Commit c79df1e

Merge pull request #174754 from MicrosoftDocs/master
10/06 AM Publish
2 parents 5ebe40a + f30a274 commit c79df1e

112 files changed

+816
-328
lines changed

articles/active-directory-b2c/implicit-flow-single-page-application.md

Lines changed: 1 addition & 1 deletion
@@ -218,7 +218,7 @@ error=user_authentication_required
218218
If you receive this error in the iframe request, the user must interactively sign in again to retrieve a new token.
219219

220220
## Refresh tokens
221-
ID tokens and access tokens both expire after a short period of time. Your app must be prepared to refresh these tokens periodically. To refresh either type of token, perform the same hidden iframe request we used in an earlier example, by using the `prompt=none` parameter to control Azure AD steps. To receive a new `id_token` value, be sure to use `response_type=id_token` and `scope=openid`, and a `nonce` parameter.
221+
ID tokens and access tokens both expire after a short period of time. Your app must be prepared to refresh these tokens periodically. Implicit flows do not allow you to obtain a refresh token due to security reasons. To refresh either type of token, use the implicit flow in a hidden HTML iframe element. In the authorization request include the `prompt=none` parameter. To receive a new id_token value, be sure to use `response_type=id_token` and `scope=openid`, and a `nonce` parameter.
222222

223223
## Send a sign-out request
224224
When you want to sign the user out of the app, redirect the user to Azure AD to sign out. If you don't redirect the user, they might be able to reauthenticate to your app without entering their credentials again because they have a valid single sign-on session with Azure AD.
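
Review bot: In the added line 221, "To receive a new id_token value" has lost the code formatting that the removed line had and that `response_type=id_token` keeps in the same sentence; restore the backticks around `id_token`. "Due to security reasons" reads better as "for security reasons", and "In the authorization request include" needs a comma after "request". The section heading is still "Refresh tokens" although the new sentence says the implicit flow does not issue one, so consider saying explicitly that the hidden iframe request returns a new ID token or access token.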

articles/active-directory/app-proxy/application-proxy-faq.yml

Lines changed: 14 additions & 2 deletions
@@ -55,7 +55,7 @@ sections:
5555
5656
To manually upgrade a connector:
5757
58-
- Download the latest version of the connector. (You will find it under Application Proxy on the Azure Portal. You can also find the link at [Azure AD Application Proxy: Version release history](./application-proxy-release-version-history.md).
58+
- Download the latest version of the connector. (You will find it under Application Proxy on the Azure portal. You can also find the link at [Azure AD Application Proxy: Version release history](./application-proxy-release-version-history.md).
5959
- The installer restarts the Azure AD Application Proxy Connector services. In some cases, a reboot of the server might be required if the installer cannot replace all files. Therefore we recommend closing all applications (i.e. Event Viewer) before you start the upgrade.
6060
- Run the installer. The upgrade process is quick and does not require providing any credentials and the connector will not be re-registered.
6161
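
Review bot: The parenthesis opened at "(You will find it under Application Proxy" in the changed line 58 is never closed; add the closing ")" after the release-history link while this line is being edited. In the unchanged context line 59, "(i.e. Event Viewer)" introduces an example and should read "e.g.".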
@@ -158,7 +158,19 @@ sections:
158158
How do I change the landing page my application loads?
159159
answer: |
160160
From the Application Registrations page, you can change the homepage URL to the desired external URL of the landing page. The specified page will load when the application is launched from My Apps or the Office 365 Portal. For configuration steps, see [Set a custom home page for published apps by using Azure AD Application Proxy](application-proxy-configure-custom-home-page.md)
161-
161+
162+
- question: |
163+
Why do I get redirected to a truncated URL when I try to access my published application whenever the URL contains a "#" (hashtag) character?
164+
answer: |
165+
If Azure AD pre-authentication is configured, and the application URL contains a “#” character when you try to access the application for the first time, you get redirected to Azure AD (login.microsoftonline.com) for the authentication. Once you complete the authentication you get redirected to the URL part prior to the ”#” character and everything that comes after the “#“ seems to be ignored/ removed. For example if the URL is `https://www.contoso.com/#/home/index.html`, once the Azure AD authentication is done the user will be redirected to `https://www.contoso.com/`.
166+
This behavior is by design due to how the “#” character is handled by the browser.
167+
168+
Possible solutions/ alternatives:
169+
170+
- Setup a redirection from `https://www.contoso.com` to `https://contoso.com/#/home/index.html`. The user must first access `https://www.contoso.com`.
171+
- The URL used for the first access attempt must include the “#” character in encoded form (%23). The published server might not accept this.
172+
- Configure passthrough pre-authentication type (not recommended).
173+
162174
- question: |
163175
Can only IIS-based applications be published? What about web applications running on non-Windows web servers? Does the connector have to be installed on a server with IIS installed?
164176
answer: |
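
Review bot: The first workaround (added line 170) redirects to `https://contoso.com/#/home/index.html`, while the example on line 165 and the redirect source both use `https://www.contoso.com`; the hosts should match, otherwise the reader configures a redirect to a different origin than the published application. On line 166, "by design due to how the # character is handled by the browser" would be clearer if it said that the browser does not send the fragment to the server, so it is not available when Azure AD redirects back. The "(not recommended)" on line 172 should give the reason, namely that passthrough gives up the Azure AD pre-authentication this answer assumes. Wording: the quotation marks around # on line 165 are mismatched (”#” and “#“), "Setup" should be "Set up", and "ignored/ removed" and "solutions/ alternatives" have a stray space after the slash.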

articles/active-directory/develop/active-directory-saml-claims-customization.md

Lines changed: 2 additions & 1 deletion
@@ -53,8 +53,9 @@ From the **Choose name identifier format** dropdown, you can select one of the f
5353
|---------------|-------------|
5454
| **Default** | Microsoft identity platform will use the default source format. |
5555
| **Persistent** | Microsoft identity platform will use Persistent as the NameID format. |
56-
| **EmailAddress** | Microsoft identity platform will use EmailAddress as the NameID format. |
56+
| **Email address** | Microsoft identity platform will use EmailAddress as the NameID format. |
5757
| **Unspecified** | Microsoft identity platform will use Unspecified as the NameID format. |
58+
|**Windows domain qualified name**| Microsoft identity platform will use the WindowsDomainQualifiedName format.|
5859

5960
Transient NameID is also supported, but is not available in the dropdown and cannot be configured on Azure's side. To learn more about the NameIDPolicy attribute, see [Single Sign-On SAML protocol](single-sign-on-saml-protocol.md).
6061
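
Review bot: The added row on line 58 does not follow the wording or spacing of the rows above it: the other rows say "will use X as the NameID format" and pad the cells with spaces, while this one says "will use the WindowsDomainQualifiedName format" with no padding. Suggest `| **Windows domain qualified name** | Microsoft identity platform will use WindowsDomainQualifiedName as the NameID format. |`. Since "Email address" on line 56 is now display text rather than the format name, confirm the remaining labels match the dropdown as well.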

articles/active-directory/manage-apps/access-panel-collections.md

Lines changed: 5 additions & 4 deletions
@@ -1,6 +1,7 @@
11
---
2-
title: Create collections for My Apps portals in Azure Active Directory | Microsoft Docs
3-
description: Use My Apps collections to Customize My Apps pages for a simpler My Apps experience for your end users. Organize applications into groups with separate tabs.
2+
title: Create collections for My Apps portals
3+
titleSuffix: Azure AD
4+
description: Use My Apps collections to Customize My Apps pages for a simpler My Apps experience for your users. Organize applications into groups with separate tabs.
45
services: active-directory
56
author: davidmu1
67
manager: CelesteDG
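
Review bot: In the rewritten `description` on added line 4, "Customize" is still capitalized mid-sentence; lowercase it while the line is being changed. The new `title` on line 2 says "My Apps portals" in the plural, whereas the customer intent line and the H1 in this same file refer to a single My Apps portal; pick one form.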
@@ -13,10 +14,10 @@ ms.author: davidmu
1314
ms.reviewer: lenalepa
1415
ms.collection: M365-identity-device-management
1516

16-
#customer intent: As an admin, I want to enable and create collections for My Apps portal in Azure AD.
17+
#customer intent: As an admin, I want to enable and create collections for My Apps portal in Azure AD so that I can create a simpler My Apps experience for users.
1718
---
1819

19-
# Create collections on the My Apps portal
20+
# Create collections on the My Apps portal in Azure Active Directory
2021

2122
Your users can use the My Apps portal to view and start the cloud-based applications they have access to. By default, all the applications a user can access are listed together on a single page. To better organize this page for your users, if you have an Azure AD Premium P1 or P2 license you can set up collections. With a collection, you can group together applications that are related (for example, by job role, task, or project) and display them on a separate tab. A collection essentially applies a filter to the applications a user can already access, so the user sees only those applications in the collection that have been assigned to them.
2223

articles/active-directory/manage-apps/app-management-powershell-samples.md

Lines changed: 2 additions & 1 deletion
@@ -1,5 +1,6 @@
11
---
2-
title: PowerShell samples for Azure Active Directory Application Management
2+
title: PowerShell samples in Application Management
3+
titleSuffix: Azure AD
34
description: These PowerShell samples are used for apps you manage in your Azure Active Directory tenant. You can use these sample scripts to find expiration information about secrets and certificates.
45
services: active-directory
56
author: davidmu1

articles/active-directory/manage-apps/application-management-certs-faq.md

Lines changed: 3 additions & 2 deletions
@@ -1,5 +1,6 @@
11
---
2-
title: Azure Active Directory Application Management certificates frequently asked questions
2+
title: Application Management certificates frequently asked questions
3+
titleSuffix: Azure AD
34
description: Learn answers to frequently asked questions (FAQ) about managing certificates for apps using Azure Active Directory as an Identity Provider (IdP).
45
services: active-directory
56
author: davidmu1
@@ -13,7 +14,7 @@ ms.author: davidmu
1314
ms.reviewer: sureshja, saumadan
1415
---
1516

16-
# Azure Active Directory (Azure AD) Application Management certificates frequently asked questions
17+
# Azure Active Directory Application Management certificates frequently asked questions
1718

1819
This page answers frequently asked questions about managing the certificates for apps using Azure Active Directory (Azure AD) as an Identity Provider (IdP).
1920

articles/active-directory/manage-apps/application-management-fundamentals.md

Lines changed: 4 additions & 3 deletions
@@ -1,5 +1,6 @@
11
---
2-
title: 'Application management: Best practices and recommendations | Microsoft Docs'
2+
title: 'Application management: Best practices and recommendations'
3+
titleSuffix: Azure AD
34
description: Learn best practices and recommendations for managing applications in Azure Active Directory. Learn about using automatic provisioning and publishing on-premises apps with Application Proxy.
45
services: active-directory
56
author: davidmu1
@@ -16,7 +17,7 @@ ms.collection: M365-identity-device-management
1617
ms.reviewer: napuri
1718
---
1819

19-
# Application management best practices
20+
# Application management best practices in Azure Active Directory
2021

2122
This article contains recommendations and best practices for managing applications in Azure Active Directory (Azure AD), using automatic provisioning, and publishing on-premises apps with Application Proxy.
2223

@@ -49,6 +50,6 @@ This article contains recommendations and best practices for managing applicatio
4950
| Synchronize users before deploying Application Proxy | Before deploying application proxy, synchronize user identities from an on-premises directory or create them directly in Azure AD. Identity synchronization allows Azure AD to pre-authenticate users before granting them access to App Proxy published applications. It also provides the necessary user identifier information to perform single sign-on (SSO). (See [Application Proxy planning](../app-proxy/application-proxy-deployment-plan.md).) |
5051
| Follow our tips for high availability and load balancing | To learn how traffic flows among users, Application Proxy connectors, and back-end app servers, and to get tips for optimizing performance and load balancing, see [High availability and load balancing of your Application Proxy connectors and applications](../app-proxy/application-proxy-high-availability-load-balancing.md). |
5152
| Use multiple connectors | Use two or more Application Proxy connectors for greater resiliency, availability, and scale (see [Application Proxy connectors](../app-proxy/application-proxy-connectors.md)). Create connector groups and ensure each connector group has at least two connectors (three connectors is optimal). |
52-
| Locate connector servers close to application servers, and make sure they're in the same domain | To optimize performance, physically locate the connector server close to the application servers (see [Network topology considerations](../app-proxy/application-proxy-network-topology.md)). Also, the connector server and web applications servers should belong to the same Active Directory domain, or they should span trusting domains. This configuration is required for SSO with integrated Windows authentication (IWA) and Kerberos Constrained Delegation (KCD). If the servers are in different domains, you'll need to use resource-based delegation for SSO (see [KCD for single sign-on with Application Proxy](../app-proxy/application-proxy-configure-single-sign-on-with-kcd.md)). |
53+
| Locate connector servers close to application servers, and make sure they're in the same domain | To optimize performance, physically locate the connector server close to the application servers (see [Network topology considerations](../app-proxy/application-proxy-network-topology.md)). Also, the connector server and web applications servers should belong to the same Active Directory domain, or they should span trusting domains. This configuration is required for SSO with Integrated Windows Authentication (IWA) and Kerberos Constrained Delegation (KCD). If the servers are in different domains, you'll need to use resource-based delegation for SSO (see [KCD for single sign-on with Application Proxy](../app-proxy/application-proxy-configure-single-sign-on-with-kcd.md)). |
5354
| Enable auto-updates for connectors | Enable auto-updates for your connectors for the latest features and bug fixes. Microsoft provides direct support for the latest connector version and one version before. (See [Application Proxy release version history](../app-proxy/application-proxy-release-version-history.md).) |
5455
| Bypass your on-premises proxy | For easier maintenance, configure the connector to bypass your on-premises proxy so it directly connects to the Azure services. (See [Application Proxy connectors and proxy servers](../app-proxy/application-proxy-configure-connectors-with-proxy-servers.md).) |
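
Review bot: The changed row on line 53 still contains "web applications servers"; since the row is already being edited for the capitalization of Integrated Windows Authentication, correct it to "web application servers" in the same change.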

articles/active-directory/manage-apps/application-sign-in-other-problem-access-panel.md

Lines changed: 3 additions & 2 deletions
@@ -1,5 +1,6 @@
11
---
2-
title: Troubleshoot problems signing in to an application from Azure AD My Apps
2+
title: Troubleshoot problems signing in to an application from My Apps portal
3+
titleSuffix: Azure AD
34
description: Troubleshoot problems signing in to an application from Azure AD My Apps
45
services: active-directory
56
author: davidmu1
@@ -14,7 +15,7 @@ ms.reviewer: lenalepa
1415
ms.custom: contperf-fy21q2
1516
---
1617

17-
# Troubleshoot problems signing in to an application from Azure AD My Apps
18+
# Troubleshoot application sign-in in Azure Active Directory
1819

1920
My Apps is a web-based portal that enables a user with a work or school account in Azure Active Directory (Azure AD) to view and start cloud-based applications that the Azure AD administrator has granted them access to. My Apps is accessed using a web browser at [https://myapps.microsoft.com](https://myapps.microsoft.com).
2021
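
Review bot: The new H1 on line 18, "Troubleshoot application sign-in in Azure Active Directory", no longer mentions My Apps, although the `title` and `description` in this file's front matter and the opening paragraph on line 20 are specifically about signing in from the My Apps portal. Keep the portal in the heading, for example "Troubleshoot problems signing in to an application from the My Apps portal in Azure Active Directory", so the heading, title and content describe the same scope. The new `title` is also missing "the" before "My Apps portal".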

articles/active-directory/manage-apps/application-sign-in-problem-application-error.md

Lines changed: 3 additions & 2 deletions
@@ -1,5 +1,6 @@
11
---
2-
title: Error message appears on app page after you sign in | Microsoft Docs
2+
title: Error message appears on app page after you sign in
3+
titleSuffix: Azure AD
34
description: How to resolve issues with Azure AD sign in when the app returns an error message.
45
services: active-directory
56
author: davidmu1
@@ -14,7 +15,7 @@ ms.reviewer: ergreenl
1415
ms.collection: M365-identity-device-management
1516
---
1617

17-
# An app page shows an error message after the user signs in
18+
# An app page shows an error message after the user signs in Azure Active Directory
1819

1920
In this scenario, Azure Active Directory (Azure AD) signs the user in. But the application displays an error message and doesn't let the user finish the sign-in flow. The problem is that the app didn't accept the response that Azure AD issued.
2021
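
Review bot: The new H1 on line 18 ends "after the user signs in Azure Active Directory", which is ungrammatical and changes the meaning: the paragraph below says Azure AD signs the user in and the application then shows the error. Reword so the product name does not attach to "signs in", for example "An app page shows an error message after the user signs in with Azure Active Directory".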

articles/active-directory/manage-apps/application-sign-in-problem-first-party-microsoft.md

Lines changed: 3 additions & 2 deletions
@@ -1,5 +1,6 @@
11
---
2-
title: Problems signing in to a Microsoft application | Microsoft Docs
2+
title: Problems signing in to a Microsoft application
3+
titleSuffix: Azure AD
34
description: Troubleshoot common problems faced when signing in to first-party Microsoft Applications using Azure AD (like Microsoft 365).
45
services: active-directory
56
author: davidmu1
@@ -14,7 +15,7 @@ ms.reviewer: alamaral
1415
ms.collection: M365-identity-device-management
1516
---
1617

17-
# Problems signing in to a Microsoft application
18+
# Problems signing in to a Microsoft application in Azure Active Directory
1819

1920
Microsoft Applications (like Exchange, SharePoint, Yammer, etc.) are assigned and managed a bit differently than 3rd party SaaS applications or other applications you integrate with Azure AD for single sign on.
2021
