Merge pull request #231384 from MicrosoftDocs/main

3/20 AM Publish

Author: huypub

articles/active-directory-b2c/faq.yml

@@ -261,6 +261,11 @@ sections:
           
           1. Retrieve the `RefreshToken` again.
           
+      - question: |
+         I use multiple tabs in a web browser to sign in to multiple applications that I registered in the same Azure AD B2C tenant. When I try to perform a single sign out, not all of the applications are signed out. Why does this happen? 
+        answer: |
+          Currently, Azure AD B2C doesn't support single sign out for this specific scenario. It's caused by cookie contention as all the applications operates on the same cookie simultaneously.
+          
       - question: |
           How do I report issues with Azure AD B2C?
         answer: |

articles/active-directory-b2c/identity-provider-generic-openid-connect.md

@@ -81,6 +81,7 @@ Define the OpenId Connect identity provider by adding it to the **ClaimsProvider
             <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
             <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
             <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
+            <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="oid"/>
           </OutputClaims>
           <OutputClaimsTransformations>
             <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>

articles/active-directory/develop/msal-error-handling-js.md

@@ -54,17 +54,20 @@ The following error types are available:
 
 - `InteractionRequiredAuthError`: Error class, extends `ServerError` to represent server errors, which require an interactive call. This error is thrown by `acquireTokenSilent` if the user is required to interact with the server to provide credentials or consent for authentication/authorization. Error codes include `"interaction_required"`, `"login_required"`, and `"consent_required"`.
 
-For error handling in authentication flows with redirect methods (`loginRedirect`, `acquireTokenRedirect`), you'll need to register the callback, which is called with success or failure after the redirect using `handleRedirectCallback()` method as follows:
+For error handling in authentication flows with redirect methods (`loginRedirect`, `acquireTokenRedirect`), you'll need to handle the redirect promise, which is called with success or failure after the redirect using the `handleRedirectPromise()` method as follows:
 
 ```javascript
-function authCallback(error, response) {
-    //handle redirect response
-}
-
-var myMSALObj = new Msal.UserAgentApplication(msalConfig);
+const msal = require('@azure/msal-browser');
+const myMSALObj = new msal.PublicClientApplication(msalConfig);
 
 // Register Callbacks for redirect flow
-myMSALObj.handleRedirectCallback(authCallback);
+myMSALObj.handleRedirectPromise()
+    .then(function (response) {
+        //success response
+    })
+    .catch((error) => {
+        console.log(error);
+    })
 myMSALObj.acquireTokenRedirect(request);
 ```
 
@@ -97,10 +100,8 @@ myMSALObj.acquireTokenSilent(request).then(function (response) {
     // call API
 }).catch( function (error) {
     // call acquireTokenPopup in case of acquireTokenSilent failure
-    // due to consent or interaction required
-    if (error.errorCode === "consent_required"
-    || error.errorCode === "interaction_required"
-    || error.errorCode === "login_required") {
+    // due to interaction required
+    if (error instanceof InteractionRequiredAuthError) {
         myMSALObj.acquireTokenPopup(request).then(
             function (response) {
                 // call API
@@ -123,10 +124,9 @@ myMSALObj.acquireTokenSilent(accessTokenRequest).then(function(accessTokenRespon
 }).catch(function(error) {
     if (error instanceof InteractionRequiredAuthError) {
 
-        // extract, if exists, claims from error message
-        if (error.ErrorMessage.claims) {
-            accessTokenRequest.claimsRequest = JSON.stringify(error.ErrorMessage.claims);
-        }
+        // extract, if exists, claims from the error object
+        if (error.claims) {
+            accessTokenRequest.claims = error.claims,
 
         // call acquireTokenPopup in case of InteractionRequiredAuthError failure
         myMSALObj.acquireTokenPopup(accessTokenRequest).then(function(accessTokenResponse) {
@@ -140,13 +140,12 @@ myMSALObj.acquireTokenSilent(accessTokenRequest).then(function(accessTokenRespon
 
 Interactively acquiring the token prompts the user and gives them the opportunity to satisfy the required Conditional Access policy.
 
-When calling an API requiring Conditional Access, you can receive a claims challenge in the error from the API. In this case, you can pass the claims returned in the error to the `claimsRequest` field of the `AuthenticationParameters.ts` class to satisfy the appropriate policy. 
-
-See [Requesting Additional Claims](active-directory-optional-claims.md) for more detail.
+When calling an API requiring Conditional Access, you can receive a claims challenge in the error from the API. In this case, you can pass the claims returned in the error to the `claims` parameter in the [access token request object](https://learn.microsoft.com/azure/active-directory/develop/msal-js-pass-custom-state-authentication-request) to satisfy the appropriate policy. 
 
