Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into rolyon-rbac-roles-jan

Author: rolyon

articles/active-directory-b2c/billing.md

@@ -112,7 +112,7 @@ To change your pricing tier, follow these steps:
    ![Screenshot that shows how to select the pricing tier.](media/billing/select-tier.png)
 
 > [!NOTE]
-> Currently, Azure AD Premium P1 for Azure AD B2C is the default pricing tier, and it's equivalent to Azure AD Free tier, but it costs money. Therefore, in terms of features, Azure AD Premium P1 license applied to Azure AD tenant, is not equivalent to Azure AD B2C Premium P1 license in a B2C tenant, and the same is true for Premium P2. Hence, you expect that some features available in Azure AD tenant may be missing in Azure AD B2C even when the tenants have Azure AD Premium P2 and Azure AD B2C Premium P2 licenses respectively. For instance, Azure AD Premium P2 offers identity protection in Azure AD B2C tenants, but does not offer other Azure AD Premium P2 features that apply to Azure AD tenants.
+> Currently, Azure AD Premium P1 for Azure AD B2C is the default pricing tier, and it's equivalent to Azure AD Free tier, but it costs money. Therefore, in terms of features, Azure AD Premium P1 license when applied to Azure AD tenant, isn't equivalent to Azure AD B2C Premium P1 license in a Azure AD B2C tenant, and the same is true for Premium P2 license. Hence, you expect that some features available in Azure AD tenant may be missing in Azure AD B2C even when the tenants have Azure AD Premium P2 and Azure AD B2C Premium P2 licenses respectively. For instance, Azure AD Premium P2 offers identity protection in Azure AD B2C tenants, but does not offer other Azure AD Premium P2 features that apply to Azure AD tenants. Learn more about [Azure AD B2C pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/). 
 
 ## Switch to MAU billing (pre-November 2019 Azure AD B2C tenants)
 

articles/active-directory-b2c/identity-provider-adfs.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 09/16/2021
+ms.date: 01/18/2022
 ms.custom: project-no-code
 ms.author: kengaderdus
 ms.subservice: B2C

articles/active-directory/conditional-access/media/plan-conditional-access/create-policy.png

@@ -72,7 +72,7 @@ The following samples show how to protect a web API with the Microsoft identity
 
 ## Desktop
 
-The following samples show public client desktop applications that access the Microsoft Graph API, or your own web API in the name of the user. Apart from the _Desktop (Console) with Workspace Application Manager (WAM)_ sample, all these client applications use the Microsoft Authentication Library (MSAL).
+The following samples show public client desktop applications that access the Microsoft Graph API, or your own web API in the name of the user. Apart from the _Desktop (Console) with Web Authentication Manager (WAM)_ sample, all these client applications use the Microsoft Authentication Library (MSAL).
 
 > [!div class="mx-tdCol2BreakAll"]
 > | Language/<br/>Platform | Code sample(s) <br/> on GitHub | Auth<br/> libraries | Auth flow |  

articles/active-directory/conditional-access/media/plan-conditional-access/manage-access.png

@@ -40,7 +40,7 @@ The `spa` redirect type is backwards compatible with the implicit flow. Apps cur
 
 If you attempt to use the authorization code flow and see this error:
 
-`access to XMLHttpRequest at 'https://login.microsoftonline.com/common/v2.0/oauth2/token' from origin 'yourApp.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.`
+`access to XMLHttpRequest at 'https://login.microsoftonline.com/common/oauth2/v2.0/token' from origin 'yourApp.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.`
 
 Then, visit your app registration and update the redirect URI for your app to type `spa`.
 

articles/active-directory/conditional-access/media/plan-conditional-access/report-only-mode.png

@@ -71,6 +71,15 @@ sections:
           
           If you have not configured password writeback for a specific user or if the user doesn't have a valid Azure AD license assigned, the user can't update their password in the cloud. They can't update their password, even if their password has expired. The user instead sees this message: "Your organization doesn't allow you to update your password on this site. Update it according to the method recommended by your organization, or ask your admin if you need help." The user or the administrator must reset their password in on-premises Active Directory.
           
+      - question: |
+          The user logs on to Azure AD with his credentials (username, password). In the meantime the user’s password expires, but the user can still access Azure AD resources. Why does this happen?
+        answer: |
+          The password expiry does not trigger the revocation of authentication tokens or cookies. Until the tokens or cookies are valid, the user will be able to use them. This applies regardless of the authentication type (PTA, PHS and federated scenarios).
+
+          For more details please check the documentation below:
+          [Microsoft identity platform access tokens - Microsoft identity platform | Microsoft Docs](../develop/access-tokens.md#revocation)
+
+     
       - question: |
           How does Pass-through Authentication protect you against brute-force password attacks?
         answer: |

articles/active-directory/conditional-access/plan-conditional-access.md

@@ -85,7 +85,7 @@ The following scenarios are not supported for staged rollout:
 
 - When you first add a security group for staged rollout, you're limited to 200 users to avoid a UX time-out. After you've added the group, you can add more users directly to it, as required.
 
-- While users are in Staged Rollout, password expiration policy is set to 90 days with no option to customize it. 
+- While users are in Staged Rollout with Password Hash Synchronization (PHS), by default no password expiration is applied. Password expiration can be applied by enabling "EnforceCloudPasswordPolicyForPasswordSyncedUsers". When "EnforceCloudPasswordPolicyForPasswordSyncedUsers" is enabled, password expiration policy is set to 90 days from the time password was set on-prem with no option to customize it. To learn how to set 'EnforceCloudPasswordPolicyForPasswordSyncedUsers' see [Password expiration policy](./how-to-connect-password-hash-synchronization.md#enforcecloudpasswordpolicyforpasswordsyncedusers).
 
 - Windows 10 Hybrid Join or Azure AD Join primary refresh token acquisition for Windows 10 version older than 1903. This scenario will fall back to the WS-Trust endpoint of the federation server, even if the user signing in is in scope of staged rollout.