Merge pull request #219270 from MicrosoftDocs/main

Publish to live, Tuesday 4 AM PST, 11/22

Author: ttorble

.openpublishing.redirection.azure-monitor.json

@@ -5521,6 +5521,11 @@
             "source_path_from_root": "/articles/azure-monitor/app/powershell-azure-diagnostics.md",
             "redirect_url": "/azure/azure-monitor/agents/diagnostics-extension-to-application-insights",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/export-data-model.md",
+            "redirect_url": "/azure/azure-monitor/app/export-telemetry",
+            "redirect_document_id": false
         }
     ]
 }

articles/active-directory/develop/media/workload-identity-federation-create-trust/add-credential.png

@@ -106,7 +106,7 @@ The list of authorities that are known and trusted by you. In addition to the au
 |-----------|-------------|-----------|--------|
 | `type` | String | Yes | Mirrors the audience or account type your app targets. Possible values: `AAD`, `B2C` |
 | `audience` | Object | No | Only applies when type=`AAD`. Specifies the identity your app targets. Use the value from your app registration |
-| `authority_url` | String | Yes | Required only when type=`B2C`. Specifies the authority URL or policy your app should use  |
+| `authority_url` | String | Yes | Required only when type=`B2C`. Optional for type=`AAD`. Specifies the authority URL or policy your app should use  |
 | `default` | boolean | Yes | A single `"default":true` is required when one or more authorities is specified. |
 
 #### Audience Properties

articles/active-directory/develop/msal-configuration.md

@@ -31,15 +31,15 @@ The solution outlined in this article works in all of these browsers, or anywher
 
 ## Overview of the solution
 
-To continue authenticating users in SPAs, app developers must use the [authorization code flow](v2-oauth2-auth-code-flow.md). In the auth code flow, the identity provider issues a code, and the SPA redeems the code for an access token and a refresh token. When the app requires additional tokens, it can use the [refresh token flow](v2-oauth2-auth-code-flow.md#refresh-the-access-token) to get new tokens. Microsoft Authentication Library (MSAL) for JavaScript v2.0, implements the authorization code flow for SPAs and, with minor updates, is a drop-in replacement for MSAL.js 1.x.
+To continue authenticating users in SPAs, app developers must use the [authorization code flow](v2-oauth2-auth-code-flow.md). In the auth code flow, the identity provider issues a code, and the SPA redeems the code for an access token and a refresh token. When the app requires new tokens, it can use the [refresh token flow](v2-oauth2-auth-code-flow.md#refresh-the-access-token) to get new tokens. Microsoft Authentication Library (MSAL) for JavaScript v2.0, implements the authorization code flow for SPAs and, with minor updates, is a drop-in replacement for MSAL.js 1.x.
 
 For the Microsoft identity platform, SPAs and native clients follow similar protocol guidance:
 
 - Use of a [PKCE code challenge](https://tools.ietf.org/html/rfc7636)
   - PKCE is _required_ for SPAs on the Microsoft identity platform. PKCE is _recommended_ for native and confidential clients.
 - No use of a client secret
 
-SPAs have two additional restrictions:
+SPAs have two more restrictions:
 
 - [The redirect URI must be marked as type `spa`](v2-oauth2-auth-code-flow.md#redirect-uris-for-single-page-apps-spas) to enable CORS on login endpoints.
 - Refresh tokens issued through the authorization code flow to `spa` redirect URIs have a 24-hour lifetime rather than a 90-day lifetime.
@@ -58,16 +58,16 @@ There are two ways of accomplishing sign-in:
   - Consider having a pre-load sequence in the app that checks for a login session and redirects to the login page before the app fully unpacks and executes the JavaScript payload.
 - **Popups**
   - If the user experience (UX) of a full page redirect doesn't work for the application, consider using a popup to handle authentication.
-  - When the popup finishes redirecting to the application after authentication, code in the redirect handler will store the code and tokens in local storage for the application to use. MSAL.js supports popups for authentication, as do most libraries.
+  - When the popup finishes redirecting to the application after authentication, code in the redirect handler will store the code, and tokens in local storage for the application to use. MSAL.js supports popups for authentication, as do most libraries.
   - Browsers are decreasing support for popups, so they may not be the most reliable option. User interaction with the SPA before creating the popup may be needed to satisfy browser requirements.
 
