Merge branch 'main' into release-asr-edge-zone

Author: v-alje

.openpublishing.redirection.active-directory.json

@@ -45,6 +45,11 @@
       "redirect_url": "/azure/active-directory/saas-apps/tutorial-list",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/saas-apps/iauditor-tutorial.md",
+      "redirect_url": "/azure/active-directory/saas-apps/safety-culture-tutorial",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/saas-apps/icertisicm-tutorial.md",
       "redirect_url": "/azure/active-directory/saas-apps/tutorial-list",

.openpublishing.redirection.defender-for-cloud.json

@@ -764,6 +764,11 @@
             "source_path_from_root": "/articles/defender-for-cloud/plan-multicloud-security-other-resources.md",
             "redirect_url": "/azure/defender-for-cloud/multicloud",
             "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/defender-for-cloud/defender-for-servers-introduction.md",
+            "redirect_url": "/azure/defender-for-cloud/plan-defender-for-servers",
+            "redirect_document_id": true
         }
       ]
 }

articles/active-directory/conditional-access/terms-of-use.md

@@ -413,7 +413,7 @@ A: You can [review previously accepted terms of use policies](#how-users-can-rev
 A: If you've configured both Azure AD terms of use and [Intune terms and conditions](/intune/terms-and-conditions-create), the user will be required to accept both. For more information, see the [Choosing the right Terms solution for your organization blog post](https://go.microsoft.com/fwlink/?linkid=2010506&clcid=0x409).
 
 **Q: What endpoints does the terms of use service use for authentication?**<br />
-A: Terms of use utilize the following endpoints for authentication: https://tokenprovider.termsofuse.identitygovernance.azure.com and https://account.activedirectory.windowsazure.com. If your organization has an allowlist of URLs for enrollment, you'll need to add these endpoints to your allowlist, along with the Azure AD endpoints for sign-in.
+A: Terms of use utilize the following endpoints for authentication: https://tokenprovider.termsofuse.identitygovernance.azure.com, https://myaccount.microsoft.com and https://account.activedirectory.windowsazure.com. If your organization has an allowlist of URLs for enrollment, you'll need to add these endpoints to your allowlist, along with the Azure AD endpoints for sign-in.
 
 ## Next steps
 

articles/active-directory/develop/msal-android-shared-devices.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 09/30/2021
+ms.date: 12/06/2022
 ms.author: henrymbugua
 ms.reviewer: brandwe
 ms.custom: aaddev, identitypla | Azuretformtop40
@@ -93,8 +93,14 @@ If your application is running in multiple-account mode, and an administrator pu
 
 These Microsoft applications support Azure AD's shared device mode:
 
-* [Microsoft Teams](/microsoftteams/platform/)
-* [Microsoft Managed Home Screen](/mem/intune/apps/app-configuration-managed-home-screen-app) app for Android Enterprise
+- [Microsoft Teams](/microsoftteams/platform/)
+- [Microsoft Managed Home Screen](/mem/intune/apps/app-configuration-managed-home-screen-app) app for Android Enterprise
+- [Microsoft Edge](/microsoft-edge) (in Public Preview)
+- [Yammer](/yammer) (in Public Preview)
+
+> [!IMPORTANT]
+> Public preview is provided without a service-level agreement and isn't recommended for production workloads. Some features might be unsupported or have constrained capabilities. For more information, see [Supplemental terms of use for Microsoft Azure previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
 ## Shared device sign-out and the overall app lifecycle
 
 When a user signs out, you'll need to take action to protect the privacy and data of the user. For example, if you're building a medical records app you'll want to make sure that when the user signs out previously displayed patient records are cleared. Your application must be prepared for data privacy and check every time it enters the foreground.

articles/active-directory/develop/msal-net-token-cache-serialization.md

@@ -548,149 +548,7 @@ A product-quality, file-based token cache serializer for public client applicati
 
 #### Dual token cache serialization (MSAL unified cache and ADAL v3)
 
-If you want to implement token cache serialization with the unified cache format (common to ADAL.NET 4.x, MSAL.NET 2.x, and other MSALs of the same generation or older, on the same platform), take a look at the following code:
-
-```csharp
-string appLocation = Path.GetDirectoryName(Assembly.GetEntryAssembly().Location;
-string cacheFolder = Path.GetFullPath(appLocation) + @"..\..\..\..");
-string adalV3cacheFileName = Path.Combine(cacheFolder, "cacheAdalV3.bin");
-string unifiedCacheFileName = Path.Combine(cacheFolder, "unifiedCache.bin");
-
-IPublicClientApplication app;
-app = PublicClientApplicationBuilder.Create(clientId)
-                                    .Build();
-FilesBasedTokenCacheHelper.EnableSerialization(app.UserTokenCache,
-                                               unifiedCacheFileName,
-                                               adalV3cacheFileName);
-
-```
-
-This time, the helper class is defined as:
-
-```csharp
-using System;
-using System.IO;
-using System.Security.Cryptography;
-using Microsoft.Identity.Client;
-
-namespace CommonCacheMsalV3
-{
- /// <summary>
- /// Simple persistent cache implementation of the dual cache serialization (ADAL v3 legacy
- /// and unified cache format) for a desktop applications (from MSAL 2.x)
- /// </summary>
- static class FilesBasedTokenCacheHelper
- {
-  /// <summary>
-  /// Enables the serialization of the token cache
-  /// </summary>
-  /// <param name="adalV3CacheFileName">File name where the cache is serialized with the
-  /// ADAL v3 token cache format. Can
-  /// be <c>null</c> if you don't want to implement the legacy ADAL v3 token cache
-  /// serialization in your MSAL 2.x+ application</param>
-  /// <param name="unifiedCacheFileName">File name where the cache is serialized
-  /// with the unified cache format, common to
-  /// ADAL v4 and MSAL v2 and later, and also across ADAL/MSAL on the same platform.
-  ///  Should not be <c>null</c></param>
-  /// <returns></returns>
-  public static void EnableSerialization(ITokenCache tokenCache, string unifiedCacheFileName, string adalV3CacheFileName)
-  {
-   UnifiedCacheFileName = unifiedCacheFileName;
-   AdalV3CacheFileName = adalV3CacheFileName;
-
-   tokenCache.SetBeforeAccess(BeforeAccessNotification);
-   tokenCache.SetAfterAccess(AfterAccessNotification);
-  }
-
-  /// <summary>
-  /// File path where the token cache is serialized with the unified cache format
-  /// (ADAL.NET v4, MSAL.NET v3)
-  /// </summary>
-  public static string UnifiedCacheFileName { get; private set; }
-
-  /// <summary>
-  /// File path where the token cache is serialized with the legacy ADAL v3 format
-  /// </summary>
-  public static string AdalV3CacheFileName { get; private set; }
-
-  private static readonly object FileLock = new object();
-
-  public static void BeforeAccessNotification(TokenCacheNotificationArgs args)
-  {
-   lock (FileLock)
-   {
-    args.TokenCache.DeserializeAdalV3(ReadFromFileIfExists(AdalV3CacheFileName));
-    try
-    {
-     args.TokenCache.DeserializeMsalV3(ReadFromFileIfExists(UnifiedCacheFileName));
-    }
-    catch(Exception ex)
-    {
-     // Compatibility with the MSAL v2 cache if you used one
-     args.TokenCache.DeserializeMsalV2(ReadFromFileIfExists(UnifiedCacheFileName));
-    }
-   }
-  }
-
-  public static void AfterAccessNotification(TokenCacheNotificationArgs args)
-  {
-   // if the access operation resulted in a cache update
-   if (args.HasStateChanged)
-   {
-    lock (FileLock)
-    {
-     WriteToFileIfNotNull(UnifiedCacheFileName, args.TokenCache.SerializeMsalV3());
-     if (!string.IsNullOrWhiteSpace(AdalV3CacheFileName))
-     {
-      WriteToFileIfNotNull(AdalV3CacheFileName, args.TokenCache.SerializeAdalV3());
-     }
-    }
-   }
-  }
-
-  /// <summary>
-  /// Read the content of a file if it exists
-  /// </summary>
-  /// <param name="path">File path</param>
-  /// <returns>Content of the file (in bytes)</returns>
-  private static byte[] ReadFromFileIfExists(string path)
-  {
-   byte[] protectedBytes = (!string.IsNullOrEmpty(path) && File.Exists(path))
-       ? File.ReadAllBytes(path) : null;
-   byte[] unprotectedBytes = encrypt ?
-       ((protectedBytes != null) ? ProtectedData.Unprotect(protectedBytes, null, DataProtectionScope.CurrentUser) : null)
-       : protectedBytes;
-   return unprotectedBytes;
-  }
-
-  /// <summary>
-  /// Writes a blob of bytes to a file. If the blob is <c>null</c>, deletes the file
-  /// </summary>
-  /// <param name="path">path to the file to write</param>
-  /// <param name="blob">Blob of bytes to write</param>
-  private static void WriteToFileIfNotNull(string path, byte[] blob)
-  {
-   if (blob != null)
-   {
-    byte[] protectedBytes = encrypt
-      ? ProtectedData.Protect(blob, null, DataProtectionScope.CurrentUser)
-      : blob;
-    File.WriteAllBytes(path, protectedBytes);
-   }
-   else
-   {
-    File.Delete(path);
-   }
-  }
-
-  // Change if you want to test with an unencrypted blob (this is a JSON format)
-  private static bool encrypt = true;
- }
-}
-```
-
-For more details see the sample: https://github.com/Azure-Samples/active-directory-dotnet-v1-to-v2/tree/master/TokenCacheMigration/ADAL2MSAL
-
+If you want to implement token cache serialization with the unified cache format (common to ADAL.NET 4.x, MSAL.NET 2.x, and other MSALs of the same generation or older, on the same platform), take a look at the following sample: https://github.com/Azure-Samples/active-directory-dotnet-v1-to-v2/tree/master/TokenCacheMigration/ADAL2MSAL.
 
