Merge pull request #250234 from MicrosoftDocs/main

9/4/2023 AM Publish

Author: Taojunshen

articles/active-directory/develop/includes/web-app-client-credentials.md

@@ -72,4 +72,8 @@ Instead of a client secret, you can provide a client certificate. The following
 }
 ```
 
-*Microsoft.Identity.Web* provides several ways to describe certificates, both by configuration or by code. For details, see [Microsoft.Identity.Web - Using certificates](https://github.com/AzureAD/microsoft-identity-web/wiki/Using-certificates) on GitHub.
+> [!WARNING]
+>
+> If you forget to change the `Scopes` to an array, when you try to use the `IDownstreamApi` the scopes will appear null, and `IDownstreamApi` will attempt an anonymous (unauthenticated) call to the downstream API, which will result in a `401/unauthenticated`.
+
+*Microsoft.Identity.Web* provides several ways to describe certificates, both by configuration or by code. For details, see [Microsoft.Identity.Web - Using certificates](https://github.com/AzureAD/microsoft-identity-web/wiki/Using-certificates) on GitHub.

articles/active-directory/develop/saml-claims-customization.md

@@ -210,10 +210,14 @@ When the following conditions occur after **Add** or **Run test** is selected, a
 
 ## Add the UPN claim to SAML tokens
 
-The `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` claim is part of the [SAML restricted claim set](reference-claims-mapping-policy-type.md), so you can't add it in the **Attributes & Claims** section. As a workaround, you can add it as an [optional claim](./optional-claims.md) through **App registrations** in the Azure portal.  
+The `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` claim is part of the [SAML restricted claim set](reference-claims-mapping-policy-type.md#saml-restricted-claim-set). If you have custom signing key configured, you can add it in the **Attributes & Claims** section.  
 
+In case there is no custom signing key configured, please refer to [SAML Restricted claim set](reference-claims-mapping-policy-type.md#saml-restricted-claim-set). You can add it as an [optional claim](./optional-claims.md) through **App registrations** in the Azure portal.
+ 
 Open the application in **App registrations**, select **Token configuration**, and then select **Add optional claim**. Select the **SAML** token type, choose **upn** from the list, and then click **Add** to add the claim to the token.
 
+Customization done in the **Attributes & Claims** section can overwrite the optional claims in the **App Registration**.
+
 ## Emit claims based on conditions
 
 You can specify the source of a claim based on user type and the group to which the user belongs.

articles/active-directory/external-identities/customers/media/how-to-define-custom-attributes/page-layouts.png

@@ -26,18 +26,18 @@ It is recommended that you use a non-production environment to test the steps in
 
 To configure OIDC-based SSO, you need:
 
-- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- One of the following roles: Global Administrator, or owner of the service principal.
+- An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
 
 ## Add the application
 
 When you add an enterprise application that uses the OIDC standard for SSO, you select a setup button. When you select the button, you complete the sign-up process for the application.
 
 To configure OIDC-based SSO for an application:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
-1. Browse to **Azure Active Directory** > **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant. 
-1. In the **Enterprise applications** pane, select **New application**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**.
+1. In the **All applications** pane, select **New application**.
 1. The **Browse Azure AD Gallery** pane opens and displays tiles for cloud platforms, on-premises applications, and featured applications. Applications listed in the **Featured applications** section have icons indicating whether they support federated SSO and provisioning. Search for and select the application. In this example, **SmartSheet** is being used.
 1. Select **Sign-up**. Sign in with the user account credentials from Azure Active Directory. If you already have a subscription to the application, then user details and tenant information is validated. If the application is not able to verify the user, then it redirects you to sign up for the application service.
 

articles/active-directory/manage-apps/add-application-portal-setup-oidc-sso.md

@@ -41,15 +41,22 @@ Azure AD supports two signing algorithms, or secure hash algorithms (SHAs), to s
 
 * **SHA-1**. This algorithm is older, and it's treated as less secure than SHA-256. If an application supports only this signing algorithm, you can select this option in the **Signing Algorithm** drop-down list. Azure AD then signs the SAML response with the SHA-1 algorithm.
 
