Commit c43c643

Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)
2 parents 6262d43 + 82e0b13 commit c43c643

77 files changed

+1530
-403
lines changed

articles/active-directory/develop/sample-v2-code.md

+4-3
@@ -57,7 +57,7 @@ The following samples illustrate web applications that sign in users. Some sampl
5757

5858
| Platform | Only signs in users | Signs in users and calls Microsoft Graph |
5959
| -------- | ------------------- | --------------------------------- |
60-
| ![ASP.NET Core](media/sample-v2-code/logo_NETcore.png)</p>ASP.NET Core 2.1 | [ASP.NET Core WebApp signs-in users tutorial](https://aka.ms/aspnetcore-webapp-sign-in) | Same sample in the [ASP.NET Core Web App calls Microsoft Graph](https://aka.ms/aspnetcore-webapp-call-msgraph) phase |
60+
| ![ASP.NET Core](media/sample-v2-code/logo_NETcore.png)</p>ASP.NET Core 2.2 | [ASP.NET Core WebApp signs-in users tutorial](https://aka.ms/aspnetcore-webapp-sign-in) | Same sample in the [ASP.NET Core Web App calls Microsoft Graph](https://aka.ms/aspnetcore-webapp-call-msgraph) phase |
6161
| ![ASP.NET](media/sample-v2-code/logo_NETframework.png)</p> ASP.NET | [ASP.NET Quickstart](https://github.com/AzureAdQuickstarts/AppModelv2-WebApp-OpenIDConnect-DotNet) </p> [dotnet-webapp-openidconnect-v2](https://github.com/azure-samples/active-directory-dotnet-webapp-openidconnect-v2) | [dotnet-admin-restricted-scopes-v2](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2) </p> |[msgraph-training-aspnetmvcapp](https://github.com/microsoftgraph/msgraph-training-aspnetmvcapp)
6262
| ![Node.js](media/sample-v2-code/logo_nodejs.png) | | [Node.js Quickstart](https://github.com/azureadquickstarts/appmodelv2-webapp-openidconnect-nodejs) |
6363
| ![Ruby](media/sample-v2-code/logo_ruby.png) | | [msgraph-training-rubyrailsapp](https://github.com/microsoftgraph/msgraph-training-rubyrailsapp) |
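
Review bot: The changed row at line 60 still carries a closing `</p>` with no opening `<p>` in the Platform cell (`logo_NETcore.png)</p>ASP.NET Core 2.2`), so the version bump copies the unbalanced markup forward; use a matched pair or `<br/>` instead. While this table is being touched, the context row at line 61 also needs attention: it ends with `</p> |[msgraph-training-aspnetmvcapp](...)`, which puts a link after the last pipe and creates a fourth cell in a three-column table.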
@@ -94,11 +94,12 @@ The following sample shows a public client application running on a device witho
9494

9595
## Web APIs
9696

97-
The following sample shows how to protect a web API with the Microsoft identity platform endpoint. This API is exercised by a WPF application, but it can be called by any application. The web API also calls Microsoft Graph.
97+
The following samples shows how to protect a web API with the Microsoft identity platform endpoint, and how to call a downstream API from the Web API.
9898

9999
| Platform | Sample |
100100
| -------- | ------------------- |
101-
| ![.NET/C#](media/sample-v2-code/logo_NET.png) | WebAPI (service) of [dotnet-native-aspnetcore-v2](https://aka.ms/msidentity-aspnetcore-webapi-calls-msgraph) |
101+
| ![ASP.NET Core](media/sample-v2-code/logo_NETcore.png)</p>ASP.NET Core 2.2 | ASP.NET Core Web API (service) of [dotnet-native-aspnetcore-v2](https://aka.ms/msidentity-aspnetcore-webapi-calls-msgraph) |
102+
| ![ASP.NET](media/sample-v2-code/logo_NET.png)</p>ASP.NET MVC | Web API (service) of [ms-identity-aspnet-webapi-onbehalfof](https://github.com/Azure-Samples/ms-identity-aspnet-webapi-onbehalfof) |
102103

103104
## Other Microsoft Graph samples
104105
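
Review bot: The new sentence at line 97 has a subject-verb mismatch ("The following samples shows") and mixes "web API" with "Web API" in the same sentence; suggest "The following samples show how to protect a web API with the Microsoft identity platform endpoint, and how to call a downstream API from the web API." In the added row at line 102, the ASP.NET MVC entry uses `logo_NET.png`, while the ASP.NET row in the web applications table uses `logo_NETframework.png`; pick one logo for the same platform. The old text named Microsoft Graph as the API being called, and the replacement only says "a downstream API", so consider saying which downstream API each sample calls.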

articles/active-directory/develop/scenario-daemon-app-configuration.md

+3-1
@@ -38,7 +38,9 @@ The Microsoft libraries supporting daemon apps are:
3838

3939
Given that the daemon applications don't use delegated permissions, but application permissions, their *supported account type* cannot be *Accounts in any organizational directory and personal Microsoft accounts (for example, Skype, Xbox, Outlook.com)*. Indeed, there is no tenant admin to grant consent to the daemon application for Microsoft personal accounts. You'll need to choose *accounts in my organization* or *accounts in any organization*.
4040

41-
Therefore the authority specified in the application configuration should be tenant-ed (specifying a Tenant ID or a domain name associated with your organization). If you are an ISV and want to provide a multi-tenant tool, you can use `organizations`. But keep in mind that you will also need to explain to your customers how to grant admin consent. See [Requesting consent for an entire tenant](v2-permissions-and-consent.md#requesting-consent-for-an-entire-tenant) for details
41+
Therefore the authority specified in the application configuration should be tenant-ed (specifying a Tenant ID or a domain name associated with your organization).
42+
43+
If you are an ISV and want to provide a multi-tenant tool, you can use `organizations`. But keep in mind that you will also need to explain to your customers how to grant admin consent. See [Requesting consent for an entire tenant](v2-permissions-and-consent.md#requesting-consent-for-an-entire-tenant) for details. Also there is currently a limitation in MSAL that `organizations` is only allowed when the client credentials are an application secret (not a certificate). See [MSAL.NET bug #891](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/891)
4244

4345
## Application configuration and instantiation
4446
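
Review bot: The limitation added at line 43 tells multi-tenant readers that `organizations` only works with an application secret, but it does not say what to do if they want to keep certificate credentials; as written it reads as a reason to switch from a certificate to a secret. Suggest stating the alternative that line 41 already implies: keep the certificate and use a tenanted authority (Tenant ID or domain name) per customer. The sentence also says "currently" without a version, so it will go stale once issue #891 is closed; put it in a note block that names the affected MSAL.NET version. Minor: the last sentence at line 43 is missing its final period.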

articles/active-directory/develop/scenario-desktop-app-configuration.md

+1-1
@@ -42,7 +42,7 @@ IPublicClientApplication app = PublicClientApplicationBuilder.Create(clientId)
4242
.Build();
4343
```
4444

45-
If you intend to use interactive authentication, as seen above, you want to use the `.WithRedirectUri` modifier:
45+
If you intend to use interactive authentication or Device Code Flow, as seen above, you want to use the `.WithRedirectUri` modifier:
4646

4747
```CSharp
4848
IPublicClientApplication app;
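
Review bot: At line 45, "as seen above" was written when the sentence covered interactive authentication only; with "or Device Code Flow" inserted before it, the sentence now claims the preceding snippet also shows Device Code Flow, and the visible context above (the builder chain ending in `.Build()`) does not establish that. Suggest moving the clause so it applies to what the snippet shows, for example "If you intend to use interactive authentication, as seen above, or Device Code Flow, ...". Capitalisation is also inconsistent within the sentence ("interactive authentication" vs "Device Code Flow").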

articles/active-directory/develop/scenario-desktop-app-registration.md

+3-2
@@ -43,12 +43,13 @@ If your desktop application uses interactive authentication, you can sign in us
4343

4444
Again the redirect URIs to use in desktop application will depend on the flow you want to use.
4545

46-
- If you're using the interactive authentication, you'll want to use `https://login.microsoftonline.com/common/oauth2/nativeclient`. You'll achieve this configuration by clicking the corresponding URL in the **Authentication** section for your application
46+
- If you're using the **interactive authentication** or **Device Code Flow**, you'll want to use `https://login.microsoftonline.com/common/oauth2/nativeclient`. You'll achieve this configuration by clicking the corresponding URL in the **Authentication** section for your application
4747

4848
> [!IMPORTANT]
4949
> Today MSAL.NET uses another Redirect URI by default in desktop applications running on Windows (`urn:ietf:wg:oauth:2.0:oob`). In the future we'll want to change this default, and therefore we recommend that you use `https://login.microsoftonline.com/common/oauth2/nativeclient`
5050
51-
- If your app is only using Integrated Windows authentication, Username/Password or Device Code Flow, you don't need to register a redirect URI for your application. Indeed, these flows do a round trip to the Microsoft identity platform v2.0 endpoint and your application won't be called back on any specific URI. In order to distinguish them from a confidential client application flow, which doesn't have redirect URIs either (the client credential flow used in daemon applications), you need to express that your application is a public client application. This configuration is achieved by going to the **Authentication** section for your application, and in the **Advanced settings** subsection, choose **Yes**, to the question **Treat application as a public client** (in the **Default client type** paragraph)
51+
- If your app is only using Integrated Windows authentication, Username/Password, you don't need to register a redirect URI for your application. Indeed, these flows do a round trip to the Microsoft identity platform v2.0 endpoint and your application won't be called back on any specific URI.
52+
- In order to distinguish Device Code Flow, Integrated Windows Authentication and Username/Password from a confidential client application flow, which doesn't have redirect URIs either (the client credential flow used in daemon applications), you need to express that your application is a public client application. This configuration is achieved by going to the **Authentication** section for your application, and in the **Advanced settings** subsection, choose **Yes**, to the question **Treat application as a public client** (in the **Default client type** paragraph)
5253

5354
![Allow public client](media/scenarios/default-client-type.png)
5455
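
Review bot: Lines 46 and 52 now contradict each other on Device Code Flow. Line 46 tells the reader to register `https://login.microsoftonline.com/common/oauth2/nativeclient` for it, while line 52 groups it with flows being distinguished from a confidential client flow "which doesn't have redirect URIs either", which implies Device Code Flow has no redirect URI. Decide which is intended and reword line 52 so that "either" only covers the flows that really have none. Line 51 is left with a dangling comma after the removal ("Integrated Windows authentication, Username/Password, you don't need"); it should read "Integrated Windows authentication or Username/Password". Line 52 is formatted as a third bullet, but it is a requirement that applies to the flows above rather than another case in the list, so it reads better as a paragraph after the list. "Integrated Windows authentication" (line 51) and "Integrated Windows Authentication" (line 52) should use one spelling.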
