Merge pull request #897 from MicrosoftDocs/main
12/18/2023 AM Publish
Taojunshen authored Dec 18, 2023
2 parents 88bdff3 + 9d25ffd commit 3860a4a
Showing 14 changed files with 214 additions and 63 deletions.
6 changes: 3 additions & 3 deletions docs/external-id/auditing-and-reporting.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ description: Guest user properties are configurable in Microsoft Entra B2B colla
ms.service: active-directory
ms.subservice: B2B
ms.topic: how-to
ms.date: 11/24/2022
ms.date: 12/18/2023

ms.author: cmulligan
author: csmulligan
Expand All @@ -21,15 +21,15 @@ ms.collection: M365-identity-device-management
With guest users, you have auditing capabilities similar to with member users.

## Access reviews
You can use access reviews to periodically verify whether guest users still need access to your resources. The **Access reviews** feature is available in **Microsoft Entra ID** under **Identity Governance** > **Access reviews**. To learn how to use access reviews, see [Manage guest access with Microsoft Entra access reviews](~/id-governance/manage-guest-access-with-access-reviews.md).
You can use access reviews to periodically verify whether guest users still need access to your resources. The **Access reviews** feature is available in **Microsoft Entra ID** under **Identity governance** > **Access reviews**. To learn how to use access reviews, see [Manage guest access with Microsoft Entra access reviews](~/id-governance/manage-guest-access-with-access-reviews.md).

## Audit logs

The Microsoft Entra audit logs provide records of system and user activities, including activities initiated by guest users. To access audit logs, in **Identity**, under **Monitoring & health**, select **Audit logs**. To access audit logs of one specific user, select **Identity** > **Users** > **All users** > select the user > **Audit logs**.

:::image type="content" source="media/auditing-and-reporting/audit-log.png" alt-text="Screenshot showing an example of audit log output." lightbox="media/auditing-and-reporting/audit-log-large.png":::

You can dive into each of these events to get the details. For example, let's look at the user update details.
You can dive into each of these events to get the details. For example, let's look at the user management details.

:::image type="content" source="media/auditing-and-reporting/activity-details.png" alt-text="Screenshot showing an example of activity details output." lightbox="media/auditing-and-reporting/activity-details-large.png":::

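Review bot: the two navigation paths in this hunk disagree on the portal root. The access reviews line says **Microsoft Entra ID** under **Identity governance**, while the audit logs paragraph says **Identity** > **Monitoring & health**, and the second form is the Microsoft Entra admin center wording used elsewhere in this commit (Identity > Applications, Identity > Hybrid management). Suggest "**Identity governance** > **Access reviews**" without the **Microsoft Entra ID** prefix. The "Identity governance" casing fix and the switch from "user update details" to "user management details" are fine, provided the audit-log.png screenshot modified in this same commit actually shows a user management entry rather than the old user update one.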
2 changes: 1 addition & 1 deletion docs/external-id/customize-invitation-api.md
Expand Up @@ -7,7 +7,7 @@ ms.service: active-directory
ms.subservice: B2B
ms.custom: has-azure-ad-ps-ref
ms.topic: how-to
ms.date: 12/02/2022
ms.date: 12/18/2023

ms.author: cmulligan
author: csmulligan
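Review bot: ms.date moves from 12/02/2022 to 12/18/2023 but this is the file's only change (1 addition, 1 deletion), so the date now advertises a review that the diff does not show. Either leave ms.date alone or include the content edit it is meant to accompany in this commit; readers rely on ms.date to judge whether the invitation API instructions are still current.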
5 changes: 2 additions & 3 deletions docs/external-id/hybrid-organizations.md
Expand Up @@ -6,7 +6,7 @@ description: Give partners access to both on-premises and cloud resources with M
ms.service: active-directory
ms.subservice: B2B
ms.topic: conceptual
ms.date: 11/23/2022
ms.date: 12/18/2023
ms.author: cmulligan
author: csmulligan
manager: celestedg
Expand All @@ -23,7 +23,7 @@ Microsoft Entra B2B collaboration makes it easy for you to give your external pa

## Grant B2B users in Microsoft Entra ID access to your on-premises apps

If your organization uses [Microsoft Entra B2B](what-is-b2b.md) collaboration capabilities to invite guest users from partner organizations to your Microsoft Entra ID, you can now provide these B2B users access to on-premises apps.
If your organization uses Microsoft Entra B2B collaboration capabilities to invite guest users from partner organizations to your Microsoft Entra ID, you can now provide these B2B users access to on-premises apps.

For apps that use SAML-based authentication, you can make these apps available to B2B users through the Azure portal, using Microsoft Entra application proxy for authentication.

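Review bot: removing the link on "Microsoft Entra B2B" leaves the first mention of B2B collaboration in this section without a pointer to what-is-b2b.md, and nothing else in the hunk adds one. If the link is being dropped to avoid a self-referential loop, say so in the commit message; otherwise keep it, for example `[Microsoft Entra B2B](what-is-b2b.md) collaboration capabilities`. Unrelated to the change but in the context lines: "through the Azure portal" should be the Microsoft Entra admin center, which is the portal the rest of this commit points readers to.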
Expand All @@ -47,5 +47,4 @@ For implementation details, see [Grant locally managed partner accounts access t
## Next steps

- [Grant Microsoft Entra B2B users access to your on-premises applications](hybrid-cloud-to-on-premises.md)
- [B2B direct connect](b2b-direct-connect-overview.md)
- [Grant locally managed partner accounts access to cloud resources using Microsoft Entra B2B collaboration](hybrid-on-premises-to-cloud.md)
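Review bot: the hunk header (-47,5 +47,4) shows one line leaving Next steps, and by the file totals (2 additions, 3 deletions) the removed entry is the [B2B direct connect](b2b-direct-connect-overview.md) link, the only cross-reference on this page to the other cross-tenant collaboration model. The commit message ("12/18/2023 AM Publish") gives no reason. If direct connect is out of scope for a hybrid (on-premises) article, fine, but if the bullet was dropped because the target moved, fix the path rather than deleting the pointer.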
Binary file modified docs/external-id/media/auditing-and-reporting/audit-log.png
4 changes: 2 additions & 2 deletions docs/fundamentals/frontline-worker-management.md
Expand Up @@ -6,7 +6,7 @@ services: active-directory
ms.service: active-directory
ms.subservice: fundamentals
ms.topic: conceptual
ms.date: 06/16/2022
ms.date: 12/18/2023
ms.author: cmulligan
author: csmulligan
manager: CelesteDG
Expand All @@ -33,7 +33,7 @@ Microsoft Entra ID in the My Staff portal enables delegation of user management.

## Accelerated onboarding with simplified authentication

My Staff also enables frontline managers to register their team members' phone numbers for [SMS sign-in](~/identity/authentication/howto-authentication-sms-signin.md). In many verticals, frontline workers maintain a local username and password combination, a solution that is often cumbersome, expensive, and error-prone. When IT enables authentication using SMS sign-in, frontline workers can log in with [Single Sign-On (SSO)](~/identity/enterprise-apps/what-is-single-sign-on.md) for Microsoft Teams and other applications using just their phone number and a one-time passcode (OTP) sent via SMS. Single Sign-On makes signing in for frontline workers simple and secure, delivering quick access to the apps they need most.
My Staff also enables frontline managers to register their team members' phone numbers for [SMS sign-in](~/identity/authentication/howto-authentication-sms-signin.md). In many verticals, frontline workers maintain a local username and password combination, a solution that is often cumbersome, expensive, and error-prone. When IT enables authentication using SMS sign-in, frontline workers can sign in with [single sign-on (SSO)](~/identity/enterprise-apps/what-is-single-sign-on.md) for Microsoft Teams and other applications using just their phone number and a one-time passcode (OTP) sent via SMS. Single sign-on makes signing in for frontline workers simple and secure, delivering quick access to the apps they need most.

![SMS sign-in](media/concept-fundamentals-frontline-worker/sms-signin.png)

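Review bot: the sentence this hunk retouches still calls phone-number-plus-SMS-OTP sign-in "simple and secure", and the hunk only lowercases "single sign-on" and changes "log in" to "sign in". SMS one-time passcodes are susceptible to SIM swapping and to real-time phishing, so while the line is open, soften "secure" to "convenient" or add a pointer to the limitations in the linked SMS sign-in article; as written, the page overstates the assurance level of that credential. The casing changes themselves match the style used elsewhere in this commit.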
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ To enable the Microsoft Entra Internet Access forwarding profile to forward user

## Create a Web content filtering policy

1. Browse to **Global Secure Access** > **Secure** **Web content filtering policy**.
1. Browse to **Global Secure Access** > **Secure** > **Web content filtering policy**.
1. Select **Create policy**.
1. Enter a name and description for the policy and select **Next**.
1. Select **Add rule**.
Original file line number Diff line number Diff line change
Expand Up @@ -4,41 +4,40 @@ description: Learn how to build a desktop app that calls web APIs to acquire a t
author: Dickson-Mwendia
manager: CelesteDG
ms.author: dmwendia
ms.custom:
ms.date: 07/10/2022
ms.date: 12/18/2023
ms.service: active-directory
ms.subservice: develop
ms.topic: conceptual
#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
---

# Desktop app that calls web APIs: Acquire a token using Username and Password
# Desktop app that calls web APIs: Acquire a token using username and password

You can also acquire a token by providing the username and password. This flow is limited and not recommended, but there are still use cases where it's necessary.
In your desktop applications, you can use the username and password flow, also known as Resource Owner Password Credentials (ROPC), to acquire a token silently.

## This flow isn't recommended
>[!WARNING]
> The username and password flow is **not recommended** as the application will be asking a user for their password directly, which is an insecure pattern. For more information about the risks and challenges the ROPC flow poses, refer to ["What’s the solution to the growing problem of passwords?](https://news.microsoft.com/features/whats-solution-growing-problem-passwords-says-microsoft/).
The username and password flow is *not recommended* because having your application ask a user for their password isn't secure. For more information, see [What's the solution to the growing problem of passwords?](https://news.microsoft.com/features/whats-solution-growing-problem-passwords-says-microsoft/) The preferred flow for acquiring a token silently on Windows domain joined machines is [integrated Windows authentication](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Integrated-Windows-Authentication). You can also use [device code flow](https://aka.ms/msal-net-device-code-flow).
Additionally, by using a username and password, developers give up a number of things, including:

Using a username and password is useful in some cases, such as DevOps scenarios. But if you want to use a username and password in interactive scenarios where you provide your own UI, think about how to move away from it. By using a username and password, you're giving up a number of things:
- Core tenets of modern identity - A password can get phished and replayed because a shared secret can be intercepted.
- Multi-factor authentication (MFA) - Users can't sign in because there's no interaction.
- Single sign-on (SSO) capabilities.

- Core tenets of modern identity. A password can get phished and replayed because a shared secret can be intercepted. It's incompatible with passwordless.
- Users who need to do MFA can't sign in because there's no interaction.
- Users can't do single sign-on (SSO).
The username and password flow also has the following constraints:

## Constraints
- The username and password flow isn't compatible with Conditional Access and multi-factor authentication. If your app runs in a Microsoft Entra tenant where the admin requires multi-factor authentication, like most organizations do, you can't use this flow.
- It only works for work and school accounts, not personal Microsoft Accounts.
- The flow is available on .NET desktop and .NET Core, but not on UWP.

The following constraints also apply:
Using a username and password is useful in some cases, such as DevOps scenarios. However, if you want to use a username and password in interactive scenarios where you provide your own UI, consider moving away from it.

- The username and password flow isn't compatible with Conditional Access and multi-factor authentication. As a consequence, if your app runs in a Microsoft Entra tenant where the tenant admin requires multi-factor authentication, you can't use this flow. Many organizations do that.
- It works only for work and school accounts (not MSA).
- The flow is available on .NET desktop and .NET Core, but not on UWP.
The preferred flow for acquiring a token silently on Windows is using the [Windows authentication broker](scenario-desktop-acquire-token-wam.md). Alternatively, developers can also use the [Device code flow](/entra/msal/dotnet/acquiring-tokens/desktop-mobile/device-code-flow) on devices without access to the web browser.

## B2C specifics
If you're building a desktop application that signs in users with social identities using the Resource Owner Password Credentials (ROPC) flow, see [how to sign in users with social identities by using Azure AD B2C](/entra/msal/dotnet/acquiring-tokens/desktop-mobile/social-identities)

For more information, see [Resource Owner Password Credentials (ROPC) with B2C](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/AAD-B2C-specifics#resource-owner-password-credentials-ropc-with-b2c).

## Use it
## Use the ROPC flow

# [.NET](#tab/dotnet)

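Review bot: the >[!WARNING] admonition is replaced by plain prose under "This flow isn't recommended", which removes the only visual cue that ROPC is discouraged, while the new opening sentence introduces the flow as a way "to acquire a token silently" before any warning appears. Keep the callout, for example:
>[!WARNING]
> The username and password flow is *not recommended* because having your application ask a user for their password isn't secure.
Two other drops in this hunk look unintentional: the old bullet noted that the flow "is incompatible with passwordless", and the old text named integrated Windows authentication as the silent alternative on domain-joined machines, whereas the new text points only to the Windows authentication broker and device code flow. Either restore IWA as an option or state that the broker supersedes it. The tightened constraints wording ("like most organizations do") and the B2C pointer moving to the /entra/msal/dotnet path are fine.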
Expand Down Expand Up @@ -318,11 +317,11 @@ The following extract is from the [MSAL Java code samples](https://github.com/Az

# [macOS](#tab/macOS)

This flow isn't supported on MSAL for macOS.
The ROPC flow isn't supported on MSAL for macOS.

# [Node.js](#tab/nodejs)

This extract is from the [MSAL Node dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/username-password). In the code snippet below, the username and password are hardcoded for illustration purposes only. This should be avoided in production. Instead, a basic UI prompting the user to enter her username/password would be recommended.
This extract is from the [MSAL Node dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/username-password). In the following code snippet, the username and password are hardcoded for illustration purposes only. This should be avoided in production. Instead, a basic UI prompting the user to enter her username/password would be recommended.

```javascript
const msal = require("@azure/msal-node");
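Review bot: the edited Node.js paragraph still reads "prompting the user to enter her username/password"; use "their". The hard-coded-credentials caveat is worth keeping, but "This should be avoided in production" is weaker than the rest of the page: say that credentials must never be embedded in source or committed, and that a prompt is the minimum even for the DevOps case the page allows.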
34 changes: 1 addition & 33 deletions docs/identity/app-provisioning/on-premises-scim-provisioning.md
Expand Up @@ -26,44 +26,12 @@ The Microsoft Entra provisioning service supports a [SCIM 2.0](https://techcommu

<a name='download-install-and-configure-the-azure-ad-connect-provisioning-agent-package'></a>

## Download, install, and configure the Microsoft Entra Connect Provisioning Agent Package
[!INCLUDE [app-provisioning-provisioning-agent-install.md](~/includes/app-provisioning-provisioning-agent-install.md)]

If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section.

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](~/identity/role-based-access-control/permissions-reference.md#hybrid-identity-administrator).
1. Browse to **Identity** > **Hybrid management** > **Microsoft Entra Connect** > **Cloud sync** > **Agents**.

:::image type="content" source="~/includes/media/entra-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="~/includes/media/entra-cloud-sync-how-to-install/new-ux-1.png":::

1. Select **Download on-premises agent**, and select **Accept terms & download**.

>[!NOTE]
>Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect cloud sync / HR-driven provisioning. All three scenarios should not be managed on the same agent.
1. Open the provisioning agent installer, agree to the terms of service, and select **next**.
1. When the provisioning agent wizard opens, continue to the **Select Extension** tab and select **On-premises application provisioning** when prompted for the extension you want to enable.
1. The provisioning agent will use the operating system's web browser to display a popup window for you to authenticate to Microsoft Entra ID, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly.
1. Provide credentials for a Microsoft Entra administrator when you're prompted to authorize. The user is required to have the Hybrid Identity Administrator or Global Administrator role.
1. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer.

## Provisioning to SCIM-enabled application
Once the agent is installed, no further configuration is necessary on-premises, and all provisioning configurations are then managed from the portal. Repeat the below steps for every on-premises application being provisioned via SCIM.

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](~/identity/role-based-access-control/permissions-reference.md#application-administrator).
1. Browse to **Identity** > **Applications** > **Enterprise applications**.
1. Add the **On-premises SCIM app** from the [gallery](~/identity/enterprise-apps/add-application-portal.md).
1. From the left hand menu navigate to the **Provisioning** option and select **Get started**.
1. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option.
1. Select the agent that you installed from the dropdown list and select **Assign Agent(s)**.
1. Now either wait 10 minutes or restart the **Microsoft Entra Connect Provisioning Agent** before proceeding to the next step & testing the connection.
1. In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolvable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim

![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)

1. Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test will fail. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues.

> [!NOTE]
> If the test connection fails, you will see the request made. Please note that while the URL in the test connection error message is truncated, the actual request sent to the application contains the entire URL provided above.

1. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
1. Add users to scope by [assigning users and groups](~/identity/enterprise-apps/add-application-portal-assign-users.md) to the application.
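Review bot: the removed installation steps are replaced by the app-provisioning-provisioning-agent-install.md include, but the include's contents are not in this diff, and two of the removed items are easy to lose: the NOTE that on-premises application provisioning, cloud sync and HR-driven provisioning must run on separate agents, and the role requirement (Hybrid Identity Administrator or Global Administrator) for the authorization prompt. Confirm the include carries both, and that it still has the **Select Extension** > **On-premises application provisioning** step, since that choice is what scopes the agent to this scenario. The "Provisioning to SCIM-enabled application" section that follows assumes the agent exists and that Application Administrator is sufficient from that point on, which is only true if the include covers the earlier, higher-privilege step.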

0 comments on commit 3860a4a