Merge branch 'MicrosoftDocs:main' into cdcupdate

Author: n0elleli

.openpublishing.publish.config.json

@@ -878,6 +878,12 @@
       "branch": "docs-snippets",
       "branch_mapping": {}
     },
+    {
+      "path_to_root": "ms-identity-python-webapp",
+      "url": "https://github.com/Azure-Samples/ms-identity-python-webapp",
+      "branch": "main",
+      "branch_mapping": {}
+    },
     {
       "path_to_root": "ms-identity-node",
       "url": "https://github.com/Azure-Samples/ms-identity-node",

.openpublishing.redirection.azure-monitor.json

@@ -45,6 +45,16 @@
             "redirect_url": "/azure/azure-monitor/app/app-insights-overview",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/correlation.md",
+            "redirect_url": "/previous-versions/azure/azure-monitor/app/distributed-tracing-telemetry-correlation",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/distributed-tracing.md",
+            "redirect_url": "/previous-versions/azure/azure-monitor/app/distributed-tracing-telemetry-correlation",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-monitor/app/console.md",
             "redirect_url": "/previous-versions/azure/azure-monitor/app/console",

.openpublishing.redirection.json

@@ -7548,6 +7548,11 @@
             "redirect_url": "/azure/reliability/reliability-functions",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-functions/functions-bindings-triggers-python.md",
+            "redirect_url": "/azure/azure-functions/functions-reference-python?pivots=python-mode-decorators#triggers-and-inputs",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-government/documentation-government-k8.md",
             "redirect_url": "/azure/azure-government",

articles/active-directory-domain-services/join-ubuntu-linux-vm.md

@@ -55,7 +55,7 @@ Once the VM is deployed, follow the steps to connect to the VM using SSH.
 
 To make sure that the VM host name is correctly configured for the managed domain, edit the */etc/hosts* file and set the hostname:
 
-```console
+```bash
 sudo vi /etc/hosts
 ```
 
@@ -66,7 +66,7 @@ In the *hosts* file, update the *localhost* address. In the following example:
 
 Update these names with your own values:
 
-```console
+```config
 127.0.0.1 ubuntu.aaddscontoso.com ubuntu
 ```
 
@@ -78,7 +78,7 @@ The VM needs some additional packages to join the VM to the managed domain. To i
 
 During the Kerberos installation, the *krb5-user* package prompts for the realm name in ALL UPPERCASE. For example, if the name of your managed domain is *aaddscontoso.com*, enter *AADDSCONTOSO.COM* as the realm. The installation writes the `[realm]` and `[domain_realm]` sections in */etc/krb5.conf* configuration file. Make sure that you specify the realm an ALL UPPERCASE:
 
-```console
+```bash
 sudo apt-get update
 sudo apt-get install krb5-user samba sssd sssd-tools libnss-sss libpam-sss ntp ntpdate realmd adcli
 ```
@@ -89,13 +89,13 @@ For domain communication to work correctly, the date and time of your Ubuntu VM
 
 1. Open the *ntp.conf* file with an editor:
 
-    ```console
+    ```bash
     sudo vi /etc/ntp.conf
     ```
 
 1. In the *ntp.conf* file, create a line to add your managed domain's DNS name. In the following example, an entry for *aaddscontoso.com* is added. Use your own DNS name:
 
-    ```console
+    ```config
     server aaddscontoso.com
     ```
 
@@ -109,7 +109,7 @@ For domain communication to work correctly, the date and time of your Ubuntu VM
 
     Run the following commands to complete these steps. Use your own DNS name with the `ntpdate` command:
 
-    ```console
+    ```bash
     sudo systemctl stop ntp
     sudo ntpdate aaddscontoso.com
     sudo systemctl start ntp
@@ -121,7 +121,7 @@ Now that the required packages are installed on the VM and NTP is configured, jo
 
 1. Use the `realm discover` command to discover the managed domain. The following example discovers the realm *AADDSCONTOSO.COM*. Specify your own managed domain name in ALL UPPERCASE:
 
-    ```console
+    ```bash
     sudo realm discover AADDSCONTOSO.COM
     ```
 
@@ -135,13 +135,13 @@ Now that the required packages are installed on the VM and NTP is configured, jo
 
     Again, the managed domain name must be entered in ALL UPPERCASE. In the following example, the account named `[email protected]` is used to initialize Kerberos. Enter your own user account that's a part of the managed domain:
 
-    ```console
-    kinit -V [email protected]
+    ```bash
+    sudo kinit -V [email protected]
     ```
 
 1. Finally, join the VM to the managed domain using the `realm join` command. Use the same user account that's a part of the managed domain that you specified in the previous `kinit` command, such as `[email protected]`:
 
