Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/active-directory-domain-services/network-considerations.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 08/12/2021
+ms.date: 01/06/2022
 ms.author: justinha
 
 ---
@@ -85,7 +85,9 @@ You can enable name resolution using conditional DNS forwarders on the DNS serve
 
 ## Network resources used by Azure AD DS
 
-A managed domain creates some networking resources during deployment. These resources are needed for successful operation and management of the managed domain, and shouldn't be manually configured.
+A managed domain creates some networking resources during deployment. These resources are needed for successful operation and management of the managed domain, and shouldn't be manually configured. 
+
+Don't lock the networking resources used by Azure AD DS. If networking resources get locked, they can't be deleted. When domain controllers need to be rebuilt in that case, new networking resources with different IP addresses need to be created. 
 
 | Azure resource                          | Description |
 |:----------------------------------------|:---|

articles/active-directory/app-provisioning/whats-new-docs.md

@@ -1,7 +1,7 @@
 ---
 title: "What's new in Azure Active Directory application provisioning"
 description: "New and updated documentation for the Azure Active Directory application provisioning."
-ms.date: 12/02/2021
+ms.date: 01/07/2022
 ms.service: active-directory
 ms.subservice: app-provisioning
 ms.topic: reference
@@ -15,6 +15,13 @@ manager: karenhoran
 
 Welcome to what's new in Azure Active Directory application provisioning documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the provisioning service, see [What's new in Azure Active Directory](../fundamentals/whats-new.md).
 
+## December 2021
+
+### Updated articles
+
+- [How Application Provisioning works in Azure Active Directory](how-provisioning-works.md)
+
+
 ## November 2021
 
 ### New articles

articles/active-directory/app-proxy/whats-new-docs.md

@@ -1,7 +1,7 @@
 ---
 title: "What's new in Azure Active Directory application proxy"
 description: "New and updated documentation for the Azure Active Directory application proxy."
-ms.date: 12/02/2021
+ms.date: 01/07/2022
 ms.service: active-directory
 ms.subservice: app-proxy
 ms.topic: reference
@@ -15,6 +15,14 @@ manager: karenhoran
 
 Welcome to what's new in Azure Active Directory application proxy documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the service, see [What's new in Azure Active Directory](../fundamentals/whats-new.md).
 
+## December 2021
+
+### Updated articles
+
+- [Configure custom domains with Azure AD Application Proxy](application-proxy-configure-custom-domain.md)
+- [Active Directory (Azure AD) Application Proxy frequently asked questions](application-proxy-faq.yml)
+
+
 ## November 2021
 
 ### Updated articles

articles/active-directory/authentication/howto-authentication-passwordless-phone.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 01/05/2022
+ms.date: 01/07/2022
 
 ms.author: justinha
 author: justinha
@@ -130,7 +130,7 @@ If the user attempts to upgrade multiple installations (5+) of the Microsoft Aut
 
 Before you can create this new strong credential, there are prerequisites. One prerequisite is that the device on which the Microsoft Authenticator app is installed must be registered within the Azure AD tenant to an individual user.
 
-Currently, a device can only be registered in a single tenant. This limit means that only one work or school account in the Microsoft Authenticator app can be enabled for phone sign-in.
+Currently, a device can only be enabled for passwordless sign-in in a single tenant. This limit means that only one work or school account in the Microsoft Authenticator app can be enabled for phone sign-in.
 
 > [!NOTE]
 > Device registration is not the same as device management or mobile device management (MDM). Device registration only associates a device ID and a user ID together, in the Azure AD directory.

articles/active-directory/develop/TOC.yml

@@ -23,22 +23,7 @@
   - name: Single-page app (SPA)
     href: single-page-app-quickstart.md
   - name: Web app
-    items:
-    - name: ASP.NET
-      href: quickstart-v2-aspnet-webapp.md
-    - name: ASP.NET Core (sign in users)
-      href: quickstart-v2-aspnet-core-webapp.md
-    - name: ASP.NET Core (call Microsoft Graph)
-      href: quickstart-v2-aspnet-core-webapp-calls-graph.md
-    - name: Node.js - MSAL
-      href: quickstart-v2-nodejs-webapp-msal.md
-    - name: Node.js - Passport.js
-      displayName: OIDC, express
-      href: quickstart-v2-nodejs-webapp.md
-    - name: Java
-      href: quickstart-v2-java-webapp.md
-    - name: Python
-      href: quickstart-v2-python-webapp.md
+    href: web-app-quickstart.md
   - name: Web API
     items:
     - name: ASP.NET