 ---
 

articles/active-directory/develop/msal-shared-devices.md

@@ -17,24 +17,17 @@ ms.custom: aaddev
 
 # Overview of shared device mode
 
-Shared device mode is a feature of Azure Active Directory that allows you to build applications that support frontline workers and enable shared device mode on the devices deployed to them.
+Shared device mode is a feature of Azure Active Directory(Azure AD) that allows you to build and deploy applications that support frontline workers and educational scenarios that require shared Android and iOS devices.
 
 >[!IMPORTANT]
 > Shared device mode for iOS [!INCLUDE [PREVIEW BOILERPLATE](../../../includes/active-directory-develop-preview.md)]
 
-## What are frontline workers?
-
-Frontline workers are retail employees, maintenance and field agents, medical personnel, and other users that don't sit in front of a computer or use corporate email for collaboration. The following sections introduce the aspects and challenges of supporting frontline workers, followed by an introduction to the features provided by Microsoft that enable your application for use by an organization's frontline workers.
-
-### Challenges of supporting frontline workers
-
-Enabling frontline worker workflows includes challenges not usually presented by typical information workers. Such challenges can include high turnover rate and less familiarity with an organization's core productivity tools. To empower their frontline workers, organizations are adopting different strategies. Some are adopting a bring-your-own-device (BYOD) strategy in which their employees use business apps on their personal phone, while others provide their employees with shared devices like iPads or Android tablets.
 
 ### Supporting multiple users on devices designed for one user
 
 Because mobile devices running iOS or Android were designed for single users, most applications optimize their experience for use by a single user. Part of this optimized experience means enabling single sign-on across applications and keeping users signed in on their device. When a user removes their account from an application, the app typically doesn't consider it a security-related event. Many apps even keep a user's credentials around for quick sign-in. You may even have experienced this yourself when you've deleted an application from your mobile device and then reinstalled it, only to discover you're still signed in.
 
-### Global sign-in and sign-out (SSO)
+### Automatic single sign-in and single sign-out
 
 To allow an organization's employees to use its apps across a pool of devices shared by those employees, developers need to enable the opposite experience. Employees should be able to pick a device from the pool and perform a single gesture to "make it theirs" for the duration of their shift. At the end of their shift, they should be able to perform another gesture to sign out globally on the device, with all their personal and company information removed so they can return it to the device pool. Furthermore, if an employee forgets to sign out, the device should be automatically signed out at the end of their shift and/or after a period of inactivity.
 
@@ -45,7 +38,7 @@ Azure Active Directory enables these scenarios with a feature called **shared de
 As mentioned, shared device mode is a feature of Azure Active Directory that enables you to:
 
 * Build applications that support frontline workers
-* Deploy devices to frontline workers and turn on shared device mode
+* Deploy devices to frontline workers with apps that support shared device mode.
 
 ### Build applications that support frontline workers
 
@@ -60,7 +53,11 @@ Supported features are:
 
 Supporting shared device mode should be considered a feature upgrade for your application, and can help increase its adoption in environments where the same device is used among multiple users.
 
