Merge pull request #190685 from MicrosoftDocs/main

3/04 PM Publish

Author: huypub

.openpublishing.publish.config.json

@@ -34,7 +34,7 @@
   ],
   "branches_to_filter": [],
   "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/azure-docs",
-  "git_repository_branch_open_to_public_contributors": "master",
+  "git_repository_branch_open_to_public_contributors": "main",
   "skip_source_output_uploading": false,
   "need_preview_pull_request": true,
   "contribution_branch_mappings": {},
@@ -901,4 +901,4 @@
     "articles/container-apps/.openpublishing.redirection.container-apps.json",
     "articles/spring-cloud/.openpublishing.redirection.spring-cloud.json"
   ]
-}
+}

.vscode/settings.json

@@ -31,7 +31,7 @@ zone_pivot_groups: b2c-policy-type
 
 ## Create an application
 
-To enable sign-in for users with a Twitter account in Azure AD B2C, you need to create a Twitter application. If you don't already have a Twitter account, you can sign up at [`https://twitter.com/signup`](https://twitter.com/signup). You also need to [Apply for a developer account](https://developer.twitter.com/en/apply/user.html). For more information, see [Apply for access](https://developer.twitter.com/en/apply-for-access).
+To enable sign-in for users with a Twitter account in Azure AD B2C, you need to create a Twitter application. If you don't already have a Twitter account, you can sign up at [`https://twitter.com/signup`](https://twitter.com/signup). You also need to [Apply for a developer account](https://developer.twitter.com/). For more information, see [Apply for access](https://developer.twitter.com/en/apply-for-access).
 
 1. Sign in to the [Twitter Developer Portal](https://developer.twitter.com/portal/projects-and-apps) with your Twitter account credentials.
 1. Under **Standalone Apps**, select **+Create App**.

articles/active-directory-b2c/identity-provider-twitter.md

@@ -143,10 +143,22 @@ The top-level resource for policy keys in the Microsoft Graph API is the [Truste
 
 ## Application extension properties
 
+- [Create extension properties](/graph/api/application-post-extensionproperty)
 - [List extension properties](/graph/api/application-list-extensionproperty)
-- [Delete extension property](/graph/api/application-delete-extensionproperty)
+- [Get an extension property](/graph/api/extensionproperty-get)
+- [Delete extension property](/graph/api/extensionproperty-delete)
+- [Get available extension properties](/graph/api/directoryobject-getavailableextensionproperties)
+
+<!--
+#Hiding this note because user flows and extension attributes are different things in Microsoft Graph.
 
 Azure AD B2C provides a directory that can hold 100 custom attributes per user. For user flows, these extension properties are [managed by using the Azure portal](user-flow-custom-attributes.md). For custom policies, Azure AD B2C creates the property for you, the first time the policy writes a value to the extension property.
+-->
+
+Azure AD B2C provides a directory that can hold 100 extension values per user. To manage the extension values for a user, use the following [User APIs](/graph/api/resources/user) in Microsoft Graph.
+
+- [Update user](/graph/api/user-update): To write or remove the extension property value from the user.
+- [Get a user](/graph/api/user-get): To retrieve the extension property value for the user. The extension property will be returned by default through the `beta` endpoint, but only on `$select` through the `v1.0` endpoint.
 
 ## Audit logs
 

articles/active-directory-b2c/microsoft-graph-operations.md

@@ -177,19 +177,20 @@ The following example demonstrates the use of a custom attribute in Azure AD B2C
 
 ::: zone-end
 
-## Using custom attribute with MS Graph API
+## Manage extension attributes through Microsoft Graph
 
-[Microsoft Graph API][ms-graph-api] supports creating and updating a user with extension attributes. Extension attributes in the Microsoft Graph API are named by using the convention `extension_ApplicationClientID_attributename`, where the `ApplicationClientID` is the **Application (client) ID** of the `b2c-extensions-app` [application](#azure-ad-b2c-extensions-app). Note that the **Application (client) ID** as it's represented in the extension attribute name includes no hyphens. For example, the Microsoft Graph API identifies an extension attribute `loyaltyId` in Azure AD B2C as `extension_831374b3bd5041bfaa54263ec9e050fc_loyaltyId`. 
+You can use the Microsoft Graph API to create and manage extension attributes then set the values for a user.
 
-Learn how to [interact with resources in your Azure AD B2C tenant](microsoft-graph-operations.md#user-management) using Microsoft Graph API. 
- 
+Extension attributes in the Microsoft Graph API are named by using the convention `extension_ApplicationClientID_attributename`, where the `ApplicationClientID` is equivalent to the **appId** but without the hyphens. For example, if the **appId** of the `b2c-extensions-app` application is `25883231-668a-43a7-80b2-5685c3f874bc` and the **attributename** is `loyaltyId`, then the extension attribute will be named `extension_25883231668a43a780b25685c3f874bc_loyaltyId`.
+
+Learn how to [manage extension attributes in your Azure AD B2C tenant](microsoft-graph-operations.md#application-extension-properties) using the Microsoft Graph API. 
 
 ## Remove extension attribute
 
 Unlike built-in attributes, extension/custom attributes can be removed. The extension attributes' values can also be removed. 
 
 > [!Important]
-> Before you remove the extension/custom attribute, for each account in the directory, set the extension attribute value to null.  In this way you explicitly remove the extension attributes’s values. Then continue to remove the extension attribute itself. Extension/custom attribute is queryable using MS Graph API. 
+> Before you remove the extension/custom attribute, for each account in the directory, set the extension attribute value to `null`.  In this way you explicitly remove the extension attributes’s values. Then continue to remove the extension attribute itself. Extension/custom attribute is queryable using MS Graph API. 
 
 ::: zone pivot="b2c-user-flow"
 
@@ -207,7 +208,7 @@ Use the following steps to remove extension/custom attribute from a user flow in
 
 ::: zone pivot="b2c-custom-policy"
 
-To remove a custom attribute, use [MS Graph API](microsoft-graph-operations.md), and use the [Delete](/graph/api/application-delete-extensionproperty) command.
+Use the [Microsoft Graph API](microsoft-graph-operations.md#application-extension-properties) to delete the extension attribute from the application or to delete the extension attribute from the user.
 
 ::: zone-end
 

articles/active-directory-b2c/partner-bindid.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: troubleshooting
-ms.date: 08/07/2020
+ms.date: 03/04/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -19,7 +19,7 @@ ms.collection: M365-identity-device-management
 
 The [What If tool](what-if-tool.md) in Conditional Access is powerful when trying to understand why a policy was or wasn't applied to a user in a specific circumstance or if a policy would apply in a known state.
 
-The What If tool is located in the **Azure portal** > **Azure Active Directory** > **Conditional Access** > **What If**.
+The What If tool is located in the **Azure portal** > **Azure Active Directory** > **Security** > **Conditional Access** > **What If**.
 
 ![Conditional Access What If tool at default state](./media/troubleshoot-conditional-access-what-if/conditional-access-what-if-tool.png)
 
@@ -75,4 +75,4 @@ This test could be expanded to incorporate other data points to narrow the scope
 * [What is Conditional Access?](overview.md)
 * [What is Azure Active Directory Identity Protection?](../identity-protection/overview-identity-protection.md)
 * [What is a device identity?](../devices/overview.md)
-* [How it works: Azure AD Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md)
+* [How it works: Azure AD Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md)

articles/active-directory-b2c/user-flow-custom-attributes.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: how-to
-ms.date: 02/23/2022
+ms.date: 03/04/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -56,49 +56,25 @@ Create a location based Conditional Access policy that applies to service princi
 
 ### Create a risk-based Conditional Access policy
 
-Use this sample JSON for a risk-based policy using the [Microsoft Graph beta endpoint](/graph/api/resources/conditionalaccesspolicy?view=graph-rest-1.0&preserve-view=true). 
+Create a location based Conditional Access policy that applies to service principals.
 
-> [!NOTE]
-> Report-only mode doesn't report account risk on a risky workload identity.
+:::image type="content" source="media/workload-identity/conditional-access-workload-identity-risk-policy.png" alt-text="Creating a Conditional Access policy with a workload identity and risk as a condition." lightbox="media/workload-identity/conditional-access-workload-identity-risk-policy.png":::
 
-```json
-{
-"displayName": "Name",
-"state": "enabled OR disabled",
-"conditions": {
-"applications": {
-"includeApplications": [
-"All"
-],
-"excludeApplications": [],
-"includeUserActions": [],
-"includeAuthenticationContextClassReferences": [],
-"applicationFilter": null
-},
-"userRiskLevels": [],
-"signInRiskLevels": [],
-"clientApplications": {
-"includeServicePrincipals": [
-"ServicePrincipalsInMyTenant"
-],
-"excludeServicePrincipals": []
-},
-"servicePrincipalRiskLevels": [
-"low",
-"medium",
-"high"
-]
-},
-"grantControls": {
-"operator": "and",
-"builtInControls": [
-"block"
-],
-"customAuthenticationFactors": [],
-"termsOfUse": []
-}
-}
-```
+1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
+1. Select **New policy**.
+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
+1. Under **Assignments**, select **Users or workload identities**.
+   1. Under **What does this policy apply to?**, select **Workload identities (Preview)**.
+   1. Under **Include**, choose **Select service principals**, and select the appropriate service principals from the list.
+1. Under **Cloud apps or actions**, select **All cloud apps**. The policy will apply only when a service principal requests a token.
+1. Under **Conditions** > **Service principal risk (Preview)**
+   1. Set the **Configure** toggle to **Yes**.
+   1. Select the levels of risk where you want this policy to trigger.
+   1. Select **Done**.
+1. Under **Grant**, **Block access** is the only available option. Access is blocked when a token request is made from outside the allowed range.
+1. Your policy can be saved in **Report-only** mode, allowing administrators to estimate the effects, or policy is enforced by turning policy **On**.
+1. Select **Create** to complete your policy.
 
 ## Roll back
 

articles/active-directory/conditional-access/media/workload-identity/conditional-access-workload-identity-risk-policy.png

@@ -10,7 +10,7 @@ ms.subservice: develop
 ms.custom: aaddev
 ms.workload: identity
 ms.topic: reference
-ms.date: 01/04/2022
+ms.date: 03/04/2022
 ms.author: ryanwi
 ms.reviewer: paulgarn, ludwignick, jeedes, luleon
 ---
@@ -31,6 +31,10 @@ There are certain sets of claims that define how and when they're used in tokens
 | Basic claim set | Includes the claims that are emitted by default for tokens (in addition to the core claim set). You can [omit or modify basic claims](active-directory-claims-mapping.md#omit-the-basic-claims-from-tokens) by using the claims mapping policies. |
 | Restricted claim set | Can't be modified using policy. The data source cannot be changed, and no transformation is applied when generating these claims. |
 
+This section lists:
+- [Table 1: JSON Web Token (JWT) restricted claim set](#table-1-json-web-token-jwt-restricted-claim-set)
+- [Table 2: SAML restricted claim set](#table-2-saml-restricted-claim-set)
+
 ### Table 1: JSON Web Token (JWT) restricted claim set
 
 > [!NOTE]
@@ -175,6 +179,8 @@ There are certain sets of claims that define how and when they're used in tokens
 
 ### Table 2: SAML restricted claim set
 
+The following table lists the SAML claims that are by default in the restricted claim set.
+
 | Claim type (URI) |
 | ----- |
 |`http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged`|
@@ -200,8 +206,27 @@ There are certain sets of claims that define how and when they're used in tokens
 |`http://schemas.microsoft.com/ws/2008/06/identity/claims/role`|
 |`http://schemas.microsoft.com/ws/2008/06/identity/claims/wids`|
 |`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`|
-
-
+| `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname` |
+| `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid` |
+| `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid` |
+| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid` |
+| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname` |
+| `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`  |
+| `http://schemas.microsoft.com/ws/2008/06/identity/claims/role` |
+
+These claims are restricted by default, but are not restricted if you [set the AcceptMappedClaims property](active-directory-claims-mapping.md#update-the-application-manifest) to `true` in your app manifest *or* have a [custom signing key](active-directory-claims-mapping.md#configure-a-custom-signing-key):
+
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`
+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname`
+
+These claims are restricted by default, but are not restricted if you have a [custom signing key](active-directory-claims-mapping.md#configure-a-custom-signing-key):
+
+ - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`
+ - `http://schemas.microsoft.com/ws/2008/06/identity/claims/role`
+ 
 ## Claims mapping policy properties
 
 To control what claims are emitted and where the data comes from, use the properties of a claims mapping policy. If a policy is not set, the system issues tokens that include the core claim set, the basic claim set, and any [optional claims](active-directory-optional-claims.md) that the application has chosen to receive.
@@ -299,6 +324,19 @@ The ID element identifies which property on the source provides the value for th
 | User | employeeid | Employee ID |
 | User | facsimiletelephonenumber | Facsimile Telephone Number |
 | User | assignedroles | list of App roles assigned to user|
+| User | accountEnabled | Account Enabled |
+| User | consentprovidedforminor | Consent Provided For Minor |
+| User | createddatetime | Created Date/Time| 
+| User | creationtype | Creation Type |
+| User | lastpasswordchangedatetime | Last Password Change Date/Time |
+| User | mobilephone | Mobile Phone |
+| User | officelocation | Office Location |
+| User | onpremisesdomainname | On-Premises Domain Name |
+| User | onpremisesimmutableid | On-Premises Imutable ID |
+| User | onpremisessyncenabled | On-Premises Sync Enabled |
+| User | preferreddatalocation | Preffered Data Location |
+| User | proxyaddresses | Proxy Addresses |
+| User | usertype | User Type |
 | application, resource, audience | displayname | Display Name |
 | application, resource, audience | objectid | ObjectID |
 | application, resource, audience | tags | Service Principal Tag |