etherscan-io
diff --git a/‎articles/active-directory-domain-services/active-directory-ds-getting-started-password-sync-synced-tenant.md
+4-1 b/‎articles/active-directory-domain-services/active-directory-ds-getting-started-password-sync-synced-tenant.md
+4-1
diff --git a/‎articles/active-directory/develop/authentication-flows-app-scenarios.md
+3-1 b/‎articles/active-directory/develop/authentication-flows-app-scenarios.md
+3-1
diff --git a/‎articles/active-directory/develop/reference-v2-libraries.md
+3-1 b/‎articles/active-directory/develop/reference-v2-libraries.md
+3-1
diff --git a/‎articles/active-directory/develop/scenario-web-app-call-api-app-configuration.md
+7-2 b/‎articles/active-directory/develop/scenario-web-app-call-api-app-configuration.md
+7-2
diff --git a/‎articles/active-directory/manage-apps/use-scim-to-provision-users-and-groups.md
+6-5 b/‎articles/active-directory/manage-apps/use-scim-to-provision-users-and-groups.md
+6-5
@@ -37,7 +37,7 @@ The steps involved are different for cloud-only user accounts vs user accounts t
 A synced Azure AD tenant is set to synchronize with your organization's on-premises directory using Azure AD Connect. By default, Azure AD Connect does not synchronize NTLM and Kerberos credential hashes to Azure AD. To use Azure AD Domain Services, you need to configure Azure AD Connect to synchronize credential hashes required for NTLM and Kerberos authentication. The following steps enable synchronization of the required credential hashes from your on-premises directory to your Azure AD tenant.
 
 > [!NOTE]
-> **If your organization has user accounts that are synchronized from your on-premises directory, you must enable synchronization of NTLM and Kerberos hashes in order to use the managed domain.** A synced user account is an account that was created in your on-premises directory and is synchronized to your Azure AD tenant using Azure AD Connect.
+> **If your organization has user accounts that are synchronized from your on-premises directory, you must enable synchronization of NTLM and Kerberos hashes in order to use the managed domain.** A synced user account is an account that was created in your on-premises directory and is synchronized to your Azure AD tenant using Azure AD Connect.  The password hash sync is a different process from user/object sync. You need to disable/enable password hash sync to get full password sync, then you will see the batch password hash updates in the application event log.
 >
 >
 
@@ -74,6 +74,9 @@ Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConn
 
 Depending on the size of your directory (number of users, groups etc.), synchronization of credential hashes to Azure AD takes time. The passwords will be usable on the Azure AD Domain Services managed domain shortly after the credential hashes have synchronized to Azure AD.
 
+> [!NOTE]
+> **Password hash sync** is a different process from user/object sync. You need to disable/enable password hash sync to get full password sync, then you will see the batch password hash updates in the application event log.
+
 ## Related Content
 * [Enable password synchronization to AAD Domain Services for a cloud-only Azure AD directory](active-directory-ds-getting-started-password-sync.md)
 * [Manage an Azure AD Domain Services domain](manage-domain.md)
 
@@ -14,7 +14,7 @@ ms.devlang: na
 ms.topic: quickstart
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 07/19/2019
+ms.date: 07/25/2019
 ms.author: jmprieur
 ms.custom: aaddev 
 #Customer intent: As an application developer, I want to learn about authentication flows and application scenarios so I can create applications protected by the Microsoft identity platform.
@@ -194,5 +194,7 @@ Not every application type is available on every platform. You can also use vari
 | [Daemon app](scenario-daemon-overview.md) <br/> [![Daemon app](media/scenarios/daemon-app.svg)](scenario-daemon-overview.md) | ![.NET](media/sample-v2-code/logo_NET.png) MSAL.NET ![.NET Core](media/sample-v2-code/logo_NETcore.png)MSAL.NET ![MSAL Java](media/sample-v2-code/logo_java.png) msal4j ![MSAL Python](media/sample-v2-code/logo_python.png) MSAL Python| ![.NET Core](media/sample-v2-code/logo_NETcore.png) MSAL.NET ![MSAL Java](media/sample-v2-code/logo_java.png) msal4j ![MSAL Python](media/sample-v2-code/logo_python.png) MSAL Python| ![.NET Core](media/sample-v2-code/logo_NETcore.png)MSAL.NET ![MSAL Java](media/sample-v2-code/logo_java.png) msal4j ![MSAL Python](media/sample-v2-code/logo_python.png) MSAL Python
 | [Web API that calls web APIs](scenario-web-api-call-api-overview.md) <br/> [![Web API that calls web APIs](media/scenarios/web-api.svg)](scenario-web-api-call-api-overview.md) | ![.NET](media/sample-v2-code/logo_NET.png) <br/> ASP.NET + MSAL.NET ![.NET Core](media/sample-v2-code/logo_NETcore.png) <br/> ASP.NET Core + MSAL.NET| ![.NET Core](media/sample-v2-code/logo_NETcore.png) <br/> ASP.NET Core + MSAL.NET| ![.NET Core](media/sample-v2-code/logo_NETcore.png)<br/> ASP.NET Core + MSAL.NET
 