+## Prerequisites
+
+To change an application's SAML certificate signing options and the certificate signing algorithm, you need:
+
+- An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
+
 [!INCLUDE [portal updates](../includes/portal-update.md)]
 
 ## Change certificate signing options and signing algorithm
 
-To change an application's SAML certificate signing options and the certificate signing algorithm, select the application in question:
+To change an application's SAML certificate signing options and the certificate signing algorithm:
 
-1. In the [Azure portal](https://portal.azure.com), sign in to your account.
-1. Browse to **Azure Active Directory** > **Enterprise applications**. A list of the enterprise applications in your account appears.
-1. Select an application. An overview page for the application appears. In this example, the Salesforce application is used.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**.
+1. Enter the name of the existing application in the search box, and then select the application from the search results. In this example, you use the Salesforce application.
 
    ![Example: Application overview page](./media/certificate-signing-options/application-overview-page.png)
 
@@ -69,5 +76,5 @@ Next, change the certificate signing options in the SAML token for that applicat
 
 ## Next steps
 
-* [Configure single sign-on to applications that are not in the Azure Active Directory App Gallery](../develop/single-sign-on-saml-protocol.md)
-* [Troubleshoot SAML-based single sign-on](./debug-saml-sso-issues.md)
+- [Configure single sign-on to applications that are not in the Azure Active Directory App Gallery](../develop/single-sign-on-saml-protocol.md)
+- [Troubleshoot SAML-based single sign-on](./debug-saml-sso-issues.md)

articles/active-directory/manage-apps/certificate-signing-options.md

@@ -32,8 +32,8 @@ To download and install the My Apps Secure Sign-in Extension, use one of the fol
 
 To test SAML-based single sign-on between Azure AD and a target application:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator or other administrator that is authorized to manage applications.
-1. In the left navigation pane, select **Azure Active Directory**, and then select **Enterprise applications**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**.
 1. From the list of enterprise applications, select the application for which you want to test single sign-on, and then from the options on the left, select **Single sign-on**.
 1. To open the SAML-based single sign-on testing experience, go to **Test single sign-on** (step 5). If the **Test** button is greyed out, you need to fill out and save the required attributes first in the **Basic SAML Configuration** section.
 1. In the **Test single sign-on** page, use your corporate credentials to sign in to the target application. You can sign in as the current user or as a different user. If you sign in as a different user, a prompt asks you to authenticate.

articles/active-directory/manage-apps/debug-saml-sso-issues.md

@@ -26,18 +26,17 @@ In this article, you learn how to prevent users from signing in to an applicatio
 
 To disable user sign-in, you need:
 
-- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- One of the following roles: An administrator, or owner of the service principal.
+- An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
 
 ## Disable user sign-in
 
 [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
 
 :::zone pivot="portal"
 
-1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator for your directory.
-1. Search for and select **Azure Active Directory**.
-1. Select **Enterprise applications**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**.
 1. Search for the application you want to disable a user from signing in, and select the application.
 1. Select **Properties**.
 1. Select **No** for **Enabled for users to sign-in?**.
@@ -49,11 +48,11 @@ To disable user sign-in, you need:
 
 You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being preauthorized by Microsoft. You can manually create the service principal for the app and then disable it by using the following Microsoft Graph PowerShell cmdlet.
 
-Ensure you've installed the AzureAD module (use the command `Install-Module -Name AzureAD`). In case you're prompted to install a NuGet module or the new Azure AD V2 PowerShell module, type Y and press ENTER.
+Ensure you've installed the AzureAD module (use the command `Install-Module -Name AzureAD`). In case you're prompted to install a NuGet module or the new Azure AD V2 PowerShell module, type Y and press ENTER. You need to sign in as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 
 ```PowerShell
 # Connect to Azure AD PowerShell
-Connect-AzureAD -Scopes "Application.ReadWrite.All"
+Connect-AzureAD -Scopes
 
