Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into wifmsi

Author: rwike77

.openpublishing.publish.config.json

@@ -233,7 +233,13 @@
     {
       "path_to_root": "azure-functions-durable-js",
       "url": "https://github.com/Azure/azure-functions-durable-js",
-      "branch": "main",
+      "branch": "v2.x",
+      "branch_mapping": {}
+    },
+    {
+      "path_to_root": "azure-functions-durable-js-v3",
+      "url": "https://github.com/Azure/azure-functions-durable-js",
+      "branch": "v3.x",
       "branch_mapping": {}
     },
     {
@@ -536,6 +542,12 @@
       "branch": "main",
       "branch_mapping": {}
     },
+    {
+      "path_to_root": "azure-cosmos-db-mongodb-mern-web-app",
+      "url": "https://github.com/Azure-samples/msdocs-azure-cosmos-db-mongodb-mern-web-app/",
+      "branch": "main",
+      "branch_mapping": {}
+    },
     {
       "path_to_root": "azure-cosmos-spark",
       "url": "https://github.com/Azure/azure-cosmosdb-spark",

.openpublishing.redirection.active-directory.json

@@ -7274,6 +7274,11 @@
     {
       "source_path_from_root": "/articles/active-directory/active-directory-privileged-identity-management-how-to-require-mfa.md",
       "redirect_url": "/azure/active-directory/privileged-identity-management/pim-how-to-require-mfa",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/privileged-identity-management/pim-how-to-require-mfa.md",
+      "redirect_url": "/azure/active-directory/authentication/howto-mfa-getstarted",
       "redirect_document_id": true
     },
     {

.openpublishing.redirection.json

@@ -4,6 +4,11 @@
       "source_path": "articles/storage/tables/table-storage-design-encrypt-data.md",
       "redirect_url": "/previous-versions/azure/storage/tables/table-storage-design-encrypt-data",
       "redirect_document_id": false
+    },
+     {
+       "source_path": "articles/active-directory/external-identities/configure-saas-apps.md",
+       "redirect_url": "/azure/active-directory/saas-apps/dropboxforbusiness-tutorial",
+       "redirect_document_id": false
     },
     {
       "source_path": "articles/databox-online/azure-stack-edge-zero-touch-provisioning.md",
@@ -11503,6 +11508,11 @@
             "redirect_url": "/azure/firewall/ftp-support",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/firewall/firewall-network-rule-logging.md",
+            "redirect_url": "/azure/firewall/firewall-diagnostics",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/security/governance-in-azure.md",
             "redirect_url": "/azure/governance/",

articles/active-directory/authentication/how-to-mfa-authenticator-lite.md

@@ -103,6 +103,10 @@ If enabled for Authenticator Lite, users are prompted to register their account
 
 :::image type="content" border="true" source="./media/how-to-mfa-authenticator-lite/registration.png" alt-text="Screenshot of how to register Authenticator Lite.":::
 
+>[!NOTE]
+>Users with no MFA methods registered will be prompted to download the Authenticator App when they begin registration flow. For the most seamless Authenticator Lite registration experience, [provision your users a TAP](https://learn.microsoft.com/azure/active-directory/authentication/howto-authentication-temporary-access-pass) (temporary access pass) which they can use during registration.
+
+
 ## Monitoring Authenticator Lite usage
 [Sign-in logs](/graph/api/signin-list) can show which app was used to complete user authentication. To view the latest sign-ins, use the following call on the beta API endpoint:
 
@@ -151,6 +155,16 @@ Users can only register for Authenticator Lite from mobile Outlook. Authenticato
 
 Users that have Microsoft Authenticator on their device can't register Authenticator Lite. If a user has an Authenticator Lite registration and then later downloads Microsoft Authenticator, they can register both. If a user has two devices, they can register Authenticator Lite on one and Microsoft Authenticator on the other.
 
+
+## Known Issues (Public preview)
+
+### SSPR Notifications
+TOTP codes from Outlook will work for SSPR, but the push notification will not work and will return an error.
+
+### Conditional Access Registration Policies
+CA policies for registration do not currently apply in Outlook registration flows.
+
+
 ## Next steps
 
 [Authentication methods in Azure Active Directory](concept-authentication-authenticator-app.md)

articles/active-directory/conditional-access/concept-conditional-access-conditions.md

@@ -190,7 +190,7 @@ By selecting **Other clients**, you can specify a condition that affects apps th
 
 ## Device state (deprecated)
 
-**This preview feature has been deprecated.** Customers should use the **Filter for devices** condition in the Conditional Access policy, to satisfy scenarios previously achieved using device state (preview) condition.
+**This preview feature has been deprecated.** Customers should use the **Filter for devices** condition in the Conditional Access policy, to satisfy scenarios previously achieved using device state (deprecated) condition.
 
