Merge pull request #186150 from MicrosoftDocs/master

1/25 AM Publish

Author: huypub

articles/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md

@@ -53,6 +53,10 @@ You must also meet the following system requirements:
     - [Windows Server 2016](https://support.microsoft.com/help/4534307/windows-10-update-kb4534307)
     - [Windows Server 2019](https://support.microsoft.com/help/4534321/windows-10-update-kb4534321)
 
+- Have the credentials required to complete the steps in the scenario:
+    - An Active Directory user who is a member of the Domain Admins group for a domain and a member of the Enterprise Admins group for a forest. Referred to as **$domainCred**.
+    - An Azure Active Directory user who is a member of the Global Administrators role. Referred to as **$cloudCred**.
+ 
 ### Supported scenarios
 
 The scenario in this article supports SSO in both of the following instances:
@@ -108,10 +112,10 @@ Run the following steps in each domain and forest in your organization that cont
    $domain = "contoso.corp.com"
 
    # Enter an Azure Active Directory global administrator username and password.
-   $cloudCred = Get-Credential
+   $cloudCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group for a domain and a member of the Enterprise Admins group for a forest.'
 
    # Enter a domain administrator username and password.
-   $domainCred = Get-Credential
+   $domainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.'
 
    # Create the new Azure AD Kerberos Server object in Active Directory
    # and then publish it to Azure Active Directory.

articles/active-directory/cloud-sync/what-is-cloud-sync.md

@@ -1,25 +1,25 @@
 ---
-title: 'What is Azure AD Connect cloud sync. | Microsoft Docs'
+title: 'What is Azure AD Connect cloud sync? | Microsoft Docs'
 description: Describes Azure AD Connect cloud sync.
 services: active-directory
 author: billmath
 manager: karenhoran
 ms.service: active-directory
 ms.workload: identity
 ms.topic: overview
-ms.date: 10/07/2021
+ms.date: 01/25/2022
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
 # What is Azure AD Connect cloud sync?
-Azure AD Connect cloud sync is new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups and contacts to Azure AD.  It accomplishes this by using the Azure AD cloud provisioning agent instead of the Azure AD Connect application.  However, it can be used alongside Azure AD Connect sync and it provides the following benefits:
+Azure AD Connect cloud sync is new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Azure AD.  It accomplishes this by using the Azure AD cloud provisioning agent instead of the Azure AD Connect application.  However, it can be used alongside Azure AD Connect sync and it provides the following benefits:
 
 - Support for synchronizing to an Azure AD tenant from a multi-forest disconnected Active Directory forest environment: The common scenarios include merger & acquisition (where the acquired company's AD forests are isolated from the parent company's AD forests), and companies that have historically had multiple AD forests.
 - Simplified installation with light-weight provisioning agents: The agents act as a bridge from AD to Azure AD, with all the sync configuration managed in the cloud. 
 - Multiple provisioning agents can be used to simplify high availability deployments, particularly critical for organizations relying upon password hash synchronization from AD to Azure AD.
-- Support for large groups with up to 50K members. It is recommended to use only the OU scoping filter when synchronizing large groups.
+- Support for large groups with up to 50,000 members. It's recommended to use only the OU scoping filter when synchronizing large groups.
 
 ![What is Azure AD Connect](media/what-is-cloud-sync/architecture-1.png)
 
@@ -66,13 +66,14 @@ The following table provides a comparison between Azure AD Connect and Azure AD
 | Support for password writeback |● |● |
 | Support for device writeback|● | |
 | Support for group writeback|● | |
+| Support for merging user attributes from multiple domains|● | |
 | Azure AD Domain Services support|● | |
 | [Exchange hybrid writeback](../hybrid/reference-connect-sync-attributes-synchronized.md#exchange-hybrid-writeback) |● | |
 | Unlimited number of objects per AD domain |● | |
 | Support for up to 150,000 objects per AD domain |● |● |
 | Groups with up to 50,000 members |● |● |
 | Large groups with up to 250,000 members |● |  |
-| Cross domain references|● | |
+| Cross domain references|● |● |
 | On-demand provisioning|● |● |
 | Support for US Government|● |● |
 

articles/active-directory/develop/msal-net-client-assertions.md

@@ -71,36 +71,44 @@ jti | (a Guid) | The "jti" (JWT ID) claim provides a unique identifier for the J
 nbf | 1601519114 | The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. [RFC 7519, Section 4.1.5](https://tools.ietf.org/html/rfc7519#section-4.1.5).  Using the current time is appropriate. 
 sub | {ClientID} | The "sub" (subject) claim identifies the subject of the JWT, in this case also your application. Use the same value as `iss`. 
 
