Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into 2023-may-freshness

Author: barclayn

.whatsnew/.microsoft-identity-platform.json

@@ -7,7 +7,7 @@
         "relativeLinkPrefix": "/azure/active-directory/develop"
     },
     "inclusionCriteria": {
-        "omitPullRequestTitles" : true,
+        "omitPullRequestTitles" : false,
         "minAdditionsToFile" : 20,
         "maxFilesChanged": 50,
         "labels": [

README.md

@@ -1,6 +1,6 @@
 # Microsoft Azure Documentation
 
-Welcome to the open-source [documentation](/azure) of [Microsoft Azure](https://azure.microsoft.com). Please review this README file to understand how you can assist in contributing to the Microsoft Azure documentation.
+Welcome to the open-source [documentation](/azure) of [Microsoft Azure](https://azure.microsoft.com). Please review this README file to understand how you can assist in contributing to the Microsoft Azure documentation. 
 
 ## Getting Started
 

articles/active-directory-domain-services/use-azure-monitor-workbooks.md

@@ -54,7 +54,7 @@ To access the workbook template for the security overview report, complete the f
 1. Select your managed domain, such as *aaddscontoso.com*
 1. From the menu on the left-hand side, choose **Monitoring > Workbooks**
 
-    ![Screenshot that hightlights where to select the Security Overview Report and the Account Activity Report.](./media/use-azure-monitor-workbooks/select-workbooks-in-azure-portal.png)
+    ![Screenshot that highlights where to select the Security Overview Report and the Account Activity Report.](./media/use-azure-monitor-workbooks/select-workbooks-in-azure-portal.png)
 
 1. Choose the **Security Overview Report**.
 1. From the drop-down menus at the top of the workbook, select your Azure subscription and then an Azure Monitor workspace.

articles/active-directory/develop/claims-challenge.md

@@ -34,7 +34,7 @@ Here's an example:
 ```https
 HTTP 401; Unauthorized
 
-www-authenticate =Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsiYWNycyI6eyJlc3NlbnRpYWwiOnRydWUsInZhbHVlIjoiYzEifX19"
+www-authenticate =Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsiYWNycyI6eyJlc3NlbnRpYWwiOnRydWUsInZhbHVlIjoiY3AxIn19fQ=="
 ```
 
  **HTTP Status Code**: Must be **401 Unauthorized**.

articles/active-directory/develop/id-tokens.md

@@ -77,7 +77,7 @@ The table below shows the claims that are in most ID tokens by default (except w
 |`at_hash`| String |The access token hash is included in ID tokens only when the ID token is issued from the `/authorize` endpoint with an OAuth 2.0 access token. It can be used to validate the authenticity of an access token. To understand how to do this validation, see the [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken). This is not returned on ID tokens from the `/token` endpoint. |
 |`aio` | Opaque String | An internal claim used by Azure AD to record data for token reuse. Should be ignored.|
 |`preferred_username` | String |The primary username that represents the user. It could be an email address, phone number, or a generic username without a specified format. Its value is mutable and might change over time. Since it is mutable, this value must not be used to make authorization decisions. It can be used for username hints, however, and in human-readable UI as a username. The `profile` scope is required in order to receive this claim. Present only in v2.0 tokens.|
-|`email` | String | The `email` claim is present by default for guest accounts that have an email address.  Your app can request the email claim for managed users (those from the same tenant as the resource) using the `email` [optional claim](active-directory-optional-claims.md).  On the v2.0 endpoint, your app can also request the `email` OpenID Connect scope - you don't need to request both the optional claim and the scope to get the claim.|
+|`email` | String | The `email` claim is present by default for guest accounts that have an email address.  Your app can request the email claim for managed users (those from the same tenant as the resource) using the `email` [optional claim](active-directory-optional-claims.md). This value isn't guaranteed to be correct and is mutable over time. Never use it for authorization or to save data for a user. If you require an addressable email address in your app, request this data from the user directly by using this claim as a suggestion or prefill in your UX. On the v2.0 endpoint, your app can also request the `email` OpenID Connect scope - you don't need to request both the optional claim and the scope to get the claim.|
 |`name` | String | The `name` claim provides a human-readable value that identifies the subject of the token. The value isn't guaranteed to be unique, it can be changed, and it's designed to be used only for display purposes. The `profile` scope is required to receive this claim. |
 |`nonce`| String | The nonce matches the parameter included in the original /authorize request to the IDP. If it does not match, your application should reject the token. |
 |`oid` | String, a GUID | The immutable identifier for an object in the Microsoft identity system, in this case, a user account. This ID uniquely identifies the user across applications - two different applications signing in the same user will receive the same value in the `oid` claim. The Microsoft Graph will return this ID as the `id` property for a given user account. Because the `oid` allows multiple apps to correlate users, the `profile` scope is required to receive this claim. Note that if a single user exists in multiple tenants, the user will contain a different object ID in each tenant - they're considered different accounts, even though the user logs into each account with the same credentials. The `oid` claim is a GUID and cannot be reused. |

articles/active-directory/develop/msal-android-shared-devices.md

@@ -95,13 +95,10 @@ These Microsoft applications support Azure AD's shared device mode:
 
