Merge pull request #234312 from MicrosoftDocs/main

4/12/2023 PM Publish

Author: Taojunshen

articles/active-directory-b2c/media/azure-ad-b2c-global-identity-regional-design/traveling-user-sign-in.png

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 04/11/2023
+ms.date: 04/12/2023
 ms.author: kenwith
 ms.reviewer: arvinh
 ---
@@ -57,7 +57,7 @@ This article uses the following terms:
 
 * Target system - The repository of users that the Azure AD provisions to. The Target system is typically a SaaS application such as ServiceNow, Zscaler, and Slack. The target system can also be an on-premises system such as AD.
 
-* [System for Cross-domain Identity Management (SCIM)](https://aka.ms/scimoverview) -  An open standard that allows for the automation of user provisioning. SCIM communicates user identity data between identity providers such as Microsoft, and service providers like Salesforce or other SaaS apps that require user identity information.
+* [System for Cross-domain Identity Management (SCIM)](https://aka.ms/scimoverview) -  An open standard that allows for the automation of user provisioning. SCIM communicates user identity data between identity providers and service providers. Microsoft is an example of an identity provider. Salesforce is an example of a service provider. Service providers require user identity information and an identity provider fulfills that need. SCIM is the mechanism the identity provider and service provider use to send information back and forth.
 
 ### Training resources
 
@@ -128,7 +128,7 @@ When technology projects fail, it's typically because of mismatched expectations
 
 ### Plan communications
 
-Communication is critical to the success of any new service. Proactively communicate with your users how their experience will change, when it will change, and how to gain support if they experience issues.
+Communication is critical to the success of any new service. Proactively communicate to your users about their experience, how the experience is changing, when to expect any change, and how to gain support if they experience issues.
 
 ### Plan a pilot
 
@@ -140,7 +140,7 @@ A pilot allows you to test with a small group before deploying a capability for
 
 In your first wave, target IT, usability, and other appropriate users who can test and provide feedback. Use this feedback to further develop the communications and instructions you send to your users, and to give insights into the types of issues your support staff may see.
 
-Widen the rollout to larger groups of users by increasing the scope of the group(s) targeted. This can be done through [dynamic group membership](../enterprise-users/groups-dynamic-membership.md), or by manually adding users to the targeted group(s).
+Widen the rollout to larger groups of users by increasing the scope of the group(s) targeted. Increasing the scope of the group(s) is done through [dynamic group membership](../enterprise-users/groups-dynamic-membership.md), or by manually adding users to the targeted group(s).
 
 ## Plan application connections and administration
 
@@ -150,7 +150,7 @@ Use the Azure portal to view and manage all the applications that support provis
 
 The actual steps required to enable and configure automatic provisioning vary depending on the application. If the application you wish to automatically provision is listed in the [Azure AD SaaS app gallery](../saas-apps/tutorial-list.md), then you should select the [app-specific integration tutorial](../saas-apps/tutorial-list.md) to configure its pre-integrated user provisioning connector.
 
-If not, follow the steps below:
+If not, follow the steps:
 
 1. [Create a request](../manage-apps/v2-howto-app-gallery-listing.md) for a pre-integrated user provisioning connector. Our team will work with you and the application developer to onboard your application to our platform if it supports SCIM.
 
@@ -164,7 +164,7 @@ For more information, see [What applications and systems can I use with Azure AD
 
 Setting up automatic user provisioning is a per-application process. For each application, you need to provide [administrator credentials](../app-provisioning/configure-automatic-user-provisioning-portal.md) to connect to the target system’s user management endpoint.
 
-The image below shows one version of the required admin credentials:
+The image shows one version of the required admin credentials:
 
 ![Provisioning screen to manage user account provisioning settings](./media/plan-auto-user-provisioning/userprovisioning-admincredentials.png)
 
@@ -235,7 +235,7 @@ It's common for a security review to be required as part of a deployment. If you
 
 ### Plan rollback
 
-If the automatic user provisioning implementation fails to work as desired in the production environment, the following rollback steps below can assist you in reverting to a previous known good state:
+If the automatic user provisioning implementation fails to work as desired in the production environment, the following rollback steps can assist you in reverting to a previous known good state:
 
 1. Review the [provisioning logs](../app-provisioning/check-status-user-account-provisioning.md) to determine what incorrect operations occurred on the affected users and/or groups.
 

articles/active-directory/app-provisioning/plan-auto-user-provisioning.md

@@ -107,9 +107,10 @@ As part of enrolling users to use Microsoft Authenticator as a second factor, we
 Microsoft Identity Manager (MIM) SSPR can use MFA Server to invoke SMS one-time passcodes as part of the password reset flow. 
 MIM can't be configured to use Azure AD Multi-Factor Authentication. 
 We recommend you evaluate moving your SSPR service to Azure AD SSPR.
-
 You can use the opportunity of users registering for Azure AD Multi-Factor Authentication to use the combined registration experience to register for Azure AD SSPR.
 