 # The AppId of the app to be disabled
 $appId = "{AppId}"
@@ -74,7 +73,7 @@ if ($servicePrincipal) {
 
 You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being preauthorized by Microsoft. You can manually create the service principal for the app and then disable it by using the following Microsoft Graph PowerShell cmdlet.
 
-Ensure you've installed the Microsoft Graph module (use the command `Install-Module Microsoft.Graph`).
+Ensure you've installed the Microsoft Graph module (use the command `Install-Module Microsoft.Graph`). You need to sign in as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 
 ```powershell
 # Connect to Microsoft Graph PowerShell
@@ -98,7 +97,7 @@ else {  $servicePrincipal = New-MgServicePrincipal -AppId $appId –AccountEnabl
 
 You may know the AppId of an app that doesn't appear on the Enterprise apps list. For example, you may have deleted the app or the service principal hasn't yet been created due to the app being preauthorized by Microsoft. You can manually create the service principal for the app and then disable it by using the following Microsoft Graph PowerShell cmdlet.
 
-To disable sign-in to an application, sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) with one of the roles listed in the prerequisite section.
+To disable sign-in to an application, sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 
 You need to consent to the `Application.ReadWrite.All` permission.
 

articles/active-directory/manage-apps/disable-user-sign-in-portal.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: how-to
-ms.date: 03/28/2023
+ms.date: 09/04/2023
 ms.author: jawoods
 ms.reviewer: phsignor
 zone_pivot_groups: enterprise-apps-all
@@ -41,34 +41,25 @@ Please see [Restore permissions granted to applications](restore-permissions.md)
 
 [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
 
-You can access the Azure portal to view the permissions granted to an app. You can revoke permissions granted by admins for your entire organization, and you can get contextual PowerShell scripts to perform other actions.
+You can access the Microsoft Entra admin center to view the permissions granted to an app. You can revoke permissions granted by admins for your entire organization, and you can get contextual PowerShell scripts to perform other actions.
 
-To revoke an application's permissions that have been granted for the entire organization:
+To review an application's permissions that have been granted for the entire organization or to a specific user or group:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) using one of the roles listed in the prerequisites section.
-1. Select **Azure Active Directory**, and then select **Enterprise applications**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**.
 1. Select the application that you want to restrict access to.
 1. Select **Permissions**. 
-1. The permissions listed in the **Admin consent** tab apply to your entire organization. Choose the permission you would like to remove, select the **...** control for that permission, and then choose **Revoke permission**.
-
-To review an application's permissions:
-
-1. Sign in to the [Azure portal](https://portal.azure.com) using one of the roles listed in the prerequisites section.
-1. Select **Azure Active Directory**, and then select **Enterprise applications**.
-1. Select the application that you want to restrict access to.
-1. Select **Permissions**. In the command bar, select **Review permissions**.
-![Screenshot of the review permissions window.](./media/manage-application-permissions/review-permissions.png)
-1. Give a reason for why you want to review permissions for the application by selecting any of the options listed after the question, **Why do you want to review permissions for this application?**
-
-Each option generates PowerShell scripts that enable you to control user access to the application and to review permissions granted to the application. For information about how to control user access to an application, see [How to remove a user's access to an application](methods-for-removing-user-access.md)
+1. To view permissions that apply to your entire organization, select the **Admin consent** tab. To view permissions granted to a specific user or group, select the **User consent** tab.
+1. To view the details of a given permission, select the permission from the list. The **Permission Details** pane opens. 
+1. To revoke a given permission, choose the permission you would like to revoke, select the **...** control for that permission, and then choose **Revoke permission**.
 
 :::zone-end
 
 :::zone pivot="aad-powershell"
 
 ## Review and revoke permissions
 
-Use the following Azure AD PowerShell script to revoke all permissions granted to an application.
+Use the following Azure AD PowerShell script to revoke all permissions granted to an application. You need to sign in as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 
 ```powershell
 Connect-AzureAD 
@@ -117,7 +108,7 @@ $assignments | ForEach-Object {
 
 ## Review and revoke permissions
 
-Use the following Microsoft Graph PowerShell script to revoke all permissions granted to an application.
+Use the following Microsoft Graph PowerShell script to revoke all permissions granted to an application. You need to sign in as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 
 ```powershell
 Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
@@ -171,7 +162,7 @@ $spApplicationPermissions = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrin
 
 ## Review and revoke permissions
 
-To review permissions, Sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) with one of the roles listed in the prerequisite section.
+To review permissions, Sign in to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 
 You need to consent to the following permissions: 
 

articles/active-directory/manage-apps/manage-application-permissions.md

@@ -25,17 +25,16 @@ In this article, you learn how to review and take action on admin consent reques
 To review and take action on admin consent requests, you need:
 
 - An Azure account. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- A designated reviewer with the appropriate role to [review admin consent requests](grant-admin-consent.md#prerequisites).
+- A Global Administrator or a designated reviewer with the appropriate role to [review admin consent requests](grant-admin-consent.md#prerequisites).
 
 ## Review and take action on admin consent requests
 
 [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
 
 To review the admin consent requests and take action:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) as one of the registered reviewers of the admin consent workflow.
-1. Search for and select **Azure Active Directory**.
-1. From the navigation menu, select **Enterprise applications**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator) who is a designated reviewer.
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
 1. Under **Activity**, select **Admin consent requests**.
 1. Select **My Pending** tab to view and act on the pending requests. 
 1. Select the application that is being requested from the list.