Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into heidist-partner

Author: HeidiSteen

.openpublishing.publish.config.json

@@ -845,6 +845,7 @@
     "articles/purview/.openpublishing.redirection.purview.json",
     "articles/service-bus-messaging/.openpublishing.redirection.service-bus-messaging.json",
     "articles/stream-analytics/.openpublishing.redirection.stream-analytics.json",
-    "articles/virtual-machines/.openpublishing.redirection.virtual-machines.json"
+    "articles/virtual-machines/.openpublishing.redirection.virtual-machines.json",
+    "articles/mysql/.openpublishing.redirection.mysql.json"
   ]
 }

.openpublishing.redirection.active-directory.json

@@ -7,6 +7,8 @@
     href: overview.md
   - name: Technical and feature overview
     href: technical-overview.md
+  - name: Supported Azure AD features
+    href: supported-azure-ad-features.md
   - name: What's new in docs?
     href: whats-new-docs.md
 - name: Quickstarts
@@ -26,7 +28,9 @@
     href: tutorial-register-applications.md
   - name: 3 - Create user flows and custom policies
     href: tutorial-create-user-flows.md
-  - name: Clean up and delete tenant
+  - name: 4 - Manage your tenant
+    href: tenant-management.md
+  - name: 5 - Clean up and delete tenant
     href: tutorial-delete-tenant.md
 - name: Samples
   items:
@@ -82,14 +86,14 @@
     href: user-overview.md
   - name: User profile attributes
     href: user-profile-attributes.md
+  - name: Roles and resource access control
+    href: roles-resource-access-control.md
   - name: Identity Protection and Conditional Access
     href: conditional-access-identity-protection-overview.md
   - name: Policy keys
     href: policy-keys-overview.md
 - name: How-to guides
   items:
-  - name: Manage your tenant
-    href: tenant-management.md
   - name: App integration
     items:
     - name: ASP.NET Core web app

.openpublishing.redirection.json

@@ -111,7 +111,7 @@ The **OutputClaim** element contains the following attributes:
 | ClaimTypeReferenceId | Yes | A reference to a ClaimType already defined in the ClaimsSchema section in the policy.
 | TransformationClaimType | Yes | An identifier to reference a transformation claim type. Each claim transformation has its own values. See the [claims transformation reference](#claims-transformations-reference) for a complete list of the available values. |
 
-If input claim and the output claim are the same type (string, or boolean), you can use the same input claim as the output claim. In this case, the claims transformation changes the input claim with the output value.
+Input and output claims used in claims transformation need to be distinct. The same input claim cannot be used as the output claim.
 
 ## Example
 

articles/active-directory-b2c/TOC.yml

@@ -59,7 +59,7 @@ Before you follow the procedures in this article, make sure that your computer i
 
 * [Visual Studio Code](https://code.visualstudio.com/) or another code editor.
 * [Node.js runtime](https://nodejs.org/en/download/) and [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm).
-* [Angular LCI](https://angular.io/cli).
+* [Angular CLI](https://angular.io/cli).
 
 ## Step 1: Configure your user flow
 

articles/active-directory-b2c/claimstransformations.md

@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 09/15/2021
+ms.date: 10/08/2021
 ms.custom: project-no-code
 ms.author: mimart
 ms.subservice: B2C
@@ -58,6 +58,11 @@ To configure your user flow token lifetime:
 1. Under **Token lifetime**, adjust the properties to fit the needs of your application.
 1. Click **Save**.
 
+
+
+:::image type="content" source="./media/configure-tokens/configure-tokens.png" alt-text="configure user flows tokens in Azure portal.":::
+
+
 ::: zone-end
 
 ::: zone pivot="b2c-custom-policy"

articles/active-directory-b2c/configure-authentication-sample-angular-spa-app.md

@@ -28,7 +28,7 @@ zone_pivot_groups: b2c-policy-type
 
 ::: zone pivot="b2c-custom-policy"
 
-For a simpler sing-up or sign-in experience, you can avoid redirecting users to a separate sing-up or sign-in page, or generating a pop-up window. By using the inline frame <iframe> HTML element, you can embed the Azure AD B2C sign-in user interface directly into your web application. 
+For a simpler sign-up or sign-in experience, you can avoid redirecting users to a separate sign-up or sign-in page, or generating a pop-up window. By using the inline frame <iframe> HTML element, you can embed the Azure AD B2C sign-in user interface directly into your web application. 
 
 > [!TIP]
 > Use the <iframe> HTML element to embed the [sign-up or sign-in](add-sign-up-and-sign-in-policy.md), [edit profile](add-profile-editing-policy.md), or [change password](add-password-change-policy.md) custom policies into your web or single page app.

articles/active-directory-b2c/configure-tokens.md

@@ -218,7 +218,7 @@ error=user_authentication_required
 If you receive this error in the iframe request, the user must interactively sign in again to retrieve a new token.
 
 ## Refresh tokens
-ID tokens and access tokens both expire after a short period of time. Your app must be prepared to refresh these tokens periodically.  To refresh either type of token, perform the same hidden iframe request we used in an earlier example, by using the `prompt=none` parameter to control Azure AD steps.  To receive a new `id_token` value, be sure to use `response_type=id_token` and `scope=openid`, and a `nonce` parameter.
+ID tokens and access tokens both expire after a short period of time. Your app must be prepared to refresh these tokens periodically. Implicit flows do not allow you to obtain a refresh token due to security reasons. To refresh either type of token, use the implicit flow in a hidden HTML iframe element. In the authorization request include the  `prompt=none` parameter. To receive a new id_token value, be sure to use `response_type=id_token` and `scope=openid`, and a `nonce` parameter.
 
 ## Send a sign-out request
 When you want to sign the user out of the app, redirect the user to Azure AD to sign out. If you don't redirect the user, they might be able to reauthenticate to your app without entering their credentials again because they have a valid single sign-on session with Azure AD.