+See [How to use Continuous Access Evaluation enabled APIs in your applications](./app-resilience-continuous-access-evaluation.md) for more detail.
 
 [!INCLUDE [Active directory error handling retries](../../../includes/active-directory-develop-error-handling-retries.md)]
 
 ## Next steps
 
-Consider enabling [Logging in MSAL.js](msal-logging-js.md) to help you diagnose and debug issues.
+Consider enabling [Logging in MSAL.js](msal-logging-js.md) to help you diagnose and debug issues

articles/active-directory/hybrid/reference-connect-version-history.md

@@ -47,7 +47,6 @@ Required permissions | For permissions required to apply an update, see [Azure A
 > 
 > The following versions will retire on 15 March 2023:
 >
-> - 2.0.91.0
 > - 2.0.89.0
 > - 2.0.88.0
 > - 2.0.28.0

articles/active-directory/saas-apps/servicenow-provisioning-tutorial.md

@@ -3,12 +3,13 @@ title: Configure ServiceNow for automatic user provisioning with Azure Active Di
 description: Learn how to automatically provision and deprovision user accounts from Azure AD to ServiceNow.
 services: active-directory
 author: twimmers
-manager: CelesteDG
-ms.reviewer: celested
+writer: twimmers
+manager: beatrizd
+ms.assetid: 5f03d8b7-c3a0-443e-91af-99cc3956fa18
 ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
-ms.topic: how-to
+ms.topic: tutorial
 ms.date: 3/10/2023
 ms.author: thwimmer
 ---
@@ -87,13 +88,13 @@ To configure automatic user provisioning for ServiceNow in Azure AD:
 1. Set **Provisioning Mode** to **Automatic**.
 
 1. In the **Admin Credentials** section, enter your ServiceNow tenant URL, Client ID, Client Secret and Authorization Endpoint. Select **Test Connection** to ensure that Azure AD can connect to ServiceNow. [This ServiceNow documentation](https://docs.servicenow.com/bundle/utah-platform-security/page/administer/security/task/t_CreateEndpointforExternalClients.html) outlines how to generate these values.
+   ![Screenshot that shows the Service Provisioning page, where you can enter admin credentials.](./media/servicenow-provisioning-tutorial/servicenow-provisioning.png)
 
-- Tenant URL: https://**InsertInstanceName**.service-now.com/api/now/scim
-- Authorization Endpoint: https://**InsertInstanceName**.service-now.com/oauth_auth.do?response_type=code&client_id=**InsertClientID**&state=1&scope=useraccount&redirect_uri=https%3A%2F%2Fportal.azure.com%2FTokenAuthorize
-- Token Endoint: https://**InsertInstanceName**.service-now.com/api/now/scim
-
-![Screenshot that shows the Service Provisioning page, where you can enter admin credentials.](./media/servicenow-provisioning-tutorial/servicenow-provisioning.png)
-
+   > [!NOTE]
+   > - Tenant URL: https://**InsertInstanceName**.service-now.com/api/now/scim
+   > - Authorization Endpoint: https://**InsertInstanceName**.service-now.com/oauth_auth.do?response_type=code&client_id=**InsertClientID**&state=1&scope=useraccount&redirect_uri=https%3A%2F%2Fportal.azure.com%2FTokenAuthorize
+   > - Token Endoint: https://**InsertInstanceName**.service-now.com/api/now/scim
+   
 1. In the **Notification Email** box, enter the email address of a person or group that should receive the provisioning error notifications. Then select the **Send an email notification when a failure occurs** check box.
 
 1. Select **Save**.

articles/aks/learn/quick-kubernetes-deploy-portal.md

@@ -30,18 +30,15 @@ This quickstart assumes a basic understanding of Kubernetes concepts. For more i
 ## Create an AKS cluster
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
-
-2. On the Azure portal menu or from the **Home** page, select **Create a resource**.
-
-3. Select **Containers** > **Kubernetes Service**.
-
-4. On the **Basics** page, configure the following options:
+1. On the Azure portal menu or from the **Home** page, select **Create a resource**.
+1. Select **Containers** > **Kubernetes Service**.
+1. On the **Basics** page, configure the following options:
 
