Merge pull request #240156 from MicrosoftDocs/main

Publish to live, Friday 4 AM PST, 6/2

Author: ttorble

.openpublishing.redirection.azure-monitor.json

@@ -6155,7 +6155,11 @@
             "source_path_from_root": "/articles/azure-monitor/app/opentelemetry-dotnet-exporter.md",
             "redirect_url": "/azure/azure-monitor/app/opentelemetry-enable",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/logs/api/app-insights-azure-ad-api.md",
+            "redirect_url": "/azure/azure-monitor/app/app-insights-azure-ad-api",
+            "redirect_document_id": false
         }
-        
     ]
 }

articles/active-directory-domain-services/template-create-instance.md

@@ -10,7 +10,7 @@ ms.subservice: domain-services
 ms.workload: identity
 ms.custom: devx-track-arm-template
 ms.topic: sample
-ms.date: 01/29/2023
+ms.date: 06/01/2023
 ms.author: justinha 
 ---
 # Create an Azure Active Directory Domain Services managed domain using an Azure Resource Manager template
@@ -67,10 +67,10 @@ First, register the Azure AD Domain Services resource provider using the [Regist
 Register-AzResourceProvider -ProviderNamespace Microsoft.AAD
 ```
 
-Create an Azure AD service principal using the [New-AzureADServicePrincipal][New-AzureADServicePrincipal] cmdlet for Azure AD DS to communicate and authenticate itself. A specific application ID is used named *Domain Controller Services* with an ID of *6ba9a5d4-8456-4118-b521-9c5ca10cdf84*. Don't change this application ID.
+Create an Azure AD service principal using the [New-AzureADServicePrincipal][New-AzureADServicePrincipal] cmdlet for Azure AD DS to communicate and authenticate itself. A specific application ID is used named *Domain Controller Services* with an ID of *2565bd9d-da50-47d4-8b85-4c97f669dc36* for Azure Global. For other Azure clouds, search for AppId value *6ba9a5d4-8456-4118-b521-9c5ca10cdf84*. 
 
 ```powershell
-New-AzureADServicePrincipal -AppId "6ba9a5d4-8456-4118-b521-9c5ca10cdf84"
+New-AzureADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36"
 ```
 
 Now create an Azure AD group named *AAD DC Administrators* using the [New-AzureADGroup][New-AzureADGroup] cmdlet. Users added to this group are then granted permissions to perform administration tasks on the managed domain.

articles/active-directory/authentication/howto-authentication-use-email-signin.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 01/30/2023
+ms.date: 06/01/2023
 
 ms.author: justinha
 author: calui
@@ -135,7 +135,7 @@ Email as an alternate login ID applies to [Azure AD B2B collaboration](../extern
 
 Once users with the *ProxyAddresses* attribute applied are synchronized to Azure AD using Azure AD Connect, you need to enable the feature for users to sign in with email as an alternate login ID for your tenant. This feature tells the Azure AD login servers to not only check the sign-in identifier against UPN values, but also against *ProxyAddresses* values for the email address.
 
-During preview, you currently need *Global Administrator* permissions to enable sign-in with email as an alternate login ID. You can use either Azure portal or PowerShell to set up the feature.
+During preview, you currently need *Global Administrator* permissions to enable sign-in with email as an alternate login ID. You can use either Azure portal or Graph PowerShell to set up the feature.
 
 ### Azure portal
 
@@ -159,7 +159,7 @@ With the policy applied, it can take up to 1 hour to propagate and for users to
 
 Once users with the *ProxyAddresses* attribute applied are synchronized to Azure AD using Azure AD Connect, you need to enable the feature for users to sign-in with email as an alternate login ID for your tenant. This feature tells the Azure AD login servers to not only check the sign-in identifier against UPN values, but also against *ProxyAddresses* values for the email address.
 
-During preview, you can currently only enable email as an alternate login ID using PowerShell or the Microsoft Graph API. You need *Global Administrator* privileges to complete the following steps:
+You need *Global Administrator* privileges to complete the following steps:
 
 1. Open a PowerShell session as an administrator, then install the *Microsoft.Graph* module using the `Install-Module` cmdlet:
 

articles/active-directory/authentication/howto-mfa-reporting.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 10/04/2022
+ms.date: 06/01/2023
 
 ms.author: justinha
 author: justinha
@@ -41,7 +41,7 @@ To view the sign-in activity report in the [Azure portal](https://portal.azure.c
 1. Under *Activity* from the menu on the left-hand side, select **Sign-ins**.
 1. A list of sign-in events is shown, including the status. You can select an event to view more details.
 
-    The **Authentication Details** or **Conditional Access** tab of the event details shows you the status code or which policy triggered the MFA prompt.
+    The **Conditional Access** tab of the event details shows you which policy triggered the MFA prompt.
 
     [![Screenshot of example Azure Active Directory sign-ins report in the Azure portal](media/howto-mfa-reporting/sign-in-report-cropped.png)](media/howto-mfa-reporting/sign-in-report.png#lightbox)
 

articles/active-directory/authentication/howto-mfa-userdevicesettings.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 01/29/2023
+ms.date: 06/01/2023
 
 ms.author: justinha
 author: justinha
@@ -51,7 +51,7 @@ To add authentication methods for a user via the Azure portal:
 > [!NOTE]
 > The preview experience allows administrators to add any available authentication methods for users, while the original experience only allows updating of phone and alternate phone methods.
 
-### Manage methods using PowerShell:  
+### Manage methods using PowerShell
 
 Install the Microsoft.Graph.Identity.Signins PowerShell module using the following commands. 
 
@@ -79,7 +79,7 @@ Remove a specific phone method for a user
 Remove-MgUserAuthenticationPhoneMethod -UserId [email protected] -PhoneAuthenticationMethodId 3179e48a-750b-4051-897c-87b9720928f7
 ```
 
