Merge pull request #161863 from MicrosoftDocs/master

6/10 AM Publish

Author: huypub

articles/active-directory-b2c/TOC.yml

@@ -559,7 +559,7 @@
   - name: Azure Roadmap
     href: https://azure.microsoft.com/roadmap/?category=security-identity
   - name: Frequently asked questions
-    href: /azure/active-directory-b2c/faq
+    href: ./faq.yml
   - name: Getting help
     href: ../active-directory/develop/developer-support-help-options.md
   - name: Pricing
@@ -576,4 +576,4 @@
     href: ../active-directory/fundamentals/active-directory-troubleshooting-support-howto.md?bc=%2fazure%2factive-directory-b2c%2fbread%2ftoc.json&toc=%2fazure%2factive-directory-b2c%2fTOC.json
     displayName: technical
   - name: Videos
-    href: azure-ad-external-identities-videos.md
+    href: azure-ad-external-identities-videos.md

articles/active-directory-b2c/conditional-access-user-flow.md

@@ -108,37 +108,31 @@ To add a Conditional Access policy:
 | **Device platforms**  |Not supported   |Characterized by the operating system that runs on a device. For more information, see [Device platforms](../active-directory/conditional-access/concept-conditional-access-conditions.md#device-platforms).   |
 | **Locations**  |P1,P2   |Named locations may include the public IPv4 network information, country or region, or unknown areas that don't map to specific countries or regions. For more information, see [Locations](../active-directory/conditional-access/concept-conditional-access-conditions.md#locations).   |
 
-
-1. Under **Access controls**, select **Grant**. Then select whether to block or grant access:
+3. Under **Access controls**, select **Grant**. Then select whether to block or grant access:
 
 |Option   | License  | Note  |
 |---|---|---|
 | **Block access**  |P1, P2| Prevents access based on the conditions specified in this conditional access policy.  |  
 | **Grant access** with **Require multi-factor authentication**  | P1, P2| Based on the conditions specified in this conditional access policy, the user is required to go through Azure AD B2C multi-factor authentication. |  
 
-1. Under **Enable policy**, select one of the following:
+4. Under **Enable policy**, select one of the following:
 
 | Option  | License  | Note  |
 |---|---|---|
 |**Report-only**    | P1, P2  | Report-only allows administrators to evaluate the impact of Conditional Access policies before enabling them in their environment. We recommend you check policy with this state, and determine the impact to end users without requiring multi-factor authentication or blocking users. For more information, see [Review Conditional Access outcomes in the audit report](#review-conditional-access-outcomes-in-the-audit-report)  |
 |**On**   |  P1, P2 |The access policy is evaluated and not enforced.   |
 |**Off**    | P1, P2  | The access policy is not activated and has no effect on the users.  |
 
-1. Enable your test Conditional Access policy by selecting **Create**.
+5. Enable your test Conditional Access policy by selecting **Create**.
 
 ## Template 1: Sign-in risk-based Conditional Access
 
-Most users have a normal behavior that can be tracked, when they fall outside of this norm it could be risky to allow them to just sign in. You may want to block that user or maybe just ask them to perform multi-factor authentication to prove that they are really who they say they are.
-A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Azure AD B2C tenants with P2 licenses can create Conditional Access policies incorporating [Azure AD Identity Protection sign-in risk detections](../active-directory/identity-protection/concept-identity-protection-risks.md#sign-in-risk). Note the [limitations on Identity Protection detections for B2C](./identity-protection-investigate-risk.md?pivots=b2c-user-flow#service-limitations-and-considerations).
-If risk is detected, users can perform multi-factor authentication to self-remediate and close the risky sign-in event to prevent unnecessary noise for administrators.
-Configure Conditional Access through the Azure portal or Microsoft Graph APIs to enable a sign-in risk-based Conditional Access policy requiring MFA when the sign-in risk is *medium* or *high*.
-To configure your conditional access:
+Most users have a normal behavior that can be tracked, when they fall outside of this norm it could be risky to allow them to just sign in. You may want to block that user or maybe just ask them to perform multi-factor authentication to prove that they are really who they say they are. A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. Azure AD B2C tenants with P2 licenses can create Conditional Access policies incorporating Azure AD Identity Protection sign-in risk detections.
+
+Note the limitations on Identity Protection detections for B2C. If risk is detected, users can perform multi-factor authentication to self-remediate and close the risky sign-in event to prevent unnecessary noise for administrators.
+
+Configure Conditional Access through the Azure portal or Microsoft Graph APIs to enable a sign-in risk-based Conditional Access policy requiring MFA when the sign-in risk is medium or high.
 
-1. Sign in to the **Azure portal**.
-2. Browse to **Azure AD B2C** > **Security** > **Conditional Access**.
-3. Select **New policy**.
-4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-5. Under **Assignments**, select **Users and groups**.
    1. Under **Include**, select **All users**.
    2. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.
    3. Select **Done**.
@@ -253,8 +247,10 @@ With the location condition in Conditional Access, you can control access to you
 [Using the location condition in a Conditional Access policy](../active-directory/conditional-access/location-condition.md
 
 Configure Conditional Access through Azure portal or Microsoft Graph APIs to enable a Conditional Access policy blocking access to specific locations.
+For more information about the location condition in Conditional Access can be found in the article, [Using the location condition in a Conditional Access policy](../active-directory/conditional-access/location-condition.md)
 
 ### Define locations
+
 1. Sign in to the **Azure portal**.
 2. Browse to **Azure AD B2C** > **Security** > **Conditional Access** > **Named Locations**.
 3. Select **Countries location** or **IP ranges location**

articles/active-directory-b2c/configure-authentication-sample-web-app.md

@@ -7,7 +7,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 05/25/2021
+ms.date: 06/10/2021
 ms.author: mimart
 ms.subservice: B2C
 ms.custom: "b2c-support"
@@ -96,18 +96,7 @@ For web apps that request an ID token directly from Azure AD B2C, enable the imp
 1. Under **Implicit grant**, select the **ID tokens** check box.
 1. Select **Save**.
 
-## Step 3: Get your tenant name
-
-To integrate your app with your Azure AD B2C tenant, you need to specify your tenant name in the app configuration file. Follow these steps to get your tenant name:
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Select the **Directory + subscription** filter in the top menu, and then select the directory that contains your Azure AD B2C tenant.
-1. In the **Overview**, copy the first part of the **Domain name**. 
-
-![Get your tenant name](./media/configure-authentication-sample-web-app/get-azure-ad-b2c-tenant-name.png)  
-
-
-## Step 4: Get the web app sample
+## Step 3: Get the web app sample
 
 [Download the zip file](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/archive/refs/heads/master.zip), or clone the sample web application from GitHub. 
 
@@ -117,14 +106,14 @@ git clone https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-op
 
 Extract the sample file to a folder where the total character length of the path is less than 260.
 
-## Step 5: Configure the sample application
+## Step 4: Configure the sample application
 
 In the sample folder, under the `1-WebApp-OIDC/1-5-B2C/` folder, open the **WebApp-OpenIDConnect-DotNet.csproj** project with Visual Studio or Visual Studio Code. 
 
 Under the project root folder, open the `appsettings.json` file. This file contains information about your Azure AD B2C identity provider. Update the following properties of the app settings: 
 
-* **Instance** -  Replace `<your-tenant-name>` with your tenant name. For example, `https://contoso.b2clogin.com`.
-* **Domain** - Replace `<your-b2c-domain>` with your Azure AD B2C full domain name. For example, `contoso.onmicrosoft.com`.
+* **Instance** -  Replace `<your-tenant-name>` with the first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example, `https://contoso.b2clogin.com`.
+* **Domain** - Replace `<your-b2c-domain>` with your Azure AD B2C full [tenant name](tenant-management.md#get-your-tenant-name). For example, `contoso.onmicrosoft.com`.
 * **Client ID** -  Replace `<web-app-application-id>` with the Application ID from [Step 2](#step-2-register-a-web-application).
 * **Policy name** -  Replace `<your-sign-up-in-policy>` with the user flows you created in [Step 1](#step-1-configure-your-user-flow).
 
@@ -140,7 +129,7 @@ Your final configuration file should look like the following JSON:
 }
 ```
 
-## Step 6: Run the sample application
+## Step 5: Run the sample application
 
 1. Build and run the project.
 1. Browse to https://localhost:5001. 

articles/active-directory-b2c/enable-authentication-web-application.md

@@ -7,7 +7,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 05/25/2021
+ms.date: 06/10/2021
 ms.author: mimart
 ms.subservice: B2C
 ms.custom: "b2c-support"
@@ -259,8 +259,8 @@ Azure AD B2C identity provider settings are stored in the `appsettings.json` fil
 
 The required information is described in the [Configure authentication in a sample web application](configure-authentication-sample-web-app.md) article. Use the following settings:
 
-* **Instance** -  Replace `<your-tenant-name>` with your tenant name. For example, `https://contoso.b2clogin.com`.
-* **Domain** - Replace `<your-b2c-domain>` with your Azure AD B2C full domain name. For example, `contoso.onmicrosoft.com`.
+* **Instance** -  Replace `<your-tenant-name>` with the first part of your Azure AD B2C [tenant name](tenant-management.md#get-your-tenant-name). For example, `https://contoso.b2clogin.com`.
+* **Domain** - Replace `<your-b2c-domain>` with your Azure AD B2C full [tenant name](tenant-management.md#get-your-tenant-name). For example, `contoso.onmicrosoft.com`.
 * **Client ID** -  Replace `<web-app-application-id>` with the Application ID from [Step 2](configure-authentication-sample-web-app.md#step-2-register-a-web-application).
 * **Policy name** -  Replace `<your-sign-up-in-policy>` with the user flows you created in [Step 1](configure-authentication-sample-web-app.md#step-1-configure-your-user-flow).
 

articles/active-directory-b2c/faq.yml

@@ -115,7 +115,7 @@ sections:
       - question: |
           Can my app open up Azure AD B2C pages within an iFrame?
         answer: |
-          This feature is in public preview. For details, see [Embedded sign-in experience](https://docs.microsoft.com/azure/active-directory-b2c/embedded-login).
+          This feature is in public preview. For details, see [Embedded sign-in experience](./embedded-login.md).
           
       - question: |
           Does Azure AD B2C work with CRM systems such as Microsoft Dynamics?
@@ -149,7 +149,7 @@ sections:
       - question: |
           Can I use my own URLs on my sign-up and sign-in pages that are served by Azure AD B2C? For instance, can I change the URL from contoso.b2clogin.com to login.contoso.com?
         answer: |
-          This feature is available in public preview. For details, see [Azure AD B2C custom domains](https://docs.microsoft.com/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow).
+          This feature is available in public preview. For details, see [Azure AD B2C custom domains](./custom-domain.md?pivots=b2c-user-flow).
           
       - question: |
           How do I delete my Azure AD B2C tenant?
@@ -209,4 +209,3 @@ sections:
           How do I report issues with Azure AD B2C?
         answer: |
           See [File support requests for Azure Active Directory B2C](support-options.md).
-          

articles/active-directory-b2c/force-password-reset.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 05/28/2021
+ms.date: 06/10/2021
 ms.author: mimart
 ms.subservice: B2C
 zone_pivot_groups: b2c-policy-type
@@ -20,6 +20,7 @@ zone_pivot_groups: b2c-policy-type
 [!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
 
 ## Overview
+
 As an administrator, you can [reset a user's password](manage-users-portal.md#reset-a-users-password) if the user forgets their password. Or you would like to force them to reset the password. In this article, you'll learn how to force a password reset in these scenarios.
 
 When an administrator resets a user's password via the Azure portal, the value of the [forceChangePasswordNextSignIn](user-profile-attributes.md#password-profile-property) attribute is set to `true`. The [sign-in and sign-up journey](add-sign-up-and-sign-in-policy.md) checks the value of this attribute. After the user completes the sign-in, if the attribute is set to `true`, the user must reset their password. Then the value of the attribute is set to back `false`.
@@ -30,17 +31,11 @@ The password reset flow is applicable to local accounts in Azure AD B2C that use
 
 ::: zone pivot="b2c-user-flow"
 
-### Force a password reset after 90 days
-
-As an administrator, you can set a user's password expiration to 90 days, using [MS Graph](microsoft-graph-operations.md). After 90 days, the value of [forceChangePasswordNextSignIn](user-profile-attributes.md#password-profile-property) attribute is automatically set to `true`. For more information on how to set a user's password expiration policy, see [Password policy attribute](user-profile-attributes.md#password-policy-attribute).
-
-Once a password expiration policy has been set, you must also configure force password reset flow, as described in this article.  
-
 ## Prerequisites
 
 [!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)]
 
-## Configure your policy
+## Configure your user flow
 
 To enable the **Forced password reset** setting in a sign-up or sign-in user flow:
 
@@ -53,7 +48,7 @@ To enable the **Forced password reset** setting in a sign-up or sign-in user flo
 1. Under **Password configuration**, select **Forced password reset**.
 1. Select **Save**.
 
-### Test the user flow
+## Test the user flow
 
