Commit e8c3b16

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into dev-box-pools
2 parents c08199a + baf6b13 commit e8c3b16

93 files changed

+1078
-592
lines changed

.openpublishing.publish.config.json

Lines changed: 0 additions & 1 deletion
@@ -986,7 +986,6 @@
986986
".openpublishing.redirection.azure-percept.json",
987987
".openpublishing.redirection.azure-productivity.json",
988988
".openpublishing.redirection.azure-australia.json",
989-
".openpublishing.redirection.aks.json",
990989
"articles/azure-fluid-relay/.openpublishing.redirection.fluid-relay.json",
991990
"articles/azure-netapp-files/.openpublishing.redirection.azure-netapp-files.json",
992991
"articles/azure-relay/.openpublishing.redirection.relay.json",
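Review bot: removing ".openpublishing.redirection.aks.json" from this list at old line 989 is paired with deleting that file (9 lines), and the visible diff does not show where its redirect entries went. Confirm they were moved into a redirection file that is still listed here; otherwise URLs that relied on those entries may stop redirecting.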

.openpublishing.redirection.aks.json

Lines changed: 0 additions & 9 deletions
This file was deleted.

articles/active-directory/conditional-access/concept-conditional-access-grant.md

Lines changed: 6 additions & 3 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: conceptual
9-
ms.date: 08/05/2022
9+
ms.date: 09/06/2022
1010
ms.author: joflore
1111
author: MicrosoftGuyJFlo
1212
manager: amycolannino
@@ -132,9 +132,9 @@ In your Conditional Access policy, you can require that an [Intune app protectio
132132

133133
To apply this grant control, Conditional Access requires that the device is registered in Azure AD, which requires using a broker app. The broker app can be either Microsoft Authenticator for iOS or Microsoft Company Portal for Android devices. If a broker app isn't installed on the device when the user attempts to authenticate, the user is redirected to the app store to install the broker app.
134134

135-
Applications must have the Intune SDK with policy assurance implemented and must meet certain other requirements to support this setting. Developers who are implementing applications with the Intune SDK can find more information on these requirements in the SDK documentation.
135+
Applications must have the Intune SDK with policy assurance implemented and must meet certain other requirements to support this setting. Developers who are implementing applications with the Intune SDK can find more information on these requirements in the [SDK documentation](/mem/intune/developer/app-sdk-get-started).
136136

137-
The following client apps support this setting:
137+
The following client apps are confirmed to support this setting:
138138

139139
- Microsoft Cortana
140140
- Microsoft Edge
@@ -153,6 +153,9 @@ The following client apps support this setting:
153153
- Microsoft Word
154154
- MultiLine for Intune
155155
- Nine Mail - Email and Calendar
156+
- Notate for Intune
157+
158+
This list is not all encompassing, if your app is not in this list please check with the application vendor to confirm support.
156159

157160
> [!NOTE]
158161
> Kaizala, Skype for Business, and Visio don't support the **Require app protection policy** grant. If you require these apps to work, use the **Require approved apps** grant exclusively. Using the "or" clause between the two grants will not work for these three applications.
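Review bot: the sentence added at new line 158 is a comma splice, and "all encompassing" needs a hyphen. Suggest "This list isn't all-encompassing. If your app isn't in this list, check with the application vendor to confirm support.", which also matches the contractions already used in the NOTE that follows ("don't support").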

articles/active-directory/manage-apps/assign-user-or-group-access-portal.md

Lines changed: 2 additions & 3 deletions
@@ -8,7 +8,7 @@ ms.service: active-directory
88
ms.subservice: app-mgmt
99
ms.workload: identity
1010
ms.topic: how-to
11-
ms.date: 10/23/2021
11+
ms.date: 09/06/2022
1212
ms.author: ergreenl
1313
ms.custom: contperf-fy22q2, contperf-fy22q3
1414

@@ -17,7 +17,7 @@ ms.custom: contperf-fy22q2, contperf-fy22q3
1717

1818
# Assign users and groups to an application
1919

20-
This article shows you how to assign users and groups to an enterprise application in Azure Active Directory (Azure AD) using PowerShell. When you assign a user to an application, the application appears in the user's [My Apps](https://myapps.microsoft.com/) portal for easy access. If the application exposes roles, you can also assign a specific role to the user.
20+
This article shows you how to assign users and groups to an enterprise application in Azure Active Directory (Azure AD) using PowerShell. When you assign a user to an application, the application appears in the user's [My Apps](https://myapps.microsoft.com/) portal for easy access. If the application exposes app roles, you can also assign a specific app role to the user.
2121

2222
When you assign a group to an application, only users in the group will have access. The assignment does not cascade to nested groups.
2323

@@ -33,7 +33,6 @@ To assign users to an app using PowerShell, you need:
3333
- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
3434
- If you have not yet installed the AzureAD module (use the command `Install-Module -Name AzureAD`). If you're prompted to install a NuGet module or the new Azure Active Directory V2 PowerShell module, type Y and press ENTER.
3535
- Azure Active Directory Premium P1 or P2 for group-based assignment. For more licensing requirements for the features discussed in this article, see the [Azure Active Directory pricing page](https://azure.microsoft.com/pricing/details/active-directory).
36-
- Optional: Completion of [Configure an app](add-application-portal-configure.md).
3736

3837
## Assign users, and groups, to an app using PowerShell
3938

articles/active-directory/manage-apps/configure-admin-consent-workflow.md

Lines changed: 4 additions & 2 deletions
@@ -8,7 +8,7 @@ ms.service: active-directory
88
ms.subservice: app-mgmt
99
ms.workload: identity
1010
ms.topic: how-to
11-
ms.date: 06/10/2022
11+
ms.date: 09/02/2022
1212
ms.author: ergreenl
1313
ms.collection: M365-identity-device-management
1414
ms.custom: contperf-fy22q2
@@ -34,7 +34,7 @@ To configure the admin consent workflow, you need:
3434

3535
To enable the admin consent workflow and choose reviewers:
3636

37-
1. Sign in to the [Azure portal](https://portal.azure.com) with one of the roles listed in the prerequisites.
37+
1. Sign-in to the [Azure portal](https://portal.azure.com) with one of the roles listed in the prerequisites.
3838
1. Search for and select **Azure Active Directory**.
3939
1. Select **Enterprise applications**.
4040
1. Under **Manage**, select **User settings**.
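Review bot: step 1 at new line 37 changes the verb "Sign in" to the hyphenated "Sign-in", which is the noun form. Keep "Sign in to the [Azure portal](https://portal.azure.com)" as it was, which leaves this hunk with no change.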
@@ -58,3 +58,5 @@ To configure the admin consent workflow programmatically, use the [Update adminC
5858
## Next steps
5959

6060
[Grant tenant-wide admin consent to an application](grant-admin-consent.md)
61+
62+
[Reivew admin consent requests](review-admin-consent-requests.md)
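Review bot: the link text added at new line 62 is misspelled; "Reivew" should be "Review". Also confirm that review-admin-consent-requests.md exists in this folder, since the link target is not part of the visible diff.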

articles/active-directory/manage-apps/disable-user-sign-in-portal.md

Lines changed: 8 additions & 4 deletions
@@ -8,15 +8,19 @@ ms.service: active-directory
88
ms.subservice: app-mgmt
99
ms.workload: identity
1010
ms.topic: how-to
11-
ms.date: 09/23/2021
11+
ms.date: 09/06/2022
1212
ms.author: ergreenl
1313
ms.custom: it-pro
1414
ms.collection: M365-identity-device-management
1515
#customer intent: As an admin, I want to disable the way a user signs in for an application so that no user can sign in to it in Azure Active Directory.
1616
---
17-
# Disable how a user signs in for an application
17+
# Disable user sign-in for an application
18+
19+
There may be situations while configuring or managing an application where you don't want tokens to be issued for an application. Or, you may want to preemptively block an application that you do not want your employees to try to access. To accomplish this, you can disable user sign-in for the application, which will prevent all tokens from being issued for that application.
20+
21+
In this article, you will learn how to disable how a user signs in to an application in Azure Active Directory through both the Azure portal and PowerShell. If you are looking for how to block specific users from accessing an application, use [user or group assignment](./assign-user-or-group-access-portal.md).
22+
1823

19-
In this article, you disable how a user signs in to an application in Azure Active Directory.
2024

2125
## Prerequisites
2226

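Review bot: the new H1 at line 17 reads "Disable user sign-in for an application", but the paragraph added at line 21 and the customer-intent comment at line 15 still use the old "disable how a user signs in" wording; align them with the title. The hunk also leaves three consecutive blank lines (new lines 22 to 24) ahead of "## Prerequisites", and the first added paragraph mixes "don't" with "do not".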
@@ -39,7 +43,7 @@ To disable how a user signs in, you need:
3943

4044
Ensure you have installed the AzureAD module (use the command Install-Module -Name AzureAD). In case you are prompted to install a NuGet module or the new Azure Active Directory V2 PowerShell module, type Y and press ENTER.
4145

42-
If you know the AppId of an app that doesn't appear on the Enterprise apps list (for example, because you deleted the app or the service principal hasn't yet been created due to the app being pre-authorized by Microsoft), you can manually create the service principal for the app and then disable it by using [AzureAD PowerShell cmdlet](/powershell/module/azuread/New-AzureADServicePrincipal).
46+
If you know the AppId of an app that doesn't appear on the Enterprise apps list (for example, because you deleted the app or the service principal hasn't yet been created due to the app being pre-authorized by Microsoft), you can manually create the service principal for the app and then disable it by using the cmdlet below.
4347

4448
```PowerShell
4549
# The AppId of the app to be disabled
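Review bot: the rewritten sentence at new line 46 drops the link to /powershell/module/azuread/New-AzureADServicePrincipal and replaces it with "the cmdlet below", which names nothing and depends on page position. Keep the cmdlet name and link in the sentence, for example "by using the [New-AzureADServicePrincipal](/powershell/module/azuread/New-AzureADServicePrincipal) cmdlet, as shown in the following example."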

articles/active-directory/manage-apps/grant-admin-consent.md

Lines changed: 6 additions & 4 deletions
@@ -8,7 +8,7 @@ ms.service: active-directory
88
ms.subservice: app-mgmt
99
ms.workload: identity
1010
ms.topic: how-to
11-
ms.date: 10/23/2021
11+
ms.date: 09/02/2022
1212
ms.author: ergreenl
1313
ms.collection: M365-identity-device-management
1414
ms.custom: contperf-fy22q2
@@ -18,13 +18,15 @@ ms.custom: contperf-fy22q2
1818

1919
# Grant tenant-wide admin consent to an application
2020

21-
In this article, you'll learn how to grant tenant-wide admin consent to an application in Azure Active Directory (Azure AD).
21+
In this article, you'll learn how to grant tenant-wide admin consent to an application in Azure Active Directory (Azure AD). To understand how individual users consent, see [Configure how end-users consent to applications](configure-user-consent.md).
2222

23-
When you grant tenant-wide admin consent to an application, all users can sign in to the app. To restrict which users can sign in to an application, configure the app to require user assignment and then assign users or groups to the application.
23+
When you grant tenant-wide admin consent to an application, you give the application access on behalf of the whole organization to the permissions requested. Granting admin consent on behalf of an organization is a sensitive operation, potentially allowing the application's publisher access to significant portions of your organization's data, or the permission to do highly privileged operations. Examples of such operations might be role management, full access to all mailboxes or all sites, and full user impersonation.
24+
25+
By default, granting tenant-wide admin consent to an application will allow all users to access the application unless otherwise restricted. To restrict which users can sign-in to an application, configure the app to [require user assignment](application-properties.md#assignment-required) and then [assign users or groups to the application](assign-user-or-group-access-portal.md).
2426

2527
Tenant-wide admin consent to an app grants the app and the app's publisher access to your organization's data. Carefully review the permissions that the application is requesting before you grant consent. For more information on consenting to applications, see [Azure Active Directory consent framework](../develop/consent-framework.md).
2628

27-
Granting tenant-wide admin consent may revoke any permissions which had previously been granted tenant-wide. Permissions which have previously been granted by users on their own behalf will not be affected.
29+
Granting tenant-wide admin consent may revoke any permissions which had previously been granted tenant-wide for that application. Permissions which have previously been granted by users on their own behalf will not be affected.
2830

2931
## Prerequisites
3032

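Review bot: the paragraph added at new line 23 and the unchanged paragraph at line 27 now both state that admin consent gives the application and its publisher access to the organization's data; merge them so the warning appears once, next to the instruction to review the requested permissions before consenting. In the added line 25, "sign-in" is used as a verb ("can sign-in to an application") and should be "sign in".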
articles/active-directory/verifiable-credentials/TOC.yml

Lines changed: 5 additions & 3 deletions
@@ -38,11 +38,13 @@
3838
items:
3939
- name: Directory based - Employee
4040
href: how-to-use-quickstart-verifiedemployee.md
41-
- name: ID Token Hint credentials
41+
- name: Id token hint attestation
4242
href: how-to-use-quickstart.md
43-
- name: ID Token credentials
43+
- name: Id token attestation
4444
href: how-to-use-quickstart-idtoken.md
45-
- name: Self Issued credentials
45+
- name: Presentation attestation
46+
href: how-to-use-quickstart-presentation.md
47+
- name: Self issued attestation
4648
href: how-to-use-quickstart-selfissued.md
4749
- name: Use the Verified ID Network
4850
href: how-use-vcnetwork.md
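Review bot: the renamed entries at new lines 41 and 43 lowercase the acronym ("Id token hint attestation", "Id token attestation"), while credential-design.md in this same commit writes "ID token hint". Use "ID" in the TOC names and hyphenate "Self-issued" at line 47. Also confirm that how-to-use-quickstart-presentation.md is added by this commit, since the new entry at lines 45 and 46 points to it and the file is not in the visible diff.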

articles/active-directory/verifiable-credentials/credential-design.md

Lines changed: 1 addition & 1 deletion
@@ -101,7 +101,7 @@ The following four attestation types are currently available to be configured in
101101

102102
* **ID token hint**: The sample App and Tutorial use the ID token Hint. When this option is configured, the relying party app will need to provide claims that should be included in the verifiable credential in the Request Service API issuance request. Where the relying party app gets the claims from is up to the app, but it can come from the current sign-in session, from backend CRM systems or even from self asserted user input. To configure this option, please see this [how to guide](how-to-use-quickstart.md)
103103

104-
* **Verifiable credentials**: The end result of an issuance flow is to produce a verifiable credential but you may also ask the user to Present a verifiable credential in order to issue one. The rules definition is able to take specific claims from the presented verifiable credential and include those claims in the newly issued verifiable credential from your organization.
104+
* **Verifiable credentials**: The end result of an issuance flow is to produce a verifiable credential but you may also ask the user to Present a verifiable credential in order to issue one. The rules definition is able to take specific claims from the presented verifiable credential and include those claims in the newly issued verifiable credential from your organization. To configure this option, please see this [how to guide](how-to-use-quickstart-presentation.md)
105105

106106
* **Self-attested claims**: When this option is selected, the user can type information directly into Authenticator. At this time, strings are the only supported input for self attested claims. To configure this option, please see this [how to guide](how-to-use-quickstart-selfissued.md)
107107

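Review bot: the sentence appended at line 104 links to how-to-use-quickstart-presentation.md, which the TOC in this commit labels "Presentation attestation", while this bullet is headed "Verifiable credentials"; either mention the presentation wording in the bullet or align the two names so readers can connect them. The link text "how to guide" is also non-descriptive, and the added sentence has no closing period.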