Merge pull request #887 from MicrosoftDocs/main

Merge main to live, 4 AM

docs/identity-platform/app-objects-and-service-principals.md

@@ -5,12 +5,12 @@ author: rwike77
 manager: CelesteDG
 ms.author: ryanwi
 ms.custom: has-azure-ad-ps-ref
-ms.date: 05/22/2023
+ms.date: 12/15/2023
 ms.reviewer: sureshja
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
-#Customer intent:
+# Customer intent: As an application developer, I want to understand the relationship between application objects and service principal objects in Microsoft Entra ID, so that I can properly register and manage my application's identity and access management functions.
 ---
 
 # Application and service principal objects in Microsoft Entra ID

docs/identity-platform/apple-sso-plugin.md

@@ -338,20 +338,24 @@ For the SSO plug-in to function properly, Apple devices should be allowed to rea
 
 Here is the minimum set of URLs that need to be allowed for the SSO plug-in to function:
 
-  - `*.cdn-apple.com`
-  - `*.networking.apple`
-  - `login.microsoftonline.com`
-  - `login.microsoft.com`
-  - `sts.windows.net`
-  - `login.partner.microsoftonline.cn`
-  - `login.chinacloudapi.cn`
-  - `login.microsoftonline.us`
-  - `login-us.microsoftonline.com`
+  - `app-site-association.cdn-apple.com`
+  - `app-site-association.networking.apple`
+  - `login.microsoftonline.com`(*)
+  - `login.microsoft.com`(*)
+  - `sts.windows.net`(*)
+  - `login.partner.microsoftonline.cn`(*)(**)
+  - `login.chinacloudapi.cn`(*)(**)
+  - `login.microsoftonline.us`(*)(**)
+  - `login-us.microsoftonline.com`(*)(**)
+
+(*) Allowing Microsoft domains is only required on operating system versions released before 2022. On the latest operating system versions, Apple relies fully on its CDN. 
+
+(**) You only need to allow sovereign cloud domains if you rely on those in your environment. 
 
 > [!WARNING]
-> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or tenant restrictions, ensure that traffic to these URLs are excluded from TLS break-and-inspect. Failure to exclude these URLs may cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access.
+> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or tenant restrictions, ensure that traffic to these URLs are excluded from TLS break-and-inspect. Failure to exclude these URLs will cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access. SSO plugin will not work reliably without fully excluding Apple CDN domains from interception, and you will experience intermittent issues until you do so.
 
-If your organization blocks these URLs users may see errors like `1012 NSURLErrorDomain error` or `1000 com.apple.AuthenticationServices.AuthorizationError`.
+If your organization blocks these URLs users may see errors like `1012 NSURLErrorDomain error`, `1000 com.apple.AuthenticationServices.AuthorizationError` or `1001 Unexpected`.
 
 Other Apple URLs that may need to be allowed are documented in their support article, [Use Apple products on enterprise networks](https://support.apple.com/HT210060).
 

docs/identity-platform/configurable-token-lifetimes.md

@@ -10,7 +10,7 @@ ms.reviewer: joroja
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
-#Customer intent:
+#Customer intent: As an IT admin, I want to configure the lifetime of access, ID, and SAML tokens for different types of applications, so that I can help mitigate the actions of a malicous actor who has obtained a token.
 ---
 # Configurable token lifetimes in the Microsoft identity platform (preview)
 

docs/identity-platform/configure-token-lifetimes.md

@@ -10,7 +10,7 @@ ms.reviewer: joroja
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: how-to
-#Customer intent:
+#Customer intent: As an IT admin, I want to create and assign token lifetime policies to apps and service principals, so that I can control the lifetime of access, SAML, or ID tokens for improved security and authentication management.
 ---
 # Configure token lifetime policies (preview)
 

docs/identity-platform/deploy-web-app-authentication-pipeline.md

@@ -10,7 +10,7 @@ ms.reviewer: mahender, jukullam
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: how-to
-#Customer intent:
+#Customer intent: As a developer, I want to deploy a web app in a pipeline and configure App Service authentication using Azure Pipelines, so that I can automate the deployment process and secure access to the web app.
 ---
 
 # Deploy a web app in a pipeline and configure App Service authentication

docs/identity-platform/developer-glossary.md

@@ -9,7 +9,7 @@ ms.reviewer:
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: reference
-#Customer intent:
+#Customer intent: As a developer integrating with the Microsoft identity platform, I want to understand the terminology and concepts related to authentication and authorization, so that I can effectively implement secure access to protected resources in my application.
 ---
 
 # Glossary: Microsoft identity platform

docs/identity-platform/federation-metadata.md

@@ -10,12 +10,12 @@ ms.reviewer: ludwignick
 ms.service: active-directory
 ms.subservice: azuread-dev
 ms.topic: conceptual
-#Customer intent:
+#Customer intent: As a developer integrating with Microsoft Entra ID, I want to understand the federation metadata document format and endpoints, so that I can configure my application to validate the issuer and token signing certificates of security tokens issued by Microsoft Entra ID.
 ---
 
 # Federation metadata
 
-Microsoft Entra ID publishes a federation metadata document for services that is configured to accept the security tokens that Microsoft Entra ID issues. The federation metadata document format is described in the [Web Services Federation Language (WS-Federation) Version 1.2](https://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html), which extends [Metadata for the OASIS Security Assertion Markup Language (SAML) v2.0](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf).
+Microsoft Entra ID publishes a federation metadata document for services that are configured to accept the security tokens that Microsoft Entra ID issues. The federation metadata document format is described in the [Web Services Federation Language (WS-Federation) Version 1.2](https://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html), which extends [Metadata for the OASIS Security Assertion Markup Language (SAML) v2.0](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf).
 
 ## Tenant-specific and tenant-independent metadata endpoints
 

docs/identity-platform/howto-add-branding-in-apps.md

@@ -5,11 +5,12 @@ author: rwike77
 manager: CelesteDG
 ms.author: ryanwi
 ms.custom: signin_art
-ms.date: 07/26/2023
+ms.date: 12/15/2023
 ms.reviewer: arielgo
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
+#Customer intent: As a developer integrating with Microsoft Entra ID, I want to understand the branding guidelines for applications, so that I can correctly use the appropriate Microsoft logo and images in my app.
 ---
 
 # Sign in with Microsoft: Branding guidelines for applications

docs/identity-platform/howto-add-terms-of-service-privacy-statement.md

@@ -5,12 +5,12 @@ author: rwike77
 manager: CelesteDG
 ms.author: ryanwi
 ms.custom:
-ms.date: 03/07/2023
+ms.date: 12/15/2023
 ms.reviewer: sureshja
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: how-to
-#Customer intent:
+#Customer intent: As an application developer building a multi-tenant app, I want to configure the terms of service and privacy statement for my app, so that I can help gain user's trust and encourage them to consent to using my app.
 ---
 
 # Configure terms of service and privacy statement for an app

docs/identity-platform/howto-authenticate-service-principal-powershell.md

@@ -5,13 +5,13 @@ author: rwike77
 manager: CelesteDG
 ms.author: ryanwi
 ms.custom: devx-track-azurepowershell
-ms.date: 03/07/2023
+ms.date: 12/15/2023
 ms.reviewer: tomfitz
 ms.service: active-directory
 ms.subservice: develop
 ms.tgt_pltfrm: multiple
 ms.topic: how-to
-#Customer intent:
+#Customer intent: As a developer, I want to create a service principal with a certificate, so my app or script can authenticate and access resources with its own credentials.
 ---
 
 # Use Azure PowerShell to create a service principal with a certificate

docs/identity-platform/mark-app-as-publisher-verified.md

@@ -10,52 +10,52 @@ ms.reviewer: xurobert
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: how-to
-#Customer intent:
+#Customer intent: As a developer integrating my app with the Microsoft identity platform, I want to complete the publisher verification process for my app registration, so that users can see that my app is publisher verified and trust its authenticity.
 ---
 
 # Mark your app as publisher verified
 
 When an app registration has a verified publisher, it means that the publisher of the app has [verified](/partner-center/verification-responses) their identity using their Cloud Partner Program (CPP) account and has associated this CPP account with their app registration. This article describes how to complete the [publisher verification](publisher-verification-overview.md) process.
 
 ## Quickstart
-If you are already enrolled in the [Cloud Partner Program (CPP)](/partner-center/intro-to-cloud-partner-program-membership) and have met the [pre-requisites](publisher-verification-overview.md#requirements), you can get started right away: 
+If you're already enrolled in the [Cloud Partner Program (CPP)](/partner-center/intro-to-cloud-partner-program-membership) and have met the [prerequisites](publisher-verification-overview.md#requirements), you can get started right away: 
 
-1. Sign into the [App Registration portal](https://aka.ms/PublisherVerificationPreview) using [multi-factor authentication](~/identity/authentication/concept-mfa-licensing.md)
+1. Sign into the [App Registration portal](https://aka.ms/PublisherVerificationPreview) using [multifactor authentication](~/identity/authentication/concept-mfa-licensing.md)
 
-1. Choose an app and click **Branding & properties**. 
+1. Choose an app and select **Branding & properties**. 
 
-1. Click **Add Partner One ID to verify publisher** and review the listed requirements.
+1. Select **Add Partner One ID to verify publisher** and review the listed requirements.
 
-1. Enter your Partner One ID and click **Verify and save**.
+1. Enter your Partner One ID and select **Verify and save**.
 
 For more details on specific benefits, requirements, and frequently asked questions see the [overview](publisher-verification-overview.md).
 
 ## Mark your app as publisher verified
-Make sure you meet the [pre-requisites](publisher-verification-overview.md#requirements), then follow these steps to mark your app(s) as Publisher Verified.  
+Make sure you meet the [prerequisites](publisher-verification-overview.md#requirements), then follow these steps to mark your app(s) as Publisher Verified.  
 
-1. Sign in using [multi-factor authentication](~/identity/authentication/concept-mfa-licensing.md) to an organizational (Microsoft Entra) account authorized to make changes to the app you want to mark as Publisher Verified and on the CPP Account in Partner Center.
+1. Sign in using [multifactor authentication](~/identity/authentication/concept-mfa-licensing.md) to an organizational (Microsoft Entra) account authorized to make changes to the app you want to mark as Publisher Verified and on the CPP Account in Partner Center.
 
     - The Microsoft Entra user must have one of the following [roles](~/identity/role-based-access-control/permissions-reference.md): Application Admin, Cloud Application Admin, or Global Administrator. 
 
     - The user in Partner Center must have the following [roles](/partner-center/permissions-overview): CPP Admin, Accounts Admin, or a Global Administrator (a shared role mastered in Microsoft Entra ID). 
 
 1. Navigate to the **App registrations** blade:  
 
-1. Click on an app you would like to mark as Publisher Verified and open the **Branding & properties** blade. 
+1. Select on an app you would like to mark as Publisher Verified and open the **Branding & properties** blade. 
 
 1. Ensure the app’s [publisher domain](howto-configure-publisher-domain.md) is set. 
 
 1. Ensure that either the publisher domain or a DNS-verified [custom domain](~/fundamentals/add-custom-domain.md) on the tenant matches the domain of the email address used during the verification process for your CPP account.
 
-1. Click **Add Partner One ID to verify publisher** near the bottom of the page. 
+1. Select **Add Partner One ID to verify publisher** near the bottom of the page. 
 
 1. Enter the **Partner One ID** for: 
 
     - A valid Cloud Partner Program account that has completed the verification process.  
 
     - The Partner global account (PGA) for your organization. 
 
-1. Click **Verify and save**. 
+1. Select **Verify and save**. 
 
 1. Wait for the request to process, this may take a few minutes. 
 

docs/identity-platform/publisher-verification-overview.md

@@ -10,7 +10,7 @@ ms.reviewer: xurobert
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
-#Customer intent:
+#Customer intent: As a developer integrating my app with the Microsoft identity platform, I want to learn about the publisher verification process, so that my organization can be identified as authentic by Microsoft and my app can gain increased transparency, improved branding, and smoother enterprise adoption.
 ---
 
 # Publisher verification

docs/identity-platform/reference-app-manifest.md

@@ -10,7 +10,7 @@ ms.reviewer: sureshja
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: reference
-#Customer intent:
+#Customer intent: As an application developer, I want to configure the attributes of an application in the Microsoft Entra admin center or programmatically, so that I can update the application object and define permissions and roles for the app.
 ---
 
 # Microsoft Entra app manifest

docs/identity-platform/reference-breaking-changes.md

@@ -10,7 +10,7 @@ ms.reviewer: ludwignick
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: reference
-#Customer intent:
+#Customer intent: As a developer, I want to stay updated on the changes and updates to the Microsoft identity platform, so that I can ensure the security, usability, and compliance of my applications.
 ---
 
 # What's new for authentication?

docs/identity-platform/reference-error-codes.md

@@ -10,7 +10,7 @@ ms.reviewer: ludwignick
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: reference
-#Customer intent:
+#Customer intent: As a developer troubleshooting authentication errors, I want to understand the meaning and possible resolutions for the AADSTS error codes returned by the Microsoft Entra security token service, so that I can effectively debug and fix authentication issues in my application.
 ---
 
 # Microsoft Entra authentication and authorization error codes

docs/identity-platform/signing-key-rollover.md

@@ -10,7 +10,7 @@ ms.reviewer: paulgarn, ludwignick
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
-#Customer intent:
+#Customer intent: As a developer using the Microsoft identity platform for authentication in my web application, I want to ensure that my application can handle public key rollover automatically, so that my application will continue to validate token signatures without manual intervention.
 ---
 
 # Signing key rollover in the Microsoft identity platform

docs/identity-platform/single-and-multi-tenant-apps.md

@@ -10,7 +10,7 @@ ms.reviewer: justhu
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
-#Customer intent:
+#Customer intent: As a developer, I want to understand the concept of tenancy in Microsoft Entra ID, so that I can configure my app to be either single-tenant or multi-tenant during app registration and determine who can sign in to my app.
 ---
 
 # Tenancy in Microsoft Entra ID