Merge pull request #112952 from mmacy/msid-adal-tracking-metadata

[msid] ms.custom: has-adal-ref

Author: megvanhuygen

articles/active-directory/authentication/active-directory-certificate-based-authentication-get-started.md

@@ -14,6 +14,7 @@ manager: daveba
 ms.reviewer: annaba
 
 ms.collection: M365-identity-device-management
+ms.custom: has-adal-ref
 ---
 # Get started with certificate-based authentication in Azure Active Directory
 
@@ -42,7 +43,7 @@ To configure certificate-based authentication, the following statements must be
 - A client certificate for client authentication must have been issued to your client.
 
 >[!IMPORTANT]
->The maximum size of a CRL for Azure Active Directory to successfully download and cache is 20MB, and the time required to download the CRL must not exceed 10 seconds.  If Azure Active Directory can't download a CRL, certificate based authentications using certificates issued by the corresponding CA will fail. Best practices to ensure CRL files are within size constraints are to keep certificate lifetimes to within reasonable limits and to clean up expired certificates. 
+>The maximum size of a CRL for Azure Active Directory to successfully download and cache is 20MB, and the time required to download the CRL must not exceed 10 seconds.  If Azure Active Directory can't download a CRL, certificate based authentications using certificates issued by the corresponding CA will fail. Best practices to ensure CRL files are within size constraints are to keep certificate lifetimes to within reasonable limits and to clean up expired certificates.
 
 ## Step 1: Select your device platform
 

articles/active-directory/authentication/howto-mfa-nps-extension-errors.md

@@ -14,6 +14,7 @@ manager: daveba
 ms.reviewer: michmcla
 
 ms.collection: M365-identity-device-management
+ms.custom: has-adal-ref
 ---
 # Resolve error messages from the NPS extension for Azure Multi-Factor Authentication
 
@@ -63,9 +64,9 @@ If you encounter errors with the NPS extension for Azure Multi-Factor Authentica
 
 Sometimes, your users may get messages from Multi-Factor Authentication because their authentication request failed. These aren't errors in the product of configuration, but are intentional warnings explaining why an authentication request was denied.
 
-| Error code | Error message | Recommended steps | 
+| Error code | Error message | Recommended steps |
 | ---------- | ------------- | ----------------- |
-| **OathCodeIncorrect** | Wrong code entered\OATH Code Incorrect | The user entered the wrong code. Have them try again by requesting a new code or signing in again. | 
+| **OathCodeIncorrect** | Wrong code entered\OATH Code Incorrect | The user entered the wrong code. Have them try again by requesting a new code or signing in again. |
 | **SMSAuthFailedMaxAllowedCodeRetryReached** | Maximum allowed code retry reached | The user failed the verification challenge too many times. Depending on your settings, they may need to be unblocked by an admin now.  |
 | **SMSAuthFailedWrongCodeEntered** | Wrong code entered/Text Message OTP Incorrect | The user entered the wrong code. Have them try again by requesting a new code or signing in again. |
 

articles/active-directory/b2b/code-samples.md

@@ -12,7 +12,7 @@ ms.author: mimart
 author: msmimart
 manager: celestedg
 ms.reviewer: elisolMS
-ms.custom: "it-pro, seo-update-azuread-jan"
+ms.custom: it-pro, seo-update-azuread-jan, has-adal-ref
 ms.collection: M365-identity-device-management
 ---
 
@@ -23,7 +23,7 @@ You can bulk-invite external users to an organization from email addresses that
 
