Merge branch 'main' into release-qumolo

Author: v-alje

articles/active-directory-b2c/partner-akamai-secure-hybrid-access.md

@@ -385,8 +385,8 @@ Once the Application is deployed in a private environment and a connector is cap
 
   | Header Name  | Attribute |
   |--------------|-----------|
-  | ps-sso-first | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name      |
-  | ps-sso-last  | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
+  | ps-sso-first | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` |
+  | ps-sso-last  | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname` |
   | ps-sso-EmailAddress      | emailaddress |
   | ps-sso-uid   | objectId |
 

articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md

@@ -19,7 +19,7 @@ ms.custom: has-adal-ref
 
 # Certificate user IDs 
 
-Azure AD has a multivalued attribute named **certificateUserIds** on the user object that can be used in Username bindings. The attribute allows up to four values, and each value can be of 120-character length. It can store any value, and doesn't require email ID format. It can store non-routable User Principal Names (UPNs) like _bob@woodgrove_ or _bob@local_.
+Users in Azure AD can have a multivalued attribute named **certificateUserIds**. The attribute allows up to four values, and each value can be of 120-character length. It can store any value, and doesn't require email ID format. It can store non-routable User Principal Names (UPNs) like _bob@woodgrove_ or _bob@local_.
 
 ## Supported patterns for certificate user IDs
 

articles/active-directory/develop/active-directory-jwt-claims-customization.md

@@ -1,5 +1,5 @@
 ---
-title: Customize app JSON Web Token (JWT) claims
+title: Customize app JSON Web Token (JWT) claims (Preview)
 description: Learn how to customize the claims issued by Microsoft identity platform in the JSON web token (JWT) token for enterprise applications.
 services: active-directory
 author: davidmu1
@@ -13,11 +13,11 @@ ms.author: davidmu
 ms.custom: aaddev
 ---
 
-# Customize claims issued in the JSON web token (JWT) for enterprise applications
+# Customize claims issued in the JSON web token (JWT) for enterprise applications (Preview)
 
 The Microsoft identity platform supports single sign-on (SSO) with most enterprise applications, including both applications pre-integrated in the Azure AD app gallery and custom applications. When a user authenticates to an application through the Microsoft identity platform using the OIDC protocol, the Microsoft identity platform sends a token to the application. And then, the application validates and uses the token to log the user in instead of prompting for a username and password.
 
-These JSON Web tokens (JWT) used by OIDC & OAuth applications contain pieces of information about the user known as *claims*. A *claim* is information that an identity provider states about a user inside the token they issue for that user.
+These JSON Web tokens (JWT) used by OIDC & OAuth applications (preview) contain pieces of information about the user known as *claims*. A *claim* is information that an identity provider states about a user inside the token they issue for that user.
 
 In an [OIDC response](v2-protocols-oidc.md), *claims* data is typically contained in the ID Token issued by the identity provider in the form of a JWT.
 

articles/active-directory/external-identities/user-properties.md

@@ -83,7 +83,7 @@ Microsoft account |  This user is homed in a Microsoft account and authenticates
 {host’s domain} | This user authenticates by using an Azure AD account that belongs to this organization.
 google.com | This user has a Gmail account and has signed up by using self-service to the other organization.
 facebook.com | This user has a Facebook account and has signed up by using self-service to the other organization.
-mail | This user has an email address that doesn't match with verified Azure AD or SAML/WS-Fed domains, and isn't a Gmail address or a Microsoft account.
+mail | This user has signed up by using Azure AD Email one-time passcode (OTP).
 phone | This user has an email address that doesn't match a verified Azure AD domain or a SAML/WS-Fed domain, and isn't a Gmail address or Microsoft account.
 {issuer URI} | This user is homed in an external organization that doesn't use Azure Active Directory as their identity provider, but instead uses a SAML/WS-Fed-based identity provider. The issuer URI is shown when the Identities field is clicked.
 

articles/active-directory/fundamentals/azure-active-directory-b2c-deployment-plans.md

@@ -6,15 +6,15 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: hybrid
 ms.topic: conceptual
-ms.date: 08/26/2022
+ms.date: 01/06/2023
 
 ms.author: jricketts
 author: janicericketts
 manager: martinco
 
 ms.collection: M365-identity-device-management
 ---
-# Migrate from federation to cloud authentication 
+# Migrate from federation to cloud authentication  
 
 In this article, you learn how to deploy cloud user authentication with either Azure Active Directory [Password hash synchronization (PHS)](whatis-phs.md) or [Pass-through authentication (PTA)](how-to-connect-pta.md). While we present the use case for moving from [Active Directory Federation Services (AD FS)](whatis-fed.md) to cloud authentication methods, the guidance substantially applies to other on premises systems as well.
 
