Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into asc-melvyn-vmva

Author: memildin

.openpublishing.redirection.json

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 03/30/2020
+ms.date: 04/21/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -86,7 +86,14 @@ The following sections list available claim resolvers.
 | {Context:IPAddress} | The user IP address. | 11.111.111.11 |
 | {Context:KMSI} | Indicates whether [Keep me signed in](custom-policy-keep-me-signed-in.md) checkbox is selected. |  true |
 
-### Non-protocol parameters
+### Claims 
+
+| Claim | Description | Example |
+| ----- | ----------- | --------|
+| {Claim:claim type} | An identifier of a claim type already defined in the ClaimsSchema section in the policy file or parent policy file.  For example: `{Claim:displayName}`, or `{Claim:objectId}`. | A claim type value.|
+
+
+### OAuth2 key-value parameters
 
 Any parameter name included as part of an OIDC or OAuth2 request can be mapped to a claim in the user journey. For example, the request from the application might include a query string parameter with a name of `app_session`, `loyalty_number`, or any custom query string.
 
@@ -114,6 +121,7 @@ Any parameter name included as part of an OIDC or OAuth2 request can be mapped t
 | {SAML:AllowCreate} | The `AllowCreate` attribute value, from the `NameIDPolicy` element of the SAML request. | True |
 | {SAML:ForceAuthn} | The `ForceAuthN` attribute value, from the `AuthnRequest` element of the SAML request. | True |
 | {SAML:ProviderName} | The `ProviderName` attribute value, from the `AuthnRequest` element of the SAML request.| Contoso.com |
+| {SAML:RelayState} | The `RelayState` query string parameter.| 
 
 ## Using claim resolvers
 

articles/active-directory-b2c/claim-resolver-overview.md

@@ -70,7 +70,7 @@ To enable custom attributes in your policy, provide **Application ID** and Appli
             <Item Key="ApplicationObjectId"></Item>
           </Metadata>
         </TechnicalProfile>
-      <TechnicalProfiles> 
+      </TechnicalProfiles> 
     </ClaimsProvider>
     ```
 

articles/active-directory-b2c/custom-policy-custom-attributes.md

@@ -39,7 +39,9 @@ These three types of policy files are used:
 - **Extensions file** - holds the unique configuration changes for your tenant.
 - **Relying Party (RP) file** - The single task-focused file that is invoked directly by the application or service (also, known as a Relying Party). Each unique task requires its own RP and depending on branding requirements, the number might be "total of applications x total number of use cases."
 
-User flows in Azure AD B2C follow the three-file pattern depicted above, but the developer only sees the RP file, while the Azure portal makes changes in the background to the extensions file.
+User flows in Azure AD B2C follow the file pattern depicted above, but the developer only sees the RP file, while the Azure portal makes changes in the background to the extensions file.
+
+Although there are three types of policy files, you aren't restricted to only three files. You may have multiple files of each file type. For example, if you don't want to make changes to your Extensions file, you can create an Extensions2 file to further extend the Extensions file.
 
 ## Custom policy core concepts
 

articles/active-directory-b2c/custom-policy-overview.md

@@ -40,7 +40,7 @@ To enable sign-in for users from a specific Azure AD organization, you need to r
     https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp
     ```
 
-    For example, `https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp`.
+    For example, `https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp`.
 
 1. Select **Register**. Record the **Application (client) ID** for use in a later step.
 1. Select **Certificates & secrets**, and then select **New client secret**.
@@ -53,10 +53,10 @@ If you want to get the `family_name` and `given_name` claims from Azure AD, you
 1. Sign in to the [Azure portal](https://portal.azure.com). Search for and select **Azure Active Directory**.
 1. From the **Manage** section, select **App registrations**.
 1. Select the application you want to configure optional claims for in the list.
-1. From the **Manage** section, select **Token configuration (preview)**.
+1. From the **Manage** section, select **Token configuration**.
 1. Select **Add optional claim**.
-1. Select the token type you want to configure.
-1. Select the optional claims to add.
+1. For the **Token type**, select **ID**.
+1. Select the optional claims to add, `family_name` and `given_name`.
 1. Click **Add**.
 
 ## Create a policy key

articles/active-directory-b2c/identity-provider-azure-ad-multi-tenant-custom.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 02/11/2020
+ms.date: 04/20/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -24,40 +24,8 @@ This article shows you how to enable sign-in for users from an Azure Active Dire
 
 Complete the steps in [Get started with custom policies in Azure Active Directory B2C](custom-policy-get-started.md).
 
-## Register an application
 
-To enable sign-in for users from a specific Azure AD organization, you need to register an application within the organizational Azure AD tenant.
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Make sure you're using the directory that contains your organizational Azure AD tenant (for example, contoso.com). Select the **Directory + subscription filter** in the top menu, and then choose the directory that contains your Azure AD tenant.
-1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **App registrations**.
-1. Select **New registration**.
-1. Enter a **Name** for your application. For example, `Azure AD B2C App`.
-1. Accept the default selection of **Accounts in this organizational directory only** for this application.
-1. For the **Redirect URI**, accept the value of **Web**, and enter the following URL in all lowercase letters, where `your-B2C-tenant-name` is replaced with the name of your Azure AD B2C tenant.
-
-    ```
-    https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp
-    ```
-
-    For example, `https://contoso.b2clogin.com/contoso.onmicrosoft.com/oauth2/authresp`.
-
-1. Select **Register**. Record the **Application (client) ID** for use in a later step.
-1. Select **Certificates & secrets**, and then select **New client secret**.
-1. Enter a **Description** for the secret, select an expiration, and then select **Add**. Record the **Value** of the secret for use in a later step.
-
-## Configuring optional claims
-
-If you want to get the `family_name` and `given_name` claims from Azure AD, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Azure AD app](../active-directory/develop/active-directory-optional-claims.md).
-
-1. Sign in to the [Azure portal](https://portal.azure.com). Search for and select **Azure Active Directory**.
-1. From the **Manage** section, select **App registrations**.
-1. Select the application you want to configure optional claims for in the list.
-1. From the **Manage** section, select **Token configuration (preview)**.
-1. Select **Add optional claim**.
-1. Select the token type you want to configure.
-1. Select the optional claims to add.
-1. Click **Add**.
+[!INCLUDE [active-directory-b2c-identity-provider-azure-ad](../../includes/active-directory-b2c-identity-provider-azure-ad.md)]
 
 ## Create a policy key
 

articles/active-directory-b2c/identity-provider-azure-ad-single-tenant-custom.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 08/08/2019
+ms.date: 04/20/2020
 ms.author: mimart
 ms.subservice: B2C
 ms.custom: fasttrack-edit
@@ -19,51 +19,28 @@ ms.custom: fasttrack-edit
 
 To use an Azure Active Directory (Azure AD) as an [identity provider](authorization-code-flow.md) in Azure AD B2C, you need to create an application that represents it. This article shows you how to enable sign-in for users from a specific Azure AD organization using a user flow in Azure AD B2C.
 
-## Create an Azure AD app
-
-To enable sign-in for users from a specific Azure AD organization, you need to register an application within the organizational Azure AD tenant, which is not the same as your Azure AD B2C tenant.
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Make sure you're using the directory that contains your Azure AD tenant. Select the **Directory + subscription** filter in the top menu and choose the directory that contains your Azure AD tenant. This is not the same tenant as your Azure AD B2C tenant.
-3. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **App registrations**.
-4. Select **New registration**.
-5. Enter a name for your application. For example, `Azure AD B2C App`.
-6. Accept the selection of **Accounts in this organizational directory only** for this application.
-7. For the **Redirect URI**, accept the value of **Web**, and enter the following URL in all lowercase letters, where `your-B2C-tenant-name` is replaced with the name of your Azure AD B2C tenant. For example, `https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp`:
-
-    ```
-    https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp
-    ```
-
-    All URLs should now be using [b2clogin.com](b2clogin.md).
-
-8. Click **Register**. Copy the **Application (client) ID** to be used later.
-9. Select **Certificates & secrets** in the application menu, and then select **New client secret**.
-10. Enter a name for the client secret. For example, `Azure AD B2C App Secret`.
-11. Select the expiration period. For this application, accept the selection of **In 1 year**.
-12. Select **Add** and copy the value of the new client secret that is displayed to be used later.
+[!INCLUDE [active-directory-b2c-identity-provider-azure-ad](../../includes/active-directory-b2c-identity-provider-azure-ad.md)]
 
