Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into ultraLimFixes

Author: roygara

articles/active-directory-b2c/claim-resolver-overview.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 03/04/2021
+ms.date: 12/12/2021
 ms.author: kengaderdus
 ms.subservice: B2C
 ---
@@ -36,11 +36,9 @@ In the technical profile, map the claim resolver to the claim type. Azure AD B2C
 <InputClaim ClaimTypeReferenceId="correlationId" DefaultValue="{Context:CorrelationId}" />
 ```
 
-## Claim resolver types
+## Culture
 
-The following sections list available claim resolvers.
-
-### Culture
+The following table lists the claim resolvers with information about the language used in the authorization request:
 
 | Claim | Description | Example |
 | ----- | ----------- | --------|
@@ -49,7 +47,9 @@ The following sections list available claim resolvers.
 | {Culture:RegionName} | The two letter ISO code for the region. | US |
 | {Culture:RFC5646} | The RFC5646 language code. | en-US |
 
-### Policy
+## Policy
+
+The following table lists the claim resolvers with information about the policy used in the authorization request:
 
 | Claim | Description | Example |
 | ----- | ----------- | --------|
@@ -58,43 +58,49 @@ The following sections list available claim resolvers.
 | {Policy:TenantObjectId} | The tenant object ID of the relying party policy. | 00000000-0000-0000-0000-000000000000 |
 | {Policy:TrustFrameworkTenantId} | The tenant ID of the trust framework. | your-tenant.onmicrosoft.com |
 
-### OpenID Connect
 
-| Claim | Description | Example |
-| ----- | ----------- | --------|
-| {OIDC:AuthenticationContextReferences} |The `acr_values` query string parameter. | N/A |
-| {OIDC:ClientId} |The `client_id`  query string parameter. | 00000000-0000-0000-0000-000000000000 |
-| {OIDC:DomainHint} |The `domain_hint`  query string parameter. | facebook.com |
-| {OIDC:LoginHint} |  The `login_hint` query string parameter. | [email protected] |
-| {OIDC:MaxAge} | The `max_age`. | N/A |
-| {OIDC:Nonce} |The `Nonce`  query string parameter. | defaultNonce |
-| {OIDC:Password}| The [resource owner password credentials flow](add-ropc-policy.md) user's password.| password1| 
-| {OIDC:Prompt} | The `prompt` query string parameter. | login |
-| {OIDC:RedirectUri} |The `redirect_uri`  query string parameter. | https://jwt.ms |
-| {OIDC:Resource} |The `resource`  query string parameter. | N/A |
-| {OIDC:Scope} |The `scope`  query string parameter. | openid |
-| {OIDC:Username}| The [resource owner password credentials flow](add-ropc-policy.md) user's username.| [email protected]| 
+## Context
 
-### Context
+The following table lists the contextual claim resolvers of the authorization request:
 
 | Claim | Description | Example |
 | ----- | ----------- | --------|
 | {Context:BuildNumber} | The Identity Experience Framework version (build number).  | 1.0.507.0 |
 | {Context:CorrelationId} | The correlation ID.  | 00000000-0000-0000-0000-000000000000 |
-| {Context:DateTimeInUtc} |The date time in UTC.  | 10/10/2018 12:00:00 PM |
+| {Context:DateTimeInUtc} |The date time in UTC.  | 10/10/2021 12:00:00 PM |
 | {Context:DeploymentMode} |The policy deployment mode.  | Production |
 | {Context:HostName} | The host name of the current request.  | contoso.b2clogin.com |
 | {Context:IPAddress} | The user IP address. | 11.111.111.11 |
 | {Context:KMSI} | Indicates whether [Keep me signed in](session-behavior.md?pivots=b2c-custom-policy#enable-keep-me-signed-in-kmsi) checkbox is selected. |  true |
 
-### Claims 
+## Claims 
+
+This section describes how to get a claim value as a claim resolver.
 
 | Claim | Description | Example |
 | ----- | ----------- | --------|
-| {Claim:claim type} | An identifier of a claim type already defined in the ClaimsSchema section in the policy file or parent policy file.  For example: `{Claim:displayName}`, or `{Claim:objectId}`. | A claim type value.|
+| {Claim:claim type} | An identifier of a claim type already defined in the [ClaimsSchema](claimsschema.md) section in the policy file or parent policy file.  For example: `{Claim:displayName}`, or `{Claim:objectId}`. | A claim type value.|
+
+## OpenID Connect
 
+The following table lists the claim resolvers with information about the OpenID Connect authorization request:
+
+| Claim | Description | Example |
