MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 16 additions & 1 deletion b/‎.openpublishing.redirection.json
Lines changed: 16 additions & 1 deletion
diff --git a/‎articles/active-directory/develop/reference-claims-mapping-policy-type.md
Lines changed: 109 additions & 35 deletions b/‎articles/active-directory/develop/reference-claims-mapping-policy-type.md
Lines changed: 109 additions & 35 deletions
diff --git a/‎articles/active-directory/external-identities/customers/how-to-register-ciam-app.md
Lines changed: 19 additions & 6 deletions b/‎articles/active-directory/external-identities/customers/how-to-register-ciam-app.md
Lines changed: 19 additions & 6 deletions
@@ -13841,7 +13841,7 @@
         {
             "source_path_from_root": "/articles/load-balancer/use-existing-lb-vmss-cli.md",
             "redirect_url": "/azure/load-balancer/configure-vm-scale-set-cli",
-            "redirect_document_id": ""
+            "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/load-balancer/load-balancer-get-started-internet-classic-portal.md",
@@ -23998,6 +23998,21 @@
             "redirect_url": "/azure/networking/manage-apps/connectivity-interoperability-data-plane",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/operator-nexus/howto-hybrid-aks.md",
+            "redirect_url": "/azure/operator-nexus/howto-kubernetes-cluster-agent-pools",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/operator-nexus/template-virtualized-network-function-deployment.md",
+            "redirect_url": "/azure/operator-nexus/quickstarts-tenant-workload-deployment",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/operator-nexus/template-cloud-native-network-function-deployment.md",
+            "redirect_url": "/azure/operator-nexus/quickstarts-kubernetes-cluster-deployment-cli",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/container-registry/github-action-scan.md",
             "redirect_url": "/azure/developer/github/",
 
@@ -44,6 +44,7 @@ The following claims are in the restricted claim set for a JWT.
 - `acr`
 - `acrs`
 - `actor`
+- `actortoken`
 - `ageGroup`
 - `aio`
 - `altsecid`
@@ -55,41 +56,68 @@ The following claims are in the restricted claim set for a JWT.
 - `appctxsender`
 - `appid`
 - `appidacr`
+- `assertion`
 - `at_hash`
+- `aud`
+- `auth_data`
 - `auth_time`
+- `authorization_code`
 - `azp`
 - `azpacr`
+- `bk_claim`
+- `bk_enclave`
+- `bk_pub`
+- `brk_client_id`
+- `brk_redirect_uri`
 - `c_hash`
 - `ca_enf`
 - `ca_policy_result`
-- `capolids_latebind`
 - `capolids`
+- `capolids_latebind`
 - `cc`
+- `cert_token_use`
+- `child_client_id`
+- `child_redirect_uri`
+- `client_id`
+- `client_ip`
+- `cloud_graph_host_name`
+- `cloud_instance_host_name`
+- `cloud_instance_name`
+- `CloudAssignedMdmId`
 - `cnf`
 - `code`
-- `controls_auds`
 - `controls`
+- `controls_auds`
 - `credential_keys`
+- `csr`
+- `csr_type`
 - `ctry`
 - `deviceid`
+- `dns_names`
 - `domain_dns_name`
 - `domain_netbios_name`
 - `e_exp`
 - `email`
 - `endpoint`
 - `enfpolids`
+- `exp`
 - `expires_on`
+- `extn. as prefix`
 - `fido_auth_data`
-- `fwd_appidacr`
+- `fido_ver`
 - `fwd`
+- `fwd_appidacr`
+- `grant_type`
 - `graph`
 - `group_sids`
 - `groups`
 - `hasgroups`
+- `hash_alg`
 - `haswids`
 - `home_oid`
 - `home_puid`
 - `home_tid`
+- `iat`
 - `identityprovider`
 - `idp`
 - `idtyp`
@@ -98,16 +126,23 @@ The following claims are in the restricted claim set for a JWT.
 - `inviteTicket`
 - `ipaddr`
 - `isbrowserhostedapp`
+- `iss`
 - `isViral`
+- `jwk`
+- `key_id`
+- `key_type`
 - `login_hint`
 - `mam_compliance_url`
 - `mam_enrollment_url`
 - `mam_terms_of_use_url`
 - `mdm_compliance_url`
 - `mdm_enrollment_url`
 - `mdm_terms_of_use_url`
+- `msgraph_host`
 - `msproxy`
 - `nameid`
+- `nbf`
+- `netbios_name`
 - `nickname`
 - `nonce`
 - `oid`
@@ -116,25 +151,35 @@ The following claims are in the restricted claim set for a JWT.
 - `onprem_sid`
 - `openid2_id`
 - `origin_header`
+- `password`
 - `platf`
 - `polids`
 - `pop_jwk`
 - `preferred_username`
+- `previous_refresh_token`
 - `primary_sid`
 - `prov_data`
 - `puid`
 - `pwd_exp`
 - `pwd_url`
 - `rdp_bt`
+- `redirect_uri`
+- `refresh_token`
 - `refresh_token_issued_on`
 - `refreshtoken`
+- `request_nonce`
+- `resource`
 - `rh`
+- `role`
 - `roles`
+- `rp_id`
 - `rt_type`
+- `scope`
 - `scp`
 - `secaud`
 - `sid`
 - `sid`
+- `signature`
 - `signin_state`
 - `source_anchor`
 - `src1`
@@ -145,6 +190,7 @@ The following claims are in the restricted claim set for a JWT.
 - `tbidv2`
 - `tenant_ctry`
 - `tenant_display_name`
+- `tenant_id`
 - `tenant_region_scope`
 - `tenant_region_sub_scope`
 - `thumbnail_photo`
@@ -154,60 +200,88 @@ The following claims are in the restricted claim set for a JWT.
 - `ttr`
 - `unique_name`
 - `upn`
+- `user_agent`
 - `user_setting_sync_url`
+- `username`
 - `uti`
 - `ver`
 - `verified_primary_email`
 - `verified_secondary_email`
 - `vnet`
+- `vsm_binding_key`
 - `wamcompat_client_info`
 - `wamcompat_id_token`
 - `wamcompat_scopes`
 - `wids`
+- `win_ver`
+- `x5c_ca`
 - `xcb2b_rclient`
 - `xcb2b_rcloud`
 - `xcb2b_rtenant`
 - `ztdid`
 
