fix merge conflict

Author: asudbring

.openpublishing.redirection.json

@@ -22888,6 +22888,11 @@
             "source_path_from_root": "/articles/virtual-network/scripts/virtual-network-cli-sample-multi-tier-application.md",
             "redirect_url": "/architecture/example-scenario/infrastructure/multi-tier-app-disaster-recovery",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa-with-federation.md",
+            "redirect_url": "/azure/active-directory/authentication/how-to-migrate-mfa-server-to-mfa-with-federation",
+            "redirect_document_id": true
         }
     ]
 }

articles/active-directory/authentication/TOC.yml

@@ -255,7 +255,7 @@
       - name: Migrate to Azure MFA and user authentication
         href: how-to-migrate-mfa-server-to-mfa-user-authentication.md
       - name: Migrate to Azure MFA with Federation
-        href: how-to-migrate-mfa-server-to-azure-mfa-with-federation.md    
+        href: how-to-migrate-mfa-server-to-mfa-with-federation.md
       - name: Migration Utility
         href: how-to-mfa-server-migration-utility.md    
     - name: Deploy MFA on-premises

articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa.md

@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
 ---
 # Migrate from MFA Server to Azure AD Multi-Factor Authentication
 
-Multifactor authentication (MFA) is important to securing your infrastructure and assets from bad actors. Azure AD Multi-Factor Authentication Server (MFA Server) isn’t available for new deployments and will be deprecated. Customers who are using MFA Server should move to using cloud-based Azure Active Directory (Azure AD) Multi-Factor Authentication.
+Multifactor authentication (MFA) is important to securing your infrastructure and assets from bad actors. Azure AD Multi-Factor Authentication Server (MFA Server) isn't available for new deployments and will be deprecated. Customers who are using MFA Server should move to using cloud-based Azure Active Directory (Azure AD) Multi-Factor Authentication.
 
 In this article, we assume that you have a hybrid environment where:
 
@@ -31,13 +31,13 @@ There are multiple possible end states to your migration, depending on your goal
 
 | <br> | Goal: Decommission MFA Server ONLY | Goal: Decommission MFA Server and move to Azure AD Authentication | Goal: Decommission MFA Server and AD FS |
 |------|------------------------------------|-------------------------------------------------------------------|-----------------------------------------|
-|MFA provider | Change MFA provider from MFA Server to Azure AD Multi-Factor Authentication. | Change MFA provider from MFA Server to Azure AD Multi-Factor Authentication. |	Change MFA provider from MFA Server to Azure AD Multi-Factor Authentication. |
+|MFA provider | Change MFA provider from MFA Server to Azure AD Multi-Factor Authentication. | Change MFA provider from MFA Server to Azure AD Multi-Factor Authentication. |    Change MFA provider from MFA Server to Azure AD Multi-Factor Authentication. |
 |User authentication  |Continue to use federation for Azure AD authentication. | Move to Azure AD with Password Hash Synchronization (preferred) or Passthrough Authentication **and** Seamless single sign-on (SSO).| Move to Azure AD with Password Hash Synchronization (preferred) or Passthrough Authentication **and** SSO. |
 |Application authentication | Continue to use AD FS authentication for your applications. | Continue to use AD FS authentication for your applications. | Move apps to Azure AD before migrating to Azure AD Multi-Factor Authentication. |
 
 If you can, move both your multifactor authentication and your user authentication to Azure. For step-by-step guidance, see [Moving to Azure AD Multi-Factor Authentication and Azure AD user authentication](how-to-migrate-mfa-server-to-mfa-user-authentication.md). 
 
-If you can’t move your user authentication, see the step-by-step guidance for [Moving to Azure AD Multi-Factor Authentication with federation](how-to-migrate-mfa-server-to-azure-mfa-with-federation.md).
+If you can't move your user authentication, see the step-by-step guidance for [Moving to Azure AD Multi-Factor Authentication with federation](how-to-migrate-mfa-server-to-mfa-with-federation.md).
 
 ## Prerequisites
 
@@ -51,7 +51,7 @@ If you can’t move your user authentication, see the step-by-step guidance for
 ## Considerations for all migration paths
 
 Migrating from MFA Server to Azure AD Multi-Factor Authentication involves more than just moving the registered MFA phone numbers. 
-Microsoft’s MFA server can be integrated with many systems, and you must evaluate how these systems are using MFA Server to understand the best ways to integrate with Azure AD Multi-Factor Authentication. 
+Microsoft's MFA server can be integrated with many systems, and you must evaluate how these systems are using MFA Server to understand the best ways to integrate with Azure AD Multi-Factor Authentication. 
 
