Commit d1f3b6a

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into fixEncryption
2 parents 311a4a9 + bfd4455 commit d1f3b6a

518 files changed

+5570
-2568
lines changed

.openpublishing.redirection.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
"redirections": [
33
{
44
"source_path": "articles/iot-hub/iot-hub-rm-template.md",
5-
"redirect_url": "articles/iot-hub/iot-hub-rm-rest",
5+
"redirect_url": "/azure/iot-hub/iot-hub-rm-template-powershell",
66
"redirect_document_id": false
77
},
88
{
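Review bot: the replacement `redirect_url` switches from a repo-relative path (`articles/iot-hub/iot-hub-rm-rest`) to a site-rooted one (`/azure/iot-hub/iot-hub-rm-template-powershell`); check that the other entries in this file use the same form and that the new target actually publishes, since this redirect is the only thing keeping inbound links to the retired `iot-hub-rm-template.md` article alive and a redirect to a missing page turns every one of them into a 404.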

CODEOWNERS

Lines changed: 1 addition & 1 deletion
@@ -73,7 +73,7 @@ articles/service-health @rboucher
7373
/articles/lighthouse/ @JnHs
7474

7575
# Healthcare APIs
76-
/articles/healthcare-apis/ @ginalee-dotcom
76+
/articles/healthcare-apis/ @ranvijaykumar @mikaelweave
7777

7878
# Configuration
7979
*.json @SyntaxC4 @snoviking
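Review bot: the new owners `@ranvijaykumar` and `@mikaelweave` replace `@ginalee-dotcom` on `/articles/healthcare-apis/`; make sure both accounts have write access to the repository, because GitHub ignores a CODEOWNERS rule whose owner lacks it and reviews for that path would then silently stop being requested. If the previous owner is meant to keep reviewing, leave the handle in place rather than removing it.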

articles/active-directory-b2c/TOC.yml

Lines changed: 2 additions & 0 deletions
@@ -528,6 +528,8 @@
528528
displayName: bulk import
529529
- name: Partner integration
530530
items:
531+
- name: Grit IAM B2B2C
532+
href: partner-grit-iam.md
531533
- name: N8identity
532534
href: partner-n8identity.md
533535
- name: Saviynt
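Review bot: the new entry's `href: partner-grit-iam.md` must point at a file that lands in the same commit, otherwise the TOC build breaks; the placement keeps the Partner integration list in alphabetical order (Grit before N8identity and Saviynt), which is correct.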

articles/active-directory-b2c/partner-gallery.md

Lines changed: 2 additions & 1 deletion
@@ -9,7 +9,7 @@ manager: CelesteDG
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: how-to
12-
ms.date: 04/21/2022
12+
ms.date: 09/14/2022
1313
ms.author: kengaderdus
1414
ms.subservice: B2C
1515
---
@@ -65,6 +65,7 @@ Microsoft partners with the following ISVs for role-based access control.
6565

6666
| ISV partner | Description and integration walkthroughs |
6767
|:-------------------------|:--------------|
68+
| ![Screenshot of a grit IAM logo.](./media/partner-gallery/grit-logo.png) | [Grit IAM B2B2C](./partner-grit-iam.md) provides authentication, authorization, profile and role management, and delegated B2B SaaS application administration. It also enables role-based access control (RBAC) for end-users of Azure AD B2C.|
6869
| ![Screenshot of a n8identity logo](./media/partner-gallery/n8identity-logo.png) | [N8Identity](./partner-n8identity.md) is an Identity-as-a-Service governance platform that provides solution to address customer accounts migration and Customer Service Requests (CSR) administration running on Microsoft Azure. |
6970
| ![Screenshot of a Saviynt logo](./media/partner-gallery/saviynt-logo.png) | [Saviynt](./partner-Saviynt.md) cloud-native platform promotes better security, compliance, and governance through intelligent analytics and cross application integration for streamlining IT modernization. |
7071
| ![Screenshot of a WhoIAM Rampart logo](./media/partner-gallery/whoiam-logo.png) | [WhoIAM Rampart](./partner-whoiam-rampart.md) provides a fully integrated helpdesk and invitation-gated user registration experience. It allows support specialists to efficiently perform tasks like resetting passwords and multi-factor authentication without using Azure. It also enables apps and role-based access control (RBAC) for end-users of Azure AD B2C. |
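Review bot: the alt text `Screenshot of a grit IAM logo.` in the added row uses lowercase `grit` and a trailing period, while the neighbouring rows use the product's capitalization and no period (`Screenshot of a n8identity logo`); use `Screenshot of a Grit IAM logo` for consistency. The added description also repeats the RBAC sentence from the WhoIAM Rampart row almost verbatim; if that is intentional it is fine, but a distinguishing summary would help readers choose between the two partners.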
Lines changed: 116 additions & 0 deletions
@@ -0,0 +1,116 @@
1+
---
2+
title: Configure the Grit IAM B2B2C solution with Azure Active Directory B2C
3+
titleSuffix: Azure AD B2C
4+
description: Learn how to integrate Azure AD B2C authentication with the Grit IAM B2B2C solution
5+
services: active-directory-b2c
6+
author: gargi-sinha
7+
manager: martinco
8+
ms.service: active-directory
9+
ms.workload: identity
10+
ms.topic: how-to
11+
ms.date: 9/15/2022
12+
ms.author: gasinh
13+
ms.reviewer: kengaderdus
14+
ms.subservice: B2C
15+
---
16+
17+
# Tutorial: Configure the Grit IAM B2B2C solution with Azure Active Directory B2C
18+
19+
In this tutorial, you learn how to integrate Azure Active Directory B2C (Azure AD B2C) authentication with a [Grit IAM B2B2C](https://www.gritiam.com/b2b2c) solution. You can use the solution to provide secure, reliable, self-serviceable, and user-friendly identity and access management to your customers. Shared profile data such as first name, last name, home address, and email used in web and mobile applications are stored in a centralized manner with consideration to compliance and regulatory needs.
20+
21+
22+
Use Grit's B2BB2C solution for:
23+
24+
- Authentication, authorization, profile and role management, and delegated B2B SaaS application administration.
25+
- Role-based access control for Azure AD B2C applications.
26+
27+
## Prerequisites
28+
29+
To get started, ensure the following prerequisites are met:
30+
31+
- A Grit IAM account. You can go to [Grit IAM B2B2C solution](https://www.gritiam.com/b2b2c) to get a demo.
32+
- An Azure AD subscription. If you don't have one, you can create a [free Azure account](https://azure.microsoft.com/free/).
33+
- An Azure AD B2C tenant linked to the Azure subscription. You can learn more at [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md).
34+
- Configure your application in the Azure portal.
35+
36+
## Scenario description
37+
38+
Contoso does business with end customers and large enterprises, like Fabrikam_big1 and Fabrikam_big2. There're small enterprise customers like Fabrikam_small1 and Fabrikam_small2 and direct business is done with end customers like Smith1 and Smith2.
39+
40+
*Contoso* has web and mobile applications and develops new applications. The applications rely on user shared profile data such as, first name, last name, address, and email. They want to centralize the profile data, so applications aren't collecting and storing the data. They want to store the profile information in accordance with certain compliance and regulations.
41+
42+
![Screenshot that shows the architecture diagram of how the components are connected to each other.](./media/partner-grit-iam/grit-b2b2c-architecture.png)
43+
44+
This integration is composed of the following components:
45+
46+
- **Azure AD B2C Identity Experience Framework (IEF)**: An engine that executes user journeys, which can include validating credentials, performing MFA, checking user access. It's aided by the Azure AD database and the API layer, which's configured using XML.
47+
48+
- **Grit API layer**: This layer exposes user profile data and metadata about organizations and applications. The data is stored in Azure AD and Cosmos DB.
49+
50+
- **Grit Onboarding portal**: Used by admins to onboard applications and organizations.
51+
52+
- **Grit Admin portal**: Used by the *Contoso* admin and by admins of *fabrikam_big1*, and *fabirkam_small1*. Delegated admins can manage users and their access. Super admins of the organizations manage all users.
53+
54+
55+
- **Grit Visual IEF editor**: A low code/no code editor that customizes the user journey and is provided by Grit. It produces the XML used by IEF. *Contoso* developers use it to customize user journeys.
56+
57+
58+
- **Applications**: Developed by *Contoso* or third parties. Applications use Open ID or SAML to connect to the customer identity and access management (CIAM) system. The tokens they receive contain user-profile information, but can make API calls, with the token as the auth mechanism, to do user-profile data create, read, update and delete (CRUD) operations.
59+
60+
61+
> [!NOTE]
62+
> Components developed by Grit, except the visual IEF editor, will be deployed in the Contoso Azure environment.
63+
64+
## Configure Grit B2B2C with Azure AD B2C
65+
66+
Use the guidance provided in the following sections to get started with configuration.
67+
68+
### Step 1 - Setup infrastructure
69+
70+
To get started with setup:
71+
72+
- Contact [Grit support](mailto:[email protected]) to obtain access.
73+
- For evaluation, the Grit support team will deploy the infrastructure in the Grit Azure subscription and they'll give you admin rights.
74+
- After you purchase the solution, Grit engineers will install the production version in your Azure subscription.
75+
- The infrastructure integrates with your virtual network (VNet) setup, supports APIM (third-party API management) and the firewall.
76+
- Grit implementation engineers can provide custom recommendations based on your infrastructure.
77+
78+
### Step 2 - Create admins in the Admin Portal
79+
80+
Use the Grit Admin portal to assign administrators access to the portal where they can perform the following tasks -
81+
82+
- Add other admins such as super, organization, application admin in the hierarchy depending on their permission level.
83+
84+
- View/accept/reject all the user's requests for the application registration.
85+
86+
- Search users.
87+
88+
To learn how to assign admin roles, check the [tutorial.](https://app.archbee.com/doc/j1VX2J3B3xJ-zMqnmlDA5/9IW3PgI2yn1cCpPGm1vVN)
89+
90+
### Step 3 - Onboard organizations
91+
92+
Use the Onboarding portal for one or more of your customers and their identity provider (IdP) that supports OpenID Connect (OIDC) and SAML. Onboard customers without an IdP, for local account authentication. For B2C applications, enable social authentications.
93+
94+
In the Grit Onboarding portal, create a super admin for the tenant. The Onboarding portal defines the claims per application and per organization. Thereafter, the portal creates an endpoint URL for the sign-in and sign-up user flow.
95+
96+
To learn how to onboard an organization, check this [tutorial](https://app.archbee.com/doc/G_YZFq_VwvgMlmX-_efmX/8m90WVb2M6Yi0gCe7yor2).
97+
98+
### Step 4 - Integrate applications using OIDC or SAML
99+
100+
After you onboard the customer, the Grit Onboarding portal provides URLs to onboard the applications.
101+
102+
Learn [how your customers can sign up, sign in, and manage their profiles](add-sign-up-and-sign-in-policy.md?pivots=b2c-custom-policy).
103+
104+
## Test the scenarios
105+
106+
Check the authentication [scenarios](#scenario-description) in your applications. Use the Grit Admin portal to change roles and user properties. Provide delegated access to Admin portal by inviting users.
107+
108+
## Next steps
109+
110+
- [Azure AD B2C custom policy overview](custom-policy-overview.md)
111+
112+
- [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](custom-policy-get-started.md?tabs=applications)
113+
114+
- [SAAS Platform - Organization Application Onboarding Portal](https://app.archbee.com/doc/G_YZFq_VwvgMlmX-_efmX/8m90WVb2M6Yi0gCe7yor2)
115+
116+
- [SAAS Platform - Admin Portal](https://app.archbee.com/doc/j1VX2J3B3xJ-zMqnmlDA5/9IW3PgI2yn1cCpPGm1vVN)
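Review bot: `Use Grit's B2BB2C solution for:` in the new file should read `B2B2C` to match the title and the rest of the article; in the same file, `fabirkam_small1` should be `fabrikam_small1`, `which's configured using XML` should be `which is configured using XML`, and `ms.date: 9/15/2022` should use the zero-padded `09/15/2022` form that the other front matter on this page uses. One content point worth a sentence: the Applications bullet says the token issued by the CIAM system is the auth mechanism for profile CRUD API calls, and the note says Grit-developed components are deployed into the Contoso Azure environment; Step 1 should state who operates and patches those components after handover, because the profile store they front holds the regulated personal data the Scenario description calls out.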

articles/active-directory/app-proxy/application-proxy-configure-cookie-settings.md

Lines changed: 1 addition & 1 deletion
@@ -24,7 +24,7 @@ Azure Active Directory (Azure AD) has access and session cookies for accessing o
2424
| Cookie setting | Default | Description | Recommendations |
2525
| -------------- | ------- | ----------- | --------------- |
2626
| Use HTTP-Only Cookie | **No** | **Yes** allows Application Proxy to include the HTTPOnly flag in HTTP response headers. This flag provides additional security benefits, for example, it prevents client-side scripting (CSS) from copying or modifying the cookies.<br></br><br></br>Before we supported the HTTP-Only setting, Application Proxy encrypted and transmitted cookies over a secured TLS channel to protect against modification. | Use **Yes** because of the additional security benefits.<br></br><br></br>Use **No** for clients or user agents that do require access to the session cookie. For example, use **No** for an RDP or MTSC client that connects to a Remote Desktop Gateway server through Application Proxy.|
27-
| Use Secure Cookie | **No** | **Yes** allows Application Proxy to include the Secure flag in HTTP response headers. Secure Cookies enhances security by transmitting cookies over a TLS secured channel such as HTTPS. This prevents cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text. | Use **Yes** because of the additional security benefits.|
27+
| Use Secure Cookie | **Yes** | **Yes** allows Application Proxy to include the Secure flag in HTTP response headers. Secure Cookies enhances security by transmitting cookies over a TLS secured channel such as HTTPS. This prevents cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text. | Use **Yes** because of the additional security benefits.|
2828
| Use Persistent Cookie | **No** | **Yes** allows Application Proxy to set its access cookies to not expire when the web browser is closed. The persistence lasts until the access token expires, or until the user manually deletes the persistent cookies. | Use **No** because of the security risk associated with keeping users authenticated.<br></br><br></br>We suggest only using **Yes** for older applications that can't share cookies between processes. It's better to update your application to handle sharing cookies between processes instead of using persistent cookies. For example, you might need persistent cookies to allow a user to open Office documents in explorer view from a SharePoint site. Without persistent cookies, this operation might fail if the access cookies aren't shared between the browser, the explorer process, and the Office process. |
2929

3030
## SameSite Cookies
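Review bot: the Default column for Use Secure Cookie flips from **No** to **Yes** while the Description and Recommendations cells stay identical; if the product default really changed, say so in the row (the HTTP-Only row's "Before we supported the HTTP-Only setting" history note is a good model) so readers with existing apps know the behaviour they get without touching the setting. While here, the unchanged HTTP-Only row expands the abbreviation as `client-side scripting (CSS)`; the threat the HttpOnly flag addresses is script reading the cookie, which is cross-site scripting (XSS), and CSS reads as style sheets, so that wording should be fixed in a follow-up.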

articles/active-directory/conditional-access/block-legacy-authentication.md

Lines changed: 6 additions & 10 deletions
@@ -1,12 +1,12 @@
11
---
22
title: Block legacy authentication - Azure Active Directory
3-
description: Learn how to improve your security posture by blocking legacy authentication using Azure AD Conditional Access.
3+
description: Block legacy authentication using Azure AD Conditional Access.
44

55
services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: how-to
9-
ms.date: 08/22/2022
9+
ms.date: 09/26/2022
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
@@ -20,7 +20,7 @@ ms.collection: M365-identity-device-management
2020
To give your users easy access to your cloud apps, Azure Active Directory (Azure AD) supports a broad variety of authentication protocols including legacy authentication. However, legacy authentication doesn't support things like multifactor authentication (MFA). MFA is a common requirement to improve security posture in organizations.
2121

2222
> [!NOTE]
23-
> Effective October 1, 2022, we will begin to permanently disable Basic Authentication for Exchange Online in all Microsoft 365 tenants regardless of usage, except for SMTP Authentication. Read more [here](/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online)
23+
> Effective October 1, 2022, we will begin to permanently disable Basic Authentication for Exchange Online in all Microsoft 365 tenants regardless of usage, except for SMTP Authentication. For more information, see the article [Deprecation of Basic authentication in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online)
2424
2525
Alex Weinert, Director of Identity Security at Microsoft, in his March 12, 2020 blog post [New tools to block legacy authentication in your organization](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#) emphasizes why organizations should block legacy authentication and what other tools Microsoft provides to accomplish this task:
2626

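Review bot: the rewritten note sentence ends without a period after the link (`...exchange-online)`) while the sentence before it is punctuated; add the period. Replacing `Read more [here]` with the descriptive link text `Deprecation of Basic authentication in Exchange Online` is the right change, since the link then still makes sense when the note is read out of context.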
@@ -90,8 +90,8 @@ Before you can block legacy authentication in your directory, you need to first
9090
#### Indicators from Azure AD
9191

9292
1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-in logs**.
93-
1. Add the Client App column if it isn't shown by clicking on **Columns** > **Client App**.
94-
1. **Add filters** > **Client App** > select all of the legacy authentication protocols. Select outside the filtering dialog box to apply your selections and close the dialog box.
93+
1. Add the **Client App** column if it isn't shown by clicking on **Columns** > **Client App**.
94+
1. Select **Add filters** > **Client App** > choose all of the legacy authentication protocols and select **Apply**.
9595
1. If you've activated the [new sign-in activity reports preview](../reports-monitoring/concept-all-sign-ins.md), repeat the above steps also on the **User sign-ins (non-interactive)** tab.
9696

9797
Filtering will only show you sign-in attempts that were made by legacy authentication protocols. Clicking on each individual sign-in attempt will show you more details. The **Client App** field under the **Basic Info** tab will indicate which legacy authentication protocol was used.
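Review bot: the second step still says `by clicking on **Columns** > **Client App**` while the third step was rewritten to `Select **Add filters**`; use `select` in both for a consistent verb. The third step now ends with `select **Apply**`, replacing the earlier "Select outside the filtering dialog box" instruction; confirm the current portal filter dialog exposes an Apply button, because this is the procedure admins follow to find legacy-auth sign-ins before they block them, and a stale UI step here means the blocking policy gets built on an incomplete inventory.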
@@ -131,16 +131,12 @@ There are two ways to use Conditional Access policies to block legacy authentica
131131

132132
### Directly blocking legacy authentication
133133

134-
The easiest way to block legacy authentication across your entire organization is by configuring a Conditional Access policy that applies specifically to legacy authentication clients and blocks access. When assigning users and applications to the policy, make sure to exclude users and service accounts that still need to sign in using legacy authentication. When choosing the cloud apps in which to apply this policy, select All cloud apps, targeted apps such as Office 365 (recommended) or at a minimum, Office 365 Exchange Online. Configure the client apps condition by selecting **Exchange ActiveSync clients** and **Other clients**. To block access for these client apps, configure the access controls to Block access.
135-
136-
![Client apps condition configured to block legacy auth](./media/block-legacy-authentication/client-apps-condition-configured-yes.png)
134+
The easiest way to block legacy authentication across your entire organization is by configuring a Conditional Access policy that applies specifically to legacy authentication clients and blocks access. When assigning users and applications to the policy, make sure to exclude users and service accounts that still need to sign in using legacy authentication. When choosing the cloud apps in which to apply this policy, select All cloud apps, targeted apps such as Office 365 (recommended) or at a minimum, Office 365 Exchange Online. Organizations can use the policy available in [Conditional Access templates](concept-conditional-access-policy-common.md) or the common policy [Conditional Access: Block legacy authentication](howto-conditional-access-policy-block-legacy.md) as a reference.
137135

138136
### Indirectly blocking legacy authentication
139137

140138
If your organization isn't ready to block legacy authentication across the entire organization, you should ensure that sign-ins using legacy authentication aren't bypassing policies that require grant controls such as requiring multifactor authentication or compliant/hybrid Azure AD joined devices. During authentication, legacy authentication clients don't support sending MFA, device compliance, or join state information to Azure AD. Therefore, apply policies with grant controls to all client applications so that legacy authentication based sign-ins that can’t satisfy the grant controls are blocked. With the general availability of the client apps condition in August 2020, newly created Conditional Access policies apply to all client apps by default.
141139

142-
![Client apps condition default configuration](./media/block-legacy-authentication/client-apps-condition-configured-no.png)
143-
144140
## What you should know
145141

146142
It can take up to 24 hours for the Conditional Access policy to go into effect.
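Review bot: the removed paragraph was the only place in this section that named the concrete condition that makes the policy target legacy authentication (`Configure the client apps condition by selecting **Exchange ActiveSync clients** and **Other clients**`) and the control (`Block access`); the replacement points to the templates and the common-policy article but no longer states those two settings inline. Keep one sentence with the client apps condition and the Block access control here, because an administrator who builds the policy by hand from this page alone could otherwise end up with a policy that blocks nothing, or, with the default all-client-apps scope the next section describes, one that blocks modern clients as well. Dropping the two screenshots is fine as long as the text stays self-sufficient.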

articles/active-directory/conditional-access/concept-conditional-access-grant.md

Lines changed: 2 additions & 2 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: conceptual
9-
ms.date: 09/06/2022
9+
ms.date: 09/26/2022
1010
ms.author: joflore
1111
author: MicrosoftGuyJFlo
1212
manager: amycolannino
@@ -18,7 +18,7 @@ ms.collection: M365-identity-device-management
1818

1919
Within a Conditional Access policy, an administrator can use access controls to grant or block access to resources.
2020

21-
:::image type="content" source="media/concept-conditional-access-session/conditional-access-session.png" alt-text="Screenshot of a Conditional Access policy with a grant control that requires multifactor authentication." lightbox="media/concept-conditional-access-session/conditional-access-session.png":::
21+
:::image type="content" source="media/concept-conditional-access-grant/conditional-access-grant.png" alt-text="Screenshot of a Conditional Access policy with a grant control that requires multifactor authentication." lightbox="media/concept-conditional-access-grant/conditional-access-grant.png":::
2222

2323
## Block access
2424

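Review bot: the image path moves from `media/concept-conditional-access-session/` to `media/concept-conditional-access-grant/` with a new file name; make sure `conditional-access-grant.png` is added in this commit (it isn't visible in this excerpt), otherwise the `:::image:::` directive fails the build. Giving the grant article its own screenshot instead of reusing the session-policy one is the right call, since the alt text describes a grant control.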