MicrosoftDocs
diff --git a/‎articles/active-directory-b2c/faq.yml
Lines changed: 3 additions & 3 deletions b/‎articles/active-directory-b2c/faq.yml
Lines changed: 3 additions & 3 deletions
diff --git a/‎articles/active-directory/authentication/concept-certificate-based-authentication-smartcard.md
Lines changed: 5 additions & 1 deletion b/‎articles/active-directory/authentication/concept-certificate-based-authentication-smartcard.md
Lines changed: 5 additions & 1 deletion
diff --git a/‎articles/active-directory/cloud-infrastructure-entitlement-management/media/usage-analytics-active-tasks/high-risk-deleted-task.png
440 Bytes b/‎articles/active-directory/cloud-infrastructure-entitlement-management/media/usage-analytics-active-tasks/high-risk-deleted-task.png
440 Bytes
diff --git a/‎articles/active-directory/cloud-infrastructure-entitlement-management/media/usage-analytics-active-tasks/normal-task.png
470 Bytes b/‎articles/active-directory/cloud-infrastructure-entitlement-management/media/usage-analytics-active-tasks/normal-task.png
470 Bytes
diff --git a/‎articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-active-tasks.md
Lines changed: 4 additions & 5 deletions b/‎articles/active-directory/cloud-infrastructure-entitlement-management/usage-analytics-active-tasks.md
Lines changed: 4 additions & 5 deletions
diff --git a/‎articles/active-directory/develop/tutorial-blazor-webassembly.md
Lines changed: 3 additions & 9 deletions b/‎articles/active-directory/develop/tutorial-blazor-webassembly.md
Lines changed: 3 additions & 9 deletions
diff --git a/‎articles/active-directory/fundamentals/service-accounts-principal.md
Lines changed: 64 additions & 57 deletions b/‎articles/active-directory/fundamentals/service-accounts-principal.md
Lines changed: 64 additions & 57 deletions
@@ -3,14 +3,14 @@ metadata:
   title: 'Frequently asked questions (FAQ) for Azure Active Directory B2C'
   description: Answers to frequently asked questions about Azure Active Directory B2C.
   services: active-directory-b2c
-  author: kengaderdus
+  author: garrodonnell
   manager: CelesteDG
 
   ms.service: active-directory
   ms.workload: identity
   ms.topic: faq
-  ms.date: 01/03/2022
-  ms.author: kengaderdus
+  ms.date: 02/09/2023
+  ms.author: godonnell
   ms.subservice: B2C
   ms.custom: "b2c-support"
 title: 'Azure AD B2C: Frequently asked questions (FAQ)'
 
@@ -73,7 +73,11 @@ The Windows smart card sign-in works with the latest preview build of Windows 11
 |&#x2705; | &#x2705; | &#x2705; |&#x2705; |
 
 >[!NOTE] 
->Azure AD CBA supports both certificates on-device as well as external storage like security keys on Windows.
+>Azure AD CBA supports both certificates on-device as well as external storage like security keys on Windows. 
+
+## Windows Out of the box experience (OOBE)
+
+Windows OOBE should allow the user to login using an external smart card reader and authenticate against Azure AD CBA. Windows OOBE by default should have the necessary smart card drivers or the smart card drivers previously added to the Windows image before OOBE setup.
 
 ## Restrictions and caveats  
 
 
@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: ciem
 ms.workload: identity
 ms.topic: how-to
-ms.date: 02/23/2022
+ms.date: 02/08/2023
 ms.author: jfields
 ---
 
@@ -48,11 +48,10 @@ When you select **Active Tasks**, the **Analytics** dashboard provides a high-le
 The **Active Tasks** table displays the results of your query.
 
 - **Task Name**: Provides the name of the task.
-    - To view details about the task, select the down arrow in the table.
+    - To view details about the task, select the down arrow next to the task in the table.
 
-        - A **Normal Task** icon displays to the left of the task name if the task is normal (that is, not risky).
-        - A **Deleted Task** icon displays to the left of the task name if the task involved deleting data.
-        - A **High-Risk Task** icon displays to the left of the task name if the task is high-risk.
+        - An icon (![Image of task icon](media/usage-analytics-active-tasks/normal-task.png)) displays to the left of the task name if the task is a **Normal Task** (that is, not risky).
+        - A highlighted icon (![Image of highlighted task icon](media/usage-analytics-active-tasks/high-risk-deleted-task.png)) displays to the left of the task name if the task involved deleting data &mdash; a **High-Delete Task** &mdash; or if the task is a **High-Risk Task**.
 
 - **Performed on (resources)**: The number of resources on which the task was used.
 
 
@@ -6,7 +6,7 @@ ms.author: henrymbugua
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: tutorial
-ms.date: 12/14/2022
+ms.date: 02/09/2023
 ms.reviewer: janicericketts
 #Customer intent: As a developer, I want to add authentication and authorization to a Blazor WebAssembly app and call Microsoft Graph.
 ---
@@ -40,13 +40,7 @@ Every app that uses Azure AD for authentication must be registered with Azure AD
 
 ## Create the app using the .NET Core CLI
 
-To create the app, you need the latest Blazor templates. You can install them for the .NET Core CLI with the following command:
-
-```dotnetcli
-dotnet new install Microsoft.Identity.Web.ProjectTemplates
-```
-
-Then run the following command to create the application. Replace the placeholders in the command with the proper information from your app's overview page and execute the command in a command shell. The output location specified with the `-o|--output` option creates a project folder if it doesn't exist and becomes part of the app's name.
+To create the application, run the following command. Replace the placeholders in the command with the proper information from your app's overview page and execute the command in a command shell. The output location specified with the `-o|--output` option creates a project folder if it doesn't exist and becomes part of the app's name.
 
 ```dotnetcli
 dotnet new blazorwasm --auth SingleOrg --calls-graph -o {APP NAME} --client-id "{CLIENT ID}" --tenant-id "{TENANT ID}" -f net7.0
@@ -240,5 +234,5 @@ After granting consent, navigate to the "Fetch data" page to read some email.
 
 ## Next steps
 
-> [!div class="nextstepaction"]
+> [!div class="nextstepaction"] 
 > [Microsoft identity platform best practices and recommendations](./identity-platform-integration-checklist.md)
@@ -2,128 +2,135 @@
 title: Securing service principals in Azure Active Directory
 description: Find, assess, and secure service principals.
 services: active-directory
-author: janicericketts
+author: jricketts
 manager: martinco
 ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 11/28/2022
+ms.date: 02/08/2023
 ms.author: jricketts
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"
 ms.collection: M365-identity-device-management
 ---
 
-# Securing service principals 
+# Securing service principals in Azure Active Directory 
 
-An Azure Active Directory (Azure AD) [service principal](../develop/app-objects-and-service-principals.md) is the local representation of an application object in a single tenant or directory. It functions as the identity of the application instance. Service principals define who can access the application, and what resources the application can access. A service principal is created in each tenant where the application is used, and references the globally unique application object. The tenant secures the service principal sign-in and access to resources.  
+An Azure Active Directory (Azure AD) service principals are the local representation of an application object in a tenant or directory. It's the identity of the application instance. Service principals define application access, and resources the application accesses. A service principal is created in each tenant where the application is used, and references the globally unique application object. The tenant secures the service principal sign-in and access to resources. 
+
+Learn more: [Application and service principal objects in Azure AD](../develop/app-objects-and-service-principals.md)
 
 ### Tenant-service principal relationships
 
 A single-tenant application has one service principal in its home tenant. A multi-tenant web application or API requires a service principal in each tenant. A service principal is created when a user from that tenant consents to use of the application or API. This consent creates a one-to-many relationship between the multi-tenant application and its associated service principals.
 
-A multi-tenant application is homed in a single tenant and has instances in other tenants. Most software-as-a-service (SaaS) applications accommodate multi-tenancy. Use service principals to ensure the needed security posture for the application and its users in single-tenant and multi-tenant scenarios.
+A multi-tenant application is homed in a tenant and has instances in other tenants. Most software-as-a-service (SaaS) applications accommodate multi-tenancy. Use service principals to ensure the needed security posture for the application, and its users, in single- and multi-tenant scenarios.
 
 ## ApplicationID and ObjectID
 
-An application instance has two properties: the ApplicationID (also known as ClientID) and the ObjectID.
+An application instance has two properties: the ApplicationID (or ClientID) and the ObjectID.
 
 > [!NOTE] 
-> It's possible the terms application and service principal are used interchangeably when referring to an application in the context of authentication-related tasks. However, they are two representations of applications in Azure AD.
+> The terms **application** and **service principal** are used interchangeably, when referring to an application in authentication tasks. However, they are two representations of applications in Azure AD.
  
-The ApplicationID represents the global application and is the same for application instances across tenants. The ObjectID is a unique value for an application object. As with users, groups, and other resources, the ObjectID helps to identify an application instance in Azure AD.
+The ApplicationID represents the global application and is the same for application instances, across tenants. The ObjectID is a unique value for an application object. As with users, groups, and other resources, the ObjectID helps to identify an application instance in Azure AD.
+
+To learn more, see [Application and service principal relationship](../develop/app-objects-and-service-principals.md)
+
+### Create an application and its service principal object
 
-To learn more, see [Application and service principal relationship](../develop/app-objects-and-service-principals.md).
+You can create an application and its service principal object (ObjectID) in a tenant using:
 
-You can create an application and its service principal object (ObjectID) in a tenant using Azure PowerShell, Azure CLI, Microsoft Graph, the Azure portal, and other tools. 
+* Azure PowerShell
+* Azure command-line interface (CLI)
+* Microsoft Graph
+* The Azure portal
+* Other tools
 
-![Screen shot showing a new application registration, with the Application ID and Object ID fields highlighted.](./media/securing-service-accounts/secure-principal-image-1.png)
+![Screenshot of Application or Client ID and Object ID on the New App page.](./media/securing-service-accounts/secure-principal-image-1.png)
 
 ## Service principal authentication
 
-When using service principals—client certificates and client secrets, there are two mechanisms for authentication. 
+There are two mechanisms for authentication, when using service principals—client certificates and client secrets.
 
-![ Screen shot of New App page showing the Certificates and client secrets areas highlighted.](./media/securing-service-accounts/secure-principal-certificates.png)
+![Screenshot of Certificates and Client secrets under New App, Certificates and secrets.](./media/securing-service-accounts/secure-principal-certificates.png)
 
-Certificates are more secure, therefore use them, if possible. Unlike client secrets, client certificates can't be embedded in code, accidentally. When possible, use Azure Key Vault for certificate and secrets management to encrypt the following assets with keys protected by hardware security modules:
+Because certificates are more secure, it's recommended you use them, when possible. Unlike client secrets, client certificates can't be embedded in code, accidentally. When possible, use Azure Key Vault for certificate and secrets management to encrypt assets with keys protected by hardware security modules:
 
 * Authentication keys
-
 * Storage account keys
-
 * Data encryption keys
-
 * .pfx files
-
 * Passwords 
 
-For more information on Azure Key Vault and how to use it for certificate and secret management, see 
-[About Azure Key Vault](../../key-vault/general/overview.md) and [Assign a Key Vault access policy using the Azure portal](../../key-vault/general/assign-access-policy-portal.md). 
+For more information on Azure Key Vault and how to use it for certificate and secret management, see:
+
+* [About Azure Key Vault](../../key-vault/general/overview.md)
+* [Assign a Key Vault access policy](../../key-vault/general/assign-access-policy.md) 
 
  ### Challenges and mitigations
 
-Use the following table to match challenges and mitigations, when using service principals.
+When using service principals, use the following table to match challenges and mitigations.
 
-| Challenges| Mitigations |
+| Challenge| Mitigation|
 | - | - |
-| Access reviews for service principals assigned to privileged roles| This functionality is in preview, and not widely available |
-| Reviews service principal access| Manual check of resource access control list using the Azure portal |
-| Over-permissioned service principals| When you create automation service accounts or or service principals, provide permissions required for the task. Evaluate service principals to reduce privileges |
-|Identify modifications to service principal credentials or authentication methods |Use the Sensitive Operations Report workbook to mitigate. See also the Tech Community blog post [Azure AD workbook to help you assess Solorigate risk](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718).|
+| Access reviews for service principals assigned to privileged roles| This functionality is in preview |
+| Service principal access reviews| Manual check of resource access control list using the Azure portal |
+| Over-permissioned service principals| When you create automation service accounts, or service principals, grant permissions for the task. Evaluate service principals to reduce privileges. |
+|Identify modifications to service principal credentials or authentication methods | - See, [Sensitive operations report workbook](../reports-monitoring/workbook-sensitive-operations-report.md) </br> - See the Tech Community blog post, [Azure AD workbook to help you assess Solorigate risk](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718)|
 
 ## Find accounts using service principals
 
-Run the following commands to find accounts using service principals with Azure CLI or PowerShell.
-
-Azure CLI:
+To find accounts, run the following commands using service principals with Azure CLI or PowerShell.
 
-`az ad sp list`
+* Azure CLI - `az ad sp list`
+* PowerShell - `Get-AzureADServicePrincipal -All:$true` 
 
-PowerShell:
-
-`Get-AzureADServicePrincipal -All:$true` 
-
-For more information see [Get-AzureADServicePrincipal](/powershell/module/azuread/get-azureadserviceprincipal).
+For more information, see [Get-AzureADServicePrincipal](/powershell/module/azuread/get-azureadserviceprincipal)
 
 ## Assess service principal security
 
-To assess the security of your service principals, ensure you evaluate privileges and credential storage.
-
-Mitigate potential challenges using the following information.
+To assess the security, evaluate privileges and credential storage. Use the following table to help mitigate challenges:
 
-|Challenges | Mitigations|
+|Challenge | Mitigation|
 | - | - |
-| Detect the user who consented to a multi-tenant app, and detect illicit consent grants to a multi-tenant app | Run the following PowerShell to find multi-tenant apps.<br>`Get-AzureADServicePrincipal -All:$true ? {$_.Tags -eq WindowsAzureActiveDirectoryIntegratedApp"}`<br>Disable user consent. <br>Allow user consent from verified publishers, for selected permissions (recommended) <br> Configure them in the user context. Use their tokens to trigger the service principal.|
+| Detect the user who consented to a multi-tenant app, and detect illicit consent grants to a multi-tenant app | - Run the following PowerShell to find multi-tenant apps <br>`Get-AzureADServicePrincipal -All:$true ? {$_.Tags -eq WindowsAzureActiveDirectoryIntegratedApp"}`</br> - Disable user consent </br> - Allow user consent from verified publishers, for selected permissions (recommended) </br> - Configure them in the user context </br> - Use their tokens to trigger the service principal|
 |Use of a hard-coded shared secret in a script using a service principal|Use a certificate|
-|Tracking who uses the certificate or the secret| Monitor the service principal sign-ins using the Azure AD sign-in logs|
-Can't manage service principal sign-in with Conditional Access| Monitor the sign-ins using the Azure AD sign-in logs
-| Contributor is the default Azure role-based access control (RBAC) role|Evaluate needs and apply the role with the least possible permissions|
+|Tracking who uses the certificate or the secret| Monitor the service principal sign-ins using the Azure AD sign-in logs|
+|Can't manage service principal sign-in with Conditional Access| Monitor the sign-ins using the Azure AD sign-in logs
+| Contributor is the default Azure role-based access control (Azure RBAC) role|Evaluate needs and apply the least possible permissions|
 
-## Move from a user account to a service principal  
+Learn more: [What is Conditional Access?](../conditional-access/overview.md)
 
-If you're using an Azure user account as a service principal, evaluate if you can move to a [Managed Identity](../../app-service/overview-managed-identity.md?tabs=dotnet) or a service principal. If you can't use a managed identity, provision a service principal with enough permissions and scope to run the required tasks. You can create a service principal by [registering an application](../develop/howto-create-service-principal-portal.md), or with [PowerShell](../develop/howto-authenticate-service-principal-powershell.md).
+## Move from a user account to a service principal 
 
-When using Microsoft Graph, check the API documentation. See, [Create an Azure service principal](/powershell/azure/create-azure-service-principal-azureps). Ensure the permission type for application is supported.
+If you're using an Azure user account as a service principal, evaluate if you can move to a managed identity or a service principal. If you can't use a managed identity, grant a service principal enough permissions and scope to run the required tasks. You can create a service principal by registering an application, or with PowerShell.
 
-## Next steps
+When using Microsoft Graph, check the API documentation. Ensure the permission type for application is supported. </br>See, [Create servicePrincipal](/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=http&preserve-view=true)
 
-Learn more about service principals:
+Learn more:
 
-[Create a service principal](../develop/howto-create-service-principal-portal.md)
+* [How to use managed identities for App Service and Azure Functions](../../app-service/overview-managed-identity.md?tabs=dotnet)
+* [Create an Azure AD application and service principal that can access resources](../develop/howto-create-service-principal-portal.md)
+* [Use Azure PowerShell to create a service principal with a certificate](../develop/howto-authenticate-service-principal-powershell.md)
 
-[Monitor service principal sign-ins](../reports-monitoring/concept-sign-ins.md)
-
-Learn more about securing service accounts:
+## Next steps
 
-[Introduction to Azure service accounts](service-accounts-introduction-azure.md)
+Learn more about service principals:
 
-[Securing managed identities](service-accounts-managed-identities.md)
+* [Create an Azure AD application and service principal that can access resources](../develop/howto-create-service-principal-portal.md)
+* [Sign-in logs in Azure AD](../reports-monitoring/concept-sign-ins.md)
 
-[Governing Azure service accounts](service-accounts-governing-azure.md)
+Secure service accounts:
 
-[Introduction to on-premises service accounts](service-accounts-on-premises.md)
+* [Securing cloud-based service accounts](service-accounts-introduction-azure.md)
+* [Securing managed identities in Azure AD](service-accounts-managed-identities.md)
+* [Governing Azure AD service accounts](service-accounts-governing-azure.md)
+* [Securing on-premises service accounts](service-accounts-on-premises.md)
 
 Conditional Access:
 
-Use Conditional Access to block service principals from untrusted locations. See, [Create a location-based Conditional Access policy](../conditional-access/workload-identity.md#create-a-location-based-conditional-access-policy).
+Use Conditional Access to block service principals from untrusted locations. 
+
+See, [Conditional Access for workload identities](../conditional-access/workload-identity.md#create-a-location-based-conditional-access-policy)