MicrosoftDocs
diff --git a/‎.openpublishing.publish.config.json
Lines changed: 1 addition & 0 deletions b/‎.openpublishing.publish.config.json
Lines changed: 1 addition & 0 deletions
diff --git a/‎.openpublishing.redirection.devops-project.json
Lines changed: 119 additions & 0 deletions b/‎.openpublishing.redirection.devops-project.json
Lines changed: 119 additions & 0 deletions
diff --git a/‎articles/active-directory/develop/active-directory-v2-protocols.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/develop/active-directory-v2-protocols.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md
Lines changed: 41 additions & 8 deletions b/‎articles/active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md
Lines changed: 41 additions & 8 deletions
@@ -982,6 +982,7 @@
   ".openpublishing.redirection.security-benchmark.json",
   ".openpublishing.redirection.sql-database.json",
   ".openpublishing.redirection.virtual-desktop.json",
+  ".openpublishing.redirection.devops-project.json",
   "articles/applied-ai-services/.openpublishing.redirection.applied-ai-old.json",
   "articles/applied-ai-services/.openpublishing.redirection.applied-ai-services.json",
   "articles/azure-fluid-relay/.openpublishing.redirection.fluid-relay.json",
 
@@ -0,0 +1,119 @@
+{
+    "redirections": [
+        {
+            "source_path": "articles/devops-project/azure-devops-project-aks.md",
+            "redirect_url": "/previous-versions/azure/devops-project/azure-devops-project-aks",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/azure-devops-project-aspnet-core.md",
+            "redirect_url": "/previous-versions/azure/devops-project/azure-devops-project-aspnet-core",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/azure-devops-project-cosmos-db.md",
+            "redirect_url": "/previous-versions/azure/devops-project/azure-devops-project-cosmos-db",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/azure-devops-project-functions.md",
+            "redirect_url": "/previous-versions/azure/devops-project/azure-devops-project-functions",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/azure-devops-project-github.md",
+            "redirect_url": "/previous-versions/azure/devops-project/azure-devops-project-github",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/azure-devops-project-go.md",
+            "redirect_url": "/previous-versions/azure/devops-project/azure-devops-project-go",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/azure-devops-project-java.md",
+            "redirect_url": "/previous-versions/azure/devops-project/azure-devops-project-java",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/azure-devops-project-nodejs.md",
+            "redirect_url": "/previous-versions/azure/devops-project/azure-devops-project-nodejs",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/azure-devops-project-php.md",
+            "redirect_url": "/previous-versions/azure/devops-project/azure-devops-project-php",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/azure-devops-project-python.md",
+            "redirect_url": "/previous-versions/azure/devops-project/azure-devops-project-python",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/azure-devops-project-ruby.md",
+            "redirect_url": "/previous-versions/azure/devops-project/azure-devops-project-ruby",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/azure-devops-project-service-fabric.md",
+            "redirect_url": "/previous-versions/azure/devops-project/azure-devops-project-service-fabric",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/azure-devops-project-sql-database.md",
+            "redirect_url": "/previous-versions/azure/devops-project/azure-devops-project-sql-database",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/azure-devops-project-vms.md",
+            "redirect_url": "/previous-versions/azure/devops-project/azure-devops-project-vms",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/devops-starter-gh-nodejs.md",
+            "redirect_url": "/previous-versions/azure/devops-project/devops-starter-gh-nodejs",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/devops-starter-gh-web-app.md",
+            "redirect_url": "/previous-versions/azure/devops-project/devops-starter-gh-web-app",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/overview.md",
+            "redirect_url": "/previous-versions/azure/devops-project/overview",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/index.md",
+            "redirect_url": "/previous-versions/azure/devops-project/overview",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/devops-project/retirement-and-migration.md",
+            "redirect_url": "/previous-versions/azure/devops-project/retirement-and-migration",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/virtual-machines/linux/tutorial-azure-devops-blue-green-strategy.md",
+            "redirect_url": "/previous-versions/azure/virtual-machines/linux/tutorial-azure-devops-blue-green-strategy",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/virtual-machines/linux/tutorial-azure-devops-canary-strategy.md",
+            "redirect_url": "/previous-versions/azure/virtual-machines/linux/tutorial-azure-devops-canary-strategy",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/virtual-machines/linux/tutorial-build-deploy-azure-pipelines.md",
+            "redirect_url": "/previous-versions/azure/virtual-machines/linux/tutorial-build-deploy-azure-pipelines",
+            "redirect_document_id": false
+          },
+          {
+            "source_path": "articles/aks/deployment-center-launcher.md",
+            "redirect_url": "/previous-versions/azure/aks/deployment-center-launcher",
+            "redirect_document_id": false
+          }          
+    ]
+  }
@@ -63,7 +63,7 @@ The endpoint URIs for your app are generated automatically when you register or
 
 Two commonly used endpoints are the [authorization endpoint](v2-oauth2-auth-code-flow.md#request-an-authorization-code) and [token endpoint](v2-oauth2-auth-code-flow.md#redeem-a-code-for-an-access-token). Here are examples of the `authorize` and `token` endpoints:
 
-```Bash
+```
 # Authorization endpoint - used by client to obtain authorization from the resource owner.
 https://login.microsoftonline.com/<issuer>/oauth2/v2.0/authorize
 # Token endpoint - used by client to exchange an authorization grant or refresh token for an access token.
 
