Merge branch 'main' into release-preview-mswb

Author: v-alje

.openpublishing.redirection.json

@@ -23347,6 +23347,56 @@
             "redirect_url": "/azure/active-directory/develop/quickstart-register-app",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/active-directory/develop/migrate-adal-msal-java.md",
+            "redirect_url": "/entra/msal/java/advanced/support-for-adfs",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/active-directory/develop/msal-logging-java.md",
+            "redirect_url": "/entra/msal/java/advanced/msal-logging-java",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/active-directory/develop/msal-error-handling-java.md",
+            "redirect_url": "/entra/msal/java/advanced/msal-error-handling-java",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/active-directory/develop/msal-java-token-cache-serialization.md",
+            "redirect_url": "/entra/msal/java/advanced/msal-java-token-cache-serialization",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/active-directory/develop/msal-java-adfs-support.md",
+            "redirect_url": "/entra/msal/java/advanced/msal-java-adfs-support",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/active-directory/develop/msal-java-get-remove-accounts-token-cache.md",
+            "redirect_url": "/entra/msal/java/advanced/msal-java-get-remove-accounts-token-cache",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/active-directory/develop/migrate-python-adal-msal.md",
+            "redirect_url": "/entra/msal/python/advanced/migrate-python-adal-msal",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/active-directory/develop/msal-logging-python.md",
+            "redirect_url": "/entra/msal/python/advanced/msal-logging-python",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/active-directory/develop/msal-error-handling-python.md",
+            "redirect_url": "/entra/msal/python/advanced/msal-error-handling-python",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/active-directory/develop/msal-python-token-cache-serialization.md",
+            "redirect_url": "/entra/msal/python/advanced/msal-python-token-cache-serialization",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/networking/azure-orbital-overview.md",
             "redirect_url": "/azure/orbital/overview",

articles/active-directory-domain-services/faqs.yml

@@ -11,7 +11,7 @@ metadata:
   ms.subservice: domain-services
   ms.workload: identity
   ms.topic: faq
-  ms.date: 08/01/2023
+  ms.date: 09/05/2023
   ms.author: justinha
 title: Frequently asked questions (FAQs) about Azure Active Directory (AD) Domain Services
 summary: This page answers frequently asked questions about Azure Active Directory Domain Services.
@@ -106,6 +106,11 @@ sections:
         answer: |
           Any user account that's part of the managed domain can join a VM. Members of the *Azure AD DC Administrators* group are granted remote desktop access to machines that have been joined to the managed domain.
 
+      - question: |
+          Is there any quota for the number of machines that I can join to the domain?
+        answer: |
+          There's no quota in Azure AD DS for domain-joined machines.
+
       - question: |
           Do I have domain administrator privileges for the managed domain provided by Azure AD Domain Services?
         answer: |

articles/active-directory/architecture/resilience-client-app.md

@@ -37,8 +37,8 @@ Learn more:
 
 * [Token cache serialization](https://github.com/AzureAD/microsoft-identity-web/wiki/token-cache-serialization)
 * [Token cache serialization in MSAL.NET](../develop/msal-net-token-cache-serialization.md)
-* [Custom token cache serialization in MSAL for Java](../develop/msal-java-token-cache-serialization.md)
-* [Custom token cache serialization in MSAL for Python](../develop/msal-python-token-cache-serialization.md).
+* [Custom token cache serialization in MSAL for Java](/entra/msal/java/advanced/msal-java-token-cache-serialization)
+* [Custom token cache serialization in MSAL for Python](/entra/msal/python/advanced/msal-python-token-cache-serialization).
 
    ![Diagram of a device and and application using MSAL to call Microsoft Identity](media/resilience-client-app/resilience-with-microsoft-authentication-library.png)
 

articles/active-directory/cloud-infrastructure-entitlement-management/faqs.md

@@ -139,7 +139,7 @@ Customers can also remove, export or modify specific data if a Global Administra
 
 If you're an enterprise customer, you can contact your Microsoft representative, account team, or tenant admin to file a high-priority IcM support ticket requesting a Data Subject Request. Do not include details or any personally identifiable information in the IcM request. We'll reach out to you for these details only after an IcM is filed.
 
-If you're a self-service customer (you set up a trial or paid license in the Microsoft 365 admin center) you can contact the Permissions Management privacy team by selecting your profile drop-down menu, then **Account Settings** in Permissions Management. Follow the instructions to make a Data Subject Access Request.
+If you're a self-service customer (you set up a trial or paid license in the Microsoft 365 admin center) you can contact the Permissions Management privacy team by selecting your profile drop-down menu, then **Account Settings** in Permissions Management. Follow the instructions to make a Data Subject Request.
 
 Learn more about [Azure Data Subject Requests](https://go.microsoft.com/fwlink/?linkid=2245178).
 

articles/active-directory/cloud-infrastructure-entitlement-management/onboard-enable-controller-after-onboarding.md

@@ -8,17 +8,17 @@ ms.service: active-directory
 ms.subservice: ciem
 ms.workload: identity
 ms.topic: how-to
-ms.date: 06/16/2023
+ms.date: 08/24/2023
 ms.author: jfields
 ---
 
 # Enable or disable the controller after onboarding is complete
 
-With the controller, you determine what level of access to provide Permissions Management.
+With the controller, you can decide what level of access to grant in Permissions Management.
 
-* Enable to grant read and write access to your environment(s). You can manage permissions and remediate through Permissions Management.
+* Enable to grant read and write access to your environments. You can right-size permissions and remediate through Permissions Management.
 
-* Disable to grant read-only access to your environment(s).
+* Disable to grant read-only access to your environments.
 
 
 This article describes how to enable the controller in Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) after onboarding is complete.
@@ -30,7 +30,7 @@ This article also describes how to disable the controller in Microsoft Azure and
 ## Enable the controller in AWS
 
 > [!NOTE]
->  You can enable the controller in AWS if you disabled it during onboarding. Once you enable the controller, you can’t disable it at this time.
+>  You can enable the controller in AWS if you disabled it during onboarding. Once you enable the controller in AWS, you can’t disable it.
 
 1. Sign in to the AWS console of the member account in a separate browser window.
 1. Go to the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.

articles/active-directory/conditional-access/how-to-app-protection-policy-windows.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: how-to
-ms.date: 07/14/2023
+ms.date: 09/05/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -23,7 +23,7 @@ App protection policies apply mobile application management (MAM) to specific ap
 
 ## Prerequisites
 
-Customers interested in the public preview will need to opt-in using the [MAM for Windows Public Preview Sign Up Form](https://aka.ms/MAMforWindowsPublic).
+Customers interested in the public preview need to opt in using the [MAM for Windows Public Preview Sign Up Form](https://aka.ms/MAMforWindowsPublic).
 
 ## User exclusions
 [!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)]
@@ -34,7 +34,7 @@ The following policy is put in to [Report-only mode](howto-conditional-access-in
 
 ### Require app protection policy for Windows devices
 
-The following steps help create a Conditional Access policy requiring an app protection policy when using a Windows device. The app protection policy must also be configured and assigned to your users in Microsoft Intune. For more information about how to create the app protection policy, see the article [Preview: App protection policy settings for Windows](/mem/intune/apps/app-protection-policy-settings-windows).
+The following steps help create a Conditional Access policy requiring an app protection policy when using a Windows device. The app protection policy must also be configured and assigned to your users in Microsoft Intune. For more information about how to create the app protection policy, see the article [Preview: App protection policy settings for Windows](/mem/intune/apps/app-protection-policy-settings-windows). The following policy includes multiple controls allowing devices to either use app protection policies for mobile application management (MAM) or be managed and compliant with mobile device management (MDM) policies.
 
 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).
 1. Browse to **Protection** > **Conditional Access**.
@@ -52,16 +52,19 @@ The following steps help create a Conditional Access policy requiring an app pro
    1. **Client apps**, set **Configure** to **Yes**. 
       1. Select **Browser** only.
 1. Under **Access controls** > **Grant**, select **Grant access**.
-   1. Select **Require app protection policy**
+   1. Select **Require app protection policy** and **Require device to be marked as compliant**.
    1. **For multiple controls** select **Require one of the selected controls**
 1. Confirm your settings and set **Enable policy** to **Report-only**.
 1. Select **Create** to create to enable your policy.
 
-After confirming your settings using [report-only mode](howto-conditional-access-insights-reporting.md), an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.
+
+> [!TIP]
+> Organizations should also deploy a policy that [blocks access from unsupported or unknown device platforms](howto-policy-unknown-unsupported-device.md) along with this policy.
 
 ## Sign in to Windows devices
 
-When users attempt to sign in to a site that is protected by an app protection policy for the first time, they're prompted: To access your service, app or website, you may need to sign in to Microsoft Edge using `[email protected]` or register your device with `organization` if you are already signed in.
+When users attempt to sign in to a site that is protected by an app protection policy for the first time, they're prompted: To access your service, app or website, you may need to sign in to Microsoft Edge using `[email protected]` or register your device with `organization` if you're already signed in.
 
 Clicking on **Switch Edge profile** opens a window listing their Work or school account along with an option to **Sign in to sync data**.
 
@@ -70,11 +73,13 @@ Clicking on **Switch Edge profile** opens a window listing their Work or school
 This process opens a window offering to allow Windows to remember your account and automatically sign you in to your apps and websites. 
 
 > [!CAUTION]
-> You must *CLEAR THE CHECKBOX* **Allow my organization to manage my device**. Leaving this checked enrolls your device in mobile device maangment (MDM) not mobile application management (MAM).
+> You must *CLEAR THE CHECKBOX* **Allow my organization to manage my device**. Leaving this checked enrolls your device in mobile device maangment (MDM) not mobile application management (MAM). 
+>
+> Don't select **No, sign in to this app only**.
 
 ![Screenshot showing the stay signed in to all your apps window. Uncheck the allow my organization to manage my device checkbox.](./media/how-to-app-protection-policy-windows/stay-signed-in-to-all-your-apps.png)
 
-After selecting **OK** you may see a progress window while policy is applied. After a few moments you should see a window saying "you're all set", app protection policies are applied.
+After selecting **OK**, you may see a progress window while policy is applied. After a few moments, you should see a window saying "you're all set", app protection policies are applied.
 
 ## Troubleshooting
 
@@ -93,7 +98,7 @@ To resolve these possible scenarios:
 
 ### Existing account
 
-If there's a pre-existing, unregistered account, like `[email protected]` in Microsoft Edge, or if a user signs in without registering using the Heads Up Page, then the account isn't properly enrolled in MAM. This configuration blocks the user from being properly enrolled in MAM. This is a known issue that is currently being worked on. 
+If there's a pre-existing, unregistered account, like `[email protected]` in Microsoft Edge, or if a user signs in without registering using the Heads Up Page, then the account isn't properly enrolled in MAM. This configuration blocks the user from being properly enrolled in MAM. This is a known issue. 
 
 ## Next steps
 

articles/active-directory/conditional-access/howto-policy-unknown-unsupported-device.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: how-to
-ms.date: 07/18/2023
+ms.date: 09/05/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -17,7 +17,9 @@ ms.collection: M365-identity-device-management
 ---
 # Common Conditional Access policy: Block access for unknown or unsupported device platform
 
-Users will be blocked from accessing company resources when the device type is unknown or unsupported.
+Users are blocked from accessing company resources when the device type is unknown or unsupported.
+
+The [device platform condition](concept-conditional-access-conditions.md#device-platforms) is based on user agent strings. Conditional Access policies using it should be used with another policy, like one requiring device compliance or app protection policies.
 
 ## User exclusions
 [!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)]
@@ -38,12 +40,15 @@ Users will be blocked from accessing company resources when the device type is u
    1. Set **Configure** to **Yes**.
    1. Under **Include**, select **Any device**
    1. Under **Exclude**, select **Android**, **iOS**, **Windows**, and **macOS**.
+      > [!NOTE]
+      > For the exclusion select any platforms that your organization knowingly uses, and leave the others unselected.
    1. Select, **Done**.
 1. Under **Access controls** > **Grant**, select **Block access**, then select **Select**.
 1. Confirm your settings and set **Enable policy** to **Report-only**.
 1. Select **Create** to create to enable your policy.
 
 After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.
+
 ## Next steps
 
 [Conditional Access templates](concept-conditional-access-policy-common.md)

articles/active-directory/develop/TOC.yml

@@ -708,20 +708,7 @@
             - name: Migrate to MSAL.iOS / macOS
               href: migrate-objc-adal-msal.md
         - name: MSAL Java
-          items:
-            - name: Custom token cache serialization
-              href: msal-java-token-cache-serialization.md
-            - name: Get and remove accounts from the token cache
-              href: msal-java-get-remove-accounts-token-cache.md
-            - name: Migrate to MSAL for Java
-              href: migrate-adal-msal-java.md
-            - name: AD FS support in MSAL for Java
-              href: msal-java-adfs-support.md
-            - name: Handle errors and exceptions in MSAL for Java
-              displayName: handling, catch
-              href: msal-error-handling-java.md
-            - name: Logging in MSAL for Java
-              href: msal-logging-java.md
+          href: /entra/msal/java
         - name: MSAL.js
           displayName: Angular, JavaScript, Node.js, React
           items:
@@ -830,18 +817,7 @@
               displayName: persistent, serialize, deserialize
               href: msal-node-extensions.md
         - name: MSAL Python
-          items:
-            - name: Custom token cache serialization
-              href: msal-python-token-cache-serialization.md
-            - name: Migrate to MSAL Python
-              href: migrate-python-adal-msal.md
-            - name: AD FS support in MSAL Python
-              href: msal-python-adfs-support.md
-            - name: Handle errors and exceptions in MSAL for Python
-              displayName: handling, catch
-              href: msal-error-handling-python.md
-            - name: Logging in MSAL for Python
-              href: msal-logging-python.md
+          href: /entra/msal/python/
     - name: Protocol reference (OAuth, OIDC, SAML)
       items:
         - name: OAuth 2.0 and OpenID Connect (OIDC)