Merge branch 'main' into release-apim-retirement-202209

Author: v-alje

.openpublishing.publish.config.json

@@ -287,19 +287,19 @@
     {
       "path_to_root": "azure-search-javascript-samples",
       "url": "https://github.com/Azure-Samples/azure-search-javascript-samples",
-      "branch": "master",
+      "branch": "main",
       "branch_mapping": {}
     },
     {
       "path_to_root": "azure-search-dotnet-samples",
       "url": "https://github.com/Azure-Samples/azure-search-dotnet-samples",
-      "branch": "master",
+      "branch": "main",
       "branch_mapping": {}
     },
     {
       "path_to_root": "azure-search-python-samples",
       "url": "https://github.com/Azure-Samples/azure-search-python-samples",
-      "branch": "master",
+      "branch": "main",
       "branch_mapping": {}
     },
     {
@@ -374,12 +374,6 @@
       "branch": "master",
       "branch_mapping": {}
     },
-    {
-      "path_to_root": "media-services-v3-dotnet-quickstarts",
-      "url": "https://github.com/Azure-Samples/media-services-v3-dotnet-quickstarts",
-      "branch": "master",
-      "branch_mapping": {}
-    },
     {
       "path_to_root": "media-services-v3-dotnet-tutorials",
       "url": "https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials",

articles/active-directory/authentication/concept-authentication-methods.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 08/17/2022
+ms.date: 09/17/2022
 
 ms.author: justinha
 author: justinha
@@ -21,7 +21,7 @@ ms.custom: contperf-fy20q4
 
 Microsoft recommends passwordless authentication methods such as Windows Hello, FIDO2 security keys, and the Microsoft Authenticator app because they provide the most secure sign-in experience. Although a user can sign-in using other common methods such as a username and password, passwords should be replaced with more secure authentication methods.
 
-![Table of the strengths and preferred authentication methods in Azure AD](media/concept-authentication-methods/authentication-methods.png)
+:::image type="content" border="true" source="media/concept-authentication-methods/authentication-methods.png" alt-text="Illustration of the strengths and preferred authentication methods in Azure AD." :::
 
 Azure AD Multi-Factor Authentication (MFA) adds additional security over only using a password when a user signs in. The user can be prompted for additional forms of authentication, such as to respond to a push notification, enter a code from a software or hardware token, or respond to an SMS or phone call.
 
@@ -40,6 +40,7 @@ The following table outlines the security considerations for the available authe
 | Windows Hello for Business     | High     | High      | High         |
 | Microsoft Authenticator app    | High     | High      | High         |
 | FIDO2 security key             | High     | High      | High         |
+| Certificate-based authentication (preview)| High | High | High       |
 | OATH hardware tokens (preview) | Medium   | Medium    | High         |
 | OATH software tokens           | Medium   | Medium    | High         |
 | SMS                            | Medium   | High      | Medium       |
@@ -65,13 +66,14 @@ The following table outlines when an authentication method can be used during a
 | Windows Hello for Business     | Yes                    | MFA\*                      |
 | Microsoft Authenticator app    | Yes                    | MFA and SSPR              |
 | FIDO2 security key             | Yes                    | MFA                       |
+| Certificate-based authentication (preview) | Yes        | No              |
 | OATH hardware tokens (preview) | No                     | MFA and SSPR              |
 | OATH software tokens           | No                     | MFA and SSPR              |
 | SMS                            | Yes                    | MFA and SSPR              |
 | Voice call                     | No                     | MFA and SSPR              |
 | Password                       | Yes                    |                           |
 
-> \* Windows Hello for Business, by itself, does not serve as a step-up MFA credential. For example, an MFA Challenge from Sign-in Frequency or SAML Request containing forceAuthn=true. Windows Hello for Business can serve as a step-up MFA credential by being used in FIDO2 authentication. This requires users to be enabled for FIDO2 authentication to work sucessfully.
+> \* Windows Hello for Business, by itself, does not serve as a step-up MFA credential. For example, an MFA Challenge from Sign-in Frequency or SAML Request containing forceAuthn=true. Windows Hello for Business can serve as a step-up MFA credential by being used in FIDO2 authentication. This requires users to be enabled for FIDO2 authentication to work successfully.
 
 All of these authentication methods can be configured in the Azure portal, and increasingly using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).
 
