Commit a5d28b1

Merge pull request #190373 from MicrosoftDocs/main
3/02 PM Publish
2 parents 608b45c + 6941e29 commit a5d28b1

113 files changed

+1263
-2068
lines changed

.openpublishing.publish.config.json

Lines changed: 6 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -807,6 +807,12 @@
807807
"branch": "master",
808808
"branch_mapping": {}
809809
},
810+
{
811+
"path_to_root": "ms-identity-dotnetcore-b2c-account-management",
812+
"url": "https://github.com/Azure-Samples/ms-identity-dotnetcore-b2c-account-management",
813+
"branch": "master",
814+
"branch_mapping": {}
815+
},
810816
{
811817
"path_to_root": "msdocs-python-flask-webapp-quickstart",
812818
"url": "https://github.com/Azure-Samples/msdocs-python-flask-webapp-quickstart",

articles/active-directory-b2c/conditional-access-user-flow.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -91,7 +91,7 @@ To add a Conditional Access policy, disable security defaults:
9191
1. Sign in to the [Azure portal](https://portal.azure.com/).
9292
1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
9393
1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
94-
1. Under **Azure services**, select **Azure AD B2C**. Or use the search box to find and select **Azure AD B2C**.
94+
1. Under **Azure services**, select **Azure Active Directory**. Or use the search box to find and select **Azure Active Directory**.
9595
1. Select **Properties**, and then select **Manage Security defaults**.
9696

9797
![Disable the security defaults](media/conditional-access-user-flow/disable-security-defaults.png)
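Review bot: step 94 now routes readers through **Azure Active Directory** rather than **Azure AD B2C** to reach **Properties** > **Manage Security defaults**, which matches where that setting lives, but the procedure still ends at disabling security defaults without saying that this removes the tenant-wide baseline protections until the Conditional Access policy named in the hunk header exists. Suggest one sentence after step 95 telling readers to create and test the Conditional Access policy immediately after turning security defaults off.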

articles/active-directory-b2c/microsoft-graph-operations.md

Lines changed: 3 additions & 38 deletions
Original file line number | Diff line number | Diff line change
@@ -167,7 +167,7 @@ For more information about accessing Azure AD B2C audit logs, see [Accessing Azu
167167
When you want to manage Microsoft Graph, you can either do it as the application using the application permissions, or you can use delegated permissions. For delegated permissions, either the user or an administrator consents to the permissions that the app requests. The app is delegated with the permission to act as a signed-in user when it makes calls to the target resource. Application permissions are used by apps that do not require a signed in user present and thus require application permissions. Because of this, only administrators can consent to application permissions.
168168

169169
> [!NOTE]
170-
> Delegated permissions for users signing in through user flows or custom policies cannot be used against delegated permissions for Microsoft Graph.
170+
> Delegated permissions for users signing in through user flows or custom policies cannot be used against delegated permissions for Microsoft Graph API.
171171
## Code sample: How to programmatically manage user accounts
172172

173173
This code sample is a .NET Core console application that uses the [Microsoft Graph SDK](/graph/sdks/sdks-overview) to interact with Microsoft Graph API. Its code demonstrates how to call the API to programmatically manage users in an Azure AD B2C tenant.
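Review bot: the reworded note at 170 still reads as a tautology ("Delegated permissions ... cannot be used against delegated permissions for Microsoft Graph API"), so appending "API" does not make the restriction any clearer. Suggest stating it directly, for example: "Tokens issued to users who sign in through user flows or custom policies can't be used to call Microsoft Graph with delegated permissions; use application permissions with the client credentials flow instead." The paragraph at 167 already explains the application-permission path, so the note can point back to it.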
@@ -212,46 +212,11 @@ The `RunAsync` method in the _Program.cs_ file:
212212
1. Initializes the auth provider using [OAuth 2.0 client credentials grant](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md) flow. With the client credentials grant flow, the app is able to get an access token to call the Microsoft Graph API.
213213
1. Sets up the Microsoft Graph service client with the auth provider:
214214

215-
```csharp
216-
// Read application settings from appsettings.json (tenant ID, app ID, client secret, etc.)
217-
AppSettings config = AppSettingsFile.ReadFromJsonFile();
218-
219-
// Initialize the client credential auth provider
220-
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
221-
.Create(config.AppId)
222-
.WithTenantId(config.TenantId)
223-
.WithClientSecret(config.ClientSecret)
224-
.Build();
225-
ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
226-
227-
// Set up the Microsoft Graph service client with client credentials
228-
GraphServiceClient graphClient = new GraphServiceClient(authProvider);
229-
```
215+
:::code language="csharp" source="~/ms-identity-dotnetcore-b2c-account-management/src/Program.cs" id="ms_docref_set_auth_provider":::
230216

231217
The initialized *GraphServiceClient* is then used in _UserService.cs_ to perform the user management operations. For example, getting a list of the user accounts in the tenant:
232218

233-
```csharp
234-
public static async Task ListUsers(GraphServiceClient graphClient)
235-
{
236-
Console.WriteLine("Getting list of users...");
237-
238-
// Get all users (one page)
239-
var result = await graphClient.Users
240-
.Request()
241-
.Select(e => new
242-
{
243-
e.DisplayName,
244-
e.Id,
245-
e.Identities
246-
})
247-
.GetAsync();
248-
249-
foreach (var user in result.CurrentPage)
250-
{
251-
Console.WriteLine(JsonConvert.SerializeObject(user));
252-
}
253-
}
254-
```
219+
:::code language="csharp" source="~/ms-identity-dotnetcore-b2c-account-management/src/Services/UserService.cs" id="ms_docref_get_list_of_user_accounts":::
255220

256221
[Make API calls using the Microsoft Graph SDKs](/graph/sdks/create-requests) includes information on how to read and write information from Microsoft Graph, use `$select` to control the properties returned, provide custom query parameters, and use the `$filter` and `$orderBy` query parameters.
257222

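Review bot: replacing the inline listings with `:::code ... id="ms_docref_set_auth_provider":::` and `id="ms_docref_get_list_of_user_accounts":::` makes the rendered page depend on those snippet tags existing in `src/Program.cs` and `src/Services/UserService.cs` on the branch configured for the sample; check that both tags are present and that the surrounding prose (the "Sets up the Microsoft Graph service client with the auth provider" step at 213 and the `ListUsers` description at 217) still matches the live code, since the removed listing read the client secret from appsettings.json through `AppSettingsFile.ReadFromJsonFile()` and the referenced snippet can drift from that description without anyone touching this article.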
articles/active-directory/app-provisioning/functions-for-customizing-application-data.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -1049,7 +1049,7 @@ Example: Based on the user's first name, middle name and last name, you need to
10491049
SingleAppRoleAssignment([appRoleAssignments])
10501050

10511051
**Description:**
1052-
Returns a single appRoleAssignment from the list of all appRoleAssignments assigned to a user for a given application. This function is required to convert the appRoleAssignments object into a single role name string. The best practice is to ensure only one appRoleAssignment is assigned to one user at a time, and if multiple roles are assigned the role string returned may not be predictable.
1052+
Returns a single appRoleAssignment from the list of all appRoleAssignments assigned to a user for a given application. This function is required to convert the appRoleAssignments object into a single role name string. The best practice is to ensure only one appRoleAssignment is assigned to one user at a time. This function is not supported in scenarios where users have multiple app role assignments.
10531053

10541054
**Parameters:**
10551055

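Review bot: the new wording at 1052 replaces "the role string returned may not be predictable" with "not supported in scenarios where users have multiple app role assignments", which drops the only description of what actually happens in that case. Because the returned role string is what the target application uses for authorization, admins need to know whether the function fails, returns an arbitrary assignment, or returns nothing when a user holds several roles; suggest keeping a behavioural statement alongside "not supported" so the condition can be detected rather than silently provisioning the wrong role.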
articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -21,7 +21,7 @@ Before combined registration, users registered authentication methods for Azure
2121

2222
> [!NOTE]
2323
> Starting on August 15th 2020, all new Azure AD tenants will be automatically enabled for combined registration.
24-
> After Sept. 30th, 2022, all existing Azure AD tenants will be automatically enabled for combined registration. After this date tenants will be unable to utilize the sepperate legacy registration workflows for MFA and SSPR.
24+
> After Sept. 30th, 2022, all existing Azure AD tenants will be automatically enabled for combined registration. After this date tenants will be unable to utilize the separate legacy registration workflows for MFA and SSPR.
2525
2626
This article outlines what combined security registration is. To get started with combined security registration, see the following article:
2727

articles/active-directory/authentication/howto-registration-mfa-sspr-combined.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -21,7 +21,7 @@ Before combined registration, users registered authentication methods for Azure
2121

2222
> [!NOTE]
2323
> Starting on August 15th 2020, all new Azure AD tenants will be automatically enabled for combined registration. Tenants created after this date will be unable to utilize the legacy registration workflows.
24-
> After Sept. 30th, 2022, all existing Azure AD tenants will be automatically enabled for combined registration. After this date tenants will be unable to utilize the sepperate legacy registration workflows for MFA and SSPR.
24+
> After Sept. 30th, 2022, all existing Azure AD tenants will be automatically enabled for combined registration. After this date tenants will be unable to utilize the separate legacy registration workflows for MFA and SSPR.
2525
2626
To make sure you understand the functionality and effects before you enable the new experience, see the [Combined security information registration concepts](concept-registration-mfa-sspr-combined.md).
2727

articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-all-reports.md

Lines changed: 2 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -28,12 +28,12 @@ This article provides you with a list and description of the system reports avai
2828

2929
## Download a system report
3030

31-
1. In the CloudKnox home page, select the **Reports** tab, and then select the **Systems reports** subtab.
31+
1. In the CloudKnox home page, select the **Reports** tab, and then select the **Systems Reports** subtab.
3232
1. In the **Report Name** column, find the report you want, and then select the down arrow to the right of the report name to download the report.
3333

3434
Or, from the ellipses **(...)** menu, select **Download**.
3535

36-
The following message displays: **Successfully started to generate on demand report.**
36+
The following message displays: **Successfully Started To Generate On Demand Report.**
3737

3838

3939
## Summary of available system reports

articles/active-directory/external-identities/google-federation.md

Lines changed: 4 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -7,7 +7,7 @@ services: active-directory
77
ms.service: active-directory
88
ms.subservice: B2B
99
ms.topic: how-to
10-
ms.date: 02/24/2022
10+
ms.date: 03/02/2022
1111

1212
ms.author: mimart
1313
author: msmimart
@@ -184,6 +184,9 @@ First, create a new project in the Google Developers Console to obtain a client
184184

185185
1. You can leave your project at a publishing status of **Testing** and add test users to the OAuth consent screen. Or you can select the **Publish app** button on the OAuth consent screen to make the app available to any user with a Google Account.
186186

187+
> [!NOTE]
188+
> In some cases, your app might require verification by Google (for example, if you update the application logo). For more information, see Google's [verification status help](https://support.google.com/cloud/answer/10311615#verification-status).
189+
187190
## Step 2: Configure Google federation in Azure AD
188191

189192
You'll now set the Google client ID and client secret. You can use the Azure portal or PowerShell to do so. Be sure to test your Google federation configuration by inviting yourself. Use a Gmail address and try to redeem the invitation with your invited Google account.
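Review bot: the new note at 187-189 says Google may require app verification (for example after a logo change) but not what end users see while verification is pending, which is exactly what an admin needs in order to choose between leaving the project at **Testing** with named test users and selecting **Publish app** as described at 185. Suggest one sentence on the user-facing effect of an unverified published app, tied to that choice, in addition to the link.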

articles/active-directory/external-identities/invite-internal-users.md

Lines changed: 27 additions & 7 deletions
Original file line number | Diff line number | Diff line change
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: B2B
88
ms.topic: how-to
9-
ms.date: 09/10/2021
9+
ms.date: 03/02/2022
1010

1111
ms.author: mimart
1212
author: msmimart
@@ -37,15 +37,35 @@ Sending an invitation to an existing internal account lets you retain that user
3737
> In Azure AD Connect sync, there’s a default rule that writes the [onPremisesUserPrincipalName attribute](../hybrid/reference-connect-sync-attributes-synchronized.md#notes) to the user object. Because the presence of this attribute can prevent a user from signing in using external credentials, we block internal-to-external conversions for user objects with this attribute. If you’re using Azure AD Connect and you want to be able to invite internal users to B2B collaboration, you'll need to [modify the default rule](../hybrid/how-to-connect-sync-change-the-configuration.md) so the onPremisesUserPrincipalName attribute isn’t written to the user object.
3838
## How to invite internal users to B2B collaboration
3939

40-
You can use PowerShell or the invitation API to send a B2B invitation to the internal user. Make sure the email address you want to use for the invitation is set as the external email address on the internal user object.
40+
You can use the Azure portal, PowerShell, or the invitation API to send a B2B invitation to the internal user. Some things to note:
4141

42-
- You must use the the email address in the User.Mail property for the invitation.
43-
- The domain in the user’s Mail property must match the account they’re using to sign in. Otherwise, some services such as Teams won't be able to authenticate the user.
42+
- Before you invite the user, make sure the `User.Mail` property of the internal user object (the user's **Email** property in the Azure portal) is set to the external email address they'll use for B2B collaboration.
4443

45-
By default, the invitation will send the user an email letting them know they’ve been invited, but you can suppress this email and send your own instead.
44+
- When you invite the user, an invitation is sent to the user via email. If you're using PowerShell or the invitation API, you can suppress this email by setting `SendInvitationMessage` to `False`. Then you can notify the user in another way. [Learn more about the invitation API](customize-invitation-api.md).
4645

47-
> [!NOTE]
48-
> To send your own email or other communication, you can use `New-AzureADMSInvitation` with `-SendInvitationMessage:$false` to invite users silently, and then send your own email message to the converted user. See [Azure AD B2B collaboration API and customization](customize-invitation-api.md).
46+
- When the user redeems the invitation, the account they're using must match the domain in the `User.Mail` property. Otherwise, some services, such as Teams, won't be able to authenticate the user.
47+
48+
## Use the Azure portal to send a B2B invitation
49+
50+
1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or User administrator account for the directory.
51+
1. Select the **Azure Active Directory** service.
52+
1. Select **Users**.
53+
1. Find the user in the list or use the search box. Then select the user.
54+
1. On the user's profile page, in the **Identity** section, select **Manage B2B collaboration**.
55+
56+
![Screenshot of the user profile](media/invite-internal-users/manage-b2b-collaboration-link.png)
57+
58+
> [!NOTE]
59+
> If you see **Invitation accepted** instead of **Manage B2B collaboration**, the user has already been invited to use external credentials for B2B collaboration.
60+
61+
1. Next to **Invite internal user to B2B collaboration?** select **Yes**, and then select **Done**.
62+
63+
![Screenshot showing the invite internal user radio button](media/invite-internal-users/invite-internal-user-selector.png)
64+
65+
> [!NOTE]
66+
> If the option is unavailable, make sure the user's **Email** property is set to the external email address they should use for B2B collaboration.
67+
68+
1. A confirmation message appears and an invitation is sent to the user via email. The user is then able to redeem the invitation using their external credentials.
4969

5070
## Use PowerShell to send a B2B invitation
5171

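Review bot: step 50 tells readers to sign in with "a Global administrator or User administrator account"; since the line itself says User administrator is sufficient, list that role first (or alone) so the procedure does not steer readers toward the more privileged one. Separately, the removed note at 47-48 was the only place in this section naming `New-AzureADMSInvitation -SendInvitationMessage:$false`; the replacement bullet at 44 mentions `SendInvitationMessage` generically, so confirm the **Use PowerShell to send a B2B invitation** section below still shows the cmdlet and parameter so readers can find it.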