+| ----- | ----------- | --------|
+| {OIDC:AuthenticationContextReferences} |The `acr_values` query string parameter. | N/A |
+| {OIDC:ClientId} |The `client_id`  query string parameter. | 00000000-0000-0000-0000-000000000000 |
+| {OIDC:DomainHint} |The `domain_hint`  query string parameter. | facebook.com |
+| {OIDC:LoginHint} |  The `login_hint` query string parameter. | [email protected] |
+| {OIDC:MaxAge} | The `max_age`. | N/A |
+| {OIDC:Nonce} |The `Nonce`  query string parameter. | defaultNonce |
+| {OIDC:Password}| The [resource owner password credentials flow](add-ropc-policy.md) user's password.| password1| 
+| {OIDC:Prompt} | The `prompt` query string parameter. | login |
+| {OIDC:RedirectUri} |The `redirect_uri`  query string parameter. | https://jwt.ms |
+| {OIDC:Resource} |The `resource`  query string parameter. | N/A |
+| {OIDC:Scope} |The `scope`  query string parameter. | openid |
+| {OIDC:Username}| The [resource owner password credentials flow](add-ropc-policy.md) user's username.| [email protected]|
 
-### OAuth2 key-value parameters
+## OAuth2 key-value parameters
 
 Any parameter name included as part of an OIDC or OAuth2 request can be mapped to a claim in the user journey. For example, the request from the application might include a query string parameter with a name of `app_session`, `loyalty_number`, or any custom query string.
 
@@ -105,15 +111,9 @@ Any parameter name included as part of an OIDC or OAuth2 request can be mapped t
 | {OAUTH-KV:loyalty_number} | A query string parameter. | 1234 |
 | {OAUTH-KV:any custom query string} | A query string parameter. | N/A |
 
-### OAuth2
-
-| Claim | Description | Example |
-| ----- | ----------------------- | --------|
-| {oauth2:access_token} | The access token. | N/A |
-| {oauth2:refresh_token} | The refresh token. | N/A |
-
+## SAML
 
-### SAML
+The following table lists the claim resolvers  with information about the SAML authorization request:
 
 | Claim | Description | Example |
 | ----- | ----------- | --------|
@@ -125,6 +125,16 @@ Any parameter name included as part of an OIDC or OAuth2 request can be mapped t
 | {SAML:ProviderName} | The `ProviderName` attribute value, from the `AuthnRequest` element of the SAML request.| Contoso.com |
 | {SAML:RelayState} | The `RelayState` query string parameter.| 
 | {SAML:Subject} | The `Subject` from the NameId element of the SAML AuthN request.| 
+| {SAML:Binding} | The `ProtocolBinding` attribute value, from the `AuthnRequest` element of the SAML request. | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
+
+## OAuth2 identity provider
+
+The following table lists the [OAuth2 identity provider](oauth2-technical-profile.md) claim resolvers:
+
+| Claim | Description | Example |
+| ----- | ----------------------- | --------|
+| {oauth2:access_token} | The access token. | N/A |
+| {oauth2:refresh_token} | The refresh token. | N/A |
 
 ## Using claim resolvers
 

articles/active-directory/develop/tutorial-v2-nodejs-console.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: tutorial
-ms.date: 02/17/2021
+ms.date: 12/12/2021
 ms.author: marsma
 ---
 
@@ -45,63 +45,75 @@ Use the following settings for your app registration:
 
 ## Create the project
 
-Create a folder to host your application, for example *NodeConsoleApp*.
 
-1. First, change to your project directory in your terminal and then run the following NPM commands:
+1. Start by creating a directory for this Node.js tutorial project. For example, *NodeConsoleApp*.
 
-```console
+1. In your terminal, change into the directory you created (the project root), and then run the following commands:
+
+    ```console
     npm init -y
     npm install --save dotenv yargs axios @azure/msal-node
-```
+    ```
 
-2. Next, create a folder named *bin*. Then, inside this folder, create file named *index.js* and add the following code:
+1. Next, edit the *package.json* file in the project root and prefix the value of `main` with `bin/`, like this:
 
-```JavaScript
-#!/usr/bin/env node
+    ```json
+    "main": "bin/index.js",
+    ```
 
-// read in env settings
-require('dotenv').config();
+1. Now create the *bin* directory, and inside *bin*, add the following code to a new file named *index.js*:
 
-const yargs = require('yargs');
+    ```JavaScript
+    #!/usr/bin/env node
 
