Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-account-explorer.md

@@ -16,7 +16,7 @@ ms.author: v-ydequadros
 > CloudKnox Permissions Management (CloudKnox) is currently in PREVIEW.
 > Some information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
-You can  view information about users, groups, and resources that can access account information from an external account in CloudKnox Permissions Management (CloudKnox). 
+You can view information about users, groups, and resources that can access account information from an external account in CloudKnox Permissions Management (CloudKnox).
 
 ## Display information about users, groups, or tasks
 
@@ -31,61 +31,48 @@ You can  view information about users, groups, and resources that can access acc
 
 1. To choose an account from your authorization system, select the lock icon in the left panel.
 1. In the **Authorization systems** pane, select an account, then select **Apply**.
-
 1. To choose a user, role, or group, select the person icon. 
 1. Select a user or group, then select **Apply**. 
-
-1. To choose a task, select the clipboard icon.
-1. In the **Task** pane, select **All** or **High-risk tasks**, then select **Apply**. 
+1. To choose an account from your authorization system, select it from the Authorization Systems menu.
+1. In the user type filter, user, role, or group.
+1. In the **Task** filter, select **All** or **High-risk tasks**, then select **Apply**.
 1. To delete a task, select **Delete**, then select **Apply**.
 
-
 ## Export information about users, groups, or tasks
 
-- To export the data in comma-separated values (CSV) file format, in the **User analytics** dashboard, Click **Export** and selet **CSV**.
+To export the data in comma-separated values (CSV) file format, select **Export** from the top-right hand corner of the table.
 
 ## View users and roles
-
 1. To view users and roles, select the lock icon, and then select the person icon to open the **Users** pane.
+1. To view the **Role summary**, select the "eye" icon to the right of the role name.
 
-1. To view the **Role summary**, select the "eye" icon to the right of the role name. 
-
-    The following details display:
-
-     - **Policies**: A list of all the policies attached to the role.
-     - **Trusted entities**: The identities from external accounts that can assume this role.
+   The following details display:
+   - **Policies**: A list of all the policies attached to the role.
+   - **Trusted entities**: The identities from external accounts that can assume this role.
 
 1. To view all the identities from various accounts that can assume this role, select the down arrow to the left of the role name.
+1. To view a graph of all the identities that can access the specified account and through which role(s), select the role name.
 
-1. To view a graph of all the identities that can access the specified account and through which role(s), select the role name. 
-
-     If CloudKnox is monitoring the external account, it lists specific identities from the accounts that can assume this role. Otherwise, it lists the identities declared in the **Trusted entity** section.
+   If CloudKnox is monitoring the external account, it lists specific identities from the accounts that can assume this role. Otherwise, it lists the identities declared in the **Trusted entity** section.
 
-     - **Connecting roles**: Lists the following roles for each account:
-
-         - *Direct roles* that are trusted by the account role.
-         - *Intermediary roles* that aren't directly trusted by the account role but are assumable by identities through role-chaining.
+   **Connecting roles**: Lists the following roles for each account:
+      - *Direct roles* that are trusted by the account role.
+      - *Intermediary roles* that aren't directly trusted by the account role but are assumable by identities through role-chaining.
 
 1. To view all the roles from that account that are used to access the specified account, select the down arrow to the left of the account name.
+1. To view the trusted identities declared by the role, select the down arrow to the left of the role name.
 
-1. To view the trusted identities declared by the role, select the down arrow to the left of the role name. 
-
-     The trusted identities for the role are listed only if the account is being monitored by CloudKnox.
-
-1. To view the role definition, select the "eye" icon to the right of the role name. 
-
-     When you select the down arrow and expand details, a search box is displayed. Enter your criteria in this box to search for specific roles.
-
-     - **Identities with access**: Lists the identities that come from external accounts:
-
-        - To view all the identities from that account can access the specified account, select the down arrow to the left of the account name.
-        - To view the **Role summary** for EC2 instances and Lambda functions, select the "eye" icon to the right of the identity name. 
-        -  To view a graph of how the identity can access the specified account and through which role(s), select the identity name.
+   The trusted identities for the role are listed only if the account is being monitored by CloudKnox.
 
-1. The **Info** tab displays the **Privilege creep index** and **Service control policy (SCP)** information about the account. 
+1. To view the role definition, select the "eye" icon to the right of the role name.
 
