Merge branch 'main' into nosp

Author: lb4368

.openpublishing.publish.config.json

@@ -70,7 +70,7 @@
         },
         {
             "path_to_root": "azure_cli_scripts",
-            "url": "https://github.com/Azure-Samples/azure-cli-samples",
+            "url": "https://github.com/ggailey777/azure-cli-samples",
             "branch": "master",
             "branch_mapping": {}
         },
@@ -626,6 +626,12 @@
             "branch": "main",
             "branch_mapping": {}
         },
+        {
+            "path_to_root": "app-service-agentic-semantic-kernel-java",
+            "url": "https://github.com/Azure-Samples/app-service-agentic-semantic-kernel-java",
+            "branch": "main",
+            "branch_mapping": {}
+        },
         {
             "path_to_root": "playwright-testing-service",
             "url": "https://github.com/microsoft/playwright-testing-service",
@@ -757,6 +763,12 @@
             "url": "https://github.com/AzureADQuickStarts/WebApp-OpenIdConnect-DotNet",
             "branch": "GuidedSetup",
             "branch_mapping": {}
+        },
+        {
+            "path_to_root": "azure-policy-autogen-docs",
+            "url": "https://github.com/MicrosoftDocs/azure-policy-autogen-docs",
+            "branch": "main",
+            "branch_mapping": {}
         }
     ],
     "branch_target_mapping": {

.openpublishing.redirection.json

@@ -157,7 +157,7 @@ A claims transformation technical profile accesses the `isForgotPassword` claim.
 
 The **SelfAsserted-LocalAccountSignin-Email** technical profile **setting.forgotPasswordLinkOverride** defines the password reset claims exchange that executes in your user journey.
 
-The **LocalAccountWritePasswordUsingObjectId** technical profile **UseTechnicalProfileForSessionManagement** `SM-AAD` session manager is required for the user to preform subsequent logins successfully under [SSO](./custom-policy-reference-sso.md) conditions.
+The **LocalAccountWritePasswordUsingObjectId** technical profile **UseTechnicalProfileForSessionManagement** `SM-AAD` session manager is required for the user to perform subsequent logins successfully under [SSO](./custom-policy-reference-sso.md) conditions.
 
 ### Add the password reset sub journey
 

articles/active-directory-b2c/add-password-reset-policy.md

@@ -84,7 +84,7 @@ Manage your Azure AD B2C environment.
 | Use the Microsoft Graph API to automate the management of your B2C tenants | Microsoft Graph APIs:<br/>Manage [Identity Experience Framework](/graph/api/resources/trustframeworkpolicy?preserve-view=true&view=graph-rest-beta) (custom policies)<br/>[Keys](/graph/api/resources/trustframeworkkeyset?preserve-view=true&view=graph-rest-beta)<br/>[User Flows](/graph/api/resources/identityuserflow?preserve-view=true&view=graph-rest-beta) |
 | Integrate with Azure DevOps | A [CI/CD pipeline](deploy-custom-policies-devops.md) makes moving code between different environments easy and ensures production readiness always.   |
 | Deploy custom policy | Azure AD B2C relies on caching to deliver performance to your end users. When you deploy a custom policy using whatever method, expect a delay of up to **30 minutes** for your users to see the changes. As a result of this behavior, consider the following practices when you deploy your custom policies: <br> - If you're deploying to a development environment, set the `DeploymentMode` attribute in your custom policy file's `<TrustFrameworkPolicy>` element to `Production`. <br> - Deploy your updated policy files to a production environment when traffic in your app is low. <br> - When you deploy to a production environment to update existing policy files, upload the updated files with new names, which act as new versions of the policies. Then, update your app references to the new names/versions. You can remove the old policy files afterward or keep them as your last known good configuration for easy rollback.<br> - If you need to deploy to a production environment to update existing policy files without versioning, make the new policy backward compatible with the old policy by following some simple rules. If you need to change a technical profile, claim, or [SubJourney](subjourneys.md), create a new version of it, publish the policy, and wait for 30 minutes for Azure AD B2C caches to pick up the new version. Then, in a subsequent update, make changes to use the new version and perform another policy update. Wait for another 30 minutes, then you can delete the old version of the elements if needed. Ensure all of your business logic is inside SubJourneys.<br> - You can set the `DeploymentMode` to `Development` in a production environment to bypass the caching behavior. However, we don't recommend this practice. If you [Collect Azure AD B2C logs with Application Insights](troubleshoot-with-application-insights.md), all claims sent to and from identity providers are collected, which is a security and performance risk. |
-| Deploy app registration updates | When you modify your application registration in your Azure AD B2C tenant, such as updating the application's redirect URI, expect a delay of up to **2 hours (3600s)** for the changes to take effect in the production environment. We recommend that you modify your application registration in your production environment when traffic in your app is low.|
+| Deploy app registration updates | When you modify your application registration in your Azure AD B2C tenant, such as updating the application's redirect URI, expect a delay of up to **2 hours (7200s)** for the changes to take effect in the production environment. We recommend that you modify your application registration in your production environment when traffic in your app is low.|
 | Integrate with Azure Monitor | [Audit log events](view-audit-logs.md) are only retained for seven days. [Integrate with Azure Monitor](azure-monitor.md) to retain the logs for long-term use, or integrate with third-party security information and event management (SIEM) tools to gain insights into your environment. |
 | Setup active alerting and monitoring | [Track user behavior](./analytics-with-application-insights.md) in Azure AD B2C using Application Insights. |
 