@@ -80,6 +82,7 @@ To learn more about how each authentication method works, see the following sepa
 * [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview)
 * [Microsoft Authenticator app](concept-authentication-authenticator-app.md)
 * [FIDO2 security key](concept-authentication-passwordless.md#fido2-security-keys)
+* [Certificate-based authentication](concept-certificate-based-authentication.md)
 * [OATH hardware tokens (preview)](concept-authentication-oath-tokens.md#oath-hardware-tokens-preview)
 * [OATH software tokens](concept-authentication-oath-tokens.md#oath-software-tokens)
 * [SMS sign-in](howto-authentication-sms-signin.md) and [verification](concept-authentication-phone-options.md#mobile-phone-verification)

articles/active-directory/authentication/media/concept-authentication-methods/authentication-methods.png

@@ -9,10 +9,10 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 11/22/2021
+ms.date: 09/07/2022
 ms.author: ryanwi
 ms.custom: aaddev, identityplatformtop40, contperf-fy21q1
-ms.reviewer: ludwignick, marsma
+ms.reviewer: ludwignick, sreyanthmora, marsma
 ---
 # Configurable token lifetimes in the Microsoft identity platform (preview)
 

articles/active-directory/develop/active-directory-configurable-token-lifetimes.md

@@ -23,7 +23,7 @@ Azure Active Directory (Azure AD) supports two types of authentication for servi
 For testing, you can use a self-signed public certificate instead of a Certificate Authority (CA)-signed certificate. This article shows you how to use Windows PowerShell to create and export a self-signed certificate.
 
 > [!CAUTION]
-> Using a self-signed certificate is only recommended for development, not production.
+> Self-signed certificates are not trusted by default and they can be difficult to maintain. Also, they may use outdated hash and cipher suites that may not be strong. For better security, purchase a certificate signed by a well-known certificate authority.
 
 You configure various parameters for the certificate. For example, the cryptographic and hash algorithms, the certificate validity period, and your domain name. Then export the certificate with or without its private key depending on your application needs. 
 

articles/active-directory/develop/howto-create-self-signed-certificate.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 09/22/2021
+ms.date: 09/06/2022
 ms.author: ergreenl
 #Customer intent: As an administrator of an Azure AD tenant, I want to learn more about the properties of an enterprise application that I can configure.
 ---

articles/active-directory/manage-apps/application-properties.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: troubleshooting
-ms.date: 07/11/2017
+ms.date: 09/06/2022
 ms.author: ergreenl
 ms.collection: M365-identity-device-management
 ---
@@ -17,7 +17,14 @@ ms.collection: M365-identity-device-management
 
 In this scenario, Azure Active Directory (Azure AD) signs the user in. But the application displays an error message and doesn't let the user finish the sign-in flow. The problem is that the app didn't accept the response that Azure AD issued.
 
-There are several possible reasons why the app didn't accept the response from Azure AD. If the error message doesn't clearly identify what's missing from the response, try the following:
+There are several possible reasons why the app didn't accept the response from Azure AD. If there is an error message or code displayed, use the following resources to diagnose the error:
+
+* [Azure AD Authentication and authorization error codes](../develop/reference-aadsts-error-codes.md)
+
+* [Troubleshooting consent prompt errors](application-sign-in-unexpected-user-consent-error.md)
+
+
+If the error message doesn't clearly identify what's missing from the response, try the following:
 
 - If the app is the Azure AD gallery, verify that you followed the steps in [How to debug SAML-based single sign-on to applications in Azure AD](./debug-saml-sso-issues.md).
 
@@ -58,13 +65,13 @@ To add an attribute in the Azure AD configuration that will be sent in the Azure
 
    The next time that the user signs in to the app, Azure AD will send the new attribute in the SAML response.
 
-## The app doesn't identify the user
+## The app cannot identify the user
 
 Signing in to the app fails because the SAML response is missing an attribute such as a role. Or it fails because the app expects a different format or value for the **NameID** (User Identifier) attribute.
 
 If you're using [Azure AD automated user provisioning](../app-provisioning/user-provisioning.md) to create, maintain, and remove users in the app, verify that the user has been provisioned to the SaaS app. For more information, see [No users are being provisioned to an Azure AD Gallery application](../app-provisioning/application-provisioning-config-problem-no-users-provisioned.md).
 