+If you can't move your SSPR service, or you leverage MFA Server to invoke MFA requests for Privileged Access Management (PAM) scenarios, we recommend you update to an [alternate 3rd party MFA option](https://learn.microsoft.com/microsoft-identity-manager/working-with-custommfaserver-for-mim).
+
 ### RADIUS clients and Azure AD Multi-Factor Authentication
 
 MFA Server supports RADIUS to invoke multifactor authentication for applications and network devices that support the protocol. 

articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa.md

@@ -387,7 +387,7 @@ You can further restrict permissions by assigning roles at smaller scopes or by
 > | Create user | [User Administrator](permissions-reference.md#user-administrator) |  |
 > | Delete users | [User Administrator](permissions-reference.md#user-administrator) |  |
 > | Invalidate refresh tokens of limited admins | [User Administrator](permissions-reference.md#user-administrator) |  |
-> | Invalidate refresh tokens of non-admins | [Password Administrator](permissions-reference.md#password-administrator) | [User Administrator](permissions-reference.md#user-administrator) |
+> | Invalidate refresh tokens of non-admins | [Helpdesk Administrator](permissions-reference.md#helpdesk-administrator) | [User Administrator](permissions-reference.md#user-administrator) |
 > | Invalidate refresh tokens of privileged admins | [Privileged Authentication Administrator](permissions-reference.md#privileged-authentication-administrator) |  |
 > | Read basic configuration | [Default user role](../fundamentals/users-default-permissions.md) |  |
 > | Reset password for limited admins | [User Administrator](permissions-reference.md#user-administrator) |  |

articles/active-directory/roles/delegate-by-task.md

@@ -544,6 +544,8 @@
               href: dapr-settings.md
             - name: Migrate from Dapr OSS to the Dapr extension
               href: dapr-migration.md
+            - name: Deploy and run workflows with the Dapr extension
+              href: dapr-workflow.md
             - name: Troubleshoot the Dapr extension
               href: dapr-troubleshooting.md
         - name: Use GitOps

