access packages** page open an access package.
 
 1. Either select a policy to edit or add a new policy to the access package
     1. Select **Policies** and then **Add policy** if you want to create a new policy.

articles/active-directory/governance/entitlement-management-access-package-assignments.md

@@ -37,9 +37,11 @@ To use entitlement management and assign users to access packages, you must have
 
 **Prerequisite role:** Global administrator, Identity Governance administrator, User administrator, Catalog owner, Access package manager or Access package assignment manager
 
-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../roles/permissions-reference.md#identity-governance-administrator).
 
-1. In the left menu, select **Access packages** and then open the access package.
+1. Browse to **Identity governance** > **Entitlement management** > **Access package**.
+
+1. On the **Access packages** page open an access package.
 
 1. Select **Assignments** to see a list of active assignments.
 
@@ -77,9 +79,11 @@ In some cases, you might want to directly assign specific users to an access pac
 
 **Prerequisite role:** Global administrator, User administrator, Catalog owner, Access package manager or Access package assignment manager
 
-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../roles/permissions-reference.md#identity-governance-administrator).
+
+1. Browse to **Identity governance** > **Entitlement management** > **Access package**.
 
-1. In the left menu, select **Access packages** and then open the access package.
+1. On the **Access packages** page open an access package.
 
 1. In the left menu, select **Assignments**.
 
@@ -117,9 +121,11 @@ Entitlement management also allows you to directly assign external users to an a
 
 **Prerequisite role:** Global administrator, User administrator, Catalog owner, Access package manager or Access package assignment manager
 
-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../roles/permissions-reference.md#identity-governance-administrator).
 
-1. In the left menu, select **Access packages** and then open the access package in which you want to add a user.
+1. Browse to **Identity governance** > **Entitlement management** > **Access package**.
+
+1. On the **Access packages** page open an access package.
 
 1. In the left menu, select **Assignments**.
 
@@ -195,9 +201,11 @@ You can remove an assignment that a user or an administrator had previously requ
 
 **Prerequisite role:** Global administrator, User administrator, Catalog owner, Access package manager or Access package assignment manager
 
-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../roles/permissions-reference.md#identity-governance-administrator).
+
+1. Browse to **Identity governance** > **Entitlement management** > **Access package**.
 
-1. In the left menu, select **Access packages** and then open the access package.
+1. On the **Access packages** page open an access package.
 
 1. In the left menu, select **Assignments**.
 

articles/active-directory/governance/entitlement-management-access-package-auto-assignment-policy.md

@@ -42,33 +42,35 @@ To create a policy for an access package, you need to start from the access pack
 
 **Prerequisite role:** Global administrator or Identity Governance administrator
 
-1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../roles/permissions-reference.md#identity-governance-administrator).
 
-1. In the left menu, click **Access packages** and then open the access package.
+1. Browse to **Identity governance** > **Entitlement management** > **Access package**.
 
-1. Click **Policies** and then **Add auto-assignment policy** to create a new policy.
+1. On the **Access packages** page open an access package.
 
-1. In the first tab, you'll specify the rule.  Click **Edit**.
+1. Select **Policies** and then **Add auto-assignment policy** to create a new policy.
+
+1. In the first tab, you'll specify the rule. Select **Edit**.
 
 1. Provide a dynamic membership rule, using the [membership rule builder](../enterprise-users/groups-dynamic-membership.md) or by clicking **Edit** on the rule syntax text box.
 
    > [!NOTE]
-   > The rule builder might not be able to display some rules constructed in the text box, and validating a rule currently requires the you to be in the Global administrator role. For more information, see [rule builder in the Azure portal](../enterprise-users/groups-create-rule.md#rule-builder-in-the-azure-portal).
+   > The rule builder might not be able to display some rules constructed in the text box, and validating a rule currently requires the you to be in the Global administrator role. For more information, see [rule builder in the Entra admin center](../enterprise-users/groups-create-rule.md#rule-builder-in-the-azure-portal).
 