 
 The device state condition was used to exclude devices that are hybrid Azure AD joined and/or devices marked as compliant with a Microsoft Intune compliance policy from an organization's Conditional Access policies.
@@ -206,7 +206,7 @@ The above scenario, can be configured using *All users* accessing the *Microsoft
 
 ## Filter for devices
 
-There’s a new optional condition in Conditional Access called filter for devices. When configuring filter for devices as a condition, organizations can choose to include or exclude devices based on a filter using a rule expression on device properties. The rule expression for filter for devices can be authored using rule builder or rule syntax. This experience is similar to the one used for dynamic membership rules for groups. For more information, see the article [Conditional Access: Filter for devices (preview)](concept-condition-filters-for-devices.md).
+There’s a new optional condition in Conditional Access called filter for devices. When configuring filter for devices as a condition, organizations can choose to include or exclude devices based on a filter using a rule expression on device properties. The rule expression for filter for devices can be authored using rule builder or rule syntax. This experience is similar to the one used for dynamic membership rules for groups. For more information, see the article [Conditional Access: Filter for devices](concept-condition-filters-for-devices.md).
 
 ## Next steps
 

articles/active-directory/conditional-access/concept-token-protection.md

@@ -4,7 +4,7 @@ description: Learn how to use token protection in Conditional Access policies.
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 03/09/2023
+ms.date: 03/24/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -19,7 +19,13 @@ Token protection (sometimes referred to as token binding in the industry) attemp
 
 Token protection creates a cryptographically secure tie between the token and the device (client secret) it's issued to. Without the client secret, the bound token is useless. When a user registers a Windows 10 or newer device in Azure AD, their primary identity is [bound to the device](../devices/concept-primary-refresh-token.md#how-is-the-prt-protected). This connection means that any issued sign-in token is tied to the device significantly reducing the chance of theft and replay attacks.
 
-With this preview, we're giving you the ability to create a Conditional Access policy to require token protection for sign-in tokens for specific services. We support token protection for sign-in tokens in Conditional Access for desktop applications accessing Exchange Online and SharePoint Online on Windows devices.
+> [!IMPORTANT]
+> Token protection is currently in public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+With this preview, we're giving you the ability to create a Conditional Access policy to require token protection for sign-in tokens (refresh tokens) for specific services. We support token protection for sign-in tokens in Conditional Access for desktop applications accessing Exchange Online and SharePoint Online on Windows devices.
+
+> [!NOTE]
+> We may interchange sign in tokens and refresh tokens in this content. This preview doesn't currently support access tokens or web cookies.
 
 :::image type="content" source="media/concept-token-protection/complete-policy-components-session.png" alt-text="Screenshot showing a Conditional Access policy requiring token protection as the session control":::
 

articles/active-directory/develop/active-directory-configurable-token-lifetimes.md

@@ -117,6 +117,10 @@ A token's validity is evaluated at the time the token is used. The policy with t
 
 All timespans used here are formatted according to the C# [TimeSpan](/dotnet/api/system.timespan) object - D.HH:MM:SS.  So 80 days and 30 minutes would be `80.00:30:00`.  The leading D can be dropped if zero, so 90 minutes would be `00:90:00`.  
 
+## REST API reference
+
+You can configure token lifetime policies and assign them to apps and service principals using Microsoft Graph. For more information, see the [tokenLifetimePolicy resource type](/graph/api/resources/tokenlifetimepolicy) and its associated methods.
+
 ## Cmdlet reference
 
 These are the cmdlets in the [Azure Active Directory PowerShell for Graph Preview module](/powershell/module/azuread/?view=azureadps-2.0-preview&preserve-view=true#service-principals).

articles/active-directory/develop/msal-client-application-configuration.md

@@ -87,7 +87,7 @@ Using MSAL in your code, you specify the audience by using one of the following
 
 MSAL will throw a meaningful exception if you specify both the Azure AD authority audience and the tenant ID.
 
-If you don't specify an audience, your app will target Azure AD and personal Microsoft accounts as an audience. (That is, it will behave as though `common` were specified.)
+It is recommended to specify an audience, as many tenants, and the applications deployed in them will have guest users. If your application will have external users, the endpoints of `common` and `organization` are best avoided. If you don't specify an audience, your app will target Azure AD and personal Microsoft accounts as an audience and will behave as though `common` were specified.
 
 ### Effective audience
 

articles/active-directory/external-identities/configure-saas-apps.md

@@ -123,4 +123,3 @@ ContentType: application/json
 
 - [Add Azure Active Directory B2B collaboration users by using PowerShell](customize-invitation-api.md#powershell)
 - [Properties of an Azure AD B2B guest user](user-properties.md)
-- [B2B for Azure AD integrated apps](configure-saas-apps.md)