articles/active-directory/develop/includes/web-app/quickstart-aspnet-core.md

@@ -0,0 +1,184 @@
+---
+title: "Quickstart: ASP.NET Core web app that signs in users and calls Microsoft Graph | Azure"
+titleSuffix: Microsoft identity platform
+description: In this quickstart, you learn how an app leverages Microsoft.Identity.Web to implement Microsoft sign-in in an ASP.NET Core web app using OpenID Connect and calls Microsoft Graph
+services: active-directory
+author: jmprieur
+manager: CelesteDG
+
+ms.service: active-directory
+ms.subservice: develop
+ms.topic: quickstart
+ms.workload: identity
+ms.date: 11/22/2021
+ms.author: jmprieur
+ms.custom: "devx-track-csharp, aaddev, identityplatformtop40, scenarios:getting-started, languages:aspnet-core"
+#Customer intent: As an application developer, I want to know how to write an ASP.NET Core web app that can sign in personal Microsoft accounts and work/school accounts from any Azure Active Directory instance,  then access their data in Microsoft Graph on their behalf.
+---
+
+In this quickstart, you download and run a code sample that demonstrates how an ASP.NET Core web app can sign in users from any Azure Active Directory (Azure AD) organization.  
+
+The following diagram shows how the sample app works:
+
+![Diagram of the interaction between the web browser, the web app, and the Microsoft identity platform in the sample app.](../../media/quickstart-v2-aspnet-core-webapp/aspnetcorewebapp-intro.svg)
+
+## Prerequisites
+
+* [Visual Studio 2019](https://visualstudio.microsoft.com/vs/) or [Visual Studio Code](https://code.visualstudio.com/)
+* [.NET Core SDK 3.1+](https://dotnet.microsoft.com/download)
+
+## Register and download your quickstart application
+
+#### Step 1: Register your application
+1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="../../media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
+1. Search for and select **Azure Active Directory**.
+1. Under **Manage**, select **App registrations** > **New registration**.
+1. For **Name**, enter a name for your application. For example, enter **AspNetCore-Quickstart**. Users of your app will see this name, and you can change it later.
+1. For **Redirect URI**, enter **https://localhost:44321/signin-oidc**.
+1. Select **Register**.
+1. Under **Manage**, select **Authentication**.
+1. For **Front-channel logout URL**, enter **https://localhost:44321/signout-oidc**.
+1. Under **Implicit grant and hybrid flows**, select **ID tokens**.
+1. Select **Save**.
+1. Under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**.
+1. Enter a **Description**, for example `clientsecret1`.
+1. Select **In 1 year** for the secret's expiration.
+1. Select **Add** and immediately record the secret's **Value** for use in a later step. The secret value is *never displayed again* and is irretrievable by any other means. Record it in a secure location as you would any password.
+
+#### Step 2: Download the ASP.NET Core project
+
+
+[Download the ASP.NET Core solution](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/archive/aspnetcore3-1.zip)
+
+[!INCLUDE [active-directory-develop-path-length-tip](../../../../../includes/active-directory-develop-path-length-tip.md)]
+
+#### Step 3: Configure your ASP.NET Core project
+1. Extract the .zip archive into a local folder near the root of your drive. For example, extract into *C:\Azure-Samples*.
+
+   We recommend extracting the archive into a directory near the root of your drive to avoid errors caused by path length limitations on Windows.
+1. Open the solution in Visual Studio 2019.
+1. Open the *appsettings.json* file and modify the following code:
+
+   ```json
+   "Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]",
+   "ClientId": "Enter_the_Application_Id_here",
+   "TenantId": "common",
+   ```
+
+   - Replace `Enter_the_Application_Id_here` with the application (client) ID of the application that you registered in the Azure portal. You can find the **Application (client) ID** value on the app's **Overview** page.
+   - Replace `common` with one of the following:
+      - If your application supports **Accounts in this organizational directory only**, replace this value with the directory (tenant) ID (a GUID) or the tenant name (for example, `contoso.onmicrosoft.com`). You can find the **Directory (tenant) ID** value on the app's **Overview** page.
+      - If your application supports **Accounts in any organizational directory**, replace this value with `organizations`.
+      - If your application supports **All Microsoft account users**, leave this value as `common`.
+    - Replace `Enter_the_Client_Secret_Here` with the **Client secret** you created and recorded in an earlier step.
+
+For this quickstart, don't change any other values in the *appsettings.json* file.
+
+#### Step 4: Build and run the application
+
+Build and run the app in Visual Studio by selecting the **Debug** menu > **Start Debugging**, or by pressing the F5 key.
+
+You're prompted for your credentials, and then asked to consent to the permissions that your app requires. Select **Accept** on the consent prompt.
+
+:::image type="content" source="../../media/quickstart-v2-aspnet-core-webapp/webapp-01-consent.png" alt-text="Screenshot of the consent dialog box, showing the permissions that the app is requesting from the user.":::
+
+After consenting to the requested permissions, the app displays that you've successfully logged in using your Azure Active Directory credentials, and you'll see your email address in the "Api result" section of the page. This was extracted using Microsoft Graph.
+
