Merge pull request #176880 from MicrosoftDocs/master

10/21 AM Publish

Author: huypub

.github/workflows/stale.yml

@@ -20,7 +20,7 @@ jobs:
         exempt-pr-labels: keep-open
         operations-per-run: 1200
         ascending: true
-        start-date: '2020-07-09'
+        start-date: '2021-04-13'
         stale-pr-message: >
           This pull request has been inactive for at least 14 days.
           If you are finished with your changes, don't forget to sign off. See the [contributor guide](https://review.docs.microsoft.com/help/contribute/contribute-how-to-write-pull-request-automation) for instructions.

articles/active-directory-b2c/add-sign-up-and-sign-in-policy.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 08/24/2021
+ms.date: 10/21/2021
 ms.author: kengaderdus
 ms.subservice: B2C
 ms.custom: "b2c-support"
@@ -66,7 +66,7 @@ The sign-up and sign-in user flow handles both sign-up and sign-in experiences w
 
    * Under **Local accounts**, select one of the following: **Email signup**, **User ID signup**, **Phone signup**, **Phone/Email signup**, or **None**. [Learn more](sign-in-options.md).
    * Under **Social identity providers**, select any of the external social or enterprise identity providers you've set up. [Learn more](add-identity-provider.md).
-1. Under **Multifactor authentication**, if you want to require users to verify their identity with a second authentication method, choose the method type and when  to enforce multi-factor authentication (MFA). [Learn more](multi-factor-authentication.md).
+1. Under **Multifactor authentication**, if you want to require users to verify their identity with a second authentication method, choose the method type and when  to enforce multifactor authentication (MFA). [Learn more](multi-factor-authentication.md).
 1. Under **Conditional access**, if you've configured Conditional Access policies for your Azure AD B2C tenant and you want to enable them for this user flow, select the **Enforce conditional access policies** check box. You don't need to specify a policy name. [Learn more](conditional-access-user-flow.md?pivots=b2c-user-flow).
 1. Under **User attributes and token claims**, choose the attributes you want to collect from the user during sign-up and the claims you want returned in the token. For the full list of values, select **Show more**, choose the values, and then select **OK**.
 
@@ -78,6 +78,10 @@ The sign-up and sign-in user flow handles both sign-up and sign-in experiences w
 1. Select **Create** to add the user flow. A prefix of *B2C_1* is automatically prepended to the name.
 1. Follow the steps to [handle the flow for "Forgot your password?"](add-password-reset-policy.md?pivots=b2c-user-flow.md#self-service-password-reset-recommended) within the sign-up or sign-in policy.
 
+
+### Re-order the sign up form
+Learn [how to re-order user flow input fields for local accounts](customize-ui.md#re-order-input-fields-in-the-sign-up-form)
+
 ### Test the user flow
 
 1. Select the user flow you created to open its overview page, then select **Run user flow**.

articles/active-directory-b2c/custom-policy-overview.md

@@ -156,7 +156,7 @@ You get started with Azure AD B2C custom policy:
 
 1. [Create an Azure AD B2C tenant](tutorial-create-tenant.md)
 1. [Register a web application](tutorial-register-applications.md) using the Azure portal so you'll be able to test your policy.
-1. Add the necessary [policy keys](tutorial-create-user-flows.md?pivots=b2c-custom-policy#add-signing-and-encryption-keys) and [register the Identity Experience Framework applications](tutorial-create-user-flows.md?pivots=b2c-custom-policy#register-identity-experience-framework-applications).
+1. Add the necessary [policy keys](tutorial-create-user-flows.md?pivots=b2c-custom-policy#add-signing-and-encryption-keys-for-identity-experience-framework-applications) and [register the Identity Experience Framework applications](tutorial-create-user-flows.md?pivots=b2c-custom-policy#register-identity-experience-framework-applications).
 1. [Get the Azure AD B2C policy starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#get-the-starter-pack) and upload to your tenant. 
 1. After you upload the starter pack, [test your sign-up or sign-in policy](tutorial-create-user-flows.md?pivots=b2c-custom-policy#test-the-custom-policy).
 1. We recommend you to download and install [Visual Studio Code](https://code.visualstudio.com/) (VS Code). Visual Studio Code is a lightweight but powerful source code editor, which runs on your desktop and is available for Windows, macOS, and Linux. With VS Code, you can quickly navigate through and edit your Azure AD B2C custom policy XML files by installing the [Azure AD B2C extension for VS Code](https://marketplace.visualstudio.com/items?itemName=AzureADB2CTools.aadb2c)

articles/active-directory-b2c/customize-ui.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 09/15/2021
+ms.date: 10/21/2021
 ms.custom: "project-no-code, b2c-support"
 ms.author: kengaderdus
 ms.subservice: B2C
@@ -278,6 +278,24 @@ The following example shows the content definitions with their corresponding the
 
 ::: zone-end
 
+::: zone pivot="b2c-user-flow"
+
+## Re-order input fields in the sign-up form
+To re-order the input fields on the sign-up page for local accounts form, follow these steps:
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
+1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
+1. In the Azure portal, search for and select **Azure AD B2C**.
+1. In the left menu, select **User flows**.
+1. Select a user flow (for local accounts only) that you want to re-order its input fields.
+1. In the left menu, select **Page layouts**
+1. In the table, select the row **Local account sign up page**.
+1. Under **User attributes**, select the input field you want to re-order, and drag (up or down) and drop or use use the **Move Up** or **Move down** controls to achieve the desired order. 
+1. At the top of the page, select **Save**.
+![Page layout field order in Azure AD B2C in the Azure portal](media/customize-ui/portal-02-page-layout-fields.png)
+
+::: zone-end
+
 ## Next steps
 
 Find more information about how you can customize the user interface of your applications in [Customize the user interface of your application in Azure Active Directory B2C](customize-ui-with-html.md).

articles/active-directory-b2c/identity-provider-azure-ad-multi-tenant.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 09/16/2021
+ms.date: 10/21/2021
 ms.custom: project-no-code
 ms.author: kengaderdus
 ms.subservice: B2C
@@ -34,6 +34,9 @@ This article shows you how to enable sign-in for users using the multi-tenant en
 
 [!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)]
 
+> [!NOTE]
+> In this article, it assumed that **SocialAndLocalAccounts** starter pack is used in the previous steps mentioned in pre-requisite.  
+
 ## Register an Azure AD app
 
 To enable sign-in for users with an Azure AD account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in [Azure portal](https://portal.azure.com). For more information, see [Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md).
@@ -70,7 +73,7 @@ If you want to get the `family_name`, and `given_name` claims from Azure AD, you
 1. Select **Add optional claim**.
 1. For the **Token type**, select **ID**.
 1. Select the optional claims to add, `family_name`, and `given_name`.
-1. Click **Add**.
+1. Select **Add**. If **Turn on the Microsoft Graph email permission (required for claims to appear in token)** appears, enable it, and then select **Add** again.
 
 ## [Optional] Verify your app authenticity
 
@@ -97,7 +100,7 @@ To enable users to sign in using an Azure AD account, you need to define Azure A
 
 You can define Azure AD as a claims provider by adding Azure AD to the **ClaimsProvider** element in the extension file of your policy.
 
-1. Open the *TrustFrameworkExtensions.xml* file.
+1. Open the *SocialAndLocalAccounts/**TrustFrameworkExtensions.xml*** file.
 1. Find the **ClaimsProviders** element. If it does not exist, add it under the root element.
 1. Add a new **ClaimsProvider** as follows:
 
@@ -164,7 +167,7 @@ To obtain the values, look at the OpenID Connect discovery metadata for each of
 
 Perform these steps for each Azure AD tenant that should be used to sign in:
 
-1. Open your browser and go to the OpenID Connect metadata URL for the tenant. Find the **issuer** object and record its value. It should look similar to `https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/`.
+1. Open your browser and go to the OpenID Connect metadata URL for the tenant. Find the **issuer** object and record its value. It should look similar to `https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/.well-known/openid-configuration`.
 1. Copy and paste the value into the **ValidTokenIssuerPrefixes** key. Separate multiple issuers with a comma. An example with two issuers appears in the previous `ClaimsProvider` XML sample.
 