-     For more information about the **Privilege creep index** and SCP information, see [View key statistics and data about your authorization system](cloudknox-ui-dashboard.md).
+   When you select the down arrow and expand details, a search box is displayed. Enter your criteria in this box to search for specific roles.
 
-<!---## Next steps--->
+   **Identities with access**: Lists the identities that come from external accounts:
+      - To view all the identities from that account can access the specified account, select the down arrow to the left of the account name.
+      - To view the **Role summary** for EC2 instances and Lambda functions, select the "eye" icon to the right of the identity name.
+      - To view a graph of how the identity can access the specified account and through which role(s), select the identity name.
 
+1. The **Info** tab displays the **Privilege creep index** and **Service control policy (SCP)** information about the account.
 
+For more information about the **Privilege creep index** and SCP information, see [View key statistics and data about your authorization system](cloudknox-ui-dashboard.md).

articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-product-rule-based-anomalies.md

@@ -29,28 +29,29 @@ Rule-based anomalies identify recent activity in CloudKnox Permissions Managemen
 
       - **Alert name**: Lists the name of the alert.
 
-         - To view the specific identity, resource, and task names that occurred during the alert collection period, select the **Alert Name**.
+      - To view the specific identity, resource, and task names that occurred during the alert collection period, select the **Alert Name**.
 
       - **Anomaly alert rule**: Displays the name of the rule select when creating the alert.
       - **# of occurrences**: How many times the alert trigger has occurred.
-      - **Task**: How many tasks are affected by the alert.
-      - **Resources**: How many resources are affected by the alert.
-      - **Identity**: How many identities are affected by the alert.
+      - **Task**: How many tasks performed are triggered by the alert.
+      - **Resources**: How many resources accessed are triggered by the alert.
+      - **Identity**: How many identities performing unusual behavior are triggered by the alert.
       - **Authorization system**: Displays which authorization systems the alert applies to, Amazon Web Services (**AWS**), Microsoft **Azure**, or Google Cloud Platform (**GCP**). 
       - **Date/Time**: Lists the date and time of the alert.
       - **Date/Time (UTC)**: Lists the date and time of the alert in Coordinated Universal Time (UTC).
-      - **View trigger**: Displays the current trigger settings and applicable authorization system details.
-      - **Activity**: Displays details about the **Identity Name**, **Resource Name**, **Task Name**, **Date**, and **IP Address**.
+      
 
 1. To filter alerts:
 
     - From the **Alert Name** dropdown, select **All** or the appropriate alert name.  
     - From the **Date** dropdown menu, select **Last 24 Hours**, **Last 2 Days**, **Last Week**, or **Custom Range**, and select **Apply**.
 
-        - If you select **Custom Range**, also enter **From** and **To** duration settings.
+     - If you select **Custom Range**, also enter **From** and **To** duration settings.
 1. To view details that match the alert criteria, select the ellipses (**...**). 
 
-    For example, **Authorization System Type**, **Authorization Systems**, **Resources**, **Tasks**, and **Identities**.
+     - **View Trigger**: Displays the current trigger settings and applicable authorization system details
+     - **Details**: Displays details about **Authorization System Type**, **Authorization Systems**, **Resources**, **Tasks**, **Identities**, and **Activity**
+     - **Activity**: Displays details about the **Identity Name**, **Resource Name**, **Task Name**, **Date/Time**, **Inactive For**, and **IP Address**. Selecting the "eye" icon displays the **Raw Events Summary**
 
 ## Create a rule-based anomaly trigger
 
@@ -63,11 +64,11 @@ Rule-based anomalies identify recent activity in CloudKnox Permissions Managemen
 1. Select one of the following conditions:
       - **Any Resource Accessed for the First Time**: The identity accesses a resource for the first time during the specified time interval.
       - **Identity Performs a Particular Task for the First Time**: The identity does a specific task for the first time during the specified time interval.
-      - **Inactive Identity Becomes Active**: An identity that hasn't been active for 90 days becomes active and does any task in the selected time interval.
+       - **Identity Performs a Task for the First Time**: The identity performs any task for the first time during the specified time interval
 1. Select **Next**.
-1. On the **Authorization systems** tab, select the available authorization systems accounts and folders, or select **All**. 
+1. On the **Authorization Systems** tab, select the available authorization systems and folders, or select **All**. 
 
