Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into anf-preferred-ldap-2022.11

Author: b-ahibbard

articles/active-directory-b2c/integrate-with-app-code-samples.md

@@ -2,11 +2,11 @@
 title: Azure Active Directory B2C integrate with app samples
 description: Code samples for integrating Azure AD B2C to mobile, desktop, web, and single-page applications.
 services: active-directory-b2c
-author: kengaderdus
+author: garrodonnell
 manager: CelesteDG
 
-ms.author: kengaderdus
-ms.date: 06/21/2022
+ms.author: godonnell
+ms.date: 02/21/2023
 ms.custom: mvc
 ms.topic: sample
 ms.service: active-directory
@@ -17,17 +17,6 @@ ms.subservice: B2C
 
 The following tables provide links to samples for applications including iOS, Android, .NET, and Node.js.
 
-## Mobile and desktop apps
-
-| Sample | Description |
-|--------| ----------- |
-| [ios-swift-native-msal](https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal) | An iOS sample in Swift that authenticates Azure AD B2C users and calls an API using OAuth 2.0 |
-| [android-native-msal](https://github.com/Azure-Samples/ms-identity-android-java#b2cmodefragment-class) | A simple Android app showcasing how to use MSAL to authenticate users via Azure Active Directory B2C, and access a Web API with the resulting tokens. |
-| [ios-native-appauth](https://github.com/Azure-Samples/active-directory-b2c-ios-native-appauth) | A sample that shows how you can use a third-party library to build an iOS application in Objective-C that authenticates Microsoft identity users to our Azure AD B2C identity service. |
-| [android-native-appauth](https://github.com/Azure-Samples/active-directory-b2c-android-native-appauth) | A sample that shows how you can use a third-party library to build an Android application that authenticates Microsoft identity users to our B2C identity service and calls a web API using OAuth 2.0 access tokens. |
-| [dotnet-desktop](https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop) | A sample that shows how a Windows Desktop .NET (WPF) application can sign in a user using Azure AD B2C, get an access token using MSAL.NET and call an API. |
-| [xamarin-native](https://github.com/Azure-Samples/active-directory-b2c-xamarin-native) | A simple Xamarin Forms app showcasing how to use MSAL to authenticate users via Azure Active Directory B2C, and access a Web API with the resulting tokens. |
-
 ## Web apps and APIs
 
 | Sample | Description |
@@ -48,6 +37,17 @@ The following tables provide links to samples for applications including iOS, An
 | [ms-identity-b2c-javascript-spa](https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa) | A VanillaJS single page application (SPA) calling a web API. Authentication is done with Azure AD B2C by using MSAL.js. This sample uses the authorization code flow with PKCE. |
 | [javascript-nodejs-management](https://github.com/Azure-Samples/ms-identity-b2c-javascript-nodejs-management/tree/main/Chapter1) | A VanillaJS single page application (SPA) calling Microsoft Graph to manage users in a B2C directory. Authentication is done with Azure AD B2C by using MSAL.js. This sample uses the authorization code flow with PKCE.|
 
+## Mobile and desktop apps
+
+| Sample | Description |
+|--------| ----------- |
+| [ios-swift-native-msal](https://github.com/Azure-Samples/active-directory-b2c-ios-swift-native-msal) | An iOS sample in Swift that authenticates Azure AD B2C users and calls an API using OAuth 2.0 |
+| [android-native-msal](https://github.com/Azure-Samples/ms-identity-android-java#b2cmodefragment-class) | A simple Android app showcasing how to use MSAL to authenticate users via Azure Active Directory B2C, and access a Web API with the resulting tokens. |
+| [ios-native-appauth](https://github.com/Azure-Samples/active-directory-b2c-ios-native-appauth) | A sample that shows how you can use a third-party library to build an iOS application in Objective-C that authenticates Microsoft identity users to our Azure AD B2C identity service. |
+| [android-native-appauth](https://github.com/Azure-Samples/active-directory-b2c-android-native-appauth) | A sample that shows how you can use a third-party library to build an Android application that authenticates Microsoft identity users to our B2C identity service and calls a web API using OAuth 2.0 access tokens. |
+| [dotnet-desktop](https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop) | A sample that shows how a Windows Desktop .NET (WPF) application can sign in a user using Azure AD B2C, get an access token using MSAL.NET and call an API. |
+| [xamarin-native](https://github.com/Azure-Samples/active-directory-b2c-xamarin-native) | A simple Xamarin Forms app showcasing how to use MSAL to authenticate users via Azure Active Directory B2C, and access a Web API with the resulting tokens. |
+
 ## Console/Daemon apps
 
 | Sample | Description |

articles/active-directory-domain-services/policy-reference.md

@@ -1,7 +1,7 @@
 ---
 title: Built-in policy definitions for Azure Active Directory Domain Services
 description: Lists Azure Policy built-in policy definitions for Azure Active Directory Domain Services. These built-in policy definitions provide common approaches to managing your Azure resources.
-ms.date: 01/29/2023
+ms.date: 02/21/2023
 ms.service: active-directory
 ms.subservice: domain-services
 author: justinha

articles/active-directory/app-provisioning/user-provisioning.md

@@ -7,7 +7,7 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.topic: overview
 ms.workload: identity
-ms.date: 02/17/2023
+ms.date: 02/21/2023
 ms.author: kenwith
 ms.reviewer: arvinh
 ---
@@ -52,15 +52,15 @@ The provisioning mode supported by an application is also visible on the **Provi
 
 ## Benefits of automatic provisioning
 
-The number of applications used in modern organizations continues to grow. IT admins must manage access management at scale. Admins use standards such as SAML or OIDC for single sign-on (SSO), but access also requires users to be provisioned into the app. To many admins, provisioning means manually creating every user account or uploading CSV files each week. These processes are time-consuming, expensive, and error prone. Solutions such as SAML just-in-time (JIT) have been adopted to automate provisioning. Enterprises also need a solution to deprovision users when they leave the organization or no longer require access to certain apps based on role change.
+The number of applications used in modern organizations continues to grow. You, as an IT admin, must manage access management at scale. You use standards such as SAML or OIDC for single sign-on (SSO), but access also requires you provision users into an app. You might think provisioning means manually creating every user account or uploading CSV files each week. These processes are time-consuming, expensive, and error prone. To streamline the process, use SAML just-in-time (JIT) to automate provisioning. Use the same process to deprovision users when they leave the organization or no longer require access to certain apps based on role change.
 
 Some common motivations for using automatic provisioning include:
 
 - Maximizing the efficiency and accuracy of provisioning processes.
 - Saving on costs associated with hosting and maintaining custom-developed provisioning solutions and scripts.
 - Securing your organization by instantly removing users' identities from key SaaS apps when they leave the organization.
 - Easily importing a large number of users into a particular SaaS application or system.
-- Having a single set of policies to determine who is provisioned and who can sign in to an app.
+- A single set of policies to determine provisioned users that can sign in to an app.
 
 Azure AD user provisioning can help address these challenges. To learn more about how customers have been using Azure AD user provisioning, read the [ASOS case study](https://aka.ms/asoscasestudy). The following video provides an overview of user provisioning in Azure AD.
 
@@ -74,7 +74,7 @@ Azure AD features pre-integrated support for many popular SaaS apps and human re
 
    ![Image that shows logos for DropBox, Salesforce, and others.](./media/user-provisioning/gallery-app-logos.png)
 
-   If you want to request a new application for provisioning, you can [request that your application be integrated with our app gallery](../manage-apps/v2-howto-app-gallery-listing.md). For a user provisioning request, we require the application to have a SCIM-compliant endpoint. Request that the application vendor follows the SCIM standard so we can onboard the app to our platform quickly.
+   To request a new application for provisioning, see [Submit a request to publish your application in Azure Active Directory application gallery](../manage-apps/v2-howto-app-gallery-listing.md). For a user provisioning request, we require the application to have a SCIM-compliant endpoint. Request that the application vendor follows the SCIM standard so we can onboard the app to our platform quickly.
 
 * **Applications that support SCIM 2.0**: For information on how to generically connect applications that implement SCIM 2.0-based user management APIs, see [Build a SCIM endpoint and configure user provisioning](use-scim-to-provision-users-and-groups.md).
 

articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md

@@ -74,30 +74,24 @@ Now we'll walk through each step:
 
 ## Certificate-based authentication is MFA capable
 
-Azure AD CBA is an MFA (Multi factor authentication) capable method, that is Azure AD CBA can be either Single (SF) or Multi-factor (MF) depending on the tenant configuration. Enabling CBA for a user indicates the user is potentially capable of MFA. This means a user may need additional configuration to proof up to register other authentication methods when the user is in scope for CBA. 
+Azure AD CBA is an MFA (Multi factor authentication) capable method, that is Azure AD CBA can be either Single (SF) or Multi-factor (MF) depending on the tenant configuration. Enabling CBA for a user indicates the user is potentially capable of MFA. This means a user may need additional configuration to get MFA and proof up to register other authentication methods when the user is in scope for CBA.
 
-This can happen when: 
-
-If CBA enabled user only has a Single Factor (SF) certificate
-	To unblock user:
-	1. Use Password + SF certificate.
+If CBA enabled user only has a Single Factor (SF) certificate and need MFA
+   1. Use Password + SF certificate.
    1. Issue Temporary Access Pass (TAP)
    1. Admin adds Phone Number to user account and allows Voice/SMS method for user.
 
-If CBA enabled user but has not yet been issued a certificate
-   To unblock user:
+If CBA enabled user has not yet been issued a certificate and need MFA
    1. Issue Temporary Access Pass (TAP)
    1. Admin adds Phone Number to user account and allows Voice/SMS method for user.
 
-If CBA enabled user cannot use MF cert (such as on mobile device without smart card support)
-   To unblock user: 
+If CBA enabled user cannot use MF cert (such as on mobile device without smart card support) and need MFA
    1. Issue Temporary Access Pass (TAP)
    1. User Register another MFA method (when user can use MF cert)
    1. Use Password + MF cert (when user can use MF cert)
    1. Admin adds Phone Number to user account and allows Voice/SMS method for user
 
 
-
 ## MFA with Single-factor certificate-based authentication
 
 Azure AD CBA can be used as a second factor to meet MFA requirements with single-factor certificates. The supported combintaions are

articles/active-directory/develop/TOC.yml

@@ -61,6 +61,8 @@
           href: application-model.md
         - name: Workload identities
           href: workload-identities-overview.md
+        - name: Workload identities FAQs
+          href: workload-identities-faqs.md
         - name: Applications and service principals
           href: app-objects-and-service-principals.md
         - name: How and why apps are added to Azure AD

articles/active-directory/develop/quickstart-v2-nodejs-console.md

@@ -23,7 +23,7 @@ ms.custom: mode-api
 > 
 > We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
 
-> [!div renderon="portal" class="sxs-lookup"]
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
 > In this quickstart, you download and run a code sample that demonstrates how a Node.js console application can get an access token using the app's identity to call the Microsoft Graph API and display a [list of users](/graph/api/user-list) in the directory. The code sample demonstrates how an unattended job or Windows service can run with an application identity, instead of a user's identity.
 > 
 > This quickstart uses the [Microsoft Authentication Library for Node.js (MSAL Node)](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) with the [client credentials grant](v2-oauth2-client-creds-grant-flow.md).

articles/active-directory/develop/workload-identities-faqs.md

@@ -0,0 +1,132 @@
+---
+title: Workload identities license plans faq
+description: Learn about workload identities license plans, features and capabilities. 
+author: gargi-sinha
+manager: martinco
+ms.service: active-directory
+ms.subservice: develop
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 2/21/2023
+ms.author: gasinh
+ms.reviewer: 
+ms.custom: aaddev 
+#Customer intent: I want to know about workload identities licensing plans 
+---
+
+# Frequently asked questions about workload identities license plans
+
+[Workload identities](workload-identities-overview.md) is now available in two editions: **Free** and **Workload Identities Premium**. The free edition of workload identities is included with a subscription of a commercial online service such as [Azure](https://azure.microsoft.com/) and [Power Platform](https://powerplatform.microsoft.com/). The Workload
+Identities Premium offering is available through a Microsoft representative, the [Open Volume License
+Program](https://www.microsoft.com/licensing/how-to-buy/how-to-buy), and the [Cloud Solution Providers program](/azure/lighthouse/concepts/cloud-solution-provider). Azure and Microsoft 365 subscribers can also purchase Workload
+Identities Premium online.
+
+For more information, see [what are workload identities?](workload-identities-overview.md)
+
+>[!NOTE]
+>Workload Identities Premium is a standalone product and isn't included in other premium product plans. All subscribers require a license to use Workload Identities Premium features.
+
+Learn more about [workload identities
+pricing](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-identities#office-StandaloneSKU-k3hubfz).
+
+## What features are included in Workload Identities Premium plan and which features are free? 
+
+|Capabilities | Description | Free | Premium |                 
+|:--------|:----------|:------------|:-----------|
+| **Authentication and authorization**|  | | |
+| Create, read, update, delete workload identities  | Create and update identities for securing service to service access  | Yes |  Yes |
+| Authenticate workload identities and tokens to access resources |  Use Azure Active Directory (Azure AD) to protect resource access |  Yes|  Yes |
+| Workload identities sign-in activity and audit trail |   Monitor and track workload identity behavior  |  Yes |  Yes |
+| **Managed identities**| Use Azure AD identities in Azure without handling credentials |  Yes| Yes |
+| Workload identity federation | Use workloads tested by external Identity Providers (IdPs) to access Azure AD protected resources | Yes | Yes |
+|  **Conditional Access (CA)**     |   |   |    
+| CA policies for workload identities |Define the condition in which a workload can access a resource, such as an IP range | |  Yes | 
+|**Lifecycle Management**|    |    |   |
+|Access reviews for service provider-assigned privileged roles  |   Closely monitor workload identities with impactful permissions |    |  Yes |
+|**Identity Protection**  |  | |
+|Identity Protection for workload identities  | Detect and remediate compromised workload identities | | Yes |                                                                            
+
+## What is the cost of Workload Identities Premium plan? 
+
+Check the pricing for the [Microsoft Entra Workload Identities
+Premium](https://www.microsoft.com/security/business/identity-access/microsoft-entra-workload-identities#office-StandaloneSKU-k3hubfz)
+plan.
+
+## How do I purchase a Workload Identities Premium plan?
+
+You need an Azure or Microsoft 365 subscription. You can use a
+current subscription or set up a new one. Then, sign into the [Microsoft
+Entra admin
+center](https://entra.microsoft.com/)
+with your credentials to buy Workload Identities licenses.
+
+## Through what channels can I purchase Workload Identities Premium plan? 
+
+You can purchase the plan through Enterprise Agreement (EA)/Enterprise Subscription (EAS), Cloud Solution Providers (CSPs), or Web Direct.
+
+## Where can I find more feature details to determine if I need a license(s)?
+
+Entra workload identities has three premium features that require a license. 
+
+- [Conditional Access](../conditional-access/workload-identity.md):
+Supports location or risk-based policies for workload identities.
+
+- [Identity Protection](../identity-protection/concept-workload-identity-risk.md):
+Provides reports of compromised credentials, anomalous sign-ins, and
+suspicious changes to accounts.
+
+- [Access Reviews](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-azure-ad-access-reviews-for-service-principals/ba-p/1942488):
+Enables delegation of reviews to the right people, focused on the most
+important privileged roles.
+
+## What do the numbers in each category on the [Workload identities - Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_Azure_ManagedServiceIdentity/WorkloadIdentitiesBlade) mean?
+
+Category definitions:
+
+- **Enterprise apps/Service Principals**: This category includes multi-tenant apps, gallery apps, non-gallery apps and service principals.
+
+- **Microsoft apps**: Apps such as Outlook and Microsoft Teams.
+
+- [**Managed Identities**](https://entra.microsoft.com/#home): An identity for
+applications for connecting resources that support Azure AD authentication.
+
+## How many licenses do I need to purchase? Do I need to license all workload identities including Microsoft and Managed Service Identities? 
+
+All workload identities - service principles, apps and managed identities, configured in your directory for a Microsoft Entra
+Workload Identities Premium feature require a license. Select and prioritize the identities based on the available licenses. Remove
+the workload identities from the directory that are no longer required.
+
+The following identity functionalities are currently available to view
+in a directory:
+
+- Identity Protection: All single-tenant and multi-tenant service
+  principals excluding managed identities and Microsoft apps.
+
+- Conditional Access: Single-tenant service principals (excluding
+  managed identities) capable of acting as a subject/client, having a
+  defined credential.
+
+- Access reviews: All single-tenant and multi-tenant service
+  principals assigned to privileged roles.
+
+>[!NOTE]
+>Functionality is subject to change, and feature coverage is
+intended to expand.
+
+## Do these licenses require individual workload identities assignment? 
+
+No, license assignment isn't required. One license in the tenant unlocks features for workload identities. 
+
+## Can I get a free trial of Workload Identities Premium? 
+
+Yes. you can get a [90-day free trial](https://entra.microsoft.com/#view/Microsoft_Azure_ManagedServiceIdentity/WorkloadIdentitiesBlade).
+In the Modern channel, a 30-day only trial is available. Free trial is
+unavailable in Government clouds.
+
+## Is the Workload Identities Premium edition available on Government clouds? 
+
+Yes, it's available.
+
+## Is it possible to have a mix of Azure AD Premium P1, Azure AD Premium P2 and Workload Identities Premium licenses in one tenant?
+
+Yes, customers can have a mixture of license plans in one tenant.

articles/active-directory/develop/workload-identities-overview.md

@@ -52,4 +52,5 @@ Here are some ways you can use workload identities:
 
 ## Next steps
 
-Learn how to [secure access of workload identities](../conditional-access/workload-identity.md) with adaptive policies.
+- Learn how to [secure access of workload identities](../conditional-access/workload-identity.md) with adaptive policies.
+- Get answers to [frequently asked questions about workload identities](workload-identities-faqs.md).