Merge pull request #194532 from MicrosoftDocs/main

Merge to main, 4AM

Author: v-ccolin

.gitignore

@@ -24,4 +24,3 @@ AzureMigration.ps1
 .gitignore
 **/.vscode/settings.json
 *.pdn
-articles/azure-cache-for-redis/media/cache-managed-identity/Screenshot 2022-01-20 092913.pdn

.openpublishing.publish.config.json

@@ -861,6 +861,7 @@
       "branch": "main",
       "branch_mapping": {}
     }
+
   ],
   "branch_target_mapping": {
     "live": [

.openpublishing.redirection.json

@@ -618,6 +618,11 @@
       "redirect_url": "/azure/azure-arc/kubernetes/quickstart-connect-cluster",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/azure-arc/kubernetes/deploy-azure-iot-edge-workloads.md",
+      "redirect_url": "/azure/azure-arc/kubernetes/",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/cognitive-services/whats-new-docs.md",
       "redirect_url": "/azure/cognitive-services/what-are-cognitive-services",

articles/active-directory-b2c/TOC.yml

@@ -273,6 +273,8 @@
       href: identity-provider-linkedin.md
     - name: Microsoft Account
       href: identity-provider-microsoft-account.md
+    - name: Mobile ID
+      href: identity-provider-mobile-id.md
     - name: PingOne (PingIdentity)
       href: identity-provider-ping-one.md
       displayName: Ping identity

articles/active-directory-b2c/add-identity-provider.md

@@ -6,7 +6,7 @@ author: kengaderdus
 manager: CelesteDG
 
 ms.author: kengaderdus
-ms.date: 12/02/2021
+ms.date: 04/08/2022
 ms.custom: mvc
 ms.topic: how-to
 ms.service: active-directory
@@ -43,6 +43,7 @@ You typically use only one identity provider in your applications, but you have
 * [Google](identity-provider-google.md)
 * [LinkedIn](identity-provider-linkedin.md)
 * [Microsoft Account](identity-provider-microsoft-account.md)
+* [Mobile ID](identity-provider-mobile-id.md)
 * [PingOne](identity-provider-ping-one.md) (PingIdentity)
 * [QQ](identity-provider-qq.md)
 * [Salesforce](identity-provider-salesforce.md)

