Merge pull request #94287 from MicrosoftDocs/release-ignite-b2c-app-registration

Ignite

Author: SyntaxC4

articles/active-directory-b2c/active-directory-b2c-devquickstarts-android.md

@@ -34,7 +34,9 @@ Next, register an application in your Azure AD B2C tenant. This gives Azure AD t
 
 [!INCLUDE [active-directory-b2c-appreg-native](../../includes/active-directory-b2c-appreg-native.md)]
 
-Record the **APPLICATION ID** for use in a later step. Next, select the application in the list and record the **Custom Redirect URI**, also for use in a later step. For example, `com.onmicrosoft.contosob2c.exampleapp://oauth/redirect`.
+Record the **Application (client) ID** for use in a later step.
+
+Also record your custom redirect URI for use in a later step. For example, `com.onmicrosoft.contosob2c.exampleapp://oauth/redirect`.
 
 ## Create your user flows
 

articles/active-directory-b2c/active-directory-b2c-devquickstarts-ios.md

@@ -33,7 +33,9 @@ Next, register an application in your Azure AD B2C tenant. This gives Azure AD t
 
 [!INCLUDE [active-directory-b2c-appreg-native](../../includes/active-directory-b2c-appreg-native.md)]
 
-Record the **APPLICATION ID** for use in a later step. Next, select the application in the list and record the **Custom Redirect URI**, also for use in a later step. For example, `com.onmicrosoft.contosob2c.exampleapp://oauth/redirect`.
+Record the **Application (client) ID** for use in a later step.
+
+Also record your custom redirect URI for use in a later step. For example, `com.onmicrosoft.contosob2c.exampleapp://oauth/redirect`.
 
 ## Create your user flows
 In Azure AD B2C, every user experience is defined by a [user flow](active-directory-b2c-reference-policies.md). This application contains one identity experience: a combined sign-in and sign-up. When you create the user flow, be sure to:

articles/active-directory-b2c/active-directory-b2c-faqs.md

@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 08/31/2019
+ms.date: 10/14/2019
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -126,15 +126,20 @@ Not currently. This feature is on our roadmap. Verifying your domain in the **Do
 
 ### How do I delete my Azure AD B2C tenant?
 
-Follow these steps to delete your Azure AD B2C tenant:
+Follow these steps to delete your Azure AD B2C tenant.
 
+You can use the current **Applications** experience or our new unified **App registrations (Preview)** experience. [Learn more about the preview experience](http://aka.ms/b2cappregintro).
+
+#### [Applications](#tab/applications/)
+
+1. Sign in to the [Azure portal](https://portal.azure.com/) as the *Subscription Administrator*. Use the same work or school account or the same Microsoft account that you used to sign up for Azure.
+1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
+1. In the left menu, select **Azure AD B2C**. Or, select **All services** and search for and select **Azure AD B2C**.
 1. Delete all the **User flows (policies)** in your Azure AD B2C tenant.
 1. Delete all the **Applications** you registered in your Azure AD B2C tenant.
-1. Next, sign in to the [Azure portal](https://portal.azure.com/) as the Subscription Administrator. Use the same work or school account or the same Microsoft account that you used to sign up for Azure.
-1. Switch to the Azure AD B2C tenant you want to delete.
 1. Select **Azure Active Directory** on the left-hand menu.
 1. Under **Manage**, select **Users**.
-1. Select each user in turn (exclude the Subscription Administrator user you are currently signed in as). Select **Delete** at the bottom of the page and select **YES** when prompted.
+1. Select each user in turn (exclude the *Subscription Administrator* user you are currently signed in as). Select **Delete** at the bottom of the page and select **YES** when prompted.
 1. Under **Manage**, select **App registrations** (or **App registrations (Legacy)**).
 1. Select **View all applications**
 1. Select the application named **b2c-extensions-app**, select **Delete**, and then select **Yes** when prompted.
@@ -146,6 +151,28 @@ Follow these steps to delete your Azure AD B2C tenant:
 1. Select **Azure Active Directory** on the left-hand menu.
 1. On the **Overview** page, select **Delete directory**. Follow the on-screen instructions to complete the process.
 
+#### [App registrations (Preview)](#tab/app-reg-preview/)
+
+1. Sign in to the [Azure portal](https://portal.azure.com/) as the *Subscription Administrator*. Use the same work or school account or the same Microsoft account that you used to sign up for Azure.
+1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
+1. In the left menu, select **Azure AD B2C**. Or, select **All services** and search for and select **Azure AD B2C**.
+1. Delete all **User flows (policies)** in your Azure AD B2C tenant.
+1. Select **App registrations (Preview)**, then select the **All applications** tab.
+1. Delete all applications that you registered.
+1. Delete the **b2c-extensions-app**.
+1. Under **Manage**, select **Users**.
+1. Select each user in turn (exclude the *Subscription Administrator* user you are currently signed in as). Select **Delete** at the bottom of the page and select **Yes** when prompted.
+1. Select **Azure Active Directory** on the left-hand menu.
+1. Under **Manage**, select **User settings**.
+1. If present, under **LinkedIn account connections**, select **No**, then select **Save**.
+1. Under **Manage**, select **Properties**
+1. Under **Access management for Azure resources**, select **Yes**, and then select **Save**.
+1. Sign out of the Azure portal and then sign back in to refresh your access.
+1. Select **Azure Active Directory** on the left-hand menu.
+1. On the **Overview** page, select **Delete directory**. Follow the on-screen instructions to complete the process.
+
+* * *
+
 ### Can I get Azure AD B2C as part of Enterprise Mobility Suite?
 
 No, Azure AD B2C is a pay-as-you-go Azure service and is not part of Enterprise Mobility Suite.

articles/active-directory-b2c/active-directory-b2c-get-started-custom.md

@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 09/26/2019
+ms.date: 10/18/2019
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -63,10 +63,16 @@ Add your Facebook application's [App Secret](active-directory-b2c-setup-fb-app.m
 
 ## Register Identity Experience Framework applications
 
-Azure AD B2C requires you to register two applications that are used to sign up and sign in users: IdentityExperienceFramework (a web app), and ProxyIdentityExperienceFramework (a native app) with delegated permission from the IdentityExperienceFramework app. Local accounts exist only in your tenant. Your users sign up with a unique email address/password combination to access your tenant-registered applications.
+Azure AD B2C requires you to register two applications that it uses to sign up and sign in users with local accounts: *IdentityExperienceFramework*, a web API, and *ProxyIdentityExperienceFramework*, a native app with delegated permission to the IdentityExperienceFramework app. Your users can sign up with an email address or username and a password to access your tenant-registered applications, which creates a "local account." Local accounts exist only in your Azure AD B2C tenant.
+
+You need to register these two applications in your Azure AD B2C tenant only once.
 
 ### Register the IdentityExperienceFramework application
 
+To register an application in your Azure AD B2C tenant, you can use the current **Applications** experience, or our new unified **App registrations (Preview)** experience. [Learn more about the preview experience](https://aka.ms/b2cappregintro).
+
+#### [Applications](#tab/applications/)
+
 1. Select **All services** in the top-left corner of the Azure portal.
 1. In the search box, enter `Azure Active Directory`.
 1. Select **Azure Active Directory** in the search results.
@@ -77,8 +83,32 @@ Azure AD B2C requires you to register two applications that are used to sign up
 1. For **Sign-on URL**, enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com`, where `your-tenant-name` is your Azure AD B2C tenant domain name. All URLs should now be using [b2clogin.com](b2clogin.md).
 1. Select **Create**. After it's created, copy the application ID and save it to use later.
 
+#### [App registrations (Preview)](#tab/app-reg-preview/)
+
+1. Select **App registrations (Preview)**, and then select **New registration**.
+1. For **Name**, enter `IdentityExperienceFramework`.
+1. Under **Supported account types**, select **Accounts in this organizational directory only**.
+1. Under **Redirect URI**, select **Web**, and then enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com`, where `your-tenant-name` is your Azure AD B2C tenant domain name.
+1. Under **Permissions**, select the *Grant admin consent to openid and offline_access permissions* check box.
+1. Select **Register**.
+1. Record the **Application (client) ID** for use in a later step.
+
+Next, expose the API by adding a scope:
+
+1. Under **Manage**, select **Expose an API**.
+1. Select **Add a scope**, then select **Save and continue** to accept the default application ID URI.
+1. Enter the following values to create a scope that allows custom policy execution in your Azure AD B2C tenant:
+    * **Scope name**: `user_impersonation`
+    * **Admin consent display name**: `Access IdentityExperienceFramework`
+    * **Admin consent description**: `Allow the application to access IdentityExperienceFramework on behalf of the signed-in user.`
+1. Select **Add scope**
+
+* * *
+
 ### Register the ProxyIdentityExperienceFramework application
 
+#### [Applications](#tab/applications/)
+
 1. In **App registrations (Legacy)**, select **New application registration**.
 1. For **Name**, enter `ProxyIdentityExperienceFramework`.
 1. For **Application type**, choose **Native**.
@@ -89,6 +119,38 @@ Azure AD B2C requires you to register two applications that are used to sign up
 1. Select the check box next to **Access IdentityExperienceFramework**, click **Select**, and then click **Done**.
 1. Select **Grant permissions**, and then confirm by selecting **Yes**.
 
+#### [App registrations (Preview)](#tab/app-reg-preview/)
+
+1. Select **App registrations (Preview)**, and then select **New registration**.
+1. For **Name**, enter `ProxyIdentityExperienceFramework`.
+1. Under **Supported account types**, select **Accounts in this organizational directory only**.
+1. Under **Redirect URI**, use the drop-down to select **Public client/native (mobile & desktop)**.
+1. For **Redirect URI**, enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com`, where `your-tenant-name` is your Azure AD B2C tenant.
+1. Under **Permissions**, select the *Grant admin consent to openid and offline_access permissions* check box.
+1. Select **Register**.
+1. Record the **Application (client) ID** for use in a later step.
+
+Next, specify that the application should be treated as a public client:
+
+1. Under **Manage**, select **Authentication**.
+1. Select **Try out the new experience** (if shown).
+1. Under **Advanced settings**, enable **Treat application as a public client** (select **Yes**).
+1. Select **Save**.
+
+Now, grant permissions to the API scope you exposed earlier in the *IdentityExperienceFramework* registration:
+
+1. Under **Manage**, select **API permissions**.
+1. Under **Configured permissions**, select **Add a permission**.
+1. Select the **My APIs** tab, then select the **IdentityExperienceFramework** application.
+1. Under **Permission**, select the **user_impersonation** scope that you defined earlier.
+1. Select **Add permissions**. As directed, wait a few minutes before proceeding to the next step.
+1. Select **Grant admin consent for (your tenant name)**.
+1. Select your currently signed-in administrator account, or sign in with an account in your Azure AD B2C tenant that's been assigned at least the *Cloud application administrator* role.
+1. Select **Accept**.
+1. Select **Refresh**, and then verify that "Granted for ..." appears under **STATUS** for both scopes. It might take a few minutes for the permissions to propagate.
+
+* * *
+
 ## Custom policy starter pack
 
 Custom policies are a set of XML files you upload to your Azure AD B2C tenant to define technical profiles and user journeys. We provide starter packs with several pre-built policies to get you going quickly. Each of these starter packs contains the smallest number of technical profiles and user journeys needed to achieve the scenarios described:

articles/active-directory-b2c/active-directory-b2c-reference-audit-logs.md

@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 09/14/2019
+ms.date: 10/16/2019
 ms.author: marsma
 ms.subservice: B2C
 ms.custom: fasttrack-edit
@@ -85,8 +85,7 @@ Audit logs are published to the same pipeline as other activities for Azure Acti
 
 To allow script- or application-based access to the Azure AD reporting API, you need an Azure Active Directory application registered in your Azure AD B2C tenant with the following API permissions:
 
-* Microsoft Graph
-  * Application: Read all audit log data
+* Microsoft Graph > Application permissions > AuditLog.Read.All
 
 You can enable these permissions on an existing Azure Active Directory application registration within your B2C tenant, or create a new one specifically for use with audit log automation.
 
@@ -98,6 +97,8 @@ Follow these steps register an application, grant it the required Microsoft Grap
 
 ### Assign API access permissions
 
+#### [Applications](#tab/applications/)
+
 1. On the **Registered app** overview page, select **Settings**.
 1. Under **API ACCESS**, select **Required permissions**.
 1. Select **Add**, and then **Select an API**.
@@ -106,6 +107,22 @@ Follow these steps register an application, grant it the required Microsoft Grap
 1. Select the **Select** button, and then select **Done**.
 1. Select **Grant permissions**, and then select **Yes**.
 
+#### [App registrations (Preview)](#tab/app-reg-preview/)
+
+1. Under **Manage**, select **API permissions**.
+1. Under **Configured permissions**, select **Add a permission**.
+1. Select the **Microsoft APIs** tab.
+1. Select **Microsoft Graph**.
+1. Select **Application permissions**.
+1. Expand **AuditLog** and then select the **AuditLog.Read.All** check box.
+1. Select **Add permissions**. As directed, wait a few minutes before proceeding to the next step.
+1. Select **Grant admin consent for (your tenant name)**.
+1. Select your currently signed-in account if it's been assigned the *Global Administrator* role, or sign in with an account in your Azure AD B2C tenant that's been assigned the *Global Administrator* role.
+1. Select **Accept**.
+1. Select **Refresh**, and then verify that "Granted for ..." appears under **STATUS** for the *AuditLog.Read.All* permission. It might take a few minutes for the permissions to propagate.
+
+* * *
+
 ### Create client secret
 
 [!INCLUDE [active-directory-b2c-client-secret](../../includes/active-directory-b2c-client-secret.md)]
@@ -124,15 +141,15 @@ https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=loggedByServi
 
 The following PowerShell script shows an example of how to query the Azure AD reporting API. After querying the API, it prints the logged events to standard output, then writes the JSON output to a file.
 
-You can try this script in the [Azure Cloud Shell](../cloud-shell/overview.md). Be sure to update it with your application ID, key, and the name of your Azure AD B2C tenant.
+You can try this script in the [Azure Cloud Shell](../cloud-shell/overview.md). Be sure to update it with your application ID, client secret, and the name of your Azure AD B2C tenant.
 
 ```powershell
 # This script requires the registration of a Web Application in Azure Active Directory:
 # https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-reporting-api
 
 # Constants
-$ClientID       = "your-client-application-id-here"       # Insert your application's Client ID, a GUID (registered by Global Admin)
-$ClientSecret   = "your-client-application-secret-here"   # Insert your application's Client secret/key
+$ClientID       = "your-client-application-id-here"       # Insert your application's client ID, a GUID (registered by Global Admin)
+$ClientSecret   = "your-client-application-secret-here"   # Insert your application's client secret
 $tenantdomain   = "your-b2c-tenant.onmicrosoft.com"       # Insert your Azure AD B2C tenant; for example, contoso.onmicrosoft.com
 $loginURL       = "https://login.microsoftonline.com"
 $resource       = "https://graph.microsoft.com"           # Microsoft Graph API resource URI