Merge branch 'MicrosoftDocs:main' into main

Author: jacinda-eng

.openpublishing.redirection.healthcare-apis.json

@@ -586,15 +586,19 @@
           "redirect_document_id": false
       },
       {   "source_path_from_root": "/articles/healthcare-apis/iot/iot-data-flow.md",
-          "redirect_url": "/azure/healthcare-apis/iot/understand-service",
+          "redirect_url": "/azure/healthcare-apis/iot/overview-of-device-data-processing-stages",
           "redirect_document_id": false
       },
       {   "source_path_from_root": "/articles/healthcare-apis/iot/data-flow.md",
-          "redirect_url": "/azure/healthcare-apis/iot/overview-of-device-message-processing-stages",
+          "redirect_url": "/azure/healthcare-apis/iot/overview-of-device-data-processing-stages",
           "redirect_document_id": false
       },
       {   "source_path_from_root": "/articles/healthcare-apis/iot/understand-service.md",
-          "redirect_url": "/azure/healthcare-apis/iot/overview-of-device-message-processing-stages",
+          "redirect_url": "/azure/healthcare-apis/iot/overview-of-device-data-processing-stages",
+          "redirect_document_id": false
+      },
+      {   "source_path_from_root": "/articles/healthcare-apis/iot/overview-of-device-message-processing-stages.md",
+          "redirect_url": "/azure/healthcare-apis/iot/overview-of-device-data-processing-stages",
           "redirect_document_id": false
       },
       {   "source_path_from_root": "/articles/healthcare-apis/iot/how-to-use-device-mappings.md",
@@ -654,7 +658,11 @@
           "redirect_document_id": false
       },
       {   "source_path_from_root": "/articles/healthcare-apis/iot/how-to-use-iot-jsonpath-content-mappings.md",
-          "redirect_url": "/azure/healthcare-apis/iot/how-to-use-iotjsonpathcontenttemplate-mappings",
+          "redirect_url": "/azure/healthcare-apis/iot/how-to-use-iotjsonpathcontent-mappings",
+          "redirect_document_id": false
+      },
+      {   "source_path_from_root": "/articles/healthcare-apis/iot/how-to-use-iotjsonpathcontenttemplate-mappings.md",
+          "redirect_url": "/azure/healthcare-apis/iot/how-to-use-iotjsonpathcontent-mappings",
           "redirect_document_id": false
       },
       {   "source_path_from_root": "/articles/healthcare-apis/iot/deploy-new-button.md",

articles/active-directory-b2c/custom-policies-series-call-rest-api.md

@@ -88,7 +88,7 @@ You need to deploy an app, which will serve as your external app. Your custom po
                     "code" : "errorCode",
                     "requestId": "requestId",
                     "userMessage" : "The access code you entered is incorrect. Please try again.",
-                    "developerMessage" : `The The provided code ${req.body.accessCode} does not match the expected code for user.`,
+                    "developerMessage" : `The provided code ${req.body.accessCode} does not match the expected code for user.`,
                     "moreInfo" :"https://docs.microsoft.com/en-us/azure/active-directory-b2c/string-transformations"
                 };
                 res.status(409).send(errorResponse);                
@@ -133,7 +133,7 @@ You need to deploy an app, which will serve as your external app. Your custom po
             "code": "errorCode",
             "requestId": "requestId",
             "userMessage": "The access code you entered is incorrect. Please try again.",
-            "developerMessage": "The The provided code 54321 does not match the expected code for user.",
+            "developerMessage": "The provided code 54321 does not match the expected code for user.",
             "moreInfo": "https://docs.microsoft.com/en-us/azure/active-directory-b2c/string-transformations"
         }
     ```

articles/active-directory-b2c/index.yml

@@ -7,8 +7,8 @@ summary: >
 brand: azure
 
 metadata:
-  title: Azure Active Directory B2C documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
-  description: Learn how to use Azure Active Directory B2C to customize and control how customers sign up, sign in, and manage their profiles when using your applications. # Required; article description that is displayed in search results. < 160 chars.
+  title: Azure Active Directory B2C documentation
+  description: Learn how to use Azure Active Directory B2C to customize and control how customers sign up, sign in, and manage their profiles when using your applications.
   services: active-directory-b2c
   ms.service: active-directory
   ms.subservice: B2C

articles/active-directory/app-provisioning/how-provisioning-works.md

@@ -88,7 +88,7 @@ originalUserPrincipalName = alias_theirdomain#EXT#@yourdomain
 
 ## Provisioning cycles: Initial and incremental
 
-When Azure AD is the source system, the provisioning service uses the [Use delta query to track changes in Microsoft Graph data](/graph/delta-query-overview) to monitor users and groups. The provisioning service runs an initial cycle against the source system and target system, followed by periodic incremental cycles.
+When Azure AD is the source system, the provisioning service uses the [delta query to track changes in Microsoft Graph data](/graph/delta-query-overview) to monitor users and groups. The provisioning service runs an initial cycle against the source system and target system, followed by periodic incremental cycles.
 