-     Apple [describes a popup method](https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/) as a temporary compatibility fix to give the original window access to third-party cookies. While Apple may remove this transferral of permissions in the future, it will not impact the guidance here.
+     Apple [describes a popup method](https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/) as a temporary compatibility fix to give the original window access to third-party cookies. While Apple may remove this transferal of permissions in the future, it will not impact the guidance here.
 
      Here, the popup is being used as a first party navigation to the login page so that a session is found and an auth code can be provided. This should continue working into the future.
 
 ### Using iframes
 
-A common pattern in web apps is to use an iframe to embed one app inside anotherd: the top-level frame handles authenticating the user and the application hosted in the iframe can trust that the user is signed in, fetching tokens silently using the implicit flow.
+A common pattern in web apps is to use an iframe to embed one app inside another: the top-level frame handles authenticating the user and the application hosted in the iframe can trust that the user is signed in, fetching tokens silently using the implicit flow. However, there are couple of caveats to this assumption irrespective of whether third-party cookies are enabled or blocked in the browser.
 
 Silent token acquisition no longer works when third-party cookies are blocked - the application embedded in the iframe must switch to using popups to access the user's session as it can't navigate to the login page.
 

articles/active-directory/develop/reference-third-party-cookies-spas.md

@@ -14,6 +14,9 @@ You need to establish an authentication mechanism when using [Azure Container Re
 
 You can set up the AKS to ACR integration using the Azure CLI or Azure PowerShell. The AKS to ACR integration assigns the [**AcrPull** role][acr-pull] to the [Azure Active Directory (Azure AD) **managed identity**][aad-identity] associated with your AKS cluster.
 
+> [!IMPORTANT]
+> There is a latency issue with Azure Active Directory groups when attaching ACR. If the AcrPull role is granted to an Azure AD group and the kubelet identity is added to the group to complete the RBAC configuration, there might be up to a one-hour delay before the RBAC group takes effect. We recommended you to use the [Bring your own kubelet identity][byo-kubelet-identity] as a workaround. You can pre-create a user-assigned identity, add it to the Azure AD group, then use the identity as the kubelet identity to create an AKS cluster. This ensures the identity is added to the Azure AD group before a token is generated by kubelet, which avoids the latency issue.
+
 > [!NOTE]
 > This article covers automatic authentication between AKS and ACR. If you need to pull an image from a private external registry, use an [image pull secret][image-pull-secret].
 
@@ -258,3 +261,4 @@ nginx0-deployment-669dfc4d4b-xdpd6   1/1     Running   0          20s
 [ps-detach]: /powershell/module/az.aks/set-azakscluster#-acrnametodetach
 [cli-param]: /cli/azure/aks#az-aks-update-optional-parameters
 [ps-attach]: /powershell/module/az.aks/set-azakscluster#-acrnametoattach
+[byo-kubelet-identity]: use-managed-identity.md#use-a-pre-created-kubelet-managed-identity

articles/aks/cluster-container-registry-integration.md

@@ -15,6 +15,7 @@ As part of the application and cluster lifecycle, you may want to upgrade to the
 In this tutorial, part seven of seven, you learn how to:
 
 > [!div class="checklist"]
+>
 > * Identify current and available Kubernetes versions.
 > * Upgrade your Kubernetes nodes.
 > * Validate a successful upgrade.
@@ -23,9 +24,8 @@ In this tutorial, part seven of seven, you learn how to:
 
 In previous tutorials, an application was packaged into a container image, and this container image was uploaded to Azure Container Registry (ACR). You also created an AKS cluster. The application was then deployed to the AKS cluster. If you have not done these steps and would like to follow along, start with [Tutorial 1: Prepare an application for AKS][aks-tutorial-prepare-app].
 
