Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr

Author: siddomala

.github/workflows/stale.yml

@@ -23,11 +23,11 @@ jobs:
         # start-date: '2021-03-19'
         stale-pr-message: >
           This pull request has been inactive for at least 14 days.
-          If you are finished with your changes, don't forget to sign off. See the [contributor guide](https://review.docs.microsoft.com/help/contribute/contribute-how-to-write-pull-request-automation?branch=main) for instructions.
+          If you are finished with your changes, don't forget to sign off. See the [contributor guide](https://review.learn.microsoft.com/help/contribute/contribute-how-to-write-pull-request-automation?branch=main) for instructions.
                     
-          [Get Help](https://review.docs.microsoft.com/help/contribute/help-options?branch=main)  
+          [Get Help](https://review.learn.microsoft.com/help/contribute/help-options?branch=main)  
           
           [Docs Support Teams Channel](https://teams.microsoft.com/l/channel/19%3a7ecffca1166a4a3986fed528cf0870ee%40thread.skype/General?groupId=de9ddba4-2574-4830-87ed-41668c07a1ca&tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47)  
           
-          [Resolve Merge Conflict](https://review.docs.microsoft.com/help/contribute/resolve-merge-conflicts?branch=main)  
+          [Resolve Merge Conflict](https://review.learn.microsoft.com/help/contribute/resolve-merge-conflicts?branch=main)  
         

.openpublishing.redirection.json

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 06/20/2022
+ms.date: 09/21/2022
 ms.author: justinha
 
 ---
@@ -108,14 +108,21 @@ The following sections cover network security groups and Inbound and Outbound po
 
 ### Inbound connectivity
 
-The following network security group Inbound rules are required for the managed domain to provide authentication and management services. Don't edit or delete these network security group rules for the virtual network subnet your managed domain is deployed into.
+The following network security group Inbound rules are required for the managed domain to provide authentication and management services. Don't edit or delete these network security group rules for the virtual network subnet for your managed domain.
 
 | Inbound port number | Protocol | Source                             | Destination | Action | Required | Purpose |
 |:-----------:|:--------:|:----------------------------------:|:-----------:|:------:|:--------:|:--------|
 | 5986        | TCP      | AzureActiveDirectoryDomainServices | Any         | Allow  | Yes      | Management of your domain. |
 | 3389        | TCP      | CorpNetSaw                         | Any         | Allow  | Optional      | Debugging for support. |
 
-An Azure standard load balancer is created that requires these rules to be place. This network security group secures Azure AD DS and is required for the managed domain to work correctly. Don't delete this network security group. The load balancer won't work correctly without it.
+Azure AD DS also relies on the Default Security rules AllowVnetInBound and AllowAzureLoadBalancerInBound.
+
+:::image type="content" border="true" source="./media/network-considerations/nsg.png" alt-text="Screenshot of network security group rules.":::
+
+The AllowVnetInBound rule allows all traffic within the VNet which allows the DCs to properly communicate and replicate as well as allow domain join and other domain services to domain members. For more information about required ports for Windows, see [Service overview and network port requirements for Windows](/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements).
+
+
+The AllowAzureLoadBalancerInBound rule is also required so that the service can properly communicate over the loadbalancer to manage the DCs. This network security group secures Azure AD DS and is required for the managed domain to work correctly. Don't delete this network security group. The load balancer won't work correctly without it. 
 
 If needed, you can [create the required network security group and rules using Azure PowerShell](powershell-create-instance.md#create-a-network-security-group).
 

articles/active-directory-domain-services/media/network-considerations/nsg.png

@@ -230,10 +230,11 @@ Use the **Activity triggers** dashboard to view information and set alerts and t
 -   **Group entitlements and Usage reports:** Provides guidance on cleaning up directly assigned permissions
 -   **Access Key Entitlements and Usage reports**: Identifies high risk service principals with old secrets that haven’t been rotated every 90 days (best practice) or decommissioned due to lack of use (as recommended by the Cloud Security Alliance).
 
-## Next Steps
-For more information about Permissions Management, see:                     
-                     
-**Microsoft Docs**: [Visit Docs](../cloud-infrastructure-entitlement-management/index.yml).
+## Next steps
+
+For more information about Permissions Management, see:
+
+**Microsoft Learn**: [Permissions management](../cloud-infrastructure-entitlement-management/index.yml).
 
 **Datasheet:** <https://aka.ms/PermissionsManagementDataSheet>
 

articles/active-directory-domain-services/network-considerations.md

@@ -195,7 +195,7 @@ The following are known limitations:
 
 ### Scoping filter
 When using OU scoping filter
-- You can only sync up to 59 separate OUs for a given configuration. 
+- You can only sync up to 59 separate OUs or Security Groups for a given configuration. 
 - Nested OUs are supported (that is, you **can** sync an OU that has 130 nested OUs, but you **cannot** sync 60 separate OUs in the same configuration). 
 