 - [Microsoft Teams](/microsoftteams/platform/)
 - [Microsoft Managed Home Screen](/mem/intune/apps/app-configuration-managed-home-screen-app) app for Android Enterprise
-- [Microsoft Edge](/microsoft-edge) (in Public Preview)
-- [Outlook](/mem/intune/apps/app-configuration-policies-outlook) (in Public Preview)
-- [Microsoft Power Apps](/power-apps) (in Public Preview)
-- [Yammer](/yammer) (in Public Preview)
-
-> [!IMPORTANT]
-> Public preview is provided without a service-level agreement and isn't recommended for production workloads. Some features might be unsupported or have constrained capabilities. For more information, see [Supplemental terms of use for Microsoft Azure previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+- [Microsoft Edge](/microsoft-edge)
+- [Outlook](/mem/intune/apps/app-configuration-policies-outlook)
+- [Microsoft Power Apps](/power-apps)
+- [Microsoft Viva Engage](/viva/engage/overview) (previously [Yammer](/yammer))
 
 ## Shared device sign-out and the overall app lifecycle
 

articles/active-directory/external-identities/customers/how-to-facebook-federation-customers.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: ciam
 ms.topic: how-to
-ms.date: 04/28/2023
+ms.date: 05/24/2023
 ms.author: mimart
 ms.custom: it-pro
 
@@ -38,17 +38,21 @@ If you don't already have a Facebook account, sign up at [https://www.facebook.c
     1. Enter a URL for the **Terms of Service URL**, for example `https://www.contoso.com/tos`. The policy URL is a page you maintain to provide terms and conditions for your application.
     1. Enter a URL for the **User Data Deletion**, for example `https://www.contoso.com/delete_my_data`. The User Data Deletion URL is a page you maintain to provide away for users to request that their data be deleted.
     1. Choose a **Category**, for example `Business and Pages`. Facebook requires this value, but it's not used for Azure AD.
-2. At the bottom of the page, select **Add Platform**, and then select **Website**.
-3. In **Site URL**, enter the address of your website, for example `https://contoso.com`. 
-4. Select **Save Changes**.
-5. From the menu, select the **plus** sign or **Add Product** link next to **PRODUCTS**. Under the **Add Products to Your App**, select **Set up** under **Facebook Login**.
-6. From the menu, select **Facebook Login**, select **Settings**.
-7. In **Valid OAuth redirect URIs**, enter:
-    - `https://login.microsoftonline.com`
-    -  `https://login.microsoftonline.com/te/<tenant ID>/oauth2/authresp`. Replace the tenant ID with your Azure AD for customers tenant ID. To find your tenant ID, go to the [Microsoft Entra admin center](https://entra.microsoft.com). Under **Azure Active Directory**, select **Overview**. Then select the **Overview** tab and copy the **Tenant ID**.
-    - `https://login.microsoftonline.com/te/<tenant name>.onmicrosoft.com/oauth2/authresp`. Replace the tenant name with your Azure AD for customers tenant name.
-8. Select **Save Changes** at the bottom of the page.
-9. To make your Facebook application available to Azure AD, select the Status selector at the top right of the page and turn it **On** to make the Application public, and then select **Switch Mode**. At this point, the Status should change from **Development** to **Live**. For more information, see [Facebook App Development](https://developers.facebook.com/docs/development/release).
+1. At the bottom of the page, select **Add Platform**, and then select **Website**.
+1. In **Site URL**, enter the address of your website, for example `https://contoso.com`. 
+1. Select **Save Changes**.
+1. From the menu, select the **plus** sign or **Add Product** link next to **PRODUCTS**. Under the **Add Products to Your App**, select **Set up** under **Facebook Login**.
+1. From the menu, select **Facebook Login**, select **Settings**.
+1. In **Valid OAuth redirect URIs**, enter the following URIs, replacing `<tenant-ID>` with your customer tenant ID and `<tenant-name>` with your customer tenant name:
+   - `https://login.microsoftonline.com/te/<tenant-ID>/oauth2/authresp`
+   - `https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oidc/www.facebook.com`
+    - `https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oidc/www.facebook.com`
+    - `https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oauth2`
+    - `https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oauth2`
+   > [!NOTE]
+   > To find your customer tenant ID, go to the [Microsoft Entra admin center](https://entra.microsoft.com). Under **Azure Active Directory**, select **Overview**. Then select the **Overview** tab and copy the **Tenant ID**.
+1. Select **Save Changes** at the bottom of the page.
+1. To make your Facebook application available to Azure AD, select the Status selector at the top right of the page and turn it **On** to make the Application public, and then select **Switch Mode**. At this point, the Status should change from **Development** to **Live**. For more information, see [Facebook App Development](https://developers.facebook.com/docs/development/release).
 
 ## Configure Facebook federation in Azure AD for customers
 

articles/active-directory/external-identities/customers/how-to-google-federation-customers.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: ciam
 ms.topic: how-to
-ms.date: 04/28/2023
+ms.date: 05/24/2023
 ms.author: mimart
 ms.custom: it-pro
 
@@ -31,21 +31,27 @@ To enable sign-in for customers with a Google account, you need to create an app
 1. Under the **Quick access**, or in the left menu, select **APIs & services** and then **OAuth consent screen**.
 1. For the **User Type**, select **External** and then select **Create**.
 1. On the **OAuth consent screen**, under **App information**
-    1. Enter a **Name** for your application.
-    2. Select a **User support email** address.
-1. Under the **Authorized domains** section, select **Add domain**, and then type *microsoftonline.com*.
+   1. Enter a **Name** for your application.
+   1. Select a **User support email** address.
+1. Under the **Authorized domains** section, select **Add domain**, and then add `ciamlogin.com` and `microsoftonline.com`.
 1. In the **Developer contact information** section, enter comma separated emails for Google to notify you about any changes to your project.
 1. Select **Save and Continue**.
 1. From the left menu, select **Credentials**
 1. Select **Create credentials**, and then **OAuth client ID**.
 1. Under **Application type**, select **Web application**.
-    1. Enter a suitable **Name** for your application, such as "Azure AD for customers."
-    1. For the **Authorized redirect URIs**, enter:
-        - `https://login.microsoftonline.com`
-        -  `https://login.microsoftonline.com/te/<tenant ID>/oauth2/authresp`. Replace the tenant ID with your Azure AD for customers tenant ID. To find your tenant ID, go to the [Microsoft Entra admin center](https://entra.microsoft.com). Under **Azure Active Directory**, select **Overview**. Then select the **Overview** tab and copy the **Tenant ID**.
-        - `https://login.microsoftonline.com/te/<tenant name>.onmicrosoft.com/oauth2/authresp`. Replace the tenant name with your Azure AD for customers tenant name.
-1. Select **Create**.
-1. Copy the values of **Client ID** and **Client secret**. You need both values to configure Google as an identity provider in your tenant. **Client secret** is an important security credential.
+   1. Enter a suitable **Name** for your application, such as "Azure AD for customers."
+   1. In **Valid OAuth redirect URIs**, enter the following URIs, replacing `<tenant-ID>` with your customer tenant ID and `<tenant-name>` with your customer tenant name:
+    - `https://login.microsoftonline.com`
+    - `https://login.microsoftonline.com/te/<tenant-ID>/oauth2/authresp`
+    - `https://login.microsoftonline.com/te/<tenant-name>.onmicrosoft.com/oauth2/authresp`
+    - `https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oidc/accounts.google.com`
+    - `https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oidc/accounts.google.com`
+    - `https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oauth2`
+    - `https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oauth2`
+   > [!NOTE]
+   > To find your customer tenant ID, go to the [Microsoft Entra admin center](https://entra.microsoft.com). Under **Azure Active Directory**, select **Overview**. Then select the **Overview** tab and copy the **Tenant ID**.
+2. Select **Create**.
+3. Copy the values of **Client ID** and **Client secret**. You need both values to configure Google as an identity provider in your tenant. **Client secret** is an important security credential.
 
 > [!NOTE]
 > In some cases, your app might require verification by Google (for example, if you update the application logo). For more information, check out the [Google's verification status guid](https://support.google.com/cloud/answer/10311615#verification-status).

articles/active-directory/fundamentals/how-to-manage-user-profile-info.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: how-to
-ms.date: 03/28/2023
+ms.date: 05/24/2023
 ms.author: sarahlipsey
 ms.reviewer: jeffsta
 ms.collection: M365-identity-device-management
@@ -78,13 +78,18 @@ In the **User settings** area of Azure AD, you can adjust several settings that
 
 Go to **Azure AD** > **User settings**. 
 
-![Screenshot of the Azure AD user settings options.](media/how-to-manage-user-profile-info/user-settings-options.png)
+[ ![Screenshot of the Azure AD user settings options.](media/how-to-manage-user-profile-info/user-settings.png) ](media/how-to-manage-user-profile-info/user-settings.png#lightbox)
 
 The following settings can be managed from Azure AD **User settings**.
 
-- Manage how end users launch and view their applications
 - Allow users to register their own applications
-- [Prevent non-admins from creating their own tenants](users-default-permissions.md#restrict-member-users-default-permissions)
+- Prevent non-admins from creating their own tenants
+    - For more information, see [default user permissions](users-default-permissions.md#restrict-member-users-default-permissions)
+- Allow users to create security groups
+- Guest user access restrictions
+    - Guest users have the same access as members (most inclusive)
+    - Guest users have limited access to properties and memberships of directory objects
+    - Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)
 - Restrict access to the Azure AD administration portal
 - [Allow users to connect their work or school account with LinkedIn](../enterprise-users/linkedin-user-consent.md)
 - [Enable the "Stay signed in?" prompt](how-to-manage-stay-signed-in-prompt.md)
@@ -94,6 +99,8 @@ The following settings can be managed from Azure AD **User settings**.
     - [External user leave settings](../external-identities/self-service-sign-up-user-flow.md#enable-self-service-sign-up-for-your-tenant)
     - Collaboration restrictions
 - Manage user feature settings
+    - Users can use preview features for My Apps
+    - Administrators can access My Staff
 
 ## Next steps