 ### Migrating MFA user information
 
@@ -157,7 +157,7 @@ Others might include:
 
 ## Next steps
 
-- [Moving to Azure AD Multi-Factor Authentication with federation](how-to-migrate-mfa-server-to-azure-mfa-with-federation.md)
+- [Moving to Azure AD Multi-Factor Authentication with federation](how-to-migrate-mfa-server-to-mfa-with-federation.md)
 - [Moving to Azure AD Multi-Factor Authentication and Azure AD user authentication](how-to-migrate-mfa-server-to-mfa-user-authentication.md)
 - [How to use the MFA Server Migration Utility](how-to-mfa-server-migration-utility.md)
 

articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa-with-federation.md renamed to articles/active-directory/authentication/how-to-migrate-mfa-server-to-mfa-with-federation.md

@@ -19,7 +19,7 @@ To migrate to Azure AD MFA with federation, the Azure AD MFA authentication prov
 
 The following diagram shows the migration process.
 
-   ![Flow chart of the migration process. Process areas and headings in this document are in the same order](./media/how-to-migrate-mfa-server-to-azure-mfa-with-federation/mfa-federation-flow.png)
+   ![Flow chart of the migration process. Process areas and headings in this document are in the same order](./media/how-to-migrate-mfa-server-to-mfa-with-federation/mfa-federation-flow.png)
 
 ## Create migration groups
 
@@ -300,7 +300,7 @@ In Usage & insights, select **Authentication methods**.
 
 Detailed Azure AD MFA registration information can be found on the Registration tab. You can drill down to view a list of registered users by selecting the **Users capable of Azure multi-factor authentication** hyperlink.
 
-   ![Image of Authentication methods activity screen showing user registrations to MFA](./media/how-to-migrate-mfa-server-to-azure-mfa-with-federation/authentication-methods.png)
+   ![Image of Authentication methods activity screen showing user registrations to MFA](./media/how-to-migrate-mfa-server-to-mfa-with-federation/authentication-methods.png)
 
 ## Cleanup steps
 

articles/active-directory/authentication/media/how-to-migrate-mfa-server-to-azure-mfa-with-federation/authentication-methods.png renamed to articles/active-directory/authentication/media/how-to-migrate-mfa-server-to-mfa-with-federation/authentication-methods.png

@@ -524,10 +524,6 @@
           href: test-automate-integration-testing.md
         - name: Throttling and service limits
           href: test-throttle-service-limits.md
-        - name: Call and test a web API using Postman
-          href: howto-call-a-web-api-with-postman.md
-        - name: Call and test a web API using cURL
-          href: howto-call-a-web-api-with-curl.md
         - name: Create a service principal using the Azure portal
           href: howto-create-service-principal-portal.md
         - name: Create a service principal using Azure PowerShell
@@ -883,4 +879,4 @@
     - name: "Blog: Azure AD - Identity"
       href: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/bg-p/Identity
     - name: Azure roadmap - security and identity
-      href: https://azure.microsoft.com/roadmap/?category=security-identity
+      href: https://azure.microsoft.com/roadmap/?category=security-identity

articles/active-directory/authentication/media/how-to-migrate-mfa-server-to-azure-mfa-with-federation/mfa-federation-flow.png renamed to articles/active-directory/authentication/media/how-to-migrate-mfa-server-to-mfa-with-federation/mfa-federation-flow.png

@@ -8,17 +8,17 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 11/25/2022
+ms.date: 05/30/2023
 ms.author: owenrichards
 ms.reviewer: kenwith
 ms.custom: aaddev, engagement-fy23
 ---
 
 # Single Sign-Out SAML Protocol
 
-Azure Active Directory (Azure AD) supports the SAML 2.0 web browser single sign-out profile. For single sign-out to work correctly, the **LogoutURL** for the application must be explicitly registered with Azure AD during application registration. If the app is [added to the Azure App Gallery](../manage-apps/v2-howto-app-gallery-listing.md) then this value can be set by default. Otherwise, the value must be determined and set by the person adding the app to their Azure AD tenant. Azure AD uses the LogoutURL to redirect users after they're signed out. 
+Azure Active Directory (Azure AD) supports the SAML 2.0 web browser single sign-out profile. For single sign-out to work correctly, the **LogoutURL** for the application must be explicitly registered with Azure AD during application registration. 
 
-Azure AD supports redirect binding (HTTP GET), and not HTTP POST binding.
+If the app is [added to the Azure App Gallery](../manage-apps/v2-howto-app-gallery-listing.md) then this value can be set by default. Otherwise, the value must be determined and set by the person adding the app to their Azure AD tenant. Azure AD uses the **LogoutURL** to redirect users after they're signed out. Azure AD supports redirect binding (HTTP GET), and not HTTP POST binding.
 
 The following diagram shows the workflow of the Azure AD single sign-out process.
 
@@ -51,28 +51,31 @@ The `Issuer` element in a `LogoutRequest` must exactly match one of the **Servic
 The value of the `NameID` element must exactly match the `NameID` of the user that is being signed out. 
 
