Merge pull request #77632 from MicrosoftDocs/master

5/22 PM Publish

Author: huypub

.openpublishing.redirection.json

@@ -27889,6 +27889,11 @@
       "redirect_url": "/azure/active-directory/governance/manage-programs-controls",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/active-directory/governance/manage-programs-controls.md",
+      "redirect_url": "/azure/active-directory/governance/create-access-review",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/active-directory/active-directory-azure-ad-controls-manage-user-access-with-access-reviews.md",
       "redirect_url": "/azure/active-directory/governance/manage-user-access-with-access-reviews",
@@ -27904,6 +27909,11 @@
       "redirect_url": "/azure/active-directory/governance/retrieve-access-review",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/active-directory/governance/retrieve-access-review.md",
+      "redirect_url": "/azure/active-directory/governance/complete-access-review",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/active-directory/active-directory-tou.md",
       "redirect_url": "/azure/active-directory/conditional-access/terms-of-use",

articles/active-directory/authentication/concept-authentication-methods.md

@@ -162,7 +162,7 @@ OATH hardware tokens are being supported as part of a public preview. For more i
 Once tokens are acquired they must be uploaded in a comma-separated values (CSV) file format including the UPN, serial number, secret key, time interval, manufacturer, and model as the example below shows.
 
 ```csv
-upn,serial number,secret key,timeinterval,manufacturer,model
+upn,serial number,secret key,time interval,manufacturer,model
 [email protected],1234567,1234567890abcdef1234567890abcdef,60,Contoso,HardwareKey
 ```
 

articles/active-directory/authentication/howto-registration-mfa-sspr-combined.md

@@ -40,7 +40,7 @@ Complete these steps to enable combined registration:
 > Starting in March 2019, the phone call options won't be available to Multi-Factor Authentication and SSPR users in free/trial Azure AD tenants. SMS messages are not affected by this change. The phone call options will still be available to users in paid Azure AD tenants.
 
 > [!NOTE]
-> After you enable combined registration, users who register or confirm their phone number or mobile app through the new experience can use them for Multi-Factor Authentication and SSPR, if those methods are enabled in the Multi-Factor Authentication and SSPR policies. If you then disable this experience, users who go to the previous SSPR registration page at `https:/aka.ms/ssprsetup` will be required to perform multi-factor authentication before they can access the page.
+> After you enable combined registration, users who register or confirm their phone number or mobile app through the new experience can use them for Multi-Factor Authentication and SSPR, if those methods are enabled in the Multi-Factor Authentication and SSPR policies. If you then disable this experience, users who go to the previous SSPR registration page at `https://aka.ms/ssprsetup` will be required to perform multi-factor authentication before they can access the page.
 
 If you have configured the Site to Zone Assignment List in Internet Explorer, the following sites have to be in the same zone:
 
@@ -89,4 +89,4 @@ The following policy applies to all selected users, who attempt to register usin
 
 [Troubleshooting combined security info registration](howto-registration-mfa-sspr-combined-troubleshoot.md)
 
-[What is the location condition in Azure Active Directory conditional access?](../conditional-access/location-condition.md)
+[What is the location condition in Azure Active Directory conditional access?](../conditional-access/location-condition.md)

articles/active-directory/develop/active-directory-optional-claims.md

@@ -13,7 +13,7 @@ ms.devlang: na
 ms.topic: article
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 03/27/2019
+ms.date: 05/22/2019
 ms.author: ryanwi
 ms.reviewer: paulgarn, hirsin
 ms.custom: aaddev
@@ -122,6 +122,9 @@ This OptionalClaims object causes the ID token returned to the client to include
 
 You can configure optional claims for your application by modifying the application manifest (See example below). For more info, see the [Understanding the Azure AD application manifest article](reference-app-manifest.md).
 
+> [!IMPORTANT]
+> Access tokens are **always** generated using the manifest of the resource, not the client.  So in the request `...scope=https://graph.microsoft.com/user.read...` the resource is Graph.  Thus, the access token is created using the Graph manifest, not the client's manifest.  Changing the manifest for your application will never cause tokens for Graph to look different.  In order to validate that your `accessToken` changes are in effect, request a token for your application, not another app.  
+
 **Sample schema:**
 
 ```json

articles/active-directory/develop/msal-compare-msal-js-and-adal-js.md

@@ -60,7 +60,7 @@ In v2.0, using the `https://login.microsoftonline.com/common` authority, will al
 
     v2.0: scope = https://graph.microsoft.com/User.Read
 
-    You can request scopes for any resource API using the URI of the API in this format: appidURI/scope For example: https://mytenant.onmicrosoft.com/myapi/api.read
+    You can request scopes for any resource API using the URI of the API in this format: appidURI/scope For example: https:\//mytenant.onmicrosoft.com/myapi/api.read
 
     Only for the MS Graph API, a scope value `user.read` maps to https://graph.microsoft.com/User.Read and can be used interchangeably.
 

articles/active-directory/develop/msal-net-user-gets-consent-for-multiple-resources.md

@@ -29,8 +29,8 @@ The Microsoft identity platform endpoint does not allow you to get a token for s
 
 For example, if you have two resources that have 2 scopes each:
 
-- https://mytenant.onmicrosoft.com/customerapi (with 2 scopes `customer.read` and `customer.write`)
-- https://mytenant.onmicrosoft.com/vendorapi (with 2 scopes `vendor.read` and `vendor.write`)
+- https:\//mytenant.onmicrosoft.com/customerapi (with 2 scopes `customer.read` and `customer.write`)
+- https:\//mytenant.onmicrosoft.com/vendorapi (with 2 scopes `vendor.read` and `vendor.write`)
 
 You should use the `.WithExtraScopeToConsent` modifier which has the *extraScopesToConsent* parameter as shown in the following example:
 

articles/active-directory/develop/quickstart-v1-android.md

@@ -13,7 +13,7 @@ ms.workload: identity
 ms.tgt_pltfrm: mobile-android
 ms.devlang: java
 ms.topic: quickstart
-ms.date: 09/24/2018
+ms.date: 05/21/2019
 ms.author: ryanwi
 ms.reviewer: brandwe, jmprieur, saeeda
 ms.custom: aaddev
@@ -84,18 +84,17 @@ You will need to have a native client application registered with Microsoft usin
     - Select ***Azure Active Directory*** > ***App Registrations***.
 
 2. Create the app
-    - Select **New application registration**.
+    - Select **New registration**.
     - Enter an app name in the **Name** field.
-    - In **Application type** select **Native**.
-    - In **Redirect URI**, enter `http://localhost`.
+    - Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**.
+    - In **Redirect URI**, select **Public client (mobile and desktop)** from the dropdown and enter `http://localhost`.
+    - Click **Register**.
 
 3. Configure Microsoft Graph
-    - Select **Settings > Required permissions**.
-    - Select **Add**, inside **Select an API** select ***Microsoft Graph***.
-    - Select the permission **Sign in and read user profile**, then hit **Select** to save.
-        - This permission maps to the `User.Read` scope.
-    - Optional: Inside **Required permissions > Windows Azure Active Directory**, remove the selected permission **Sign in and read user profile**. This will avoid the user consent page listing the permission twice.
-
+    - Select **API permissions**.
+    - Select **Add a permission**, inside **Select an API** select ***Microsoft Graph***.
+    - Under **Delegated permissions**, select the permission **User.Read**, then hit **Add** to save.        
+    
 4. Congrats! Your app is successfully configured. In the next section, you'll need:
     - `Application ID`
     - `Redirect URI`

articles/active-directory/develop/quickstart-v1-dotnet.md

@@ -14,7 +14,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: dotnet
 ms.topic: quickstart
-ms.date: 09/24/2018
+ms.date: 05/21/2019
 ms.author: ryanwi
 ms.reviewer: jmprieur
 ms.custom: aaddev
@@ -54,13 +54,15 @@ To enable your app to get tokens, register your app in your Azure AD tenant and
 1. Sign in to the [Azure portal](https://portal.azure.com).
 2. On the top bar, select your account and under the **Directory** list, choose the Active Directory tenant where you wish to register your application.
 3. Select on **All services** in the left-hand nav, and choose **Azure Active Directory**.
-4. On **App registrations**, choose **Add**.
-5. Follow the prompts and create a new **Native** client application.
-    * The **Name** of the application will describe your application to end users
-    * The **Redirect Uri** is a scheme and string combination that Azure AD will use to return token responses. Enter a value specific to your application, for example, `http://DirectorySearcher`.
+4. On **App registrations**, choose **New registration**.
+5. Follow the prompts to create a new client application.
+    * **Name** is the application name and describes your application to end users.
+    * Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**.
+    * **Redirect URI** is a scheme and string combination that Azure AD uses to return token responses. Enter a value that is specific to your application (for example, `http://DirectorySearcher`) and is based on the previous redirect URI information. Also select **Public client (mobile and desktop)** from the dropdown. 
 
 6. Once you've completed registration, AAD will assign your app a unique Application ID. You'll need this value in the next sections, so copy it from the application page.
-7. From the **Settings** page, choose **Required permissions** and choose **Add**. Select **Microsoft Graph** as the API, and under **Delegated permissions** add the **Read directory data** permission. Setting this permission enables your application to query the Graph API for users.
+7. From the **API permissions** page, select **Add a permission**. Inside **Select an API** select ***Microsoft Graph***.
+8. Under **Delegated permissions**, select the permission **User.Read**, then hit **Add** to save. This permission sets up your application to query the Azure AD Graph API for users.
 
 ## Step 2: Install and configure ADAL
 

articles/active-directory/develop/quickstart-v1-ios.md

@@ -14,7 +14,7 @@ ms.workload: identity
 ms.tgt_pltfrm: mobile-ios
 ms.devlang: objective-c
 ms.topic: quickstart
-ms.date: 09/24/2018
+ms.date: 05/21/2019
 ms.author: ryanwi
 ms.custom: aaddev
 ms.reviewer: brandwe
@@ -73,12 +73,13 @@ To set up your app to get tokens, you need to register the app in your Azure AD
 1. Sign in to the [Azure portal](https://portal.azure.com).
 2. On the top bar, select your account. Under the **Directory** list, choose the Active Directory tenant where you want to register your application.
 3. Select **All services** in the leftmost navigation pane, and then select **Azure Active Directory**.
-4. Select **App registrations**, and then select **Add**.
-5. Follow the prompts to create a new **Native** client application.
+4. Select **App registrations**, and then select **New registration**.
+5. Follow the prompts to create a new client application.
     * **Name** is the application name and describes your application to end users.
-    * **Redirect URI** is a scheme and string combination that Azure AD uses to return token responses. Enter a value that is specific to your application and is based on the previous redirect URI information.
+    * **Redirect URI** is a scheme and string combination that Azure AD uses to return token responses. Enter a value that is specific to your application and is based on the previous redirect URI information. Also select **Public client (mobile and desktop)** from the dropdown.
 6. After you've completed the registration, Azure AD assigns your app a unique application ID. You'll need this value in the next sections, so copy it from the application tab.
-7. From the **Settings** page, select **Required permissions > Add > Microsoft Graph**, and then under **Delegated permissions** add the **Read directory data** permission. This permission sets up your application to query the Azure AD Graph API for users.
+7. From the **API permissions** page, select **Add a permission**. Inside **Select an API** select ***Microsoft Graph***.
+8. Under **Delegated permissions**, select the permission **User.Read**, then hit **Add** to save. This permission sets up your application to query the Azure AD Graph API for users.
 
 ## Step 3: Install and configure ADAL
 

articles/active-directory/develop/quickstart-v1-xamarin.md

@@ -14,7 +14,7 @@ ms.workload: identity
 ms.tgt_pltfrm: mobile-xamarin
 ms.devlang: dotnet
 ms.topic: quickstart
-ms.date: 09/24/2018
+ms.date: 05/22/2019
 ms.author: ryanwi
 ms.reviewer: jmprieur
 ms.custom: aaddev
@@ -53,14 +53,14 @@ To enable the app to get tokens, you first need to register it in your Azure AD
 1. Sign in to the [Azure portal](https://portal.azure.com).
 2. On the top bar, click your account. Then, under the **Directory** list, select the Active Directory tenant where you want to register the app.
 3. Click **All services** in the left pane, and then select **Azure Active Directory**.
-4. Click **App registrations**, and then select **Add**.
-5. To create a new **Native Client Application**, follow the prompts.
+4. Click **App registrations**, and then select **New registration**.
+5. To create a new client application, follow the prompts.
    * **Name** describes the app to users.
+   * Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**.
    * **Redirect URI** is a scheme and string combination that Azure AD uses to return token responses. Enter a value (for example, `http://DirectorySearcher`).
 6. After you’ve completed registration, Azure AD assigns the app a unique application ID. Copy the value from the **Application** tab, because you'll need it later.
-7. On the **Settings** page, select **Required Permissions**, and then select **Add**.
-8. Select **Microsoft Graph** as the API. Under **Delegated Permissions**, add the **Read Directory Data** permission. 
-   This action enables the app to query the Graph API for users.
+7. From the **API permissions** page, select **Add a permission**. Inside **Select an API** select ***Microsoft Graph***.
+8. Under **Delegated permissions**, select the permission **User.Read**, then hit **Add** to save. This permission sets up your application to query the Azure AD Graph API for users.
 
 ## Step 3: Install and configure ADAL