Merge branch 'main' into Dynamic-Rules-Documentation

Author: JarbasHorst

.vscode/settings.json

@@ -3,6 +3,7 @@
         "main",
         "main",
         "main",
+        "main",
         "main"
     ],
     "json.schemas": [

README.md

@@ -4,8 +4,6 @@ Thank you for your interest in Microsoft Graph documentation! For the best exper
 
 ## Give us your feedback
 
-**Coming soon:** In March 2024, we will be phasing out the current feedback mechanism for content (GitHub issues) described below and replacing it with a new feedback system. For more information, see https://aka.ms/ContentUserFeedback.
-
 Your feedback is important to us.
 
 - To let us know about any questions or issues you find in the documentation, [leave feedback using the standard experience](https://learn.microsoft.com/en-us/contribute/content/provide-feedback#use-the-standard-experience).

api-reference/beta/api/agreement-get.md

@@ -24,7 +24,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "agreement_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/agreement-get-permissions.md)]
 
-[!INCLUDE [rbac-tou-apis](../includes/rbac-for-apis/rbac-tou-apis.md)]
+[!INCLUDE [rbac-tou-security-reader-apis](../includes/rbac-for-apis/rbac-tou-security-reader-apis.md)]
 
 ## HTTP request
 <!-- { "blockType": "ignored" } -->

api-reference/beta/api/agreement-list-acceptances.md

@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "agreement_list_acceptances" } -->
 [!INCLUDE [permissions-table](../includes/permissions/agreement-list-acceptances-permissions.md)]
 
+[!INCLUDE [rbac-tou-security-reader-apis](../includes/rbac-for-apis/rbac-tou-security-reader-apis.md)]
+
 ## HTTP request
 
 <!-- {

api-reference/beta/api/agreement-list-files.md

@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "agreement_list_files" } -->
 [!INCLUDE [permissions-table](../includes/permissions/agreement-list-files-permissions.md)]
 
+[!INCLUDE [rbac-tou-security-reader-apis](../includes/rbac-for-apis/rbac-tou-security-reader-apis.md)]
+
 
 ## HTTP request
 

api-reference/beta/api/agreement-post-files.md

@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "agreement_post_files" } -->
 [!INCLUDE [permissions-table](../includes/permissions/agreement-post-files-permissions.md)]
 
+[!INCLUDE [rbac-tou-apis](../includes/rbac-for-apis/rbac-tou-apis.md)]
+
 ## HTTP request
 
 <!-- {

api-reference/beta/api/agreementfile-get.md

@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "agreementfile_get" } -->
 [!INCLUDE [permissions-table](../includes/permissions/agreementfile-get-permissions.md)]
 
+[!INCLUDE [rbac-tou-security-reader-apis](../includes/rbac-for-apis/rbac-tou-security-reader-apis.md)]
+
 ## HTTP request
 
 <!-- {

api-reference/beta/api/agreementfile-list-localizations.md

@@ -23,6 +23,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "agreementfile_list_localizations" } -->
 [!INCLUDE [permissions-table](../includes/permissions/agreementfile-list-localizations-permissions.md)]
 
+[!INCLUDE [rbac-tou-security-reader-apis](../includes/rbac-for-apis/rbac-tou-security-reader-apis.md)]
+
 ## HTTP request
 
 <!-- {

api-reference/beta/api/application-post-federatedidentitycredentials.md

@@ -46,9 +46,10 @@ The following table lists the properties that are required when you create the [
 |Property|Type|Description|
 |:---|:---|:---|
 |audiences|String collection|Required. The audience that can appear in the external token. This field is mandatory and should be set to `api://AzureADTokenExchange` for Microsoft Entra ID. It says what Microsoft identity platform should accept in the `aud` claim in the incoming token. This value represents Microsoft Entra ID in your external identity provider and has no fixed value across identity providers - you may need to create a new application registration in your identity provider to serve as the audience of this token. This field can only accept a single value and has a limit of 600 characters.|
+| claimsMatchingExpression |[federatedIdentityExpression](../resources/federatedidentityexpression.md)| Nullable.  Defaults to `null` if not set. Enables the use of claims matching expressions against specified claims. If **claimsMatchingExpression** is defined, **subject** must be `null`. For the list of supported expression syntax and claims, visit the [Flexible FIC reference](https://aka.ms/flexiblefic). |
 |issuer|String|Required. The URL of the external identity provider and must match the issuer claim of the external token being exchanged. The combination of the values of **issuer** and **subject** must be unique on the app. It has a limit of 600 characters.|
 |name|String|Required. The unique identifier for the federated identity credential, which has a limit of 120 characters and must be URL friendly. It is immutable once created.|
-|subject|String|Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each identity provider uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Microsoft Entra ID. It has a limit of 600 characters. The combination of **issuer** and **subject** must be unique on the app.|
+|subject|String|Nullable. Defaults to `null` if not set. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each identity provider uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Microsoft Entra ID. It has a limit of 600 characters. The combination of **issuer** and **subject** must be unique on the app. If **subject** is defined, **claimsMatchingExpression** must be `null`.|
 
 
 

api-reference/beta/api/appmanagementpolicy-post.md

@@ -218,7 +218,6 @@ Content-type: application/json
             "identifierUris": {
                 "nonDefaultUriAddition": {
                     "state": "disabled",
-                    "restrictForAppsCreatedAfterDateTime": null,
                     "excludeAppsReceivingV2Tokens": true,
                     "excludeSaml": true
                 }