Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr

Author: bjspeaks

.openpublishing.redirection.json

@@ -5963,11 +5963,6 @@
             "redirect_url": "/azure/reliability/cross-region-replication-azure",
             "redirect_document_id": true
         },
-        {
-            "source_path_from_root": "/articles/partner-solutions/index.md",
-            "redirect_url": "/azure/partner-solutions/overview",
-            "redirect_document_id": false
-        },
         {
             "source_path_from_root": "/articles/fxt-edge-filer/fxt-add-nodes.md",
             "redirect_url": "/azure/fxt-edge-filer/add-nodes",

articles/active-directory-b2c/microsoft-graph-operations.md

@@ -39,7 +39,7 @@ To use MS Graph API, and interact with resources in your Azure AD B2C tenant, yo
 - [Update a user](/graph/api/user-update)
 - [Delete a user](/graph/api/user-delete)
 
-## User phone number management (beta)
+## User phone number management
 
 A phone number that can be used by a user to sign-in using [SMS or voice calls](sign-in-options.md#phone-sign-in), or [multifactor authentication](multi-factor-authentication.md). For more information, see [Azure AD authentication methods API](/graph/api/resources/phoneauthenticationmethod).
 
@@ -54,9 +54,9 @@ Note, the [list](/graph/api/authentication-list-phonemethods) operation returns
 ![Enable phone sign-in](./media/microsoft-graph-operations/enable-phone-sign-in.png)
 
 > [!NOTE]
-> In the current beta version, this API works only if the phone number is stored with a space between the country code and the phone number. The Azure AD B2C service doesn't currently add this space by default.
+> A correctly represented phone number is stored with a space between the country code and the phone number. The Azure AD B2C service doesn't currently add this space by default.
 
-## Self-service password reset email address (beta)
+## Self-service password reset email address
 
 An email address that can be used by a [username sign-in account](sign-in-options.md#username-sign-in) to reset the password. For more information, see [Azure AD authentication methods API](/graph/api/resources/emailauthenticationmethod).
 
@@ -66,7 +66,7 @@ An email address that can be used by a [username sign-in account](sign-in-option
 - [Update](/graph/api/emailauthenticationmethod-update)
 - [Delete](/graph/api/emailauthenticationmethod-delete)
 
-## Software OATH token authentication method (beta)
+## Software OATH token authentication method
 
  A software OATH token is a software-based number generator that uses the OATH time-based one-time password (TOTP) standard for multifactor authentication via an authenticator app. Use the Microsoft Graph API to manage a software OATH token registered to a user:
 
@@ -78,13 +78,14 @@ An email address that can be used by a [username sign-in account](sign-in-option
 
 Manage the [identity providers](add-identity-provider.md) available to your user flows in your Azure AD B2C tenant.
 
-- [List identity providers registered in the Azure AD B2C tenant](/graph/api/identityprovider-list)
-- [Create an identity provider](/graph/api/identityprovider-post-identityproviders)
-- [Get an identity provider](/graph/api/identityprovider-get)
-- [Update identity provider](/graph/api/identityprovider-update)
-- [Delete an identity provider](/graph/api/identityprovider-delete)
+- [List identity providers available in the Azure AD B2C tenant](/graph/api/identityproviderbase-availableprovidertypes)
+- [List identity providers configured in the Azure AD B2C tenant](/graph/api/iidentitycontainer-list-identityproviders)
+- [Create an identity provider](/graph/api/identitycontainer-post-identityproviders)
+- [Get an identity provider](/graph/api/identityproviderbase-get)
+- [Update identity provider](/graph/api/identityproviderbase-update)
+- [Delete an identity provider](/graph/api/identityproviderbase-delete)
 
-## User flow
+## User flow (beta)
 
 Configure pre-built policies for sign-up, sign-in, combined sign-up and sign-in, password reset, and profile update.
 
@@ -100,7 +101,7 @@ Choose a mechanism for letting users register via local accounts. Local accounts
 - [Get](/graph/api/b2cauthenticationmethodspolicy-get)
 - [Update](/graph/api/b2cauthenticationmethodspolicy-update)
 
-## Custom policies
+## Custom policies (beta)
 
 The following operations allow you to manage your Azure AD B2C Trust Framework policies, known as [custom policies](custom-policy-overview.md).
 
@@ -110,7 +111,7 @@ The following operations allow you to manage your Azure AD B2C Trust Framework p
 - [Update or create trust framework policy.](/graph/api/trustframework-put-trustframeworkpolicy)
 - [Delete an existing trust framework policy](/graph/api/trustframeworkpolicy-delete)
 
-## Policy keys
+## Policy keys (beta)
 
 The Identity Experience Framework stores the secrets referenced in a custom policy to establish trust between components. These secrets can be symmetric or asymmetric keys/values. In the Azure portal, these entities are shown as **Policy keys**.
 
@@ -169,15 +170,16 @@ For more information about accessing Azure AD B2C audit logs, see [Accessing Azu
 
 ## Conditional Access
 
-- [List all of the Conditional Access policies](/graph/api/conditionalaccessroot-list-policies?tabs=http)
+- [List the built-in templates for Conditional Access policy scenarios](/graph/api/conditionalaccessroot-list-templates)
+- [List all of the Conditional Access policies](/graph/api/conditionalaccessroot-list-policies)
 - [Read properties and relationships of a Conditional Access policy](/graph/api/conditionalaccesspolicy-get)
 - [Create a new Conditional Access policy](/graph/api/resources/application)
 - [Update a Conditional Access policy](/graph/api/conditionalaccesspolicy-update)
 - [Delete a Conditional Access policy](/graph/api/conditionalaccesspolicy-delete)
 
 ## Retrieve or restore deleted users and applications
 
-Deleted items can only be restored if they were deleted within the last 30 days.
+Deleted users and apps can only be restored if they were deleted within the last 30 days.
 
 - [List deleted items](/graph/api/directory-deleteditems-list)
 - [Get a deleted item](/graph/api/directory-deleteditems-get)

articles/active-directory/app-provisioning/customize-application-attributes.md

@@ -120,6 +120,9 @@ Applications and systems that support customization of the attribute list includ
 > [!NOTE]
 > Editing the list of supported attributes is only recommended for administrators who have customized the schema of their applications and systems, and have first-hand knowledge of how their custom attributes have been defined or if a source attribute is not automatically displayed in the Azure Portal UI. This sometimes requires familiarity with the APIs and developer tools provided by an application or system. The ability to edit the list of supported attributes is locked down by default, but customers can enable the capability by navigating to the following URL: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true . You can then navigate to your application to view the attribute list as described [above](#editing-the-list-of-supported-attributes). 
 
+> [!NOTE]
+> When a directory extension attribute in Azure AD does not show up automatically in your attribute mapping drop-down, you can manually add it to the "Azure AD attribute list".  When manually adding Azure AD directory extension attributes to your provisioning app, note that directory extension attribute names are case-sensitive. For example: If you have a directory extension attribute named `extension_53c9e2c0exxxxxxxxxxxxxxxx _acneCostCenter`, make sure you enter it in the same format as defined in the directory.     
+
 When editing the list of supported attributes, the following properties are provided:
 
 - **Name** - The system name of the attribute, as defined in the target object's schema.

articles/active-directory/app-provisioning/on-premises-migrate-microsoft-identity-manager.md

@@ -43,13 +43,13 @@ At this point, the MIM Sync server is no longer needed.
 
 ## Import a connector configuration
 
- 1. Install the ECMA Connector host and provisioning agent on a Windows Server, using the [provisioning users into SQL based applications](on-premises-sql-connector-configure.md#download-install-and-configure-the-azure-ad-connect-provisioning-agent-package) or [provisioning users into LDAP directories](on-premises-ldap-connector-configure.md#download-install-and-configure-the-azure-ad-connect-provisioning-agent-package) articles.
+ 1. Install the ECMA Connector host and provisioning agent on a Windows Server, using the [provisioning users into SQL based applications](on-premises-sql-connector-configure.md#3-install-and-configure-the-azure-ad-connect-provisioning-agent) or [provisioning users into LDAP directories](on-premises-ldap-connector-configure.md#download-install-and-configure-the-azure-ad-connect-provisioning-agent-package) articles.
  1. Sign in to the Windows server as the account that the Azure AD ECMA Connector Host runs as.
  1. Change to the directory C:\Program Files\Microsoft ECMA2host\Service\ECMA. Ensure there are one or more DLLs already present in that directory. Those DLLs correspond to Microsoft-delivered connectors.
  1. Copy the MA DLL for your connector, and any of its prerequisite DLLs, to that same ECMA subdirectory of the Service directory.
  1. Change to the directory C:\Program Files\Microsoft ECMA2Host\Wizard. Run the program Microsoft.ECMA2Host.ConfigWizard.exe to set up the ECMA Connector Host configuration.
  1. A new window appears with a list of connectors. By default, no connectors will be present. Select **New connector**.
- 1. Specify the management agent XML file that was exported from MIM Sync earlier. Continue with the configuration and schema-mapping instructions from the section "Create a connector" in either the [provisioning users into SQL based applications](on-premises-sql-connector-configure.md#create-a-generic-sql-connector) or [provisioning users into LDAP directories](on-premises-ldap-connector-configure.md#configure-a-generic-ldap-connector) articles.
+ 1. Specify the management agent XML file that was exported from MIM Sync earlier. Continue with the configuration and schema-mapping instructions from the section "Create a connector" in either the [provisioning users into SQL based applications](on-premises-sql-connector-configure.md#6-create-a-generic-sql-connector) or [provisioning users into LDAP directories](on-premises-ldap-connector-configure.md#configure-a-generic-ldap-connector) articles.
 
