MicrosoftDocs
diff --git a/‎.gitignore
Lines changed: 1 addition & 1 deletion b/‎.gitignore
Lines changed: 1 addition & 1 deletion
diff --git a/‎.openpublishing.redirection.json
Lines changed: 280 additions & 15 deletions b/‎.openpublishing.redirection.json
Lines changed: 280 additions & 15 deletions
diff --git a/‎.vscode/settings.json
Lines changed: 58 additions & 0 deletions b/‎.vscode/settings.json
Lines changed: 58 additions & 0 deletions
diff --git a/‎CODEOWNERS
Lines changed: 1 addition & 1 deletion b/‎CODEOWNERS
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory-b2c/TOC.yml
Lines changed: 13 additions & 6 deletions b/‎articles/active-directory-b2c/TOC.yml
Lines changed: 13 additions & 6 deletions
diff --git a/‎articles/active-directory-b2c/application-types.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory-b2c/application-types.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory-b2c/b2clogin.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory-b2c/b2clogin.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory-b2c/claim-resolver-overview.md
Lines changed: 62 additions & 13 deletions b/‎articles/active-directory-b2c/claim-resolver-overview.md
Lines changed: 62 additions & 13 deletions
@@ -3,7 +3,6 @@
 Thumbs.db
 
 # Visual Studio and VS Code files
-.settings.json
 .vscode/*
 .vs/*
 log/
@@ -24,3 +23,4 @@ AzureMigration.ps1
 !/.vscode/extensions.json
 .gitignore
 **/.vscode/settings.json
+!/.vscode/settings.json
@@ -0,0 +1,58 @@
+{
+    "markdown.docsetLanguages": [
+        ".NET Core CLI",
+        "Apache",
+        "ASPX",
+        "AzCopy",
+        "Azure CLI",
+        "Azure CLI (Interactive)",
+        "Azure Powershell",
+        "Azure Powershell (Interactive)",
+        "Bash",
+        "C",
+        "C#",
+        "C# (Interactive)",
+        "C++",
+        "CSS",
+        "DAX Power BI",
+        "Diff",
+        "Dockerfile",
+        "DOS",
+        "F#",
+        "Go",
+        "Gradle",
+        "Groovy",
+        "HTML",
+        "HTTP",
+        "Ini",
+        "Java",
+        "JavaScript",
+        "JSON",
+        "Kotlin",
+        "Kusto",
+        "Markdown",
+        "MS Graph (Interactive)",
+        "Objective C",
+        "PHP",
+        "Plaintext no highlight",
+        "PostgreSQL & PL/pgSQL",
+        "PowerShell",
+        "PowerShell (Interactive)",
+        "Properties",
+        "Python",
+        "R",
+        "Razor CSHTML",
+        "Ruby",
+        "Scala",
+        "Shell",
+        "Solidity",
+        "SQL",
+        "Swift",
+        "Terraform (HCL)",
+        "TypeScript",
+        "VB.NET",
+        "XAML",
+        "XML",
+        "YAML"
+    ]
+}
@@ -1,6 +1,6 @@
 # Testing the new code owners feature in GitHub. Please contact Cory Fowler if you have questions.
 # Cognitive Services
-articles/cognitive-services/ @diberry @erhopf, @nitinme
+articles/cognitive-services/ @diberry @erhopf @aahill @ievangelist @patrickfarley @nitinme
 
 # DevOps
 articles/ansible/ @TomArcherMsft
 
@@ -81,6 +81,9 @@
     - name: Register a SAML service provider
       href: connect-with-saml-service-providers.md
       displayName: SP, RP, service provider, connect
+    - name: Register a Graph application
+      href: microsoft-graph-get-started.md
+      displayName: migrate, migration, microsoft graph
     - name: Add a web API application
       href: add-web-application.md
     - name: Add a native client application
@@ -101,7 +104,7 @@
         href: user-flow-self-service-password-reset.md
     - name: UX customization
       items:
-      - name: User interface customization
+      - name: Customize the UI
         href: customize-ui-overview.md
       - name: JavaScript and page layouts
         href: user-flow-javascript-overview.md
@@ -177,8 +180,6 @@
       - name: Customize the UI
         href: custom-policy-ui-customization.md
         displayName: ux, input, cors, html, css
-      - name: Customize the UI dynamically
-        href: custom-policy-ui-customization-dynamic.md
       - name: Custom email
         href: custom-email.md
         displayName: verification
@@ -353,6 +354,12 @@
       href: view-usage-reports.md
     - name: Account management
       href: manage-user-accounts-graph-api.md
+    - name: Deploy with Azure Pipelines
+      href: deploy-custom-policies-devops.md
+      displayName: azure devops, ci/cd, cicd, custom policy, policies
+    - name: Manage policies with PowerShell
+      href: manage-custom-policies-powershell.md
+      displayName: scripting, scripts, psh, custom policy
   - name: Audit logs
     href: view-audit-logs.md
   - name: Manage users - Azure portal
@@ -373,8 +380,6 @@
     items:
     - name: Migrate users
       href: user-migration.md
-    - name: Migrate users with external identities
-      href: migrate-social-identities.md
 - name: Reference
   items:
   - name: Identity Experience Framework release notes
@@ -388,9 +393,11 @@
     displayName: cookies, SameSite
   - name: Error codes
     href: error-codes.md
+  - name: Microsoft Graph API operations
+    href: microsoft-graph-operations.md
   - name: Region availability & data residency
     href: data-residency.md
-  - name: Enable billing
+  - name: Billing model
     href: billing.md
   - name: Threat management
     href: threat-management.md
 
@@ -121,7 +121,7 @@ To set up client credential flow, see [Azure Active Directory v2.0 and the OAuth
 
 #### Web API chains (on-behalf-of flow)
 
-Many architectures include a web API that needs to call another downstream web API, where both are secured by Azure AD B2C. This scenario is common in native clients that have a Web API back-end and calls a Microsoft online service such as the Microsoft Graph API or Azure AD Graph API.
+Many architectures include a web API that needs to call another downstream web API, where both are secured by Azure AD B2C. This scenario is common in native clients that have a Web API back-end and calls a Microsoft online service such as the Microsoft Graph API.
 
 This chained web API scenario can be supported by using the OAuth 2.0 JWT bearer credential grant, also known as the on-behalf-of flow.  However, the on-behalf-of flow is not currently implemented in the Azure AD B2C.
 
 
@@ -42,7 +42,7 @@ There are several modifications you might need to make to migrate your applicati
 
 * Change the redirect URL in your identity provider's applications to reference *b2clogin.com*.
 * Update your Azure AD B2C applications to use *b2clogin.com* in their user flow and token endpoint references.
-* Update any **Allowed Origins** that you've defined in the CORS settings for [user interface customization](custom-policy-ui-customization-dynamic.md).
+* Update any **Allowed Origins** that you've defined in the CORS settings for [user interface customization](custom-policy-ui-customization.md).
 
 ## Change identity provider redirect URLs
 
@@ -117,4 +117,4 @@ For migrating Azure API Management APIs protected by Azure AD B2C, see the [Migr
 [msal-dotnet]: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
 [msal-dotnet-b2c]: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/AAD-B2C-specifics
 [msal-js]: https://github.com/AzureAD/microsoft-authentication-library-for-js
-[msal-js-b2c]: ../active-directory/develop/msal-b2c-overview.md
+[msal-js-b2c]: ../active-directory/develop/msal-b2c-overview.md
@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 02/13/2020
+ms.date: 02/17/2020
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -100,9 +100,21 @@ Any parameter name included as part of an OIDC or OAuth2 request can be mapped t
 | ----- | ----------------------- | --------|
 | {oauth2:access_token} | The access token. | N/A |
 
+
+### SAML
+
+| Claim | Description | Example |
+| ----- | ----------- | --------|
+| {SAML:AuthnContextClassReferences} | The `AuthnContextClassRef` element value, from the SAML request. | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport |
+| {SAML:NameIdPolicyFormat} | The `Format` attribute, from the `NameIDPolicy` element of the SAML request. | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
+| {SAML:Issuer} |  The SAML `Issuer` element value of the SAML request.| https://contoso.com |
+| {SAML:AllowCreate} | The `AllowCreate` attribute value, from the `NameIDPolicy` element of the SAML request. | True |
+| {SAML:ForceAuthn} | The `ForceAuthN` attribute value, from the `AuthnRequest` element of the SAML request. | True |
+| {SAML:ProviderName} | The `ProviderName` attribute value, from the `AuthnRequest` element of the SAML request.| Contoso.com |
+
 ## Using claim resolvers 
 
-You can use claims resolvers with following elements: 
+You can use claims resolvers with the following elements: 
 
 | Item | Element | Settings |
 | ----- | ----------------------- | --------|
@@ -119,16 +131,16 @@ You can use claims resolvers with following elements:
 |[RelyingParty](relyingparty.md#technicalprofile) technical profile| `OutputClaim`| 2 |
 
 Settings: 
-1. The `IncludeClaimResolvingInClaimsHandling` metadata must set to `true`
-1. The input or output claims attribute `AlwaysUseDefaultValue` must set to `true`
+1. The `IncludeClaimResolvingInClaimsHandling` metadata must be set to `true`.
+1. The input or output claims attribute `AlwaysUseDefaultValue` must be set to `true`.
 
-## How to use claim resolvers
+## Claim resolvers samples
 
 ### RESTful technical profile
 
 In a [RESTful](restful-technical-profile.md) technical profile, you may want to send the user language, policy name, scope, and client ID. Based on these claims the REST API can run custom business logic, and if necessary raise a localized error message.
 