 ## Configure Azure AD as an identity provider
 
 1. Make sure you're using the directory that contains Azure AD B2C tenant. Select the **Directory + subscription** filter in the top menu and choose the directory that contains your Azure AD B2C tenant.
 1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
 1. Select **Identity providers**, and then select **New OpenID Connect provider**.
 1. Enter a **Name**. For example, enter *Contoso Azure AD*.
-1. For **Metadata url**, enter the following URL replacing `your-AD-tenant-domain` with the domain name of your Azure AD tenant:
+1. For **Metadata url**, enter the following URL replacing `{tenant}` with the domain name of your Azure AD tenant:
 
     ```
-    https://login.microsoftonline.com/your-AD-tenant-domain/.well-known/openid-configuration
+    https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
     ```
 
-    For example, `https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration`.
-
-    **Do not** use the Azure AD v2.0 metadata endpoint, for example `https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration`. Doing so results in an error similar to `AADB2C: A claim with id 'UserId' was not found, which is required by ClaimsTransformation 'CreateAlternativeSecurityId' with id 'CreateAlternativeSecurityId' in policy 'B2C_1_SignUpOrIn' of tenant 'contoso.onmicrosoft.com'` when attempting to sign in.
+    For example, `https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration`.
 
 1. For **Client ID**, enter the application ID that you previously recorded.
 1. For **Client secret**, enter the client secret that you previously recorded.
-1. Leave the default values for **Scope**, **Response type**, and **Response mode**.
-1. (Optional) Enter a value for **Domain_hint**. For example, *ContosoAD*. This is the value to use when referring to this identity provider using *domain_hint* in the request.
-1. Under **Identity provider claims mapping**, enter the following claims mapping values:
+1. For the **Scope**, enter the `openid profile`.
+1. Leave the default values for **Response type**, and **Response mode**.
+1. (Optional) For the **Domain hint**, enter `contoso.com`. For more information, see [Set up direct sign-in using Azure Active Directory B2C](direct-signin.md#redirect-sign-in-to-a-social-provider).
+1. Under **Identity provider claims mapping**, select the following claims:
 
     * **User ID**: *oid*
     * **Display name**: *name*

articles/active-directory-b2c/identity-provider-azure-ad-single-tenant.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 12/10/2019
+ms.date: 04/21/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -219,6 +219,39 @@ In the following example, the claims transformation extracts the `id` element fr
 - Output claims:
     - **extractedClaim**: 6353399
 
+## GetSingleItemFromJson
+
+Gets the first element from a JSON data.
+
+| Item | TransformationClaimType | Data Type | Notes |
+| ---- | ----------------------- | --------- | ----- |
+| InputClaim | inputJson | string | The ClaimTypes that are used by the claims transformation to get the item from the JSON data. |
+| OutputClaim | key | string | The first element key in the JSON. |
+| OutputClaim | value | string | The first element value in the JSON. |
+
+In the following example, the claims transformation extracts the first element (given name) from the JSON data.
+
+```XML
+<ClaimsTransformation Id="GetGivenNameFromResponse" TransformationMethod="GetSingleItemFromJson">
+  <InputClaims>
+    <InputClaim ClaimTypeReferenceId="json" TransformationClaimType="inputJson" />
+  </InputClaims>
+  <OutputClaims>
+    <OutputClaim ClaimTypeReferenceId="givenNameKey" TransformationClaimType="key" />
+    <OutputClaim ClaimTypeReferenceId="givenName" TransformationClaimType="value" />
+  </OutputClaims>
+</ClaimsTransformation>
+```
+
+### Example
+
+- Input claims:
+  - **inputJson**: {"givenName": "Emilty", "lastName": "Smith"}
+- Output claims:
+  - **key**: givenName
+  - **value**: Emilty
+
+
 ## GetSingleValueFromJsonArray
 
 Gets the first element from a JSON data array.
@@ -290,3 +323,5 @@ Output claim:
   }
 }
 ```
+
+