 ## Next steps
 

articles/active-directory/authentication/concept-certificate-based-authentication-smartcard.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 10/05/2022
+ms.date: 11/10/2022
 
 ms.author: justinha
 author: vimrang
@@ -77,7 +77,7 @@ The Windows smart card sign-in works with the latest preview build of Windows 11
 
 ## Restrictions and caveats  
 
-- Azure AD CBA is supported on Windows Hybrid or Azure AD Joined.  
+- Azure AD CBA is supported on Windows devices that are hybrid or Azure AD joined.  
 - Users must be in a managed domain or using Staged Rollout and can't use a federated authentication model.
 
 ## Next steps

articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 09/23/2022
+ms.date: 11/10/2022
 
 ms.author: justinha
 author: justinha
@@ -93,7 +93,7 @@ For both modes, users who have previously registered a method that can be used f
 
 ### Interrupt mode
 
-Combined registration adheres to both multifactor authentication and SSPR policies, if both are enabled for your tenant. These policies control whether a user is interrupted for registration during sign-in and which methods are available for registration. If only an SSPR policy is enabled, then users will be able to skip the registration interruption and complete it at a later time.
+Combined registration adheres to both multifactor authentication and SSPR policies, if both are enabled for your tenant. These policies control whether a user is interrupted for registration during sign-in and which methods are available for registration. If only an SSPR policy is enabled, then users will be able to skip (indefinitely) the registration interruption and complete it at a later time.
 
 The following are sample scenarios where users might be prompted to register or refresh their security info:
 

articles/active-directory/authentication/concept-sspr-policy.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 05/04/2022
+ms.date: 11/10/2022
 
 ms.author: justinha
 author: justinha
@@ -51,7 +51,7 @@ The following Azure AD password policy options are defined. Unless noted, you ca
 | Characters allowed |<ul><li>A – Z</li><li>a - z</li><li>0 – 9</li> <li>@ # $ % ^ & * - _ ! + = [ ] { } &#124; \ : ' , . ? / \` ~ " ( ) ; < ></li> <li>blank space</li></ul> |
 | Characters not allowed | Unicode characters. |
 | Password restrictions |<ul><li>A minimum of 8 characters and a maximum of 256 characters.</li><li>Requires three out of four of the following:<ul><li>Lowercase characters.</li><li>Uppercase characters.</li><li>Numbers (0-9).</li><li>Symbols (see the previous password restrictions).</li></ul></li></ul> |
-| Password expiry duration (Maximum password age) |<ul><li>Default value: **90** days.</li><li>The value is configurable by using the `Set-MsolPasswordPolicy` cmdlet from the Azure Active Directory Module for Windows PowerShell.</li></ul> |
+| Password expiry duration (Maximum password age) |<ul><li>Default value: **90** days. If the tenant was created after 2021, it has no default expiration value. You can check current policy with [Get-MsolPasswordPolicy](/powershell/module/msonline/get-msolpasswordpolicy).</li><li>The value is configurable by using the `Set-MsolPasswordPolicy` cmdlet from the Azure Active Directory Module for Windows PowerShell.</li></ul> |
 | Password expiry notification (When users are notified of password expiration) |<ul><li>Default value: **14** days (before password expires).</li><li>The value is configurable by using the `Set-MsolPasswordPolicy` cmdlet.</li></ul> |
 | Password expiry (Let passwords never expire) |<ul><li>Default value: **false** (indicates that password's have an expiration date).</li><li>The value can be configured for individual user accounts by using the `Set-MsolUser` cmdlet.</li></ul> |
 | Password change history | The last password *can't* be used again when the user changes a password. |

articles/active-directory/develop/active-directory-claims-mapping.md

@@ -123,7 +123,7 @@ In this example, you create a policy that emits a custom claim "JoinedData" to J
    1. To create the policy, run the following command:
 
       ```powershell
-      New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema":[{"Source":"user","ID":"extensionattribute1"},{"Source":"transformation","ID":"DataJoin","TransformationId":"JoinTheData","JwtClaimType":"JoinedData"}],"ClaimsTransformations":[{"ID":"JoinTheData","TransformationMethod":"Join","InputClaims":[{"ClaimTypeReferenceId":"extensionattribute1","TransformationClaimType":"string1"}], "InputParameters": [{"ID":"string2","Value":"sandbox"},{"ID":"separator","Value":"."}],"OutputClaims":[{"ClaimTypeReferenceId":"DataJoin","TransformationClaimType":"outputClaim"}]}]}}') -DisplayName "TransformClaimsExample" -Type "ClaimsMappingPolicy"
+      New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema":[{"Source":"user","ID":"extensionattribute1"},{"Source":"transformation","ID":"DataJoin","TransformationId":"JoinTheData","JwtClaimType":"JoinedData"}],"ClaimsTransformation":[{"ID":"JoinTheData","TransformationMethod":"Join","InputClaims":[{"ClaimTypeReferenceId":"extensionattribute1","TransformationClaimType":"string1"}], "InputParameters": [{"ID":"string2","Value":"sandbox"},{"ID":"separator","Value":"."}],"OutputClaims":[{"ClaimTypeReferenceId":"DataJoin","TransformationClaimType":"outputClaim"}]}]}}') -DisplayName "TransformClaimsExample" -Type "ClaimsMappingPolicy"
       ```
 
    2. To see your new policy, and to get the policy ObjectId, run the following command:

articles/active-directory/develop/active-directory-optional-claims.md

@@ -305,9 +305,9 @@ This section covers the configuration options under optional claims for changing
    | **name:** | Must be "groups" |
    | **source:** | Not used. Omit or specify null |
    | **essential:** | Not used. Omit or specify false |
-   | **additionalProperties:** | List of additional properties.  Valid options are "sam_account_name", "dns_domain_and_sam_account_name", "netbios_domain_and_sam_account_name", "emit_as_roles" |
+   | **additionalProperties:** | List of additional properties.  Valid options are "sam_account_name", "dns_domain_and_sam_account_name", "netbios_domain_and_sam_account_name", "emit_as_roles" and “cloud_displayname” |
 
-   In additionalProperties only one of "sam_account_name", "dns_domain_and_sam_account_name", "netbios_domain_and_sam_account_name" are required.  If more than one is present, the first is used and any others ignored.
+   In additionalProperties only one of "sam_account_name", "dns_domain_and_sam_account_name", "netbios_domain_and_sam_account_name" are required.  If more than one is present, the first is used and any others ignored. Additionally you can add “cloud_displayname” to emit display name of the cloud group. Note, that this option works only when `“groupMembershipClaims”` is set to `“ApplicationGroup”`.
 
    Some applications require group information about the user in the role claim.  To change the claim type from a group claim to a role claim, add "emit_as_roles" to additional properties.  The group values will be emitted in the role claim.
 
@@ -366,6 +366,33 @@ This section covers the configuration options under optional claims for changing
         ]
     }
     ```
+3) Emit group names in the format of samAccountName for on-prem synced groups and display name for cloud groups in SAML and OIDC ID Tokens for the groups assigned to the application:
+    
+    **Application manifest entry:**
+
+    ```json
+    "groupMembershipClaims": "ApplicationGroup",
+    "optionalClaims": {
+        "saml2Token": [
+            {
+                "name": "groups",
+                "additionalProperties": [
+                    "sam_account_name",
+                    "cloud_displayname"
+                ]
+            }
+        ],
+        "idToken": [
+            {
+                "name": "groups",
+                "additionalProperties": [
+                    "sam_account_name",
+                    "cloud_displayname"
+                ]
+            }
+        ]
+    }
+    ```
 
 ## Optional claims example
 

articles/active-directory/develop/delegated-and-app-perms.md

@@ -10,7 +10,7 @@ ms.subservice: develop
 ms.custom: aaddev 
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 09/27/2021
+ms.date: 11/10/2022
 ms.author: ryanwi
 ROBOTS: NOINDEX
 ---
@@ -20,6 +20,7 @@ ROBOTS: NOINDEX
 ## Recommended documents
 
 - Learn more about how client applications use [delegated and application permission requests](developer-glossary.md#permissions) to access resources.
+- Learn about [delegated and application permissions](permissions-consent-overview.md).
 - See step-by-step instructions on how to [configure a client application's permission requests](quickstart-configure-app-access-web-apis.md)
 - For more depth, learn how resource applications expose [scopes](developer-glossary.md#scopes) and [application roles](developer-glossary.md#roles) to client applications, which manifest as delegated and application permissions respectively in the Azure portal.