+
 > [!NOTE]
 > Any claim starting with `xms_` is restricted.
 
 ### SAML restricted claim set
 
 The following table lists the SAML claims that are in the restricted claim set.
 
-| Claim type (URI) |
-| ----- |
-|`http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged`|
-|`http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown`|
-|`http://schemas.microsoft.com/2014/03/psso`|
-|`http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant`|
-|`http://schemas.microsoft.com/claims/authnmethodsreferences`|
-|`http://schemas.microsoft.com/claims/groups.link`|
-|`http://schemas.microsoft.com/identity/claims/accesstoken`|
-|`http://schemas.microsoft.com/identity/claims/acct`|
-|`http://schemas.microsoft.com/identity/claims/agegroup`|
-|`http://schemas.microsoft.com/identity/claims/aio`|
-|`http://schemas.microsoft.com/identity/claims/identityprovider`|
-|`http://schemas.microsoft.com/identity/claims/objectidentifier`|
-|`http://schemas.microsoft.com/identity/claims/openid2_id`|
-|`http://schemas.microsoft.com/identity/claims/puid`|
-|`http://schemas.microsoft.com/identity/claims/tenantid`|
-|`http://schemas.microsoft.com/identity/claims/xms_et`|
-|`http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant`|
-|`http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod`|
-|`http://schemas.microsoft.com/ws/2008/06/identity/claims/expiration`|
-|`http://schemas.microsoft.com/ws/2008/06/identity/claims/groups`|
-|`http://schemas.microsoft.com/ws/2008/06/identity/claims/role`|
-|`http://schemas.microsoft.com/ws/2008/06/identity/claims/wids`|
-|`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`|
-| `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname` |
-| `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid` |
-| `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid` |
-| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid` |
-| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname` |
-| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`  |
-| `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` |
+Restricted Claim type (URI):
+- `http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged`
+- `http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown`
+- `http://schemas.microsoft.com/2014/03/psso`
+- `http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant`
+- `http://schemas.microsoft.com/claims/authnmethodsreferences`
+- `http://schemas.microsoft.com/claims/groups.link`
+- `http://schemas.microsoft.com/identity/claims/accesstoken`
+- `http://schemas.microsoft.com/identity/claims/acct`
+- `http://schemas.microsoft.com/identity/claims/agegroup`
+- `http://schemas.microsoft.com/identity/claims/aio`
+- `http://schemas.microsoft.com/identity/claims/identityprovider`
+- `http://schemas.microsoft.com/identity/claims/objectidentifier`
+- `http://schemas.microsoft.com/identity/claims/openid2_id`
+- `http://schemas.microsoft.com/identity/claims/puid`
+- `http://schemas.microsoft.com/identity/claims/scope`
+- `http://schemas.microsoft.com/identity/claims/tenantid`
+- `http://schemas.microsoft.com/identity/claims/xms_et`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/confirmationkey`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlywindowsdevicegroup`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/expiration`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/expired`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/groups`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/ispersistent`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/role`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/role`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/samlissuername`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/wids`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsdeviceclaim`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsdevicegroup`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsfqbnversion`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowssubauthority`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsuserclaim`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecision`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname`
+- `http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor`
+
 
 These claims are restricted by default, but aren't restricted if you [set the AcceptMappedClaims property](saml-claims-customization.md) to `true` in your app manifest *or* have a [custom signing key](saml-claims-customization.md):
 
 
@@ -4,7 +4,7 @@ description: Learn about how to register an app in the customer tenant.
 services: active-directory
 author: csmulligan
 ms.author: cmulligan
-manager: celestedg
+manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.subservice: ciam
@@ -71,7 +71,7 @@ This app signs in users. You can add delegated permissions to it, by following t
 
 [!INCLUDE [grant permision for signing in users](../customers/includes/register-app/grant-api-permission-sign-in.md)] 
 
-### If you want to call an API follow the steps below (optional):
+### To call an API follow the steps below (optional):
 [!INCLUDE [grant permisions for calling an API](../customers/includes/register-app/grant-api-permission-call-api.md)] 
 
 If you'd like to learn how to expose the permissions by adding a link, go to the [Web API](how-to-register-ciam-app.md?tabs=webapi) section.
@@ -122,7 +122,7 @@ This app signs in users. You can add delegated permissions to it, by following t
 ### Create a client secret 
 [!INCLUDE [add a client secret](../customers/includes/register-app/add-app-client-secret.md)]
 
-### If you want to call an API follow the steps below (optional):
+### To call an API follow the steps below (optional):
 [!INCLUDE [grant permissions for calling an API](../customers/includes/register-app/grant-api-permission-call-api.md)] 
 
 ## Next steps
@@ -139,7 +139,7 @@ This app signs in users. You can add delegated permissions to it, by following t
 
 [!INCLUDE [expose permissions](../customers/includes/register-app/add-api-scopes.md)]
 
-### If you want to add app roles follow the steps below (optional):
+### To add app roles follow the steps below (optional):
 
 [!INCLUDE [configure app roles](../customers/includes/register-app/add-app-role.md)]
 
@@ -181,7 +181,7 @@ The following steps show you how to register your app in the admin center:
 ### Add delegated permissions
 [!INCLUDE [grant permission for signing in users](../customers/includes/register-app/grant-api-permission-sign-in.md)]
 
-### If you want to call an API follow the steps below (optional):
+### To call an API follow the steps below (optional):
 [!INCLUDE [grant permissions for calling an API](../customers/includes/register-app/grant-api-permission-call-api.md)] 
 
 ## Next steps
@@ -194,7 +194,7 @@ The following steps show you how to register your app in the admin center:
 
 [!INCLUDE [register daemon app](../customers/includes/register-app/register-daemon-app.md)]
 
-### If you want to call an API follow the steps below (optional)
+### To call an API follow the steps below (optional)
 A daemon app signs-in as itself using the [OAuth 2.0 client credentials flow](/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow), you add application permissions, which is required by apps that authenticate as themselves:
 
 [!INCLUDE [register daemon app](../customers/includes/register-app/grant-api-permissions-app-permissions.md)]
@@ -203,3 +203,16 @@ A daemon app signs-in as itself using the [OAuth 2.0 client credentials flow](/a
 
 - Learn more about a [daemon app that calls a web API in the daemon's name](/azure/active-directory/develop/authentication-flows-app-scenarios#daemon-app-that-calls-a-web-api-in-the-daemons-name)
 - [Create a sign-up and sign-in user flow](how-to-user-flow-sign-up-sign-in-customers.md)
+
+# [Microsoft Graph API](#tab/graphapi)
+## How to register a Microsoft Graph API application?
+[!INCLUDE [register client app](../customers/includes/register-app/register-client-app-common.md)]
+
+### Grant API Access to your application
+[!INCLUDE [grant api access to app](../customers/includes/register-app/grant-api-access-app.md)]
+
+### Create a client secret 
+[!INCLUDE [add app client secret](../customers/includes/register-app/add-app-client-secret.md)]
+
+## Next steps
+- Learn more how to manage [Azure Active Directory for customers resources with Microsoft Graph](microsoft-graph-operations.md)