Commit d1cd5cb

Merge pull request #255381 from MicrosoftDocs/main
Publish 10/18 11:00 AM IST
2 parents cea6a92 + e0d4d5b commit d1cd5cb

355 files changed

+3090
-2459
lines changed

.openpublishing.redirection.azure-monitor.json

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6373,6 +6373,11 @@
63736373
"source_path_from_root": "/articles/azure-monitor/app/transaction-diagnostics.md",
63746374
"redirect_url": "/azure/azure-monitor/app/search-and-transaction-diagnostics?tabs=transaction-diagnostics",
63756375
"redirect_document_id": false
6376+
},
6377+
{
6378+
"source_path_from_root": "/articles/azure-monitor/app/separate-resources.md",
6379+
"redirect_url": "/azure/azure-monitor/app/create-workspace-resource#how-many-application-insights-resources-should-i-deploy",
6380+
"redirect_document_id": false
63766381
}
63776382
]
63786383
}
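
Review bot: the new entry's redirect_url (line 6379) ends in the fragment #how-many-application-insights-resources-should-i-deploy, which resolves only while create-workspace-resource keeps a heading that generates exactly that anchor. If the heading is renamed later, readers arriving from separate-resources.md land at the top of the page with no error. Please confirm the target heading exists in this same publish, and consider giving it an explicit anchor so the redirect does not depend on the heading wording.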

articles/active-directory/authentication/certificate-based-authentication-faq.yml

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -109,7 +109,7 @@ sections:
109109
- question: |
110110
Will the changes to the Authentication methods policy take effect immediately?
111111
answer: |
112-
The policy is cached. After a policy update, it may take up to an hour for the changes to take effect.
112+
The policy is cached. After a policy update, it might take up to an hour for the changes to take effect.
113113
114114
- question: |
115115
Why do I see the certificate-based authentication option after it fails?
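
Review bot: the answer on line 112 gives only an upper bound ("up to an hour") and does not say whether the cache delay applies equally to restrictive changes to the Authentication methods policy. Since admins will read this when tightening a policy as well as when loosening one, suggest stating that explicitly, or saying how to confirm that the updated policy is in effect. The may/might wording change itself is fine.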
@@ -154,7 +154,12 @@ sections:
154154
155155
answer: |
156156
This is commonly seen when a firewall rule setting blocks access to the CRL endpoint.
157-
157+
158+
- question: |
159+
Can Microsoft Entra CBA be used on SurfaceHub?
160+
answer: |
161+
Yes. This will work out of the box for most smart card / smart card reader combinations. If the smart card / smart card reader combination requires additional drivers these must be installed prior to using the smart card / smart card reader combination on the surface hub.
162+
158163
additionalContent: |
159164
## Next steps
160165
If your question isn't answered here, see the following related topics:
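
Review bot: the new entry names the device two different ways, "SurfaceHub" in the question (line 159) and "surface hub" in the answer (line 161); please use one product spelling throughout. In the answer, "requires additional drivers these must be installed" needs a comma after "drivers", and repeating "smart card / smart card reader combination" three times makes the sentence hard to scan; something like "install them before using the combination on the device" would read better. Lines 157 and 162 appear to be whitespace-only additions; worth checking they carry no trailing spaces inside the YAML block scalar.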

articles/active-directory/develop/reference-saml-tokens.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ The Microsoft identity platform emits several types of security tokens in the pr
2929
> |Authentication Method | `amr` |Identifies how the subject of the token was authenticated. | `<AuthnContextClassRef>`<br>`http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod/password`<br>`</AuthnContextClassRef>` |
3030
> |First Name | `given_name` |Provides the first or "given" name of the user, as set on the Microsoft Entra user object. | `<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">`<br>`<AttributeValue>Frank<AttributeValue>` |
3131
> |Groups | `groups` |Provides object IDs that represent the subject's group memberships. These values are unique (see Object ID) and can be safely used for managing access, such as enforcing authorization to access a resource. The groups included in the groups claim are configured on a per-application basis, through the "groupMembershipClaims" property of the application manifest. A value of null will exclude all groups, a value of "SecurityGroup" will include only Active Directory Security Group memberships, and a value of "All" will include both Security Groups and Microsoft 365 Distribution Lists. <br><br> **Notes**: <br> If the number of groups the user is in goes over a limit (150 for SAML, 200 for JWT) then an overage claim will be added the claim sources pointing at the Graph endpoint containing the list of groups for the user. | `<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">`<br>`<AttributeValue>07dd8a60-bf6d-4e17-8844-230b77145381</AttributeValue>` |
32-
> | Groups Overage Indicator | `groups:src1` | For token requests that are not length-limited but still too large for the token, a link to the full groups list for the user will be included. For SAML this is added as a new claim in place of the `groups` claim. <br><br> **Notes**: <br> The Azure AD Graph API is being replaced by the Microsoft Graph API. To learn more about the equivalent endpoint, see [user: getMemberObjects](/graph/api/user-getmemberobjects). | `<Attribute Name=" http://schemas.microsoft.com/claims/groups.link">`<br>`<AttributeValue>https://graph.windows.net/{tenantID}/users/{userID}/getMemberObjects<AttributeValue>` |
32+
> | Groups Overage Indicator | `groups:src1` | For token requests that are not length-limited but still too large for the token, a link to the full groups list for the user will be included. For SAML this is added as a new claim in place of the `groups` claim. <br><br> **Notes**: <br> The Azure AD Graph API is being replaced by the Microsoft Graph API. To learn more about the equivalent endpoint, see [user: getMemberObjects](/graph/api/directoryobject-getmemberobjects). | `<Attribute Name=" http://schemas.microsoft.com/claims/groups.link">`<br>`<AttributeValue>https://graph.windows.net/{tenantID}/users/{userID}/getMemberObjects<AttributeValue>` |
3333
> |Identity Provider | `idp` |Records the identity provider that authenticated the subject of the token. This value is identical to the value of the Issuer claim unless the user account is in a different tenant than the issuer. | `<Attribute Name=" http://schemas.microsoft.com/identity/claims/identityprovider">`<br>`<AttributeValue>https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/<AttributeValue>` |
3434
> |IssuedAt | `iat` |Stores the time at which the token was issued. It is often used to measure token freshness. | `<Assertion ID="_d5ec7a9b-8d8f-4b44-8c94-9812612142be" IssueInstant="2014-01-06T20:20:23.085Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">` |
3535
> |Issuer | `iss` |Identifies the security token service (STS) that constructs and returns the token. In the tokens that Microsoft Entra ID returns, the issuer is sts.windows.net. The GUID in the Issuer claim value is the tenant ID of the Microsoft Entra directory. The tenant ID is an immutable and reliable identifier of the directory. | `<Issuer>https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/</Issuer>` |
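
Review bot: on line 32 the link target now points at directoryobject-getmemberobjects but the link text still reads "user: getMemberObjects", so the label no longer matches the page it opens; please update the text to match the new target. While this row is being touched, the sample in the same cell has two defects worth fixing: the second `<AttributeValue>` should be the closing `</AttributeValue>`, and `Name=" http://schemas.microsoft.com/claims/groups.link"` carries a leading space inside the attribute value, which anyone copying the claim name will inherit. The same unclosed `<AttributeValue>` pattern is visible in the context rows for `given_name` (line 30) and `idp` (line 33).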

articles/active-directory/develop/scenario-desktop-acquire-token-wam.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ The Microsoft Authentication Library (MSAL) calls Web Account Manager (WAM), a W
2323

2424
Using an authentication broker such as WAM has numerous benefits:
2525

26-
- Enhanced security. See [Token protection](/azure/active-directory/conditional-access/concept-token-protection).
26+
- Enhanced security. See [Token protection](../conditional-access/concept-token-protection.md).
2727
- Support for Windows Hello, Conditional Access, and FIDO keys.
2828
- Integration with the Windows **Email & accounts** view.
2929
- Fast single sign-on.
@@ -93,7 +93,7 @@ ms-appx-web://microsoft.aad.brokerplugin/{client_id}
9393

9494
### Token cache persistence
9595

96-
It's important to persist the MSAL token cache because MSAL continues to store ID tokens and account metadata there. For more information, see [Token cache serialization in MSAL.NET](/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=desktop).
96+
It's important to persist the MSAL token cache because MSAL continues to store ID tokens and account metadata there. For more information, see [Token cache serialization in MSAL.NET](/entra/msal/dotnet/how-to/token-cache-serialization?tabs=desktop).
9797

9898
### Account for silent login
9999

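
Review bot: line 96 tells readers to persist the MSAL token cache because it holds ID tokens and account metadata, but says nothing about protecting the persisted file; since this sentence is being edited anyway, suggest adding a short clause pointing to the protection guidance in the linked serialization article. Also confirm that the carried-over query string ?tabs=desktop still selects a tab on the new /entra/msal/dotnet/how-to/token-cache-serialization page, otherwise drop it.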
articles/active-directory/develop/scenario-mobile-acquire-token.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -230,7 +230,7 @@ The class defines the following constants:
230230
- `ForceLogin` enables the service to prompt the user for credentials even if the prompt isn't needed.
231231

232232
This option can be useful if the token acquisition fails and you want to let the user sign in again. In this case, MSAL sends `prompt=login` to the identity provider. You might want to use this option in security-focused applications where the organization governance requires the user to sign in each time they access specific parts of the application.
233-
- `Never` is for only .NET 4.5 and Windows Runtime (WinRT). This constant won't prompt the user, but it will try to use the cookie that's stored in the hidden embedded web view. For more information, see [Using web browsers with MSAL.NET](./msal-net-web-browsers.md).
233+
- `Never` is for only .NET 4.5 and Windows Runtime (WinRT). This constant won't prompt the user, but it will try to use the cookie that's stored in the hidden embedded web view. For more information, see [Using web browsers with MSAL.NET](/entra/msal/dotnet/acquiring-tokens/using-web-browsers).
234234

235235
If this option fails, then `AcquireTokenInteractive` throws an exception to notify you that a UI interaction is needed. Then use another `Prompt` parameter.
236236
- `NoPrompt` doesn't send a prompt to the identity provider.
@@ -291,4 +291,4 @@ client_id=<CLIENT_ID>
291291
## Next steps
292292

293293
Move on to the next article in this scenario,
294-
[Calling a web API](scenario-mobile-call-api.md).
294+
[Calling a web API](scenario-mobile-call-api.md).
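
Review bot: the removed and added versions of line 294 are textually identical as shown, so this is a whitespace or end-of-file newline change. Please confirm it is intentional; if it adds the missing final newline, that is fine and needs no further action.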

articles/active-directory/develop/scenario-spa-overview.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ ms.custom: aaddev, identityplatformtop40, devx-track-js, engagement-fy23
1717

1818
# Scenario: Single-page application
1919

20-
Learn all you need to build a single-page application (SPA). For instructions regarding Azure Static Web Apps, see [Authentication and Authorization for Static Web Apps](../../static-web-apps/authentication-authorization.md) instead.
20+
Learn all you need to build a single-page application (SPA). For instructions regarding Azure Static Web Apps, see [Authentication and Authorization for Static Web Apps](/azure/static-web-apps/authentication-authorization) instead.
2121

2222
## Getting started
2323

articles/active-directory/develop/scenario-spa-sign-in.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,7 @@ The choice between a pop-up or redirect experience depends on your application f
3434

3535
- If you don't want users to move away from your main application page during authentication, we recommend the pop-up method. Because the authentication redirect happens in a pop-up window, the state of the main application is preserved.
3636

37-
- If users have browser constraints or policies where pop-up windows are disabled, you can use the redirect method. Use the redirect method with the Internet Explorer browser, because there are [known issues with pop-up windows on Internet Explorer](/azure/active-directory/develop/msal-js-use-ie-browser).
37+
- If users have browser constraints or policies where pop-up windows are disabled, you can use the redirect method. Use the redirect method with the Internet Explorer browser, because there are [known issues with pop-up windows on Internet Explorer](./msal-js-use-ie-browser.md).
3838

3939
## Sign-in with a pop-up window
4040

articles/active-directory/develop/scenario-token-exchange-saml-oauth.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@ Many apps are implemented with SAML. However, the Graph API uses the OIDC/OAuth
2626
The general strategy is to add the OIDC/OAuth stack to your app. With your app that implements both standards you can use a session cookie. You aren't exchanging a token explicitly. You're logging a user in with SAML, which generates a session cookie. When the Graph API invokes an OAuth flow, you use the session cookie to authenticate. This strategy assumes the Conditional Access checks pass and the user is authorized.
2727

2828
> [!NOTE]
29-
> The recommended library for adding OIDC/OAuth behavior to your applications is the [Microsoft Authentication Library (MSAL)](/entra/msal).
29+
> The recommended library for adding OIDC/OAuth behavior to your applications is the [Microsoft Authentication Library (MSAL)](/entra/msal/).
3030
3131
## Next steps
3232
- [Authentication flows and application scenarios](authentication-flows-app-scenarios.md)

articles/active-directory/develop/scenario-web-api-call-api-app-configuration.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -125,7 +125,7 @@ The following image shows the possibilities of *Microsoft.Identity.Web* and the
125125
:::image type="content" source="media/scenarios/microsoft-identity-web-startup-cs.svg" alt-text="Block diagram showing service configuration options in startup dot C S for calling a web API and specifying a token cache implementation":::
126126

127127
> [!NOTE]
128-
> To fully understand the code examples here, be familiar with [ASP.NET Core fundamentals](/aspnet/core/fundamentals), and in particular with [dependency injection](/aspnet/core/fundamentals/dependency-injection) and [options](/aspnet/core/fundamentals/configuration/options).
128+
> To fully understand the code examples here, be familiar with [ASP.NET Core fundamentals](/aspnet/core/fundamentals/), and in particular with [dependency injection](/aspnet/core/fundamentals/dependency-injection) and [options](/aspnet/core/fundamentals/configuration/options).
129129
130130
# [ASP.NET](#tab/aspnet)
131131

articles/active-directory/develop/scenario-web-app-sign-user-production.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -45,7 +45,7 @@ This progressive tutorial has production-ready code for a web app, including how
4545
- Your organization
4646
- Multiple organizations
4747
- Work or school accounts, or personal Microsoft accounts
48-
- [Azure AD B2C](../../active-directory-b2c/overview.md)
48+
- [Azure AD B2C](/azure/active-directory-b2c/overview)
4949
- National clouds
5050

5151
## Tutorial: Node.js web app