     - **Project details**:
         * Select an Azure **Subscription**.
         * Select or create an Azure **Resource group**, such as *myResourceGroup*.
     - **Cluster details**:
-        * Ensure the the **Preset configuration** is *Standard ($$)*. For more details on preset configurations, see [Cluster configuration presets in the Azure portal][preset-config].
+        * Ensure the **Preset configuration** is *Standard ($$)*. For more details on preset configurations, see [Cluster configuration presets in the Azure portal][preset-config].
         * Enter a **Kubernetes cluster name**, such as *myAKSCluster*.
         * Select a **Region** for the AKS cluster, and leave the default value selected for **Kubernetes version**.
         * Select **99.5%** for **API server availability**.
@@ -54,20 +51,20 @@ This quickstart assumes a basic understanding of Kubernetes concepts. For more i
     > You can change the preset configuration when creating your cluster by selecting *Learn more and compare presets* and choosing a different option.
     > :::image type="content" source="media/quick-kubernetes-deploy-portal/cluster-preset-options.png" alt-text="Screenshot of Create AKS cluster - portal preset options.":::
 
-5. Select **Next: Node pools** when complete.
-
-6. Keep the default **Node pools** options. At the bottom of the screen, click **Next: Access**.
-
-7. On the **Access** page, configure the following options:
+1. Select **Next: Node pools** when complete. 
+1. Keep the default **Node pools** options. At the bottom of the screen, click **Next: Access**.
+1. On the **Access** page, configure the following options:
 
     - The default value for **Resource identity** is **System-assigned managed identity**. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. For more details about managed identities, see [What are managed identities for Azure resources?](../../active-directory/managed-identities-azure-resources/overview.md).
     - The Kubernetes role-based access control (RBAC) option is the default value to provide more fine-grained control over access to the Kubernetes resources deployed in your AKS cluster.
 
     By default, *Basic* networking is used, and [Container insights](../../azure-monitor/containers/container-insights-overview.md) is enabled.
 
-8. Click **Review + create**. When you navigate to the **Review + create** tab, Azure runs validation on the settings that you have chosen. If validation passes, you can proceed to create the AKS cluster by selecting **Create**. If validation fails, then it indicates which settings need to be modified.
-
-9. It takes a few minutes to create the AKS cluster. When your deployment is complete, navigate to your resource by either:
+1. Select **Next: Networking** when complete.
+1. Keep the default **Networking** options. At the bottom of the screen, click **Next: Integrations**.
+1. On the **Integrations** page, if you want to enable the [recommended out-of-the-box alerts](../../azure-monitor/alerts/alerts-overview.md#recommended-alert-rules) for AKS clusters, select **Enable recommended alert rules**. You can see the list of alerts that are automatically enabled if you select this option. 
+1. Click **Review + create**. When you navigate to the **Review + create** tab, Azure runs validation on the settings that you have chosen. If validation passes, you can proceed to create the AKS cluster by selecting **Create**. If validation fails, then it indicates which settings need to be modified.
+1. It takes a few minutes to create the AKS cluster. When your deployment is complete, navigate to your resource by either:
     * Selecting **Go to resource**, or
     * Browsing to the AKS cluster resource group and selecting the AKS resource. In this example you browse for *myResourceGroup* and select the resource *myAKSCluster*.
 

articles/azure-functions/configure-monitoring.md

@@ -307,7 +307,7 @@ Function apps are an essential part of solutions that can cause high volumes of
 
 The generated telemetry can be consumed in real-time dashboards, alerting, detailed diagnostics, and so on. Depending on how the generated telemetry is going to be consumed, you'll need to define a strategy to reduce the volume of data generated. This strategy will allow you to properly monitor, operate, and diagnose your function apps in production. You can consider the following options:
 
-+ **Use sampling**: As mentioned [earlier](#configure-sampling), it will help to dramatically reduce the volume of telemetry events ingested while maintaining a statistically correct analysis. It could happen that even using sampling you still a get high volume of telemetry. Inspect the options that [adaptive sampling](../azure-monitor/app/sampling.md#configuring-adaptive-sampling-for-aspnet-applications) provides to you. For example, set the `maxTelemetryItemsPerSecond` to a value that balances the volume generated with your monitoring needs. Keep in mind that the telemetry sampling is applied per host executing your function app.
++ **Use sampling**: As mentioned [earlier](#configure-sampling), it will help to dramatically reduce the volume of telemetry events ingested while maintaining a statistically correct analysis. It could happen that even using sampling you still get a high volume of telemetry. Inspect the options that [adaptive sampling](../azure-monitor/app/sampling.md#configuring-adaptive-sampling-for-aspnet-applications) provides to you. For example, set the `maxTelemetryItemsPerSecond` to a value that balances the volume generated with your monitoring needs. Keep in mind that the telemetry sampling is applied per host executing your function app.
 
 + **Default log level**: Use `Warning` or `Error` as the default value for all telemetry categories. Now, you can decide which [categories](#configure-categories) you want to set at `Information` level so that you can monitor and diagnose your functions properly.
 

articles/azure-functions/dotnet-isolated-process-guide.md

@@ -196,7 +196,7 @@ A function can have zero or more input bindings that can pass data to a function
 
 ### Output bindings
 
-To write to an output binding, you must apply an output binding attribute to the function method, which defined how to write to the bound service. The value returned by the method is written to the output binding. For example, the following example writes a string value to a message queue named `myqueue-output` by using an output binding:
+To write to an output binding, you must apply an output binding attribute to the function method, which defined how to write to the bound service. The value returned by the method is written to the output binding. For example, the following example writes a string value to a message queue named `output-queue` by using an output binding:
 
 :::code language="csharp" source="~/azure-functions-dotnet-worker/samples/Extensions/Queue/QueueFunction.cs" id="docsnippet_queue_output_binding" :::
 

articles/azure-functions/functions-app-settings.md

@@ -253,7 +253,7 @@ Specifies the repository or provider to use for key storage. Keys are always enc
 |AzureWebJobsSecretStorageType|`blob`|Keys are stored in a Blob storage container in the account provided by the `AzureWebJobsStorage` setting. Blob storage is the default behavior when `AzureWebJobsSecretStorageType` isn't set.<br/>To specify a different storage account, use the `AzureWebJobsSecretStorageSas` setting to indicate the SAS URL of a second storage account. |
 |AzureWebJobsSecretStorageType  | `files` | Keys are persisted on the file system. This is the default behavior for Functions v1.x.|
 |AzureWebJobsSecretStorageType |`keyvault` | Keys are stored in a key vault instance set by `AzureWebJobsSecretStorageKeyVaultName`. | 
-|Kubernetes Secrets  | `kubernetes` | Supported only when running the Functions runtime in Kubernetes. When `AzureWebJobsKubernetesSecretName` isn't set, the repository is considered read-only. In this case, the values must be generated before deployment. The [Azure Functions Core Tools](functions-run-local.md) generates the values automatically when deploying to Kubernetes.|
+|AzureWebJobsSecretStorageType | `kubernetes` | Supported only when running the Functions runtime in Kubernetes. When `AzureWebJobsKubernetesSecretName` isn't set, the repository is considered read-only. In this case, the values must be generated before deployment. The [Azure Functions Core Tools](functions-run-local.md) generates the values automatically when deploying to Kubernetes.|
 
 To learn more, see [Secret repositories](security-concepts.md#secret-repositories).
 

articles/azure-functions/functions-bindings-event-hubs-output.md

@@ -42,16 +42,23 @@ The following example shows how to use the `IAsyncCollector` interface to send a
 [FunctionName("EH2EH")]
 public static async Task Run(
     [EventHubTrigger("source", Connection = "EventHubConnectionAppSetting")] EventData[] events,
-    [EventHub("dest", Connection = "EventHubConnectionAppSetting")]IAsyncCollector<string> outputEvents,
+    [EventHub("dest", Connection = "EventHubConnectionAppSetting")]IAsyncCollector<EventData> outputEvents,
     ILogger log)
 {
     foreach (EventData eventData in events)
     {
-        // do some processing:
-        var myProcessedEvent = DoSomething(eventData);
-
-        // then send the message
-        await outputEvents.AddAsync(JsonConvert.SerializeObject(myProcessedEvent));
+        // Do some processing:
+        string newEventBody = DoSomething(eventData);
+        
+        // Queue the message to be sent in the background by adding it to the collector.
+        // If only the event is passed, an Event Hub partition to be be assigned via
+        // round-robin for each batch.
+        await outputEvents.AddAsync(new EventData(newEventBody));
+        
+        // If your scenario requires that certain events are grouped together in an
+        // Event Hub partition, you can specify a partition key.  Events added with 
+        // the same key will always be assigned to the same partition.        
+        await outputEvents.AddAsync(new EventData(newEventBody), "sample-key");
     }
 }
 ```
@@ -311,7 +318,7 @@ In-process C# class library functions supports the following types:
 
 This version of [EventData](/dotnet/api/azure.messaging.eventhubs.eventdata) drops support for the legacy `Body` type in favor of [EventBody](/dotnet/api/azure.messaging.eventhubs.eventdata.eventbody).
 
-Send messages by using a method parameter such as `out string paramName`. To write multiple messages, you can use `ICollector<string>` or `IAsyncCollector<string>` in place of `out string`.
+Send messages by using a method parameter such as `out string paramName`. To write multiple messages, you can use `ICollector<EventData>` or `IAsyncCollector<EventData>` in place of `out string`.  Partition keys may only be used with `IAsyncCollector<EventData>`.
 
 # [Extension v3.x+](#tab/extensionv3/in-process)