 1. Sign in to the [Azure portal](https://portal.azure.com) as a user administrator or a password administrator. For more information about the available roles, see [Assigning administrator roles in Azure Active Directory](../active-directory/roles/permissions-reference.md#all-roles).
 1. Select the **Directory + Subscription** icon in the portal toolbar, and then select the directory that contains your Azure AD B2C tenant.
@@ -68,6 +63,54 @@ To enable the **Forced password reset** setting in a sign-up or sign-in user flo
 1. Sign in with the user account for which you reset the password.
 1. You now must change the password for the user. Change the password and select **Continue**. The token is returned to `https://jwt.ms` and should be displayed to you.
 
+## Force password reset on next login
+
+To force reset the password on next login, update the account password profile using MS Graph [Update user](/graph/api/user-update) operation. The following example updates the password profile [forceChangePasswordNextSignIn](user-profile-attributes.md#password-profile-property) attribute to `true`, which forces the user to reset the password on next login.
+
+```http
+PATCH https://graph.microsoft.com/v1.0/users/<user-object-ID>
+Content-type: application/json
+
+{
+"passwordProfile": {
+  "forceChangePasswordNextSignIn": true
+}
+```
+
+Once the account password profile has been set, you must also configure force password reset flow, as described in this article.
+
+## Force a password reset after 90 days
+
+As an administrator, you can set a user's password expiration to 90 days, using [MS Graph](microsoft-graph-operations.md). After 90 days, the value of [forceChangePasswordNextSignIn](user-profile-attributes.md#password-profile-property) attribute is automatically set to `true`. To force a password reset after 90 days, remove the `DisablePasswordExpiration` value from the user's profile [Password policy](user-profile-attributes.md#password-policy-attribute) attribute.
+
+The following example updates the password policy to `None`, which forces a password reset after 90 days:
+
+```http
+PATCH https://graph.microsoft.com/v1.0/users/<user-object-ID>
+Content-type: application/json
+
+{
+  "passwordPolicies": "None"
+}
+```
+
+If you disabled the strong [password complexity](password-complexity.md), update the password policy to [DisableStrongPassword](user-profile-attributes.md#password-policy-attribute):
+
+```http
+PATCH https://graph.microsoft.com/v1.0/users/<user-object-ID>
+Content-type: application/json
+
+{
+  "passwordPolicies": "DisableStrongPassword"
+}
+```
+
+Once a password expiration policy has been set, you must also configure force password reset flow, as described in this article.
+
+### Password expiry duration
+
+The password expiry duration default value is **90** days. The value is configurable by using the [Set-MsolPasswordPolicy](/powershell/module/msonline/set-msolpasswordpolicy) cmdlet from the Azure Active Directory Module for Windows PowerShell. This command updates the tenant, so that all users' passwords expire after number of days you configure.
+
 ::: zone-end
 
 ::: zone pivot="b2c-custom-policy"

articles/active-directory-b2c/https-cipher-tls-requirements.md

@@ -71,10 +71,6 @@ To verify that your endpoints comply with the requirements described in this art
 See also following articles:
 
 - [Troubleshooting applications that don't support TLS 1.2](../cloud-services/applications-dont-support-tls-1-2.md)
-- [Cipher Suites in TLS/SSL (Schannel SSP)](https://docs.microsoft.com/windows/win32/secauthn/cipher-suites-in-schannel)
-- [How to enable TLS 1.2](https://docs.microsoft.com/mem/configmgr/core/plan-design/security/enable-tls-1-2)
-- [Solving the TLS 1.0 Problem](https://docs.microsoft.com/security/engineering/solving-tls1-problem)
-
-
-
-
+- [Cipher Suites in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/cipher-suites-in-schannel)
+- [How to enable TLS 1.2](/mem/configmgr/core/plan-design/security/enable-tls-1-2)
+- [Solving the TLS 1.0 Problem](/security/engineering/solving-tls1-problem)

articles/active-directory-b2c/identity-protection-investigate-risk.md

@@ -77,7 +77,7 @@ Administrators can then choose to take action on these events. Administrators ca
 - Block user from signing in
 - Investigate further using Azure ATP
 
-An administrator can choose to dismiss a user's risk in the Azure portal or programmatically through the Microsoft Graph API [Dismiss User Risk](https://docs.microsoft.com/graph/api/riskyusers-dismiss?view=graph-rest-beta&preserve-view=true). Administrator privileges are required to dismiss a user's risk. Remediating a risk can be performed by the risky user or by an administrator on the user's behalf, for example through a password reset.
+An administrator can choose to dismiss a user's risk in the Azure portal or programmatically through the Microsoft Graph API [Dismiss User Risk](/graph/api/riskyusers-dismiss?preserve-view=true&view=graph-rest-beta). Administrator privileges are required to dismiss a user's risk. Remediating a risk can be performed by the risky user or by an administrator on the user's behalf, for example through a password reset.
 
 ### Navigating the risky users report
 
@@ -118,4 +118,4 @@ Administrators can then choose to return to the user's risk or sign-ins report t
 
 ## Next steps
 
-- [Add Conditional Access to a user flow](conditional-access-user-flow.md).
+- [Add Conditional Access to a user flow](conditional-access-user-flow.md).