Merge pull request #188049 from MicrosoftDocs/main

Merge Main to Live, 4 AM

Author: PMEds28

.openpublishing.redirection.active-directory.json

@@ -837,12 +837,12 @@
         },
         {
             "source_path_from_root": "/articles/active-directory/active-directory-conditional-access.md",
-            "redirect_url": "/azure/active-directory/active-directory-conditional-access-azure-portal",
+            "redirect_url": "/azure/active-directory/conditional-access/overview",
             "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/active-directory/active-directory-conditional-access-azuread-connected-apps.md",
-            "redirect_url": "/azure/active-directory/active-directory-conditional-access-azure-portal-get-started",
+            "redirect_url": "/azure/active-directory/concept-conditional-access-cloud-apps",
             "redirect_document_id": false
         },
         {
@@ -1972,7 +1972,7 @@
         },
         {
             "source_path_from_root": "/articles/active-directory/active-directory-conditional-access-azure-portal-get-started.md",
-            "redirect_url": "/azure/active-directory/conditional-access/app-based-mfa",
+            "redirect_url": "/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management",
             "redirect_document_id": true
         },
         {
@@ -2067,7 +2067,7 @@
         },
         {
             "source_path_from_root": "/articles/active-directory/active-directory-conditional-access-device-policies.md",
-            "redirect_url": "/azure/active-directory/conditional-access/overview",
+            "redirect_url": "/azure/active-directory/conditional-access/concept-condition-filters-for-devices",
             "redirect_document_id": false
         },
         {
@@ -2077,7 +2077,7 @@
         },
         {
             "source_path_from_root": "/articles/active-directory/conditional-access/howto-conditional-access-adoption-kit.md",
-            "redirect_url": "/azure/active-directory/conditional-access/overview",
+            "redirect_url": "/azure/active-directory/conditional-access/plan-conditional-access",
             "redirect_document_id": false
         },
         {

.openpublishing.redirection.json

@@ -44949,6 +44949,11 @@
         "redirect_url": "/learn/modules/translate-text-with-translator-service?toc=/azure/cognitive-services/translator/toc.json&bc=/azure/cognitive-services/translator/breadcrumb/toc.json",
         "redirect_document_id": false
       },
+      {
+        "source_path": "articles/machine-learning/classic/deploy-with-resource-manager-template.md",
+        "redirect_url": "/previous-versions/azure/machine-learning/classic/deploy-with-resource-manager-template",
+        "redirect_document_id": false
+      },
       {
         "source_path_from_root": "/articles/governance/policy/how-to/guest-configuration-create-group-policy.md",
         "redirect_url": "/azure/governance/policy/how-to/guest-configuration-create",

articles/active-directory-b2c/faq.yml

@@ -220,6 +220,16 @@ sections:
         answer: |
           No, Azure AD B2C is a pay-as-you-go Azure service and is not part of Enterprise Mobility Suite.
           
+      - question: |
+          Can I purchase Azure AD Premium P1 and Azure AD Premium P2 licensing for my Azure AD B2C tenant?
+        answer: |
+          No, Azure AD B2C tenants don't use Azure AD Premium P1 or Azure AD Premium P2 licensing. Azure AD B2C uses [Azure AD B2C Premium P1 or P2](billing.md#change-your-azure-ad-pricing-tier) licenses, which are different from Azure AD Premium P1 or P2 licenses for a Standard Azure AD tenant. Azure AD B2C tenants natively support some features that are similar to Azure AD Premium features, as explained in [Supported Azure AD features](supported-azure-ad-features.md).
+         
+      - question: |
+          Can I use group-based assignment for Azure AD Enterprise Applications in my Azure AD B2C tenant?
+        answer: |
+          No, Azure AD B2C tenants do not support [group-based assignment to Azure AD Enterprise Applications](../active-directory/manage-apps/assign-user-or-group-access-portal.md).
+          
       - question: |
           What Azure AD B2C features are unavailable in Microsoft Azure Government?
         answer: |

articles/active-directory/app-proxy/application-proxy-secure-api-access.md

@@ -15,7 +15,7 @@ ms.custom: has-adal-ref
 ---
 # Secure access to on-premises APIs with Azure Active Directory Application Proxy
 
-You may have business logic APIs running on-premises, or hosted on virtual machines in the cloud. Your native Android, iOS, Mac, or Windows apps need to interact with the API endpoints to use data or provide user interaction. Azure AD Application Proxy and the [Microsoft Authentication Library (MSAL)](../azuread-dev/active-directory-authentication-libraries.md) let your native apps securely access your on-premises APIs. Azure Active Directory Application Proxy is a faster and more secure solution than opening firewall ports and controlling authentication and authorization at the app layer.
+You may have business logic APIs running on-premises, or hosted on virtual machines in the cloud. Your native Android, iOS, Mac, or Windows apps need to interact with the API endpoints to use data or provide user interaction. Azure AD Application Proxy and the [Microsoft Authentication Library (MSAL)](../develop/reference-v2-libraries.md) let your native apps securely access your on-premises APIs. Azure Active Directory Application Proxy is a faster and more secure solution than opening firewall ports and controlling authentication and authorization at the app layer.
 
