
Commit ba517b3

Merge pull request #177624 from MicrosoftDocs/master
10/26 AM Publish
2 parents f9e0f6d + dff7fe8 commit ba517b3

File tree

98 files changed

+1602
-599
lines changed

articles/active-directory-b2c/saml-service-provider.md

Lines changed: 2 additions & 2 deletions
@@ -313,10 +313,10 @@ For SAML apps, you need to configure several properties in the application regis
313313

314314
When your SAML application makes a request to Azure AD B2C, the SAML AuthN request includes an `Issuer` attribute. The value of this attribute is typically the same as the application's metadata `entityID` value. Azure AD B2C uses this value to look up the application registration in the directory and read the configuration. For this lookup to succeed, `identifierUri` in the application registration must be populated with a value that matches the `Issuer` attribute.
315315

316-
In the registration manifest, find the `identifierURIs` parameter and add the appropriate value. This value will be the same value that's configured in the SAML AuthN requests for `EntityId` at the application, and the `entityID` value in the application's metadata. You will also need to find the `accessTokenAcceptedVersion` paramater and set the value to `2`.
316+
In the registration manifest, find the `identifierURIs` parameter and add the appropriate value. This value will be the same value that's configured in the SAML AuthN requests for `EntityId` at the application, and the `entityID` value in the application's metadata. You will also need to find the `accessTokenAcceptedVersion` parameter and set the value to `2`.
317317

318318
> [!IMPORTANT]
319-
> If you do not update the `accessTokenAcceptedVersion` to `2` you will recive an error message requiring a verfied domain.
319+
> If you do not update the `accessTokenAcceptedVersion` to `2` you will recieve an error message requiring a verified domain.
320320
321321
The following example shows the `entityID` value in the SAML metadata:
322322
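Review bot: the replacement line 319+ still misspells "receive" as "recieve", so this typo fix is incomplete; change `> If you do not update the \`accessTokenAcceptedVersion\` to \`2\` you will recieve an error message requiring a verified domain.` to "you will receive an error message". A comma after the conditional clause ("to `2`, you will receive") would also make the IMPORTANT callout easier to read.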

articles/active-directory/conditional-access/concept-conditional-access-grant.md

Lines changed: 15 additions & 1 deletion
@@ -11,7 +11,7 @@ ms.date: 06/25/2021
1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
1313
manager: karenhoran
14-
ms.reviewer: calebb
14+
ms.reviewer: calebb, sandeo
1515

1616
ms.collection: M365-identity-device-management
1717
---
@@ -59,12 +59,26 @@ A device can be marked as compliant by Intune (for any device OS) or by third-pa
5959

6060
Devices must be registered in Azure AD before they can be marked as compliant. More information about device registration can be found in the article, [What is a device identity](../devices/overview.md).
6161

62+
**Remarks**
63+
64+
- The **Require device to be marked as compliant** requirement:
65+
- Only supports Windows Windows current (Windows 10+), iOS, Android and macOS devices registered with Azure AD and enrolled with Intune.
66+
- For devices enrolled with third-party MDM systems, see [Support third-party device compliance partners in Intune](/mem/intune/protect/device-compliance-partners).
67+
- Conditional Access cannot consider Microsoft Edge in InPrivate mode as a compliant device.
68+
69+
6270
### Require hybrid Azure AD joined device
6371

6472
Organizations can choose to use the device identity as part of their Conditional Access policy. Organizations can require that devices are hybrid Azure AD joined using this checkbox. For more information about device identities, see the article [What is a device identity?](../devices/overview.md).
6573

6674
When using the [device-code OAuth flow](../develop/v2-oauth2-device-code.md), the require managed device grant control or a device state condition are not supported. This is because the device performing authentication cannot provide its device state to the device providing a code and the device state in the token is locked to the device performing authentication. Use the require multi-factor authentication grant control instead.
6775

76+
**Remarks**
77+
78+
- The **Require hybrid Azure AD joined device** requirement:
79+
- Only supports domain joined Windows down-level (pre Windows 10) and Windows current (Windows 10+) devices.
80+
- Conditional Access cannot consider Microsoft Edge in InPrivate mode as a hybrid Azure AD joined device.
81+
6882
### Require approved client app
6983

7084
Organizations can require that an access attempt to the selected cloud apps needs to be made from an approved client app. These approved client apps support [Intune app protection policies](/intune/app-protection-policy) independent of any mobile-device management (MDM) solution.
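Review bot: line 65+ repeats a word, "Only supports Windows Windows current (Windows 10+), iOS, Android and macOS devices registered with Azure AD and enrolled with Intune."; drop the duplicate so it reads "Only supports Windows current (Windows 10+), ...". In both new **Remarks** blocks the sub-bullets (65+ to 67+, 79+ to 80+) are meant to hang under the "requirement:" parent bullet; indentation is not visible in this rendering, so please confirm they are indented in the source, otherwise the colon-terminated parent renders as an orphaned item.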

articles/active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md

Lines changed: 16 additions & 18 deletions
@@ -9,21 +9,23 @@ ms.service: active-directory
99
ms.subservice: develop
1010
ms.workload: identity
1111
ms.topic: how-to
12-
ms.date: 09/24/2018
12+
ms.date: 10/18/2021
1313
ms.author: kkrishna
1414
ms.reviewer: jmprieur
1515
ms.custom: aaddev
1616
#Customer intent: As a tenant administrator, I want to restrict an application that I have registered in Azuren-e AD to a select set of users available in my Azure AD tenant
1717
---
18+
1819
# Restrict your Azure AD app to a set of users in an Azure AD tenant
1920

2021
Applications registered in an Azure Active Directory (Azure AD) tenant are, by default, available to all users of the tenant who authenticate successfully.
2122

22-
Similarly, in case of a [multi-tenant](howto-convert-app-to-be-multi-tenant.md) app, all users in the Azure AD tenant where this app is provisioned will be able to access this application once they successfully authenticate in their respective tenant.
23+
Similarly, in a [multi-tenant](howto-convert-app-to-be-multi-tenant.md) application, all users in the Azure AD tenant where the application is provisioned can access the application once they successfully authenticate in their respective tenant.
2324

24-
Tenant administrators and developers often have requirements where an app must be restricted to a certain set of users. Developers can accomplish the same by using popular authorization patterns like Azure role-based access control (Azure RBAC), but this approach requires a significant amount of work on part of the developer.
25+
Tenant administrators and developers often have requirements where an application must be restricted to a certain set of users. There are two ways to restrict an application to a certain set of users or security groups:
2526

26-
Tenant administrators and developers can restrict an app to a specific set of users or security groups in the tenant by using this built-in feature of Azure AD as well.
27+
- Developers can use popular authorization patterns like [Azure role-based access control (Azure RBAC)](howto-implement-rbac-for-apps.md).
28+
- Tenant administrators and developers can use built-in feature of Azure AD.
2729

2830
## Supported app configurations
2931
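Review bot: line 28+ drops an article and never names the feature it refers to: "- Tenant administrators and developers can use built-in feature of Azure AD." Since the rest of the article is about the **User assignment required?** property, suggest "Tenant administrators and developers can use the built-in **User assignment required** property of Azure AD." While this block is being edited, the unchanged context line 16 (`#Customer intent: ...`) still reads "registered in Azuren-e AD"; worth correcting to "Azure AD" in the same change.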

@@ -33,43 +35,39 @@ The option to restrict an app to a specific set of users or security groups in a
3335
- Application proxy applications that use Azure AD pre-authentication.
3436
- Applications built directly on the Azure AD application platform that use OAuth 2.0/OpenID Connect authentication after a user or admin has consented to that application.
3537

36-
> [!NOTE]
37-
> This feature is available for web app/web API and enterprise applications only. Apps that are registered as [native](./quickstart-register-app.md) cannot be restricted to a set of users or security groups in the tenant.
38-
3938
## Update the app to require user assignment
4039

41-
To update an application to require user assignment, you must be owner of the application under Enterprise apps, or be assigned one of **Global administrator**, **Application administrator** or **Cloud application administrator** directory roles.
40+
To update an application to require user assignment, you must be owner of the application under Enterprise apps, or be assigned one of **Global administrator**, **Application administrator**, or **Cloud application administrator** directory roles.
4241

4342
1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
44-
1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.
43+
1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch the tenant in which you want to register an application.
4544
1. Search for and select **Azure Active Directory**.
4645
1. Under **Manage**, select **Enterprise Applications** > **All applications**.
4746
1. Select the application you want to configure to require assignment. Use the filters at the top of the window to search for a specific application.
4847
1. On the application's **Overview** page, under **Manage**, select **Properties**.
4948
1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users and services attempting to access the application or services must first be assigned for this application, or they won't be able to sign-in or obtain an access token.
5049
1. Select **Save**.
5150

52-
> [!NOTE]
53-
> When an application requires assignment, user consent for that application is not allowed. This is true even if users consent for that app would have otherwise been allowed. Be sure to [grant tenant-wide admin consent](../manage-apps/grant-admin-consent.md) to apps that require assignment.
51+
When an application requires assignment, user consent for that application isn't allowed. This is true even if users consent for that app would have otherwise been allowed. Be sure to [grant tenant-wide admin consent](../manage-apps/grant-admin-consent.md) to apps that require assignment.
5452

5553
## Assign the app to users and groups
5654

5755
Once you've configured your app to enable user assignment, you can go ahead and assign the app to users and groups.
5856

5957
1. Under **Manage**, select the **Users and groups** > **Add user/group** .
60-
1. Select the **Users** selector.
58+
1. Select the **Users** selector.
6159

62-
A list of users and security groups will be shown along with a textbox to search and locate a certain user or group. This screen allows you to select multiple users and groups in one go.
60+
A list of users and security groups will be shown along with a textbox to search and locate a certain user or group. This screen allows you to select multiple users and groups in one go.
6361

64-
1. Once you are done selecting the users and groups, select **Select**.
65-
1. (Optional) If you have defined app roles in your application, you can use the **Select role** option to assign the app role to the selected users and groups.
66-
1. Select **Assign** to complete the assignments of the app to the users and groups.
62+
1. Once you're done selecting the users and groups, select **Select**.
63+
1. (Optional) If you have defined app roles in your application, you can use the **Select role** option to assign the app role to the selected users and groups.
64+
1. Select **Assign** to complete the assignments of the app to the users and groups.
6765
1. Confirm that the users and groups you added are showing up in the updated **Users and groups** list.
6866

6967
## More information
7068

69+
For more information about roles and security groups, see:
70+
7171
- [How to: Add app roles in your application](./howto-add-app-roles-in-azure-ad-apps.md)
72-
- [Add authorization using app roles & roles claims to an ASP.NET Core web app](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-1-Roles)
7372
- [Using Security Groups and Application Roles in your apps (Video)](https://www.youtube.com/watch?v=LRoc-na27l0)
74-
- [Azure Active Directory, now with Group Claims and Application Roles](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-Active-Directory-now-with-Group-Claims-and-Application/ba-p/243862)
7573
- [Azure Active Directory app manifest](./reference-app-manifest.md)
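Review bot: lines 36- to 38- delete the note that this feature applies to web app/web API and enterprise applications only and that apps registered as native cannot be restricted to a set of users, but nothing in the hunk replaces that statement. If the limitation still holds, removing it leaves readers expecting **User assignment required?** to gate sign-in and token issuance for native (public client) apps when it does not, which is an access-control gap they would not discover until audit; if it no longer holds, the "Supported app configurations" list directly above should say so explicitly. Please state the intent in the PR description either way. Minor: 43+ says "switch the tenant in which you want to register an application", but the steps that follow configure an existing enterprise app rather than registering one, so "select the tenant that contains the application" matches the procedure.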
