Merge branch 'main' into release-preview-mswb

Author: v-alje

.openpublishing.publish.config.json

@@ -1018,7 +1018,7 @@
 	  },
 	  {
       "path_to_root": "microsoft-graph",
-      "url": "https://github.com/MicrosoftGraph/microsoft-graph-docs",
+      "url": "https://github.com/MicrosoftGraph/microsoft-graph-docs-contrib",
       "branch": "main",
       "branch_mapping": {}
     },

.openpublishing.redirection.active-directory.json

@@ -105,6 +105,11 @@
       "redirect_url": "/azure/active-directory/saas-apps/gainsight-tutorial",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/saas-apps/postman-provisioning-tutorialy.md",
+      "redirect_url": "/azure/active-directory/saas-apps/postman-provisioning-tutorial",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/saas-apps/iauditor-tutorial.md",
       "redirect_url": "/azure/active-directory/saas-apps/safety-culture-tutorial",

articles/active-directory-b2c/custom-policy-developer-notes.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 06/06/2023
+ms.date: 09/06/2023
 ms.custom: project-no-code
 ms.author: kengaderdus
 ms.subservice: B2C
@@ -133,9 +133,11 @@ The following table summarizes the Security Assertion Markup Language (SAML) app
 
 |Feature  |User flow  |Custom policy  |Notes  |
 |---------|:---------:|:---------:|---------|
-|[API connectors](api-connectors-overview.md) | Preview | GA | |
-|[Secure with basic authentication](secure-rest-api.md#http-basic-authentication) | Preview | GA | |
-|[Secure with client certificate authentication](secure-rest-api.md#https-client-certificate-authentication) | Preview | GA | |
+|[After federating with an identity provider during sign-up](api-connectors-overview.md?pivots=b2c-user-flow#after-federating-with-an-identity-provider-during-sign-up) | GA | GA | |
+|[Before creating the user](api-connectors-overview.md?pivots=b2c-user-flow#before-creating-the-user) | GA | GA | |
+|[Before including application claims in token](api-connectors-overview.md?pivots=b2c-user-flow#before-sending-the-token-preview)| Preview | GA | |
+|[Secure with basic authentication](secure-rest-api.md#http-basic-authentication) | GA | GA | |
+|[Secure with client certificate authentication](secure-rest-api.md#https-client-certificate-authentication) | GA | GA | |
 |[Secure with OAuth2 bearer authentication](secure-rest-api.md#oauth2-bearer-authentication) | NA | GA | |
 |[Secure API key authentication](secure-rest-api.md#api-key-authentication) | NA | GA | |
 

articles/active-directory-domain-services/powershell-scoped-synchronization.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: how-to
-ms.date: 01/29/2023
+ms.date: 09/06/2023
 ms.author: justinha 
 ms.custom: has-azure-ad-ps-ref
 ---
@@ -86,7 +86,7 @@ foreach ($groupName in $groupsToAdd)
 Write-Output "****************************************************************************`n"
 Write-Output "`n****************************************************************************"
 
-$currentAssignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId
+$currentAssignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true
 Write-Output "Total current group-assignments: $($currentAssignments.Count), SP-ObjectId: $($sp.ObjectId)"
 
 $currAssignedObjectIds = New-Object 'System.Collections.Generic.HashSet[string]'

articles/active-directory/conditional-access/concept-continuous-access-evaluation-workload.md

@@ -15,17 +15,17 @@ ms.reviewer: joroja
 
 ms.collection: M365-identity-device-management
 ---
-# Continuous access evaluation for workload identities (preview)
+# Continuous access evaluation for workload identities
 
 Continuous access evaluation (CAE) for [workload identities](../workload-identities/workload-identities-overview.md) provides security benefits to your organization. It enables real-time enforcement of Conditional Access location and risk policies along with instant enforcement of token revocation events for workload identities. 
 
 Continuous access evaluation doesn't currently support managed identities.
 
 ## Scope of preview
 
-The continuous access evaluation for workload identities public preview scope includes support for Microsoft Graph as a resource provider.
+The continuous access evaluation for workload identities is supported only on access requests sent to Microsoft Graph as a resource provider.  More resource providers will be added over time.
 
-The preview targets service principals for line of business (LOB) applications.
+Service principals for line of business (LOB) applications are supported
 
 We support the following revocation events:
 

articles/active-directory/develop/identity-platform-integration-checklist.md

@@ -20,12 +20,12 @@ ms.custom: aaddev, identityplatformtop40, scenarios:getting-started, has-adal-re
 
 This article highlights best practices, recommendations, and common oversights when integrating with the Microsoft identity platform.  This checklist will guide you to a high-quality and secure integration. Review this list on a regular basis to make sure you maintain the quality and security of your app’s integration with the identity platform. The checklist isn't intended to review your entire application. The contents of the checklist are subject to change as we make improvements to the platform.
 
-If you’re just getting started, check out the [Microsoft identity platform documentation](index.yml) to learn about authentication basics, application scenarios in the Microsoft identity platform, and more.
+If you're just getting started, check out the [Microsoft identity platform documentation](index.yml) to learn about authentication basics, application scenarios in the Microsoft identity platform, and more.
 
 Use the following checklist to ensure that your application is effectively integrated with the [Microsoft identity platform](./index.yml).
 
 > [!TIP]
-> The *Integration assistant* in the Azure portal can help you apply many of these best practices and recommendations. Select any of your [app registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) in the Azure portal, and then select the **Integration assistant** menu item to get started with the assistant.
+> The *Integration assistant* can help you apply many of these best practices and recommendations. Select any of your app registrations, and then select the **Integration assistant** menu item to get started with the assistant.
 
 ## Basics
 
@@ -39,7 +39,7 @@ Use the following checklist to ensure that your application is effectively integ
 
 ![checkbox](./media/integration-checklist/checkbox-two.svg) Adhere to the [Branding guidelines for applications](/azure/active-directory/develop/howto-add-branding-in-apps).
 
-![checkbox](./media/integration-checklist/checkbox-two.svg) Provide a meaningful name and logo for your application. This information appears on your [application’s consent prompt](application-consent-experience.md). Make sure your name and logo are representative of your company/product so that users can make informed decisions. Ensure that you're not violating any trademarks.
+![checkbox](./media/integration-checklist/checkbox-two.svg) Provide a meaningful name and logo for your application. This information appears on your [application's consent prompt](application-consent-experience.md). Make sure your name and logo are representative of your company/product so that users can make informed decisions. Ensure that you're not violating any trademarks.
 
 ## Privacy
 
@@ -53,7 +53,7 @@ Use the following checklist to ensure that your application is effectively integ
 
 ![checkbox](./media/integration-checklist/checkbox-two.svg) Don't enable support for the [OAuth2 implicit grant flow](v2-oauth2-implicit-grant-flow.md) unless explicitly required. Learn about the valid scenario [here](v2-oauth2-implicit-grant-flow.md#suitable-scenarios-for-the-oauth2-implicit-grant).
 
-![checkbox](./media/integration-checklist/checkbox-two.svg) Move beyond username/password. Don't use [resource owner password credential flow (ROPC)](v2-oauth-ropc.md), which directly handles users’ passwords. This flow requires a high degree of trust and user exposure and should only be used when other, more secure, flows can't be used. This flow is still needed in some scenarios (like DevOps), but beware that using it will impose constraints on your application.  For more modern approaches, read [Authentication flows and application scenarios](authentication-flows-app-scenarios.md).
+![checkbox](./media/integration-checklist/checkbox-two.svg) Move beyond username/password. Don't use [resource owner password credential flow (ROPC)](v2-oauth-ropc.md), which directly handles users' passwords. This flow requires a high degree of trust and user exposure and should only be used when other, more secure, flows can't be used. This flow is still needed in some scenarios (like DevOps), but beware that using it will impose constraints on your application.  For more modern approaches, read [Authentication flows and application scenarios](authentication-flows-app-scenarios.md).
 
 ![checkbox](./media/integration-checklist/checkbox-two.svg) Protect and manage your confidential app credentials for web apps, web APIs and daemon apps. Use [certificate credentials](./certificate-credentials.md), not password credentials (client secrets). If you must use a password credential, don't set it manually. Don't store credentials in code or config, and never allow them to be handled by humans. If possible, use [managed identities for Azure resources](../managed-identities-azure-resources/overview.md) or [Azure Key Vault](../../key-vault/general/basic-concepts.md) to store and regularly rotate your credentials.
 
@@ -67,9 +67,9 @@ Use the following checklist to ensure that your application is effectively integ
 
 ![checkbox](./media/integration-checklist/checkbox-two.svg) Don't program directly against protocols such as OAuth 2.0 and Open ID. Instead, leverage the [Microsoft Authentication Library (MSAL)](msal-overview.md). The MSAL libraries securely wrap security protocols in an easy-to-use library, and you get built-in support for [Conditional Access](../conditional-access/overview.md) scenarios, device-wide [single sign-on (SSO)](../manage-apps/what-is-single-sign-on.md), and built-in token caching support. For more info, see the list of Microsoft-supported [client libraries](reference-v2-libraries.md). If you must hand-code for the authentication protocols, you should follow the [Microsoft SDL](https://www.microsoft.com/sdl/default.aspx) or similar development methodology. Pay close attention to the security considerations in the standards specifications for each protocol.
 
-![checkbox](./media/integration-checklist/checkbox-two.svg) Migrate existing apps from Azure Active Directory Authentication Library (ADAL) to the [Microsoft Authentication Library](/entra/msal). MSAL is Microsoft’s latest identity platform solution and is available on .NET, JavaScript, Android, iOS, macOS, Python, and Java. Read more about migrating [ADAL.NET](msal-net-migration.md), [ADAL.js](msal-compare-msal-js-and-adal-js.md), and [ADAL.NET and iOS broker](msal-net-migration-ios-broker.md) apps.
+![checkbox](./media/integration-checklist/checkbox-two.svg) Migrate existing apps from Azure Active Directory Authentication Library (ADAL) to the [Microsoft Authentication Library](/entra/msal). MSAL is Microsoft's latest identity platform solution and is available on .NET, JavaScript, Android, iOS, macOS, Python, and Java. Read more about migrating [ADAL.NET](msal-net-migration.md), [ADAL.js](msal-compare-msal-js-and-adal-js.md), and [ADAL.NET and iOS broker](msal-net-migration-ios-broker.md) apps.
 
-![checkbox](./media/integration-checklist/checkbox-two.svg) For mobile apps, configure each platform using the application registration experience. In order for your application to take advantage of the Microsoft Authenticator or Microsoft Company Portal for single sign-in, your app needs a “broker redirect URI” configured. This allows Microsoft to return control to your application after authentication. When configuring each platform, the app registration experience will guide you through the process. Use the quickstart to download a working example. On iOS, use brokers and system webview whenever possible.
+![checkbox](./media/integration-checklist/checkbox-two.svg) For mobile apps, configure each platform using the application registration experience. In order for your application to take advantage of the Microsoft Authenticator or Microsoft Company Portal for single sign-in, your app needs a "broker redirect URI" configured. This allows Microsoft to return control to your application after authentication. When configuring each platform, the app registration experience will guide you through the process. Use the quickstart to download a working example. On iOS, use brokers and system webview whenever possible.
 
 ![checkbox](./media/integration-checklist/checkbox-two.svg) In web apps or web APIs, keep one token cache per account.  For web apps, the token cache should be keyed by the account ID.  For web APIs, the account should be keyed by the hash of the token used to call the API. MSAL.NET provides custom token cache serialization in the .NET Framework and .NET Core subplatforms. For security and performance reasons, our recommendation is to serialize one cache per user. For more information, read about [token cache serialization](msal-net-token-cache-serialization.md).
 
@@ -83,17 +83,17 @@ Use the following checklist to ensure that your application is effectively integ
 
 ![checkbox](./media/integration-checklist/checkbox-two.svg) Minimize the number of times a user needs to enter login credentials while using your app by attempting silent authentication (silent token acquisition) before interactive flows.
 
-![checkbox](./media/integration-checklist/checkbox-two.svg) Don't use “prompt=consent” for every sign-in. Only use prompt=consent if you’ve determined that you need to ask for consent for additional permissions (for example, if you’ve changed your app’s required permissions).
+![checkbox](./media/integration-checklist/checkbox-two.svg) Don't use "prompt=consent" for every sign-in. Only use prompt=consent if you've determined that you need to ask for consent for additional permissions (for example, if you've changed your app's required permissions).
 
 ![checkbox](./media/integration-checklist/checkbox-two.svg) Where applicable, enrich your application with user data. Using the [Microsoft Graph API](https://developer.microsoft.com/graph) is an easy way to do this. The [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) tool that can help you get started.
 
 ![checkbox](./media/integration-checklist/checkbox-two.svg) Register the full set of permissions that your app requires so admins can grant consent easily to their tenant. Use [incremental consent](./permissions-consent-overview.md#consent) at run time to help users understand why your app is requesting permissions that may concern or confuse users when requested on first start.
 
-![checkbox](./media/integration-checklist/checkbox-two.svg) Implement a [clean single sign-out experience](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut). It’s a privacy and a security requirement, and makes for a good user experience.
+![checkbox](./media/integration-checklist/checkbox-two.svg) Implement a [clean single sign-out experience](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut). It's a privacy and a security requirement, and makes for a good user experience.
 
 ## Testing
 
-![checkbox](./media/integration-checklist/checkbox-two.svg) Test for [Conditional Access policies](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut) that may affect your users’ ability to use your application.
+![checkbox](./media/integration-checklist/checkbox-two.svg) Test for [Conditional Access policies](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut) that may affect your users' ability to use your application.
 
 ![checkbox](./media/integration-checklist/checkbox-two.svg) Test your application with all possible accounts that you plan to support (for example, work or school accounts, personal Microsoft accounts, child accounts, and sovereign accounts).
 

articles/active-directory/develop/jwt-claims-customization.md

@@ -10,7 +10,7 @@ ms.workload: identity
 ms.topic: how-to
 ms.date: 05/01/2023
 ms.author: davidmu
-ms.custom: aaddev, curation-claims
+ms.custom: aaddev, curation-claims, devx-track-dotnet
 ms.reviewer: rahulnagraj, alamaral
 ---
 

articles/active-directory/develop/quickstart-console-app-netcore-acquire-token.md

@@ -11,7 +11,7 @@ ms.workload: identity
 ms.date: 03/13/2023
 ms.author: owenrichards
 ms.reviewer: jmprieur
-ms.custom: devx-track-csharp, aaddev, identityplatformtop40, "scenarios:getting-started", "languages:aspnet-core", mode-other
+ms.custom: devx-track-csharp, aaddev, identityplatformtop40, 'scenarios:getting-started', 'languages:aspnet-core', mode-other, devx-track-dotnet
 #Customer intent: As an application developer, I want to learn how my .NET Core app can get an access token and call an API that's protected by the Microsoft identity platform by using the client credentials flow.
 ---
 

articles/active-directory/develop/quickstart-console-app-nodejs-acquire-token.md

@@ -9,8 +9,8 @@ ms.subservice: develop
 ms.topic: quickstart
 ms.date: 09/09/2022
 ms.author: cwerner
+ms.custom: mode-other, devx-track-js
 #Customer intent: As an application developer, I want to learn how my Node.js app can get an access token and call an API that is protected by a Microsoft identity platform endpoint using client credentials flow.
-ms.custom: mode-other
 ---
 
 # Quickstart: Acquire a token and call Microsoft Graph from a Node.js console app

articles/active-directory/develop/quickstart-daemon-app-java-acquire-token.md

@@ -10,7 +10,7 @@ ms.topic: quickstart
 ms.workload: identity
 ms.date: 01/10/2022
 ms.author: dmwendia
-ms.custom: aaddev, "scenarios:getting-started", "languages:Java", devx-track-java, mode-other
+ms.custom: aaddev, 'scenarios:getting-started', 'languages:Java', devx-track-java, mode-other, devx-track-extended-java
 #Customer intent: As an application developer, I want to learn how my Java app can get an access token and call an API that's protected by Microsoft identity platform endpoint using client credentials flow.
 ---