articles/active-directory-b2c/best-practices.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: azure-active-directory
 
 ms.topic: reference
-ms.date: 06/12/2025
+ms.date: 07/09/2025
 ms.author: kengaderdus
 ms.subservice: b2c
 
@@ -65,6 +65,9 @@ Azure AD B2C page layout uses the following versions of the [jQuery library](htt
 
 ## Self-asserted page (selfasserted)
 
+**2.1.36** 
+- The CAPTCHA input now displays French accented characters correctly. This update resolves previous font encoding and localization errors that affected character rendering
+
 **2.1.35**
 - Enhanced CAPTCHA error handling now ensures that any validation failures—such as “unmatched challenge”—returned by the backend are consistently captured and displayed in the UI.
 
@@ -227,6 +230,9 @@ Azure AD B2C page layout uses the following versions of the [jQuery library](htt
 > [!TIP]
 > If you localize your page to support multiple locales, or languages in a user flow. The [localization IDs](localization-string-ids.md) article provides the list of localization IDs that you can use for the page version you select.
 
+**2.1.24**
+- This release resolves issues with French accents in the CAPTCHA input. Accented characters now appear correctly, and font and encoding limitations no longer affect their display. All French-specific characters show as intended.
+
 **2.1.23**
 - Enhanced CAPTCHA error handling now ensures that any validation failures—such as “unmatched challenge”—returned by the backend are consistently captured and displayed in the UI.
 
@@ -330,6 +336,9 @@ Azure AD B2C page layout uses the following versions of the [jQuery library](htt
 
 ## MFA page (multifactor)
 
+**1.2.22**
+- This release resolves issues with French accents in the CAPTCHA input. Accented characters now appear correctly, and font and encoding limitations no longer affect their display. All French-specific characters show as intended.
+
 **1.2.21**
 - Enhanced CAPTCHA error handling now ensures that any validation failures—such as “unmatched challenge”—returned by the backend are consistently captured and displayed in the UI. 
 

articles/active-directory-b2c/media/partner-nok-nok/nok-nok-id-token-hint-architecture-diagram.png

@@ -7,7 +7,7 @@ manager: martinco
 ms.reviewer: kengaderdus
 ms.service: azure-active-directory
 ms.topic: how-to
-ms.date: 01/26/2024
+ms.date: 06/30/2025
 ms.author: gasinh
 ms.subservice: b2c
 
@@ -21,20 +21,19 @@ In this article, you can learn how to configure the [Cloudflare Web Application
 
 ## Prerequisites
 
-To get started, you'll need:
+To get started, you need:
 
-- An Azure subscription 
-  - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/)
-- [An Azure AD B2C tenant](tutorial-create-tenant.md) linked to your Azure subscription
-- A [Cloudflare](https://dash.cloudflare.com/sign-up) account
+- An Azure subscription. If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/).
+- [An Azure AD B2C tenant](tutorial-create-tenant.md) linked to your Azure subscription.
+- A [Cloudflare](https://dash.cloudflare.com/sign-up) account.
 
 ## Scenario description
 
 Cloudflare WAF integration includes the following components:
 
-- **Azure AD B2C tenant** – The authorization server that verifies user credentials using the custom policies defined in the tenant. It's known as the identity provider
+- **Azure AD B2C tenant** – The authorization server that verifies user credentials using the custom policies defined in the tenant, known as the identity provider.
 - [**Azure Front Door**](../frontdoor/front-door-overview.md) – Enables custom domains for Azure B2C tenant. Traffic from Cloudflare WAF is routed to Azure Front Door before arriving at Azure AD B2C tenant.
-- **Cloudflare** – The web application firewall that manages traffic sent to the authorization server
+- **Cloudflare** – The web application firewall that manages traffic sent to the authorization server.
 
 ## Integrate with Azure AD B2C
 
@@ -58,6 +57,9 @@ The settings appear in the following image.
 