@@ -8,10 +8,11 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: how-to
-ms.date: 12/19/2022
+ms.date: 03/28/2023
 ms.author: cwerner
 ms.reviewer: jmprieur, kkrishna
 ms.custom: aaddev, engagement-fy23
+
 #Customer intent: As a tenant administrator, I want to restrict an application that I have registered in Azuren-e AD to a select set of users available in my Azure AD tenant
 ---
 
@@ -21,17 +22,17 @@ Applications registered in an Azure Active Directory (Azure AD) tenant are, by d
 
 Similarly, in a [multi-tenant](howto-convert-app-to-be-multi-tenant.md) application, all users in the Azure AD tenant where the application is provisioned can access the application once they successfully authenticate in their respective tenant.
 
-Tenant administrators and developers often have requirements where an application must be restricted to a certain set of users. There are two ways to restrict an application to a certain set of users or security groups:
+Tenant administrators and developers often have requirements where an application must be restricted to a certain set of users or apps (services). There are two ways to restrict an application to a certain set of users, apps or security groups:
 
 - Developers can use popular authorization patterns like [Azure role-based access control (Azure RBAC)](howto-implement-rbac-for-apps.md).
 - Tenant administrators and developers can use built-in feature of Azure AD.
 
 ## Supported app configurations
 
-The option to restrict an app to a specific set of users or security groups in a tenant works with the following types of applications:
+The option to restrict an app to a specific set of users, apps or security groups in a tenant works with the following types of applications:
 
 - Applications configured for federated single sign-on with SAML-based authentication.
-- Application proxy applications that use Azure AD pre-authentication.
+- Application proxy applications that use Azure AD preauthentication.
 - Applications built directly on the Azure AD application platform that use OAuth 2.0/OpenID Connect authentication after a user or admin has consented to that application.
 
 ## Update the app to require user assignment
@@ -41,28 +42,60 @@ To update an application to require user assignment, you must be owner of the ap
 1. Sign in to the [Azure portal](https://portal.azure.com/)
 1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch the tenant in which you want to register an application.
 1. Search for and select **Azure Active Directory**.
-1. Under **Manage**, select **Enterprise Applications** > **All applications**.
+1. Under **Manage**, select **Enterprise Applications** then select **All applications**.
 1. Select the application you want to configure to require assignment. Use the filters at the top of the window to search for a specific application.
 1. On the application's **Overview** page, under **Manage**, select **Properties**.
 1. Locate the setting **Assignment required?** and set it to **Yes**. When this option is set to **Yes**, users and services attempting to access the application or services must first be assigned for this application, or they won't be able to sign-in or obtain an access token.
 1. Select **Save** on the top bar.
 
 When an application requires assignment, user consent for that application isn't allowed. This is true even if users consent for that app would have otherwise been allowed. Be sure to [grant tenant-wide admin consent](../manage-apps/grant-admin-consent.md) to apps that require assignment.
 
-## Assign the app to users and groups
+## Assign the app to users and groups to restrict access
 
 Once you've configured your app to enable user assignment, you can go ahead and assign the app to users and groups.
 
-1. Under **Manage**, select the **Users and groups** > **Add user/group** .
+1. Under **Manage**, select the **Users and groups** then select **Add user/group**.
 1. Select the **Users** selector.
 
-   A list of users and security groups will be shown along with a textbox to search and locate a certain user or group. This screen allows you to select multiple users and groups in one go.
+   A list of users and security groups are shown along with a textbox to search and locate a certain user or group. This screen allows you to select multiple users and groups in one go.
 
 1. Once you're done selecting the users and groups, select **Select**.
 1. (Optional) If you have defined app roles in your application, you can use the **Select role** option to assign the app role to the selected users and groups.
 1. Select **Assign** to complete the assignments of the app to the users and groups.
 1. Confirm that the users and groups you added are showing up in the updated **Users and groups** list.
 
+## Restrict access to an app (resource) by assigning other services (client apps)
+
+Follow the steps in this section to secure app-to-app authentication access for your tenant.
+
+1.	Navigate to Service Principal sign-in logs in your tenant to find services authenticating to access resources in your tenant.
+1.	Check using app ID if a Service Principal exists for both resource and client apps in your tenant that you wish to manage access.
+      ```powershell
+      Get-MgServicePrincipal `
+      -Filter "AppId eq '$appId'"
+      ```
+1.	Create a Service Principal using app ID, if it doesn't exist:
+      ```powershell
+      New-MgServicePrincipal `
+      -AppId $appId
+      ```
+1.	Explicitly assign client apps to resource apps (this functionality is available only in API and not in the Azure AD Portal):
+      ```powershell
+      $clientAppId = “[guid]”
+                     $clientId = (Get-MgServicePrincipal -Filter "AppId eq '$clientAppId'").Id
+      New-MgServicePrincipalAppRoleAssignment `
+      -ServicePrincipalId $clientId `
+      -PrincipalId $clientId `
+      -ResourceId (Get-MgServicePrincipal -Filter "AppId eq '$appId'").Id `
+      -AppRoleId "00000000-0000-0000-0000-000000000000"
+      ```
+1.	Require assignment for the resource application to restrict access only to the explicitly assigned users or services.
+      ```powershell
+      Update-MgServicePrincipal -ServicePrincipalId (Get-MgServicePrincipal -Filter "AppId eq '$appId'").Id -AppRoleAssignmentRequired:$true
+      ```
+   > [!NOTE]
+   > If you don't want tokens to be issued for an application or if you want to block an application from being accessed by users or services in your tenant, create a service principal for the application and [disable user sign-in](../manage-apps/disable-user-sign-in-portal.md) for it.
+
 ## More information
 
 For more information about roles and security groups, see: