Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into fixESAN

Author: roygara

.openpublishing.publish.config.json

@@ -1091,6 +1091,7 @@
   "articles/azure-video-indexer/.openpublishing.redirection.azure-video-indexer.json",
   "articles/cloud-shell/.openpublishing.redirection.cloud-shell.json",
   "articles/communication-services/.openpublishing.redirection.communication-services.json",
+  "articles/communications-gateway/.openpublishing.redirection.communications-gateway.json",
   "articles/confidential-computing/.openpublishing.redirection.json",
   "articles/container-apps/.openpublishing.redirection.container-apps.json",
   "articles/cosmos-db/.openpublishing.redirection.cosmos-db.json",

.openpublishing.redirection.json

@@ -23792,11 +23792,6 @@
             "redirect_url": "/azure/private-5g-core/monitor-private-5g-core-with-platform-metrics",
             "redirect_document_id": false
         },
-        {
-            "source_path": "articles/communications-gateway/rotate-secrets.md",
-            "redirect_URL": "/azure/communications-gateway/whats-new",
-            "redirect_document_id": false
-        },
         {
             "source_path": "articles/batch/high-availability-disaster-recovery.md",
             "redirect_URL": "/azure/reliability/reliability-batch",
@@ -24266,6 +24261,11 @@
             "source_path_from_root": "/articles/reliability/reliability-postgre-flexible.md",
             "redirect_url": "/azure/reliability/reliability-postgresql-flexible-server",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/private-link/tutorial-private-endpoint-cosmosdb-portal.md",
+            "redirect_url": "/azure/cosmos-db/how-to-configure-private-endpoints",
+            "redirect_document_id": false
         }
     ]
 }

.openpublishing.redirection.virtual-desktop.json

@@ -194,6 +194,11 @@
             "source_path_from_root": "/articles/virtual-desktop/app-attach-glossary.md",
             "redirect_url": "/azure/virtual-desktop/what-is-app-attach",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/virtual-desktop/windows-10-multisession-faq.yml",
+            "redirect_url": "/azure/virtual-desktop/windows-multisession-faq",
+            "redirect_document_id": true
         }
     ]
 }

articles/active-directory/develop/custom-extension-configure-saml-app.md

@@ -3,7 +3,7 @@ title: Source claims from an external store (SAML app)
 titleSuffix: Microsoft identity platform
 description: Use a custom claims provider to augment tokens with claims from an external identity system. Configure a SAML app to receive tokens with external claims. 
 services: active-directory
-author: yoelhor
+author: davidmu1
 manager: CelesteDG
 
 ms.service: active-directory
@@ -40,9 +40,11 @@ The following steps are for registering a demo [XRayClaims](https://adfshelp.mic
 
 Add a new, non-gallery SAML application in your tenant:
 
-1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
 
-1. Go to **Azure Active Directory** and then **Enterprise applications**.  Select **New application** and then **Create your own application**.
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.  
+
+1. Select **New application** and then **Create your own application**.
 
 1. Add a name for the app.  For example, **AzureADClaimsXRay**.  Select the **Integrate any other application you don't find in the gallery (Non-gallery)** option and select **Create**.
 

articles/active-directory/develop/custom-extension-get-started.md

@@ -3,7 +3,7 @@ title: Get started with custom claims providers (preview)
 titleSuffix: Microsoft identity platform
 description: Learn how to develop and register an Azure Active Directory custom authentication extensions REST API. The custom authentication extension allows you to source claims from a data store that is external to Azure Active Directory.  
 services: active-directory
-author: yoelhor
+author: davidmu1
 manager: CelesteDG
 
 ms.service: active-directory
@@ -157,14 +157,11 @@ The following screenshot demonstrates how to configure the Azure HTTP trigger fu
 
 In this step, you configure a custom authentication extension, which will be used by Azure AD to call your Azure function. The custom authentication extension contains information about your REST API endpoint, the claims that it parses from your REST API, and how to authenticate to your REST API. Follow these steps to register a custom authentication extension:
 
-# [Azure portal](#tab/azure-portal)
+# [Microsoft Entra admin center](#tab/entra-admin-center)
 
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Under **Azure services**, select **Azure Active Directory**.
-1. Ensure your user account has the Global Administrator or Application Administrator and Authentication Extensibility Administrator role. Otherwise, learn how to [assign a role](../roles/manage-roles-portal.md).
-1. From the menu, select **Enterprise applications**.
-1. Under **Manage**, select the **Custom authentication extensions**.
-1. Select **Create a custom authentication extension**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](../roles/permissions-reference.md#application-developer) and [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Select **Custom authentication extensions**, and then select **Create a custom authentication extension**.
 1. In **Basics**, select the **tokenIssuanceStart** event and select **Next**.
 1. In **Endpoint Configuration**, fill in the following properties:
 
@@ -361,8 +358,9 @@ Follow these steps to register the **jwt.ms** web application:
 
 ### 3.1 Register a test web application
 
-1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Azure Active Directory**.
-1. Select **App registrations**, and then select **New registration**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](../roles/permissions-reference.md#application-developer).
+1. Browse to **Identity** > **Applications** > **Application registrations**.
+1. Select **New registration**.
 1. Enter a **Name** for the application. For example, **My Test application**.
 1. Under **Supported account types**, select **Accounts in this organizational directory only**.
 1. In the **Select a platform** dropdown in **Redirect URI**, select **Web** and then enter `https://jwt.ms` in the URL text box.
@@ -414,12 +412,12 @@ For tokens to be issued with claims incoming from the custom authentication exte
 
 Follow these steps to connect the *My Test application* with your custom authentication extension:
 
-# [Azure portal](#tab/azure-portal)
+# [Microsoft Entra admin center](#tab/entra-admin-center)
 
 First assign the custom authentication extension as a custom claims provider source:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to **Azure Active Directory**.
-1. Select **App registrations**, and find the *My Test application* registration you created.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](../roles/permissions-reference.md#application-administrator).
+1. Browse to **Identity** > **Applications** > **Application registrations**.
 1. In the **Overview** page, under **Managed application in local directory**, select **My Test application**.
 1. Under **Manage**, select **Single sign-on**.
 1. Under **Attributes & Claims**, select **Edit**.
@@ -630,7 +628,7 @@ If you configured the [Microsoft identity provider](#step-5-protect-your-azure-f
 
 1. Under the **App registration**, enter the application ID (client ID) of the *Azure Functions authentication events API* app registration [you created previously](#step-2-register-a-custom-authentication-extension).
 
-1. Go to your Azure AD tenant in which your custom authentication extension is registered, and select **Azure Active Directory** > **App registrations**.
+1. In the Microsoft Entra admin center:
     1. Select the *Azure Functions authentication events API* app registration [you created previously](#step-2-register-a-custom-authentication-extension).
     1. Select **Certificates & secrets** > **Client secrets** > **New client secret**.
     1. Add a description for your client secret.

articles/active-directory/develop/custom-extension-troubleshoot.md

@@ -3,7 +3,7 @@ title: Troubleshoot a custom claims provider
 titleSuffix: Microsoft identity platform
 description: Troubleshoot and monitor your custom claims provider API.  Learn how to use logging and Azure AD sign-in logs to find errors and issues in your custom claims provider API.
 services: active-directory
-author: yoelhor
+author: davidmu1
 manager: CelesteDG
 
 ms.service: active-directory
@@ -44,9 +44,9 @@ Azure AD sign-in logs also integrate with [Azure Monitor](../../azure-monitor/in
 
 To access the Azure AD sign-in logs:
 
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. In the **Enterprise apps** experience for your given application, select on the **Sign-in** logs tab.
-1. Select the latest sign-in log.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Select **Sign-in logs**, and then select the latest sign-in log.
 1. For more details, select the **Authentication Events** tab. Information related to the custom authentication extension REST API call is displayed, including any [error codes](#error-codes-reference).
 
     :::image type="content" source="media/custom-extension-troubleshoot/authentication-events.png" alt-text="Screenshot that shows the authentication events information." :::
@@ -89,8 +89,8 @@ Use the following table to diagnose an error code.
 
 Your REST API is protected by Azure AD access token. You can test your API by obtaining an access token with the [application registration](custom-extension-get-started.md#22-grant-admin-consent) associated with the custom authentiction extensions. After you acquire an access token, pass it the HTTP `Authorization` header. To obtain an access token, follow these steps:
 
-1. Sign in to the [Azure portal](https://portal.azure.com) with your Azure administrator account.
-1. Select **Azure Active Directory** > **App registrations**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Application registrations**.
 1. Select the *Azure Functions authentication events API* app registration [you created previously](custom-extension-get-started.md#step-2-register-a-custom-authentication-extension). 
 1. Copy the [application ID](custom-extension-get-started.md#22-grant-admin-consent).
 1. If you haven't created an app secret, follow these steps:

articles/active-directory/develop/developer-support-help-options.md

@@ -23,11 +23,11 @@ If you need an answer to a question or help in solving a problem not covered in
     <img alt='Azure support' src='./media/common/logo_azure.svg'>
 </div>
 
-Explore the range of [Azure support options and choose the plan](https://azure.microsoft.com/support/plans) that best fits you. There are two options to create and manage support requests in the Azure portal:
+Explore the range of [Azure support options and choose the plan](https://azure.microsoft.com/support/plans) that best fits you. There are two options to create and manage support requests in the Microsoft Entra admin center:
 
-- If you already have an Azure Support Plan, [open a support request here](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).
+- If you already have an Azure Support Plan, [open a support request here](https://entra.microsoft.com/#view/Microsoft_Azure_Support/NewSupportRequestV3Blade/callerName/ActiveDirectory/issueType/technical).
 
-- If you're using Azure AD for customers (preview), the support request feature is currently unavailable in customer tenants. However, you can use the **Give Feedback** link on the **New support request** page to provide feedback. Or, you can switch to your Azure AD workforce tenant and [open a support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).
+- If you're using Azure AD for customers (preview), the support request feature is currently unavailable in customer tenants. However, you can use the **Give Feedback** link on the **New support request** page to provide feedback. Or, you can switch to your Azure AD workforce tenant and [open a support request](https://entra.microsoft.com/#view/Microsoft_Azure_Support/NewSupportRequestV3Blade/callerName/ActiveDirectory/issueType/technical).
 
 - If you're not an Azure customer, you can open a support request with [Microsoft Support for business](https://support.serviceshub.microsoft.com/supportforbusiness).
 

articles/active-directory/external-identities/claims-mapping.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: conceptual
-ms.date: 11/24/2022
+ms.date: 08/30/2023
 
 ms.author: cmulligan
 author: csmulligan
@@ -32,7 +32,16 @@ There are two possible reasons why you might need to edit the claims that are is
 
 For information about how to add and edit claims, see [Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory](../develop/saml-claims-customization.md).
 
-For B2B collaboration users, mapping NameID and UPN cross-tenant are prevented for security reasons.
+## UPN claims behavior for B2B users
+
+If you need to issue the UPN value as an application token claim, the actual claim mapping may behave differently for B2B users. If the B2B user authenticates with an external Azure AD identity and you issue user.userprincipalname as the source attribute, Azure AD instead issues the mail attribute.  
+
+For example, let’s say you invite an external user whose email is `[email protected]` and whose identity exists in an external Azure AD tenant. James’ UPN in the inviting tenant is created from the invited email and the inviting tenant's original default domain. So, let’s say James’ UPN becomes `James_contoso.com#EXT#@fabrikam.onmicrosoft.com`. For the SAML application that issues user.userprincipalname as the NameID, the value passed for James is `[email protected]`.  
+
+All [other external identity types](redemption-experience.md#invitation-redemption-flow) such as SAML/WS-Fed, Google, Email OTP issues the UPN value rather than the email value when you issue user.userprincipalname as a claim. If you want the actual UPN to be issued in the token claim for all B2B users, you can set user.localuserprincipalname as the source attribute instead. 
+
+>[!NOTE]
+>The behavior mentioned in this section is same for both cloud-only B2B users and synced users who were [invited/converted to B2B collaboration](invite-internal-users.md). 
 
 ## Next steps
 

articles/active-directory/external-identities/cross-tenant-access-overview.md

@@ -19,6 +19,9 @@ ms.collection: M365-identity-device-management
 Azure AD organizations can use External Identities cross-tenant access settings to manage how they collaborate with other Azure AD organizations and other Microsoft Azure clouds through B2B collaboration and [B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md). [Cross-tenant access settings](cross-tenant-access-settings-b2b-collaboration.md) give you granular control over how external Azure AD organizations collaborate with you (inbound access) and how your users collaborate with external Azure AD organizations (outbound access). These settings also let you trust multi-factor authentication (MFA) and device claims ([compliant claims and hybrid Azure AD joined claims](../conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Azure AD organizations.
 
 This article describes cross-tenant access settings, which are used to manage B2B collaboration and B2B direct connect with external Azure AD organizations, including across Microsoft clouds. More settings are available for B2B collaboration with non-Azure AD identities (for example, social identities or non-IT managed external accounts). These [external collaboration settings](external-collaboration-settings-configure.md) include options for restricting guest user access, specifying who can invite guests, and allowing or blocking domains.
+
+> [!IMPORTANT]
+> Microsoft is beginning to move customers using cross-tenant access settings to a new storage model on August 30, 2023. You may notice an entry in your audit logs informing you that your cross-tenant access settings were updated as our automated task migrates your settings. For a brief window while the migration processes, you will be unable to make changes to your settings. If you are unable to make a change, you should wait a few moments and try the change again. Once the migration completes, [you will no longer be capped with 25kb of storage space](/azure/active-directory/external-identities/faq#how-many-organizations-can-i-add-in-cross-tenant-access-settings-) and there will be no more limits on the number of partners you can add.
  
 ## Manage external access with inbound and outbound settings
 

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md

@@ -18,6 +18,9 @@ ms.collection: M365-identity-device-management
 
 Use External Identities cross-tenant access settings to manage how you collaborate with other Azure AD organizations through B2B collaboration. These settings determine both the level of *inbound* access users in external Azure AD organizations have to your resources, and the level of *outbound* access your users have to external organizations. They also let you trust multi-factor authentication (MFA) and device claims ([compliant claims and hybrid Azure AD joined claims](../conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Azure AD organizations. For details and planning considerations, see [Cross-tenant access in Azure AD External Identities](cross-tenant-access-overview.md).
 
+> [!IMPORTANT]
+> Microsoft is beginning to move customers using cross-tenant access settings to a new storage model on August 30, 2023. You may notice an entry in your audit logs informing you that your cross-tenant access settings were updated as our automated task migrates your settings. For a brief window while the migration processes, you will be unable to make changes to your settings. If you are unable to make a change, you should wait a few moments and try the change again. Once the migration completes, [you will no longer be capped with 25kb of storage space](/azure/active-directory/external-identities/faq#how-many-organizations-can-i-add-in-cross-tenant-access-settings-) and there will be no more limits on the number of partners you can add.
+
 ## Before you begin
 
   > [!CAUTION]