Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/active-directory/develop/single-sign-on-saml-protocol.md

@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 08/24/2021
+ms.date: 02/05/2022
 ms.author: kenwith
 ms.custom: aaddev
 ms.reviewer: paulgarn
@@ -32,13 +32,13 @@ The protocol diagram below describes the single sign-on sequence. The cloud serv
 
 To request a user authentication, cloud services send an `AuthnRequest` element to Azure AD. A sample SAML 2.0 `AuthnRequest` could look like the following example:
 
-```
+```xml
 <samlp:AuthnRequest
-xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
-ID="id6c1c178c166d486687be4aaf5e482730"
-Version="2.0" IssueInstant="2013-03-18T03:28:54.1839884Z"
-xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
-<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.contoso.com</Issuer>
+  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+  ID="id6c1c178c166d486687be4aaf5e482730"
+  Version="2.0" IssueInstant="2013-03-18T03:28:54.1839884Z"
+  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
+  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.contoso.com</Issuer>
 </samlp:AuthnRequest>
 ```
 
@@ -61,7 +61,7 @@ The `Issuer` element in an `AuthnRequest` must exactly match one of the **Servic
 
 A SAML excerpt containing the `Issuer` element looks like the following sample:
 
-```
+```xml
 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.contoso.com</Issuer>
 ```
 
@@ -71,7 +71,7 @@ This element requests a particular name ID format in the response and is optiona
 
 A `NameIdPolicy` element looks like the following sample:
 
-```
+```xml
 <NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
 ```
 
@@ -87,23 +87,28 @@ If `SPNameQualifier` is specified, Azure AD will include the same `SPNameQualifi
 Azure AD ignores the `AllowCreate` attribute.
 
 ### RequestedAuthnContext
+
 The `RequestedAuthnContext` element specifies the desired authentication methods. It is optional in `AuthnRequest` elements sent to Azure AD. Azure AD supports `AuthnContextClassRef` values such as `urn:oasis:names:tc:SAML:2.0:ac:classes:Password`.
 
 ### Scoping
+
 The `Scoping` element, which includes a list of identity providers, is optional in `AuthnRequest` elements sent to Azure AD.
 
 If provided, don't include the `ProxyCount` attribute, `IDPListOption` or `RequesterID` element, as they aren't supported.
 
 ### Signature
+
 A `Signature` element in `AuthnRequest` elements is optional. Azure AD does not validate signed authentication requests if a signature is present. Requestor verification is provided for by only responding to registered Assertion Consumer Service URLs.
 
 ### Subject
+
 Don't include a `Subject` element. Azure AD doesn't support specifying a subject for a request and will return an error if one is provided.
 
 ## Response
+
 When a requested sign-on completes successfully, Azure AD posts a response to the cloud service. A response to a successful sign-on attempt looks like the following sample:
 
-```
+```xml
 <samlp:Response ID="_a4958bfd-e107-4e67-b06d-0d85ade2e76a" Version="2.0" IssueInstant="2013-03-18T07:38:15.144Z" Destination="https://contoso.com/identity/inboundsso.aspx" InResponseTo="id758d0ef385634593a77bdf7e632984b6" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> https://login.microsoftonline.com/82869000-6ad1-48f0-8171-272ed18796e9/</Issuer>
   <ds:Signature xmlns:ds="https://www.w3.org/2000/09/xmldsig#">
@@ -159,7 +164,7 @@ Azure AD sets the `Issuer` element to `https://sts.windows.net/<TenantIDGUID>/`
 
 For example, a response with Issuer element could look like the following sample:
 
-```
+```xml
 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> https://sts.windows.net/82869000-6ad1-48f0-8171-272ed18796e9/</Issuer>
 ```
 
@@ -171,17 +176,18 @@ The `Status` element conveys the success or failure of sign-on. It includes the
 
 The following sample is a SAML response to an unsuccessful sign-on attempt.
 
-```
+```xml
 <samlp:Response ID="_f0961a83-d071-4be5-a18c-9ae7b22987a4" Version="2.0" IssueInstant="2013-03-18T08:49:24.405Z" InResponseTo="iddce91f96e56747b5ace6d2e2aa9d4f8c" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/82869000-6ad1-48f0-8171-272ed18796e9/</Issuer>
   <samlp:Status>
     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
       <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported" />
     </samlp:StatusCode>
     <samlp:StatusMessage>AADSTS75006: An error occurred while processing a SAML2 Authentication request. AADSTS90011: The SAML authentication request property 'NameIdentifierPolicy/SPNameQualifier' is not supported.
-Trace ID: 66febed4-e737-49ff-ac23-464ba090d57c
-Timestamp: 2013-03-18 08:49:24Z</samlp:StatusMessage>
-  </samlp:Status>
+    Trace ID: 66febed4-e737-49ff-ac23-464ba090d57c
+    Timestamp: 2013-03-18 08:49:24Z</samlp:StatusMessage>
+    </samlp:Status>
+</samlp:Response>
 ```
 
 ### Assertion
@@ -192,7 +198,7 @@ In addition to the `ID`, `IssueInstant` and `Version`, Azure AD sets the followi
 
 This is set to `https://sts.windows.net/<TenantIDGUID>/`where \<TenantIDGUID> is the Tenant ID of the Azure AD tenant.
 
-```
+```xml
 <Issuer>https://sts.windows.net/82869000-6ad1-48f0-8171-272ed18796e9/</Issuer>
 ```
 