articles/aks/TOC.yml

@@ -0,0 +1,204 @@
+---
+title: Deploy and run workflows with the Dapr extension for Azure Kubernetes Service (AKS)
+description: Learn how to deploy and run Dapr Workflow on your Azure Kubernetes Service (AKS) clusters via the Dapr extension.
+author: hhunter-ms
+ms.author: hannahhunter
+ms.reviewer: nuversky
+ms.service: azure-kubernetes-service
+ms.topic: article
+ms.date: 04/05/2023
+ms.custom: devx-track-azurecli
+---
+
+# Deploy and run workflows with the Dapr extension for Azure Kubernetes Service (AKS)
+
+With Dapr Workflow, you can easily orchestrate messaging, state management, and failure-handling logic across various microservices. Dapr Workflow can help you create long-running, fault-tolerant, and stateful applications.  
+
+In this guide, you use the [provided order processing workflow example][dapr-workflow-sample] to:
+
+> [!div class="checklist"]
+> - Create an Azure Container Registry and an AKS cluster for this sample.
+> - Install the Dapr extension on your AKS cluster.
+> - Deploy the sample application to AKS. 
+> - Start and query workflow instances using HTTP API calls.
+
+The workflow example is an ASP.NET Core project with:
+- A [`Program.cs` file][dapr-program] that contains the setup of the app, including the registration of the workflow and workflow activities.
+- Workflow definitions found in the [`Workflows` directory][dapr-workflow-dir].
+- Workflow activity definitions found in the [`Activities` directory][dapr-activities-dir].
+
+> [!NOTE]
+> Dapr Workflow is currently an [alpha][dapr-workflow-alpha] feature and is on a self-service, opt-in basis. Alpha Dapr APIs and components are provided "as is" and "as available," and are continually evolving as they move toward stable status. Alpha APIs and components are not covered by customer support.
+
+## Prerequisites
+
+- An [Azure subscription](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) with Owner or Admin role.
+- The latest version of the [Azure CLI][install-cli]
+- Latest [Docker][docker]
+- Latest [Helm][helm]
+
+## Set up the environment
+
+### Clone the sample project
+
+Clone the example workflow application. 
+
+```sh
+git clone https://github.com/Azure/dapr-workflows-aks-sample.git
+```
+
+Navigate to the sample's root directory.
+
+```sh
+cd dapr-workflows-aks-sample
+```
+
+### Create a Kubernetes cluster
+
+Create a resource group to hold the AKS cluster.
+
+```sh
+az group create --name myResourceGroup --location eastus
+```
+
+Create an AKS cluster.
+
+```sh
+az aks create --resource-group myResourceGroup --name myAKSCluster --node-count 2 --generate-ssh-keys 
+```
+
+[Make sure `kubectl` is installed and pointed to your AKS cluster.][kubectl] If you use [the Azure Cloud Shell][az-cloud-shell], `kubectl` is already installed. 
+
+For more information, see the [Deploy an AKS cluster][cluster] tutorial.
+
+## Deploy the application to AKS
+
+### Install Dapr on your AKS cluster
+
+Install the Dapr extension on your AKS cluster. Before you start, make sure you've:
+- [Installed or updated the `k8s-extension`][k8s-ext]. 
+- [Registered the `Microsoft.KubernetesConfiguration` service provider][k8s-sp]
+
+```sh
+az k8s-extension create --cluster-type managedClusters --cluster-name myAKSCluster --resource-group myResourceGroup --name dapr --extension-type Microsoft.Dapr
+```
+
+Verify Dapr has been installed by running the following command:
+
+```sh
+kubectl get pods -A
+```
+
+### Deploy the Redis Actor state store component
+
+Navigate to the `Deploy` directory in your forked version of the sample:
+
+```sh
+cd Deploy
+```
+
+Deploy the Redis component:
+
+```sh
+helm repo add bitnami https://charts.bitnami.com/bitnami
+helm install redis bitnami/redis
+kubectl apply -f redis.yaml
+```
+
+### Run the application
+
+Once you've deployed Redis, deploy the application to AKS:
+
+```sh
+kubectl apply -f deployment.yaml
+```
+
+Expose the Dapr sidecar and the sample app:
+
+```sh
+kubectl apply -f service.yaml
+export APP_URL=$(kubectl get svc/workflows-sample -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+export DAPR_URL=$(kubectl get svc/workflows-sample-dapr -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+```
+
+Verify that the above commands were exported:
+
+```sh
+echo $APP_URL
+echo $DAPR_URL
+```
+
+## Start the workflow
+
+Now that the application and Dapr have been deployed to the AKS cluster, you can now start and query workflow instances. Begin by making an API call to the sample app to restock items in the inventory:
+
+```sh
+curl -X GET $APP_URL/stock/restock
+```
+
+Start the workflow:
+
+```sh
+curl -X POST $DAPR_URL/v1.0-alpha1/workflows/dapr/OrderProcessingWorkflow/1234/start \
+  -H "Content-Type: application/json" \
+  -d '{ "input" : {"Name": "Paperclips", "TotalCost": 99.95, "Quantity": 1}}'
+```
+
+Expected output:
+
+```json
+{"instance_id":"1234"}
+```
+
+Check the workflow status:
+
+```sh
+curl -X GET $DAPR_URL/v1.0-alpha1/workflows/dapr/OrderProcessingWorkflow/1234
+```
+
+Expected output:
+
+```json
+{
+  "WFInfo":
+    {
+      "instance_id":"1234"
+    },
+    "start_time":"2023-03-03T19:19:16Z",
+    "metadata":
+    {
+      "dapr.workflow.custom_status":"",
+      "dapr.workflow.input":"{\"Name\":\"Paperclips\",\"Quantity\":1,\"TotalCost\":99.95}",
+      "dapr.workflow.last_updated":"2023-03-03T19:19:33Z",
+      "dapr.workflow.name":"OrderProcessingWorkflow",
+      "dapr.workflow.output":"{\"Processed\":true}",
+      "dapr.workflow.runtime_status":"COMPLETED"
+    }
+}
+```
+
+Notice that the workflow status is marked as completed.
+
+## Next steps
+
+[Learn how to add configuration settings to the Dapr extension on your AKS cluster][dapr-config].
+
+<!-- Links Internal -->
+[deploy-cluster]: ./tutorial-kubernetes-deploy-cluster.md
+[install-cli]: /cli/azure/install-azure-cli
+[k8s-ext]: ./dapr.md#set-up-the-azure-cli-extension-for-cluster-extensions
+[cluster]: ./tutorial-kubernetes-deploy-cluster.md
+[k8s-sp]: ./dapr.md#register-the-kubernetesconfiguration-service-provider
+[dapr-config]: ./dapr-settings.md
+[az-cloud-shell]: ./learn/quick-kubernetes-deploy-powershell.md#azure-cloud-shell
+[kubectl]: ./tutorial-kubernetes-deploy-cluster.md#connect-to-cluster-using-kubectl
+
+<!-- Links External -->
+[dapr-workflow-sample]: https://github.com/Azure/dapr-workflows-aks-sample
+[dapr-program]: https://github.com/Azure/dapr-workflows-aks-sample/blob/main/Program.cs
+[dapr-workflow-dir]: https://github.com/Azure/dapr-workflows-aks-sample/tree/main/Workflows
+[dapr-activities-dir]: https://github.com/Azure/dapr-workflows-aks-sample/tree/main/Activities
+[dapr-workflow-alpha]: https://docs.dapr.io/operations/support/support-preview-features/#current-preview-features
+[deployment-yaml]: https://github.com/Azure/dapr-workflows-aks-sample/blob/main/Deploy/deployment.yaml
+[docker]: https://docs.docker.com/get-docker/
+[helm]: https://helm.sh/docs/intro/install/