@@ -76,7 +76,7 @@ Although this deployment changes no other relying parties in your AD FS farm, yo
 
 ## Plan the project
 
-When technology projects fail, it's typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md#include-the-right-stakeholders) and that stakeholder roles in the project are well understood.
+When technology projects fail, it's typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md) and that stakeholder roles in the project are well understood.
 
 ### Plan communications
 

articles/active-directory/hybrid/migrate-from-federation-to-cloud-authentication.md

@@ -64,7 +64,7 @@ Administrators should be in control of application use by providing the right in
   - Investigate and hunt for consent phishing attacks by following the guidance on [advanced hunting with Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview).
 - Allow access to trusted applications and protect against those applications that aren't:
   - Use applications that have been publisher verified. [Publisher verification](../develop/publisher-verification-overview.md) helps administrators and users understand the authenticity of application developers through a Microsoft supported vetting process.
-  - [Configure user consent settings](./configure-user-consent.md?tabs=azure-portal) to allow users to only consent to specific trusted applications, such as applications developed by the organization or from verified publishers.
+  - [Configure user consent settings](./configure-user-consent.md?tabs=azure-portal) to allow users to only consent to specific trusted applications, such as applications developed by the organization or from verified publishers and only for low risk permissions you select.
   - Create proactive [application governance](/microsoft-365/compliance/app-governance-manage-app-governance) policies to monitor third-party application behavior on the Microsoft 365 platform to address common suspicious application behaviors.
 
 ## Next steps

articles/active-directory/manage-apps/protect-against-consent-phishing.md

@@ -1,5 +1,5 @@
 ---
-title: 'Tutorial: Azure Active Directory integration with Atlassian Cloud'
+title: 'Tutorial: Azure Active Directory SSO integration with Atlassian Cloud'
 description: Learn how to configure single sign-on between Azure Active Directory and Atlassian Cloud.
 services: active-directory
 author: jeevansd
@@ -9,10 +9,10 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 11/21/2022
+ms.date: 01/06/2023
 ms.author: jeedes
 ---
-# Tutorial: Integrate Atlassian Cloud with Azure Active Directory
+# Tutorial: Azure Active Directory SSO integration with Atlassian Cloud
 
 In this tutorial, you'll learn how to integrate Atlassian Cloud with Azure Active Directory (Azure AD). When you integrate Atlassian Cloud with Azure AD, you can:
 
@@ -49,8 +49,6 @@ To configure the integration of Atlassian Cloud into Azure AD, you need to add A
 1. In the **Add from the gallery** section, type **Atlassian Cloud** in the search box.
 1. Select **Atlassian Cloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
 
- Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)
-
 Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide&preserve-view=true).
 
 ## Configure and test Azure AD SSO
@@ -228,15 +226,15 @@ In this section, you test your Azure AD single sign-on configuration with follow
 
 #### SP initiated:
 
-* Click on **Test this application** in Azure portal. This will redirect to Atlassian Cloud Sign on URL where you can initiate the login flow.  
+* Click on **Test this application** in Azure portal. This will redirect to Atlassian Cloud Sign-on URL where you can initiate the login flow.  
 
 * Go to Atlassian Cloud Sign-on URL directly and initiate the login flow from there.
 
 #### IDP initiated:
 
 * Click on **Test this application** in Azure portal and you should be automatically signed in to the Atlassian Cloud for which you set up the SSO. 
 
-You can also use Microsoft My Apps to test the application in any mode. When you click the Atlassian Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Atlassian Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Atlassian Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Atlassian Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
 
 ## Next steps
 

articles/active-directory/saas-apps/atlassian-cloud-tutorial.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 11/21/2022
+ms.date: 01/06/2023
 ms.author: jeedes
 ---
 # Tutorial: Azure AD SSO integration with Canvas
@@ -80,17 +80,9 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
     > [!NOTE]
     > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [Canvas Client support team](https://community.canvaslms.com/community/help) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
 
-5. In the **SAML Signing Certificate** section, click **Edit** button to open **SAML Signing Certificate** dialog.
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
 
-    ![Edit SAML Signing Certificate](common/edit-certificate.png)
-
-6. In the **SAML Signing Certificate** section, copy the **THUMBPRINT** and save it on your computer.
-
-    ![Copy Thumbprint value](common/copy-thumbprint.png)
-
-7. On the **Set up Canvas** section, copy the appropriate URL(s) as per your requirement.
-
-    ![Copy configuration URLs](common/copy-configuration-urls.png)
+	![The Certificate download link](common/copy-metadataurl.png)
 