-The following example shows a RESTful technical profile:
+The following example shows a RESTful technical profile with this scenario:
 
 ```XML
 <TechnicalProfile Id="REST">
@@ -138,12 +150,13 @@ The following example shows a RESTful technical profile:
     <Item Key="ServiceUrl">https://your-app.azurewebsites.net/api/identity</Item>
     <Item Key="AuthenticationType">None</Item>
     <Item Key="SendClaimsIn">Body</Item>
+    <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>
   </Metadata>
   <InputClaims>
-    <InputClaim ClaimTypeReferenceId="userLanguage" DefaultValue="{Culture:LCID}" />
-    <InputClaim ClaimTypeReferenceId="policyName" DefaultValue="{Policy:PolicyId}" />
-    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="{OIDC:scope}" />
-    <InputClaim ClaimTypeReferenceId="clientId" DefaultValue="{OIDC:ClientId}" />
+    <InputClaim ClaimTypeReferenceId="userLanguage" DefaultValue="{Culture:LCID}" AlwaysUseDefaultValue="true" />
+    <InputClaim ClaimTypeReferenceId="policyName" DefaultValue="{Policy:PolicyId}" AlwaysUseDefaultValue="true" />
+    <InputClaim ClaimTypeReferenceId="scope" DefaultValue="{OIDC:scope}" AlwaysUseDefaultValue="true" />
+    <InputClaim ClaimTypeReferenceId="clientId" DefaultValue="{OIDC:ClientId}" AlwaysUseDefaultValue="true" />
   </InputClaims>
   <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop" />
 </TechnicalProfile>
@@ -155,9 +168,9 @@ Using claim resolvers, you can prepopulate the sign-in name or direct sign-in to
 
 ### Dynamic UI customization
 
-Azure AD B2C enables you to pass query string parameters to your HTML content definition endpoints so that you can dynamically render the page content. For example, you can change the background image on the Azure AD B2C sign-up or sign-in page based on a custom parameter that you pass from your web or mobile application. For more information, see [Dynamically configure the UI by using custom policies in Azure Active Directory B2C](custom-policy-ui-customization-dynamic.md). You can also localize your HTML page based on a language parameter, or you can change the content based on the client ID.
+Azure AD B2C enables you to pass query string parameters to your HTML content definition endpoints to dynamically render the page content. For example, this allows the ability to modify the background image on the Azure AD B2C sign-up or sign-in page based on a custom parameter that you pass from your web or mobile application. For more information, see [Dynamically configure the UI by using custom policies in Azure Active Directory B2C](custom-policy-ui-customization.md). You can also localize your HTML page based on a language parameter, or you can change the content based on the client ID.
 
-The following example passes in the query string a parameter named **campaignId** with a value of `hawaii`, a **language** code of `en-US`, and **app** representing the client ID:
+The following example passes in the query string parameter named **campaignId** with a value of `hawaii`, a **language** code of `en-US`, and **app** representing the client ID:
 
 ```XML
 <UserJourneyBehaviors>
@@ -169,12 +182,23 @@ The following example passes in the query string a parameter named **campaignId*
 </UserJourneyBehaviors>
 ```
 
-As a result Azure AD B2C sends the above parameters to the HTML content page:
+As a result, Azure AD B2C sends the above parameters to the HTML content page:
 
 ```
 /selfAsserted.aspx?campaignId=hawaii&language=en-US&app=0239a9cc-309c-4d41-87f1-31288feb2e82
 ```
 
+### Content definition
+
+In a [ContentDefinition](contentdefinitions.md) `LoadUri`, you can send claim resolvers to pull content from different places, based on the parameters used. 
+
+```XML
+<ContentDefinition Id="api.signuporsignin">
+  <LoadUri>https://contoso.blob.core.windows.net/{Culture:LanguageName}/myHTML/unified.html</LoadUri>
+  ...
+</ContentDefinition>
+```
+
 ### Application Insights technical profile
 
 With Azure Application Insights and claim resolvers you can gain insights on user behavior. In the Application Insights technical profile, you send input claims that are persisted to Azure Application Insights. For more information, see [Track user behavior in Azure AD B2C journeys by using Application Insights](analytics-with-application-insights.md). The following example sends the policy ID, correlation ID, language, and the client ID to Azure Application Insights.
@@ -192,3 +216,28 @@ With Azure Application Insights and claim resolvers you can gain insights on use
   </InputClaims>
 </TechnicalProfile>
 ```
+
+### Relying party policy
+
+In a [Relying party](relyingparty.md) policy technical profile, you may want to send the tenant ID, or correlation ID to the relying party application within the JWT. 
+
+```XML
+<RelyingParty>
+    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
+    <TechnicalProfile Id="PolicyProfile">
+      <DisplayName>PolicyProfile</DisplayName>
+      <Protocol Name="OpenIdConnect" />
+      <OutputClaims>
+        <OutputClaim ClaimTypeReferenceId="displayName" />
+        <OutputClaim ClaimTypeReferenceId="givenName" />
+        <OutputClaim ClaimTypeReferenceId="surname" />
+        <OutputClaim ClaimTypeReferenceId="email" />
+        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
+        <OutputClaim ClaimTypeReferenceId="identityProvider" />
+        <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
+        <OutputClaim ClaimTypeReferenceId="correlationId" AlwaysUseDefaultValue="true" DefaultValue="{Context:CorrelationId}" />
+      </OutputClaims>
+      <SubjectNamingInfo ClaimType="sub" />
+    </TechnicalProfile>
+  </RelyingParty>
+```