Commit

Merging changes synced from https://github.com/MicrosoftDocs/entra-do…
…cs-pr (branch live)
Learn Build Service GitHub App authored and Learn Build Service GitHub App committed Jan 11, 2024
2 parents 3e48c87 + c4afeb5 commit bf21237
Showing 20 changed files with 419 additions and 114 deletions.
2 changes: 1 addition & 1 deletion docs/architecture/resilience-in-credentials.md
Expand Up @@ -46,7 +46,7 @@ In addition to individual user resiliency described above, enterprises should pl
* Deploy [Passwordless credentials](~/identity/authentication/howto-authentication-passwordless-deployment.md) such as Windows Hello for Business, Phone Authentication, and FIDO2 security keys to reduce dependencies.
* Deploy the [Microsoft Authenticator App](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) as a second factor.
* Turn on [password hash synchronization](~/identity/hybrid/connect/whatis-phs.md) for hybrid accounts that are synchronized from Windows Server Active Directory. This option can be enabled alongside federation services such as Active Directory Federation Services (AD FS) and provides a fallback in case the federation service fails.
* [Analyze usage of multifactor authentication methods](/samples/azure-samples/azure-mfa-authentication-method-analysis/azure-mfa-authentication-method-analysis/) to improve user experience.
* [Analyze usage of multifactor authentication methods](~/identity/authentication/howto-authentication-methods-activity.md) to improve user experience.
* [Implement a resilient access control strategy](~/identity/authentication/concept-resilient-controls.md)

## Next steps
Expand Up @@ -8,7 +8,7 @@ ms.service: active-directory

ms.subservice: ciam
ms.topic: how-to
ms.date: 07/12/2023
ms.date: 01/11/2024
ms.author: mimart
ms.custom: it-pro

Expand All @@ -19,8 +19,11 @@ ms.custom: it-pro

[Multifactor authentication](~/identity/authentication/concept-mfa-howitworks.md) (MFA) adds a layer of security to your customer-facing applications. With MFA, customers who sign in with a username and password are prompted for a one-time passcode as a second verification method. This article describes how to enforce MFA for your customers by creating a Microsoft Entra Conditional Access policy and adding MFA to your sign-up and sign-in user flow.

> [!NOTE]
> If you want to enable MFA, set your local account authentication method to **Email with password**. If you set your local account option to **Email with one-time passcode**, customers who use this method won't be able to sign in because the one-time passcode is already their first-factor sign-in method and can't be used as a second factor. Currently, one-time passcode is the only method available for MFA in customer tenants.

> [!TIP]
> [![Try it now](./media/common/try-it-now.png)](https://woodgrovedemo.com/#usecase=MFA)
>
> To try out this feature, go to the Woodgrove Groceries demo and start the “[Multi-factor authentication](https://woodgrovedemo.com/#usecase=MFA)” use case.
## Prerequisites

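Review bot: the new TIP block at `> To try out this feature, go to the Woodgrove Groceries demo…` runs straight into `## Prerequisites` with no blank line between the blockquote and the heading; add one so the callout is closed before the heading. The NOTE about **Email with password** removed here is re-added under Prerequisites in the next hunk, so the MFA constraint is not lost, only relocated.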
Expand All @@ -29,6 +32,9 @@ ms.custom: it-pro
- An app that's registered in your customer tenant, added to the sign-up and sign-in user flow, and updated to point to the user flow for authentication.
- An account with Conditional Access Administrator, Security Administrator, or Global Administrator privileges to configure Conditional Access policies and MFA.

> [!NOTE]
> If you want to enable MFA, set your local account authentication method to **Email with password**. If you set your local account option to **Email with one-time passcode**, customers who use this method won't be able to sign in because the one-time passcode is already their first-factor sign-in method and can't be used as a second factor. Currently, one-time passcode is the only method available for MFA in customer tenants.
## Create a Conditional Access policy

Create a Conditional Access policy in your customer tenant that prompts users for MFA when they sign up or sign in to your app. (For more information, see [Common Conditional Access policy: Require MFA for all users](~/identity/conditional-access/howto-conditional-access-policy-all-users-mfa.md)).
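Review bot: the re-added NOTE ends on `> …one-time passcode is the only method available for MFA in customer tenants.` and is immediately followed by `## Create a Conditional Access policy`; insert a blank line after the blockquote. Moving the note into Prerequisites is the right place for it, since the local-account method must be set before the Conditional Access policy can enforce a second factor.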
2 changes: 1 addition & 1 deletion docs/fundamentals/identity-fundamental-concepts.md
Expand Up @@ -8,7 +8,7 @@ manager: CelesteDG
ms.service: active-directory
ms.subservice: develop
ms.topic: conceptual
ms.date: 06/05/2023
ms.date: 01/10/2024
ms.author: ryanwi
ms.reviewer:
---
Expand Up @@ -8,7 +8,7 @@ manager: CelesteDG
ms.service: active-directory
ms.subservice: develop
ms.topic: conceptual
ms.date: 06/05/2023
ms.date: 01/20/2024
ms.author: ryanwi
ms.reviewer:
---
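Review bot: `ms.date: 01/20/2024` is nine days after this commit's own date (Jan 11, 2024) and does not match the `01/10/2024` used in the sibling file above; this looks like a typo for `01/10/2024`.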
Expand Up @@ -4,7 +4,7 @@ description: Learn how to develop and register a Microsoft Entra custom authenti
author: msmimart
manager: CelesteDG
ms.author: mimart
ms.date: 01/07/2024
ms.date: 01/11/2024
ms.service: active-directory
ms.subservice: develop
ms.topic: how-to
Expand All @@ -23,14 +23,14 @@ This article describes how to extend the user sign-up experience in Microsoft En
> [!TIP]
> [![Try it now](./media/common/try-it-now.png)](https://woodgrovedemo.com/#usecase=PreAttributeCollection)
>
> To try out this feature, go to the Woodgrove Groceries demo and start the “Prepopulate sign-up attributes” use case.
> To try out this feature, go to the Woodgrove Groceries demo and start the “[Prepopulate sign-up attributes](https://woodgrovedemo.com/#usecase=PreAttributeCollection)” use case.
- The **OnAttributeCollectionSubmit** event occurs after the user enters and submits attributes. You can add actions such as validating or modifying the user's entries.

> [!TIP]
> [![Try it now](./media/common/try-it-now.png)](https://woodgrovedemo.com/#usecase=PostAttributeCollection)
>
> To try out this feature, go to the Woodgrove Groceries demo and start the “Validate sign-up attributes” use case, or the “[Block a user from continuing the sign-up process](https://woodgrovedemo.com/#usecase=BlockSignUp)” use case.
> To try out this feature, go to the Woodgrove Groceries demo and start the “[Validate sign-up attributes](https://woodgrovedemo.com/#usecase=PostAttributeCollection)” use case, or the “[Block a user from continuing the sign-up process](https://woodgrovedemo.com/#usecase=BlockSignUp)” use case.
In addition to creating a custom authentication extension for the attribute collection start and submit events, you need to create a REST API that defines the workflow actions to take for each event. You can use any programming language, framework, and hosting environment to create and host your REST API. This article demonstrates a quick way to get started using a C# Azure Function. With Azure Functions, you run your code in a serverless environment without having to first create a virtual machine (VM) or publish a web application.

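Review bot: the TIP ending `> …or the “[Block a user from continuing the sign-up process](…)” use case.` is followed on the very next line by the paragraph `In addition to creating a custom authentication extension…` with no blank line; in CommonMark that paragraph becomes a lazy continuation of the blockquote and renders inside the tip. Add a blank line after each TIP block (the same applies before the `- The **OnAttributeCollectionSubmit** event…` list item).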
Expand Up @@ -4,7 +4,7 @@ description: Reference documentation for a custom authentication extension that
author: msmimart
manager: CelesteDG
ms.author: mimart
ms.date: 10/27/2023
ms.date: 01/11/2024
ms.service: active-directory
ms.subservice: develop
ms.topic: reference
Expand All @@ -24,6 +24,11 @@ To modify the sign-up experience for your customer self-service sign-up user flo

This article describes the REST API schema for the OnAttributeCollectionStart event. (See also the related article [Custom Extension for OnAttributeCollectionSubmit event](custom-extension-OnAttributeCollectionSubmit-reference.md).)

> [!TIP]
> [![Try it now](./media/common/try-it-now.png)](https://woodgrovedemo.com/#usecase=PreAttributeCollection)
>
> To try out this feature, go to the Woodgrove Groceries demo and start the “[Prepopulate sign-up attributes](https://woodgrovedemo.com/#usecase=PreAttributeCollection)” use case.
## REST API schema

To develop your own REST API for the attribute collection start event, use the following REST API data contract. The schema describes the contract to design the request and response handler.
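Review bot: missing blank line between the added TIP's last line `> To try out this feature…` and `## REST API schema`; add one so the callout does not abut the heading.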
Expand Down Expand Up @@ -175,4 +180,4 @@ HTTP/1.1 200 OK
]
}
}
```
```
Expand Up @@ -4,7 +4,7 @@ description: Reference documentation for a custom authentication extension that
author: msmimart
manager: CelesteDG
ms.author: mimart
ms.date: 10/27/2023
ms.date: 01/11/2024
ms.service: active-directory
ms.subservice: develop
ms.topic: reference
Expand All @@ -24,6 +24,11 @@ To modify the sign-up experience for your customer self-service sign-up user flo

This article describes the REST API schema for the OnAttributeCollectionSubmit event. (See also the related article [Custom Extension for OnAttributeCollectionStart event](custom-extension-OnAttributeCollectionStart-reference.md).)

> [!TIP]
> [![Try it now](./media/common/try-it-now.png)](https://woodgrovedemo.com/#usecase=PostAttributeCollection)
>
> To try out this feature, go to the Woodgrove Groceries demo and start the “[Validate sign-up attributes](https://woodgrovedemo.com/#usecase=PostAttributeCollection)” use case, or the “[Block a user from continuing the sign-up process](https://woodgrovedemo.com/#usecase=BlockSignUp)” use case.
## REST API schema

To develop your own REST API for the attribute collection submit event, use the following REST API data contract. The schema describes the contract to design the request and response handler.
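Review bot: same spacing issue as in the OnAttributeCollectionStart reference: the TIP block runs directly into `## REST API schema`; add a blank line after `> To try out this feature…`.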
2 changes: 1 addition & 1 deletion docs/identity-platform/msal-node-migration.md
Expand Up @@ -292,7 +292,7 @@ const msalTokenCache = publicClientApplication.getTokenCache();

Importantly, your previous token cache with ADAL Node won't be transferable to MSAL Node, since cache schemas are incompatible. However, you may use the valid refresh tokens your app obtained previously with ADAL Node in MSAL Node. See the section on [refresh tokens](#remove-logic-around-refresh-tokens) for more.

You can also write your cache to disk by providing your own **cache plugin**. The cache plugin must implement the interface [ICachePlugin](/javascript/api/%40azure/msal-node/icacheplugin). Like logging, caching is part of the configuration options and is created with the initialization of the MSAL Node instance:
You can also write your cache to disk by providing your own **cache plugin**. The cache plugin must implement the interface `ICachePlugin`. Like logging, caching is part of the configuration options and is created with the initialization of the MSAL Node instance:

```javascript
const msal = require('@azure/msal-node');
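Review bot: replacing the link `[ICachePlugin](/javascript/api/%40azure/msal-node/icacheplugin)` with plain `` `ICachePlugin` `` drops the only pointer to the interface definition a reader needs to implement a cache plugin; if the old reference path 404s, replace it with a working reference link rather than removing the link entirely.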
2 changes: 1 addition & 1 deletion docs/identity-platform/publisher-verification-overview.md
Expand Up @@ -5,7 +5,7 @@ author: rwike77
manager: CelesteDG
ms.author: ryanwi
ms.custom:
ms.date: 08/17/2023
ms.date: 01/10/2024
ms.reviewer: xurobert
ms.service: active-directory
ms.subservice: develop
Expand Down
12 changes: 6 additions & 6 deletions docs/identity-platform/quickstart-create-new-tenant.md
Expand Up @@ -5,7 +5,7 @@ author: OwenRichards1
manager: CelesteDG
ms.author: ryanwi
ms.custom: fasttrack-edit, mode-other
ms.date: 07/11/2023
ms.date: 01/10/2024
ms.reviewer: jmprieur
ms.service: active-directory
ms.subservice: develop
Expand All @@ -25,14 +25,14 @@ Each Microsoft Entra tenant is distinct and separate from other Microsoft Entra

An Azure account that has an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

## Determining the environment type
## Determining the type of users you'll create apps for

You can create two types of environments. The environment depends solely on the types of users your app will authenticate.
You can create a tenant with two different configurations: workforce or customer. The environment depends solely on the types of users your app will authenticate.

This quickstart addresses two scenarios for the type of app you want to build:

* Work and school accounts (Microsoft Entra ID) or Microsoft accounts (such as Outlook.com and Live.com)
* Social and local (Azure AD B2C) accounts
* Workforce-facing apps and services for work and school accounts (Microsoft Entra ID) or Microsoft accounts (such as Outlook.com and Live.com)
* Customer-facing apps and services for social and local accounts

## Work and school accounts, or personal Microsoft accounts

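Review bot: the rewritten sentence `You can create a tenant with two different configurations: workforce or customer.` is still followed by `The environment depends solely on the types of users your app will authenticate.`, so "environment" now refers to nothing; suggest `The configuration you choose depends solely on the types of users your app will authenticate.` The new heading also no longer matches the later `## Work and school accounts, or personal Microsoft accounts` / `## Social and local accounts` section names, so consider aligning them with the workforce/customer wording introduced here.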
Expand Down Expand Up @@ -77,7 +77,7 @@ You'll provide the following information to create your new tenant:
## Social and local accounts

To begin building external facing applications that sign in social and local accounts, create an Azure AD B2C tenant. To begin, see [Create an Azure AD B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant).
To begin building external facing applications that sign in social and local accounts, create a tenant with customer configurations. To begin, see [Create a tenant with customer configuration (preview)](../external-id/customers/quickstart-tenant-setup.md).

## Next steps

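Review bot: the added line links with a relative path `../external-id/customers/quickstart-tenant-setup.md` while the rest of this commit uses root-relative `~/…` links (e.g. `~/identity/authentication/...`); use the repo convention. Minor wording: `external facing` should be `external-facing`, and `create a tenant with customer configurations` (plural) disagrees with the singular link text `Create a tenant with customer configuration (preview)`; the `(preview)` tag in link text will also go stale once the feature ships.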
21 changes: 11 additions & 10 deletions docs/identity/role-based-access-control/admin-units-assign-roles.md
Expand Up @@ -12,7 +12,7 @@ ms.workload: identity
ms.date: 11/15/2022
ms.author: rolyon
ms.reviewer: anandy
ms.custom: oldportal, it-pro, has-azure-ad-ps-ref
ms.custom: oldportal, it-pro, has-azure-ad-ps-ref, azure-ad-ref-level-one-done
ms.collection: M365-identity-device-management
---

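Review bot: only `ms.custom` gains `azure-ad-ref-level-one-done` here while `ms.date: 11/15/2022` is left untouched, even though the PowerShell samples further down are rewritten from the Azure AD module to Microsoft Graph PowerShell; bump `ms.date` as the other files in this commit do so readers can see the content was refreshed.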
Expand All @@ -29,7 +29,7 @@ This article describes how to assign Microsoft Entra roles with administrative u
- Microsoft Entra ID P1 or P2 license for each administrative unit administrator
- Microsoft Entra ID Free licenses for administrative unit members
- Privileged Role Administrator or Global Administrator
- Azure AD PowerShell module when using PowerShell
- Microsoft Graph PowerShell module when using PowerShell
- Admin consent when using Graph explorer for Microsoft Graph API

For more information, see [Prerequisites to use PowerShell or Graph Explorer](prerequisites.md).
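Review bot: the prerequisite `- Microsoft Graph PowerShell module when using PowerShell` should also mention that, unlike the Azure AD module, the Graph module requires consenting to specific permission scopes at `Connect-MgGraph` time, mirroring the existing `- Admin consent when using Graph explorer for Microsoft Graph API` bullet; either list the scopes the cmdlets below need or point to them in the linked `prerequisites.md`.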
Expand Down Expand Up @@ -102,14 +102,15 @@ You can assign a Microsoft Entra role with an administrative unit scope by using
### PowerShell

Use the [New-AzureADMSRoleAssignment](/powershell/module/azuread/new-azureadmsroleassignment) command and the `DirectoryScopeId` parameter to assign a role with administrative unit scope.
Use the [New-MgRoleManagementDirectoryRoleAssignment](/powershell/module/microsoft.graph.identity.governance/new-mgrolemanagementdirectoryroleassignment) command and the `DirectoryScopeId` parameter to assign a role with administrative unit scope.

```powershell
$user = Get-AzureADUser -Filter "userPrincipalName eq 'Example_UPN'"
$roleDefinition = Get-AzureADMSRoleDefinition -Filter "displayName eq 'Example_role_name'"
$adminUnit = Get-AzureADMSAdministrativeUnit -Filter "displayName eq 'Example_admin_unit_name'"
$user = Get-MgUser -Filter "userPrincipalName eq 'Example_UPN'"
$roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Example_role_name'"
$adminUnit = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Example_admin_unit_name'"
$directoryScope = '/administrativeUnits/' + $adminUnit.Id
$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $directoryScope -RoleDefinitionId $roleDefinition.Id -PrincipalId $user.objectId
$roleAssignment = New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId $directoryScope `
-PrincipalId $user.Id -RoleDefinitionId $roleDefinition.Id
```

### Microsoft Graph API
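Review bot: the new `New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId $directoryScope `` ` `` line continuation breaks silently if any whitespace follows the backtick, and the snippet builds `'/administrativeUnits/' + $adminUnit.Id` without checking that the display-name filter returned exactly one administrative unit; if several match, `$adminUnit.Id` is an array and the scope string is garbage. Prefer a single line (or splatting) for the cmdlet call and add a guard that `$adminUnit` is a single object before assigning the role. The switch from `$user.objectId` to `$user.Id` is correct for the Graph SDK.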
Expand Down Expand Up @@ -151,11 +152,11 @@ You can view all the role assignments created with an administrative unit scope

### PowerShell

Use the [Get-AzureADMSScopedRoleMembership](/powershell/module/azuread/get-azureadmsscopedrolemembership) command to list role assignments with administrative unit scope.
Use the [Get-MgDirectoryAdministrativeUnitScopedRoleMember](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdirectoryadministrativeunitscopedrolemember) command to list role assignments with administrative unit scope.

```powershell
$adminUnit = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Example_admin_unit_name'"
Get-AzureADMSScopedRoleMembership -Id $adminUnit.Id | fl *
$adminUnit = Get-MgDirectoryAdministrativeUnit -Filter "displayname eq 'Example_admin_unit_name'"
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $adminUnit.Id | FL *
```

### Microsoft Graph API
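Review bot: `| FL *` uses an alias in documentation; spell it out as `| Format-List *`. The filter `"displayname eq 'Example_admin_unit_name'"` is also cased differently from `"displayName eq …"` in the earlier PowerShell block; keep `displayName` consistent across both snippets.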