Commit b57256b

Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into work-urls-fix
2 parents 397582d + 3c34440 commit b57256b

200 files changed

+4236
-1907
lines changed

articles/active-directory-b2c/access-tokens.md

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -79,6 +79,9 @@ client_id=<application-ID>
7979
&scope=<application-ID-URI>/<scope-name>
8080
&response_type=code
8181
```
82+
This is the interactive part of the flow, where you take action. You're asked to complete the user flow's workflow. This might involve entering your username and password in a sign in form or any other number of steps. The steps you complete depend on how the user flow is defined.
83+
84+
If you're testing this GET HTTP request, use your browser.
8285

8386
The response with the authorization code should be similar to this example:
8487

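Review bot: In the paragraph added at new line 82, "sign in form" should be hyphenated as "sign-in form", and "or any other number of steps" reads more clearly as "or any number of other steps". The paragraph also uses second person ("where you take action") while the matching sentence in authorization-code-flow.md says "where the user takes action"; pick one voice for both articles.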
@@ -100,8 +103,10 @@ grant_type=authorization_code
100103
&redirect_uri=https://jwt.ms
101104
&client_secret=2hMG2-_:y12n10vwH...
102105
```
103-
104-
You should see something similar to the following response:
106+
107+
If you're testing this POST HTTP request, you can use any HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview.md) or [Postman](https://www.postman.com/).
108+
109+
A successful token response looks like this:
105110

106111
```json
107112
{
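Review bot: The testing tip added at new line 106 sits directly under a sample request that carries `client_secret` and the authorization code, so it should tell readers to use the secret of a test app registration and not to save it into shared or synced request collections in a third-party HTTP client. Separately, the link target `/powershell/scripting/overview.md` is a site-relative path with a `.md` extension; confirm that it resolves in the published docs, or drop the extension.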

articles/active-directory-b2c/authorization-code-flow.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,7 @@ The authorization code flow for single page applications requires some additiona
4040
The `spa` redirect type is backwards compatible with the implicit flow. Apps currently using the implicit flow to get tokens can move to the `spa` redirect URI type without issues and continue using the implicit flow.
4141

4242
## 1. Get an authorization code
43-
The authorization code flow begins with the client directing the user to the `/authorize` endpoint. This is the interactive part of the flow, where the user takes action. In this request, the client indicates in the `scope` parameter the permissions that it needs to acquire from the user. The following three examples (with line breaks for readability) each use a different user flow.
43+
The authorization code flow begins with the client directing the user to the `/authorize` endpoint. This is the interactive part of the flow, where the user takes action. In this request, the client indicates in the `scope` parameter the permissions that it needs to acquire from the user. The following three examples (with line breaks for readability) each use a different user flow. If you're testing this GET HTTP request, use your browser.
4444

4545

4646
```http
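Review bot: At new line 43 the testing sentence is appended after "The following three examples (with line breaks for readability) each use a different user flow.", so the sentence that introduces the examples no longer sits directly above the `http` block. Move "If you're testing this GET HTTP request, use your browser." ahead of the examples sentence, or give it its own paragraph as access-tokens.md does in this same commit.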
@@ -129,6 +129,8 @@ grant_type=authorization_code&client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&sco
129129
| redirect_uri |Required |The redirect URI of the application where you received the authorization code. |
130130
| code_verifier | recommended | The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). |
131131

132+
If you're testing this POST HTTP request, you can use any HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview.md) or [Postman](https://www.postman.com/).
133+
132134
A successful token response looks like this:
133135

134136
```json
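Review bot: The tip added at new line 132 sends readers to a separate HTTP client for the POST, but the `code_verifier` row just above says it is required if PKCE was used in the authorization request. Add a clause saying that the POST must carry the same `code_verifier` that produced the `code_challenge` in the browser GET, otherwise a reader who tests the two requests in different tools will get a failed token request with no hint why.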

articles/active-directory-b2c/custom-policy-reference-sso.md

Lines changed: 203 additions & 55 deletions
Large diffs are not rendered by default.

articles/active-directory-b2c/enable-authentication-spa-app-options.md

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ To use a custom domain and your tenant ID in the authentication URL, follow the
2525

2626
The following JavaScript code shows the MSAL configuration object *before* the change:
2727

28-
```Javascript
28+
```javascript
2929
const msalConfig = {
3030
auth: {
3131
...
@@ -39,7 +39,7 @@ const msalConfig = {
3939

4040
The following JavaScript code shows the MSAL configuration object *after* the change:
4141

42-
```Javascript
42+
```javascript
4343
const msalConfig = {
4444
auth: {
4545
...
@@ -123,11 +123,13 @@ After logout, the user is redirected to the URI specified in the `post_logout_re
123123
To support a secured logout redirect URI, follow the steps below:
124124
125125
1. Create a globally accessible variable to store the `id_token`.
126+
126127
```javascript
127128
let id_token = "";
128129
```
129130
130131
1. In the MSAL `handleResponse` function, parse the `id_token` from the `authenticationResult` object into the `id_token` variable.
132+
131133
```javascript
132134
function handleResponse(response) {
133135
if (response !== null) {
@@ -140,6 +142,7 @@ To support a secured logout redirect URI, follow the steps below:
140142
```
141143
142144
1. In the `signOut` function, add the `id_token_hint` parameter to the **logoutRequest** object.
145+
143146
```javascript
144147
function signOut() {
145148
const logoutRequest = {

articles/active-directory-b2c/javascript-and-page-layout.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -162,7 +162,7 @@ Follow these guidelines when you customize the interface of your application usi
162162

163163
A common way to help your customers with their sign-up success is to allow them to see what they’ve entered as their password. This option helps users sign up by enabling them to easily see and make corrections to their password if needed. Any field of type password has a checkbox with a **Show password** label. This enables the user to see the password in plain text. Include this code snippet into your sign-up or sign-in template for a self-asserted page:
164164

165-
```Javascript
165+
```javascript
166166
function makePwdToggler(pwd){
167167
// Create show-password checkbox
168168
var checkbox = document.createElement('input');
@@ -208,7 +208,7 @@ setupPwdTogglers();
208208

209209
Include the following code into your page where you want to include a **Terms of Use** checkbox. This checkbox is typically needed in your local account sign-up and social account sign-up pages.
210210

211-
```Javascript
211+
```javascript
212212
function addTermsOfUseLink() {
213213
// find the terms of use label element
214214
var termsOfUseLabel = document.querySelector('#api label[for="termsOfUse"]');

articles/active-directory-b2c/openid-connect-technical-profile.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -76,7 +76,7 @@ The technical profile also returns claims that aren't returned by the identity p
7676
| IdTokenAudience | No | The audience of the id_token. If specified, Azure AD B2C checks whether the `aud` claim in a token returned by the identity provider is equal to the one specified in the IdTokenAudience metadata. |
7777
| METADATA | Yes | A URL that points to an OpenID Connect identity provider configuration document, which is also known as OpenID well-known configuration endpoint. The URL can contain the `{tenant}` expression, which is replaced with the tenant name. |
7878
| authorization_endpoint | No | A URL that points to an OpenID Connect identity provider configuration authorization endpoint. The value of authorization_endpoint metadata takes precedence over the `authorization_endpoint` specified in the OpenID well-known configuration endpoint. The URL can contain the `{tenant}` expression, which is replaced with the tenant name. |
79-
| end_session_endpoint | No | The URL of the end session endpoint. The value of authorization_endpoint metadata takes precedence over the `end_session_endpoint` specified in the OpenID well-known configuration endpoint. |
79+
| end_session_endpoint | No | The URL of the end session endpoint. The value of `end_session_endpoint` metadata takes precedence over the `end_session_endpoint` specified in the OpenID well-known configuration endpoint. |
8080
| issuer | No | The unique identifier of an OpenID Connect identity provider. The value of issuer metadata takes precedence over the `issuer` specified in the OpenID well-known configuration endpoint. If specified, Azure AD B2C checks whether the `iss` claim in a token returned by the identity provider is equal to the one specified in the issuer metadata. |
8181
| ProviderName | No | The name of the identity provider. |
8282
| response_types | No | The response type according to the OpenID Connect Core 1.0 specification. Possible values: `id_token`, `code`, or `token`. |
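Review bot: The corrected row at new line 79 now writes the metadata name as `end_session_endpoint` in backticks, while the neighbouring rows still write "The value of authorization_endpoint metadata" and "The value of issuer metadata" without them. Format the metadata name the same way in all three rows so the table stays consistent.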

articles/active-directory/app-provisioning/how-provisioning-works.md

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ ms.service: active-directory
88
ms.subservice: app-provisioning
99
ms.topic: conceptual
1010
ms.workload: identity
11-
ms.date: 12/06/2021
11+
ms.date: 02/03/2022
1212
ms.author: kenwith
1313
ms.reviewer: arvinh
1414
---
@@ -196,6 +196,19 @@ If one of the above four events occurs and the target application does not suppo
196196

197197
If you see an attribute IsSoftDeleted in your attribute mappings, it is used to determine the state of the user and whether to send an update request with active = false to soft delete the user.
198198

199+
**Deprovisioning events**
200+
201+
The following table describes how you can configure deprovisioning actions with the Azure AD provisioning service. These rules are written with the non-gallery / custom application in mind, but generally apply to applications in the gallery. However, the behavior for gallery applications can differ as they have been optimized to meet the needs of the application. For example, the Azure AD provisioning service may always sende a request to hard delete users in certain applications rather than soft deleting, if the target application doesn't support soft deleting users.
202+
203+
|Scenario|How to configure in Azure AD|
204+
|--|--|
205+
|If a user is unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in, do nothing.|Remove isSoftDeleted from the attribute mappings and / or set the [skip out of scope deletions](skip-out-of-scope-deletions.md) property to true.|
206+
|If a user is unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in, set a specific attribute to true / false.|Map isSoftDeleted to the attribute that you would like to set to false.|
207+
|When a user is disabled in Azure AD, unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in, send a DELETE request to the target application.|This is currently supported for a limited set of gallery applications where the functionality is required. It is not configurable by customers.|
208+
|When a user is deleted in Azure AD, do nothing in the target application.|Ensure that "Delete" is not selected as one of the target object actions in the [attriubte configuration experience](skip-out-of-scope-deletions.md).|
209+
|When a user is deleted in Azure AD, set the value of an attribute in the target application.|Not supported.|
210+
|When a user is deleted in Azure AD, delete the user in the target application|This is supported. Ensure that Delete is selected as one of the target object actions in the [attribute configuration experience](skip-out-of-scope-deletions.md).|
211+
199212
**Known limitations**
200213

201214
* If a user that was previously managed by the provisioning service is unassigned from an app, or from a group assigned to an app we will send a disable request. At that point, the user is not managed by the service and we will not send a delete request when they are deleted from the directory.
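Review bot: In the new table (new lines 203 to 210), both "attribute configuration experience" links point to `skip-out-of-scope-deletions.md`, the same target as the "skip out of scope deletions" link in the first row; that looks like a copy-paste and should point to the attribute mapping article instead. Also fix the typos "sende" (new line 201) and "attriubte" (new line 208), reconcile the second row, whose scenario says "true / false" while the instruction says only "set to false", quote "Delete" the same way in both rows that mention it, and add the missing period at the end of the last scenario cell.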

articles/active-directory/develop/msal-js-avoid-page-reloads.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ Set the `redirect_uri` property on config to a simple page, that does not requir
3232

3333
## Initialization in your main app file
3434

35-
If your app is structured such that there is one central Javascript file that defines the app's initialization, routing, and other stuff, you can conditionally load your app modules based on whether the app is loading in an `iframe` or not. For example:
35+
If your app is structured such that there is one central JavaScript file that defines the app's initialization, routing, and other stuff, you can conditionally load your app modules based on whether the app is loading in an `iframe` or not. For example:
3636

3737
In AngularJS: app.js
3838

articles/active-directory/fundamentals/resilience-client-app.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,7 @@ catch(MsalUiRequiredException ex)
4040
}
4141
```
4242

43-
## [Javascript](#tab/javascript)
43+
## [JavaScript](#tab/javascript)
4444

4545
```javascript
4646
return myMSALObj.acquireTokenSilent(request).catch(error => {