 1. Prepare the .CSV file
    Create a new CSV file and name it invitations.csv. In this example, the file is saved in C:\data, and contains the following information:
-  
+
    Name                  |  InvitedUserEmailAddress
    --------------------- | --------------------------
    Gmail B2B Invitee     | [email protected]
@@ -72,44 +72,44 @@ namespace SampleInviteApp
         /// Microsoft Graph resource.
         /// </summary>
         static readonly string GraphResource = "https://graph.microsoft.com";
- 
+
         /// <summary>
         /// Microsoft Graph invite endpoint.
         /// </summary>
         static readonly string InviteEndPoint = "https://graph.microsoft.com/v1.0/invitations";
- 
+
         /// <summary>
         ///  Authentication endpoint to get token.
         /// </summary>
         static readonly string EstsLoginEndpoint = "https://login.microsoftonline.com";
- 
+
         /// <summary>
         /// This is the tenantid of the tenant you want to invite users to.
         /// </summary>
         private static readonly string TenantID = "";
- 
+
         /// <summary>
         /// This is the application id of the application that is registered in the above tenant.
         /// The required scopes are available in the below link.
         /// https://developer.microsoft.com/graph/docs/api-reference/v1.0/api/invitation_post
         /// </summary>
         private static readonly string TestAppClientId = "";
- 
+
         /// <summary>
         /// Client secret of the application.
         /// </summary>
         private static readonly string TestAppClientSecret = @"";
- 
+
         /// <summary>
         /// This is the email address of the user you want to invite.
         /// </summary>
         private static readonly string InvitedUserEmailAddress = @"";
- 
+
         /// <summary>
         /// This is the display name of the user you want to invite.
         /// </summary>
         private static readonly string InvitedUserDisplayName = @"";
- 
+
         /// <summary>
         /// Main method.
         /// </summary>
@@ -119,7 +119,7 @@ namespace SampleInviteApp
             Invitation invitation = CreateInvitation();
             SendInvitation(invitation);
         }
- 
+
         /// <summary>
         /// Create the invitation object.
         /// </summary>
@@ -134,25 +134,25 @@ namespace SampleInviteApp
             invitation.SendInvitationMessage = true;
             return invitation;
         }
- 
+
         /// <summary>
         /// Send the guest user invite request.
         /// </summary>
         /// <param name="invitation">Invitation object.</param>
         private static void SendInvitation(Invitation invitation)
         {
             string accessToken = GetAccessToken();
- 
+
             HttpClient httpClient = GetHttpClient(accessToken);
- 
-            // Make the invite call. 
+
+            // Make the invite call.
             HttpContent content = new StringContent(JsonConvert.SerializeObject(invitation));
             content.Headers.Add("ContentType", "application/json");
             var postResponse = httpClient.PostAsync(InviteEndPoint, content).Result;
             string serverResponse = postResponse.Content.ReadAsStringAsync().Result;
             Console.WriteLine(serverResponse);
         }
- 
+
         /// <summary>
         /// Get the HTTP client.
         /// </summary>
@@ -170,15 +170,15 @@ namespace SampleInviteApp
                 httpClient.DefaultRequestHeaders.GetValues("client-request-id").Single());
             return httpClient;
         }
- 
+
         /// <summary>
         /// Get the access token for our application to talk to Microsoft Graph.
         /// </summary>
         /// <returns>Returns the access token for our application to talk to Microsoft Graph.</returns>
         private static string GetAccessToken()
         {
             string accessToken = null;
- 
+
             // Get the access token for our application to talk to Microsoft Graph.
             try
             {
@@ -194,10 +194,10 @@ namespace SampleInviteApp
                 Console.WriteLine("An exception was thrown while fetching the token: {0}.", ex);
                 throw;
             }
- 
+
             return accessToken;
         }
- 
+
         /// <summary>
         /// Invitation class.
         /// </summary>
@@ -207,17 +207,17 @@ namespace SampleInviteApp
             /// Gets or sets display name.
             /// </summary>
             public string InvitedUserDisplayName { get; set; }
- 
+
             /// <summary>
             /// Gets or sets display name.
             /// </summary>
             public string InvitedUserEmailAddress { get; set; }
- 
+
             /// <summary>
             /// Gets or sets a value indicating whether Invitation Manager should send the email to InvitedUser.
             /// </summary>
             public bool SendInvitationMessage { get; set; }
- 
+
             /// <summary>
             /// Gets or sets invitation redirect URL
             /// </summary>
@@ -231,4 +231,3 @@ namespace SampleInviteApp
 ## Next steps
 
 - [What is Azure AD B2B collaboration?](what-is-b2b.md)
-

articles/active-directory/develop/consent-framework.md

@@ -1,5 +1,5 @@
 ---
-title: Azure AD consent framework 
+title: Azure AD consent framework
 titleSuffix: Microsoft identity platform
 description: Learn about the consent framework in Azure Active Directory and how it makes it easy to develop multi-tenant web and native client applications.
 services: active-directory
@@ -13,7 +13,7 @@ ms.workload: identity
 ms.date: 11/30/2018
 ms.author: ryanwi
 ms.reviewer: zachowd, lenalepa, jesakowi
-ms.custom: aaddev
+ms.custom: aaddev, has-adal-ref
 ---
 
 # Azure Active Directory consent framework

articles/active-directory/devices/troubleshoot-hybrid-join-windows-current.md

@@ -16,8 +16,9 @@ ms.reviewer: jairoc
 #Customer intent: As an IT admin, I want to fix issues with my hybrid Azure AD joined devices so that my users can use this feature.
 
 ms.collection: M365-identity-device-management
+ms.custom: has-adal-ref
 ---
-# Troubleshooting hybrid Azure Active Directory joined devices 
+# Troubleshooting hybrid Azure Active Directory joined devices
 
 The content of this article is applicable to devices running Windows 10 or Windows Server 2016.
 
