Merge pull request #6825 from MicrosoftDocs/main
2/5/2025 PM Publish
Taojunshen authored Feb 5, 2025
2 parents f1f97c8 + 41f2952 commit 57ac216
Showing 22 changed files with 13 additions and 8 deletions.
5 changes: 5 additions & 0 deletions docs/identity-platform/msal-acquire-cache-tokens.md
Expand Up @@ -81,6 +81,7 @@ For web applications that use the [OpenID Connect authorization code flow](v2-pr

The method of acquiring a token depends on whether it's a public client or confidential client application.


### Public client applications

In public client applications (desktop and mobile), you can:
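Review bot: the only change in this hunk is the extra blank line added before `### Public client applications`, which leaves two consecutive blank lines between "...confidential client application." and the heading; the rest of the file separates paragraphs and headings with a single blank line, so drop the added one (markdown linters flag consecutive blank lines).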
Expand Down Expand Up @@ -113,6 +114,10 @@ When your client requests an access token, Microsoft Entra ID also returns an au

[!INCLUDE [advanced-token-caching](~/includes/advanced-token-cache.md)]


> [!NOTE]
> When acquiring tokens interactivelly using [authentication broker](msal-net-use-brokers-with-xamarin-apps.md), the authentication broker will do cache-lookup first and return cached token if available ([GitHub issue - acquireToken uses caching](https://github.com/AzureAD/microsoft-authentication-library-for-android/issues/2197#issuecomment-2447771586)).
## See also

Several of the platforms supported by MSAL have additional token cache-related information in the documentation for that platform's library. For example:
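Review bot: the new `> [!NOTE]` block runs straight into `## See also` with no blank line between them, and the note text has a typo ("interactivelly") plus wording that reads better as "the authentication broker performs a cache lookup first and returns the cached token if one is available". Add the blank line after the note (the blank line added above `> [!NOTE]` is then redundant, since the include line is already followed by one), fix the spelling, and spell out the practical consequence for the reader: with a broker, an interactive acquisition does not guarantee a fresh sign-in prompt, so code that relies on interactive acquisition to force re-authentication needs to account for that.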
Expand Up @@ -66,15 +66,15 @@ The PKI-based trust store has higher limits for the number of CAs and the size o
An admin must configure the trusted CAs that issue user certificates.
Only least-privileged administrators are needed to make changes.
A PKI-based trust store has RBAC roles [Privilege Authentication Administrator](../role-based-access-control/permissions-reference.md#privileged-authentication-administrator) and [Authentication Administrator](../role-based-access-control/permissions-reference.md#authentication-administrator).
A PKI-based trust store has RBAC role [Privilege Authentication Administrator](../role-based-access-control/permissions-reference.md#privileged-authentication-administrator).

Upload PKI feature of the PKI-based trust store is available only with Microsoft Entra ID P1 or P2 license. However, with free license as well, admins can upload all the CAs individually instead of the PKI file and configure the PKI-based trust store.

### Configure certificate authorities by using the Microsoft Entra admin center

#### Create a PKI container object
1. Create a PKI container object.
1. Sign in to the Microsoft Entra admin center as an [Authentication Policy Administrator](../role-based-access-control/permissions-reference.md#authentication-policy-administrator).
1. Sign in to the Microsoft Entra admin center as an [Privilege Authentication Administrator](../role-based-access-control/permissions-reference.md#privileged-authentication-administrator).
1. Browse to **Protection** > **Show more** > **Security Center** (or **Identity Secure Score**) > **Public key infrastructure (Preview)**.
1. Click **+ Create PKI**.
1. Enter **Display Name**.
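Review bot: the role name in both added lines is misspelled. The link anchor is `privileged-authentication-administrator` and the role is "Privileged Authentication Administrator", so the link text should read "Privileged" in both places, and "as an [Privilege..." should be "as a [Privileged...". Narrowing the supported roles to Privileged Authentication Administrator alone also sits oddly under the unchanged context line "Only least-privileged administrators are needed to make changes."; if Authentication Administrator can no longer manage the PKI-based trust store, that sentence should be revised as well, and the page should say plainly that the remaining role is a higher-privilege one. Separately, the heading `#### Create a PKI container object` is immediately followed by a list item that repeats it ("1. Create a PKI container object."); one of the two is redundant.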
Expand Up @@ -131,6 +131,8 @@ To view [sign-in logs](/entra/identity/monitoring-health/concept-sign-ins) for t
1. Add a filter for **Client credential type**.
1. Adjust the filter to view a specific set of logs based on the client credential used in the sign-in.

For more information see the article [Public client and confidential client applications](/entra/identity-platform/msal-client-applications).

<a name='all-cloud-apps'></a>

### All resources
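Review bot: the added sentence "For more information see the article ..." needs a comma after "information", and, placed right after a procedure for filtering sign-in logs by client credential type, it should say what the reader will find there, for example "For the distinction between public and confidential clients, see ...", rather than a bare "for more information" cross-reference.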
2 changes: 1 addition & 1 deletion docs/identity/hybrid/connect/choose-ad-authn.md
Expand Up @@ -174,7 +174,7 @@ The following diagrams outline the high-level architecture components required f
|Is Windows Hello for Business supported?|[Key trust model](/windows/security/identity-protection/hello-for-business/hello-identity-verification)<br><br>[Hybrid Cloud Trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust)|[Key trust model](/windows/security/identity-protection/hello-for-business/hello-identity-verification)<br><br>[Hybrid Cloud Trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust)<br><br>*Both require Windows Server 2016 Domain functional level*|[Key trust model](/windows/security/identity-protection/hello-for-business/hello-identity-verification)<br><br>[Hybrid Cloud Trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust)<br><br>[Certificate trust model](/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs)|
|What are the multifactor authentication options?|[Microsoft Entra multifactor authentication](/azure/multi-factor-authentication/)<br><br>[Custom Controls with Conditional Access*](~/identity/conditional-access/controls.md)|[Microsoft Entra multifactor authentication](~/identity/authentication/index.yml)<br><br>[Custom Controls with Conditional Access*](~/identity/conditional-access/controls.md)|[Microsoft Entra multifactor authentication](~/identity/authentication/index.yml)<br><br>[Third-party MFA](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs)<br><br>[Custom Controls with Conditional Access*](~/identity/conditional-access/controls.md)|
|What user account states are supported?|Disabled accounts<br>(up to 30-minute delay)|Disabled accounts<br><br>Account locked out<br><br>Account expired<br><br>Password expired<br><br>Sign-in hours|Disabled accounts<br><br>Account locked out<br><br>Account expired<br><br>Password expired<br><br>Sign-in hours|
|What are the Conditional Access options?|[Microsoft Entra Conditional Access, with Microsoft Entra ID P1 or P2](~/identity/conditional-access/overview.md)|[Microsoft Entra Conditional Access, with Microsoft Entra ID P1 or P2](~/identity/conditional-access/overview.md)|[Microsoft Entra Conditional Access, with Microsoft Entra ID P1 or P2](~/identity/conditional-access/overview.md)<br><br>[AD FS claim rules](https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator)|
|What are the Conditional Access options?|[Microsoft Entra Conditional Access, with Microsoft Entra ID P1 or P2](~/identity/conditional-access/overview.md)|[Microsoft Entra Conditional Access, with Microsoft Entra ID P1 or P2](~/identity/conditional-access/overview.md)|[Microsoft Entra Conditional Access, with Microsoft Entra ID P1 or P2](~/identity/conditional-access/overview.md)|
|Is blocking legacy protocols supported?|[Yes](~/identity/conditional-access/overview.md)|[Yes](~/identity/conditional-access/overview.md)|[Yes](/windows-server/identity/ad-fs/operations/access-control-policies-w2k12)|
|Can you customize the logo, image, and description on the sign-in pages?|[Yes, with Microsoft Entra ID P1 or P2](~/fundamentals/how-to-customize-branding.md)|[Yes, with Microsoft Entra ID P1 or P2](~/fundamentals/how-to-customize-branding.md)|[Yes](how-to-connect-fed-management.md)|
|What advanced scenarios are supported?|[Smart password lockout](~/identity/authentication/howto-password-smart-lockout.md)<br><br>[Leaked credentials reports, with Microsoft Entra ID P2](~/id-protection/overview-identity-protection.md)|[Smart password lockout](~/identity/authentication/howto-password-smart-lockout.md)|Multisite low-latency authentication system<br><br>[AD FS extranet lockout](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection)<br><br>[Integration with third-party identity systems](how-to-connect-fed-compatibility.md)|
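Review bot: the replacement row drops the AD FS claim rules entry from the federation column instead of replacing its adfshelp.microsoft.com link with another reference, so the table now implies federation offers nothing beyond Microsoft Entra Conditional Access. That contradicts the next row, where the same column links the AD FS access control policies page. Keep the entry and point it at that Learn page (`/windows-server/identity/ad-fs/operations/access-control-policies-w2k12`) or another non-adfshelp source.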
Expand Up @@ -84,7 +84,6 @@ If a single factor authentication is performed, two rows are populated with the
In cases of multifactor authentication, there are three rows with a shared correlation ID and three corresponding Authentication Methods (that is, Forms, Microsoft Entra multifactor authentication, Multifactor). In this particular example, the multifactor in this case shows that the SSO has an MFA.

***What are the errors that I can see in the report?***
For a full list of AD FS related errors that are populated in the sign-in report and descriptions, visit [AD FS Help Error Code Reference](https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference)

***I am seeing “00000000-0000-0000-0000-000000000000” in the “User” section of a sign-in. What does that
mean?***
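Review bot: deleting the answer line leaves the FAQ item ***What are the errors that I can see in the report?*** with no answer at all, just the bold question followed by a blank line and the next question. Either remove the question together with its answer or replace the removed adfshelp link with another source for the AD FS error codes that appear in the sign-in report.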
5 changes: 2 additions & 3 deletions docs/identity/hybrid/connect/how-to-connect-health-adfs.md
Expand Up @@ -175,7 +175,7 @@ After enabling AD FS audit logs, you should be able to check the AD FS audit log
2. Go to **Windows Logs**, and then select **Security**.
3. In the right pane, select **Filter Current Logs**.
4. For **Event sources**, select **AD FS Auditing**.
5. You can get a complete list of AD FS events [here](https://adfshelp.microsoft.com/AdfsEventViewer/GetAdfsEventList).


For more information about audit logs, see [Operations questions](./reference-connect-health-faq.yml).

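Review bot: removing list item 5 leaves two consecutive blank lines before "For more information about audit logs, ..."; collapse them to one. This item was also the only pointer to the complete AD FS event list, and the remaining steps only cover filtering the Security log in Event Viewer, so check whether a replacement reference exists before dropping it silently.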
Expand All @@ -195,7 +195,7 @@ The following tables provide a list of common events that correspond to audit le
|1202|FreshCredentialSuccessAudit|The Federation Service validated a new credential.|
|1203|FreshCredentialFailureAudit|The Federation Service failed to validate a new credential.|

For more information see the complete list of AD FS events [here](https://adfshelp.microsoft.com/AdfsEventViewer/GetAdfsEventList).


##### Verbose audit level events

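Review bot: same pattern as the previous hunk: the "For more information" sentence is removed and two blank lines are left before `##### Verbose audit level events`. Collapse them to one blank line, and note that the tables in this section only list "common events", so readers lose the only link to the full event list.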
Expand All @@ -209,7 +209,6 @@ For more information see the complete list of AD FS events [here](https://adfsh
|500|IssuedIdentityClaims|More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information.|
|501|CallerIdentityClaims|More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information.|

For more information, see the complete list of AD FS events [here](https://adfshelp.microsoft.com/AdfsEventViewer/GetAdfsEventList).

## Test connectivity to the Microsoft Entra Connect Health service

Expand Up @@ -41,7 +41,7 @@ Microsoft Entra Connect Health alerts get resolved on a success condition. Micro
| High CPU Usage detected | The percentage of CPU consumption crossed the recommended threshold on this server. | <li>This could be a temporary spike in CPU consumption. Check the CPU usage trend from the Monitoring section.</li><li>Inspect the top processes consuming the highest CPU usage on the server.<ol type="a"><li>You might use the Task Manager or execute the following PowerShell Command: <br> <i>get-process \| Sort-Object -Descending CPU \| Select-Object -First 10</i></li><li>If there are unexpected processes consuming high CPU usage, stop the processes using the following PowerShell command: <br> <i>stop-process -ProcessName [name of the process]</i></li></li></ol><li>If the processes seen in the previous list are the intended processes running on the server and the CPU consumption is continuously near the threshold, consider reevaluating the deployment requirements of this server.</li><li>As a fail-safe option you might consider restarting the server. |
| High Memory Consumption Detected | The percentage of memory consumption of the server is beyond the recommended threshold on this server. | Inspect the top processes consuming the highest memory on the server. You might use the Task Manager or execute the following PowerShell Command:<br> <i>get-process \| Sort-Object -Descending WS \| Select-Object -First 10</i> </br> If there are unexpected processes consuming high memory, stop the processes using the following PowerShell command:<br><i>stop-process -ProcessName [name of the process] </i></li><li> If the processes seen in the previous list are the intended processes running on the server, consider reevaluating the deployment requirements of this server.</li><li>As a failsafe option, you might consider restarting the server. |
| Password Hash Synchronization stopped working | Password Hash Synchronization is stopped. As a result passwords won't be synchronized with Microsoft Entra ID. | Restart Microsoft Entra ID Sync Services: <br /> Any synchronization operations currently running are interrupted. You can choose to perform below steps when no synchronization operation is in progress. <br /> <ol> <li>Select <b>Start</b>, select <b>Run</b>, type <b>Services.msc</b>, and then select <b>OK</b>.</li> <li>Locate the <b>Microsoft Entra ID Sync</b>, right-select it, and then select <b>Restart</b>.</li> </ol> </p> |
| Export to Microsoft Entra ID was Stopped. Accidental delete threshold was reached | The export operation to Microsoft Entra ID failed. There were more objects to be deleted than the configured threshold. As a result, no objects were exported. | <li> The number of objects are marked for deletion are greater than the set threshold. Ensure this outcome is desired.</li> <li> To allow the export to continue, perform the following steps: <ol type="a"> <li>Disable Threshold by running Disable-ADSyncExportDeletionThreshold</li> <li>Start Synchronization Service Manager</li> <li>Run Export on Connector with type = Microsoft Entra ID</li> <li>After successfully exporting the objects, enable Threshold by running: Enable-ADSyncExportDeletionThreshold</li> </ol> </li> |
| Export to Microsoft Entra ID was Stopped. Accidental delete threshold was reached |The export operation to Microsoft Entra ID failed. There were more objects to be deleted than the configured threshold. As a result, no objects were exported. | The number of objects marked for deletion is greater than the maximum threshold set. To evaluate the objects pending deletion, see [prevent accidental deletes](/entra/identity/hybrid/connect/how-to-connect-sync-feature-prevent-accidental-deletes). |

## Alerts for Active Directory Federation Services
| Alert Name | Description | Remediation |
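Review bot: the new remediation text drops the concrete recovery steps the old row listed (disabling the threshold with Disable-ADSyncExportDeletionThreshold, running Export on the Microsoft Entra ID connector, then re-enabling it with Enable-ADSyncExportDeletionThreshold) in favour of a link. An operator reading this alert during an incident benefits from having the steps inline; keep a short version of them after the link, and keep the "Ensure this outcome is desired" check, since the threshold exists precisely to stop an accidental mass deletion from being exported. Removing the old row's stray `<li>` markup without an enclosing list is welcome; the same malformed HTML (`</li></li>`, a closing `</p>` with no opening tag) remains in the context rows above and could be fixed in the same pass.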