Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into 1414791-clean-up-broken-azure-docs-pr-links-9-30

Author: john-par

.openpublishing.redirection.json

@@ -42115,6 +42115,21 @@
       "source_path": "articles/cloudfoundry/use-osba-pcf-app.md",
       "redirect_url": "/azure/cloudfoundry",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/security/compliance/azure-services-in-fedramp-auditscope.md",
+      "redirect_url": "/azure/azure-government/compliance/azure-services-in-fedramp-auditscope",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/security/compliance/compliance-tic.md",
+      "redirect_url": "/azure/azure-government/compliance/compliance-tic",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/security/compliance/secure-azure-computing-architecture.md",
+      "redirect_url": "/azure/azure-government/compliance/secure-azure-computing-architecture",
+      "redirect_document_id": false
     }
   ]
 }

articles/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet.md

@@ -45,19 +45,11 @@ To use the Azure AD Graph API with your B2C tenant, you need to register an appl
 
 ### Assign API access permissions
 
-1. On the **Registered app** overview page, select **Settings**.
-1. Under **API ACCESS**, select **Required permissions**.
-1. Select **Windows Azure Active Directory**.
-1. Under **APPLICATION PERMISSIONS**, select **Read and write directory data**.
-1. Select **Save**.
-1. Select **Grant permissions**, and then select **Yes**. It might take a few minutes to for the permissions to fully propagate.
+[!INCLUDE [active-directory-b2c-permissions-directory](../../includes/active-directory-b2c-permissions-directory.md)]
 
 ### Create client secret
 
-1. Under **API ACCESS**, select **Keys**.
-1. Enter a description for the key in the **Key description** box. For example, *Management Key*.
-1. Select a validity **Duration** and then select **Save**.
-1. Record the key's **VALUE**. You use this value for configuration in a later step.
+[!INCLUDE [active-directory-b2c-client-secret](../../includes/active-directory-b2c-client-secret.md)]
 
 You now have an application that has permission to *create*, *read*, and *update* users in your Azure AD B2C tenant. Continue to the next section to add user *delete* and *password update* permissions.
 

articles/active-directory-b2c/active-directory-b2c-reference-audit-logs.md

@@ -108,10 +108,7 @@ Follow these steps register an application, grant it the required Microsoft Grap
 
 ### Create client secret
 
-1. Under **API ACCESS**, select **Keys**.
-1. Enter a description for the key in the **Key description** box. For example, *Audit Log Key*.
-1. Select a validity **Duration**, then select **Save**.
-1. Record the key's **VALUE**. You need this value for authentication in automation scripts like the example PowerShell script shown in a later section.
+[!INCLUDE [active-directory-b2c-client-secret](../../includes/active-directory-b2c-client-secret.md)]
 
 You now have an application with the required API access, an application ID, and a key that you can use in your automation scripts. See the PowerShell script section later in this article for an example of how you can get activity events with a script.
 

articles/active-directory-b2c/active-directory-b2c-user-migration.md

@@ -55,22 +55,13 @@ First, register an application that you can use for management tasks like user m
 
 Next, grant the application the Azure AD Graph API permissions required for writing to the directory.
 
-1. In the **Settings** menu, select **Required permissions**.
-1. Select **Windows Azure Active Directory**.
-1. In the **Enable Access** pane, under **Application Permissions**, select **Read and write directory data**, and then select **Save**.
-1. In the **Required permissions** pane, select **Grant Permissions**, then select **Yes**.
-
-   ![Read/write directory checkbox, Save, and Grant permissions highlighted](media/active-directory-b2c-user-migration/pre-migration-app-registration-permissions.png)
+[!INCLUDE [active-directory-b2c-permissions-directory](../../includes/active-directory-b2c-permissions-directory.md)]
 
 ### Step 1.3: Create the application secret
 
 Create a client secret (key) for use by the user migration application that you configure in a later step.
 
-1. In the **Registered app** page, select **Settings**.
-1. Select **Keys**.
-1. Under **Passwords**, add a new key (also known as a client secret) named *MyClientSecret* or another name of your choosing, select an expiration window, select **Save**, and then copy the key value for later use.
-
-    ![Application ID value and Keys menu item highlighted in Azure portal](media/active-directory-b2c-user-migration/pre-migration-app-id-and-key.png)
+[!INCLUDE [active-directory-b2c-client-secret](../../includes/active-directory-b2c-client-secret.md)]
 
 Now you have an application with permissions to create, read, and update users in your Azure AD B2C tenant.
 

articles/active-directory-b2c/media/active-directory-b2c-user-migration/pre-migration-app-id-and-key.png

@@ -199,17 +199,17 @@ If you see the `401` status code, you've verified that only callers with a valid
 
 ## Support multiple applications and issuers
 
-Several applications typically interact with a single REST API. To allow multiple applications to call your API, add their application IDs to the `<audiences>` element in the APIM inbound policy.
+Several applications typically interact with a single REST API. To enable your API to accept tokens intended for multiple applications, add their application IDs to the `<audiences>` element in the APIM inbound policy.
 
 ```XML
-<!-- Accept requests from multiple applications -->
+<!-- Accept tokens intended for these recipient applications -->
 <audiences>
     <audience>44444444-0000-0000-0000-444444444444</audience>
     <audience>66666666-0000-0000-0000-666666666666</audience>
 </audiences>
 ```
 
-Similarly, to support multiple token issuers, add their endpoint URIs to the `<audiences>` element in the APIM inbound policy.
+Similarly, to support multiple token issuers, add their endpoint URIs to the `<issuers>` element in the APIM inbound policy.
 
 ```XML
 <!-- Accept tokens from multiple issuers -->

articles/active-directory-b2c/media/active-directory-b2c-user-migration/pre-migration-app-registration-permissions.png

@@ -276,6 +276,12 @@
         href: authentication-national-cloud.md
       - name: Authentication
         href: msal-national-cloud.md
+    - name: Automatic user provisioning (SCIM)
+      items:
+      - name: What is automatic user provisioning?
+        href: /azure/active-directory/manage-apps/user-provisioning
+      - name: Building and integrating a SCIM endpoint
+        href: /azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups
   - name: How-to guides
     items:
     - name: Authentication

articles/active-directory-b2c/secure-api-management.md

@@ -274,7 +274,7 @@ In web apps or web APIs the cache could leverage the session, a Redis cache, or
 
 In web apps or web APIs, keep one token cache per account.  For web apps, the token cache should be keyed by the account ID.  For web APIs, the account should be keyed by the hash of the token used to call the API. MSAL.NET provides custom token cache serialization in .NET Framework and .NET Core subplatforms. Events are fired when the cache is accessed, apps can choose whether to serialize or deserialize the cache. On confidential client applications that handle users (web apps that sign in users and call web APIs, and web APIs calling downstream web APIs), there can be many users and the users are processed in parallel. For security and performance reasons, our recommendation is to serialize one cache per user. Serialization events compute a cache key based on the identity of the processed user and serialize/deserialie a token cache for that user.
 
-Examples of how to use token caches for web apps and web APIs are available in the [ASP.NET Core web app tutorial](https://ms-identity-aspnetcore-webapp-tutorial) in the phase [2-2 Token Cache](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-2-TokenCache). For implementations have a look at the following folder [TokenCacheProviders](https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet/tree/master/src/Microsoft.Identity.Client.Extensions.Web/TokenCacheProviders) in the [microsoft-authentication-extensions-for-dotnet](https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet) library (in the [Microsoft.Identity.Client.Extensions.Web](https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet/tree/master/src/Microsoft.Identity.Client.Extensions.Web) folder. 
+Examples of how to use token caches for web apps and web APIs are available in the [ASP.NET Core web app tutorial](https://ms-identity-aspnetcore-webapp-tutorial) in the phase [2-2 Token Cache](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-2-TokenCache). For implementations have a look at the folder [TokenCacheProviders](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/Microsoft.Identity.Web/TokenCacheProviders) in the [microsoft-authentication-extensions-for-dotnet](https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet) library (in the [Microsoft.Identity.Client.Extensions.Web](https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet/tree/master/src/Microsoft.Identity.Client.Extensions.Web) folder. 
 
 ## Next steps
 The following samples illustrate token cache serialization.

articles/active-directory/develop/TOC.yml

@@ -12,7 +12,7 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 09/09/2019
+ms.date: 09/30/2019
 ms.author: jmprieur
 ms.custom: aaddev 
 #Customer intent: As an application developer, I want to know how to write a Web app that calls web APIs using the Microsoft identity platform for developers.
@@ -26,55 +26,55 @@ Now that you have built you client application object, you'll use it to acquire
 - Getting a token for the web API using the token cache. To get this token, you call `AcquireTokenSilent`.
 - Calling the protected API with the access token.
 
-## ASP.NET Core
+# [ASP.NET Core](#tab/aspnetcore)
 
 The controller methods are protected by an `[Authorize]` attribute that forces users being authenticated to use the Web App. Here is the code that calls Microsoft Graph.
 
 ```CSharp
 [Authorize]
 public class HomeController : Controller
 {
- ...
+ readonly ITokenAcquisition tokenAcquisition;
+
+ public HomeController(ITokenAcquisition tokenAcquisition)
+ {
+  this.tokenAcquisition = tokenAcquisition;
+ }
+
+ // Code for the controller actions(see code below)
+
 }
 ```
 
+The `ITokenAcquisition` service is injected by ASP.NET through dependency injection.
+
+
 Here is a simplified code of the action of the HomeController, which gets a token to call the Microsoft Graph.
 
 ```CSharp
 public async Task<IActionResult> Profile()
 {
- var application = BuildConfidentialClientApplication(HttpContext, HttpContext.User);
- string accountIdentifier = claimsPrincipal.GetMsalAccountId();
- string loginHint = claimsPrincipal.GetLoginHint();
-
- // Get the account
- IAccount account = await application.GetAccountAsync(accountIdentifier);
-
- // Special case for guest users as the Guest iod / tenant id are not surfaced.
- if (account == null)
- {
-  var accounts = await application.GetAccountsAsync();
-  account = accounts.FirstOrDefault(a => a.Username == loginHint);
- }
-
- AuthenticationResult result;
- result = await application.AcquireTokenSilent(new []{"user.read"}, account)
-                            .ExecuteAsync();
- var accessToken = result.AccessToken;
- ...
- // use the access token to call a web API
+ // Acquire the access token
+ string[] scopes = new string[]{"user.read"};
+ string accessToken = await tokenAcquisition.GetAccessTokenOnBehalfOfUserAsync(scopes);
+
+// use the access token to call a protected web API
+HttpClient client = new HttpClient();
+client.DefaultRequestHeaders.Add("Authorization", result.CreateAuthorizationHeader());
+string json = await client.GetStringAsync(url);
 }
 ```
 
 To understand more thoroughly the code required for this scenario, see the phase 2 ([2-1-Web App Calls Microsoft Graph](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-1-Call-MSGraph)) step of the [ms-identity-aspnetcore-webapp-tutorial](https://github.com/Azure-Samples/ms-identity-aspnetcore-webapp-tutorial) tutorial.
 
 There are many additional complexities, such as:
 
-- Implementing a token cache for the Web App (the tutorial presents several implementations)
-- Removing the account from the cache when the user signs out
-- Calling several APIs, including having incremental consent
+- Calling several APIs,
+- processing  incremental consent and conditional access.
 
-## ASP.NET
+These advanced steps are processed in chapter 3 of the tutorial [3-WebApp-multi-APIs](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/3-WebApp-multi-APIs)
+
+# [ASP.NET](#tab/aspnet)
 
 Things are similar in ASP.NET:
 
@@ -84,6 +84,68 @@ Things are similar in ASP.NET:
 
 The code is similar to the code shown for ASP.NET Core.
 
+# [Java](#tab/java)
+
+In the Java sample, the code that calls an API is in the getUsersFromGraph method [AuthPageController.java#L62](https://github.com/Azure-Samples/ms-identity-java-webapp/blob/d55ee4ac0ce2c43378f2c99fd6e6856d41bdf144/src/main/java/com/microsoft/azure/msalwebsample/AuthPageController.java#L62).
+
+It attempts to call `getAuthResultBySilentFlow`. If the user needs to consent to more scopes, the code processes the `MsalInteractionRequiredException` to challenge the user.
+
+```java
+@RequestMapping("/msal4jsample/graph/users")
+    public ModelAndView getUsersFromGraph(HttpServletRequest httpRequest, HttpServletResponse response)
+            throws Throwable {
+
+        IAuthenticationResult result;
+        ModelAndView mav;
+        try {
+            result = authHelper.getAuthResultBySilentFlow(httpRequest, response);
+        } catch (ExecutionException e) {
+            if (e.getCause() instanceof MsalInteractionRequiredException) {
+
+                // If silent call returns MsalInteractionRequired, then redirect to Authorization endpoint
+                // so user can consent to new scopes
+                String state = UUID.randomUUID().toString();
+                String nonce = UUID.randomUUID().toString();
+
+                SessionManagementHelper.storeStateAndNonceInSession(httpRequest.getSession(), state, nonce);
+
+                String authorizationCodeUrl = authHelper.getAuthorizationCodeUrl(
+                        httpRequest.getParameter("claims"),
+                        "User.ReadBasic.all",
+                        authHelper.getRedirectUriGraphUsers(),
+                        state,
+                        nonce);
+
+                return new ModelAndView("redirect:" + authorizationCodeUrl);
+            } else {
+
+                mav = new ModelAndView("error");
+                mav.addObject("error", e);
+                return mav;
+            }
+        }
+    // Code omitted here.
+```
+
+# [Python](#tab/python)
+
+In the python sample, the code calling Microsoft graph is in [app.py#L53-L62](https://github.com/Azure-Samples/ms-identity-python-webapp/blob/48637475ed7d7733795ebeac55c5d58663714c60/app.py#L53-L62).
+
+It attempts to get a token from the token cache, and then calls the eb API after setting the authorization header. If it can't, it re-signs in the user.
+
+```python
+@app.route("/graphcall")
+def graphcall():
+    token = _get_token_from_cache(app_config.SCOPE)
+    if not token:
+        return redirect(url_for("login"))
+    graph_data = requests.get(  # Use token to call downstream service
+        app_config.ENDPOINT,
+        headers={'Authorization': 'Bearer ' + token['access_token']},
+        ).json()
+    return render_template('display.html', result=graph_data)
+```
+
 ## Next steps
 
 > [!div class="nextstepaction"]