+See also [Microsoft-supported libraries by OS / language](reference-v2-libraries.md#microsoft-supported-libraries-by-os--language)
+
 ## Next steps
 Learn more about [authentication basics](authentication-scenarios.md) and [access tokens](access-tokens.md).
@@ -14,7 +14,7 @@ ms.devlang: na
 ms.topic: article
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 07/19/2019
+ms.date: 07/25/2019
 ms.author: negoe
 ms.reviewer: jmprieur, saeeda
 ms.custom: aaddev
@@ -85,6 +85,8 @@ In term of supported operating systems vs languages, the mapping is the followin
 | ![Python](media/sample-v2-code/logo_python.png) Python     | MSAL Python | MSAL Python | MSAL Python |
 | ![Node.Js](media/sample-v2-code/logo_nodejs.png) Node.JS     | Passport.node | Passport.node | Passport.node |
 
+See also [Scenarios by supported platforms and languages](authentication-flows-app-scenarios.md#scenarios-and-supported-platforms-and-languages)
+
 ## Compatible client libraries
 
 | Platform | Library name | Tested version | Source code | Sample |
 
@@ -96,7 +96,12 @@ The comments in the code below will help you understand some tricky aspects of w
    };
 ```
 
-In ASP.NET Core, building the confidential client application uses information that is in the HttpContext. This `HttpContext` knows about the URL for the Web App, and the signed-in user (in a  `ClaimsPrincipal`). It also uses the ASP.NET Core configuration, which has an "AzureAD" section, and which is bound to the `_applicationOptions` data structure of type [AzureAdOptions](https://github.com/aspnet/AspNetCore/blob/master/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs). This type is defined in ASP.NET Core `Authentication.AzureAD.UI`. Finally the application needs to maintain token caches.
+In ASP.NET Core, building the confidential client application uses information that is in the HttpContext. This `HttpContext` knows about the URL for the Web App, and the signed-in user (in a  `ClaimsPrincipal`). 
+
+It also uses the ASP.NET Core configuration, which has an "AzureAD" section, and which is bound both to:
+
+- the `_applicationOptions` data structure of type [ConfidentialClientApplicationOptions](https://docs.microsoft.com/dotnet/api/microsoft.identity.client.confidentialclientapplicationoptions?view=azure-dotnet)
+- the `azureAdOptions` instance of type [AzureAdOptions](https://github.com/aspnet/AspNetCore/blob/master/src/Azure/AzureAD/Authentication.AzureAD.UI/src/AzureADOptions.cs) defined in ASP.NET Core `Authentication.AzureAD.UI`. Finally the application needs to maintain token caches.
 
 ```CSharp
 /// <summary>
@@ -113,7 +118,7 @@ private IConfidentialClientApplication BuildConfidentialClientApplication(HttpCo
  string currentUri = UriHelper.BuildAbsolute(request.Scheme, request.Host, request.PathBase, _applicationOptions.CallbackPath ?? string.Empty);
 
  // Updates the authority from the instance (including national clouds) and the tenant
- string authority = $"{_applicationOptions.Instance}{_applicationOptions.TenantId}/";
+ string authority = $"{azureAdOptions.Instance}{azureAdOptions.TenantId}/";
 
  // Instantiates the application based on the application options (including the client secret)
  var app = ConfidentialClientApplicationBuilder.CreateWithApplicationOptions(_applicationOptions)
 
@@ -71,7 +71,7 @@ Applications that support the SCIM profile described in this article can be conn
    *Figure 3: Configuring provisioning in the Azure portal*
 
 1. In the **Tenant URL** field, enter the URL of the application's SCIM endpoint. Example: https://api.contoso.com/scim/v2/
-1. If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional **Secret Token** field.
+1. If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional **Secret Token** field. If this field is left blank, Azure AD includes an OAuth bearer token issued from Azure AD with each request. Apps that use Azure AD as an identity provider can validate this Azure AD-issued token.
 1. Select **Test Connection** to have Azure Active Directory attempt to connect to the SCIM endpoint. If the attempt fails, error information is displayed.  
 
     > [!NOTE]
@@ -675,8 +675,9 @@ The easiest way to implement a SCIM endpoint that can accept provisioning reques
 1. Enter a name for your application, and select **Add** to create an app object. The application object created is intended to represent the target app you would be provisioning to and implementing single sign-on for, and not just the SCIM endpoint.
 1. In the app management screen, select **Provisioning** in the left panel.
 1. In the **Provisioning Mode** menu, select **Automatic**.    
-1. In the **Tenant URL** field, enter the internet-exposed URL and port of your SCIM endpoint. The entry is something like http://testmachine.contoso.com:9000 or http://\<ip-address>:9000/, where \<ip-address> is the internet exposed IP address. 
-1. If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional **Secret Token** field. 
+1. In the **Tenant URL** field, enter the internet-exposed URL and port of your SCIM endpoint. The entry is something like http://testmachine.contoso.com:9000 or http://\<ip-address>:9000/, where \<ip-address> is the internet exposed IP address.
+
+1. If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the required OAuth bearer token into the optional **Secret Token** field. If this field is left blank, Azure AD includes an OAuth bearer token issued from Azure AD with each request. Apps that use Azure AD as an identity provider can validate this Azure AD-issued token.
 1. Select **Test Connection** to have Azure Active Directory attempt to connect to the SCIM endpoint. If the attempt fails, error information is displayed.  
 