     ![Screenshot of an access package automatic assignment policy rule configuration.](./media/entitlement-management-access-package-auto-assignment-policy/auto-assignment-rule-configuration.png)
 
-1. Click **Save** to close the dynamic membership rule editor.
+1. Select **Save** to close the dynamic membership rule editor.
 1. By default, the checkboxes to automatically create and remove assignments should remain checked.
 1. If you wish users to retain access for a limited time after they go out of scope, you can specify a duration in hours or days. For example, when an employee leaves the sales department, you may wish to allow them to continue to retain access for 7 days to allow them to use sales apps and transfer ownership of their resources in those apps to another employee.
-1. Click **Next** to open the **Custom Extensions** tab.
+1. Select **Next** to open the **Custom Extensions** tab.
 
 1. If you have [custom extensions](entitlement-management-logic-apps-integration.md) in your catalog you wish to have run when the policy assigns or removes access, you can add them to this policy.  Then click next to open the **Review** tab.
 
 1. Type a name and a description for the policy.
 
     ![Screenshot of an access package automatic assignment policy review tab.](./media/entitlement-management-access-package-auto-assignment-policy/auto-assignment-review.png)
 
-1. Click **Create** to save the policy.
+1. Select **Create** to save the policy.
 
    > [!NOTE]
    > At this time, Entitlement management will automatically create a dynamic security group corresponding to each policy, in order to evaluate the users in scope. This group should not be modified except by Entitlement Management itself.  This group may also be modified or deleted automatically by Entitlement Management, so don't use this group for other applications or scenarios.

articles/active-directory/governance/entitlement-management-access-package-create.md

@@ -1,6 +1,6 @@
 ---
 title: Create an access package in entitlement management
-description: Learn how to create an access package of resources that you want to share in Azure Active Directory entitlement management.
+description: Learn how to create an access package of resources that you want to share in Microsoft Entra entitlement management.
 services: active-directory
 documentationCenter: ''
 author: owinfreyATL
@@ -56,15 +56,13 @@ Then once the access package is created, you can [change the hidden setting](ent
 
 To complete the following steps, you need a role of global administrator, Identity Governance administrator, user administrator, catalog owner, or access package manager.
 
-1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../roles/permissions-reference.md#identity-governance-administrator).
 
-1. Select **Azure Active Directory**, and then select **Identity Governance**.
-
-1. On the left menu, select **Access packages**.
+1. Browse to **Identity governance** > **Entitlement management** > **Access package**.
 
 1. Select **New access package**.
 
-    ![Screenshot that shows the button for creating a new access package in the Azure portal.](./media/entitlement-management-shared/access-packages-list.png)
+    ![Screenshot that shows the button for creating a new access package in the Microsoft Entra admin center.](./media/entitlement-management-shared/access-packages-list.png)
 
 ## Configure basics
 

articles/active-directory/governance/entitlement-management-access-package-edit.md

@@ -32,9 +32,11 @@ Follow these steps to change the **Hidden** setting for an access package.
 
 **Prerequisite role:** Global administrator, Identity Governance administrator, User administrator, Catalog owner, or Access package manager
 
-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../roles/permissions-reference.md#identity-governance-administrator).
 
-1. In the left menu, select **Access packages** and then open the access package.
+1. Browse to **Identity governance** > **Entitlement management** > **Access package**.
+
+1. On the **Access packages** page open an access package.
 
 1. On the Overview page, select **Edit**.
 
@@ -50,9 +52,11 @@ An access package can only be deleted if it has no active user assignments. Foll
 
 **Prerequisite role:** Global administrator, User administrator, Catalog owner, or Access package manager
 
-1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](../roles/permissions-reference.md#identity-governance-administrator).
+
+1. Browse to **Identity governance** > **Entitlement management** > **Access package**.
 
-1. In the left menu, select **Access packages** and then open the access package.
+1. On the **Access packages** page open the access package.
 
 1. In the left menu, select **Assignments** and remove access for all users.