 This article walks you through setting up an Azure AD Application Proxy solution for hosting a web API service that native apps can access.
 
@@ -29,9 +29,9 @@ The following diagram shows how you can use Azure AD Application Proxy to secure
 
 ![Azure AD Application Proxy API access](./media/application-proxy-secure-api-access/overview-publish-api-app-proxy.png)
 
-The Azure AD Application Proxy forms the backbone of the solution, working as a public endpoint for API access, and providing authentication and authorization. You can access your APIs from a vast array of platforms by using the [Microsoft Authentication Library (MSAL)](../azuread-dev/active-directory-authentication-libraries.md) libraries.
+The Azure AD Application Proxy forms the backbone of the solution, working as a public endpoint for API access, and providing authentication and authorization. You can access your APIs from a vast array of platforms by using the [Microsoft Authentication Library (MSAL)](../develop/reference-v2-libraries.md) libraries.
 
-Since Azure AD Application Proxy authentication and authorization are built on top of Azure AD, you can use Azure AD Conditional Access to ensure only trusted devices can access APIs published through Application Proxy. Use Azure AD Join or Azure AD Hybrid Joined for desktops, and Intune Managed for devices. You can also take advantage of Azure Active Directory Premium features like Azure AD Multi-Factor Authentication, and the machine learning-backed security of [Azure Identity Protection](../identity-protection/overview-identity-protection.md).
+Since Azure AD Application Proxy authentication and authorization are built on top of Azure AD, you can use Azure AD Conditional Access to ensure only trusted devices can access APIs published through Application Proxy. Use Azure AD Join or Azure AD Hybrid Joined for desktops, and Intune Managed for devices. You can also take advantage of Azure Active Directory Premium features like Azure AD Multi-Factor Authentication, and the machine learning-backed security of [Azure Identity Protection](../identity-protection/overview-identity-protection.md).
 
 ## Prerequisites
 
@@ -52,7 +52,7 @@ To publish the SecretAPI web API through Application Proxy:
 
 1. At the top of the **Enterprise applications - All applications** page, select **New application**.
 
-1. On the **Add an application** page, select **On-premises applications**. The **Add your own on-premises application** page appears.
+1. On the **Browse Azure AD Gallery** page, locate section **On-premises applications** and select **Add an on-premises application**. The **Add your own on-premises application** page appears.
 
 1. If you don't have an Application Proxy Connector installed, you'll be prompted to install it. Select **Download Application Proxy Connector** to download and install the connector.
 
@@ -91,7 +91,7 @@ You've published your web API through Azure AD Application Proxy. Now, add users
 1. Back on the **Add Assignment** page, select **Assign**.
 
 > [!NOTE]
-> APIs that use integrated Windows authentication might require [additional steps](./application-proxy-configure-single-sign-on-with-kcd.md).
+> APIs that use integrated Windows authentication might require [additional steps](./application-proxy-configure-single-sign-on-with-kcd.md).
 
 ## Register the native app and grant access to the API
 
@@ -105,9 +105,9 @@ To register the AppProxyNativeAppSample native app:
 
    1. Under **Name**, enter *AppProxyNativeAppSample*.
 
-   1. Under **Supported account types**, select **Accounts in any organizational directory**.
+   1. Under **Supported account types**, select **Accounts in this organizational directory only (Contoso only - Single tenant)**.
 
-   1. Under **Redirect URL**, drop down and select **Public client (mobile & desktop)**, and then enter *https://login.microsoftonline.com/common/oauth2/nativeclient*.
+   1. Under **Redirect URL**, drop down and select **Public client/native (mobile & desktop)**, and then enter *https://login.microsoftonline.com/common/oauth2/nativeclient    *.
 
    1. Select **Register**, and wait for the app to be successfully registered.
 
@@ -125,58 +125,72 @@ You've now registered the AppProxyNativeAppSample app in Azure Active Directory.
 
 1. On the next **Request API permissions** page, select the check box next to **user_impersonation**, and then select **Add permissions**.
 
-    ![Select an API](./media/application-proxy-secure-api-access/10-secretapi-added.png)
+    ![Select an A P I.](./media/application-proxy-secure-api-access/10-secretapi-added.png)
 
 1. Back on the **API permissions** page, you can select **Grant admin consent for Contoso** to prevent other users from having to individually consent to the app.
 
 ## Configure the native app code
 
-The last step is to configure the native app. The following snippet from the *Form1.cs* file in the NativeClient sample app causes the MSAL library to acquire the token for requesting the API call, and attach it as bearer to the app header.
-
-```csharp
-// Acquire Access Token from AAD for Proxy Application
-IPublicClientApplication clientApp = PublicClientApplicationBuilder
-    .Create(<App ID of the Native app>)
-    .WithDefaultRedirectUri() // Will automatically use the default Uri for native app
-    .WithAuthority("https://login.microsoftonline.com/{<Tenant ID>}")
-    .Build();
-
-AuthenticationResult authResult = null;
-var accounts = await clientApp.GetAccountsAsync();
-IAccount account = accounts.FirstOrDefault();
-
-IEnumerable<string> scopes = new string[] {"<Scope>"};
-
-try
-{
-    authResult = await clientApp.AcquireTokenSilent(scopes, account).ExecuteAsync();
-}
-catch (MsalUiRequiredException ex)
-{
-    authResult = await clientApp.AcquireTokenInteractive(scopes).ExecuteAsync();
-}
-
-if (authResult != null)
-{
-    // Use the Access Token to access the Proxy Application
-
-    HttpClient httpClient = new HttpClient();
-    HttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
-    HttpResponseMessage response = await httpClient.GetAsync("<Proxy App Url>");
-}
-```
+The last step is to configure the native app. The code snippet that's used in the following steps is based on [Add the Microsoft Authentication Library to your code (.NET C# sample)](application-proxy-configure-native-client-application.md#step-4-add-the-microsoft-authentication-library-to-your-code-net-c-sample). The code is customized for this example. The code must be added to the *Form1.cs* file in the NativeClient sample app where it will cause the [MSAL library](../develop/reference-v2-libraries.md) to acquire the token for requesting the API call and attach it as bearer to the header in the request.
+
+> [!NOTE]
+> The sample app uses [Azure Active Directory Authentication Library (ADAL)](../azuread-dev/active-directory-authentication-libraries.md). Read how to [add MSAL to your project](../develop/tutorial-v2-windows-desktop.md#add-msal-to-your-project). Remember to [add the reference to MSAL](../develop/tutorial-v2-windows-desktop.md#add-the-code-to-initialize-msal) to the class and remove the ADAL reference.
+
+To configure the native app code:
+
+1. In *Form1.cs*, add the namespace `using Microsoft.Identity.Client;` to the code.
+1. Remove the namespace `using Microsoft.IdentityModel.Clients.ActiveDirectory;` from the code.
+1. Remove lines 26 and 30 because they are no longer needed.
+1. Replace the contents of the `GetTodoList()` method with the following code snippet:
+
+   ```csharp
+   // Acquire Access Token from Azure AD for Proxy Application
+   var clientApp = PublicClientApplicationBuilder
+       .Create(clientId)
+       .WithDefaultRedirectUri() // Will automatically use the default URI for native app
+       .WithAuthority(authority)
+       .Build();
+   var accounts = await clientApp.GetAccountsAsync();
+   var account = accounts.FirstOrDefault();
+
+   var scopes = new string[] { todoListResourceId + "/user_impersonation" };
+
+   AuthenticationResult authResult;
+   try
+   {
+       authResult = await clientApp.AcquireTokenSilent(scopes, account).ExecuteAsync();
+   }
+   catch (MsalUiRequiredException ex)
+   {
+       authResult = await clientApp.AcquireTokenInteractive(scopes).ExecuteAsync();
+   }
+
+   if (authResult != null)
+   {
+       // Use the Access Token to access the Proxy Application
+       var httpClient = new HttpClient();
+       httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
+       // Call the To Do list service
+       var response = await httpClient.GetAsync(todoListBaseAddress + "/api/values/4");
+       var responseString = await response.Content.ReadAsStringAsync();
+       MessageBox.Show(responseString);
+   }
+   ```
 
 To configure the native app to connect to Azure Active Directory and call the API App Proxy, update the placeholder values in the *App.config* file of the NativeClient sample app with values from Azure AD:
 
-- Paste the **Directory (tenant) ID** in the `<add key="ida:Tenant" value="" />` field. You can find and copy this value (a GUID) from the **Overview** page of either of your apps.
+1. Paste the **Directory (tenant) ID** in the `<add key="ida:Tenant" value="" />` field. You can find and copy this value (a GUID) from the **Overview** page of either of your apps.
 
-- Paste the AppProxyNativeAppSample **Application (client) ID** in the `<add key="ida:ClientId" value="" />` field. You can find and copy this value (a GUID) from the AppProxyNativeAppSample's **Overview** page, in the left navigation under **Manage**.
+1. Paste the AppProxyNativeAppSample **Application (client) ID** in the `<add key="ida:ClientId" value="" />` field. You can find and copy this value (a GUID) from the AppProxyNativeAppSample's **Overview** page, in the left navigation under **Manage**.
 
-- Paste the AppProxyNativeAppSample **Redirect URI** in the `<add key="ida:RedirectUri" value="" />` field. You can find and copy this value (a URI) from the AppProxyNativeAppSample's **Authentication** page, in the left navigation under **Manage**.
+1. *This step is optional as MSAL uses the method PublicClientApplicationBuilder.WithDefaultRedirectUri() to insert the recommended reply URI.* Paste the AppProxyNativeAppSample **Redirect URI** in the `<add key="ida:RedirectUri" value="" />` field. You can find and copy this value (a URI) from the AppProxyNativeAppSample's **Authentication** page, in the left navigation under **Manage**.
 
-- Paste the SecretAPI **Application ID URI** in the `<add key="todo:TodoListResourceId" value="" />` field. You can find and copy this value (a URI) from the SecretAPI's **Expose an API** page, in the left navigation under **Manage**.
+1. Paste the SecretAPI **Application ID URI** in the `<add key="todo:TodoListResourceId" value="" />` field. This is the same value as `todo:TodoListBaseAddress` below. You can find and copy this value (a URI) from the SecretAPI's **Expose an API** page, in the left navigation under **Manage**.
 
-- Paste the SecretAPI **Home Page URL** in the `<add key="todo:TodoListBaseAddress" value="" />` field. You can find and copy this value (a URL) from the SecretAPI's **Branding** page, in the left navigation under **Manage**.
+1. Paste the SecretAPI **Home Page URL** in the `<add key="todo:TodoListBaseAddress" value="" />` field. You can find and copy this value (a URL) from the SecretAPI **Branding & properties** page, in the left navigation under **Manage**.
+
+> [!NOTE]
+> If the solution doesn't build and reports the error *invalid Resx file*, in Solution Explorer, expand **Properties**, right-click *Resources.resx*, and then select **View Code**. Comment lines 121 to 123.
 
 After you configure the parameters, build and run the native app. When you select the **Sign In** button, the app lets you sign in, and then displays a success screen to confirm that it successfully connected to the SecretAPI.
 

articles/active-directory/app-proxy/media/application-proxy-secure-api-access/8-create-reg-ga.png

@@ -59,9 +59,9 @@ With phone call verification during SSPR or Azure AD Multi-Factor Authentication
 If you have problems with phone authentication for Azure AD, review the following troubleshooting steps:
 
 * “You've hit our limit on verification calls” or “You’ve hit our limit on text verification codes” error messages during sign-in
-   * Microsoft may limit repeated authentication attempts that are performed by the same user in a short period of time. This limitation does not apply to the Microsoft Authenticator or verification code. If you have hit these limits, you can use the Authenticator App, verification code or try to sign in again in a few minutes.
+   * Microsoft may limit repeated authentication attempts that are performed by the same user or organization in a short period of time. This limitation does not apply to the Microsoft Authenticator or verification code. If you have hit these limits, you can use the Authenticator App, verification code or try to sign in again in a few minutes.
 * "Sorry, we're having trouble verifying your account" error message during sign-in
-   * Microsoft may limit or block voice or SMS authentication attempts that are performed by the same user, phone number, or organization due to high number of failed voice or SMS authentication attempts. If you are experiencing this error, you can try another method, such as Authenticator App or verification code, or reach out to your admin for support.
+   * Microsoft may limit or block voice or SMS authentication attempts that are performed by the same user, phone number, or organization due to high number of voice or SMS authentication attempts. If you are experiencing this error, you can try another method, such as Authenticator App or verification code, or reach out to your admin for support.
 * Blocked caller ID on a single device.
    * Review any blocked numbers configured on the device.
 * Wrong phone number or incorrect country/region code, or confusion between personal phone number versus work phone number.

articles/active-directory/authentication/concept-authentication-phone-options.md

@@ -48,7 +48,7 @@ The following limitations apply to using SSPR from the Windows sign-in screen:
 - The combination of the following specific three settings can cause this feature to not work.
     - Interactive logon: Do not require CTRL+ALT+DEL = Disabled
     - *DisableLockScreenAppNotifications* = 1 or Enabled
-    - Windows SKU isn't Home or Professional edition
+    - Windows SKU is Home edition
 
 > [!NOTE]
 > These limitations also apply to Windows Hello for Business PIN reset from the device lock screen.