-* If you're using Azure CLI, this article requires that you're running Azure CLI version 2.34.1 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
+* If you're using Azure CLI, this tutorial requires that you're running Azure CLI version 2.34.1 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
 * If you're using Azure PowerShell, this tutorial requires that you're running Azure PowerShell version 5.9.0 or later. Run `Get-InstalledModule -Name Az` to find the version. If you need to install or upgrade, see [Install Azure PowerShell][azure-powershell-install].
-* If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
 
 ## Get available cluster versions
 

articles/aks/tutorial-kubernetes-upgrade-cluster.md

@@ -12,7 +12,7 @@ ms.date: 06/02/2020
 # Configure an ASP.NET app for Azure App Service
 
 > [!NOTE]
-> For ASP.NET Core, see [Configure an ASP.NET Core app for Azure App Service](configure-language-dotnetcore.md)
+> For ASP.NET Core, see [Configure an ASP.NET Core app for Azure App Service](configure-language-dotnetcore.md). If your ASP.NET app runs in a custom Windows or Linux container, see [Configure a custom container for Azure App Service](configure-custom-container.md).
 
 ASP.NET apps must be deployed to Azure App Service as compiled binaries. The Visual Studio publishing tool builds the solution and then deploys the compiled binaries directly, whereas the App Service deployment engine deploys the code repository first and then compiles the binaries.
 

articles/app-service/configure-language-dotnet-framework.md

@@ -13,7 +13,7 @@ zone_pivot_groups: app-service-platform-windows-linux
 # Configure an ASP.NET Core app for Azure App Service
 
 > [!NOTE]
-> For ASP.NET in .NET Framework, see [Configure an ASP.NET app for Azure App Service](configure-language-dotnet-framework.md)
+> For ASP.NET in .NET Framework, see [Configure an ASP.NET app for Azure App Service](configure-language-dotnet-framework.md). If your ASP.NET Core app runs in a custom Windows or Linux container, see [Configure a custom container for Azure App Service](configure-custom-container.md).
 
 ASP.NET Core apps must be deployed to Azure App Service as compiled binaries. The Visual Studio publishing tool builds the solution and then deploys the compiled binaries directly, whereas the App Service deployment engine deploys the code repository first and then compiles the binaries.
 

articles/app-service/configure-language-dotnetcore.md

@@ -9,10 +9,6 @@ ms.author: cephalin
 
 [Azure App Service](../../overview.md) provides pre-defined application stacks on Windows like ASP.NET or Node.js, running on IIS. However, the pre-configured application stacks [lock down the operating system and prevent low-level access](../../operating-system-functionality.md). Custom Windows containers don't have these restrictions, and let developers fully customize the containers and give containerized applications full access to Windows functionality. 
 
-> [!NOTE]
-> For information regarding running containerized applications in a serverless environment, please see [Container Apps](../../../container-apps/overview.md).
->
-
 This quickstart shows you how to deploy an ASP.NET app in a Windows image from Azure Container Registry to Azure App Service. 
 
 To complete this quickstart, you need:

articles/app-service/includes/quickstart-custom-container/quickstart-custom-container-windows-azure-portal-pivot.md

@@ -9,10 +9,6 @@ ms.author: msangapu
 
 [Azure App Service](../../overview.md) provides pre-defined application stacks on Windows like ASP.NET or Node.js, running on IIS. However, the pre-configured application stacks [lock down the operating system and prevent low-level access](../../operating-system-functionality.md). Custom Windows containers don't have these restrictions, and let developers fully customize the containers and give containerized applications full access to Windows functionality. 
 
-> [!NOTE]
-> For information regarding running containerized applications in a serverless environment, please see [Container Apps](../../../container-apps/overview.md).
->
-
 This quickstart shows you how to deploy an ASP.NET app in a Windows image from [Microsoft Artifact Registry](https://mcr.microsoft.com/) to Azure App Service.
 
 To complete this quickstart, you need: