Merge branch 'main' of github.com:MicrosoftDocs/azure-docs-pr into data-managed-identity.md

Author: Larry Franks

articles/active-directory/app-provisioning/accidental-deletions.md

@@ -8,12 +8,12 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.topic: how-to
 ms.workload: identity
-ms.date: 09/27/2021
+ms.date: 09/30/2022
 ms.author: kenwith
 ms.reviewer: arvinh
 ---
 
-# Enable accidental deletions prevention in the Azure AD provisioning service (Preview)
+# Enable accidental deletions prevention in the Azure AD provisioning service
 
 The Azure AD provisioning service includes a feature to help avoid accidental deletions. This feature ensures that users aren't disabled or deleted in an application unexpectedly.
 
@@ -32,7 +32,7 @@ threshold. Also, be sure the notification email address is completed. If the del
 When the deletion threshold is met, the job will go into quarantine and a notification email will be sent. The quarantined job can then be allowed or rejected. To learn more about quarantine behavior, see [Application provisioning in quarantine status](application-provisioning-quarantine-status.md).
 
 ## Recovering from an accidental deletion
-If you encounter an accidental deletion you'll see it on the provisioning status page.  It will say **Provisioning has been quarantined. See quarantine details for more information.**.
+If you encounter an accidental deletion you'll see it on the provisioning status page.  It will say **Provisioning has been quarantined. See quarantine details for more information**.
 
 You can click either **Allow deletes** or **View provisioning logs**.
 

articles/active-directory/develop/app-resilience-continuous-access-evaluation.md

@@ -104,11 +104,20 @@ You can test your application by signing in a user to the application then using
 When these conditions are met, the app can extract the claims challenge from the API response header as follows: 
 
 ```javascript
-const authenticateHeader = response.headers.get('www-authenticate');
-const claimsChallenge = parseChallenges(authenticateHeader).claims;
-
-// ...
+try {
+  const response = await fetch(apiEndpoint, options);
+
+  if (response.status === 401 && response.headers.get('www-authenticate')) {
+    const authenticateHeader = response.headers.get('www-authenticate');
+    const claimsChallenge = parseChallenges(authenticateHeader).claims;
+    
+    // use the claims challenge to acquire a new access token...
+  }
+} catch(error) {
+  // ...
+}
 
+// helper function to parse the www-authenticate header
 function parseChallenges(header) {
     const schemeSeparator = header.indexOf(' ');
     const challenges = header.substring(schemeSeparator + 1).split(',');
@@ -126,24 +135,20 @@ function parseChallenges(header) {
 Your app would then use the claims challenge to acquire a new access token for the resource.
 
 ```javascript
+const tokenRequest = {
+    claims: window.atob(claimsChallenge), // decode the base64 string
+    scopes: ['User.Read']
+    account: msalInstance.getActiveAccount();
+};
+
 let tokenResponse;
 
 try {
-    tokenResponse = await msalInstance.acquireTokenSilent({
-        claims: window.atob(claimsChallenge), // decode the base64 string
-        scopes: scopes,  // e.g ['User.Read', 'Contacts.Read']
-        account: account, // current active account
-    });
-
+    tokenResponse = await msalInstance.acquireTokenSilent(tokenRequest);
 } catch (error) {
      if (error instanceof InteractionRequiredAuthError) {
-        tokenResponse = await msalInstance.acquireTokenPopup({
-            claims: window.atob(claimsChallenge), // decode the base64 string
-            scopes: scopes, // e.g ['User.Read', 'Contacts.Read']
-            account: account, // current active account
-        });
+        tokenResponse = await msalInstance.acquireTokenPopup(tokenRequest);
     }
-
 }
 ```
 
@@ -154,8 +159,7 @@ const msalConfig = {
     auth: {
         clientId: 'Enter_the_Application_Id_Here', 
         clientCapabilities: ["CP1"]
-        // the remaining settings
-        // ... 
+        // remaining settings...
     }
 }
 

articles/active-directory/develop/claims-challenge.md

@@ -103,7 +103,7 @@ _clientApp = PublicClientApplicationBuilder.Create(App.ClientId)
  .WithDefaultRedirectUri()
  .WithAuthority(authority)
  .WithClientCapabilities(new [] {"cp1"})
- .Build();*
+ .Build();
 ```
 
 Those using Microsoft.Identity.Web can add the following code to the configuration file:
@@ -112,22 +112,21 @@ Those using Microsoft.Identity.Web can add the following code to the configurati
 {
   "AzureAd": {
     "Instance": "https://login.microsoftonline.com/",
-    // the remaining settings
-    // ... 
-    "ClientCapabilities": [ "cp1" ]
+    "ClientId": 'Enter_the_Application_Id_Here' 
+    "ClientCapabilities": [ "cp1" ],
+    // remaining settings...
 },
 ```
 #### [JavaScript](#tab/JavaScript)
 
-Those using MSAL.js can add `clientCapabilities` property to the configuration object.
+Those using MSAL.js or MSAL Node can add `clientCapabilities` property to the configuration object. Note: this option is available to both public and confidential cient applications.
 
 ```javascript
 const msalConfig = {
     auth: {
         clientId: 'Enter_the_Application_Id_Here', 
         clientCapabilities: ["CP1"]
-        // the remaining settings
-        // ... 
+        // remaining settings...
     }
 }
 
@@ -222,14 +221,15 @@ else
 
 ### [JavaScript](#tab/JavaScript)
 
+The following snippet illustrates a custom Express.js middleware:
+
 ```javascript
 const checkIsClientCapableOfClaimsChallenge = (req, res, next) => {
     // req.authInfo contains the decoded access token payload
     if (req.authInfo['xms_cc'] && req.authInfo['xms_cc'].includes('CP1')) {
           // Return formatted claims challenge as this client understands this
-          
     } else {
-            return res.status(403).json({ error: 'Client is not capable' });
+          return res.status(403).json({ error: 'Client is not capable' });
     }
 }
 

articles/active-directory/develop/mark-app-as-publisher-verified.md

@@ -31,7 +31,6 @@ If you are already enrolled in the Microsoft Partner Network (MPN) and have met
 
 For more details on specific benefits, requirements, and frequently asked questions see the [overview](publisher-verification-overview.md).
 
-
 ## Mark your app as publisher verified
 Make sure you have met the [pre-requisites](publisher-verification-overview.md#requirements), then follow these steps to mark your app(s) as Publisher Verified.  
 

articles/active-directory/develop/whats-new-docs.md

@@ -5,7 +5,7 @@ services: active-directory
 author: mmacy
 manager: CelesteDG
 
-ms.date: 09/01/2022
+ms.date: 09/03/2022
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: reference
@@ -18,6 +18,19 @@ ms.custom: has-adal-ref
 
 Welcome to what's new in the Microsoft identity platform documentation. This article lists new docs that have been added and those that have had significant updates in the last three months.
 
+## September 2022
+
+### New articles
+
+- [Configure a user-assigned managed identity to trust an external identity provider (preview)](workload-identity-federation-create-trust-user-assigned-managed-identity.md)
+- [Important considerations and restrictions for federated identity credentials](workload-identity-federation-considerations.md)
+
+### Updated articles
+
+- [How to use Continuous Access Evaluation enabled APIs in your applications](app-resilience-continuous-access-evaluation.md)
+- [Run automated integration tests](test-automate-integration-testing.md)
+- [Tutorial: Sign in users and call the Microsoft Graph API from a JavaScript single-page application (SPA)](tutorial-v2-javascript-spa.md)
+
 ## August 2022
 
 ### Updated articles
@@ -51,13 +64,3 @@ Welcome to what's new in the Microsoft identity platform documentation. This art
 - [Microsoft identity platform access tokens](access-tokens.md)
 - [Single-page application: Sign-in and Sign-out](scenario-spa-sign-in.md)
 - [Tutorial: Add sign-in to Microsoft to an ASP.NET web app](tutorial-v2-asp-webapp.md)
-
-## June 2022
-
-### Updated articles
-
-- [Add app roles to your application and receive them in the token](howto-add-app-roles-in-azure-ad-apps.md)
-- [Azure AD Authentication and authorization error codes](reference-aadsts-error-codes.md)
-- [Microsoft identity platform refresh tokens](refresh-tokens.md)
-- [Single-page application: Acquire a token to call an API](scenario-spa-acquire-token.md)
-- [Tutorial: Sign in users and call the Microsoft Graph API in an Electron desktop app](tutorial-v2-nodejs-desktop.md)

articles/active-directory/enterprise-users/directory-delete-howto.md

@@ -30,7 +30,8 @@ You can't delete a organization in Azure AD until it passes several checks. Thes
 * There can be no multifactor authentication providers linked to the organization.
 * There can be no subscriptions for any Microsoft Online Services such as Microsoft Azure, Microsoft 365, or Azure AD Premium associated with the organization. For example, if a default Azure AD tenant was created for you in Azure, you can't delete this organization if your Azure subscription still relies on it for authentication. You also can't delete a tenant if another user has associated an Azure subscription with it.
 
-[!NOTE] Microsoft is aware that customers with certain tenant configurations may be unable to successfully delete their Azure AD organization. We are working to address this problem. In the meantime, if needed, you can contact Microsoft support for details about the issue.
+> [!NOTE]
+> Microsoft is aware that customers with certain tenant configurations may be unable to successfully delete their Azure AD organization. We are working to address this problem. In the meantime, if needed, you can contact Microsoft support for details about the issue.
 
 ## Delete the organization
 

articles/active-directory/enterprise-users/licensing-ps-examples.md

@@ -1,6 +1,6 @@
 ---
 
-title: PowerShell and Graph examples for group licensing - Azure AD | Microsoft Docs
+title: PowerShell and Microsoft Graph examples for group licensing - Azure AD | Microsoft Docs
 description: PowerShell + Graph examples and scenarios for Azure Active Directory group-based licensing
 services: active-directory
 keywords: Azure AD licensing
@@ -17,7 +17,7 @@ ms.reviewer: sumitp
 ms.collection: M365-identity-device-management
 ---
 
-# PowerShell and Graph examples for group-based licensing in Azure AD
+# PowerShell and Microsoft Graph examples for group-based licensing in Azure AD
 
 Full functionality for group-based licensing in Azure Active Directory (Azure AD), part of Microsoft Entra, is available through the [Azure portal](https://portal.azure.com), and currently there are some useful tasks that can be performed using the existing [MSOnline PowerShell
 cmdlets](/powershell/module/msonline) and Microsoft Graph. This document provides examples of what is possible.

articles/active-directory/fundamentals/users-default-permissions.md

@@ -56,7 +56,7 @@ You can restrict default permissions for member users in the following ways:
 | **Allow users to connect work or school account with LinkedIn** | Setting this option to **No** prevents users from connecting their work or school account with their LinkedIn account. For more information, see [LinkedIn account connections data sharing and consent](../enterprise-users/linkedin-user-consent.md). |
 | **Create security groups** | Setting this option to **No** prevents users from creating security groups. Global administrators and user administrators can still create security groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). |
 | **Create Microsoft 365 groups** | Setting this option to **No** prevents users from creating Microsoft 365 groups. Setting this option to **Some** allows a set of users to create Microsoft 365 groups. Global administrators and user administrators can still create Microsoft 365 groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). |
-| **Restrict access to Azure AD administration portal** | **What does this switch do?** <br>**No** lets non-administrators browse the Azure AD administration portal. <br>**Yes** Restricts non-administrators from browsing the Azure AD administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. </p><p></p><p>**What does it not do?** <br> It does not restrict access to Azure AD data using PowerShell or other clients such as Visual Studio. <br>It does not restrict access as long as a user is assigned a custom role (or any role). <br>It does not restrict access to Entra Portal. </p><p></p><p>**When should I use this switch?** <br>Use this to prevent users from misconfiguring the resources that they own. </p><p></p><p>**When should I not use this switch?** <br>Do not use this switch as a security measure. Instead, create a Conditional Access policy that targets Microsoft Azure Management will block non-administrators access to [Microsoft Azure Management](../conditional-access/concept-conditional-access-cloud-apps.md#microsoft-azure-management). </p><p></p><p> **How do I grant only a specific non-administrator users the ability to use the Azure AD administration portal?** <br> Set this option to **Yes**, then assign them a role like global reader. </p><p></p><p>**Restrict access to the Entra administration portal** <br>A Conditional Access policy that targets Microsoft Azure Management will target access to all Azure management. |
+| **Restrict access to Azure AD administration portal** | **What does this switch do?** <br>**No** lets non-administrators browse the Azure AD administration portal. <br>**Yes** Restricts non-administrators from browsing the Azure AD administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. </p><p></p><p>**What does it not do?** <br> It does not restrict access to Azure AD data using PowerShell, Microsoft GraphAPI, or other clients such as Visual Studio. <br>It does not restrict access as long as a user is assigned a custom role (or any role). <br>It does not restrict access to Entra Portal. </p><p></p><p>**When should I use this switch?** <br>Use this to prevent users from misconfiguring the resources that they own. </p><p></p><p>**When should I not use this switch?** <br>Do not use this switch as a security measure. Instead, create a Conditional Access policy that targets Microsoft Azure Management will block non-administrators access to [Microsoft Azure Management](../conditional-access/concept-conditional-access-cloud-apps.md#microsoft-azure-management). </p><p></p><p> **How do I grant only a specific non-administrator users the ability to use the Azure AD administration portal?** <br> Set this option to **Yes**, then assign them a role like global reader. </p><p></p><p>**Restrict access to the Entra administration portal** <br>A Conditional Access policy that targets Microsoft Azure Management will target access to all Azure management. |
 | **Read other users** | This setting is available in Microsoft Graph and PowerShell only. Setting this flag to `$false` prevents all non-admins from reading user information from the directory. This flag does not prevent reading user information in other Microsoft services like Exchange Online.</p><p>This setting is meant for special circumstances, so we don't recommend setting the flag to `$false`. |
 
 > [!NOTE]

articles/active-directory/governance/lifecycle-workflow-tasks.md

@@ -20,27 +20,7 @@ Lifecycle Workflows come with many pre-configured tasks that are designed to aut
 Lifecycle Workflow's built-in tasks each include an identifier, known as **taskDefinitionID**, and can be used to create either new workflows from scratch, or inserted into workflow templates so that they fit the needs of your organization. For more information on templates available for use with Lifecycle Workflows, see: [Lifecycle Workflow Templates](lifecycle-workflow-templates.md).
 
 
-
-Lifecycle Workflows currently support the following tasks:
-
-|Task  |taskdefinitionID  |Category  |
-|---------|---------|---------|
-|[Send welcome email to new hire](lifecycle-workflow-tasks.md#send-welcome-email-to-new-hire)     |   70b29d51-b59a-4773-9280-8841dfd3f2ea      | Joiner         |
-|[Generate Temporary Access Pass and send via email to user's manager](lifecycle-workflow-tasks.md#generate-temporary-access-pass-and-send-via-email-to-users-manager)     |  1b555e50-7f65-41d5-b514-5894a026d10d       | Joiner         |
-|[Add user to groups](lifecycle-workflow-tasks.md#add-user-to-groups)     |    22085229-5809-45e8-97fd-270d28d66910     | Joiner, Leaver