     > [!NOTE]
@@ -830,7 +831,7 @@ To host the service within Internet Information Services, a developer would buil
 
 ### Handling endpoint authentication
 
-Requests from Azure Active Directory include an OAuth 2.0 bearer token.   Any service receiving the request should authenticate the issuer as being Azure Active Directory for the expected Azure Active Directory tenant, for access to the Azure Active Directory Graph web service.  In the token, the issuer is identified by an iss claim, like "iss":"https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/".  In this example, the base address of the claim value, https://sts.windows.net, identifies Azure Active Directory as the issuer, while the relative address segment, cbb1a5ac-f33b-45fa-9bf5-f37db0fed422, is a unique identifier of the Azure Active Directory tenant for which the token was issued.  If the token was issued for accessing the Azure Active Directory Graph web service, then the identifier of that service, 00000002-0000-0000-c000-000000000000, should be in the value of the token’s aud claim.  Each of the applications that are registered in a single tenant may receive the same `iss` claim with SCIM requests.
+Requests from Azure Active Directory include an OAuth 2.0 bearer token.   Any service receiving the request should authenticate the issuer as being Azure Active Directory for the expected Azure Active Directory tenant, for access to the Azure Active Directory Graph web service.  In the token, the issuer is identified by an iss claim, like "iss":"https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/".  In this example, the base address of the claim value, https://sts.windows.net, identifies Azure Active Directory as the issuer, while the relative address segment, cbb1a5ac-f33b-45fa-9bf5-f37db0fed422, is a unique identifier of the Azure Active Directory tenant for which the token was issued. The audience for the token will be the application template id for the app in the gallery. The application template id for all custom apps is 8adf8e6e-67b2-4cf2-a259-e3dc5476c621. The application template id for each app in the gallery varies. Please contact ProvisioningFeedback@microsoft.com for questions on the application template id for a gallery application. Each of the applications registered in a single tenant may receive the same `iss` claim with SCIM requests.
 
 Developers using the CLI libraries provided by Microsoft for building a SCIM service can authenticate requests from Azure Active Directory using the Microsoft.Owin.Security.ActiveDirectory package by following these steps: 
 
@@ -868,7 +869,7 @@ Developers using the CLI libraries provided by Microsoft for building a SCIM ser
        SystemIdentityModel.Tokens.TokenValidationParameters tokenValidationParameters =     
          new TokenValidationParameters()
          {
-           ValidAudience = "00000002-0000-0000-c000-000000000000"
+           ValidAudience = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"
          };
 
        // WindowsAzureActiveDirectoryBearerAuthenticationOptions is defined in
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ The steps involved are different for cloud-only user accounts vs user accounts t`
`37`	`37`	A synced Azure AD tenant is set to synchronize with your organization's on-premises directory using Azure AD Connect. By default, Azure AD Connect does not synchronize NTLM and Kerberos credential hashes to Azure AD. To use Azure AD Domain Services, you need to configure Azure AD Connect to synchronize credential hashes required for NTLM and Kerberos authentication. The following steps enable synchronization of the required credential hashes from your on-premises directory to your Azure AD tenant.
`38`	`38`
`39`	`39`	`> [!NOTE]`
`40`		`-> If your organization has user accounts that are synchronized from your on-premises directory, you must enable synchronization of NTLM and Kerberos hashes in order to use the managed domain. A synced user account is an account that was created in your on-premises directory and is synchronized to your Azure AD tenant using Azure AD Connect.`
	`40`	+> If your organization has user accounts that are synchronized from your on-premises directory, you must enable synchronization of NTLM and Kerberos hashes in order to use the managed domain. A synced user account is an account that was created in your on-premises directory and is synchronized to your Azure AD tenant using Azure AD Connect. The password hash sync is a different process from user/object sync. You need to disable/enable password hash sync to get full password sync, then you will see the batch password hash updates in the application event log.
`41`	`41`	`>`
`42`	`42`	`>`
`43`	`43`
`@@ -74,6 +74,9 @@ Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConn`
`74`	`74`
`75`	`75`	`Depending on the size of your directory (number of users, groups etc.), synchronization of credential hashes to Azure AD takes time. The passwords will be usable on the Azure AD Domain Services managed domain shortly after the credential hashes have synchronized to Azure AD.`
`76`	`76`
	`77`	`+> [!NOTE]`
	`78`	`+> Password hash sync is a different process from user/object sync. You need to disable/enable password hash sync to get full password sync, then you will see the batch password hash updates in the application event log.`
	`79`	`+`
`77`	`80`	`## Related Content`
`78`	`81`	`* [Enable password synchronization to AAD Domain Services for a cloud-only Azure AD directory](active-directory-ds-getting-started-password-sync.md)`
`79`	`82`	`* [Manage an Azure AD Domain Services domain](manage-domain.md)`