@@ -202,10 +208,10 @@ Azure AD signs the assertion in response to a successful sign-on. The `Signature
 
 To generate this digital signature, Azure AD uses the signing key in the `IDPSSODescriptor` element of its metadata document.
 
-```
+```xml
 <ds:Signature xmlns:ds="https://www.w3.org/2000/09/xmldsig#">
-      digital_signature_here
-    </ds:Signature>
+  digital_signature_here
+</ds:Signature>
 ```
 
 #### Subject
@@ -214,24 +220,24 @@ This specifies the principal that is the subject of the statements in the assert
 
 The `Method` attribute of the `SubjectConfirmation` element is always set to `urn:oasis:names:tc:SAML:2.0:cm:bearer`.
 
-```
+```xml
 <Subject>
-      <NameID>Uz2Pqz1X7pxe4XLWxV9KJQ+n59d573SepSAkuYKSde8=</NameID>
-      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-        <SubjectConfirmationData InResponseTo="id758d0ef385634593a77bdf7e632984b6" NotOnOrAfter="2013-03-18T07:43:15.144Z" Recipient="https://contoso.com/identity/inboundsso.aspx" />
-      </SubjectConfirmation>
+  <NameID>Uz2Pqz1X7pxe4XLWxV9KJQ+n59d573SepSAkuYKSde8=</NameID>
+  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+    <SubjectConfirmationData InResponseTo="id758d0ef385634593a77bdf7e632984b6" NotOnOrAfter="2013-03-18T07:43:15.144Z" Recipient="https://contoso.com/identity/inboundsso.aspx" />
+  </SubjectConfirmation>
 </Subject>
 ```
 
 #### Conditions
 
 This element specifies conditions that define the acceptable use of SAML assertions.
 
-```
+```xml
 <Conditions NotBefore="2013-03-18T07:38:15.128Z" NotOnOrAfter="2013-03-18T08:48:15.128Z">
-      <AudienceRestriction>
-        <Audience>https://www.contoso.com</Audience>
-      </AudienceRestriction>
+  <AudienceRestriction>
+    <Audience>https://www.contoso.com</Audience>
+  </AudienceRestriction>
 </Conditions>
 ```
 
@@ -244,9 +250,9 @@ The `NotBefore` and `NotOnOrAfter` attributes specify the interval during which
 
 This contains a URI that identifies an intended audience. Azure AD sets the value of this element to the value of `Issuer` element of the `AuthnRequest` that initiated the sign-on. To evaluate the `Audience` value, use the value of the `App ID URI` that was specified during application registration.
 
-```
+```xml
 <AudienceRestriction>
-        <Audience>https://www.contoso.com</Audience>
+  <Audience>https://www.contoso.com</Audience>
 </AudienceRestriction>
 ```
 
@@ -256,15 +262,15 @@ Like the `Issuer` value, the `Audience` value must exactly match one of the serv
 
 This contains claims about the subject or user. The following excerpt contains a sample `AttributeStatement` element. The ellipsis indicates that the element can include multiple attributes and attribute values.
 
-```
+```xml
 <AttributeStatement>
-      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
-        <AttributeValue>[email protected]</AttributeValue>
-      </Attribute>
-      <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
-        <AttributeValue>3F2504E0-4F89-11D3-9A0C-0305E82C3301</AttributeValue>
-      </Attribute>
-      ...
+  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
+    <AttributeValue>[email protected]</AttributeValue>
+  </Attribute>
+  <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
+    <AttributeValue>3F2504E0-4F89-11D3-9A0C-0305E82C3301</AttributeValue>
+  </Attribute>
+  ...
 </AttributeStatement>
 ```        
 
@@ -278,10 +284,10 @@ This element asserts that the assertion subject was authenticated by a particula
 * The `AuthnInstant` attribute specifies the time at which the user authenticated with Azure AD.
 * The `AuthnContext` element specifies the authentication context used to authenticate the user.
 
-```
+```xml
 <AuthnStatement AuthnInstant="2013-03-18T07:33:56.000Z" SessionIndex="_bf9c623d-cc20-407a-9a59-c2d0aee84d12">
-      <AuthnContext>
-        <AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
-      </AuthnContext>
+  <AuthnContext>
+    <AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
+  </AuthnContext>
 </AuthnStatement>
 ```

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md

@@ -5,7 +5,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 03/21/2022
+ms.date: 05/02/2022
 
 ms.author: mimart
 author: msmimart
@@ -262,6 +262,21 @@ With outbound settings, you select which of your users and groups will be able t
 
 1. Select **Save**.
 
+## Remove an organization
+
+When you remove an organization from your Organizational settings, the default cross-tenant access settings will go into effect for that organization.
+
+> [!NOTE]
+> If the organization is a cloud service provider for your organization (the isServiceProvider property in the Microsoft Graph [partner-specific configuration](/graph/api/resources/crosstenantaccesspolicyconfigurationpartner) is true), you won't be able to remove the organization.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or Security administrator account. Then open the **Azure Active Directory** service.
+
+1. Select **External Identities**, and then select **Cross-tenant access settings (Preview)**.
+
+1. Select the **Organizational settings** tab.
+
+1. Find the organization in the list, and then select the trash can icon on that row.
+
 ## Next steps
 
 - See [Configure external collaboration settings](external-collaboration-settings-configure.md) for B2B collaboration with non-Azure AD identities, social identities, and non-IT managed external accounts.

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect.md

@@ -259,7 +259,7 @@ With outbound settings, you select which of your users and groups will be able t
 
 ## Remove an organization
 
-When you remove an organization from your Organizational settings, the default cross-tenant access settings will go into effect for all B2B collaboration with that organization.
+When you remove an organization from your Organizational settings, the default cross-tenant access settings will go into effect for that organization.
 
 > [!NOTE]
 > If the organization is a cloud service provider for your organization (the isServiceProvider property in the Microsoft Graph [partner-specific configuration](/graph/api/resources/crosstenantaccesspolicyconfigurationpartner) is true), you won't be able to remove the organization.
@@ -270,7 +270,7 @@ When you remove an organization from your Organizational settings, the default c
 
 1. Select the **Organizational settings** tab.
 
-2. Find the organization in the list, and then select the trash can icon on that row.
+1. Find the organization in the list, and then select the trash can icon on that row.
 
 ## Next steps
 

articles/active-directory/saas-apps/adobe-echosign-tutorial.md

@@ -81,7 +81,7 @@ To configure Azure AD single sign-on with Adobe Sign, perform the following step
     `https://<companyname>.echosign.com`
 
     > [!NOTE]
-    > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Adobe Sign Client support team](https://helpx.adobe.com/in/contact/support.html) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+    > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Adobe Sign Client support team](https://helpx.adobe.com/support.html) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
 
 5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
 
@@ -117,16 +117,16 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
 
 ## Configure Adobe Sign SSO
 
-1. Before configuration, contact the [Adobe Sign Client support team](https://helpx.adobe.com/in/contact/support.html) to add your domain in the Adobe Sign allowlist. Here's how to add the domain:
+1. Before configuration, contact the [Adobe Sign Client support team](https://helpx.adobe.com/support.html) to add your domain in the Adobe Sign allowlist. Here's how to add the domain:
 
-    a. The [Adobe Sign Client support team](https://helpx.adobe.com/in/contact/support.html) sends you a randomly generated token. For your domain, the token will be like the following: **adobe-sign-verification= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx**
+    a. The [Adobe Sign Client support team](https://helpx.adobe.com/support.html) sends you a randomly generated token. For your domain, the token will be like the following: **adobe-sign-verification= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx**
 
-    b. Publish the verification token in a DNS text record, and notify the [Adobe Sign Client support team](https://helpx.adobe.com/in/contact/support.html).
+    b. Publish the verification token in a DNS text record, and notify the [Adobe Sign Client support team](https://helpx.adobe.com/support.html).
 
     > [!NOTE]
     > This can take a few days, or longer. Note that DNS propagation delays mean that a value published in DNS might not be visible for an hour or more. Your IT administrator should be knowledgeable about how to publish this token in a DNS text record.
 
-    c. When you notify the [Adobe Sign Client support team](https://helpx.adobe.com/in/contact/support.html) through the support ticket, after the token is published, they validate the domain and add it to your account.
+    c. When you notify the [Adobe Sign Client support team](https://helpx.adobe.com/support.html) through the support ticket, after the token is published, they validate the domain and add it to your account.
 
     d. Generally, here's how to publish the token on a DNS record:
 

articles/azure-arc/resource-bridge/overview.md

@@ -89,7 +89,7 @@ The following private cloud environments and their versions are officially suppo
 
 * To onboard the Arc resource bridge, you are a member of the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role in the resource group.
 
-* To read, modify, and delete the resource bridge, you are a member of the **Name of role** role in the resource group.
+* To read, modify, and delete the resource bridge, you are a member of the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role in the resource group.
 
 ### Networking