@@ -29,13 +30,13 @@ This article assumes that you have [configured hybrid Azure Active Directory joi
 - [Enterprise roaming of settings](../active-directory-windows-enterprise-state-roaming-overview.md)
 - [Windows Hello for Business](../active-directory-azureadjoin-passport-deployment.md)
 
-This document provides troubleshooting guidance to resolve potential issues. 
+This document provides troubleshooting guidance to resolve potential issues.
 
 For Windows 10 and Windows Server 2016, hybrid Azure Active Directory join supports the Windows 10 November 2015 Update and above.
 
 ## Troubleshoot join failures
 
-### Step 1: Retrieve the join status 
+### Step 1: Retrieve the join status
 
 **To retrieve the join status:**
 
@@ -87,22 +88,22 @@ WamDefaultAuthority: organizations
          AzureAdPrt: YES
 ```
 
-### Step 2: Evaluate the join status 
+### Step 2: Evaluate the join status
 
 Review the following fields and make sure that they have the expected values:
 
-#### DomainJoined : YES  
+#### DomainJoined : YES
 
-This field indicates whether the device is joined to an on-premises Active Directory or not. If the value is **NO**, the device cannot perform a hybrid Azure AD join.  
+This field indicates whether the device is joined to an on-premises Active Directory or not. If the value is **NO**, the device cannot perform a hybrid Azure AD join.
 
-#### WorkplaceJoined : NO  
+#### WorkplaceJoined : NO
 
 This field indicates whether the device is registered with Azure AD as a personal device (marked as *Workplace Joined*). This value should be **NO** for a domain-joined computer that is also hybrid Azure AD joined. If the value is **YES**, a work or school account was added prior to the completion of the hybrid Azure AD join. In this case, the account is ignored when using the Anniversary Update version of Windows 10 (1607).
 
-#### AzureAdJoined : YES  
+#### AzureAdJoined : YES
 
 This field indicates whether the device is joined. The value will be **YES** if the device is either an Azure AD joined device or a hybrid Azure AD joined device.
-If the value is **NO**, the join to Azure AD has not completed yet. 
+If the value is **NO**, the join to Azure AD has not completed yet.
 
 Proceed to next steps for further troubleshooting.
 
@@ -154,7 +155,7 @@ Possible reasons for failure:
    - A valid SCP object is required in the AD forest, to which the device belongs, that points to a verified domain name in Azure AD.
    - Details can be found in the section [Configure a Service Connection Point](hybrid-azuread-join-federated-domains.md#configure-hybrid-azure-ad-join).
 - Failure to connect and fetch the discovery metadata from the discovery endpoint.
-   - The device should be able to access `https://enterpriseregistration.windows.net`, in the SYSTEM context, to discover the registration and authorization endpoints. 
+   - The device should be able to access `https://enterpriseregistration.windows.net`, in the SYSTEM context, to discover the registration and authorization endpoints.
    - If the on-premises environment requires an outbound proxy, the IT admin must ensure that the computer account of the device is able to discover and silently authenticate to the outbound proxy.
 - Failure to connect to user realm endpoint and perform realm discovery. (Windows 10 version 1809 and later only)
    - The device should be able to access `https://login.microsoftonline.com`, in the SYSTEM context, to perform realm discovery for the verified domain and determine the domain type (managed/federated).
@@ -172,7 +173,7 @@ Possible reasons for failure:
    - Reason: Operation timed out while performing Discovery.
    - Resolution: Ensure that `https://enterpriseregistration.windows.net` is accessible in the SYSTEM context. For more information, see the section [Network connectivity requirements](hybrid-azuread-join-managed-domains.md#prerequisites).
 - **DSREG_AUTOJOIN_USERREALM_DISCOVERY_FAILED** (0x801c0021/-2145648611)
-   - Reason: Generic Realm Discovery failure. Failed to determine domain type (managed/federated) from STS. 
+   - Reason: Generic Realm Discovery failure. Failed to determine domain type (managed/federated) from STS.
    - Resolution: Find the suberror below to investigate further.
 
 **Common suberror codes:**
@@ -259,7 +260,7 @@ Use Event Viewer logs to locate the error code, suberror code, server error code
 
 - **ERROR_ADAL_PROTOCOL_NOT_SUPPORTED** (0xcaa90017/-894894057)
    - Reason: Authentication protocol is not WS-Trust.
-   - Resolution: The on-premises identity provider must support WS-Trust 
+   - Resolution: The on-premises identity provider must support WS-Trust
 - **ERROR_ADAL_FAILED_TO_PARSE_XML** (0xcaa9002c/-894894036)
    - Reason: On-premises federation service did not return an XML response.
    - Resolution: Ensure MEX endpoint is returning a valid XML. Ensure proxy is not interfering and returning non-xml responses.
@@ -277,7 +278,7 @@ Use Event Viewer logs to locate the error code, suberror code, server error code
    - Resolution: Retry after sometime or try joining from an alternate stable network location.
 - **ERROR_ADAL_INTERNET_SECURE_FAILURE** (0xcaa82f8f/-894947441)
    - Reason: The Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), certificate sent by the server could not be validated.
-   - Resolution: Check the client time skew. Retry after sometime or try joining from an alternate stable network location. 
+   - Resolution: Check the client time skew. Retry after sometime or try joining from an alternate stable network location.
 - **ERROR_ADAL_INTERNET_CANNOT_CONNECT** (0xcaa82efd/-894947587)
    - Reason: The attempt to connect to `https://login.microsoftonline.com` failed.
    - Resolution: Check network connection to `https://login.microsoftonline.com`.
@@ -292,11 +293,11 @@ Use Event Viewer logs to locate the error code, suberror code, server error code
    - Resolution: Check the federation server settings. Look for the server error code in the authentication logs.
 - **ERROR_ADAL_WSTRUST_TOKEN_REQUEST_FAIL** (0xcaa90006/-894894074)
    - Reason: Received an error when trying to get access token from the token endpoint.
-   - Resolution: Look for the underlying error in the ADAL log. 
+   - Resolution: Look for the underlying error in the ADAL log.
 - **ERROR_ADAL_OPERATION_PENDING** (0xcaa1002d/-895418323)
    - Reason: General ADAL failure
    - Resolution: Look for the suberror code or server error code from the authentication logs.
-    
+
 #### Join Phase
 
 Reasons for failure:
@@ -336,7 +337,7 @@ Use Event Viewer logs to locate the phase and errorcode for the join failures.
    - Reason: Received an error response from DRS with ErrorCode: "DirectoryError"
    - Resolution: Refer to the server error code for possible reasons and resolutions.
 - **DSREG_E_DEVICE_AUTHENTICATION_ERROR** (0x801c0002/-2145648638)
-   - Reason: Received an error response from DRS with ErrorCode: "AuthenticationError" and ErrorSubCode is NOT "DeviceNotFound". 
+   - Reason: Received an error response from DRS with ErrorCode: "AuthenticationError" and ErrorSubCode is NOT "DeviceNotFound".
    - Resolution: Refer to the server error code for possible reasons and resolutions.
 - **DSREG_E_DEVICE_INTERNALSERVICE_ERROR** (0x801c0006/-2145648634)
    - Reason: Received an error response from DRS with ErrorCode: "DirectoryError"
@@ -348,7 +349,7 @@ Use Event Viewer logs to locate the phase and errorcode for the join failures.
    - Reason: TPM operation failed or was invalid
    - Resolution: Likely due to a bad sysprep image. Ensure the machine from which the sysprep image was created is not Azure AD joined, hybrid Azure AD joined, or Azure AD registered.
 - **TPM_E_PCP_INTERNAL_ERROR** (0x80290407/-2144795641)
-   - Reason: Generic TPM error. 
+   - Reason: Generic TPM error.
    - Resolution: Disable TPM on devices with this error. Windows 10 version 1809 and higher automatically detects TPM failures and completes hybrid Azure AD join without using the TPM.
 - **TPM_E_NOTFIPS** (0x80280036/-2144862154)
    - Reason: TPM in FIPS mode not currently supported.
@@ -397,20 +398,20 @@ Download the file Auth.zip from [https://github.com/CSS-Windows/WindowsDiag/tree
 
 ## Troubleshoot Post-Join issues
 
-### Retrieve the join status 
+### Retrieve the join status
 
 #### WamDefaultSet: YES and AzureADPrt: YES
-  
-These fields indicate whether the user has successfully authenticated to Azure AD when signing in to the device. 
+
+These fields indicate whether the user has successfully authenticated to Azure AD when signing in to the device.
 If the values are **NO**, it could be due:
 
 - Bad storage key in the TPM associated with the device upon registration (check the KeySignTest while running elevated).
 - Alternate Login ID
 - HTTP Proxy not found
 
 ## Known issues
-- Under Settings -> Accounts -> Access Work or School, Hybrid Azure AD joined devices may show two different accounts, one for Azure AD and one for on-premises AD, when connected to mobile hotspots or external WiFi networks. This is only a UI issue and does not have any impact on functionality. 
- 
+- Under Settings -> Accounts -> Access Work or School, Hybrid Azure AD joined devices may show two different accounts, one for Azure AD and one for on-premises AD, when connected to mobile hotspots or external WiFi networks. This is only a UI issue and does not have any impact on functionality.
+
 ## Next steps
 
 Continue [troubleshooting devices using the dsregcmd command](troubleshoot-device-dsregcmd.md)