 ### Initial cycle
 

articles/active-directory/authentication/howto-sspr-deployment.md

@@ -38,6 +38,9 @@ To quickly see SSPR in action and then come back to understand additional deploy
 > [!div class="nextstepaction"]
 > [Enable self-service password reset (SSPR)](tutorial-enable-sspr.md)
 
+> [!TIP]
+> As a companion to this article, we recommend using the [Plan your self-service password reset deployment guide](https://go.microsoft.com/fwlink/?linkid=2221501) when signed in to the Microsoft 365 Admin Center. This guide will customize your experience based on your environment. To review best practices without signing in and activating automated setup features, go to the [M365 Setup portal](https://go.microsoft.com/fwlink/?linkid=2221600). 
+
 ## Learn about SSPR
 
 Learn more about SSPR. See [How it works: Azure AD self-service password reset](./concept-sspr-howitworks.md).

articles/active-directory/develop/application-model.md

@@ -28,9 +28,9 @@ For an identity provider to know that a user has access to a particular app, bot
 * Decide if you want to allow users to sign in only if they belong to your organization. This architecture is known as a single-tenant application. Or, you can allow users to sign in by using any work or school account, which is known as a multi-tenant application. You can also allow personal Microsoft accounts or a social account from LinkedIn, Google, and so on.
 * Request scope permissions. For example, you can request the "user.read" scope, which grants permission to read the profile of the signed-in user.
 * Define scopes that define access to your web API. Typically, when an app wants to access your API, it will need to request permissions to the scopes you define.
-* Share a secret with the Microsoft identity platform that proves the app's identity. Using a secret is relevant in the case where the app is a confidential client application. A confidential client application is an application that can hold credentials securely. A trusted back-end server is required to store the credentials.
+* Share a secret with the Microsoft identity platform that proves the app's identity. Using a secret is relevant in the case where the app is a confidential client application. A confidential [client application](developer-glossary.md#client-application) is an application that can hold credentials securely, like a [web client](developer-glossary.md#web-client). A trusted back-end server is required to store the credentials.
 
-After the app is registered, it's given a unique identifier that it shares with the Microsoft identity platform when it requests tokens. If the app is a [confidential client application](developer-glossary.md#client-application), it will also share the secret or the public key depending on whether certificates or secrets were used.
+After the app is registered, it's given a unique identifier that it shares with the Microsoft identity platform when it requests tokens. If the app is a confidential client application, it will also share the secret or the public key depending on whether certificates or secrets were used.
 
 The Microsoft identity platform represents applications by using a model that fulfills two main functions:
 
@@ -44,14 +44,14 @@ The Microsoft identity platform:
 * Provides infrastructure for implementing app provisioning within the app developer's tenant, and to any other Azure AD tenant.
 * Handles user consent during token request time and facilitates the dynamic provisioning of apps across tenants.
 
-*Consent* is the process of a resource owner granting authorization for a client application to access protected resources, under specific permissions, on behalf of the resource owner. The Microsoft identity platform enables:
+[*Consent*](developer-glossary.md#consent) is the process of a resource owner granting authorization for a client application to access protected resources, under specific permissions, on behalf of the resource owner. The Microsoft identity platform enables:
 
 * Users and administrators to dynamically grant or deny consent for the app to access resources on their behalf.
 * Administrators to ultimately decide what apps are allowed to do and which users can use specific apps, and how the directory resources are accessed.
 
 ## Multi-tenant apps
 
-In the Microsoft identity platform, an [application object](developer-glossary.md#application-object) describes an application. At deployment time, the Microsoft identity platform uses the application object as a blueprint to create a [service principal](developer-glossary.md#service-principal-object), which represents a concrete instance of an application within a directory or tenant. The service principal defines what the app can actually do in a specific target directory, who can use it, what resources it has access to, and so on. The Microsoft identity platform creates a service principal from an application object through [consent](developer-glossary.md#consent).
+In the Microsoft identity platform, an [application object](developer-glossary.md#application-object) describes an application. At deployment time, the Microsoft identity platform uses the application object as a blueprint to create a [service principal](developer-glossary.md#service-principal-object), which represents a concrete instance of an application within a directory or tenant. The service principal defines what the app can actually do in a specific target directory, who can use it, what resources it has access to, and so on. The Microsoft identity platform creates a service principal from an application object through consent.
 