 ### Password Hash Sync

articles/active-directory/cloud-infrastructure-entitlement-management/permissions-management-trial-playbook.md

@@ -105,11 +105,22 @@ When these conditions are met, the app can extract the claims challenge from the
 
 ```javascript
 const authenticateHeader = response.headers.get('www-authenticate');
-const claimsChallenge = authenticateHeader
-        .split(' ')
-        .find((entry) => entry.includes('claims='))
-        .split('claims="')[1]
-        .split('",')[0];
+const claimsChallenge = parseChallenges(authenticateHeader).claims;
+
+// ...
+
+function parseChallenges(header) {
+    const schemeSeparator = header.indexOf(' ');
+    const challenges = header.substring(schemeSeparator + 1).split(',');
+    const challengeMap = {};
+
+    challenges.forEach((challenge) => {
+        const [key, value] = challenge.split('=');
+        challengeMap[key.trim()] = window.decodeURI(value.replace(/['"]+/g, ''));
+    });
+
+    return challengeMap;
+}
 ```
 
 Your app would then use the claims challenge to acquire a new access token for the resource.
@@ -118,22 +129,19 @@ Your app would then use the claims challenge to acquire a new access token for t
 let tokenResponse;
 
 try {
-
     tokenResponse = await msalInstance.acquireTokenSilent({
-                    claims: window.atob(claimsChallenge), // decode the base64 string
-                    scopes: scopes,  // e.g ['User.Read', 'Contacts.Read']
-                    account: account, // current active account
-                });
+        claims: window.atob(claimsChallenge), // decode the base64 string
+        scopes: scopes,  // e.g ['User.Read', 'Contacts.Read']
+        account: account, // current active account
+    });
 
 } catch (error) {
-
      if (error instanceof InteractionRequiredAuthError) {
-
         tokenResponse = await msalInstance.acquireTokenPopup({
-                        claims: window.atob(claimsChallenge), // decode the base64 string
-                        scopes: scopes, // e.g ['User.Read', 'Contacts.Read']
-                        account: account, // current active account
-                    });
+            claims: window.atob(claimsChallenge), // decode the base64 string
+            scopes: scopes, // e.g ['User.Read', 'Contacts.Read']
+            account: account, // current active account
+        });
     }
 
 }

articles/active-directory/cloud-sync/how-to-prerequisites.md

@@ -31,8 +31,8 @@ Confirm-DnsConnectivity [-Forest] <String> [-DCs] <Array> [-ReturnResultAsPSObje
 ### DESCRIPTION
 
 Runs local Dns connectivity tests.
-In order to configure the Active Directory connector, user must have both name resolutionthe 
-for the forest they is attempting to connect to as well as in the domain controllers
+In order to configure the Active Directory connector, AADConnect server must have both name resolution 
+for the forest it's attempting to connect to as well as to the domain controllers
 associated to this forest.
 
 ### EXAMPLES

articles/active-directory/develop/app-resilience-continuous-access-evaluation.md

@@ -33,7 +33,7 @@ To complete this quickstart, you need an Azure account with an active subscripti
 
      :::image type="content" source="./media/quickstart-wordpress/04-wordpress-basics-project-details.png?text=Azure portal WordPress Project Details" alt-text="Screenshot of WordPress project details.":::
 
-1. Under **Hosting details**, type a globally unique name for your web app and choose **Linux** for **Operating System**. Select **Basic** for **Hosting plan**. Select **Compare plans** to view features and price comparisons. See the table below for app and database SKUs for given hosting plans. You can view [hosting plans details in the announcement](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/announcing-the-general-availability-of-wordpress-on-azure-app/ba-p/3593481). For pricing, visit [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/linux/) and [Azure Database for MySQL pricing](https://azure.microsoft.com/pricing/details/mysql/flexible-server/). 
+1. Under **Hosting details**, type a globally unique name for your web app and choose **Linux** for **Operating System**. Select **Basic** for **Hosting plan**. Select **Compare plans** to view features and price comparisons.
 
      :::image type="content" source="./media/quickstart-wordpress/05-wordpress-basics-instance-details.png?text=WordPress basics instance details" alt-text="Screenshot of WordPress instance details.":::
 

articles/active-directory/hybrid/reference-connect-adconnectivitytools.md

@@ -4,7 +4,7 @@ description: "This article provides a conceptual overview of GitOps in Azure for
 keywords: "GitOps, Flux, Kubernetes, K8s, Azure, Arc, AKS, Azure Kubernetes Service, containers, devops"
 services: azure-arc, aks
 ms.service: azure-arc
-ms.date: 5/26/2022
+ms.date: 9/22/2022
 ms.topic: conceptual
 ---
 
@@ -94,6 +94,12 @@ For more information on private link scopes in Azure Arc, refer to [this documen
 ## Data residency
 The Azure GitOps service (Azure Kubernetes Configuration Management) stores/processes customer data. By default, customer data is replicated to the paired region. For the regions Singapore, East Asia, and Brazil South, all customer data is stored and processed in the region.
 
+## Apply Flux configurations at scale
+
+Because Azure Resource Manager manages your configurations, you can automate creating the same configuration across all Azure Kubernetes Service and Azure Arc-enabled Kubernetes resources using Azure Policy, within the scope of a subscription or a resource group. This at-scale enforcement ensures that specific configurations will be applied consistently across entire groups of clusters.
+
+[Learn how to use the built-in policies for Flux v2](./use-azure-policy-flux-2.md).
+
 ## Next steps
 
 Advance to the next tutorial to learn how to enable GitOps on your AKS or Azure Arc-enabled Kubernetes clusters