-Authentication methods can also be managed using Microsoft Graph APIs, more information can be found in the document [Azure AD authentication methods API overview](/graph/api/resources/authenticationmethods-overview)
+Authentication methods can also be managed using Microsoft Graph APIs. For more information, see [Authentication and authorization basics](/graph/auth/auth-concepts).
 
 ## Manage user authentication options
 

articles/active-directory/authentication/howto-password-ban-bad-on-premises-deploy.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 03/23/2023
+ms.date: 06/01/2023
 
 ms.author: justinha
 author: justinha
@@ -92,6 +92,7 @@ The following core requirements apply:
     | --- | --- |
     |`https://login.microsoftonline.com`|Authentication requests|
     |`https://enterpriseregistration.windows.net`|Azure AD Password Protection functionality|
+    |`https://autoupdate.msappproxaxy.net` | Azure AD Password Protection auto-upgrade functionality |
 
 > [!NOTE]
 > Some endpoints, such as the CRL endpoint, are not addressed in this article. For a list of all supported endpoints, see [Microsoft 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online).
@@ -164,6 +165,7 @@ Choose one or more servers to host the Azure AD Password Protection proxy servic
 * You can run the Azure AD Password Protection proxy service on a domain controller for testing, but that domain controller then requires internet connectivity. This connectivity can be a security concern. We recommend this configuration for testing only.
 * We recommend at least two Azure AD Password Protection proxy servers per forest for redundancy, as noted in the previous section on [high availability considerations](#high-availability-considerations).
 * It's not supported to run the Azure AD Password Protection proxy service on a read-only domain controller.
+* If necessary, you can remove the proxy service by using **Add or remove programs**. No manual cleanup of the state that the proxy service maintains is needed.
 
 To install the Azure AD Password Protection proxy service, complete the following steps:
 

articles/active-directory/authentication/media/howto-mfa-reporting/sign-in-report.png

@@ -461,8 +461,7 @@
             - name: Customize SAML claims
               href: saml-claims-customization.md
             - name: Set an access token lifetime policy
-              href: configure-token-lifetimes.md
-            
+              href: configure-token-lifetimes.md    
             - name: SAML app multi-instancing
               displayName: Configure SAML app multi-instancing for an application
               href: reference-app-multi-instancing.md
@@ -580,7 +579,9 @@
     - name: Token claims reference
       items:
         - name: Access token
-          href: access-token-claims-reference.md            
+          href: access-token-claims-reference.md
+        - name: ID token
+          href: id-token-claims-reference.md            
         - name: SAML token
           href: reference-saml-tokens.md
     - name: Microsoft Authentication Library (MSAL) reference

articles/active-directory/develop/TOC.yml

@@ -113,7 +113,7 @@ String issuer = account.getClaims().get("iss"); // The tenant specific authority
 ```
 
 > [!TIP]
-> To see a list of claims available from the account object, refer to [claims in an id_token](./id-tokens.md#claims-in-an-id-token)
+> To see a list of claims available from the account object, refer to the [ID token claims reference](./id-token-claims-reference.md).
 
 > [!TIP]
 > To include additional claims in your id_token, refer to the optional claims documentation in [How to: Provide optional claims to your Azure AD app](./active-directory-optional-claims.md)