-## Add an attribute to the Azure AD app configuration
+### Add an attribute to the Azure AD app configuration
 
 To change the User Identifier value, follow these steps:
 
@@ -87,7 +94,7 @@ To change the User Identifier value, follow these steps:
 
 8. Under **User attributes**, select the unique identifier for the user from the **User Identifier** drop-down list.
 
-## Change the NameID format
+### Change the NameID format
 
 If the application expects another format for the **NameID** (User Identifier) attribute, see [Editing nameID](../develop/active-directory-saml-claims-customization.md#editing-nameid) to change the NameID format.
 
@@ -155,4 +162,8 @@ To change the signing algorithm, follow these steps:
 
 ## Next steps
 
-[How to debug SAML-based single sign-on to applications in Azure AD](./debug-saml-sso-issues.md).
+* [How to debug SAML-based single sign-on to applications in Azure AD](./debug-saml-sso-issues.md).
+
+* [Azure AD Authentication and authorization error codes](../develop/reference-aadsts-error-codes.md)
+
+* [Troubleshooting consent prompt errors](application-sign-in-unexpected-user-consent-error.md)

articles/active-directory/manage-apps/application-sign-in-problem-application-error.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: troubleshooting
-ms.date: 07/11/2017
+ms.date: 09/06/2022
 ms.author: ergreenl
 ms.reviewer: phsignor, yuhko
 ms.collection: M365-identity-device-management
@@ -31,31 +31,27 @@ This error occurs when a user who is not a Global Administrator attempts to use
 
 This error can also occur when a user is prevented from consenting to an application due to Microsoft detecting that the permissions request is risky. In this case, an audit event will also be logged with a Category of "ApplicationManagement", Activity Type of "Consent to application" and Status Reason of "Risky application detected".
 
-Another scenario in which this error might occur is when the user assignment is required for the application, but no administrator consent was provided. In this case, the administrator must first provide administrator consent.
+Another scenario in which this error might occur is when the user assignment is required for the application, but no administrator consent was provided. In this case, the administrator must first provide tenant-wide admin consent for the application.
 
 ## Policy prevents granting permissions error
 
 * **AADSTS90093:** An administrator of <tenantDisplayName> has set a policy that prevents you from granting <name of app> the permissions it is requesting. Contact an administrator of <tenantDisplayName>, who can grant permissions to this app on your behalf.
 
-This error occurs when a Global Administrator turns off the ability for users to consent to applications, then a non-administrator user attempts to use an application that requires consent. This error can be resolved by an administrator granting access to the application on behalf of their organization.
+This error can occur when a Global Administrator turns off the ability for users to consent to applications, then a non-administrator user attempts to use an application that requires consent. This error can be resolved by an administrator granting access to the application on behalf of their organization.
 
 ## Intermittent problem error
 
 * **AADSTS90090:** It looks like the sign-in process encountered an intermittent problem recording the permissions you attempted to grant to <clientAppDisplayName>. try again later.
 
 This error indicates that an intermittent service side issue has occurred. It can be resolved by attempting to consent to the application again.
 
-## Resource not available error
 
-* **AADSTS65005:** The app <clientAppDisplayName> requested permissions to access a resource <resourceAppDisplayName> that is not available.
-
-Contact the application developer.
 
 ## Resource not available in tenant error
 
 * **AADSTS65005:** <clientAppDisplayName> is requesting access to a resource <resourceAppDisplayName> that is not available in your organization <tenantDisplayName>.
 
-Ensure that this resource is available or contact an administrator of <tenantDisplayName>.
+Ensure that these resources that provide the permissions requested are available in your tenant or contact an administrator of <tenantDisplayName>. Otherwise, there is a misconfiguration in how the application requests resources, and you should contact the application developer.
 
 ## Permissions mismatch error
 
@@ -91,3 +87,5 @@ End-users will not be able to grant consent to apps that have been detected as r
 [Apps, permissions, and consent in Azure Active Directory (v1 endpoint)](../develop/quickstart-register-app.md)<br>
 
 [Scopes, permissions, and consent in the Azure Active Directory (v2.0 endpoint)](../develop/v2-permissions-and-consent.md)
+
+[Unexpected consent prompt when signing in to an application](application-sign-in-unexpected-user-consent-prompt.md)