-|[Add user to teams](lifecycle-workflow-tasks.md#add-user-to-teams)      |  e440ed8d-25a1-4618-84ce-091ed5be5594       | Joiner, Leaver
-|[Enable user account](lifecycle-workflow-tasks.md#enable-user-account)     |    6fc52c9d-398b-4305-9763-15f42c1676fc     | Joiner, Leaver
-|[Run a custom task extension](lifecycle-workflow-tasks.md#run-a-custom-task-extension)    |    4262b724-8dba-4fad-afc3-43fcbb497a0e    | Joiner, Leaver
-|[Disable user account](lifecycle-workflow-tasks.md#disable-user-account)     |   1dfdfcc7-52fa-4c2e-bf3a-e3919cc12950      | Leaver
-|[Remove user from selected group](lifecycle-workflow-tasks.md#remove-user-from-selected-groups)     |   1953a66c-751c-45e5-8bfe-01462c70da3c      | Leaver
-|[Remove users from all groups](lifecycle-workflow-tasks.md#remove-users-from-all-groups)     |    b3a31406-2a15-4c9a-b25b-a658fa5f07fc     | Leaver
-|[Remove user from teams](lifecycle-workflow-tasks.md#remove-user-from-teams)    |    06aa7acb-01af-4824-8899-b14e5ed788d6     | Leaver        |
-|[Remove user from all teams](lifecycle-workflow-tasks.md#remove-users-from-all-teams)     |    81f7b200-2816-4b3b-8c5d-dc556f07b024     | Leaver        |
-|[Remove all license assignments from user](lifecycle-workflow-tasks.md#remove-all-license-assignments-from-user)     | 8fa97d28-3e52-4985-b3a9-a1126f9b8b4e         | Leaver
-|[Delete user](lifecycle-workflow-tasks.md#delete-user)    |    8d18588d-9ad3-4c0f-99d0-ec215f0e3dff     | Leaver         |
-|[Send email to manager before user last day](lifecycle-workflow-tasks.md#send-email-to-manager-before-user-last-day)    |    52853a3e-f4e5-4eb8-bb24-1ac09a1da935     | Leaver         |
-|[Send email on users last day](lifecycle-workflow-tasks.md#send-email-on-users-last-day)    |    9c0a1eaf-5bda-4392-9d9e-6e155bb57411     | Leaver         |
-|[Send offboarding email to users manager after their last day](lifecycle-workflow-tasks.md#send-offboarding-email-to-users-manager-after-their-last-day)    |    6f22ddd4-b3a5-47a4-a846-0d7c201a49ce     | Leaver         |
+[!INCLUDE [Lifecylce Workflows tasks table](../../../includes/lifecycle-workflows-tasks-table.md)]
 
 ## Common task parameters (preview)
 

articles/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md

@@ -275,7 +275,7 @@ This PowerShell script will tighten permissions for the AD Connector Account pro
 - Disable inheritance on the specified object 
 - Remove all ACEs on the specific object, except ACEs specific to SELF as we want to keep the default permissions intact when it comes to SELF. 
 
-  The -ADConnectorAccountDN parameter is the AD account whose permissions need to be tightened. This is typically the MSOL_nnnnnnnnnnnn domain account that is configured in the AD DS Connector (see Determine your AD DS Connector Account). The -Credential parameter is necessary to specify the Administrator account that has the necessary privileges to restrict Active Directory permissions on the target AD object. This is typically the Enterprise or Domain Administrator.  
+  The -ADConnectorAccountDN parameter is the AD account whose permissions need to be tightened. This is typically the MSOL_nnnnnnnnnnnn domain account that is configured in the AD DS Connector (see Determine your AD DS Connector Account). The -Credential parameter is necessary to specify the Administrator account that has the necessary privileges to restrict Active Directory permissions on the target AD object (this account must be different from the ADConnectorAccountDN account). This is typically the Enterprise or Domain Administrator.  
 
 ``` powershell
 Set-ADSyncRestrictedPermissions [-ADConnectorAccountDN] <String> [-Credential] <PSCredential> [-DisableCredentialValidation] [-WhatIf] [-Confirm] [<CommonParameters>] 
@@ -285,7 +285,7 @@ For Example:
 
 ``` powershell
 $credential = Get-Credential 
-Set-ADSyncRestrictedPermissions -ADConnectorAccountDN'CN=ADConnectorAccount,CN=Users,DC=Contoso,DC=com' -Credential $credential  
+Set-ADSyncRestrictedPermissions -ADConnectorAccountDN 'CN=ADConnectorAccount,CN=Users,DC=Contoso,DC=com' -Credential $credential  
 ```
 
 This cmdlet will set the following permissions: