Merge pull request #174916 from MicrosoftDocs/master

10/07 AM Publish

Author: huypub

.openpublishing.redirection.active-directory.json

@@ -10509,6 +10509,11 @@
             "source_path": "articles/active-directory/privileged-identity-management/pim-resource-roles-start-access-review.md",
             "redirect_url": "/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review",
             "redirect_document_id": false
-        }
+        },
+        {
+            "source_path_from_root": "/articles/active-directory-b2c/troubleshoot-custom-policies.md",
+            "redirect_url": "/azure/active-directory-b2c/troubleshoot",
+            "redirect_document_id": false
+          }
     ]
 }

articles/active-directory-b2c/TOC.yml

@@ -398,15 +398,13 @@
       displayName: rest claims exchange
     - name: Secure an API connector
       href: secure-rest-api.md
-  - name: Custom policy
+  - name: Troubleshooting
     items:
-    - name: Troubleshooting
-      items:
-      - name: Collect logs using Application Insights
-        href: troubleshoot-with-application-insights.md
-        displayName: troubleshooting, app insights
-      - name: Troubleshooting custom policies
-        href: troubleshoot-custom-policies.md
+    - name: Collect logs using Application Insights
+      href: troubleshoot-with-application-insights.md
+      displayName: troubleshooting, app insights
+    - name: Troubleshooting and error handling
+      href: troubleshoot.md
   - name: UserInfo endpoint
     href: userinfo-endpoint.md
   - name: Partner integration

articles/active-directory-b2c/add-password-reset-policy.md

@@ -335,6 +335,9 @@ Custom policies are a set of XML files that you upload to your Azure AD B2C tena
 
 ::: zone-end
 
+## Troubleshoot Azure AD B2C user flows and custom policies
+Your application needs to handle certain errors coming from Azure B2C service. Learn [how to troubleshoot Azure AD B2C's user flows and custom policies](troubleshoot.md).
+
 ## Next steps
 
 Set up a [force password reset](force-password-reset.md).

articles/active-directory-b2c/troubleshoot-with-application-insights.md

@@ -13,10 +13,21 @@ ms.date: 09/20/2021
 ms.custom: project-no-code
 ms.author: mimart
 ms.subservice: B2C
+zone_pivot_groups: b2c-policy-type
 ---
 
 # Collect Azure Active Directory B2C logs with Application Insights
 
+[!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
+
+::: zone pivot="b2c-user-flow"
+
+[!INCLUDE [active-directory-b2c-limited-to-custom-policy](../../includes/active-directory-b2c-limited-to-custom-policy.md)]
+
+::: zone-end
+
+::: zone pivot="b2c-custom-policy"
+
 This article provides steps for collecting logs from Active Directory B2C (Azure AD B2C) so that you can diagnose problems with your custom policies. Application Insights provides a way to diagnose exceptions and visualize application performance issues. Azure AD B2C includes a feature for sending data to Application Insights.
 
 The detailed activity logs described here should be enabled **ONLY** during the development of your custom policies.
@@ -189,4 +200,6 @@ To improve your production environment performance and better user experience, i
 
 ## Next steps
 
-- Learn how to [troubleshoot Azure AD B2C custom policies](troubleshoot-custom-policies.md)
+- Learn how to [troubleshoot Azure AD B2C custom policies](troubleshoot.md)
+
+::: zone-end

articles/active-directory-b2c/troubleshoot-custom-policies.md renamed to articles/active-directory-b2c/troubleshoot.md

@@ -1,5 +1,5 @@
 ---
-title: Troubleshoot custom policies in Azure Active Directory B2C
+title: Troubleshoot custom policies and user flows in Azure Active Directory B2C
 description: Learn about approaches to solving errors when working with custom policies in Azure Active Directory B2C.
 services: active-directory-b2c
 author: msmimart
@@ -8,12 +8,39 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: troubleshooting
-ms.date: 05/25/2021
+ms.date: 10/08/2021
 ms.author: mimart
 ms.subservice: B2C
+zone_pivot_groups: b2c-policy-type
 ---
 
-# Troubleshoot Azure AD B2C custom policies
+# Troubleshoot Azure AD B2C custom policies and user flows
+
+[!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
+
+Your application needs to handle certain errors coming from Azure B2C service. This article highlights some of the common errors and how to handle them.
+
+::: zone pivot="b2c-user-flow"
+
+## Password reset error
+
+This error occurs when the [self-service password reset experience](add-password-reset-policy.md#self-service-password-reset-recommended) isn't enabled in a user flow. Thus, selecting the **Forgot your password?** link doesn't trigger a password reset user flow. Instead, the error code `AADB2C90118` is returned to your application.
+
+There are 2 solutions to this problem:  
+  - Respond back with a new authentication request using Azure AD B2C password reset user flow.
+  - Use recommended [self service password resect (SSPR) experience](add-password-reset-policy.md#self-service-password-reset-recommended).  
+
+
+## User canceled the operation
+Azure AD B2C service can also return an error to your application when a user cancels an operation. The following are examples of scenarios where a user performs a cancel operation: 
+-  A user policy uses the recommended [self service password resect (SSPR) experience](add-password-reset-policy.md#self-service-password-reset-recommended) with a consumer local account. The user selects the **Forgot your password?** link , and then selects **Cancel** button before the user flow experience completes. In this case, Azure AD B2C service returns error code `AADB2C90091` to your application. 
+- A user chooses to authenticate with an external identity provider such as [LinkedIn](identity-provider-linkedin.md). The user select **Cancel** button before authenticating to the identity provider itself. In this case, Azure AD B2C service returns error code `AADB2C90273` to your application. Learn more about [error codes Azure Active Directory B2C service return](error-codes.md).
+
+To handle this error, fetch the **error description** for the user and respond back with a new authentication request with the same user flow. 
+
+::: zone-end
+
+::: zone pivot="b2c-custom-policy"
 
 If you use Azure Active Directory B2C (Azure AD B2C) [custom policies](custom-policy-overview.md), you might experience challenges with policy language XML format or runtime issues. This article describes some tools and tips that can help you discover and resolve issues. 
 
@@ -383,7 +410,7 @@ The cause for this error is similar to the one for the claim error. Check the pr
 
 ### User is currently logged as a user of 'yourtenant.onmicrosoft.com' tenant...
 
-You login with an account from a tenant that is different than the policy you try to upload. For example, you sign-in with [email protected], while your policy `TenantId` is set to `fabrikam.onmicrosoft.com`.
+You login with an account from a tenant that is different than the policy you try to upload. For example, your sign-in with [email protected], while your policy `TenantId` is set to `fabrikam.onmicrosoft.com`.
 
 ```xml
 <TrustFrameworkPolicy ...
@@ -462,6 +489,9 @@ To fix this type of error, when you upload the policy, select the **Overwrite th
 
 ![Screenshot that demonstrates how to overwrite the custom policy if it already exists.](./media/troubleshoot-custom-policies/overwrite-custom-policy-if-exists.png)
 
+::: zone-end
+
+
 
 ## Next steps
 

articles/active-directory-b2c/user-flow-custom-attributes.md

@@ -202,7 +202,7 @@ Use the following steps to remove extension/custom attribute from a user flow:
     1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the Directory name list, and then select **Switch**
 1. Choose **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**.
 1. Select **User attributes**, and then select the attribute you want to delete.
-1. Select **Delete**
+1. Select **Delete**, and then select **Yes** to confirm.
 
 ::: zone-end
 

articles/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md

@@ -85,9 +85,6 @@ $domain = "contoso.corp.com"
 # Enter an Azure Active Directory global administrator username and password.
 $cloudCred = Get-Credential
 
-If you have MFA enabled for Global administrator, Please remove "-Cloudcredential $cloudCred"
-you will see web-based popup and complete the U/P and MFA there
-
 # Enter a domain administrator username and password.
 $domainCred = Get-Credential
 
@@ -96,6 +93,29 @@ $domainCred = Get-Credential
 Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
 ```
 
+> [!NOTE]
+> If your organization protects password-based sign-in and enforces modern authentication methods such as MFA, FIDO2, or Smart Card, you must use the "-UserPrincipalName" parameter with the User Principal Name of a Global administrator.
+>    - Replace `contoso.corp.com` in the following example with your on-premises Active Directory domain name.
+>    - Replace `[email protected]` in the following example with the User Principal Name of a Global administrator.
+
+```powerShell
+Import-Module ".\AzureAdKerberos.psd1"
+
+# Specify the on-premises Active Directory domain. A new Azure AD
+# Kerberos Server object will be created in this Active Directory domain.
+$domain = "contoso.corp.com"
+
+# Enter a User Principal Name of Azure Active Directory global administrator
+$userPrincipalName = "[email protected]"
+
+# Enter a domain administrator username and password.
+$domainCred = Get-Credential
+
+# Create the new Azure AD Kerberos Server object in Active Directory
+# and then publish it to Azure Active Directory.
+Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred
+```
+
 ### Viewing and verifying the Azure AD Kerberos Server
 
 You can view and verify the newly created Azure AD Kerberos Server using the following command:

articles/active-directory/manage-apps/assign-app-owners.md

@@ -4,14 +4,14 @@ titleSuffix: Azure AD
 description: Assign owners to applications in Azure Active Directory
 services: active-directory
 documentationcenter: ''
-author: davidmu1
+author: saipradeepb23
 manager: celesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.subservice: app-mgmt
 ms.topic: how-to
 ms.date: 08/03/2021
-ms.author: davidmu
+ms.author: saibandaru
 #Customer intent: As an Azure AD administrator, I want to assign owners to enterprise applications.
 
 ---

articles/active-directory/manage-apps/configure-admin-consent-workflow.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: how-to
-ms.date: 07/08/2021
+ms.date: 10/06/2021
 ms.author: davidmu
 ms.reviewer: ergreenl
 ms.collection: M365-identity-device-management
@@ -86,7 +86,7 @@ To review the admin consent requests and take action:
 
 8. Evaluate the request and take the appropriate action:
 
-   * **Approve the request**. To approve a request, grant admin consent to the application. Once a request is approved, all requestors are notified that they have been granted access.  
+   * **Approve the request**. To approve a request, grant admin consent to the application. Once a request is approved, all requestors are notified that they have been granted access. Approving a request allows all users in your tenant to access the application unless otherwise restricted with user assignment. 
    * **Deny the request**. To deny a request, you must provide a justification that will be provided to all requestors. Once a request is denied, all requestors are notified that they have been denied access to the application. Denying a request won't prevent users from requesting admin consent to the app again in the future.  
    * **Block the request**. To block a request, you must provide a justification that will be provided to all requestors. Once a request is blocked, all requestors are notified they've been denied access to the application. Blocking a request creates a service principal object for the application in your tenant in a disabled state. Users won't be able to request admin consent to the application in the future.
 

articles/active-directory/saas-apps/factset-tutorial.md

@@ -74,10 +74,10 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
 1. On the **Set up single sign-on with SAML** page, perform the following steps:
 
     a. In the **Identifier** text box, type the URL:
-    `https://login.factset.com`
+    `https://auth.factset.com`
 
     b. In the **Reply URL** text box, type the URL:
-    `https://login.factset.com/services/saml2/`
+    `https://auth.factset.com/sp/ACS.saml2`
 
 1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section,  find **Federation Metadata XML** and select **Download** to download the metadata file and save it on your computer.
 
@@ -129,4 +129,4 @@ In this section, you test your Azure AD single sign-on configuration with follow
 
 ## Next steps
 
-Once you configure FactSet you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
+Once you configure FactSet you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).