MicrosoftDocs
diff --git a/‎.openpublishing.publish.config.json
Lines changed: 6 additions & 0 deletions b/‎.openpublishing.publish.config.json
Lines changed: 6 additions & 0 deletions
diff --git a/‎articles/active-directory/authentication/howto-password-ban-bad-on-premises-deploy.md
Lines changed: 3 additions & 0 deletions b/‎articles/active-directory/authentication/howto-password-ban-bad-on-premises-deploy.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎articles/active-directory/conditional-access/concept-condition-filters-for-devices.md
Lines changed: 3 additions & 0 deletions b/‎articles/active-directory/conditional-access/concept-condition-filters-for-devices.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎articles/active-directory/develop/msal-net-instantiate-public-client-config-options.md
Lines changed: 19 additions & 0 deletions b/‎articles/active-directory/develop/msal-net-instantiate-public-client-config-options.md
Lines changed: 19 additions & 0 deletions
@@ -357,6 +357,12 @@
       "branch": "main",
       "branch_mapping": {}
     },
+    {
+      "path_to_root": "media-services-v3-dotnet-core-functions-integration",
+      "url": "https://github.com/Azure-Samples/media-services-v3-dotnet-core-functions-integration",
+      "branch": "main",
+      "branch_mapping": {}
+    },
     {
       "path_to_root": "samples-javascript",
       "url": "https://github.com/Microsoft/tsiclient",
 
@@ -93,6 +93,9 @@ The following core requirements apply:
     |`https://login.microsoftonline.com`|Authentication requests|
     |`https://enterpriseregistration.windows.net`|Azure AD Password Protection functionality|
 
+> [!NOTE]
+> Some endpoints, such as the CRL endpoint, are not addressed in this article. For a list of all supported endpoints, see [Microsoft 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#microsoft-365-common-and-office-online).
+
 ### Azure AD Password Protection DC agent
 
 The following requirements apply to the Azure AD Password Protection DC agent:
 
@@ -140,6 +140,9 @@ Filters for devices (preview) condition in Conditional Access evaluates policy b
 | Include/exclude mode with negative operators (NotEquals, NotStartsWith, NotEndsWith, NotContains, NotIn) and use of any attributes including extensionAttributes1-15 | Registered device managed by Intune | Yes, if criteria are met |
 | Include/exclude mode with negative operators (NotEquals, NotStartsWith, NotEndsWith, NotContains, NotIn) and use of any attributes including extensionAttributes1-15 | Registered device not managed by Intune | Yes, if criteria are met and if device is compliant or Hybrid Azure AD joined |
 
+> [!IMPORTANT]
+> For unregistered devices, the only device information passed is the Operating System, Operating System Version, and the Browser.  This means for unregistered devices and Conditional Access policies using negative operators for filters for device, any value outside of these will be evaluated with an blank value.  For example, if an unregistered device was being evaluated with the following: **device.displayName -notContains *Example***. Since the unregistered device will pass a blank display name, which is not the value of *Example*, the resulting condition will be true.
+
 ## Next steps
 
 - [Conditional Access: Conditions](concept-conditional-access-conditions.md)
 
@@ -28,6 +28,25 @@ Before initializing an application, you first need to [register](quickstart-regi
 - The tenant ID if you are writing a line of business application solely for your organization (also named single-tenant application).
 - For web apps, and sometimes for public client apps (in particular when your app needs to use a broker), you'll have also set the redirectUri where the identity provider will contact back your application with the security tokens.
 
+## Default Reply Uri
+
+In MSAL.NET 4.1+ the default redirect URI (Reply URI) can now be set with the `public PublicClientApplicationBuilder WithDefaultRedirectUri()` method. This method will set the redirect uri property of public client application to the recommended default.
+
+This method's behavior is dependent upon the platform that you are using at the time. Here is a table that describes what redirect uri is set on certain platforms:
+
+Platform  | Redirect URI  
+---------  | --------------
+Desktop app (.NET FW) | `https://login.microsoftonline.com/common/oauth2/nativeclient` 
+UWP | value of `WebAuthenticationBroker.GetCurrentApplicationCallbackUri()`
+.NET Core | `http://localhost`
+
+For the UWP platform, is enhanced the experience by enabling SSO with the browser by setting the value to the result of `WebAuthenticationBroker.GetCurrentApplicationCallbackUri()`. 
+
+For .NET Core, MSAL.Net is setting the value to the local host to enable the user to use the system browser for interactive authentication.
+
+> [!NOTE]
+> For embedded browsers in desktop scenarios the redirect uri used is intercepted by MSAL to detect that a response is returned from the identity provider that an auth code has been returned. This uri can therefore be used in any cloud without seeing an actual redirect to that uri. This means you can and should use `https://login.microsoftonline.com/common/oauth2/nativeclient` in any cloud. If you prefer you can also use any other uri as long as you configure the redirect uri correctly with MSAL and in the app registration. Specifying the default Uri in the application registration means there is the least amount of setup in MSAL.
+
 
 A .NET Core console application could have the following *appsettings.json* configuration file: