Merge pull request #151485 from MicrosoftDocs/master

3/22 AM Publish

Author: huypub

articles/active-directory-b2c/TOC.yml

@@ -496,6 +496,7 @@
     href: custom-policy-developer-notes.md
   - name: Page layout versions
     href: page-layout.md
+    displayName: Page version
   - name: Region availability & data residency
     href: data-residency.md
   - name: Build for resilience

articles/active-directory-b2c/identity-provider-apple-id.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 03/15/2021
+ms.date: 03/22/2021
 ms.custom: project-no-code
 ms.author: mimart
 ms.subservice: B2C
@@ -203,8 +203,8 @@ You can define an Apple ID as a claims provider by adding it to the **ClaimsProv
             <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
             <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="https://appleid.apple.com" AlwaysUseDefaultValue="true" />
             <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
-            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="user.firstName"/>
-            <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="user.lastName"/>
+            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="user.name.firstName"/>
+            <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="user.name.lastName"/>
             <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="user.email"/>
           </OutputClaims>
           <OutputClaimsTransformations>

articles/active-directory-b2c/javascript-and-page-layout.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 12/10/2020
+ms.date: 03/22/2021
 ms.custom: project-no-code, devx-track-js
 ms.author: mimart
 ms.subservice: B2C
@@ -151,7 +151,7 @@ Follow these guidelines when you customize the interface of your application usi
     - Don't use JavaScript directly to call Azure AD B2C endpoints.
 - You can embed your JavaScript or you can link to external JavaScript files. When using an external JavaScript file, make sure to use the absolute URL and not a relative URL.
 - JavaScript frameworks:
-    - Azure AD B2C uses a specific version of jQuery. Don’t include another version of jQuery. Using more than one version on the same page causes issues.
+    - Azure AD B2C uses a [specific version of jQuery](page-layout.md#jquery-version). Don’t include another version of jQuery. Using more than one version on the same page causes issues.
     - Using RequireJS isn't supported.
     - Most JavaScript frameworks are not supported by Azure AD B2C.
 - Azure AD B2C settings can be read by calling `window.SETTINGS`, `window.CONTENT` objects, such as the current UI language. Don’t change the value of these objects.

articles/active-directory-b2c/microsoft-graph-operations.md

@@ -135,7 +135,7 @@ For more information about accessing Azure AD B2C audit logs, see [Accessing Azu
 
 ## Conditional Access
 
-- [List all of the Conditional Access policies](/graph/api/resources/conditionalaccessroot-list-policies)
+- [List all of the Conditional Access policies](/graph/api/conditionalaccessroot-list-policies?view=graph-rest-beta&tabs=http)
 - [Read properties and relationships of a Conditional Access policy](/graph/api/conditionalaccesspolicy-get)
 - [Create a new Conditional Access policy](/graph/api/resources/application)
 - [Update a Conditional Access policy](/graph/api/conditionalaccesspolicy-update)

articles/active-directory-b2c/page-layout.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 03/09/2021
+ms.date: 03/22/2021
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -18,6 +18,16 @@ ms.subservice: B2C
 
 Page layout packages are periodically updated to include fixes and improvements in their page elements. The following change log specifies the changes introduced in each version.
 
+## jQuery version
+
+Azure AD B2C page layout uses the following version of the [jQuery library](https://jquery.com/):
+
+|From page layout version  |jQuery version  |
+|---------|---------|
+|2.1.4 | 3.5.1 |
+|1.2.0 | 3.4.1 |
+|1.1.0 | 1.10.2 |
+
 ## Self-asserted page (selfasserted)
 
 **2.1.2**

articles/active-directory-b2c/tutorial-create-user-flows.md

@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 12/16/2020
+ms.date: 03/22/2021
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -21,8 +21,9 @@ In this article, you learn how to:
 
 > [!div class="checklist"]
 > * Create a sign-up and sign-in user flow
+> * Enable self-service password reset
 > * Create a profile editing user flow
-> * Create a password reset user flow
+
 
 This tutorial shows you how to create some recommended user flows by using the Azure portal. If you're looking for information about how to set up a resource owner password credentials (ROPC) flow in your application, see [Configure the resource owner password credentials flow in Azure AD B2C](add-ropc-policy.md).
 
@@ -81,6 +82,24 @@ The sign-up and sign-in user flow handles both sign-up and sign-in experiences w
 > [!NOTE]
 > The "Run user flow" experience is not currently compatible with the SPA reply URL type using authorization code flow. To use the "Run user flow" experience with these kinds of apps, register a reply URL of type "Web" and enable the implicit flow as described [here](tutorial-register-spa.md).
 
+## Enable self-service password reset
+
+To enable [self-service password reset](add-password-reset-policy.md) for the sign-up or sign-in user flow:
+
+1. Select the sign-up or sign-in user flow  you created.
+1. Under **Settings** in the left menu, select **Properties**.
+1. Under **Password complexity**, select **Self-service password reset**.
+1. Select **Save**.
+
+### Test the user flow
+
+1. Select the user flow you created to open its overview page, then select **Run user flow**.
+1. For **Application**, select the web application named *webapp1* that you previously registered. The **Reply URL** should show `https://jwt.ms`.
+1. Select **Run user flow**.
+1. From the sign-up or sign-in page, select **Forgot your password?**.
+1. Verify the email address of the account that you previously created, and then select **Continue**.
+1. You now have the opportunity to change the password for the user. Change the password and select **Continue**. The token is returned to `https://jwt.ms` and should be displayed to you.
+
 ## Create a profile editing user flow
 
 If you want to enable users to edit their profile in your application, you use a profile editing user flow.
@@ -100,26 +119,6 @@ If you want to enable users to edit their profile in your application, you use a
 1. Click **Run user flow**, and then sign in with the account that you previously created.
 1. You now have the opportunity to change the display name and job title for the user. Click **Continue**. The token is returned to `https://jwt.ms` and should be displayed to you.
 
-## Create a password reset user flow
-
-To enable users of your application to reset their password, you use a password reset user flow.
-
-1. In the Azure AD B2C tenant overview menu, select **User flows**, and then select **New user flow**.
-1. On the **Create a user flow** page, select the **Password reset** user flow. 
-1. Under **Select a version**, select **Recommended**, and then select **Create**.
-1. Enter a **Name** for the user flow. For example, *passwordreset1*.
-1. For **Identity providers**, enable **Reset password using email address**.
-2. Under Application claims, click **Show more** and choose the claims that you want returned in the authorization tokens sent back to your application. For example, select **User's Object ID**.
-3. Click **OK**.
-4. Click **Create** to add the user flow. A prefix of *B2C_1* is automatically appended to the name.
-
-### Test the user flow
-
-1. Select the user flow you created to open its overview page, then select **Run user flow**.
-1. For **Application**, select the web application named *webapp1* that you previously registered. The **Reply URL** should show `https://jwt.ms`.
-1. Click **Run user flow**, verify the email address of the account that you previously created, and select **Continue**.
-1. You now have the opportunity to change the password for the user. Change the password and select **Continue**. The token is returned to `https://jwt.ms` and should be displayed to you.
-
 ## Next steps
 
 In this article, you learned how to:

articles/active-directory/develop/authentication-national-cloud.md

@@ -51,7 +51,7 @@ The following table lists the base URLs for the Azure AD endpoints used to acqui
 |----------------|-------------------------|
 | Azure AD for US Government | `https://login.microsoftonline.us` |
 | Azure AD Germany| `https://login.microsoftonline.de` |
-| Azure AD China operated by 21Vianet | `https://login.chinacloudapi.cn` |
+| Azure AD China operated by 21Vianet | `https://login.partner.microsoftonline.cn/common` |
 | Azure AD (global service)| `https://login.microsoftonline.com` |
 
 You can form requests to the Azure AD authorization or token endpoints by using the appropriate region-specific base URL. For example, for Azure Germany:

articles/active-directory/develop/scenario-web-app-sign-user-app-configuration.md