+:::image type="content" source="../../media/quickstart-v2-aspnet-core-webapp-calls-graph/webapp-02-signed-in.png" alt-text="Web browser displaying the running web app and the user signed in":::
+
+## More information
+
+This section gives an overview of the code required to sign in users and call the Microsoft Graph API on their behalf. This overview can be useful to understand how the code works, main arguments, and also if you want to add sign-in to an existing ASP.NET Core application and call Microsoft Graph. It uses [Microsoft.Identity.Web](../../microsoft-identity-web.md), which is a wrapper around [MSAL.NET](../../msal-overview.md).
+
+### Startup class
+
+The *Microsoft.AspNetCore.Authentication* middleware uses a `Startup` class that's executed when the hosting process starts:
+
+```csharp
+  // Get the scopes from the configuration (appsettings.json)
+  var initialScopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');
+
+  public void ConfigureServices(IServiceCollection services)
+  {
+      // Add sign-in with Microsoft
+      services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
+        .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))
+
+            // Add the possibility of acquiring a token to call a protected web API
+            .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
+
+                // Enables controllers and pages to get GraphServiceClient by dependency injection
+                // And use an in memory token cache
+                .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
+                .AddInMemoryTokenCaches();
+
+      services.AddControllersWithViews(options =>
+      {
+          var policy = new AuthorizationPolicyBuilder()
+              .RequireAuthenticatedUser()
+              .Build();
+          options.Filters.Add(new AuthorizeFilter(policy));
+      });
+
+      // Enables a UI and controller for sign in and sign out.
+      services.AddRazorPages()
+          .AddMicrosoftIdentityUI();
+  }
+```
+
+The `AddAuthentication()` method configures the service to add cookie-based authentication. This authentication is used in browser scenarios and to set the challenge to OpenID Connect.
+
+The line that contains `.AddMicrosoftIdentityWebApp` adds Microsoft identity platform authentication to your application. The application is then configured to sign in users based on the following information in the `AzureAD` section of the *appsettings.json* configuration file:
+
+| *appsettings.json* key | Description                                                                                                                                                          |
+|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `ClientId`             | Application (client) ID of the application registered in the Azure portal.                                                                                       |
+| `Instance`             | Security token service (STS) endpoint for the user to authenticate. This value is typically `https://login.microsoftonline.com/`, indicating the Azure public cloud. |
+| `TenantId`             | Name of your tenant or the tenant ID (a GUID), or `common` to sign in users with work or school accounts or Microsoft personal accounts.                             |
+
+The `EnableTokenAcquisitionToCallDownstreamApi` method enables your application to acquire a token to call protected web APIs. `AddMicrosoftGraph` enables your controllers or Razor pages to benefit directly the `GraphServiceClient` (by dependency injection) and the `AddInMemoryTokenCaches` methods enables your app to benefit from a token cache.
+
+The `Configure()` method contains two important methods, `app.UseAuthentication()` and `app.UseAuthorization()`, that enable their named functionality. Also in the `Configure()` method, you must register Microsoft Identity Web routes with at least one call to `endpoints.MapControllerRoute()` or a call to `endpoints.MapControllers()`:
+
+```csharp
+app.UseAuthentication();
+app.UseAuthorization();
+
+app.UseEndpoints(endpoints =>
+{
+    endpoints.MapControllerRoute(
+        name: "default",
+        pattern: "{controller=Home}/{action=Index}/{id?}");
+    endpoints.MapRazorPages();
+});
+```
+
+### Protect a controller or a controller's method
+
+You can protect a controller or its methods by applying the `[Authorize]` attribute to the controller's class or one or more of its methods. This `[Authorize]` attribute restricts access by allowing only authenticated users. If the user isn't already authenticated, an authentication challenge can be started to access the controller. In this quickstart, the scopes are read from the configuration file:
+
+```csharp
+[AuthorizeForScopes(ScopeKeySection = "DownstreamApi:Scopes")]
+public async Task<IActionResult> Index()
+{
+    var user = await _graphServiceClient.Me.Request().GetAsync();
+    ViewData["ApiResult"] = user.DisplayName;
+
+    return View();
+}
+```
+
+[!INCLUDE [Help and support](../../../../../includes/active-directory-develop-help-support-include.md)]
+
+## Next steps
+
+The GitHub repo that contains the ASP.NET Core code sample referenced in this quickstart includes instructions and more code samples that show you how to:
+
+- Add authentication to a new ASP.NET Core web application.
+- Call Microsoft Graph, other Microsoft APIs, or your own web APIs.
+- Add authorization.
+- Sign in users in national clouds or with social identities.
+
+> [!div class="nextstepaction"]
+> [ASP.NET Core web app tutorials on GitHub](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/)