Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into 2036501

Author: ktoliver

articles/active-directory-b2c/add-api-connector.md

@@ -331,7 +331,7 @@ Content-type: application/json
 {
     "version": "1.0.0",
     "action": "ShowBlockPage",
-    "userMessage": "There was a problem with your request. You are not able to sign up at this time.",
+    "userMessage": "There was a problem with your request. You are not able to sign up at this time. Please contact your system administrator",
 }
 
 ```

articles/active-directory-b2c/add-sign-up-and-sign-in-policy.md

@@ -37,7 +37,8 @@ Watch this video to learn how the user sign-up and sign-in policy works.
 
 ## Prerequisites
 
-[!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)]
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- If you don't have one already, [create an Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.
 
 ::: zone pivot="b2c-user-flow"
 

articles/active-directory-b2c/configure-authentication-sample-python-web-app.md

@@ -7,7 +7,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 06/28/2022
+ms.date: 02/28/2023
 ms.author: kengaderdus
 ms.subservice: B2C
 ms.custom: "b2c-support"
@@ -19,7 +19,7 @@ This article uses a sample Python web application to illustrate how to add Azure
 
 ## Overview
 
-OpenID Connect (OIDC) is an authentication protocol that's built on OAuth 2.0. You can use OIDC to securely sign users in to an application. This web app sample uses the [Microsoft Authentication Library (MSAL) for Python](https://github.com/AzureAD/microsoft-authentication-library-for-python). The MSAL for Python simplifies adding authentication and authorization support to Python web apps. 
+OpenID Connect (OIDC) is an authentication protocol that's built on OAuth 2.0. You can use OIDC to securely sign users in to an application. This web app sample uses the [identity package for Python](https://pypi.org/project/identity/) to simplify adding authentication and authorization support to Python web apps. 
 
 The sign-in flow involves the following steps:
 
@@ -29,17 +29,11 @@ The sign-in flow involves the following steps:
 1. After users sign in successfully, Azure AD B2C returns an ID token to the app.
 1. The app exchanges the authorization code with an ID token, validates the ID token, reads the claims, and then returns a secure page to users.
 
-
-### Sign-out
-
-[!INCLUDE [active-directory-b2c-app-integration-sign-out-flow](../../includes/active-directory-b2c-app-integration-sign-out-flow.md)] 
-
 ## Prerequisites
 
-A computer that's running: 
-
-* [Visual Studio Code](https://code.visualstudio.com/) or another code editor
-* [Python](https://www.python.org/downloads/) 3.9 or above 
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- If you don't have one already, [create an Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.
+- [Python 3.7+](https://www.python.org/downloads/)
 
 ## Step 1: Configure your user flow
 
@@ -90,37 +84,29 @@ Extract the sample file to a folder where the total length of the path is 260 or
 In the project's root directory, follow these steps:
 
 1. Rename the *app_config.py* file to *app_config.py.OLD*.
-1. Rename the *app_config_b2c.py* file to *app_config.py*. 
-
-Open the *app_config.py* file. This file contains information about your Azure AD B2C identity provider. Update the following app settings properties: 
-
-|Key  |Value  |
-|---------|---------|
-|`b2c_tenant`| The first part of your Azure AD B2C [tenant name]( tenant-management-read-tenant-name.md#get-your-tenant-name) (for example, `contoso`).|
-|`CLIENT_ID`| The web API application ID from [step 2.1](#step-21-register-the-app).|
-|`CLIENT_SECRET`| The client secret value you created in [step 2.2](#step-22-create-a-web-app-client-secret). To help increase security, consider storing it instead in an environment variable, as recommended in the comments. |
-|`*_user_flow`|The user flows or custom policy you created in [step 1](#step-1-configure-your-user-flow).|
-| | |
-
-Your final configuration file should look like the following Python code:
-
-```python
-import os
-
-b2c_tenant = "contoso"
-signupsignin_user_flow = "B2C_1_signupsignin"
-editprofile_user_flow = "B2C_1_profileediting"
-resetpassword_user_flow = "B2C_1_passwordreset"
-authority_template = "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user_flow}"
-
-CLIENT_ID = "11111111-1111-1111-1111-111111111111" # Application (client) ID of app registration
-
-CLIENT_SECRET = "xxxxxxxxxxxxxxxxxxxxxxxx" # Placeholder - for use ONLY during testing.
-```
+1. Rename the *app_config_b2c.py* file to *app_config.py*. This file contains information about your Azure AD B2C identity provider. 
+
+1. Create an `.env` file in the root folder of the project using `.env.sample.b2c` as a guide.
+
+    ```shell
+    FLASK_DEBUG=True
+    TENANT_NAME=<tenant name>
+    CLIENT_ID=<client id>
+    CLIENT_SECRET=<client secret>
+    SIGNUPSIGNIN_USER_FLOW=B2C_1_profile_editing
+    EDITPROFILE_USER_FLOW=B2C_1_reset_password
+    RESETPASSWORD_USER_FLOW=B2C_1_signupsignin1
+    ```
 
-> [!IMPORTANT]
-> As noted in the code snippet comments, we recommend that you *do not store secrets in plaintext* in your application code. The hard-coded variable is used in the code sample *for convenience only*. Consider using an environment variable or a secret store, such as an Azure key vault.
+    |Key  |Value  |
+    |---------|---------|
+    |`TENANT_NAME`| The first part of your Azure AD B2C [tenant name](tenant-management-read-tenant-name.md#get-your-tenant-name) (for example, `contoso`). |
+    |`CLIENT_ID`| The web API application ID from [step 2.1](#step-21-register-the-app).|
+    |`CLIENT_SECRET`| The client secret value you created in [step 2.2](#step-22-create-a-web-app-client-secret). |
+    |`*_USER_FLOW`|The user flows you created in [step 1](#step-1-configure-your-user-flow).|
+    | | |
 
+    The environment variables are referenced in *app_config.py*, and are kept in a separate *.env* file to keep them out of source control. The provided *.gitignore* file prevents the *.env* file from being checked in.
 
 ## Step 5: Run the sample web app
 
@@ -157,11 +143,9 @@ CLIENT_SECRET = "xxxxxxxxxxxxxxxxxxxxxxxx" # Placeholder - for use ONLY during t
     The console window displays the port number of the locally running application:
 
     ```console
-     * Serving Flask app "app" (lazy loading)
-     * Environment: production
+     * Debug mode: on
        WARNING: This is a development server. Do not use it in a production deployment.
        Use a production WSGI server instead.
-     * Debug mode: off
      * Running on `http://localhost:5000/` (Press CTRL+C to quit)
     ```
 
@@ -190,7 +174,7 @@ To enable your app to sign in with Azure AD B2C and call a web API, you must reg
 
 The app registrations and the application architecture are described in the following diagrams:
 
-![Diagram describing a web app with web A P I, registrations, and tokens.](./media/configure-authentication-sample-python-web-app/web-app-with-api-architecture.png) 
+![Diagram describing a web app with web API, registrations, and tokens.](./media/configure-authentication-sample-python-web-app/web-app-with-api-architecture.png) 
 
 [!INCLUDE [active-directory-b2c-app-integration-call-api](../../includes/active-directory-b2c-app-integration-call-api.md)]
 
@@ -208,58 +192,34 @@ The app registrations and the application architecture are described in the foll
 
 ### Step 6.4: Configure your web API
 
-This sample acquires an access token with the relevant scopes, which the web app can use for a web API. To call a web API from the code, use an existing web API or create a new one. For more information, see [Enable authentication in your own web API by using Azure AD B2C](enable-authentication-web-api.md).
+This sample acquires an access token with the relevant scopes, which the web app can use for a web API. This sample itself does *not* act as a web API. Instead, you must use an existing web API or create a new one. For a tutorial on creating a web API in your B2C tenant, see [Enable authentication in your own web API by using Azure AD B2C](enable-authentication-web-api.md).
 
 ### Step 6.5: Configure the sample app with the web API
 
 Open the *app_config.py* file. This file contains information about your Azure AD B2C identity provider. Update the following properties of the app settings: 
 
 |Key  |Value  |
 |---------|---------|
-|`ENDPOINT`| The URI of your web API (for example, `https://localhost:5000/getAToken`).|
-|`SCOPE`| The web API [scopes](#step-62-configure-scopes) that you created.|
+|`ENDPOINT`| The URI of your web API (for example, `https://localhost:6000/hello`).|
+|`SCOPE`| The web API [scopes](#step-62-configure-scopes) that you created (for example, `["https://contoso.onmicrosoft.com/tasks-api/tasks.read", https://contoso.onmicrosoft.com/tasks-api/tasks.write"]`).|
