MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 5 additions & 0 deletions b/‎.openpublishing.redirection.json
Lines changed: 5 additions & 0 deletions
diff --git a/‎articles/active-directory/authentication/concept-authentication-passwordless.md
Lines changed: 2 additions & 0 deletions b/‎articles/active-directory/authentication/concept-authentication-passwordless.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/active-directory/authentication/concept-fido2-hardware-vendor.md
Lines changed: 2 additions & 0 deletions b/‎articles/active-directory/authentication/concept-fido2-hardware-vendor.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/active-directory/conditional-access/workload-identity.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/conditional-access/workload-identity.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/develop/quickstart-daemon-app-java-acquire-token.md
Lines changed: 13 additions & 26 deletions b/‎articles/active-directory/develop/quickstart-daemon-app-java-acquire-token.md
Lines changed: 13 additions & 26 deletions
diff --git a/‎articles/active-directory/develop/quickstart-single-page-app-javascript-sign-in.md
Lines changed: 11 additions & 24 deletions b/‎articles/active-directory/develop/quickstart-single-page-app-javascript-sign-in.md
Lines changed: 11 additions & 24 deletions
diff --git a/‎articles/active-directory/develop/reference-error-codes.md
Lines changed: 1 addition & 0 deletions b/‎articles/active-directory/develop/reference-error-codes.md
Lines changed: 1 addition & 0 deletions
@@ -1775,6 +1775,11 @@
             "redirect_url": "/azure/site-recovery/failover-failback-overview-modernized",
             "redirect_document_id": false
         },
+        {
+            "source_path": "articles/site-recovery/vmware-physical-secondary-support-matrix.md",
+            "redirect_url": "/azure/site-recovery/vmware-physical-secondary-architecture",
+            "redirect_document_id": false
+        },
         {
             "source_path": "articles/site-recovery/switch-replication-appliance-preview.md",
             "redirect_url": "/azure/site-recovery/switch-replication-appliance-modernized",
 
@@ -122,6 +122,7 @@ The following providers offer FIDO2 security keys of different form factors that
 | [Feitian](https://shop.ftsafe.us/pages/microsoft) | ![y] | ![y]| ![y]| ![y]| ![y] |
 | [Fortinet](https://www.fortinet.com/) | ![n] | ![y]| ![n]| ![n]| ![n] |
 | [Giesecke + Devrient (G+D)](https://www.gi-de.com/en/identities/enterprise-security/hardware-based-authentication) | ![y] | ![y]| ![y]| ![y]| ![n] |
+| [Google](https://store.google.com/us/product/titan_security_key) | ![n] | ![y]| ![y]| ![n]| ![n] |
 | [GoTrustID Inc.](https://www.gotrustid.com/idem-key) | ![n] | ![y]| ![y]| ![y]| ![n] |
 | [HID](https://www.hidglobal.com/products/crescendo-key) | ![n] | ![y]| ![y]| ![n]| ![n] |
 | [HIDEEZ](https://hideez.com/products/hideez-key-4) | ![n] | ![y]| ![y]| ![y]| ![n] |
@@ -135,6 +136,7 @@ The following providers offer FIDO2 security keys of different form factors that
 | [Nymi](https://www.nymi.com/nymi-band) | ![y] | ![n]| ![y]| ![n]| ![n] |
 | [Octatco](https://octatco.com/) | ![y] | ![y]| ![n]| ![n]| ![n] |
 | [OneSpan Inc.](https://www.onespan.com/products/fido) | ![n] | ![y]| ![n]| ![y]| ![n] |
+| [PONE Biometrics](https://ponebiometrics.com/) | ![n] | ![n]| ![n]| ![y]| ![n] |
 | [Precision Biometric](https://www.innait.com/product/fido/) | ![n] | ![y]| ![n]| ![n]| ![n] |
 | [RSA](https://www.rsa.com/products/securid/) | ![n] | ![y]| ![n]| ![n]| ![n] |
 | [Sentry](https://sentryenterprises.com/) | ![n] | ![n]| ![y]| ![n]| ![n] |
 
@@ -43,6 +43,7 @@ The following table lists partners who are Microsoft-compatible FIDO2 security k
 | [Feitian](https://shop.ftsafe.us/pages/microsoft) | ![y] | ![y]| ![y]| ![y]| ![y] |
 | [Fortinet](https://www.fortinet.com/) | ![n] | ![y]| ![n]| ![n]| ![n] |
 | [Giesecke + Devrient (G+D)](https://www.gi-de.com/en/identities/enterprise-security/hardware-based-authentication) | ![y] | ![y]| ![y]| ![y]| ![n] |
+| [Google](https://store.google.com/us/product/titan_security_key) | ![n] | ![y]| ![y]| ![n]| ![n] |
 | [GoTrustID Inc.](https://www.gotrustid.com/idem-key) | ![n] | ![y]| ![y]| ![y]| ![n] |
 | [HID](https://www.hidglobal.com/products/crescendo-key) | ![n] | ![y]| ![y]| ![n]| ![n] |
 | [HIDEEZ](https://hideez.com/products/hideez-key-4) | ![n] | ![y]| ![y]| ![y]| ![n] |
@@ -56,6 +57,7 @@ The following table lists partners who are Microsoft-compatible FIDO2 security k
 | [Nymi](https://www.nymi.com/nymi-band) | ![y] | ![n]| ![y]| ![n]| ![n] |
 | [Octatco](https://octatco.com/) | ![y] | ![y]| ![n]| ![n]| ![n] |
 | [OneSpan Inc.](https://www.onespan.com/products/fido) | ![n] | ![y]| ![n]| ![y]| ![n] |
+| [PONE Biometrics](https://ponebiometrics.com/) | ![n] | ![n]| ![n]| ![y]| ![n] |
 | [Precision Biometric](https://www.innait.com/product/fido/) | ![n] | ![y]| ![n]| ![n]| ![n] |
 | [RSA](https://www.rsa.com/products/securid/) | ![n] | ![y]| ![n]| ![n]| ![n] |
 | [Sentry](https://sentryenterprises.com/) | ![n] | ![n]| ![y]| ![n]| ![n] |
 
@@ -73,7 +73,7 @@ Create a risk-based Conditional Access policy that applies to service principals
    1. Set the **Configure** toggle to **Yes**.
    1. Select the levels of risk where you want this policy to trigger.
    1. Select **Done**.
-1. Under **Grant**, **Block access** is the only available option. Access is blocked when a token request is made from outside the allowed range.
+1. Under **Grant**, **Block access** is the only available option. Access is blocked when the specified risk levels are seen.
 1. Your policy can be saved in **Report-only** mode, allowing administrators to estimate the effects, or policy is enforced by turning policy **On**.
 1. Select **Create** to complete your policy.
 
 
@@ -28,25 +28,12 @@ To run this sample, you need:
 - [Java Development Kit (JDK)](https://openjdk.java.net/) 8 or greater
 - [Maven](https://maven.apache.org/)
 
-
 ## Register and download your quickstart app
 
-You have two options to start your quickstart application: Express (Option 1 below), and Manual (Option 2)
-
-### Option 1: Register and auto configure your app and then download your code sample
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer).
-1. Browse to **Identity** > **Applications** > **App registrations**.
-1. Select **New registration**.
-1. Enter a name for your application and select **Register**.
-1. Follow the instructions to download and automatically configure your new application with just one click.
-
-### Option 2: Register and manually configure your application and code sample
-
-#### Step 1: Register your application
-
 [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
 
+### Step 1: Register the application
+
 To register your application and add the app's registration information to your solution manually, follow these steps:
 
 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer).
@@ -61,10 +48,10 @@ To register your application and add the app's registration information to your
 1. Select **Application permissions**.
 1. Under **User** node, select **User.Read.All**, then select **Add permissions**.
 
-#### Step 2: Download the Java project
+### Step 2: Download the Java project
 [Download the Java daemon project](https://github.com/Azure-Samples/ms-identity-java-daemon/archive/master.zip)
 
-#### Step 3: Configure the Java project
+### Step 3: Configure the Java project
 
 1. Extract the zip file to a local folder close to the root of the disk, for example, *C:\Azure-Samples*.
 1. Navigate to the sub folder **msal-client-credential-secret**.
@@ -81,18 +68,18 @@ To register your application and add the app's registration information to your
    - `Enter_the_Client_Secret_Here` - replace this value with the client secret created on step 1.
 
 >[!TIP]
->To find the values of **Application (client) ID**, **Directory (tenant) ID**, go to the app's **Overview** page in the Azure portal. To generate a new key, go to **Certificates & secrets** page.
+>To find the values of **Application (client) ID**, **Directory (tenant) ID**, go to the app's **Overview** page. To generate a new key, go to **Certificates & secrets** page.
 
-#### Step 4: Admin consent
+### Step 4: Admin consent
 
 If you try to run the application at this point, you'll receive *HTTP 403 - Forbidden* error: `Insufficient privileges to complete the operation`. This error happens because any *app-only permission* requires Admin consent: a global administrator of your directory must give consent to your application. Select one of the options below depending on your role:
 
-##### Global tenant administrator
+#### Global tenant administrator
 
 
-If you are a global tenant administrator, go to **API Permissions** page in **App registrations** in the Azure portal and select **Grant admin consent for {Tenant Name}** (Where {Tenant Name} is the name of your directory).
+If you are a global tenant administrator, go to **API Permissions** page in **App registrations** and select **Grant admin consent for {Tenant Name}** (Where {Tenant Name} is the name of your directory).
 
-##### Standard user
+#### Standard user
 
 If you're a standard user of your tenant, then you need to ask a global administrator to grant admin consent for your application. To do this, give the following URL to your administrator:
 
@@ -105,7 +92,7 @@ https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_i
  * `Enter_the_Application_Id_Here` - is the **Application (client) ID** for the application you registered.
 
 
-#### Step 5: Run the application
+### Step 5: Run the application
 
 You can test the sample directly by running the main method of ClientCredentialGrant.java from your IDE.
 
@@ -172,8 +159,8 @@ ConfidentialClientApplication cca =
 
 | Where: |Description |
 |---------|---------|
-| `CLIENT_SECRET` | Is the client secret created for the application in Azure portal. |
-| `CLIENT_ID` | Is the **Application (client) ID** for the application registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal. |
+| `CLIENT_SECRET` | Is the client secret created for the application. |
+| `CLIENT_ID` | Is the **Application (client) ID** for the registered application. You can find this value in the app's **Overview** page. |
 | `AUTHORITY`    | The STS endpoint for user to authenticate. Usually `https://login.microsoftonline.com/{tenant}` for public cloud, where {tenant} is the name of your tenant or your tenant ID.|
 
 ### Requesting tokens
@@ -212,7 +199,7 @@ IAuthenticationResult result;
 
 |Where:| Description |
 |---------|---------|
-| `SCOPE` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure portal (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom web APIs, `{Application ID URI}` is defined under the **Expose an API** section in **App registrations** in the Azure portal.|
+| `SCOPE` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom web APIs, `{Application ID URI}` is defined under the **Expose an API** section in **App registrations**.|
 
 [!INCLUDE [Help and support](includes/error-handling-and-tips/help-support-include.md)]
 
 
@@ -33,24 +33,12 @@ See [How the sample works](#how-the-sample-works) for an illustration.
 
 [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
 
-To start your quickstart application, use either of the following options.
+### Step 1: Register your application
 
-### Option 1 (Express): Register and auto configure your app and then download your code sample
-
-1. Go to the [Azure portal - App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/AngularSpaQuickstartPage/sourceType/docs) quickstart experience.
-1. Enter a name for your application.
-1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**.
-1. Select **Register**.
-1. Go to the quickstart pane and follow the instructions to download and automatically configure your new application.
-
-### Option 2 (Manual): Register and manually configure your application and code sample
-
-#### Step 1: Register your application
-
-1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
-1. Search for and select **Azure Active Directory**.
-1. Under **Manage**, select **App registrations** > **New registration**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](../roles/permissions-reference.md#application-developer).
+1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application.
+1. Browse to **Identity** > **Applications** > **Application registrations**.
+1. Select **New registration**.
 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later.
 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**.
 1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use.
@@ -59,12 +47,11 @@ To start your quickstart application, use either of the following options.
 1. Set the **Redirect URI** value to `http://localhost:3000/`.
 1. Select **Configure**.
 
-#### Step 2: Download the project
+### Step 2: Download the project
 
 To run the project with a web server by using Node.js, [download the core project files](https://github.com/Azure-Samples/ms-identity-javascript-v2/archive/master.zip).
 
-
-#### Step 3: Configure your JavaScript app
+### Step 3: Configure your JavaScript app
 
 In the *app* folder, open the *authConfig.js* file, and then update the `clientID`, `authority`, and `redirectUri` values in the `msalConfig` object.
 
@@ -87,17 +74,17 @@ Modify the values in the `msalConfig` section:
 
 - `Enter_the_Application_Id_Here` is the **Application (client) ID** for the application you registered.
 
-   To find the value of **Application (client) ID**, go to the app registration's **Overview** page in the Azure portal.
+   To find the value of **Application (client) ID**, go to the app registration's **Overview** page.
 - `Enter_the_Cloud_Instance_Id_Here` is the Azure cloud instance. For the main or global Azure cloud, enter `https://login.microsoftonline.com`. For **national** clouds (for example, China), see [National clouds](authentication-national-cloud.md).
 - `Enter_the_Tenant_info_here` is one of the following:
   - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`.
 
-   To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page in the Azure portal.
+   To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page.
   - If your application supports *accounts in any organizational directory*, replace this value with `organizations`.
   - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`. **For this quickstart**, use `common`.
   - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`.
 
-   To find the value of **Supported account types**, go to the app registration's **Overview** page in the Azure portal.
+   To find the value of **Supported account types**, go to the app registration's **Overview** page.
 - `Enter_the_Redirect_Uri_Here` is `http://localhost:3000/`.
 
 The `authority` value in your *authConfig.js* should be similar to the following if you're using the main (global) Azure cloud:
@@ -130,7 +117,7 @@ graphMeEndpoint: "https://graph.microsoft.com/v1.0/me",
 graphMailEndpoint: "https://graph.microsoft.com/v1.0/me/messages"
 ```
 
-#### Step 4: Run the project
+### Step 4: Run the project
 
 Run the project with a web server by using Node.js.
 
 
@@ -111,6 +111,7 @@ The `error` field has several possible values - review the protocol documentatio
 | AADSTS50015 | ViralUserLegalAgeConsentRequiredState - The user requires legal age group consent. |
 | AADSTS50017 | CertificateValidationFailed - Certification validation failed, reasons for the following reasons:<ul><li>Cannot find issuing certificate in trusted certificates list</li><li>Unable to find expected CrlSegment</li><li>Cannot find issuing certificate in trusted certificates list</li><li>Delta CRL distribution point is configured without a corresponding CRL distribution point</li><li>Unable to retrieve valid CRL segments because of a timeout issue</li><li>Unable to download CRL</li></ul>Contact the tenant admin. |
 | AADSTS50020 | UserUnauthorized - Users are unauthorized to call this endpoint. User account '{email}' from identity provider '{idp}' does not exist in tenant '{tenant}' and cannot access the application '{appid}'({appName}) in that tenant. This account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. If this user should be a member of the tenant, they should be invited via the [B2B system](/azure/active-directory/b2b/add-users-administrator). For additional information, visit [AADSTS50020](/troubleshoot/azure/active-directory/error-code-aadsts50020-user-account-identity-provider-does-not-exist). |
+| AADSTS500208 | The domain is not a valid login domain for the account type - This situation occurs when the user's account does not match the expected account type for the given tenant.. For instance, if the tenant is configured to allow only work or school accounts, and the user tries to sign in with a personal Microsoft account, they will receive this error.
 | AADSTS500212 | NotAllowedByOutboundPolicyTenant - The user's administrator has set an outbound access policy that doesn't allow access to the resource tenant. |
 | AADSTS500213 | NotAllowedByInboundPolicyTenant - The resource tenant's cross-tenant access policy doesn't allow this user to access this tenant. |
 | AADSTS50027 | InvalidJwtToken - Invalid JWT token because of the following reasons:<ul><li>doesn't contain nonce claim, sub claim</li><li>subject identifier mismatch</li><li>duplicate claim in idToken claims</li><li>unexpected issuer</li><li>unexpected audience</li><li>not within its valid time range </li><li>token format isn't proper</li><li>External ID token from issuer failed signature verification.</li></ul> |