-    This screen defaults to **List** view, but you can change it to **Folder** view. You can select the applicable folder instead of individually by system. 
+    This screen defaults to **List** view, but you can change it to **Folders** view. You can select the applicable folder instead of individually selecting by authorization system. 
 
       - The **Status** column displays if the authorization system is online or offline. 
       - The **Controller** column displays if the controller is enabled or disabled.
@@ -82,14 +83,13 @@ Rule-based anomalies identify recent activity in CloudKnox Permissions Managemen
 
     The **Alert triggers** subtab displays the following information:
 
-      - **Alert**: Displays the name of the alert.
+      - **Alerts**: Displays the name of the alert.
       - **Anomaly Alert Rule**: Displays the name of the selected rule when creating the alert.
       - **# of users subscribed**: Displays the number of users subscribed to the alert.
       - **Created by**: Displays the email address of the user who created the alert.
-      - **Last modified by**: Displays the email address of the user who last modified the alert.
-      - **Last modified on**: Displays the date and time the trigger was last modified.
-      - **Subscription**: Switches between **On** and **Off**.
-      - **View Trigger**: Displays the current trigger settings and applicable authorization system details.
+      - **Last Modified By**: Displays the email address of the user who last modified the alert.
+      - **Last Modified On**: Displays the date and time the trigger was last modified.
+      - **Subscription**: Subscribes you to receive alert emails. Switches between **On** and **Off**. 
 
 1. To view other options available to you, select the ellipses (**...**), and then select from the available options:
 
@@ -99,16 +99,16 @@ Rule-based anomalies identify recent activity in CloudKnox Permissions Managemen
 
        Only the user who created the alert can edit the trigger screen, rename an alert, deactivate an alert, and delete an alert. Changes made by other users aren't saved.
 
-    - **Duplicate**: Create a duplicate of the alert called "**Copy of XXX**".
+    - **Duplicate**: Create a duplicate copy of the selected alert trigger.
     - **Rename**: Enter the new name of the query, and then select **Save.**
     - **Deactivate**: The alert will still be listed, but will no longer send emails to subscribed users.
     - **Activate**: Activate the alert trigger and start sending emails to subscribed users.
-    - **Notification settings**: View the **Email** of users who are subscribed to the alert trigger and their **User status**. 
+    - **Notification settings**: View the **Email** of users who are subscribed to the alert trigger. 
     - **Delete**: Delete the alert.
 
     If the **Subscription** is **Off**, the following options are available:
     - **View**: View  details of the alert trigger.
-    - **Notification settings**: View the **Email** of users who are subscribed to the alert trigger and their **User status**. 
+    - **Notification settings**: View the **Email** of users who are subscribed to the alert trigger.
     - **Duplicate**: Create a duplicate copy of the selected alert trigger.
 
 1. To filter by **Activated** or **Deactivated**, in the **Status** section, select **All**, **Activated**, or **Deactivated**, and then select **Apply**.
@@ -120,4 +120,4 @@ Rule-based anomalies identify recent activity in CloudKnox Permissions Managemen
 - For an overview on activity triggers, see [View information about activity triggers](cloudknox-ui-triggers.md).
 - For information on activity alerts and alert triggers, see [Create and view activity alerts and alert triggers](cloudknox-howto-create-alert-trigger.md). 
 - For information on finding outliers in identity's behavior, see [Create and view statistical anomalies and anomaly triggers](cloudknox-product-statistical-anomalies.md).
-- For information on permission analytics triggers, see [Create and view permission analytics triggers](cloudknox-product-permission-analytics.md).
+- For information on permission analytics triggers, see [Create and view permission analytics triggers](cloudknox-product-permission-analytics.md).

articles/active-directory/external-identities/cross-tenant-access-overview.md

@@ -5,7 +5,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 02/07/2022
+ms.date: 02/23/2022
 