-Your users depend on you to ensure their data isn't leaked to another user. Share Device Mode provides helpful signals to indicate to your application that a change you should manage has occurred. Your application is responsible for checking the state of the user on the device every time the app is used, clearing the previous user's data. This includes if it is reloaded from the background in multi-tasking. On a user change, you should ensure both the previous user's data is cleared and that any cached data being displayed in your application is removed. We recommend you always perform a thorough security review process after adding shared device mode capability to your app.
+Your users depend on you to ensure their data isn't leaked to another user. Share Device Mode provides helpful signals to indicate to your application that a change you should manage has occurred. Your application is responsible for checking the state of the user on the device every time the app is used, clearing the previous user's data. This includes if it is reloaded from the background in multi-tasking. On a user change, you should ensure both the previous user's data is cleared and that any cached data being displayed in your application is removed.
+
+To support all data loss prevention scenarios, we also recommend you integrate with the [Intune App SDK](/mem/intune/developer/app-sdk). By using the Intune App SDK, you can allow your application to support Intune [App Protection Policies](/mem/intune/apps/app-protection-policy). In particular, we recommend that you integrate with Intune's [selective wipe](/mem/intune/developer/app-sdk-android-phase5#selective-wipe) capabilities and [deregister the user on iOS](/mem/intune/developer/app-sdk-ios#deregister-user-accounts) during a sign-out.
+
+Lastly, we recommend you always perform a thorough security review process after adding shared device mode capability to your app.
 
 For details on how to modify your applications to support shared device mode, see the [Next steps](#next-steps) section at the end of this article.
 
@@ -70,6 +67,11 @@ Once your applications support shared device mode and include the required data
 
 An organization's device administrators are able to deploy their devices and your applications to their stores and workplaces through a mobile device management (MDM) solution like Microsoft Intune. Part of the provisioning process is marking the device as a *Shared Device*. Administrators configure shared device mode by deploying the [Microsoft Authenticator app](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) and setting shared device mode through configuration parameters. After performing these steps, all applications that support shared device mode will use the Microsoft Authenticator application to manage its user state and provide security features for the device and organization.
 
+### Use App Protection Policies to provide data loss prevention between users.
+For data protection capabilities along with shared device mode, Microsoft’s supported data protection solution for Microsoft 365 applications on Android and iOS is Microsoft Intune Application Protection Policies. For more information about the policies, see [App protection policies overview - Microsoft Intune | Microsoft Learn](/mem/intune/apps/app-protection-policy).
+
+When setting up App protection policies for shared devices, we recommend using [level 2 enterprise enhanced data protection](/mem/intune/apps/app-protection-framework#level-2-enterprise-enhanced-data-protection). With level 2 data protection, you can restrict data transfer scenarios that may cause data to move to parts of the device that are not cleared with shared device mode.
+
 ## Next steps
 
 We support iOS and Android platforms for shared device mode. Review the documentation below for your platform to begin supporting frontline workers in your applications.

articles/active-directory/external-identities/reset-redemption-status.md

@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 11/28/2022
+ms.date: 12/07/2022
 
 ms.author: mimart
 author: msmimart
@@ -32,7 +32,7 @@ To manage these scenarios previously, you had to manually delete the guest user
 
 To reset a user's redemption status, you'll need one of the following roles:
 
-- [Guest Inviter](../roles/permissions-reference.md#guest-inviter) (least privileged)
+- [Helpdesk Administrator](../roles/permissions-reference.md#helpdesk-administrator) (least privileged)
 - [User Administrator](../roles/permissions-reference.md#user-administrator)
 - [Global Administrator](../roles/permissions-reference.md#global-administrator)
 
@@ -76,7 +76,7 @@ If a user wants to sign in using a different email:
 
 ```powershell
 Install-Module Microsoft.Graph
-Select-MgProfile -Name beta
+Select-MgProfile -Name v1.0
 Connect-MgGraph -Scopes "User.ReadWrite.All"
 
 $user = Get-MgUser -Filter "startsWith(mail, '[email protected]')"
@@ -93,7 +93,7 @@ New-MgInvitation `
 To use the [Microsoft Graph invitation API](/graph/api/resources/invitation), set the `resetRedemption` property  to `true` and specify the new email address in the `invitedUserEmailAddress` property.
 
 ```json
-POST https://graph.microsoft.com/beta/invitations  
+POST https://graph.microsoft.com/v1.0/invitations  
 Authorization: Bearer eyJ0eX...  
 ContentType: application/json  
 {  

articles/active-directory/fundamentals/recoverability-overview.md

@@ -10,7 +10,7 @@ ms.subservice: fundamentals
 ms.topic: conceptual
 ms.date: 08/26/2022
 ms.author: jricketts
-ms.reviewer: baselden
+ms.reviewer: jricketts
 ms.custom: "it-pro, seodec18"
 ms.collection: M365-identity-device-management
 ---