Merge pull request #207445 from MicrosoftDocs/main

8/9/2022 Publish

Author: Taojunshen

.openpublishing.redirection.azure-monitor.json

@@ -505,6 +505,11 @@
             "source_path_from_root": "/articles/azure-monitor/app/cloudservices.md" ,
             "redirect_url": "/azure/azure-monitor/app/azure-web-apps-net-core",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/logs/workspace-design-service-providers.md" ,
+            "redirect_url": "/azure/azure-monitor/logs/workspace-design",
+            "redirect_document_id": false
         }
     ]
 }

articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 07/18/2022
+ms.date: 08/09/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -167,11 +167,11 @@ In some cases, an **All cloud apps** policy could inadvertently block user acces
 
 - Calls to Azure AD Graph and MS Graph, to access user profile, group membership and relationship information that is commonly used by applications excluded from policy. The excluded scopes are listed below. Consent is still required for apps to use these permissions. 
    - For native clients:
-      - Azure AD Graph: User.read
-      - MS Graph: User.read, People.read, and UserProfile.read 
+      - Azure AD Graph: User.Read
+      - MS Graph: User.Read, People.Read, and UserProfile.Read
    - For confidential / authenticated clients:
-      - Azure AD Graph: User.read, User.read.all, and User.readbasic.all
-      - MS Graph: User.read,User.read.all, User.read.All People.read, People.read.all, GroupMember.Read.All, Member.Read.Hidden, and UserProfile.read 
+      - Azure AD Graph: User.Read, User.Read.All, and User.ReadBasic.All
+      - MS Graph: User.Read, User.Read.All, User.ReadBasic.All, People.Read, People.Read.All, GroupMember.Read.All, Member.Read.Hidden, and UserProfile.Read 
 
 ## User actions
 

articles/active-directory/conditional-access/media/what-if-tool/01.png

@@ -6,106 +6,67 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 06/22/2020
+ms.date: 08/09/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
 manager: karenhoran
 ms.reviewer: nigu
 ms.collection: M365-identity-device-management
-
-#Customer intent: As an IT admin, I want to know how to use the What If tool for my existing Conditional Access policies, so that I can understand the impact they have on my environment. 
 ---
-# Troubleshoot using the What If tool in Conditional Access
+# Use the What If tool to troubleshoot Conditional Access policies
 
-[Conditional Access](./overview.md) is a capability of Azure Active Directory (Azure AD) that enables you to control how authorized users access your cloud apps. How do you know what to expect from the Conditional Access policies in your environment? To answer this question, you can use the **Conditional Access What If tool**.
+The **Conditional Access What If policy tool** allows you to understand the impact of [Conditional Access](./overview.md) policies in your environment. Instead of test driving your policies by performing multiple sign-ins manually, this tool enables you to evaluate a simulated sign-in of a user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.
 
-This article explains how you can use this tool to test your Conditional Access policies.
+The **What If** tool provides a way to quickly determine the policies that apply to a specific user. You can use the information, for example, if you need to troubleshoot an issue.	
 
 > [!VIDEO https://www.youtube.com/embed/M_iQVM-3C3E]
 
-## What it is
-
-The **Conditional Access What If policy tool** allows you to understand the impact of your Conditional Access policies on your environment. Instead of test driving your policies by performing multiple sign-ins manually, this tool enables you to evaluate a simulated sign-in of a user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report. The report does not only list the applied Conditional Access policies but also [classic policies](policy-migration.md#classic-policies) if they exist.    
-
-The **What If** tool provides a way to quickly determine the policies that apply to a specific user. You can use the information, for example, if you need to troubleshoot an issue.	
-
 ## How it works
 
-In the **Conditional Access What If tool**, you first need to configure the settings of the sign-in scenario you want to simulate. These settings include:
+In the **Conditional Access What If tool**, you first need to configure the conditions of the sign-in scenario you want to simulate. These settings may include:
 
 - The user you want to test 
 - The cloud apps the user would attempt to access
 - The conditions under which access to the configured cloud apps is performed
+
+The What If tool doesn't test for [Conditional Access service dependencies](service-dependencies.md). For example, if you're using What If to test a Conditional Access policy for Microsoft Teams, the result doesn't take into consideration any policy that would apply to Office 365 Exchange Online, a Conditional Access service dependency for Microsoft Teams.
 
 As a next step, you can initiate a simulation run that evaluates your settings. Only policies that are enabled are part of an evaluation run.
 
-When the evaluation has finished, the tool generates a report of the affected policies. To gather more information about a Conditional Access policy, the [Conditional Access insights and reporting workbook](howto-conditional-access-insights-reporting.md) can provide additional details about policies in report-only mode and those policies currently enabled.
+When the evaluation has finished, the tool generates a report of the affected policies. To gather more information about a Conditional Access policy, the [Conditional Access insights and reporting workbook](howto-conditional-access-insights-reporting.md) can provide more details about policies in report-only mode and those policies currently enabled.
 
 ## Running the tool
 
-You can find the **What If** tool on the **[Conditional Access - Policies](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies)** page in the Azure portal.
-
-To start the tool, in the toolbar on top of the list of policies, click **What If**.
-
-:::image type="content" source="./media/what-if-tool/01.png" alt-text="Screenshot of the Conditional Access - Policies page in the Azure portal. In the toolbar, the What if item is highlighted." border="false":::
-
-Before you can run an evaluation, you must configure the settings.
-
-## Settings
-
-This section provides you with information about the settings of simulation run.
-
-:::image type="content" source="./media/what-if-tool/02.png" alt-text="Screenshot of the Azure portal What If page, with fields for a user, cloud apps, an I P address, a device platform, a client app, and a sign-in risk." border="false":::
-
-### User
-
-You can only select one user. This is the only required field.
-
-### Cloud apps
-
-The default for this setting is **All cloud apps**. The default setting performs an evaluation of all available policies in your environment. You can narrow down the scope to policies affecting specific cloud apps.
-
-> [!NOTE]
-> When using the What If tool, it does not test for [Conditional Access service dependencies](service-dependencies.md). For example, if you are using What If to test a Conditional Access policy for Microsoft Teams, the result will not take into consideration any policy that would apply to Office 365 Exchange Online, a Conditional Access service dependency for Microsoft Teams.
-
-### IP address
-
-The IP address is a single IPv4 address to mimic the [location condition](location-condition.md). The address represents Internet facing address of the device used by your user to sign in. You can verify the IP address of a device by, for example, navigating to [What is my IP address](https://whatismyipaddress.com).    
-
-### Device platforms
-
-This setting mimics the [device platforms condition](concept-conditional-access-conditions.md#device-platforms) and represents the equivalent of **All platforms (including unsupported)**. 
+You can find the **What If** tool in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **What If**.
 
-### Client apps
+:::image type="content" source="./media/what-if-tool/portal-showing-location-of-what-if-tool.png" alt-text="Screenshot of the Conditional Access - Policies page in the Azure portal. In the toolbar, the What if item is highlighted." border="false" lightbox="media/what-if-tool/portal-showing-location-of-what-if-tool.png":::
 
-This setting mimics the [client apps condition](concept-conditional-access-conditions.md#client-apps).
-By default, this setting causes an evaluation of all policies having **Browser** or **Mobile apps and desktop clients** either individually or both selected. It also detects policies that enforce **Exchange ActiveSync (EAS)**. You can narrow this setting down by selecting:
+Before you can run the What If tool, you must provide the conditions you want to evaluate.
 
-- **Browser** to evaluate all policies having at least **Browser** selected. 
-- **Mobile apps and desktop clients** to evaluate all policies having at least **Mobile apps and desktop clients** selected. 
+## Conditions
 
-### Sign-in risk
+The only condition you must make is selecting a user or workload identity. All other conditions are optional. For a definition of these conditions, see the article [Building a Conditional Access policy](concept-conditional-access-policies.md).
 
-This setting mimics the [sign-in risk condition](concept-conditional-access-conditions.md#sign-in-risk).   
+:::image type="content" source="./media/what-if-tool/supply-conditions-to-evaluate-in-the-what-if-tool.png" alt-text="Screenshot of the Azure portal What If page ready for conditions to be entered." border="false" lightbox="media/what-if-tool/supply-conditions-to-evaluate-in-the-what-if-tool.png":::
 
-## Evaluation 
+## Evaluation
 
 You start an evaluation by clicking **What If**. The evaluation result provides you with a report that consists of: 
 
-:::image type="content" source="./media/what-if-tool/03.png" alt-text="Screenshot of an evaluation report. Text indicates that at least one classic policy is configured. Tabs are available for viewing policies." border="false":::
+- An indicator whether classic policies exist in your environment.
+- Policies that will apply to your user or workload identity.
+- Policies that don't apply to your user or workload identity.
 
-- An indicator whether classic policies exist in your environment
-- Policies that apply to your user
-- Policies that don't apply to your user
+If [classic policies](policy-migration.md#classic-policies) exist for the selected cloud apps, an indicator is presented to you. By clicking the indicator, you're redirected to the classic policies page. On the classic policies page, you can migrate a classic policy or just disable it. You can return to your evaluation result by closing this page.
 
-If [classic policies](policy-migration.md#classic-policies) exist for the selected cloud apps, an indicator is presented to you. By clicking the indicator, you are redirected to the classic policies page. On the classic policies page, you can migrate a classic policy or just disable it. You can return to your evaluation result by closing this page.
+:::image type="content" source="media/what-if-tool/conditional-access-what-if-evaluation-result-example.png" alt-text="Screenshot of an example of the policy evaluation in the What If tool showing policies that would apply." lightbox="media/what-if-tool/conditional-access-what-if-evaluation-result-example.png":::
 
-On the list of policies that apply to your selected user, you can also find a list of [grant controls](concept-conditional-access-grant.md) and [session controls](concept-conditional-access-session.md) your user must satisfy.
+On the list of policies that apply, you can also find a list of [grant controls](concept-conditional-access-grant.md) and [session controls](concept-conditional-access-session.md) that must be satisfied.
 
-On the list of policies that don't apply to your user, you can and also find the reasons why these policies don't apply. For each listed policy, the reason represents the first condition that was not satisfied. A possible reason for a policy that is not applied is a disabled policy because they are not further evaluated.   
+On the list of policies that don't apply, you can find the reasons why these policies don't apply. For each listed policy, the reason represents the first condition that wasn't satisfied.
 
 ## Next steps
 
 - More information about Conditional Access policy application can be found using the policies report-only mode using [Conditional Access insights and reporting](howto-conditional-access-insights-reporting.md).
-- If you are ready to configure Conditional Access policies for your environment, see the [Conditional Access common policies](concept-conditional-access-policy-common.md).
+- If you're ready to configure Conditional Access policies for your environment, see the [Conditional Access common policies](concept-conditional-access-policy-common.md).

articles/active-directory/conditional-access/media/what-if-tool/02.png

@@ -47,6 +47,8 @@ Your app would check for:
   - an "error" parameter with the value "insufficient_claims"
   - a "claims" parameter
 
+# [.NET](#tab/dotnet)
+
 When these conditions are met, the app can extract and decode the claims challenge using MSAL.NET `WwwAuthenticateParameters` class.
 
 ```csharp
@@ -97,7 +99,69 @@ _clientApp = PublicClientApplicationBuilder.Create(App.ClientId)
 
 You can test your application by signing in a user to the application then using the Azure portal to Revoke the user's sessions. The next time the app calls the CAE enabled API, the user will be asked to reauthenticate.
 
+# [JavaScript](#tab/JavaScript)
+
+When these conditions are met, the app can extract the claims challenge from the API response header as follows: 
+
+```javascript
+const authenticateHeader = response.headers.get('www-authenticate');
+const claimsChallenge = authenticateHeader
+        .split(' ')
+        .find((entry) => entry.includes('claims='))
+        .split('claims="')[1]
+        .split('",')[0];
+```
+
+Your app would then use the claims challenge to acquire a new access token for the resource.
+
+```javascript
+let tokenResponse;
+
+try {
+
+    tokenResponse = await msalInstance.acquireTokenSilent({
+                    claims: window.atob(claimsChallenge), // decode the base64 string
+                    scopes: scopes,  // e.g ['User.Read', 'Contacts.Read']
+                    account: account, // current active account
+                });
+
+} catch (error) {
+
+     if (error instanceof InteractionRequiredAuthError) {
+
+        tokenResponse = await msalInstance.acquireTokenPopup({
+                        claims: window.atob(claimsChallenge), // decode the base64 string
+                        scopes: scopes, // e.g ['User.Read', 'Contacts.Read']
+                        account: account, // current active account
+                    });
+    }
+
+}
+```
+
+Once your application is ready to handle the claim challenge returned by a CAE-enabled resource, you can tell Microsoft Identity your app is CAE-ready by adding a `clientCapabilities` property in the MSAL configuration.
+
+```javascript
+const msalConfig = {
+    auth: {
+        clientId: 'Enter_the_Application_Id_Here', 
+        clientCapabilities: ["CP1"]
+        // the remaining settings
+        // ... 
+    }
+}
+
+const msalInstance = new PublicClientApplication(msalConfig);
+
+```
+
+---
+
+You can test your application by signing in a user and then using the Azure portal to revoke the user's session. The next time the app calls the CAE-enabled API, the user will be asked to reauthenticate.
+
 ## Next steps
 
 - [Continuous access evaluation](../conditional-access/concept-continuous-access-evaluation.md) conceptual overview
 - [Claims challenges, claims requests, and client capabilities](claims-challenge.md)
+- [React single-page application using MSAL React to sign-in users against Azure Active Directory](https://github.com/Azure-Samples/ms-identity-javascript-react-tutorial/tree/main/2-Authorization-I/1-call-graph)
+- [Enable your ASP.NET Core web app to sign in users and call Microsoft Graph with the Microsoft identity platform](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-1-Call-MSGraph)