 ms.author: mimart
 author: msmimart
@@ -94,11 +94,16 @@ The output is a summary of all available sign-in events for inbound and outbound
 To determine your users' access to external Azure AD organizations, you can use the [Get-MgAuditLogSignIn](/powershell/module/microsoft.graph.reports/get-mgauditlogsignin) cmdlet in the Microsoft Graph PowerShell SDK to view data from your sign-in logs for the last 30 days. For example, run the following command:
 
 ```powershell
-Get-MgAuditLogSignIn ` 
--Filter “ResourceTenantID ne ‘your tenant id’” ` 
--all:$True| ` 
-group ResourceTenantId,AppDisplayName,UserPrincipalName| ` 
-select count, @{n=’Ext TenantID/App User Pair’;e={$_.name}}] 
+#Initial connection
+Connect-MgGraph -Scopes "AuditLog.Read.All"
+Select-MgProfile -Name "beta"
+
+#Get external access
+$TenantId = "<replace-with-your-tenant-ID>"
+
+Get-MgAuditLogSignIn -Filter "ResourceTenantId ne '$TenantID'" -All:$True |
+Group-Object ResourceTenantId,AppDisplayName,UserPrincipalName |
+Select-Object count,@{n='Ext TenantID/App User Pair';e={$_.name}}
 ```
 
 The output is a list of outbound sign-ins initiated by your users to apps in external tenants.

articles/advisor/resource-graph-samples.md

@@ -1,7 +1,7 @@
 ---
 title: Azure Resource Graph sample queries for Azure Advisor
 description: Sample Azure Resource Graph queries for Azure Advisor showing use of resource types and tables to access Azure Advisor related resources and properties.
-ms.date: 01/20/2022
+ms.date: 02/16/2022
 ms.topic: sample
 ms.custom: subject-resourcegraph-sample
 ---

articles/aks/nat-gateway.md

@@ -25,6 +25,17 @@ To use Managed NAT gateway, you must have the following:
 * The `aks-preview` extension version 0.5.31 or later
 * Kubernetes version 1.20.x or above
 
+### Install aks-preview CLI extension
+
+You also need the *aks-preview* Azure CLI extension version 0.5.31 or later. Install the *aks-preview* Azure CLI extension by using the [az extension add][az-extension-add] command. Or install any available updates by using the [az extension update][az-extension-update] command.
+
+```azurecli-interactive
+# Install the aks-preview extension
+az extension add --name aks-preview
+
+# Update the extension to make sure you have the latest version installed
+az extension update --name aks-preview
+```
 
 ### Register the `AKS-NATGatewayPreview` feature flag
 
@@ -159,4 +170,6 @@ To create an AKS cluster with a user-assigned NAT Gateway, use `--outbound-type
 [az-feature-list]: /cli/azure/feature#az_feature_list
 [az-provider-register]: /cli/azure/provider#az_provider_register
 [byo-vnet-azure-cni]: configure-azure-cni.md
-[byo-vnet-kubenet]: configure-kubenet.md
+[byo-vnet-kubenet]: configure-kubenet.md
+[az-extension-add]: /cli/azure/extension#az_extension_add
+[az-extension-update]: /cli/azure/extension#az_extension_update

articles/app-service/overview-vnet-integration.md

@@ -91,6 +91,20 @@ Learn [how to configure application routing](./configure-vnet-integration-routin
 
 We recommend that you use the **Route All** configuration setting to enable routing of all traffic. Using the configuration setting allows you to audit the behavior with [a built-in policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F33228571-70a4-4fa1-8ca1-26d0aba8d6ef). The existing WEBSITE_VNET_ROUTE_ALL app setting can still be used, and you can enable all traffic routing with either setting.
 
+#### Configuration routing
+
+When you are using virtual network integration, you can configure how parts of the configuration traffic is managed. By default, the mentioned configurations will go directly to the internet unless you actively configure it to be routed through the virtual network integration.
+
+##### Content storage
+
+Bringing you own storage for content in often used in Functions where [content storage](./../azure-functions/configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network) is configured as part of the Functions app.
+
+To route content storage traffic through the virtual network integration, you need to add an app setting named `WEBSITE_CONTENTOVERVNET` with the value `1`. In addition to adding the app setting, you must also ensure that any firewall or Network Security Group configured on traffic from the subnet allow traffic to port 443 and 445.
+
+##### Container image pull
+
+When using custom containers for Linux, you can pull the container over the virtual network integration. To route the container pull traffic through the virtual network integration, you must add an app setting named `WEBSITE_PULL_IMAGE_OVER_VNET` with the value `true`.
+
 #### Network routing
 
 You can use route tables to route outbound traffic from your app to wherever you want. Route tables affect your destination traffic. When **Route All** is disabled in [application routing](#application-routing), only private traffic (RFC1918) is affected by your route tables. Common destinations can include firewall devices or gateways. Routes that are set on your integration subnet won't affect replies to inbound app requests.