 [!INCLUDE [active-directory-b2c-add-identity-provider-to-user-journey](../../includes/active-directory-b2c-add-identity-provider-to-user-journey.md)]

articles/active-directory-b2c/media/customize-ui/portal-02-page-layout-fields.png

@@ -141,7 +141,7 @@ If you want to enable users to edit their profile in your application, you use a
 > This article explains how to set up your tenant manually. You can automate the entire process from this article. Automating will deploy the Azure AD B2C [SocialAndLocalAccountsWithMFA starter pack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack), which will provide Sign Up and Sign In, Password Reset and Profile Edit journeys. To automate the walkthrough below, visit the [IEF Setup App](https://aka.ms/iefsetup) and follow the instructions.
 
 
-## Add signing and encryption keys
+## Add signing and encryption keys for Identity Experience Framework applications
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
 1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
@@ -272,33 +272,6 @@ Add the application IDs to the extensions file *TrustFrameworkExtensions.xml*.
 1. Replace both instances of `ProxyIdentityExperienceFrameworkAppId` with the application ID of the ProxyIdentityExperienceFramework application that you created earlier.
 1. Save the file.
 
-## Upload the policies
-
-1. Select the **Identity Experience Framework** menu item in your B2C tenant in the Azure portal.
-1. Select **Upload custom policy**.
-1. In this order, upload the policy files:
-    1. *TrustFrameworkBase.xml*
-    2. *TrustFrameworkLocalization.xml*
-    3. *TrustFrameworkExtensions.xml*
-    4. *SignUpOrSignin.xml*
-    5. *ProfileEdit.xml*
-    6. *PasswordReset.xml*
-
-As you upload the files, Azure adds the prefix `B2C_1A_` to each.
-
-> [!TIP]
-> If your XML editor supports validation, validate the files against the `TrustFrameworkPolicy_0.3.0.0.xsd` XML schema that is located in the root directory of the starter pack. XML schema validation identifies errors before uploading.
-
-## Test the custom policy
-
-1. Under **Custom policies**, select **B2C_1A_signup_signin**.
-1. For **Select application** on the overview page of the custom policy, select the web application named *webapp1* that you previously registered.
-1. Make sure that the **Reply URL** is `https://jwt.ms`.
-1. Select **Run now**.
-1. Sign up using an email address. Don't use **Facebook** option yet. 
-1. Select **Run now** again.
-1. Sign in with the same account to confirm that you have the correct configuration.
-
 ## Add Facebook as an identity provider
 
 The **SocialAndLocalAccounts** starter pack includes Facebook social sign in. Facebook is *not* required for using custom policies, but we use it here to demonstrate how you can enable federated social login in a custom policy.
@@ -324,7 +297,7 @@ Add your Facebook application's [App Secret](identity-provider-facebook.md) as a
 1. Select **Create**.
 
 ### Update TrustFrameworkExtensions.xml in custom policy starter pack
-1. In the `SocialAndLocalAccounts/`**`TrustFrameworkExtensions.xml`** file, replace the value of `client_id` with the Facebook application ID:
+In the `SocialAndLocalAccounts/`**`TrustFrameworkExtensions.xml`** file, replace the value of `client_id` with the Facebook application ID and save changes.
 
    ```xml
    <TechnicalProfile Id="Facebook-OAUTH">
@@ -333,11 +306,34 @@ Add your Facebook application's [App Secret](identity-provider-facebook.md) as a
        <Item Key="client_id">00000000000000</Item>
    ```
 
-1. Upload the *TrustFrameworkExtensions.xml* file to your tenant.
-1. Under **Custom policies**, select **B2C_1A_signup_signin**.
-1. Select **Run now** and select Facebook to sign in with Facebook and test the custom policy.
 
+## Upload the policies
 
+1. Select the **Identity Experience Framework** menu item in your B2C tenant in the Azure portal.
+1. Select **Upload custom policy**.
+1. In this order, upload the policy files:
+    1. *TrustFrameworkBase.xml*
+    2. *TrustFrameworkLocalization.xml*
+    3. *TrustFrameworkExtensions.xml*
+    4. *SignUpOrSignin.xml*
+    5. *ProfileEdit.xml*
+    6. *PasswordReset.xml*
+
+As you upload the files, Azure adds the prefix `B2C_1A_` to each.
+
+> [!TIP]
+> If your XML editor supports validation, validate the files against the `TrustFrameworkPolicy_0.3.0.0.xsd` XML schema that is located in the root directory of the starter pack. XML schema validation identifies errors before uploading.
+
+## Test the custom policy
+
+1. Under **Custom policies**, select **B2C_1A_signup_signin**.
+1. For **Select application** on the overview page of the custom policy, select the web application named *webapp1* that you previously registered.
+1. Make sure that the **Reply URL** is `https://jwt.ms`.
+1. Select **Run now**.
+1. Sign up using an email address.
+1. Select **Run now** again.
+1. Sign in with the same account to confirm that you have the correct configuration.
+1. Select **Run now** again, and select Facebook to sign in with Facebook and test the custom policy.
 ::: zone-end
 
 ## Next steps

articles/active-directory-b2c/media/customize-ui/portal-02-page-layout-select.png

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 07/16/2021
+ms.date: 10/16/2021
 ms.author: billmath
 ms.reviewer: arvinh
 ---
@@ -56,7 +56,7 @@ To provision users to SCIM-enabled apps:
 * Ensure your [SCIM](https://techcommunity.microsoft.com/t5/identity-standards-blog/provisioning-with-scim-getting-started/ba-p/880010) implementation meets the [Azure AD SCIM requirements](use-scim-to-provision-users-and-groups.md).
 
   Azure AD offers open-source [reference code](https://github.com/AzureAD/SCIMReferenceCode/wiki) that developers can use to bootstrap their SCIM implementation. The code is as is.
-* Support the /schemaDiscovery endpoint to reduce configuration required in the Azure portal. 
+* Support the /schemas endpoint to reduce configuration required in the Azure portal. 
 
 ## Next steps
 

articles/active-directory-b2c/tutorial-create-user-flows.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 07/02/2021
+ms.date: 10/21/2021
 
 ms.author: justinha
 author: justinha
@@ -34,11 +34,6 @@ People who enabled phone sign-in from the Microsoft Authenticator app see a mess
 To use passwordless phone sign-in with the Microsoft Authenticator app, the following prerequisites must be met:
 
 - Azure AD Multi-Factor Authentication, with push notifications allowed as a verification method. Push notifications to your smartphone or tablet help the Authenticator app to prevent unauthorized access to accounts and stop fraudulent transactions. The Authenticator app automatically generates codes when set up to do push notifications so a user has a backup sign-in method even if their device doesn't have connectivity. 
-  
-  Azure Multi-Factor Auth Connector must be enabled to allow users to register for push notifications for phone sign-in.
-
-  ![Screenshot of Azure Multi-Factor Auth Connector enabled.](media/howto-authentication-passwordless-phone/connector.png)
-
 - Latest version of Microsoft Authenticator installed on devices running iOS 8.0 or greater, or Android 6.0 or greater.
 - The device on which the Microsoft Authenticator app is installed must be registered within the Azure AD tenant to an individual user. 
 
@@ -49,10 +44,6 @@ To use passwordless phone sign-in with the Microsoft Authenticator app, the foll
 
 To use passwordless authentication in Azure AD, first enable the combined registration experience, then enable users for the passwordless method.
 
-### Enable the combined registration experience
-
-Registration features for passwordless authentication methods rely on the combined registration feature. To let users complete the combined registration themselves, follow the steps to [enable combined security information registration](howto-registration-mfa-sspr-combined.md).
-
 ### Enable passwordless phone sign-in authentication methods
 
 Azure AD lets you choose which authentication methods can be used during the sign-in process. Users then register for the methods they'd like to use. The **Microsoft Authenticator** authentication method policy manages both the traditional push MFA method, as well as the passwordless authentication method.