Merge branch 'master' into release-ie-converge

Author: v-alje

.github/workflows/stale.yml

@@ -19,7 +19,8 @@ jobs:
         close-pr-label: auto-close
         exempt-pr-labels: keep-open
         operations-per-run: 1200
-        ascending: false
+        ascending: true
+        start-date: '2021-04-12'
         stale-pr-message: >
           This pull request has been inactive for at least 14 days.
           If you are finished with your changes, don't forget to sign off. See the [contributor guide](https://review.docs.microsoft.com/help/contribute/contribute-how-to-write-pull-request-automation) for instructions.

.openpublishing.publish.config.json

@@ -845,6 +845,7 @@
     "articles/purview/.openpublishing.redirection.purview.json",
     "articles/service-bus-messaging/.openpublishing.redirection.service-bus-messaging.json",
     "articles/stream-analytics/.openpublishing.redirection.stream-analytics.json",
-    "articles/virtual-machines/.openpublishing.redirection.virtual-machines.json"
+    "articles/virtual-machines/.openpublishing.redirection.virtual-machines.json",
+    "articles/mysql/.openpublishing.redirection.mysql.json"
   ]
 }

articles/active-directory-b2c/configure-tokens.md

@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 09/15/2021
+ms.date: 10/08/2021
 ms.custom: project-no-code
 ms.author: mimart
 ms.subservice: B2C
@@ -58,6 +58,11 @@ To configure your user flow token lifetime:
 1. Under **Token lifetime**, adjust the properties to fit the needs of your application.
 1. Click **Save**.
 
+
+
+:::image type="content" source="./media/configure-tokens/configure-tokens.png" alt-text="configure user flows tokens in Azure portal.":::
+
+
 ::: zone-end
 
 ::: zone pivot="b2c-custom-policy"

articles/active-directory-b2c/implicit-flow-single-page-application.md

@@ -218,7 +218,7 @@ error=user_authentication_required
 If you receive this error in the iframe request, the user must interactively sign in again to retrieve a new token.
 
 ## Refresh tokens
-ID tokens and access tokens both expire after a short period of time. Your app must be prepared to refresh these tokens periodically.  To refresh either type of token, perform the same hidden iframe request we used in an earlier example, by using the `prompt=none` parameter to control Azure AD steps.  To receive a new `id_token` value, be sure to use `response_type=id_token` and `scope=openid`, and a `nonce` parameter.
+ID tokens and access tokens both expire after a short period of time. Your app must be prepared to refresh these tokens periodically. Implicit flows do not allow you to obtain a refresh token due to security reasons. To refresh either type of token, use the implicit flow in a hidden HTML iframe element. In the authorization request include the  `prompt=none` parameter. To receive a new id_token value, be sure to use `response_type=id_token` and `scope=openid`, and a `nonce` parameter.
 
 ## Send a sign-out request
 When you want to sign the user out of the app, redirect the user to Azure AD to sign out. If you don't redirect the user, they might be able to reauthenticate to your app without entering their credentials again because they have a valid single sign-on session with Azure AD.

articles/active-directory-b2c/media/configure-tokens/configure-tokens.png

@@ -55,7 +55,7 @@ sections:
           
               To manually upgrade a connector:
           
-              - Download the latest version of the connector. (You will find it under Application Proxy on the Azure Portal. You can also find the link at [Azure AD Application Proxy: Version release history](./application-proxy-release-version-history.md).
+              - Download the latest version of the connector. (You will find it under Application Proxy on the Azure portal. You can also find the link at [Azure AD Application Proxy: Version release history](./application-proxy-release-version-history.md).
               -	The installer restarts the Azure AD Application Proxy Connector services. In some cases, a reboot of the server might be required if the installer cannot replace all files. Therefore we recommend closing all applications (i.e. Event Viewer) before you start the upgrade.
               -	Run the installer. The upgrade process is quick and does not require providing any credentials and the connector will not be re-registered.
           
@@ -158,7 +158,19 @@ sections:
          How do I change the landing page my application loads?
         answer: |
               From the Application Registrations page, you can change the homepage URL to the desired external URL of the landing page. The specified page will load when the application is launched from My Apps or the Office 365 Portal. For configuration steps, see [Set a custom home page for published apps by using Azure AD Application Proxy](application-proxy-configure-custom-home-page.md)
-          
+
+      - question: |
+         Why do I get redirected to a truncated URL when I try to access my published application whenever the  URL contains a "#"  (hashtag) character?
+        answer: |
+              If Azure AD pre-authentication is configured, and the application URL contains a “#” character when you try to access the application for the first time, you get redirected to Azure AD (login.microsoftonline.com) for the authentication. Once you complete the authentication you get redirected to the URL part prior to the ”#” character and everything that comes after the “#“ seems to be ignored/ removed. For example if the URL is `https://www.contoso.com/#/home/index.html`, once the Azure AD authentication is done the user will be redirected to `https://www.contoso.com/`.
+              This behavior is by design due to how the “#” character is handled by the browser.
+              
+              Possible solutions/  alternatives:
+
+              - Setup a redirection from `https://www.contoso.com` to `https://contoso.com/#/home/index.html`. The user must first access `https://www.contoso.com`.
+              - The URL used for the first access attempt must include the “#” character in encoded form (%23). The published server might not accept this.
+              - Configure passthrough pre-authentication type (not recommended).
+              
       - question: |
          Can only IIS-based applications be published? What about web applications running on non-Windows web servers? Does the connector have to be installed on a server with IIS installed?
         answer: |

articles/active-directory/app-proxy/application-proxy-faq.yml

@@ -53,8 +53,9 @@ From the **Choose name identifier format** dropdown, you can select one of the f
 |---------------|-------------|
 | **Default** | Microsoft identity platform will use the default source format. |
 | **Persistent** | Microsoft identity platform will use Persistent as the NameID format. |
-| **EmailAddress** | Microsoft identity platform will use EmailAddress as the NameID format. |
+| **Email address** | Microsoft identity platform will use EmailAddress as the NameID format. |
 | **Unspecified** | Microsoft identity platform will use Unspecified as the NameID format. |
+|**Windows domain qualified name**| Microsoft identity platform will use the WindowsDomainQualifiedName format.|
 
 Transient NameID is also supported, but is not available in the dropdown and cannot be configured on Azure's side. To learn more about the NameIDPolicy attribute, see [Single Sign-On SAML protocol](single-sign-on-saml-protocol.md).
 

articles/active-directory/develop/active-directory-saml-claims-customization.md

@@ -12,7 +12,7 @@ ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: how-to
 ms.subservice: compliance
-ms.date: 04/12/2021
+ms.date: 10/05/2021
 ms.author: ajburnle
 ms.reviewer: 
 ms.collection: M365-identity-device-management
@@ -70,7 +70,7 @@ $assignments = Get-MgEntitlementManagementAccessPackageAssignment -AccessPackage
 $assignments | ft Id,AssignmentState,TargetId,{$_.Target.DisplayName}
 ```
 
-## Directly assign a user
+## Directly assign a user 
 
 In some cases, you might want to directly assign specific users to an access package so that users don't have to go through the process of requesting the access package. To directly assign users, the access package must have a policy that allows administrator direct assignments.
 
@@ -110,6 +110,35 @@ In some cases, you might want to directly assign specific users to an access pac
 > [!NOTE]
 > When assigning users to an access package, administrators will need to verify that the users are eligible for that access package based on the existing policy requirements. Otherwise, the users won't successfully be assigned to the access package. If the access package contains a policy that requires user requests to be approved, users can't be directly assigned to the package without necessary approval(s) from the designated approver(s).
 
+## Directly assign any user (Preview)
+Azure AD Entitlement Management also allows you to directly assign external users to an access package to make collaborating with partners easier. To do this, the access package must have a policy that allows users not yet in your directory to request access.
+
+**Prerequisite role:** Global administrator, User administrator, Catalog owner, Access package manager or Access package assignment manager
+
+1.	In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.
+
+1.	In the left menu, click **Access packages** and then open the access package in which you want to add a user.
+
+1.	In the left menu, click **Assignments**.
+
+1.	Select **New assignment** to open **Add user to access package**.
+
+1.	In the **Select policy** list, select a policy that allows that is set to **For users not in your directory**
+
+1. Select **Any user**. You’ll be able to specify which users you want to assign to this access package.
+    ![Assignments - Add any user to access package](./media/entitlement-management-access-package-assignments/assignments-add-any-user.png)
+
+1. Enter the user’s **Name** (optional) and the user’s **Email address** (required).
+
+    > [!NOTE]
+    > - The user you want to add must be within the scope of the policy. For example, if your policy is set to **Specific connected organizations**, the user’s email address must be from the domain(s) of the selected organization(s). If the user you are trying to add has an email address of jen@*foo.com* but the selected organization’s domain is *bar.com*, you won't be able to add that user to the access package.
+    > - Similarly, if you set your policy to include **All configured connected organizations**, the user’s email address must be from one of your configured connected organizations. Otherwise, the user won't be added to the access package.
+    > - If you wish to add any user to the access package, you'll need to ensure that you select **All users (All connected organizations + any external user)** when configuring your policy.
+
+1.	Set the date and time you want the selected users' assignment to start and end. If an end date is not provided, the policy's lifecycle settings will be used.
+1.	Click **Add** to directly assign the selected users to the access package.
+1.	After a few moments, click **Refresh** to see the users in the Assignments list.
+
 ## Directly assigning users programmatically
 ### Assign a user to an access package with Microsoft Graph
 You can also directly assign a user to an access package using Microsoft Graph.  A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission, or an application with that application permission, can call the API to [create an accessPackageAssignmentRequest](/graph/api/accesspackageassignmentrequest-post?view=graph-rest-beta&preserve-view=true). In this request, the value of the `requestType` property should be `AdminAdd`, and the `accessPackageAssignment` property is a structure that contains the `targetId` of the user being assigned.

articles/active-directory/governance/entitlement-management-access-package-assignments.md

@@ -1,6 +1,7 @@
 ---
-title: Create collections for My Apps portals in Azure Active Directory  | Microsoft Docs
-description: Use My Apps collections to Customize My Apps pages for a simpler My Apps experience for your end users. Organize applications into groups with separate tabs.
+title: Create collections for My Apps portals
+titleSuffix: Azure AD
+description: Use My Apps collections to Customize My Apps pages for a simpler My Apps experience for your users. Organize applications into groups with separate tabs.
 services: active-directory
 author: davidmu1
 manager: CelesteDG
@@ -13,10 +14,10 @@ ms.author: davidmu
 ms.reviewer: lenalepa
 ms.collection: M365-identity-device-management
 
-#customer intent: As an admin, I want to enable and create collections for My Apps portal in Azure AD.
+#customer intent: As an admin, I want to enable and create collections for My Apps portal in Azure AD so that I can create a simpler My Apps experience for users.
 ---
 
-# Create collections on the My Apps portal
+# Create collections on the My Apps portal in Azure Active Directory
 
 Your users can use the My Apps portal to view and start the cloud-based applications they have access to. By default, all the applications a user can access are listed together on a single page. To better organize this page for your users, if you have an Azure AD Premium P1 or P2 license you can set up collections. With a collection, you can group together applications that are related (for example, by job role, task, or project) and display them on a separate tab. A collection essentially applies a filter to the applications a user can already access, so the user sees only those applications in the collection that have been assigned to them.