Merge pull request #206535 from MicrosoftDocs/main

8/01 AM Publish

Author: huypub

articles/active-directory-b2c/whats-new-docs.md

@@ -1,7 +1,7 @@
 ---
 title: "What's new in Azure Active Directory business-to-customer (B2C)"
 description: "New and updated documentation for the Azure Active Directory business-to-customer (B2C)."
-ms.date: 05/23/2022
+ms.date: 08/01/2022
 ms.service: active-directory
 ms.subservice: B2C
 ms.topic: reference
@@ -15,6 +15,23 @@ manager: CelesteDG
 
 Welcome to what's new in Azure Active Directory B2C documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the B2C service, see [What's new in Azure Active Directory](../active-directory/fundamentals/whats-new.md) and [Azure AD B2C developer release notes](custom-policy-developer-notes.md)
 
+## July 2022
+
+### New articles
+
+- [Configure authentication in a sample React single-page application by using Azure Active Directory B2C](configure-authentication-sample-react-spa-app.md)
+- [Configure authentication options in a React application by using Azure Active Directory B2C](enable-authentication-react-spa-app-options.md)
+- [Enable authentication in your own React Application by using Azure Active Directory B2C](enable-authentication-react-spa-app.md)
+
+### Updated articles
+
+- [Enable custom domains for Azure Active Directory B2C](custom-domain.md)
+- [Set up sign-up and sign-in with a Twitter account using Azure Active Directory B2C](identity-provider-twitter.md)
+- [Page layout versions](page-layout.md)
+- [Monitor Azure AD B2C with Azure Monitor](azure-monitor.md)
+- [Enable JavaScript and page layout versions in Azure Active Directory B2C](javascript-and-page-layout.md)
+- [Localization string IDs](localization-string-ids.md)
+
 ## June 2022
 
 ### New articles
@@ -137,28 +154,4 @@ Welcome to what's new in Azure Active Directory B2C documentation. This article
 - [Billing model for Azure Active Directory B2C](billing.md)
 - [Configure SAML identity provider options with Azure Active Directory B2C](identity-provider-generic-saml-options.md)
 - [About claim resolvers in Azure Active Directory B2C custom policies](claim-resolver-overview.md)
-- [Add AD FS as a SAML identity provider using custom policies in Azure Active Directory B2C](identity-provider-adfs-saml.md)
-
-## December 2021
-
-### New articles
-
-- [TOTP display control](display-control-time-based-one-time-password.md)
-- [Set up sign-up and sign-in with a SwissID account using Azure Active Directory B2C](identity-provider-swissid.md)
-- [Set up sign-up and sign-in with a PingOne account using Azure Active Directory B2C](identity-provider-ping-one.md)
-- [Tutorial: Configure Haventec with Azure Active Directory B2C for single step, multifactor passwordless authentication](partner-haventec.md)
-- [Tutorial: Acquire an access token for calling a web API in Azure AD B2C](tutorial-acquire-access-token.md)
-- [Tutorial: Sign in and sign out users with Azure AD B2C in a Node.js web app](tutorial-authenticate-nodejs-web-app-msal.md)
-- [Tutorial: Call a web API protected with Azure AD B2C](tutorial-call-api-with-access-token.md)
-
-### Updated articles
-
-- [About claim resolvers in Azure Active Directory B2C custom policies](claim-resolver-overview.md)
-- [Azure Active Directory B2C service limits and restrictions](service-limits.md)
-- [Add Conditional Access to user flows in Azure Active Directory B2C](conditional-access-user-flow.md)
-- [Display controls](display-controls.md)
-- ['Azure AD B2C: Frequently asked questions (FAQ)'](faq.yml)
-- [Manage Azure AD B2C with Microsoft Graph](microsoft-graph-operations.md)
-- [Define an Azure AD MFA technical profile in an Azure AD B2C custom policy](multi-factor-auth-technical-profile.md)
-- [Enable multifactor authentication in Azure Active Directory B2C](multi-factor-authentication.md)
-- [String claims transformations](string-transformations.md)
+- [Add AD FS as a SAML identity provider using custom policies in Azure Active Directory B2C](identity-provider-adfs-saml.md)

articles/active-directory/authentication/concept-mfa-data-residency.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 02/16/2021
+ms.date: 08/01/2022
 
 ms.author: justinha
 author: justinha
@@ -26,7 +26,7 @@ The Azure AD multifactor authentication service has datacenters in the United St
 
