Merge branch 'main' into auth-migration

Author: Justinha

articles/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility.md

@@ -269,7 +269,7 @@ Following the steps below will delete your existing customappsso job and create
 
 11. In the results of the last step, copy the full "ID" string that begins with "scim". Optionally, reapply your old attribute-mappings by running the command below, replacing [new-job-id] with the new job ID you copied, and entering the JSON output from step #7 as the request body.
 
- `POST https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs/[new-job-id]/schema`
+ `PUT https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronization/jobs/[new-job-id]/schema`
  `{   <your-schema-json-here>   }`
 
 12. Return to the first web browser window, and select the **Provisioning** tab for your application.

articles/active-directory/authentication/concept-authentication-methods-manage.md

@@ -38,9 +38,6 @@ To manage the Authentication methods policy, click **Security** > **Authenticati
 
 Only the [converged registration experience](concept-registration-mfa-sspr-combined.md) is aware of the Authentication methods policy. Users in scope of the Authentication methods policy but not the converged registration experience won't see the correct methods to register.
 
->[!NOTE]
->Some pieces of the Authentication methods policy experience are in preview. This includes management of Email OTP, third party software OATH tokens, SMS, and voice call as noted in the portal. Also, use of the authentication methods policy alone with the legacy MFA and SSPR polices disabled is a preview experience.
-
 ## Legacy MFA and SSPR policies
 
 Two other policies, located in **Multifactor authentication** settings and **Password reset** settings, provide a legacy way to manage some authentication methods for all users in the tenant. You can't control who uses an enabled authentication method, or how the method can be used. A [Global Administrator](../roles/permissions-reference.md#global-administrator) is needed to manage these policies. 
@@ -76,7 +73,7 @@ For users who are enabled for **Mobile phone** for SSPR, the independent control
 
 Similarly, let's suppose you enable **Voice calls** for a group. After you enable it, you find that even users who aren't group members can sign-in with a voice call. In this case, it's likely those users are enabled for **Mobile phone** in the legacy SSPR policy or **Call to phone** in the legacy MFA policy.  
 
-## Migration between policies
+## Migration between policies 
 
 The Authentication methods policy provides a migration path toward unified administration of all authentication methods. All desired methods can be enabled in the Authentication methods policy. Methods in the legacy MFA and SSPR policies can be disabled. Migration has three settings to let you move at your own pace, and avoid problems with sign-in or SSPR during the transition. After migration is complete, you'll centralize control over authentication methods for both sign-in and SSPR in a single place, and the legacy MFA and SSPR policies will be disabled.
 
@@ -107,8 +104,7 @@ Tenants are set to either Pre-migration or Migration in Progress by default, dep
 > In the future, both of these features will be integrated with the Authentication methods policy.
 
 ## Known issues and limitations
-- Some customers may see the control to enable Voice call grayed out due to a licensing requirement, despite having a premium license. This is a known issue that we are actively working to fix.
-- As a part of the public preview we removed the ability to target individual users. Previously targeted users will remain in the policy but we recommend moving them to a targeted group.
+- In recent updates we removed the ability to target individual users. Previously targeted users will remain in the policy but we recommend moving them to a targeted group.
 
 ## Next steps
 

articles/active-directory/authentication/concept-sspr-howitworks.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 01/29/2023
+ms.date: 03/22/2023
 
 ms.author: justinha
 author: justinha
@@ -165,7 +165,7 @@ To improve awareness of password events, SSPR lets you configure notifications f
 
 ### Notify users on password resets
 
-If this option is set to **Yes**, users resetting their password receive an email notifying them that their password has been changed. The email is sent via the SSPR portal to their primary and alternate email addresses that are stored in Azure AD. No one else is notified of the reset event.
+If this option is set to **Yes**, users resetting their password receive an email notifying them that their password has been changed. The email is sent via the SSPR portal to their primary and alternate email addresses that are stored in Azure AD. If no primary or alternate email address is defined SSPR will attempt email notification via the users User Principal Name (UPN). No one else is notified of the reset event.
 
 ### Notify all admins when other admins reset their passwords
 

articles/active-directory/develop/msal-error-handling-python.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 11/26/2020
+ms.date: 03/16/2023
 ms.author: dmwendia
 ms.reviewer: saeeda, rayluo
 ms.custom: aaddev
@@ -25,9 +25,34 @@ In MSAL for Python, most errors are conveyed as a return value from the API call
 * A successful response contains the `"access_token"` key. The format of the response is defined by the OAuth2 protocol. For more information, see [5.1 Successful Response](https://tools.ietf.org/html/rfc6749#section-5.1)
 * An error response contains `"error"` and usually `"error_description"`. The format of the response is defined by the OAuth2 protocol. For more information, see [5.2 Error Response](https://tools.ietf.org/html/rfc6749#section-5.2)
 
-When an error is returned, the `"error_description"` key contains a human-readable message; which in turn typically contains a Microsoft identity platform error code. For details about the various error codes, see [Authentication and authorization error codes](./reference-aadsts-error-codes.md).
+When an error is returned, the `"error"` key contains a machine-readable code. If the `"error"` is, for example, an `"interaction_required"`, you may prompt the user to provide additional information to complete the authentication process. If the `"error"` is `"invalid_grant"`, you may prompt the user to reenter their credentials. The following snippet is an example of error handling in MSAL for Python.
 
-In MSAL for Python, exceptions are rare because most errors are handled by returning an error value. The `ValueError` exception is only thrown when there is an issue with how you are attempting to use the library, such as when API parameter(s) are malformed.
+```python
+
+from msal import ConfidentialClientApplication
+
+authority_url = "https://login.microsoftonline.com/your_tenant_id"
+client_id = "your_client_id"
+client_secret = "your_client_secret"
+scopes = ["https://graph.microsoft.com/.default"]
+
+app = ConfidentialClientApplication(client_id, authority=authority_url, client_credential=client_secret)
+
+result = app.acquire_token_silent(scopes=scopes, account=None)
+
+if not result:
+    result = app.acquire_token_silent(scopes=scopes)
+
+if "access_token" in result:
+    print("Access token: %s" % result["access_token"])
+else:
+    print("Error: %s" % result.get("error"))
+
+```
+
+When an error is returned, the `"error_description"` key also contains a human-readable message, and there is typically also an `"error_code"` key which contains a machine-readable Microsoft identity platform error code. For more information about the various Microsoft identity platform error codes, see [Authentication and authorization error codes](./reference-aadsts-error-codes.md).
+
+In MSAL for Python, exceptions are rare because most errors are handled by returning an error value. The `ValueError` exception is only thrown when there's an issue with how you're attempting to use the library, such as when API parameter(s) are malformed.
 
 [!INCLUDE [Active directory error handling claims challenges](../../../includes/active-directory-develop-error-handling-claims-challenges.md)]
 

articles/app-service/includes/tutorial-connect-app-app-clean.md

@@ -0,0 +1,32 @@
+---
+services: storage, app-service-web
+author: rwike77
+manager: CelesteDG
+ms.service: app-service
+ms.topic: include
+ms.workload: identity
+ms.date: 03/09/2023
+ms.author: ryanwi
+ms.reviewer: stsoneff
+ms.devlang: azurecli
+ms.custom: azureday1
+ms.subservice: web-apps
+---
+
+In the preceding steps, you created Azure resources in a resource group. 
+
+1. Delete the resource group by running the following command in the Cloud Shell. This command may take a minute to run.
+
+
+    ```azurecli-interactive
+    az group delete --name myAuthResourceGroup
+    ```
+
+
+1. Use the authentication apps' **Client ID**, you previously found and made note of in the `Enable authentication and authorization` sections for the backend and frontend apps.
+1. Delete app registrations for both frontend and backend apps.
+
+    ```azurecli-interactive
+    # delete app - do this for both frontend and backend client ids
+    az ad app delete <client-id>
+    ```

articles/app-service/media/tutorial-connect-app-app-graph-javascript/architecture-app-to-app-to-graph.png

@@ -124,8 +124,8 @@
               href: tutorial-connect-app-access-microsoft-graph-as-user-javascript.md
         - name: App to app authentication
           href: tutorial-auth-aad.md
-
-
+        - name: App to app to another Azure service
+          href: tutorial-connect-app-app-graph-javascript.md
     - name: Isolate network traffic
       href: tutorial-networking-isolate-vnet.md
     - name: Host a RESTful API