-const fetch = require('./fetch');
-const auth = require('./auth');
+    // read in env settings
+    require('dotenv').config();
 
-const options = yargs
-    .usage('Usage: --op <operation_name>')
-    .option('op', { alias: 'operation', describe: 'operation name', type: 'string', demandOption: true })
-    .argv;
+    const yargs = require('yargs');
 
-async function main() {
-    console.log(`You have selected: ${options.op}`);
+    const fetch = require('./fetch');
+    const auth = require('./auth');
 
-    switch (yargs.argv['op']) {
-        case 'getUsers':
+    const options = yargs
+        .usage('Usage: --op <operation_name>')
+        .option('op', { alias: 'operation', describe: 'operation name', type: 'string', demandOption: true })
+        .argv;
 
-            try {
-                // here we get an access token
-                const authResponse = await auth.getToken(auth.tokenRequest);
+    async function main() {
+        console.log(`You have selected: ${options.op}`);
 
-                // call the web API with the access token
-                const users = await fetch.callApi(auth.apiConfig.uri, authResponse.accessToken);
+        switch (yargs.argv['op']) {
+            case 'getUsers':
 
-                // display result
-                console.log(users);
-            } catch (error) {
-                console.log(error);
-            }
+                try {
+                    // here we get an access token
+                    const authResponse = await auth.getToken(auth.tokenRequest);
 
-            break;
-        default:
-            console.log('Select a Graph operation first');
-            break;
-    }
-};
+                    // call the web API with the access token
+                    const users = await fetch.callApi(auth.apiConfig.uri, authResponse.accessToken);
 
-main();
-```
+                    // display result
+                    console.log(users);
+                } catch (error) {
+                    console.log(error);
+                }
+
+                break;
+            default:
+                console.log('Select a Graph operation first');
+                break;
+        }
+    };
+
+    main();
+    ```
+
+The *index.js* file you just created references two other node modules that you'll create next:
+
+- *auth.js* - Uses MSAL Node for acquiring access tokens from the Microsoft identity platform.
+- *fetch.js* - Requests data from the Microsoft Graph API by including access tokens (acquired in *auth.js*) in HTTP requests to the API.
 
-This file references two other node modules: *auth.js* which contains an implementation of MSAL Node for acquiring access tokens, and *fetch.js* which contains a method for making an HTTP request to Microsoft Graph API with an access token. After completing the rest of the tutorial, the file and folder structure of your project should look similar to the following:
+At the end of the tutorial, your project's file and directory structure should look similar to this:
 
 ```
 NodeConsoleApp/
@@ -115,7 +127,7 @@ NodeConsoleApp/
 
 ## Add authentication logic
 
-Inside the *bin* folder, create another file named *auth.js* and add the following code for acquiring an access token to present when calling the Microsoft Graph API.
+Inside the *bin* directory, add the following code to a new file named *auth.js*. The code in *auth.js* acquires an access token from the Microsoft identity platform for including in Microsoft Graph API requests.
 
 ```JavaScript
 const msal = require('@azure/msal-node');
@@ -128,7 +140,7 @@ const msal = require('@azure/msal-node');
 const msalConfig = {
     auth: {
         clientId: process.env.CLIENT_ID,
-        authority: process.env.AAD_ENDPOINT + process.env.TENANT_ID,
+        authority: process.env.AAD_ENDPOINT + '/' + process.env.TENANT_ID,
         clientSecret: process.env.CLIENT_SECRET,
     }
 };

articles/active-directory/fundamentals/security-operations-applications.md

@@ -207,7 +207,7 @@ Alert any time these changes are detected outside of approved change management
 
 The following are links to useful resources:
 
-* Github Azure AD toolkit - [https://github.com/microsoft/AzureADToolkit](https://github.com/microsoft/AzureADToolkit)
+* GitHub Azure AD toolkit - [https://github.com/microsoft/AzureADToolkit](https://github.com/microsoft/AzureADToolkit)
 
 * Azure Key Vault security overview and security guidance - [Azure Key Vault security overview](../../key-vault/general/security-features.md)
 

articles/active-directory/hybrid/how-to-connect-install-custom.md

@@ -347,7 +347,7 @@ When you select the domain that you want to federate, Azure AD Connect provides
 
 ## Configuring federation with PingFederate
 You can configure PingFederate with Azure AD Connect in just a few clicks. The following prerequisites are required:
-- PingFederate 8.4 or later.  For more information, see [PingFederate integration with Azure Active Directory and Microsoft 365](https://docs.pingidentity.com/bundle/O365IG20_sm_integrationGuide/page/O365IG_c_integrationGuide.html).
+- PingFederate 8.4 or later.  For more information, see [PingFederate integration with Azure Active Directory and Microsoft 365](https://docs.pingidentity.com/bundle/pingfederate-azuread-office365-integration/).
 - A TLS/SSL certificate for the federation service name that you intend to use (for example, sts.contoso.com).
 
 ### Verify the domain

articles/active-directory/hybrid/tshoot-connect-sync-errors.md

@@ -218,7 +218,8 @@ Below are some examples which demonstrate the different weighs of attributes lik
 3. If a similar synchronized user with 10 UserCertificates plus for instance 4 subscriptions assigned (with all Service Plans enabled), the maximum number of ProxyAddresses decreases to 311.
 4. Now let’s take the above user which already holds the maximum number of ProxyAddresses, and say you need to add 1 more smtp address - to achieve 312 ProxyAddresses you would need to remove at least 3 UserCertificates (depending on the size of the certificate).
 
-> [NOTE] These numbers can vary slightly. As a rule of thumb, it is safer to assume that the limit of smtp addresses in ProxyAddresses is approximately 300 addresses to leave the room for the future growth of the object and its populated attributes. 
+>[!NOTE]
+> These numbers can vary slightly. As a rule of thumb, it is safer to assume that the limit of smtp addresses in ProxyAddresses is approximately 300 addresses to leave the room for the future growth of the object and its populated attributes. 
 
 ### How to fix
 

articles/active-directory/privileged-identity-management/pim-deployment-plan.md

@@ -1,5 +1,5 @@
 ---
-title: Plan a Privileged Identity Management deployment? - Azure AD | Microsoft Docs
+title: Plan a Privileged Identity Management deployment - Azure AD | Microsoft Docs
 description: Learn how to deploy Privileged Identity Management (PIM) in your Azure AD organization.
 services: active-directory
 documentationcenter: ''
@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: pim
 ms.topic: conceptual
-ms.date: 11/23/2021
+ms.date: 12/10/2021
 ms.author: curtand
 ms.reviewer: shaunliu
 ms.custom: pim

articles/active-directory/roles/TOC.yml

@@ -80,7 +80,7 @@
       href: admin-units-add-manage-users.md
     - name: Add and manage groups
       href: admin-units-add-manage-groups.md
-    - name: Assign a role with scope
+    - name: Assign roles with scope
       href: admin-units-assign-roles.md
   - name: Delegate
     items: