Commit e2e9d2e
Merge pull request #210746 from MicrosoftDocs/main
9/09 PM Publish
2 parents 0029764 + 8c6726c commit e2e9d2e

241 files changed

+3795
-1522
lines changed
.openpublishing.redirection.json

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,11 @@
55
"redirect_url": "/azure/availability-zones/migrate-api-mgt",
66
"redirect_document_id": false
77
},
8+
{
9+
"source_path": "articles/api-management/breaking-changes/rp-source-ip-address-change-mar2023.md",
10+
"redirect_url": "/azure/api-management/breaking-changes/rp-source-ip-address-change-mar-2023",
11+
"redirect_document_id": false
12+
},
813
{
914
"source_path": "articles/api-management/developer-portal-implement-widgets.md",
1015
"redirect_url": "/azure/api-management/developer-portal-extend-custom-functionality",
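Review bot: the new entry follows the neighbouring redirects (relative `redirect_url`, `redirect_document_id: false`), but its target `/azure/api-management/breaking-changes/rp-source-ip-address-change-mar-2023` is not visible anywhere else in this hunk; confirm the renamed article exists at that path in this same commit, otherwise the redirect resolves to a 404.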

articles/active-directory/authentication/active-directory-certificate-based-authentication-get-started.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ manager: amycolannino
1414
ms.reviewer: annaba
1515

1616
ms.collection: M365-identity-device-management
17-
ms.custom: has-adal-ref
17+
1818
---
1919
# Get started with certificate-based authentication in Azure Active Directory with federation
2020

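Review bot: deleting `ms.custom: has-adal-ref` outright is the right cleanup now that the ADAL mention is gone from the body, but the parallel change in articles/active-directory/conditional-access/faqs.md leaves an empty `ms.custom:` key instead; make the two files consistent by removing the key in both.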
@@ -37,7 +37,7 @@ This topic:
3737

3838
To configure CBA with federation, the following statements must be true:
3939

40-
- CBA with federation is only supported for Federated environments for browser applications, native clients using modern authentication (ADAL), or MSAL libraries. The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for federated and managed accounts. To configure Azure AD CBA without needing federation, see [How to configure Azure AD certificate-based authentication](how-to-certificate-based-authentication.md).
40+
- CBA with federation is only supported for Federated environments for browser applications, native clients using modern authentication, or MSAL libraries. The one exception is Exchange Active Sync (EAS) for Exchange Online (EXO), which can be used for federated and managed accounts. To configure Azure AD CBA without needing federation, see [How to configure Azure AD certificate-based authentication](how-to-certificate-based-authentication.md).
4141
- The root certificate authority and any intermediate certificate authorities must be configured in Azure Active Directory.
4242
- Each certificate authority must have a certificate revocation list (CRL) that can be referenced via an internet-facing URL.
4343
- You must have at least one certificate authority configured in Azure Active Directory. You can find related steps in the [Configure the certificate authorities](#step-2-configure-the-certificate-authorities) section.
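Review bot: with "(ADAL)" removed, "native clients using modern authentication, or MSAL libraries" now reads as three unrelated items; suggest "native clients using modern authentication or MSAL libraries" so that MSAL is understood as the library through which modern authentication is used, not a separate category.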

articles/active-directory/conditional-access/concept-conditional-access-grant.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -151,6 +151,8 @@ The following client apps are confirmed to support this setting:
151151
- Microsoft Teams
152152
- Microsoft To Do
153153
- Microsoft Word
154+
- Microsoft Power Apps
155+
- Microsoft Field Service (Dynamics 365)
154156
- MultiLine for Intune
155157
- Nine Mail - Email and Calendar
156158
- Notate for Intune
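Review bot: the surrounding list is alphabetical (Microsoft Teams, Microsoft To Do, Microsoft Word, MultiLine for Intune, Nine Mail, Notate for Intune), so inserting "Microsoft Power Apps" and "Microsoft Field Service (Dynamics 365)" after "Microsoft Word" breaks the order; place "Microsoft Field Service (Dynamics 365)" and then "Microsoft Power Apps" ahead of "Microsoft Teams".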

articles/active-directory/conditional-access/concept-conditional-access-policies.md

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -36,14 +36,14 @@ All policies are enforced in two phases:
3636
- Use the session details gathered in phase 1 to identify any requirements that haven't been met.
3737
- If there's a policy that is configured to block access, with the block grant control, enforcement will stop here and the user will be blocked.
3838
- The user will be prompted to complete more grant control requirements that weren't satisfied during phase 1 in the following order, until policy is satisfied:
39-
- [Multi-factor authentication​](concept-conditional-access-grant.md#require-multi-factor-authentication)
40-
- [Device to be marked as compliant](./concept-conditional-access-grant.md#require-device-to-be-marked-as-compliant)
41-
- [Hybrid Azure AD joined device](./concept-conditional-access-grant.md#require-hybrid-azure-ad-joined-device)
42-
- [Approved client app](./concept-conditional-access-grant.md#require-approved-client-app)
43-
- [App protection policy](./concept-conditional-access-grant.md#require-app-protection-policy)
44-
- [Password change](./concept-conditional-access-grant.md#require-password-change)
45-
- [Terms of use](concept-conditional-access-grant.md#terms-of-use)
46-
- [Custom controls](./concept-conditional-access-grant.md#custom-controls-preview)
39+
1. [Multi-factor authentication​](concept-conditional-access-grant.md#require-multi-factor-authentication)
40+
2. [Device to be marked as compliant](./concept-conditional-access-grant.md#require-device-to-be-marked-as-compliant)
41+
3. [Hybrid Azure AD joined device](./concept-conditional-access-grant.md#require-hybrid-azure-ad-joined-device)
42+
4. [Approved client app](./concept-conditional-access-grant.md#require-approved-client-app)
43+
5. [App protection policy](./concept-conditional-access-grant.md#require-app-protection-policy)
44+
6. [Password change](./concept-conditional-access-grant.md#require-password-change)
45+
7. [Terms of use](concept-conditional-access-grant.md#terms-of-use)
46+
8. [Custom controls](./concept-conditional-access-grant.md#custom-controls-preview)
4747
- Once all grant controls have been satisfied, apply session controls (App Enforced, Microsoft Defender for Cloud Apps, and token Lifetime)
4848
- Phase 2 of policy evaluation occurs for all enabled policies.
4949

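Review bot: the ordered list is the right form here, because the introducing sentence says the unmet grant controls are prompted "in the following order", and the numbering now makes that precedence (multi-factor authentication first, custom controls last) explicit rather than implied. One nit: the link text of item 1 appears to carry a stray non-printing character before the closing bracket, inherited from the removed line 39; strip it while the line is being rewritten.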
articles/active-directory/conditional-access/faqs.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ manager: amycolannino
1414
ms.reviewer: calebb
1515

1616
ms.collection: M365-identity-device-management
17-
ms.custom: has-adal-ref
17+
ms.custom:
1818
---
1919
# Azure Active Directory Conditional Access FAQs
2020

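Review bot: `ms.custom:` with no value is now an empty (null) key; either drop the line, as the same cleanup in articles/active-directory/authentication/active-directory-certificate-based-authentication-get-started.md does, or give it a value, so the two files do not diverge.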
@@ -48,7 +48,7 @@ Microsoft Teams relies heavily on Exchange Online and SharePoint Online for core
4848

4949
Microsoft Teams also is supported separately as a cloud app in Conditional Access policies. Conditional Access policies that are set for a cloud app apply to Microsoft Teams when a user signs in. However, without the correct policies on other apps like Exchange Online and SharePoint Online users may still be able to access those resources directly.
5050

51-
Microsoft Teams desktop clients for Windows and Mac support modern authentication. Modern authentication brings sign-in based on the Azure Active Directory Authentication Library (ADAL) to Microsoft Office client applications across platforms.
51+
Microsoft Teams desktop clients for Windows and Mac support modern authentication. Modern authentication brings sign-in to Microsoft Office client applications across platforms.
5252

5353
For more information, see the article, [Conditional Access service dependencies](service-dependencies.md) and consider targeting policies to the [Office 365 app](concept-conditional-access-cloud-apps.md#office-365) instead.
5454

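Review bot: after removing the ADAL clause, "Modern authentication brings sign-in to Microsoft Office client applications across platforms" no longer says anything specific (every client brings sign-in); either state what modern authentication is for the purposes of this FAQ (e.g. the OAuth-based sign-in that Conditional Access is able to evaluate) or drop the second sentence and keep only "Microsoft Teams desktop clients for Windows and Mac support modern authentication."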
articles/active-directory/develop/includes/console-app/quickstart-nodejs.md

Lines changed: 8 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ manager: CelesteDG
77
ms.service: active-directory
88
ms.subservice: develop
99
ms.topic: include
10-
ms.date: 01/10/2022
10+
ms.date: 09/09/2022
1111
ms.author: marsma
1212
#Customer intent: As an application developer, I want to learn how my Node.js app can get an access token and call an API that is protected by a Microsoft identity platform endpoint using client credentials flow.
1313
ms.custom: mode-other
@@ -60,17 +60,20 @@ To register your application and add the app's registration information to your
6060
- `Enter_the_Application_Id_Here` - is the **Application (client) ID** of the application you registered earlier. Find this ID on the app registration's **Overview** pane in the Azure portal.
6161
- `Enter_the_Tenant_Id_Here` - replace this value with the **Tenant ID** or **Tenant name** (for example, contoso.microsoft.com). Find these values on the app registration's **Overview** pane in the Azure portal.
6262
- `Enter_the_Client_Secret_Here` - replace this value with the client secret you created earlier. To generate a new key, use **Certificates & secrets** in the app registration settings in the Azure portal.
63+
64+
Using a plaintext secret in the source code poses an increased security risk for your application. Although the sample in this quickstart uses a plaintext client secret, it's only for simplicity. We recommend using [certificate credentials](../../active-directory-certificate-credentials.md) instead of client secrets in your confidential client applications, especially those apps you intend to deploy to production.
6365

64-
> [!WARNING]
65-
> Any plaintext secret in source code poses an increased security risk. This article uses a plaintext client secret for simplicity only. Use [certificate credentials](../../active-directory-certificate-credentials.md) instead of client secrets in your confidential client applications, especially those apps you intend to deploy to production.
66+
3. Edit *.env* and replace the Azure AD and Microsoft Graph endpoints with the following values:
67+
- For the Azure AD endpoint, replace `Enter_the_Cloud_Instance_Id_Here` with `https://login.microsoftonline.com`.
68+
- For the Microsoft Graph endpoint, replace `Enter_the_Graph_Endpoint_Here` with `https://graph.microsoft.com/`.
6669

6770
#### Step 4: Admin consent
6871

6972
If you try to run the application at this point, you'll receive *HTTP 403 - Forbidden* error: `Insufficient privileges to complete the operation`. This error happens because any *app-only permission* requires **admin consent**: a global administrator of your directory must give consent to your application. Select one of the options below depending on your role:
7073

7174
##### Global tenant administrator
7275

73-
If you are a global tenant administrator, go to **API Permissions** page in the Azure portal's Application Registration and select **Grant admin consent for {Tenant Name}** (where {Tenant Name} is the name of your directory).
76+
If you're a global tenant administrator, go to **API Permissions** page in the Azure portal's Application Registration and select **Grant admin consent for {Tenant Name}** (where {Tenant Name} is the name of your directory).
7477

7578
##### Standard user
7679

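Review bot: the plaintext-secret guidance is demoted from a `> [!WARNING]` callout to an ordinary paragraph inside the list, which makes the one security-relevant instruction in the quickstart less visible; keep the callout (the new wording is fine, the recommendation to use certificate credentials must stay prominent). Also check the indentation of the new paragraph at lines 63-64 so it renders as part of the step-2 list item and does not break the numbered list before the new step 3.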
@@ -86,7 +89,7 @@ https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_i
8689

8790
#### Step 5: Run the application
8891

89-
Locate the sample's root folder (where `package.json` resides) in a command prompt or console. You'll need to install the dependencies of this sample once:
92+
Locate the sample's root folder (where `package.json` resides) in a command prompt or console. You'll need to install the dependencies your sample app requires before running it for the first time:
9093

9194
```console
9295
npm install

articles/active-directory/devices/concept-primary-refresh-token.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -159,7 +159,7 @@ The following diagrams illustrate the underlying details in issuing, renewing, a
159159
| :---: | --- |
160160
| A | User enters their password in the sign in UI. LogonUI passes the credentials in an auth buffer to LSA, which in turns passes it internally to CloudAP. CloudAP forwards this request to the CloudAP plugin. |
161161
| B | CloudAP plugin initiates a realm discovery request to identify the identity provider for the user. If user’s tenant has a federation provider setup, Azure AD returns the federation provider’s Metadata Exchange endpoint (MEX) endpoint. If not, Azure AD returns that the user is managed indicating that user can authenticate with Azure AD. |
162-
| C | If the user is managed, CloudAP will get the nonce from Azure AD. If the user is federated, CloudAP plugin requests a SAML token from the federation provider with the user’s credentials. Once it receives, the SAML token, it requests a nonce from Azure AD. |
162+
| C | If the user is managed, CloudAP will get the nonce from Azure AD. If the user is federated, CloudAP plugin requests a SAML token from the federation provider with the user’s credentials. Nonce is requested before the SAML token is sent to Azure AD. |
163163
| D | CloudAP plugin constructs the authentication request with the user’s credentials, nonce, and a broker scope, signs the request with the Device key (dkpriv) and sends it to Azure AD. In a federated environment, CloudAP plugin uses the SAML token returned by the federation provider instead of the user’ credentials. |
164164
| E | Azure AD validates the user credentials, the nonce, and device signature, verifies that the device is valid in the tenant and issues the encrypted PRT. Along with the PRT, Azure AD also issues a symmetric key, called the Session key encrypted by Azure AD using the Transport key (tkpub). In addition, the Session key is also embedded in the PRT. This Session key acts as the Proof-of-possession (PoP) key for subsequent requests with the PRT. |
165165
| F | CloudAP plugin passes the encrypted PRT and Session key to CloudAP. CloudAP request the TPM to decrypt the Session key using the Transport key (tkpriv) and re-encrypt it using the TPM’s own key. CloudAP stores the encrypted Session key in its cache along with the PRT. |
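Review bot: "Nonce is requested before the SAML token is sent to Azure AD" is passive, lacks an article and an actor, and can be read as the nonce being requested before the SAML token is even obtained from the federation provider; the removed wording (nonce requested once the SAML token is received) said something narrower. If that order is intended, suggest "The CloudAP plugin then requests a nonce from Azure AD before sending the SAML token to Azure AD." The unchanged row D still reads "user’ credentials" (missing s).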
@@ -173,7 +173,7 @@ The following diagrams illustrate the underlying details in issuing, renewing, a
173173
| A | User enters their password in the sign in UI. LogonUI passes the credentials in an auth buffer to LSA, which in turns passes it internally to CloudAP. CloudAP forwards this request to the CloudAP plugin. |
174174
| B | If the user has previously logged on to the user, Windows initiates cached sign in and validates credentials to log the user in. Every 4 hours, the CloudAP plugin initiates PRT renewal asynchronously. |
175175
| C | CloudAP plugin initiates a realm discovery request to identify the identity provider for the user. If user’s tenant has a federation provider setup, Azure AD returns the federation provider’s Metadata Exchange endpoint (MEX) endpoint. If not, Azure AD returns that the user is managed indicating that user can authenticate with Azure AD. |
176-
| D | If the user is federated, CloudAP plugin requests a SAML token from the federation provider with the user’s credentials. Once it receives, the SAML token, it requests a nonce from Azure AD. If the user is managed, CloudAP will directly get the nonce from Azure AD. |
176+
| D | If the user is federated, CloudAP plugin requests a SAML token from the federation provider with the user’s credentials. Nonce is requested before the SAML token is sent to Azure AD. If the user is managed, CloudAP will directly get the nonce from Azure AD. |
177177
| E | CloudAP plugin constructs the authentication request with the user’s credentials, nonce, and the existing PRT, signs the request with the Session key and sends it to Azure AD. In a federated environment, CloudAP plugin uses the SAML token returned by the federation provider instead of the user’ credentials. |
178178
| F | Azure AD validates the Session key signature by comparing it against the Session key embedded in the PRT, validates the nonce and verifies that the device is valid in the tenant and issues a new PRT. As seen before, the PRT is again accompanied with the Session key encrypted by Transport key (tkpub). |
179179
| G | CloudAP plugin passes the encrypted PRT and Session key to CloudAP. CloudAP requests the TPM to decrypt the Session key using the Transport key (tkpriv) and re-encrypt it using the TPM’s own key. CloudAP stores the encrypted Session key in its cache along with the PRT. |
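Review bot: in row D, "Nonce is requested before the SAML token is sent to Azure AD" should name the actor and make the order explicit, e.g. "the CloudAP plugin then requests a nonce from Azure AD before sending the SAML token", so that it cannot be read as the nonce being fetched before the federation-provider request; the unchanged row E also still has "user’ credentials" (missing s).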

articles/active-directory/fundamentals/add-users-azure-active-directory.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -76,7 +76,7 @@ If you have an environment with both Azure Active Directory (cloud) and Windows
7676
You can delete an existing user using Azure Active Directory portal.
7777

7878
>[!Note]
79-
>You must have a Global administrator or User administrator role assignment to delete users in your organization. Global admins can delete any users including other admins. User administrators can delete any non-admin users, Helpdesk administrators and other User administrators. For more information, see [Administrator role permissions in Azure AD](../roles/permissions-reference.md).
79+
>You must have a Global administrator, Privileged authentication administrator or User administrator role assignment to delete users in your organization. Global admins and Privileged authentication admins can delete any users including other admins. User administrators can delete any non-admin users, Helpdesk administrators and other User administrators. For more information, see [Administrator role permissions in Azure AD](../roles/permissions-reference.md).
8080
8181
To delete a user, follow these steps:
8282

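Review bot: this line adds a permission claim (Privileged authentication administrators can delete any user, including other admins), so the role name and the statement should be checked against the permissions reference the note already links to; also add the serial comma: "Global administrator, Privileged authentication administrator, or User administrator role assignment".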
@@ -109,4 +109,4 @@ After you've added your users, you can do the following basic processes:
109109

110110
- [Work with dynamic groups and users](../enterprise-users/groups-create-rule.md)
111111

112-
Or you can do other user management tasks, such as [adding guest users from another directory](../external-identities/what-is-b2b.md) or [restoring a deleted user](active-directory-users-restore.md). For more information about other available actions, see [Azure Active Directory user management documentation](../enterprise-users/index.yml).
112+
Or you can do other user management tasks, such as [adding guest users from another directory](../external-identities/what-is-b2b.md) or [restoring a deleted user](active-directory-users-restore.md). For more information about other available actions, see [Azure Active Directory user management documentation](../enterprise-users/index.yml).
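Review bot: the removed and added lines are textually identical, so this hunk is a whitespace-only change (most likely the end-of-file newline); harmless, but worth stating in the PR description so reviewers do not search for a content difference.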