 | | |
 
-Your final configuration file should look like the following Python code:
-
-```python
-import os
-
-b2c_tenant = "contoso"
-signupsignin_user_flow = "B2C_1_signupsignin"
-editprofile_user_flow = "B2C_1_profileediting"
-resetpassword_user_flow = "B2C_1_passwordreset"
-authority_template = "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user_flow}"
-
-CLIENT_ID = "11111111-1111-1111-1111-111111111111" # Application (client) ID of app registration
-
-CLIENT_SECRET = "xxxxxxxxxxxxxxxxxxxxxxxx" # Placeholder - for use ONLY during testing.
-
-### More code here
-
-# This is the API resource endpoint
-ENDPOINT = 'https://localhost:5000' 
-
-
-SCOPE = ["https://contoso.onmicrosoft.com/api/demo.read", "https://contoso.onmicrosoft.com/api/demo.write"] 
-```
-
 ### Step 6.6: Run the sample app
 
 1. In your console or terminal, switch to the directory that contains the sample. 
-1. Stop the app. and then rerun it.
-1. Select **Call Microsoft Graph API**.
+1. If the app isn't still running, restart it using the command from Step 5.
+1. Select **Call a downstream API**.
 
-    ![Screenshot showing how to call a web A P I.](./media/configure-authentication-sample-python-web-app/call-web-api.png)
+    ![Screenshot showing how to call a web API.](./media/configure-authentication-sample-python-web-app/call-web-api.png)
 
 ## Step 7: Deploy your application 
 
 In a production application, the app registration redirect URI is ordinarily a publicly accessible endpoint where your app is running, such as `https://contoso.com/getAToken`. 
 
 You can add and modify redirect URIs in your registered applications at any time. The following restrictions apply to redirect URIs:
 
-* The reply URL must begin with the scheme `https`.
-* The reply URL is case-sensitive. Its case must match the case of the URL path of your running application. 
+* The redirect URL must begin with the scheme `https`.
+* The redirect URL is case-sensitive. Its case must match the case of the URL path of your running application. 
 
 ## Next steps
 * Learn how to [Configure authentication options in a Python web app by using Azure AD B2C](enable-authentication-python-web-app-options.md).

articles/active-directory-b2c/media/add-api-connector/blocking-page-response.png

@@ -141,34 +141,28 @@ IIF(IsPresent([alternativeSecurityId]),
 
 ## Look up certificateUserIds using Microsoft Graph queries
 
-Tenant admins can run MS Graph queries to find all the users with a given certificateUserId value.
+Authorized callers can run Microsoft Graph queries to find all the users with a given certificateUserId value. On the Microsoft Graph [user](/graph/api/resources/user) object, the collection of certificateUserIds are stored in the **authorizationInfo** property.
 
-GET all user objects that have the value '[email protected]' value in certificateUserIds:
+To retrieve all user objects that have the value '[email protected]' in certificateUserIds:
 
-```http
-GET  https://graph.microsoft.com/v1.0/users?$filter=certificateUserIds/any(x:x eq '[email protected]')
-```
- 
-```http
-GET https://graph.microsoft.com/v1.0/users?$filter=startswith(certificateUserIds, '[email protected]')
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/users?$filter=authorizationInfo/certificateUserIds/any(x:x eq '[email protected]')&$count=true
+ConsistencyLevel: eventual
 ```
 
-```http
-GET https://graph.microsoft.com/v1.0/users?$filter=certificateUserIds eq '[email protected]'
-```
+You can also use the `not` and `startsWith` operators to match the filter condition. To filter against the certificateUserIds object, the request must include the `$count=true` query string and the **ConsistencyLevel** header set to `eventual`.
 
-## Update certificate user IDs using Microsoft Graph queries
-PATCH the user object certificateUserIds value for a given userId
+## Update certificateUserIds using Microsoft Graph queries
+
+Run a PATCH request to update the certificateUserIds for a given user.
 
 #### Request body:
 
 ```http
-PATCH https://graph.microsoft.us/v1.0/users/{id}
+PATCH https://graph.microsoft.com/v1.0/users/{id}
 Content-Type: application/json
-{
 
-    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(authorizationInfo,department)/$entity",
-    "department": "Accounting",
+{
     "authorizationInfo": {
         "certificateUserIds": [
             "X509:<PN>123456789098765@mil"