@@ -82,7 +82,7 @@ In ASP.NET Core, these settings are located in the [appsettings.json](https://gi
     // - "https://login.microsoftonline.com/" for Azure public cloud
     // - "https://login.microsoftonline.us/" for Azure US government
     // - "https://login.microsoftonline.de/" for Azure AD Germany
-    // - "https://login.chinacloudapi.cn/" for Azure AD China operated by 21Vianet
+    // - "https://login.partner.microsoftonline.cn/common" for Azure AD China operated by 21Vianet
     "Instance": "https://login.microsoftonline.com/",
 
     // Azure AD audience among:

articles/active-directory/develop/single-sign-out-saml-protocol.md

@@ -4,20 +4,19 @@ description: This article describes the Single Sign-Out SAML Protocol in Azure A
 services: active-directory
 author: kenwith
 manager: CelesteDG
-
 ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 07/19/2017
+ms.date: 03/22/2021
 ms.author: kenwith
 ms.custom: aaddev
 ms.reviewer: paulgarn
 ---
 
 # Single Sign-Out SAML Protocol
 
-Azure Active Directory (Azure AD) supports the SAML 2.0 web browser single sign-out profile. For single sign-out to work correctly, the **LogoutURL** for the application must be explicitly registered with Azure AD during application registration. Azure AD uses the LogoutURL to redirect users after they're signed out.
+Azure Active Directory (Azure AD) supports the SAML 2.0 web browser single sign-out profile. For single sign-out to work correctly, the **LogoutURL** for the application must be explicitly registered with Azure AD during application registration. If the app is [added to the Azure App Gallery](v2-howto-app-gallery-listing.md) then this value can be set by default. Otherwise, the value must be determined and set by the person adding the app to their Azure AD tenant. Azure AD uses the LogoutURL to redirect users after they're signed out. 
 
 Azure AD supports redirect binding (HTTP GET), and not HTTP POST binding.
 

articles/active-directory/external-identities/reset-redemption-status.md

@@ -27,9 +27,20 @@ After a guest user has redeemed your invitation for B2B collaboration, there mig
 
 To manage these scenarios previously, you had to manually delete the guest user’s account from your directory and reinvite the user. Now you can use PowerShell or the Microsoft Graph invitation API to reset the user's redemption status and reinvite the user while retaining the user's object ID, group memberships, and app assignments. When the user redeems the new invitation, the UPN of the user doesn't change, but the user's sign-in name changes to the new email. The user can subsequently sign in using the new email or an email you've added to the `otherMails` property of the user object.
 
+## Reset the email address used for sign-in
+
+If a user wants to sign in using a different email:
+
+1. Make sure the new email address is added to the `mail` or `otherMails` property of the user object. 
+2.  Replace the email address in the `InvitedUserEmailAddress` property with the new email address.
+3. Use one of the methods below to reset the user's redemption status.
+
+> [!NOTE]
+>During public preview, when you're resetting the user's email address, we recommend setting the `mail` property to the new email address. This way the user can redeem the invitation by signing into your directory in addition to using the redemption link in the invitation.
+>
 ## Use PowerShell to reset redemption status
 
-Install the latest AzureADPreview PowerShell module and create a new invitation with `InvitedUserEMailAddress` set to the new email address, and `ResetRedemption` set to `true`.
+Install the latest AzureADPreview PowerShell module and create a new invitation with `InvitedUserEmailAddress` set to the new email address, and `ResetRedemption` set to `true`.
 
 ```powershell  
 Uninstall-Module AzureADPreview 
@@ -42,7 +53,7 @@ New-AzureADMSInvitation -InvitedUserEmailAddress <<external email>> -SendInvitat
 
 ## Use Microsoft Graph API to reset redemption status
 
-Using the [Microsoft Graph invitation API](/graph/api/resources/invitation), set the `resetRedemption` property  to `true` and specify the new email address in the `invitedUserEmailAddress` property.
+Using the [Microsoft Graph invitation API](/graph/api/resources/invitation?view=graph-rest-1.0), set the `resetRedemption` property  to `true` and specify the new email address in the `invitedUserEmailAddress` property.
 
 ```json
 POST https://graph.microsoft.com/beta/invitations