 ### Create an Azure AD test user
 
@@ -120,33 +112,18 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
 
 1. In a different web browser window, log in to your Canvas company site as an administrator.
 
-2. Go to **Courses \> Managed Accounts \> Microsoft**.
-
-    ![Canvas](./media/canvas-lms-tutorial/course.png "Canvas")
-
-3. In the navigation pane on the left, select **Authentication**, and then click **Add New SAML Config**.
-
-    ![Authentication](./media/canvas-lms-tutorial/tools.png "Authentication")
-
-4. On the Current Integration page, perform the following steps:
-
-    ![Current Integration](./media/canvas-lms-tutorial/save.png "Current Integration")
+2. Go to **Admin > Microsoft OneNote > Authentication**.
+3. Choose an authentication service as **SAML**. 
 
-    a. In **IdP Entity ID** textbox, paste the value of **Azure Ad Identifier** which you have copied from Azure portal.
+    ![Canvas](./media/canvas-lms-tutorial/admin.png "Canvas")
 
-    b. In **Log On URL** textbox, paste the value of **Login URL** which you have copied from Azure portal .
+4. On the **Current Provider** page, perform the following steps:
 
-    c. In **Log Out URL** textbox, paste the value of **Logout URL** which you have copied from Azure portal.
+    ![Current Integration](./media/canvas-lms-tutorial/current-provider.png "Current Integration")
 
-    d. In **Change Password Link** textbox, paste the value of **Change Password URL** which you have copied from Azure portal.
+    a. In **IdP Metadata URI** textbox, paste the value of **App Federation Metadata URL** value, which you have copied from Azure portal.
 
-    e. In **Certificate Fingerprint** textbox, paste the **Thumbprint** value of certificate which you have copied from Azure portal.
-
-    f. From the **Login Attribute** list, select **NameID**.
-
-    g. From the **Identifier Format** list, select **emailAddress**.
-
-    h. Click **Save Authentication Settings**.
+    b. Click **Save**.
 
 ### Create Canvas test user
 
@@ -156,31 +133,19 @@ To enable Azure AD users to log in to Canvas, they must be provisioned into Canv
 
 1. Log in to your **Canvas** tenant.
 
-2. Go to **Courses \> Managed Accounts \> Microsoft**.
-
-   ![Canvas](./media/canvas-lms-tutorial/course.png "Canvas")
-
-3. Click **Users**.
+2. Go to **Admin > Microsoft OneNote > People**.
 
-   ![Screenshot shows Canvas menu with Users selected.](./media/canvas-lms-tutorial/user.png "Users")
+3. Click **+People**.
 
-4. Click **Add New User**.
+4. On the Add a New User dialog page, perform the following steps:
 
-   ![Screenshot shows the Add a new User button.](./media/canvas-lms-tutorial/add-user.png "Users")
-
-5. On the Add a New User dialog page, perform the following steps:
-
-   ![Add User](./media/canvas-lms-tutorial/name.png "Add User")
+   ![Add User](./media/canvas-lms-tutorial/new-user.png "Add User")
 
    a. In the **Full Name** textbox, enter the name of user like **BrittaSimon**.
 
    b. In the **Email** textbox, enter the email of user like **brittasimon\@contoso.com**.
 
-   c. In the **Login** textbox, enter the user’s Azure AD email address like **brittasimon\@contoso.com**.
-
-   d. Select **Email the user about this account creation**.
-
-   e. Click **Add User**.
+   c. Click **Add User**.
 
 > [!NOTE]
 > You can use any other Canvas user account creation tools or APIs provided by Canvas to provision Azure AD user accounts.
@@ -189,9 +154,9 @@ To enable Azure AD users to log in to Canvas, they must be provisioned into Canv
 
 In this section, you test your Azure AD single sign-on configuration with following options. 
 
-* Click on **Test this application** in Azure portal. This will redirect to Canvas Sign-on URL where you can initiate the login flow. 
+* Click on **Test this application** in Azure portal. This will redirect to Canvas Sign on URL where you can initiate the login flow. 
 
-* Go to Canvas Sign-on URL directly and initiate the login flow from there.
+* Go to Canvas Sign on URL directly and initiate the login flow from there.
 
 * You can use Microsoft My Apps. When you click the Canvas tile in the My Apps, you should be automatically signed in to the Canvas for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).