 > [!NOTE]
-> During SAML logout request, the `NameID` value is not considered by Azure Active Directory.  
-> If a single user session is active, Azure Active Directory will automatically select that session and the SAML logout will proceed.  
-> If multiple user sessions are active, Azure Active Directory will enumerate the active sessions for user selection. After user selection, the SAML logout will proceed.
+> During SAML logout request, the `NameID` value is not considered by Azure AD.  
+> If a single user session is active, Azure AD will automatically select that session and the SAML logout will proceed.  
+> If multiple user sessions are active, Azure AD will enumerate the active sessions for user selection. After user selection, the SAML logout will proceed.
 
 ## LogoutResponse
+
 Azure AD sends a `LogoutResponse` in response to a `LogoutRequest` element. The following excerpt shows a sample `LogoutResponse`.
 
 ```
 <samlp:LogoutResponse ID="_f0961a83-d071-4be5-a18c-9ae7b22987a4" Version="2.0" IssueInstant="2013-03-18T08:49:24.405Z" InResponseTo="iddce91f96e56747b5ace6d2e2aa9d4f8c" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
-  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/82869000-6ad1-48f0-8171-272ed18796e9/</Issuer>
+  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://login.microsoftonline.com/82869000-6ad1-48f0-8171-272ed18796e9/</Issuer>
   <samlp:Status>
     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
 </samlp:LogoutResponse>
+
 ```
 
 Azure AD sets the `ID`, `Version` and `IssueInstant` values in the `LogoutResponse` element. It also sets the `InResponseTo` element to the value of the `ID` attribute of the `LogoutRequest` that elicited the response.
 
 ### Issuer
-Azure AD sets this value to `https://login.microsoftonline.com/<TenantIdGUID>/` where \<TenantIdGUID> is the tenant ID of the Azure AD tenant.
 
-To evaluate the value of the `Issuer` element, use the value of the **App ID URI** provided during application registration.
+Azure AD sets this value to `https://login.microsoftonline.com/<TenantIdGUID>/` where \<TenantIdGUID> is the tenant ID of the Azure AD tenant. 
+
+To correctly identify the issuer element, use the value `https://login.microsoftonline.com/<TenantIdGUID>/` as shown in the sample LogoutResponse. This URL format identifies the Azure AD tenant as the issuer, representing the authority responsible for issuing the response.
 
 ### Status
 Azure AD uses the `StatusCode` element in the `Status` element to indicate the success or failure of sign-out. When the sign-out attempt fails, the `StatusCode` element can also contain custom error messages.

articles/active-directory/develop/TOC.yml

@@ -4,7 +4,7 @@ description: Sign in Azure AD users by using the Microsoft identity platform's i
 author: OwenRichards1
 manager: CelesteDG
 ms.custom: aaddev, identityplatformtop40
-ms.date: 02/14/2023
+ms.date: 05/30/2023
 ms.author: owenrichards
 ms.reviewer: ludwignick
 ms.service: active-directory
@@ -133,7 +133,7 @@ client_id=6731de76-14a6-49ae-97bc-6eba6914391e
 | --- | --- | --- |
 | `tenant` | Required | You can use the `{tenant}` value in the path of the request to control who can sign in to the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more information, see [protocol basics](active-directory-v2-protocols.md#endpoints). Critically, for guest scenarios where you sign a user from one tenant into another tenant, you *must* provide the tenant identifier to correctly sign them into the resource tenant.|
 | `client_id` | Required | The **Application (client) ID** that the [Azure portal – App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. |
-| `response_type` | Required | Must include `code` for OpenID Connect sign-in. |
+| `response_type` | Required | Must include `id_token` for OpenID Connect sign-in. |
 | `redirect_uri` | Recommended | The redirect URI of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect URIs you registered in the portal, except that it must be URL-encoded. If not present, the endpoint will pick one registered `redirect_uri` at random to send the user back to. |
 | `scope` | Required | A space-separated list of scopes. For OpenID Connect, it must include the scope `openid`, which translates to the **Sign you in** permission in the consent UI. You might also include other scopes in this request for requesting consent. |
 | `nonce` | Required | A value generated and sent by your app in its request for an ID token. The same `nonce` value is included in the ID token returned to your app by the Microsoft identity platform. To mitigate token replay attacks, your app should verify the `nonce` value in the ID token is the same value it sent when requesting the token. The value is typically a unique, random string. |

articles/active-directory/develop/single-sign-out-saml-protocol.md

@@ -9,7 +9,7 @@ ms.workload: identity
 ms.topic: how-to
 ms.subservice: compliance
 ms.date: 05/26/2023
-ms.author: amsliu
+ms.author: owinfrey
 ms.reviewer: krbain
 ms.custom: template-tutorial
 ---