articles/active-directory-b2c/identity-provider-mobile-id.md

@@ -0,0 +1,201 @@
+---
+title: Set up sign-up and sign-in with Mobile ID 
+titleSuffix: Azure AD B2C
+description: Provide sign-up and sign-in to customers with Mobile ID in your applications using Azure Active Directory B2C.
+services: active-directory-b2c
+author: kengaderdus
+manager: celestedg
+
+ms.service: active-directory
+ms.workload: identity
+ms.topic: how-to
+ms.date: 04/08/2022
+ms.author: kengaderdus
+ms.subservice: B2C
+zone_pivot_groups: b2c-policy-type
+---
+
+# Set up sign-up and sign-in with Mobile ID using Azure Active Directory B2C
+
+[!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
+
+In this article, you learn how to provide sign-up and sign-in to customers with [Mobile ID](https://www.mobileid.ch) in your applications using Azure Active Directory B2C (Azure AD B2C). The Mobile ID solution protects access to your company data and applications with a comprehensive end-to- end solution for a strong multi-factor authentication (MFA). You add the Mobile ID to your user flows or custom policy using OpenID Connect protocol. 
+
+## Prerequisites
+
+[!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)]
+
+## Create a Mobile ID application
+
+To enable sign-in for users with Mobile ID in Azure AD B2C, you need to create an application. To create Mobile ID application, follow these steps:
+
+1. Contact [Mobile ID support](https://www.mobileid.ch/en/contact).
+1. Provide the Mobile ID the information about your Azure AD B2C tenant:
+
+
+    |Key  |Note  |
+    |---------|---------|
+    |Redirect URI     | Provide the `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp` URI. If you use a [custom domain](custom-domain.md), enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-tenant-name` with the name of your tenant, and `your-domain-name` with your custom domain. |
+    |Token endpoint authentication method|  `client_secret_post`|
+
+
+1. After the app is registered, the following information will be provided by the Mobile ID. Use this information to configure your user flow, or custom policy.
+
+    |Key  |Note  |
+    |---------|---------|
+    | Client ID | The Mobile ID client ID. For example, 11111111-2222-3333-4444-555555555555. |
+    | Client Secret| The Mobile ID client secret.| 
+
+
+::: zone pivot="b2c-user-flow"
+
+## Configure Mobile ID as an identity provider
+
+1. Make sure you're using the directory that contains Azure AD B2C tenant. Select the **Directory + subscription** filter in the top menu and choose the directory that contains your Azure AD B2C tenant.
+1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
+1. Select **Identity providers**, and then select **New OpenID Connect provider**.
+1. Enter a **Name**. For example, enter *Mobile ID*.
+1. For **Metadata url**, enter the URL Mobile ID OpenId well-known configuration endpoint. For example:
+
+    ```http
+    https://openid.mobileid.ch/.well-known/openid-configuration
+    ```
+
+1. For **Client ID**, enter the Mobile ID Client ID.
+1. For **Client secret**, enter the Mobile ID client secret.
+1. For the **Scope**, enter the `openid, profile, phone, mid_profile`.
+1. Leave the default values for **Response type** (`code`), and **Response mode** (`form_post`).
+1. (Optional) For the **Domain hint**, enter `mobileid.ch`. For more information, see [Set up direct sign-in using Azure Active Directory B2C](direct-signin.md#redirect-sign-in-to-a-social-provider).
+1. Under **Identity provider claims mapping**, select the following claims:
+
+    - **User ID**: *sub*
+    - **Display name**: *name*
+
+
+1. Select **Save**.
+
+## Add Mobile ID identity provider to a user flow 
+
+At this point, the Mobile ID identity provider has been set up, but it's not yet available in any of the sign-in pages. To add the Mobile ID identity provider to a user flow:
+
+1. In your Azure AD B2C tenant, select **User flows**.
+1. Select the user flow that you want to add the Mobile ID identity provider.
+1. Under the **Social identity providers**, select **Mobile ID**.
+1. Select **Save**.
+1. To test your policy, select **Run user flow**.
+1. For **Application**, select the web application named *testapp1* that you previously registered. The **Reply URL** should show `https://jwt.ms`.
+1. Select the **Run user flow** button.
+1. From the sign-up or sign-in page, select **Mobile ID** to sign in with Mobile ID.
+
+If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
+
+::: zone-end
+
+::: zone pivot="b2c-custom-policy"
+
+## Create a policy key
+
+You need to store the client secret that you received from Mobile ID in your Azure AD B2C tenant.
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+2. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directory + subscription** filter in the top menu and choose the directory that contains your tenant.
+3. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
+4. On the Overview page, select **Identity Experience Framework**.
+5. Select **Policy Keys** and then select **Add**.
+6. For **Options**, choose `Manual`.
+7. Enter a **Name** for the policy key. For example, `Mobile IDSecret`. The prefix `B2C_1A_` is added automatically to the name of your key.
+8. In **Secret**, enter your Mobile ID client secret.
+9. For **Key usage**, select `Signature`.
+10. Select **Create**.
+
+## Configure Mobile ID as an identity provider
+
+To enable users to sign in using a Mobile ID, you need to define the Mobile ID as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.
+
+You can define a Mobile ID as a claims provider by adding it to the **ClaimsProviders** element in the extension file of your policy.
+
+1. Open the *TrustFrameworkExtensions.xml*.
+2. Find the **ClaimsProviders** element. If it doesn't exist, add it under the root element.
+3. Add a new **ClaimsProvider** as follows:
+
+    ```xml
+    <ClaimsProvider>
+    <Domain>mobileid.ch</Domain>
+    <DisplayName>Mobile-ID</DisplayName>
+    <TechnicalProfiles>
+      <TechnicalProfile Id="MobileID-OAuth2">
+      <DisplayName>Mobile-ID</DisplayName>
+      <Protocol Name="OAuth2" />
+      <Metadata>
+        <Item Key="ProviderName">Mobile-ID</Item>
+         <Item Key="authorization_endpoint">https://m.mobileid.ch/oidc/authorize</Item>
+          <Item Key="AccessTokenEndpoint">https://openid.mobileid.ch/token</Item>
+          <Item Key="ClaimsEndpoint">https://openid.mobileid.ch/userinfo</Item>
+          <Item Key="scope">openid, profile, phone, mid_profile</Item>
+          <Item Key="HttpBinding">POST</Item>
+          <Item Key="UsePolicyInRedirectUri">false</Item>
+          <Item Key="token_endpoint_auth_method">client_secret_post</Item>
+          <Item Key="BearerTokenTransmissionMethod">AuthorizationHeader</Item>
+          <Item Key="client_id">Your application ID</Item>
+        </Metadata>
+        <CryptographicKeys>
+          <Key Id="client_secret" StorageReferenceId="B2C_1A_MobileIdSecret" />
+        </CryptographicKeys>
+        <OutputClaims>
+          <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
+          <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/>
+          <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="mobileid.ch" />
+          <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
+        </OutputClaims>
+        <OutputClaimsTransformations>
+          <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
+          <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
+          <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
+          <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
+        </OutputClaimsTransformations>
+        <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
+        </TechnicalProfile>
+      </TechnicalProfiles>
+    </ClaimsProvider>
+    ```
+
+4. Set **client_id** to the Mobile ID client ID.
+5. Save the file.
+
+[!INCLUDE [active-directory-b2c-add-identity-provider-to-user-journey](../../includes/active-directory-b2c-add-identity-provider-to-user-journey.md)]
+
+
+```xml
+<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
+  <ClaimsProviderSelections>
+    ...
+    <ClaimsProviderSelection TargetClaimsExchangeId="MobileIDExchange" />
+  </ClaimsProviderSelections>
+  ...
+</OrchestrationStep>
+
+<OrchestrationStep Order="2" Type="ClaimsExchange">
+  ...
+  <ClaimsExchanges>
+    <ClaimsExchange Id="MobileIDExchange" TechnicalProfileReferenceId="MobileID-OAuth2" />
+  </ClaimsExchanges>
+</OrchestrationStep>
+```
+
+[!INCLUDE [active-directory-b2c-configure-relying-party-policy](../../includes/active-directory-b2c-configure-relying-party-policy-user-journey.md)]
+
+## Test your custom policy
+
+1. Select your relying party policy, for example `B2C_1A_signup_signin`.
+1. For **Application**, select a web application that you [previously registered](tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`.
+1. Select the **Run now** button.
+1. From the sign-up or sign-in page, select **Mobile ID** to sign in with Mobile ID.
+
+If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
+
+
+::: zone-end
+
+## Next steps
+
+Learn how to [pass Mobile ID token to your application](idp-pass-through-user-flow.md).