-Here is an example of how to craft these claims:
+If you use a certificate as a client secret, the certificate must be deployed safely. We recommend that you store the certificate in a secure spot supported by the platform, such as in the certificate store on Windows or by using Azure Key Vault.
+
+Here's an example of how to craft these claims:
 
 ```csharp
-private static IDictionary<string, string> GetClaims()
+using System.Collections.Generic;
+private static IDictionary<string, object> GetClaims(string tenantId, string clientId)
 {
-      //aud = https://login.microsoftonline.com/ + Tenant ID + /v2.0
-      string aud = $"https://login.microsoftonline.com/{tenantId}/v2.0";
-
-      string ConfidentialClientID = "00000000-0000-0000-0000-000000000000" //client id
-      const uint JwtToAadLifetimeInSeconds = 60 * 10; // Ten minutes
-      DateTime validFrom = DateTime.UtcNow;
-      var nbf = ConvertToTimeT(validFrom);
-      var exp = ConvertToTimeT(validFrom + TimeSpan.FromSeconds(JwtToAadLifetimeInSeconds));
-
-      return new Dictionary<string, string>()
-           {
-                { "aud", aud },
-                { "exp", exp.ToString() },
-                { "iss", ConfidentialClientID },
-                { "jti", Guid.NewGuid().ToString() },
-                { "nbf", nbf.ToString() },
-                { "sub", ConfidentialClientID }
-            };
+    //aud = https://login.microsoftonline.com/ + Tenant ID + /v2.0
+    string aud = $"https://login.microsoftonline.com/{tenantId}/v2.0";
+
+    string ConfidentialClientID = clientId; //client id 00000000-0000-0000-0000-000000000000
+    const uint JwtToAadLifetimeInSeconds = 60 * 10; // Ten minutes
+    DateTimeOffset validFrom = DateTimeOffset.UtcNow;
+    DateTimeOffset validUntil = validFrom.AddSeconds(JwtToAadLifetimeInSeconds);
+
+    return new Dictionary<string, object>()
+    {
+        { "aud", aud },
+        { "exp", validUntil.ToUnixTimeSeconds() },
+        { "iss", ConfidentialClientID },
+        { "jti", Guid.NewGuid().ToString() },
+        { "nbf", validFrom.ToUnixTimeSeconds() },
+        { "sub", ConfidentialClientID }
+    };
 }
 ```
 
-Here is how to craft a signed client assertion:
+Here's how to craft a signed client assertion:
 
 ```csharp
-string Encode(byte[] arg)
+using System.Collections.Generic;
+using System.Security.Cryptography.X509Certificates;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
+...
+static string Base64UrlEncode(byte[] arg)
 {
     char Base64PadCharacter = '=';
     char Base64Character62 = '+';
@@ -116,30 +124,28 @@ string Encode(byte[] arg)
     return s;
 }
 
-string GetSignedClientAssertion()
+static string GetSignedClientAssertion(X509Certificate2 certificate, string tenantId, string clientId)
 {
-    //Signing with SHA-256
-    string rsaSha256Signature = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
-     X509Certificate2 certificate = new X509Certificate2("Certificate.pfx", "Password", X509KeyStorageFlags.EphemeralKeySet);
-
-    //Create RSACryptoServiceProvider
-    var x509Key = new X509AsymmetricSecurityKey(certificate);
-    var privateKeyXmlParams = certificate.PrivateKey.ToXmlString(true);
-    var rsa = new RSACryptoServiceProvider();
-    rsa.FromXmlString(privateKeyXmlParams);
+    // Get the RSA with the private key, used for signing.
+    var rsa = certificate.GetRSAPrivateKey();
 
     //alg represents the desired signing algorithm, which is SHA-256 in this case
-    //kid represents the certificate thumbprint
+    //x5t represents the certificate thumbprint base64 url encoded
     var header = new Dictionary<string, string>()
-         {
-              { "alg", "RS256"},
-              { "kid", Encode(certificate.GetCertHash()) }
-         };
+    {
+        { "alg", "RS256"},
+        { "typ", "JWT" },
+        { "x5t", Base64UrlEncode(certificate.GetCertHash()) }
+    };
 
     //Please see the previous code snippet on how to craft claims for the GetClaims() method
-    string token = Encode(Encoding.UTF8.GetBytes(JObject.FromObject(header).ToString())) + "." + Encode(Encoding.UTF8.GetBytes(JObject.FromObject(GetClaims()).ToString()));
+    var claims = GetClaims(tenantId, clientId);
 
-    string signature = Encode(rsa.SignData(Encoding.UTF8.GetBytes(token), new SHA256Cng()));
+    var headerBytes = JsonSerializer.SerializeToUtf8Bytes(header);
+    var claimsBytes = JsonSerializer.SerializeToUtf8Bytes(claims);
+    string token = Base64UrlEncode(headerBytes) + "." + Base64UrlEncode(claimsBytes);
+
+    string signature = Base64UrlEncode(rsa.SignData(Encoding.UTF8.GetBytes(token), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
     string signedClientAssertion = string.Concat(token, ".", signature);
     return signedClientAssertion;
 }
@@ -150,10 +156,8 @@ string GetSignedClientAssertion()
 You also have the option of using [Microsoft.IdentityModel.JsonWebTokens](https://www.nuget.org/packages/Microsoft.IdentityModel.JsonWebTokens/) to create the assertion for you. The code will be a more elegant as shown in the example below:
 
 ```csharp
-        string GetSignedClientAssertion()
+        string GetSignedClientAssertionAlt(X509Certificate2 certificate)
         {
-            var cert = new X509Certificate2("Certificate.pfx", "Password", X509KeyStorageFlags.EphemeralKeySet);
-
             //aud = https://login.microsoftonline.com/ + Tenant ID + /v2.0
             string aud = $"https://login.microsoftonline.com/{tenantID}/v2.0";
 
@@ -172,7 +176,7 @@ You also have the option of using [Microsoft.IdentityModel.JsonWebTokens](https:
             var securityTokenDescriptor = new SecurityTokenDescriptor
             {
                 Claims = claims,
-                SigningCredentials = new X509SigningCredentials(cert)
+                SigningCredentials = new X509SigningCredentials(certificate)
             };
 
             var handler = new JsonWebTokenHandler();
@@ -183,7 +187,10 @@ You also have the option of using [Microsoft.IdentityModel.JsonWebTokens](https:
 Once you have your signed client assertion, you can use it with the MSAL apis as shown below.
 
 ```csharp
-            string signedClientAssertion = GetSignedClientAssertion();
+            X509Certificate2 certificate = ReadCertificate(config.CertificateName);
+            string signedClientAssertion = GetSignedClientAssertion(certificate, tenantId, ConfidentialClientID)
+            // OR
+            //string signedClientAssertion = GetSignedClientAssertionAlt(certificate);
 
             var confidentialApp = ConfidentialClientApplicationBuilder
                 .Create(ConfidentialClientID)

articles/active-directory/fundamentals/security-operations-privileged-accounts.md

@@ -198,7 +198,7 @@ You can monitor privileged account changes by using Azure AD Audit logs and Azur
 
 | What to monitor| Risk level| Where| Filter/subfilter| Notes |
 | - | - | - | - | - |
-| Added to eligible privileged role| High| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = ​<br>-and-<br>Activity type = Add member to role completed (eligible)<br>-and-<br>Status = Success or failure​<br>-and-<br>Modified properties = Role.DisplayName| Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml) |
+| Added to eligible privileged role| High| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role management​<br>-and-<br>Activity type = Add member to role completed (eligible)<br>-and-<br>Status = Success or failure​<br>-and-<br>Modified properties = Role.DisplayName| Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml) |
 | Roles assigned out of PIM| High| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role management​<br>-and-<br>Activity type = Add member to role (permanent)<br>-and-<br>Status = Success or failure<br>-and-<br>Modified properties = Role.DisplayName| These roles should be closely monitored and alerted. Users shouldn't be assigned roles outside of PIM where possible.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivlegedRoleAssignedOutsidePIM.yaml) |
 | Elevations| Medium| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role management<br>-and-<br>Activity type = Add member to role completed (PIM activation)<br>-and-<br>Status = Success or failure <br>-and-<br>Modified properties = Role.DisplayName| After a privileged account is elevated, it can now make changes that could affect the security of your tenant. All elevations should be logged and, if happening outside of the standard pattern for that user, should be alerted and investigated if not planned. |
 | Approvals and deny elevation| Low| Azure AD Audit Logs| Service = Access Review<br>-and-<br>Category = UserManagement<br>-and-<br>Activity type = Request approved or denied<br>-and-<br>Initiated actor = UPN| Monitor all elevations because it could give a clear indication of the timeline for an attack.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PIMElevationRequestRejected.yaml) |

articles/active-directory/manage-apps/f5-big-ip-headers-easy-button.md

@@ -84,7 +84,7 @@ Prior BIG-IP experience isn’t necessary, but you’ll need:
 
 * An existing header-based application or [setup a simple IIS header app](/previous-versions/iis/6.0-sdk/ms525396(v=vs.90)) for testing
 
-## Big-IP configuration methods
+## BIG-IP configuration methods
 
 There are many methods to deploy BIG-IP for this scenario including a template-driven Guided Configuration, or an advanced configuration. This tutorial covers the Easy Button templates offered by the Guided Configuration 16.1 and upwards.
 

articles/active-directory/saas-apps/pendo-tutorial.md

@@ -70,8 +70,8 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
 
 1. On the **Set-up single sign-on with SAML** page, perform the following steps:
 
-    a. In the **Identifier** text box, type a URL using the following pattern:
-    `https://sso.connect.pingidentity.com/<CUSTOM_GUID>`
+    a. In the **Identifier** text box, enter `PingConnect`. (If this identifier is already used by another application, contact the [Pendo support team](mailto:[email protected]).)
+    
 
     b. In the **Relay State** text box, type a URL using the following pattern:
     `https://pingone.com/1.0/<CUSTOM_GUID>`

articles/aks/use-managed-identity.md

@@ -2,7 +2,7 @@
 title: Use managed identities in Azure Kubernetes Service
 description: Learn how to use managed identities in Azure Kubernetes Service (AKS)
 ms.topic: article
-ms.date: 05/12/2021
+ms.date: 01/25/2022
 ---
 
 # Use managed identities in Azure Kubernetes Service
@@ -91,6 +91,9 @@ az aks update -g <RGName> -n <AKSName> --enable-managed-identity
 >
 > The Azure CLI will ensure your addon's permission is correctly set after migrating, if you're not using the Azure CLI to perform the migrating operation, you will need to handle the addon identity's permission by yourself. Here is one example using [ARM](../role-based-access-control/role-assignments-template.md). 
 
+> [!WARNING]
+> Nodepool upgrade will cause downtime for your AKS cluster as the nodes in the nodepools will be cordoned/drained and then reimaged.
+
 ## Obtain and use the system-assigned managed identity for your AKS cluster
 
 Confirm your AKS cluster is using managed identity with the following CLI command:

articles/api-management/zone-redundancy.md

@@ -5,7 +5,7 @@ author: dlepow
 
 ms.service: api-management
 ms.topic: how-to
-ms.date: 08/11/2021
+ms.date: 01/24/2022
 ms.author: danlep
 ms.custom: references_regions
 
@@ -28,6 +28,7 @@ Configuring API Management for zone redundancy is currently supported in the fol
 * Canada Central
 * Central India (*)
 * Central US
+* East Asia
 * East US
 * East US 2
 * France Central