 The following diagram shows a simplified Microsoft identity platform provisioning flow driven by consent. It shows two tenants: *A* and *B*.
 

articles/active-directory/develop/reference-aadsts-error-codes.md

@@ -165,6 +165,7 @@ The `error` field has several possible values - review the protocol documentatio
 | AADSTS50143 | Session mismatch - Session is invalid because user tenant doesn't match the domain hint due to different resource. [Open a support ticket](../fundamentals/active-directory-troubleshooting-support-howto.md) with Correlation ID, Request ID, and Error code to get more details. |
 | AADSTS50144 | InvalidPasswordExpiredOnPremPassword - User's Active Directory password has expired. Generate a new password for the user or have the user use the self-service reset tool to reset their password. |
 | AADSTS50146 | MissingCustomSigningKey - This app is required to be configured with an app-specific signing key. It is either not configured with one, or the key has expired or isn't yet valid. Please contact the owner of the application. |
+| AADSTS501461 | AcceptMappedClaims is only supported for a token audience matching the application GUID or an audience within the tenant's verified domains. Either change the resource identifier, or use an application-specific signing key. |
 | AADSTS50147 | MissingCodeChallenge - The size of the code challenge parameter isn't valid. |
 | AADSTS501481 | The Code_Verifier doesn't match the code_challenge supplied in the authorization request.|
 | AADSTS501491 |  InvalidCodeChallengeMethodInvalidSize - Invalid size of Code_Challenge parameter.|
@@ -183,7 +184,7 @@ The `error` field has several possible values - review the protocol documentatio
 | AADSTS50194 | Application '{appId}'({appName}) isn't configured as a multi-tenant application. Usage of the /common endpoint isn't supported for such applications created after '{time}'. Use a tenant-specific endpoint or configure the application to be multi-tenant. |
 | AADSTS50196 | LoopDetected - A client loop has been detected. Check the app’s logic to ensure that token caching is implemented, and that error conditions are handled correctly.  The app has made too many of the same request in too short a period, indicating that it is in a faulty state or is abusively requesting tokens. |
 | AADSTS50197 | ConflictingIdentities - The user could not be found. Try signing in again. |
-| AADSTS50199 | CmsiInterrupt - For security reasons, user confirmation is required for this request.  Because this is an "interaction_required" error, the client should do interactive auth.  This occurs because a system webview has been used to request a token for a native application - the user must be prompted to ask if this was actually the app they meant to sign into. To avoid this prompt, the redirect URI should be part of the following safe list: <br />http://<br />https://<br />chrome-extension:// (desktop Chrome browser only) |
+| AADSTS50199 | CmsiInterrupt - For security reasons, user confirmation is required for this request. Interrupt is shown for all scheme redirects in mobile browsers. <br />No action required. The user was asked to confirm that this app is the application they intended to sign into. <br />This is a security feature that helps prevent spoofing attacks. This occurs because a system webview has been used to request a token for a native application. <br />To avoid this prompt, the redirect URI should be part of the following safe list: <br />http://<br />https://<br />chrome-extension:// (desktop Chrome browser only) |
 | AADSTS51000 | RequiredFeatureNotEnabled - The feature is disabled. |
 | AADSTS51001 | DomainHintMustbePresent - Domain hint must be present with on-premises security identifier or on-premises UPN. |
 | AADSTS1000104| XCB2BResourceCloudNotAllowedOnIdentityTenant - Resource cloud {resourceCloud} isn't allowed on identity tenant {identityTenant}. {resourceCloud} - cloud instance which owns the resource. {identityTenant} - is the tenant where signing-in identity is originated from. |

articles/active-directory/develop/reference-app-manifest.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: reference
 ms.workload: identity
-ms.date: 05/19/2022
+ms.date: 04/13/2023
 ms.author: ryanwi
 ms.custom: aaddev
 ms.reviewer: sureshja
@@ -260,9 +260,9 @@ Example:
     "keyCredentials": [
         {
            "customKeyIdentifier":null,
-           "endDate":"2018-09-13T00:00:00Z",
+           "endDateTime":"2018-09-13T00:00:00Z",
            "keyId":"<guid>",
-           "startDate":"2017-09-12T00:00:00Z",
+           "startDateTime":"2017-09-12T00:00:00Z",
            "type":"AsymmetricX509Cert",
            "usage":"Verify",
            "value":null
@@ -425,10 +425,12 @@ Example:
     "passwordCredentials": [
       {
         "customKeyIdentifier": null,
-        "endDate": "2018-10-19T17:59:59.6521653Z",
+        "displayName": "Generated by App Service",
+        "endDateTime": "2022-10-19T17:59:59.6521653Z",
+        "hint": "Nsn",
         "keyId": "<guid>",
-        "startDate":"2016-10-19T17:59:59.6521653Z",
-        "value":null
+        "secretText": null,        
+        "startDateTime":"2022-10-19T17:59:59.6521653Z"
       }
     ],
 ```
@@ -638,4 +640,4 @@ Use the following comments section to provide feedback that helps refine and sha
 [IMPLICIT-GRANT]:v1-oauth2-implicit-grant-flow.md
 [INTEGRATING-APPLICATIONS-AAD]: ./quickstart-register-app.md
 [O365-PERM-DETAILS]: /graph/permissions-reference
-[RBAC-CLOUD-APPS-AZUREAD]: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/
+[RBAC-CLOUD-APPS-AZUREAD]: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/