    ![Screenshot of proxied status.](./media/partner-cloudflare/select-proxied.png)
 
+> [!NOTE]
+> Azure Front Door-managed certificates aren't automatically renewed if your custom domain’s CNAME record points to a DNS record other than the Azure Front Door endpoint’s domain (for example, when using a third-party DNS service like Cloudflare). To renew the certificate in such cases, follow the instructions in the [Renew Azure Front Door-managed certificates](../frontdoor/domain.md#renew-azure-front-door-managed-certificates) article.
+
 ### Configure the Web Application Firewall
 
 Go to your Cloudflare settings, and use the Cloudflare content to [configure the WAF](https://www.cloudflare.com/application-services/products/waf/) and learn about other security tools. 

articles/active-directory-b2c/page-layout.md

@@ -40,7 +40,7 @@ To enable passkey authentication for your users, enable Nok Nok as an identity p
 
 The following diagram illustrates the Nok Nok solution as an IdP for Azure AD B2C by using OpenID Connect (OIDC) for passkey authentication.
 
-![Diagram of Nok Nok as IdP for Azure AD B2C using OpenID Connect (OIDC) for passkey authentication.](./media/partner-nok-nok/nok-nok-architecture-diagram.png)
+![Diagram for passkey authentication with Nok Nok as an IdP.](./media/partner-nok-nok/nok-nok-architecture-diagram.png)
 
 ### Scenario 1: Passkey registration
 1. The user navigates to the Nok Nok tutorial web app using the link provided by Nok Nok.
@@ -52,9 +52,11 @@ The following diagram illustrates the Nok Nok solution as an IdP for Azure AD B2
 ### Scenario 2: Passkey authentication
 1. The user selects the sign-in with Nok Nok Cloud button on the Azure AD B2C sign-in page.
 2. Azure AD B2C redirects the user to the Nok Nok sign-in app.
-3. The user authenticates with their passkey.
-4. The Nok Nok server validates the passkey assertion and sends an OIDC authentication response to Azure AD B2C.
-5. Based on the authentication result, Azure AD B2C either grants or denies access to the target application.
+3. The user requests passkey authentication
+4. The user authenticates with their passkey.
+5. The Nok Nok Cloud validates the passkey assertion
+6. The Nok Nok Cloud sends an OIDC authentication response to Azure AD B2C.
+7. Based on the authentication result, Azure AD B2C either grants or denies access to the target application.
 
 ## Get started with Nok Nok
 
@@ -125,6 +127,22 @@ For the following instructions, Nok Nok is a new OIDC IdP in the B2C identity pr
 
 If the flow is incomplete, confirm the user is or isn't saved in the directory.
 
+## Alternate flow for Authentication
+
+The following diagram illustrates an alternate passkey sign in or sign up flow using the ID Token Hint feature of Azure AD B2C. With this approach, an Azure custom policy verifies the ID Token Hint produced by the Nok Nok Cloud. For more details, please refer to the article, [Define an ID token hint technical profile in an Azure Active Directory B2C custom policy](./id-token-hint.md). Please contact Nok Nok support for help with integrated the required Azure custom policy.
+
+![Diagram for passkey authentication using ID Token Hint from Nok Nok.](./media/partner-nok-nok/nok-nok-id-token-hint-architecture-diagram.png)
+
+The following are the steps
+1. The user selects the sign-in with Nok Nok Cloud button.
+2. The Nok Nok Cloud request passkey authentication.
+3. The user authenticates with their passkey.
+4. The Nok Nok Cloud validates the passkey assertion.
+5. The ID Token Hint is returned.
+6. The App posts an OIDC request with the ID Token Hint to Azure AD B2C.
+7. Azure AD B2C Custom Policy verifies the ID Token Hint.
+8. Based on the authentication result, Azure AD B2C either grants or denies access to the target application.
+
 ## Next steps
 
 * [Azure AD B2C custom policy overview](./custom-policy-overview.md)

articles/active-directory-b2c/partner-cloudflare.md

@@ -75,7 +75,7 @@ In this scenario, Trusona acts as an Identity Provider (IdP) for Azure AD B2C to
 
 ## Step 1: Onboard with Trusona Authentication Cloud
 
-1.	Sign in to the [Trusona Portal](https://portal.trusona.io).
+1.	Sign in to the [Trusona Portal](https://portal.trusona.com/).
 2.	From the left navigation panel, select **Settings**
 3.	In the Settings menu, select the slider to **Enable OIDC**.
 4.	Select the appropriate **Inputs** and provide the **Redirect URL** `https://{your-tenant-name}.b2clogin.com/{your-tenant-name}.onmicrosoft.com/oauth2/authresp`.

articles/active-directory-b2c/partner-nok-nok.md

@@ -60,7 +60,7 @@ The following diagram shows the implementation architecture.
 
     * [Key Vault](https://azure.microsoft.com/services/key-vault/): Store passwords
     * [App Service](https://azure.microsoft.com/services/app-service/): Host the BRIMS API and admin portal services
-    * [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/): Authenticate administrative users for the portal
+    * [Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id): Authenticate administrative users for the portal
     * [Azure Cosmos DB](https://azure.microsoft.com/services/cosmos-db/): Store and retrieve settings
     * [Application Insights overview](/azure/azure-monitor/app/app-insights-overview) (optional): Sign in to the API and the portal