 * Multifactor authentication phone calls originate from datacenters in the customer's region and are routed by global providers. Phone calls using custom greetings always originate from data centers in the United States.
 * General purpose user authentication requests from other regions are currently processed based on the user's location.
-* Push notifications that use the Microsoft Authenticator app are currently processed in regional datacenters based on the user's location. Vendor-specific device services, such as Apple Push Notification Service, might be outside the user's location.
+* Push notifications that use the Microsoft Authenticator app are currently processed in regional datacenters based on the user's location. Vendor-specific device services, such as Apple Push Notification Service or Google Firebase Cloud Messaging, might be outside the user's location.
 
 ## Personal data stored by Azure AD multifactor authentication
 

articles/active-directory/conditional-access/TOC.yml

@@ -39,12 +39,14 @@
     href: service-dependencies.md
   - name: Location conditions
     href: location-condition.md
-  - name: Continuous access evaluation
-    href: concept-continuous-access-evaluation.md
   - name: Workload identities
     href: workload-identity.md
-  - name: CAE for workload identities
-    href: concept-continuous-access-evaluation-workload.md
+  - name: Continuous access evaluation
+    items:
+    - name: CAE for users
+      href: concept-continuous-access-evaluation.md
+    - name: CAE for workload identities
+      href: concept-continuous-access-evaluation-workload.md
   - name: Filter for devices
     href: concept-condition-filters-for-devices.md
   - name: What if tool

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

@@ -361,7 +361,7 @@ You might get the following error message when you initiate a remote desktop con
 
 ![Screenshot of the message that says your account is configured to prevent you from using this device.](./media/howto-vm-sign-in-azure-ad-windows/rbac-role-not-assigned.png)
 
-Verify that you've [configured Azure RBAC policies](../../virtual-machines/linux/login-using-aad.md) for the VM that grant the user the Virtual Machine Administrator Login or Virtual Machine User Login role.
+Verify that you've [configured Azure RBAC policies](#configure-role-assignments-for-the-vm) for the VM that grant the user the Virtual Machine Administrator Login or Virtual Machine User Login role.
 
 > [!NOTE]
 > If you're having problems with Azure role assignments, see [Troubleshoot Azure RBAC](../../role-based-access-control/troubleshooting.md#limits).

articles/active-directory/governance/entitlement-management-access-package-resources.md

@@ -42,15 +42,19 @@ If you need to add resources to an access package, you should check whether the
 
     ![List of resources in a catalog](./media/entitlement-management-access-package-resources/catalog-resources.png)
 
-1. If the resources aren't already in the catalog, and you're an administrator or a catalog owner, you can [add resources to a catalog](entitlement-management-catalog-create.md#add-resources-to-a-catalog).
+1. If the resources aren't already in the catalog, and you're an administrator or a catalog owner, you can [add resources to a catalog](entitlement-management-catalog-create.md#add-resources-to-a-catalog). The types of resources you can add are groups, applications, and SharePoint Online sites. For example:
+
+* Groups can be cloud-created Microsoft 365 Groups or cloud-created Azure AD security groups. Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Azure AD. To give users access to an application that uses AD security group memberships, create a new group in Azure AD, configure [group writeback to AD](../hybrid/how-to-connect-group-writeback-v2.md), and [enable that group to be written to AD](../enterprise-users/groups-write-back-portal.md). Groups that originate in Exchange Online as Distribution groups can't be modified in Azure AD either.
+* Applications can be Azure AD enterprise applications, which include both software as a service (SaaS) applications and your own applications integrated with Azure AD.  If your application has not yet been integrated with Azure AD, see [govern access for applications in your environment](identity-governance-applications-prepare.md) and [integrate an application with Azure AD](identity-governance-applications-integrate.md).
+* Sites can be SharePoint Online sites or SharePoint Online site collections.
 
 1. If you are an access package manager and you need to add resources to the catalog, you can ask the catalog owner to add them.
 
 ## Add resource roles
 
 A resource role is a collection of permissions associated with a resource.  Resources can be made available for users to request if you add resource roles from each of the catalog's resources to your access package. You can add resource roles that are provided by groups, teams, applications, and SharePoint sites.  When a user receives an assignment to an access package, they'll be added to all the resource roles in the access package.
 
-If you don't want users to receive all of the roles, then you'll need to create multiple access packages in the catalog, with separate access packages for each of the resource roles.  You can also mark the access packages as [incompatible](entitlement-management-access-package-incompatible.md) with each other so users can't request access to access packages that would give them excessive access.
+If you want some users to receive different roles than others, then you'll need to create multiple access packages in the catalog, with separate access packages for each of the resource roles.  You can also mark the access packages as [incompatible](entitlement-management-access-package-incompatible.md) with each other so users can't request access to access packages that would give them excessive access.
 
 **Prerequisite role:** Global administrator, User administrator, Catalog owner, or Access package manager
 

articles/active-directory/governance/entitlement-management-catalog-create.md

@@ -75,10 +75,19 @@ $catalog = New-MgEntitlementManagementAccessPackageCatalog -DisplayName "Marketi
 
 ## Add resources to a catalog
 
-To include resources in an access package, the resources must exist in a catalog. The types of resources you can add are groups, applications, and SharePoint Online sites. For example:
+To include resources in an access package, the resources must exist in a catalog. The types of resources you can add are groups, applications, and SharePoint Online sites.
 
-* Groups can be cloud-created Microsoft 365 Groups or cloud-created Azure AD security groups. Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Azure AD. Groups that originate in Exchange Online as Distribution groups can't be modified in Azure AD either.
-* Applications can be Azure AD enterprise applications, which include both software as a service (SaaS) applications and your own applications integrated with Azure AD. For more information on how to select appropriate resources for applications with multiple roles, see [Add resource roles](entitlement-management-access-package-resources.md#add-resource-roles).
+* Groups can be cloud-created Microsoft 365 Groups or cloud-created Azure AD security groups.
+
+  * Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Azure AD. To give a user access to an application that uses AD security group memberships, create a new security group in Azure AD, configure [group writeback to AD](../hybrid/how-to-connect-group-writeback-v2.md), and [enable that group to be written to AD](../enterprise-users/groups-write-back-portal.md), so that the cloud-created group can be used by an AD-based application.
+
+  * Groups that originate in Exchange Online as Distribution groups can't be modified in Azure AD either, so cannot be added to catalogs.
+
+* Applications can be Azure AD enterprise applications, which include both software as a service (SaaS) applications and your own applications integrated with Azure AD.
+
+  * If your application has not yet been integrated with Azure AD, see [govern access for applications in your environment](identity-governance-applications-prepare.md) and [integrate an application with Azure AD](identity-governance-applications-integrate.md).
+
+  * For more information on how to select appropriate resources for applications with multiple roles, see [Add resource roles](entitlement-management-access-package-resources.md#add-resource-roles).
 * Sites can be SharePoint Online sites or SharePoint Online site collections.
 > [!NOTE]
 > Search SharePoint Site by site name or an exact URL as the search box is case sensitive.

articles/active-directory/manage-apps/configure-authentication-for-federated-users-portal.md

@@ -94,7 +94,7 @@ New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AccelerateToFe
 
 ```json
 "HomeRealmDiscoveryPolicy": {
-"AccelerateToFederatedDomain": true
+    "AccelerateToFederatedDomain": true
 }
 ```
 ::: zone-end
@@ -112,8 +112,10 @@ New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AccelerateToFe
 
 ```json
 "HomeRealmDiscoveryPolicy": {
-"AccelerateToFederatedDomain": true
-"PreferredDomain": ["federated.example.edu"]
+    "AccelerateToFederatedDomain": true,
+    "PreferredDomain": [
+      "federated.example.edu"
+    ]
 }
 ```
 ::: zone-end
@@ -126,7 +128,7 @@ The following policy enables username/password authentication for federated user
 ```json
 
 "EnableDirectAuthPolicy": {
-"AllowCloudPasswordValidation": true
+    "AllowCloudPasswordValidation": true
 }
 
 ```
@@ -222,9 +224,9 @@ Set the HRD policy using Microsoft Graph. See [homeRealmDiscoveryPolicy](/graph/
 
 From the Microsoft Graph explorer window:
 
-1. Grant the Policy.ReadWrite.ApplicationConfiguration permission under the **Modify permissions** tab.
+1. Grant consent to the *Policy.ReadWrite.ApplicationConfiguration* permission.
 1. Use the URL https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies
-1. POST the new policy to this URL, or PATCH to /policies/homerealmdiscoveryPolicies/{policyID} if overwriting an existing one.
+1. POST the new policy to this URL, or PATCH to https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/{policyID} if overwriting an existing one.
 1. POST or PATCH contents:
 
     ```json
@@ -242,15 +244,15 @@ From the Microsoft Graph explorer window:
 1. To see your new policy and get its ObjectID, run the following query:  
 
     ```http
-    GET policies/homeRealmDiscoveryPolicies
+    GET https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies
     ```	
 1. To  delete the HRD policy you created, run the query:
 
     ```http
-    DELETE /policies/homeRealmDiscoveryPolicies/{policy objectID}
+    DELETE https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/{policy objectID}
     ```	
 ::: zone-end
 
 ## Next steps
 
-[Prevent sign-in auto-acceleration](prevent-domain-hints-with-home-realm-discovery.md).
+[Prevent sign-in auto-acceleration](prevent-domain-hints-with-home-realm-discovery.md).

articles/active-directory/managed-identities-azure-resources/managed-identities-faq.md

@@ -12,7 +12,7 @@ ms.devlang:
 ms.topic: conceptual
 ms.tgt_pltfrm: 
 ms.workload: identity
-ms.date: 02/23/2022
+ms.date: 07/27/2022
 ms.author: barclayn
 ---
 
@@ -111,9 +111,9 @@ Managed identities use certificate-based authentication. Each managed identity
 
 In short, yes you can use user assigned managed identities in more than one Azure region. The longer answer is that while user assigned managed identities are created as regional resources the associated [service principal](../develop/app-objects-and-service-principals.md#service-principal-object) (SP) created in Azure AD is available globally. The service principal can be used from any Azure region and its availability is dependent on the availability of Azure AD. For example, if you created a user assigned managed identity in the South-Central region and that region becomes unavailable this issue only impacts [control plane](../../azure-resource-manager/management/control-plane-and-data-plane.md) activities on the managed identity itself.  The activities performed by any resources already configured to use the managed identities wouldn't be impacted.
 
-### Does managed identities for Azure resources work with Azure Cloud Services?
+### Does managed identities for Azure resources work with Azure Cloud Services (Classic)?
 
-No, there are no plans to support managed identities for Azure resources in Azure Cloud Services.
+Managed identities for Azure resources don’t have support for [Azure Cloud Services (classic)](../../cloud-services/cloud-services-choose-me.md) at this time. “
 
 
 ### What is the security boundary of managed identities for Azure resources?