articles/active-directory-b2c/page-layout.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 09/22/2021
+ms.date: 04/08/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 ---
@@ -52,6 +52,10 @@ Azure AD B2C page layout uses the following versions of the [jQuery library](htt
 
 ## Self-asserted page (selfasserted)
 
+**2.1.9**
+
+- TOTP multifactor authentication support. Adding links that allows users to download and install the Microsoft authenticator app to complete the enrollment of the TOTP on the authenticator.
+
 **2.1.8**
 
 - The claim name is added to the `class` attribute of the `<li>` HTML element that surrounding the user's attribute input elements. The class name allows you to create a CSS selector to select the parent `<li>` for a certain user attribute input element. The following HTML markup shows the class attribute for the sign-up page:
@@ -139,6 +143,16 @@ Azure AD B2C page layout uses the following versions of the [jQuery library](htt
 > [!TIP]
 > If you localize your page to support multiple locales, or languages in a user flow. The [localization IDs](localization-string-ids.md) article provides the list of localization IDs that you can use for the page version you select.
 
+
+**2.1.7**
+
+- Accessibility fix - correcting to the tab index
+
+**2.1.6**
+
+- Accessibility fix - set the focus on the input field for verification. 
+- Updates to the UI elements and CSS classes
+
 **2.1.5**
 - Fixed an issue on tab order when idp selector template is used on sign in page.
 - Fixed an encoding issue on sign-in link text.

articles/active-directory-b2c/saml-issuer-technical-profile.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 10/12/2020
+ms.date: 04/08/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 ---
@@ -67,6 +67,7 @@ The CryptographicKeys element contains the following attributes:
 | --------- | -------- | ----------- |
 | MetadataSigning | Yes | The X509 certificate (RSA key set) to use to sign SAML metadata. Azure AD B2C uses this key to sign the metadata. |
 | SamlMessageSigning| Yes| Specify the X509 certificate (RSA key set) to use to sign SAML messages. Azure AD B2C uses this key to signing the response `<samlp:Response>` send to the relying party.|
+| SamlAssertionSigning| No| Specify the X509 certificate (RSA key set) to use to sign SAML assertion `<saml:Assertion>` element of the SAML token. If not provided, the `SamlMessageSigning` cryptographic key is used instead.|
 
 ## Session management
 

articles/advisor/advisor-overview.md

@@ -2,7 +2,7 @@
 title: Introduction to Azure Advisor
 description: Use Azure Advisor to optimize your Azure deployments.
 ms.topic: overview
-ms.date: 09/27/2020
+ms.date: 04/07/2022
 ---
 
 # Introduction to Azure Advisor
@@ -25,7 +25,7 @@ The Advisor dashboard displays personalized recommendations for all your subscri
 * **Security**: To detect threats and vulnerabilities that might lead to security breaches. For more information, see [Advisor Security recommendations](advisor-security-recommendations.md).
 * **Performance**: To improve the speed of your applications. For more information, see [Advisor Performance recommendations](advisor-performance-recommendations.md).
 * **Cost**: To optimize and reduce your overall Azure spending. For more information, see [Advisor Cost recommendations](advisor-cost-recommendations.md).
-* **Operational Excellence**: To help you achieve process and workflow efficiency, resource manageability and deployment best practices. . For more information, see [Advisor Operational Excellence recommendations](advisor-operational-excellence-recommendations.md).
+* **Operational Excellence**: To help you achieve process and workflow efficiency, resource manageability and deployment best practices. For more information, see [Advisor Operational Excellence recommendations](advisor-operational-excellence-recommendations.md).
 
   ![Advisor recommendation types](./media/advisor-overview/advisor-dashboard.png)
 

articles/aks/TOC.yml

@@ -185,7 +185,7 @@
           href: node-updates-kured.md
         - name: Configure an AKS cluster
           href: cluster-configuration.md
-        - name: Custom node configuration (preview)
+        - name: Custom node configuration
           href: custom-node-configuration.md
         - name: Integrate ACR with an AKS cluster
           href: cluster-container-registry-integration.md
@@ -264,7 +264,7 @@
                   href: managed-aad.md
                 - name: Azure AD integration (legacy)
                   href: azure-ad-integration-cli.md
-                - name: Enable GMSA integration (Preview)
+                - name: Enable GMSA integration
                   href: use-group-managed-service-accounts.md
             - name: Use Azure RBAC for Kubernetes authorization
               href: manage-azure-rbac.md