Commit a11792f

Merge branch '249042' of https://github.com/markingmyname/azure-docs-pr into 249042
2 parents 799f189 + b9c7cef commit a11792f

647 files changed

+8666
-7294
lines changed

.openpublishing.publish.config.json

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -230,6 +230,12 @@
230230
"branch": "master",
231231
"branch_mapping": {}
232232
},
233+
{
234+
"path_to_root": "functions-docs-python-v2",
235+
"url": "https://github.com/Azure-Samples/functions-docs-python-v2",
236+
"branch": "main",
237+
"branch_mapping": {}
238+
},
233239
{
234240
"path_to_root": "functions-docs-powershell",
235241
"url": "https://github.com/Azure-Samples/functions-docs-powershell",

.openpublishing.redirection.json

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7974,11 +7974,15 @@
79747974
"redirect_document_id": false
79757975
},
79767976
{
7977-
"source_path_from_root": "/articles/azure-functions/functions-create-first-azure-function-azure-cli.md",
7978-
"redirect_url": "/azure/azure-functions/create-first-function-cli-csharp",
7977+
"source_path_from_root": "/articles/azure-functions/functions-bindings-example.md",
7978+
"redirect_url": "/azure/azure-functions/functions-triggers-bindings#bindings-code-examples",
79797979
"redirect_document_id": false
79807980
},
79817981
{
7982+
"source_path_from_root": "/articles/azure-functions/functions-create-first-azure-function-azure-cli.md",
7983+
"redirect_url": "/azure/azure-functions/create-first-function-cli-csharp",
7984+
"redirect_document_id": false
7985+
}, {
79827986
"source_path_from_root": "/articles/azure-functions/functions-create-first-java-maven.md",
79837987
"redirect_url": "/azure/azure-functions/create-first-function-cli-java",
79847988
"redirect_document_id": false
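Review bot: At new line 7985 the closing and opening braces are joined as `}, {`, while every other entry in this hunk puts `},` and `{` on separate lines. Split them to match the file's layout so later diffs against this array stay clean.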
@@ -24228,6 +24232,11 @@
2422824232
"redirect_url": "/azure/active-directory/external-identities/customers/tutorial-single-page-app-vanillajs-sign-in-sign-out",
2422924233
"redirect_document_id": false
2423024234
},
24235+
{
24236+
"source_path_from_root": "/articles/virtual-machines/image-builder-reliability.md",
24237+
"redirect_url": "/azure/reliability/reliability-image-builder.md",
24238+
"redirect_document_id": false
24239+
},
2423124240
{
2423224241
"source_path_from_root": "/articles/bastion/bastion-connect-vm-rdp-linux.md",
2423324242
"redirect_url": "/azure/bastion/bastion-connect-vm-ssh-linux",
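Review bot: The `redirect_url` added at line 24237 ends in `.md` (`/azure/reliability/reliability-image-builder.md`), whereas the other redirect targets visible in this file are extensionless published paths such as `/azure/bastion/bastion-connect-vm-ssh-linux`. Drop the `.md` suffix unless the target really is a literal file path; as written, the redirect will likely resolve to a missing page.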

articles/active-directory-b2c/add-api-connector.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -248,7 +248,7 @@ See an example of a [validation-error response](#example-of-a-validation-error-r
248248
## Before sending the token (preview)
249249

250250
> [!IMPORTANT]
251-
> API connectors used in this step are in preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
251+
> API connectors used in this step are in preview. For more information about previews, see [Product Terms for Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).
252252
253253
An API connector at this step is invoked when a token is about to be issued during sign-ins and sign-ups. An API connector for this step can be used to enrich the token with claim values from external sources.
254254

articles/active-directory-b2c/openid-connect-technical-profile.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ manager: CelesteDG
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: reference
12-
ms.date: 03/04/2021
12+
ms.date: 08/22/2023
1313
ms.author: kengaderdus
1414
ms.subservice: B2C
1515
---
@@ -88,7 +88,7 @@ The technical profile also returns claims that aren't returned by the identity p
8888
| MarkAsFailureOnStatusCode5xx | No | Indicates whether a request to an external service should be marked as a failure if the Http status code is in the 5xx range. The default is `false`. |
8989
| DiscoverMetadataByTokenIssuer | No | Indicates whether the OIDC metadata should be discovered by using the issuer in the JWT token.If you need to build the metadata endpoint URL based on Issuer, set this to `true`.|
9090
| IncludeClaimResolvingInClaimsHandling  | No | For input and output claims, specifies whether [claims resolution](claim-resolver-overview.md) is included in the technical profile. Possible values: `true`, or `false` (default). If you want to use a claims resolver in the technical profile, set this to `true`. |
91-
|token_endpoint_auth_method| No | Specifies how Azure AD B2C sends the authentication header to the token endpoint. Possible values: `client_secret_post` (default), and `client_secret_basic` (public preview), `private_key_jwt` (public preview). For more information, see [OpenID Connect client authentication section](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication). |
91+
|token_endpoint_auth_method| No | Specifies how Azure AD B2C sends the authentication header to the token endpoint. Possible values: `client_secret_post` (default), and `client_secret_basic` (public preview), `private_key_jwt`. For more information, see [OpenID Connect client authentication section](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication). |
9292
|token_signing_algorithm| No | Specifies the signing algorithm to use when `token_endpoint_auth_method` is set to `private_key_jwt`. Possible values: `RS256` (default) or `RS512`.|
9393
| SingleLogoutEnabled | No | Indicates whether during sign-in the technical profile attempts to sign out from federated identity providers. For more information, see [Azure AD B2C session sign-out](./session-behavior.md#sign-out). Possible values: `true` (default), or `false`. |
9494
|ReadBodyClaimsOnIdpRedirect| No| Set to `true` to read claims from response body on identity provider redirect. This metadata is used with [Apple ID](identity-provider-apple-id.md), where claims return in the response payload.|
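Review bot: In the `token_endpoint_auth_method` row (line 91), removing "(public preview)" from `private_key_jwt` leaves the value list reading "`client_secret_post` (default), and `client_secret_basic` (public preview), `private_key_jwt`", with the conjunction in front of the second item instead of the last. Suggest "`client_secret_post` (default), `client_secret_basic` (public preview), and `private_key_jwt`" so it is unambiguous which client authentication methods are still in preview.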
@@ -134,3 +134,4 @@ Examples:
134134
- [Add Microsoft Account (MSA) as an identity provider using custom policies](identity-provider-microsoft-account.md)
135135
- [Sign in by using Azure AD accounts](identity-provider-azure-ad-single-tenant.md)
136136
- [Allow users to sign in to a multi-tenant Azure AD identity provider using custom policies](identity-provider-azure-ad-multi-tenant.md)
137+

articles/active-directory-b2c/secure-rest-api.md

Lines changed: 12 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -230,8 +230,6 @@ The following XML snippet is an example of a RESTful technical profile configure
230230

231231
## OAuth2 bearer authentication
232232

233-
[!INCLUDE [b2c-public-preview-feature](../../includes/active-directory-b2c-public-preview.md)]
234-
235233
Bearer token authentication is defined in [OAuth2.0 Authorization Framework: Bearer Token Usage (RFC 6750)](https://www.rfc-editor.org/rfc/rfc6750.txt). In bearer token authentication, Azure AD B2C sends an HTTP request with a token in the authorization header.
236234

237235
```http
@@ -243,7 +241,6 @@ A bearer token is an opaque string. It can be a JWT access token or any string t
243241
- **Bearer token**. To be able to send the bearer token in the Restful technical profile, your policy needs to first acquire the bearer token and then use it in the RESTful technical profile.
244242
- **Static bearer token**. Use this approach when your REST API issues a long-term access token. To use a static bearer token, create a policy key and make a reference from the RESTful technical profile to your policy key.
245243

246-
247244
## Using OAuth2 Bearer
248245

249246
The following steps demonstrate how to use client credentials to obtain a bearer token and pass it into the Authorization header of the REST API calls.
@@ -488,15 +485,18 @@ Add the validation technical profile reference to the sign up technical profile,
488485

489486

490487

488+
489+
491490
For example:
492-
```XML
493-
<ValidationTechnicalProfiles>
494-
....
495-
<ValidationTechnicalProfile ReferenceId="REST-AcquireAccessToken" />
496-
....
497-
</ValidationTechnicalProfiles>
498-
```
499-
491+
```ruby
492+
```XML
493+
<ValidationTechnicalProfiles>
494+
....
495+
<ValidationTechnicalProfile ReferenceId="REST-AcquireAccessToken" />
496+
....
497+
</ValidationTechnicalProfiles>
498+
```
499+
```
500500

501501
::: zone-end
502502

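Review bot: Lines 491 and 499 wrap the existing XML fenced block in a second code fence tagged `ruby`, so the snippet is now a fence nested inside a fence with the wrong language tag, and the inner XML fence markers will either render as literal text or close the outer block early. Restore the original single XML fence around `<ValidationTechnicalProfiles>`, and drop the two blank lines added at 488 and 489 unless they are intentional.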
@@ -531,7 +531,6 @@ To configure a REST API technical profile with API key authentication, create th
531531
1. For **Key usage**, select **Encryption**.
532532
1. Select **Create**.
533533

534-
535534
### Configure your REST API technical profile to use API key authentication
536535

537536
After creating the necessary key, configure your REST API technical profile metadata to reference the credentials.
@@ -584,3 +583,4 @@ The following XML snippet is an example of a RESTful technical profile configure
584583
::: zone pivot="b2c-custom-policy"
585584
- Learn more about the [Restful technical profile](restful-technical-profile.md) element in the custom policy reference.
586585
::: zone-end
586+

articles/active-directory/architecture/recoverability-overview.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -124,15 +124,15 @@ Microsoft Graph APIs are highly customizable based on your organizational needs.
124124

125125
*Securely store these configuration exports with access provided to a limited number of admins.
126126

127-
The [Azure AD Exporter](https://github.com/microsoft/azureadexporter) can provide most of the documentation you need:
127+
The [Entra Exporter](https://github.com/microsoft/entraexporter) can provide most of the documentation you need:
128128

129129
- Verify that you've implemented the desired configuration.
130130
- Use the exporter to capture current configurations.
131131
- Review the export, understand the settings for your tenant that aren't exported, and manually document them.
132132
- Store the output in a secure location with limited access.
133133

134134
> [!NOTE]
135-
> Settings in the legacy multifactor authentication portal for Application Proxy and federation settings might not be exported with the Azure AD Exporter, or with the Microsoft Graph API.
135+
> Settings in the legacy multifactor authentication portal for Application Proxy and federation settings might not be exported with the Entra Exporter, or with the Microsoft Graph API.
136136
The [Microsoft 365 Desired State Configuration](https://github.com/microsoft/Microsoft365DSC/wiki/What-is-Microsoft365DSC) module uses Microsoft Graph and PowerShell to retrieve the state of many of the configurations in Azure AD. This information can be used as reference information or, by using PowerShell Desired State Configuration scripting, to reapply a known good state.
137137

138138
Use [Conditional Access Graph APIs](https://github.com/Azure-Samples/azure-ad-conditional-access-apis) to manage policies like code. Automate approvals to promote policies from preproduction environments, backup and restore, monitor change, and plan ahead for emergencies.

articles/active-directory/authentication/concept-authentication-authenticator-app.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: conceptual
9-
ms.date: 06/06/2023
9+
ms.date: 07/21/2023
1010

1111
ms.author: justinha
1212
author: justinha
@@ -42,12 +42,12 @@ To get started with passwordless sign-in, see [Enable passwordless sign-in with
4242

4343
The Authenticator app can help prevent unauthorized access to accounts and stop fraudulent transactions by pushing a notification to your smartphone or tablet. Users view the notification, and if it's legitimate, select **Verify**. Otherwise, they can select **Deny**.
4444

45-
![Screenshot of example web browser prompt for Authenticator app notification to complete sign-in process.](media/tutorial-enable-azure-mfa/tutorial-enable-azure-mfa-browser-prompt.png)
45+
> [!NOTE]
46+
> Starting in August, 2023, sign-ins from unfamiliar locations no longer generate notifications. Similar to how unfamiliar locations work in [Smart lockout](howto-password-smart-lockout.md), a location becomes "familiar" during the first 14 days of use, or the first 10 sign-ins. If the location is unfamiliar, or if the relevant Google or Apple service responsible for push notifications isn't available, users won't see their notification as usual. In that case, they should open Microsoft Authenticator, or Authenticator Lite in a relevant companion app like Outlook, refresh by either pulling down or hitting **Refresh**, and approve the request.
4647
47-
In some rare instances where the relevant Google or Apple service responsible for push notifications is down, users may not receive their push notifications. In these cases users should manually navigate to the Microsoft Authenticator app (or relevant companion app like Outlook), refresh by either pulling down or hitting the refresh button, and approve the request.
48+
![Screenshot of example web browser prompt for Authenticator app notification to complete sign-in process.](media/tutorial-enable-azure-mfa/tutorial-enable-azure-mfa-browser-prompt.png)
4849

49-
> [!NOTE]
50-
> If your organization has staff working in or traveling to China, the *Notification through mobile app* method on Android devices doesn't work in that country/region as Google play services(including push notifications) are blocked in the region. However iOS notification do work. For Android devices ,alternate authentication methods should be made available for those users.
50+
In China, the *Notification through mobile app* method on Android devices doesn't work because as Google play services (including push notifications) are blocked in the region. However, iOS notifications do work. For Android devices, alternate authentication methods should be made available for those users.
5151

5252
## Verification code from mobile app
5353

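Review bot: New line 50 reads "doesn't work because as Google play services"; drop the stray "as" and capitalize "Google Play". The rewrite also moves this paragraph out of the `[!NOTE]` block and removes the "staff working in or traveling to China" framing, so please confirm that the guidance to provide alternate methods for Android users is still meant to stand as body text rather than a callout.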
articles/active-directory/authentication/fido2-compatibility.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -74,7 +74,7 @@ The following tables show which transports are supported for each platform. Supp
7474
|---------|------|-----|-----|
7575
| Edge | &#10060; | &#10060; | &#10060; |
7676
| Chrome | &#x2705; | &#10060; | &#10060; |
77-
| Firefox | &#10060; | &#10060; | &#10060; |
77+
| Firefox | &#x2705; | &#10060; | &#10060; |
7878

7979

8080
### iOS

articles/active-directory/authentication/how-to-mfa-authenticator-lite.md

Lines changed: 10 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -25,11 +25,13 @@ Microsoft Authenticator Lite is another surface for Azure Active Directory (Azur
2525
Users receive a notification in Outlook mobile to approve or deny sign-in, or they can copy a TOTP to use during sign-in.
2626

2727
>[!NOTE]
28-
>This is an important security enhancement for users authenticating via telecom transports. On June 26, the Microsoft managed value of this feature changed from ‘disabled’ to ‘enabled’. If you no longer wish for this feature to be enabled, move the state from 'default' to‘disabled’ or set users to include and exclude groups.
28+
>These are important security enhancements for users authenticating via telecom transports:
29+
>- On June 26, the Microsoft managed value of this feature changed from ‘disabled’ to ‘enabled’ in the Authentication methods policy. If you no longer wish for this feature to be enabled, move the state from 'default' to ‘disabled’ or scope it to only a group of users.
30+
>- Starting September 18, Authenticator Lite will be enabled as part of the *Notification through mobile app* verification option in the per-user MFA policy. If you don't want this feature enabled, you can disable it in the Authentication methods policy following the steps below.
2931
3032
## Prerequisites
3133

32-
- Your organization needs to enable Microsoft Authenticator (second factor) push notifications for some users or groups by using the modern Authentication methods policy. You can edit the Authentication methods policy by using the Azure portal or Microsoft Graph API. Organizations with an active MFA server or that have not started migration from per-user MFA are not eligible for this feature.
34+
- Your organization needs to enable Microsoft Authenticator (second factor) push notifications for all users or select groups. We recommend enabling Microsoft Authenticator by using the modern [Authentication methods policy](concept-authentication-methods-manage.md#authentication-methods-policy). You can edit the Authentication methods policy by using the Azure portal or Microsoft Graph API. Organizations with an active MFA server are not eligible for this feature.
3335

3436
>[!TIP]
3537
>We recommend that you also enable [system-preferred multifactor authentication (MFA)](concept-system-preferred-multifactor-authentication.md) when you enable Authenticator Lite. With system-preferred MFA enabled, users try to sign-in with Authenticator Lite before they try less secure telephony methods like SMS or voice call.
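Review bot: The two dates in the note at lines 29 and 30 ("On June 26" and "Starting September 18") carry no year, so a reader coming to this page later cannot tell when the Microsoft managed default changed or when the per-user MFA change takes effect. Add the year to both. Line 29 also mixes curly quotes around ‘disabled’ and ‘enabled’ with straight quotes around 'default'; pick one style.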
@@ -45,7 +47,7 @@ Users receive a notification in Outlook mobile to approve or deny sign-in, or th
4547

4648
## Enable Authenticator Lite
4749

48-
By default, Authenticator Lite is [Microsoft managed](concept-authentication-default-enablement.md#microsoft-managed-settings). On June 26, the Microsoft managed value of this feature changed from ‘disabled’ to ‘enabled’
50+
By default, Authenticator Lite is [Microsoft managed](concept-authentication-default-enablement.md#microsoft-managed-settings) in the Authentication methods policy. On June 26, the Microsoft managed value of this feature changed from ‘disabled’ to ‘enabled’. Authenticator Lite is also included as part of the *Notification through mobile app* verification option in the per-user MFA policy.
4951

5052
### Disabling Authenticator Lite in Azure portal UX
5153

@@ -54,9 +56,9 @@ To disable Authenticator Lite in the Azure portal, complete the following steps:
5456
1. In the Azure portal, click Azure Active Directory > Security > Authentication methods > Microsoft Authenticator.
5557
In the Entra admin center, on the sidebar select Azure Active Directory > Protect & Secure > Authentication methods > Microsoft Authenticator.
5658

57-
2. On the Enable and Target tab, click Yes and All users to enable the Authenticator policy for everyone or add selected users and groups. Set the Authentication mode for these users/groups to Any or Push.
59+
2. On the Enable and Target tab, click Enable and All users to enable the Authenticator policy for everyone or add select groups. Set the Authentication mode for these users/groups to Any or Push.
5860

59-
Only users who are enabled for Microsoft Authenticator here can be enabled to use Authenticator Lite for sign-in, or excluded from it. Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook. Android users utilizing a personal and work profile on their device may be prompted to register if Authenticator is present on a different profile from the Outlook application.
61+
Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook. Android users utilizing a personal and work profile on their device may be prompted to register if Authenticator is present on a different profile from the Outlook application.
6062

6163
<img width="1112" alt="Microsoft Entra admin center Authenticator settings" src="https://user-images.githubusercontent.com/108090297/228603771-52c5933c-f95e-4f19-82db-eda2ba640b94.png">
6264

@@ -65,6 +67,9 @@ To disable Authenticator Lite in the Azure portal, complete the following steps:
6567

6668
<img width="664" alt="Authenticator Lite configuration settings" src="https://user-images.githubusercontent.com/108090297/228603364-53f2581f-a4e0-42ee-8016-79b23e5eff6c.png">
6769

70+
>[!NOTE]
71+
> If your organization still manages authentication methods in the per-user MFA policy, you'll need to disable *Notification through mobile app* as a verification option there in addition to the steps above. We recommend doing this only after you've enabled Microsoft Authenticator in the Authentication methods policy. You can contine to manage the remainder of your authentication methods in the per-user MFA policy while Microsoft Authenticator is managed in the modern Authentication methods policy. However, we recommend [migrating](how-to-authentication-methods-manage.md) management of all authentication methods to the modern Authentication methods policy. The ability to manage authentication methods in the per-user MFA policy will be retired September 30, 2024.
72+
6873
### Enable Authenticator Lite via Graph APIs
6974

7075
| Property | Type | Description |
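Review bot: Typo in the added note at line 71: "contine" should be "continue". While touching that line, consider linking "per-user MFA policy" to the page where *Notification through mobile app* is actually disabled, since the note tells admins to change a setting "in addition to the steps above" without saying where it lives.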