-    ```console
+    ```bash
     sudo realm join --verbose AADDSCONTOSO.COM -U '[email protected]' --install=/
     ```
 
@@ -155,7 +155,7 @@ If your VM can't successfully complete the domain-join process, make sure that t
 
 If you received the error *Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)*, open the file */etc/krb5.conf* and add the following code in `[libdefaults]` section and try again:
 
-```console
+```config
 rdns=false
 ```
 
@@ -165,21 +165,21 @@ One of the packages installed in a previous step was for System Security Service
 
 1. Open the *sssd.conf* file with an editor:
 
-    ```console
+    ```bash
     sudo vi /etc/sssd/sssd.conf
     ```
 
 1. Comment out the line for *use_fully_qualified_names* as follows:
 
-    ```console
+    ```config
     # use_fully_qualified_names = True
     ```
 
     When done, save and exit the *sssd.conf* file using the `:wq` command of the editor.
 
 1. To apply the change, restart the SSSD service:
 
-    ```console
+    ```bash
     sudo systemctl restart sssd
     ```
 
@@ -193,37 +193,37 @@ By default, users can only sign in to a VM using SSH public key-based authentica
 
 1. Open the *sshd_conf* file with an editor:
 
-    ```console
+    ```bash
     sudo vi /etc/ssh/sshd_config
     ```
 
 1. Update the line for *PasswordAuthentication* to *yes*:
 
-    ```console
+    ```config
     PasswordAuthentication yes
     ```
 
     When done, save and exit the *sshd_conf* file using the `:wq` command of the editor.
 
 1. To apply the changes and let users sign in using a password, restart the SSH service:
 
-    ```console
+    ```bash
     sudo systemctl restart ssh
     ```
 
 ### Configure automatic home directory creation
 
 To enable automatic creation of the home directory when a user first signs in, complete the following steps:
 
-1. Open the */etc/pam.d/common-session* file in an editor:
+1. Open the `/etc/pam.d/common-session` file in an editor:
 
-    ```console
+    ```bash
     sudo vi /etc/pam.d/common-session
     ```
 
 1. Add the following line in this file below the line `session optional pam_sss.so`:
 
-    ```console
+    ```config
     session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
     ```
 
@@ -235,13 +235,13 @@ To grant members of the *AAD DC Administrators* group administrative privileges
 
 1. Open the *sudoers* file for editing:
 
-    ```console
+    ```bash
     sudo visudo
     ```
 
 1. Add the following entry to the end of */etc/sudoers* file:
 
-    ```console
+    ```config
     # Add 'AAD DC Administrators' group members as admins.
     %AAD\ DC\ Administrators ALL=(ALL) NOPASSWD:ALL
     ```
@@ -254,29 +254,29 @@ To verify that the VM has been successfully joined to the managed domain, start
 
 1. Create a new SSH connection from your console. Use a domain account that belongs to the managed domain using the `ssh -l` command, such as `[email protected]` and then enter the address of your VM, such as *ubuntu.aaddscontoso.com*. If you use the Azure Cloud Shell, use the public IP address of the VM rather than the internal DNS name.
 
-    ```console
-    ssh -l [email protected] ubuntu.aaddscontoso.com
+    ```bash
+    sudo ssh -l [email protected] ubuntu.aaddscontoso.com
     ```
 
 1. When you've successfully connected to the VM, verify that the home directory was initialized correctly:
 
-    ```console
-    pwd
+    ```bash
+    sudo pwd
     ```
 
     You should be in the */home* directory with your own directory that matches the user account.
 
 1. Now check that the group memberships are being resolved correctly:
 
-    ```console
-    id
+    ```bash
+    sudo id
     ```
 
     You should see your group memberships from the managed domain.
 
 1. If you signed in to the VM as a member of the *AAD DC Administrators* group, check that you can correctly use the `sudo` command:
 
-    ```console
+    ```bash
     sudo apt-get update
     ```
 

articles/active-directory/authentication/how-to-certificate-based-authentication.md

@@ -72,7 +72,10 @@ To enable the certificate-based authentication and configure user bindings in th
 1. To delete a CA certificate, select the certificate and click **Delete**.
 1. Click **Columns** to add or delete columns.
 
-### Configure certification authorities using PowerShell
+>[!NOTE]
+>Upload of new CAs will fail when any of the existing CAs are expired. Tenant Admin should delete the expired CAs and then upload the new CA.
+
+### Configure certification authorities(CA) using PowerShell
 
 Only one CRL Distribution Point (CDP) for a trusted CA is supported. The CDP can only be HTTP URLs. Online Certificate Status Protocol (OCSP) or Lightweight Directory Access Protocol (LDAP) URLs aren't supported.
 
@@ -87,6 +90,9 @@ Only one CRL Distribution Point (CDP) for a trusted CA is supported. The CDP can
 [!INCLUDE [Get-AzureAD](../../../includes/active-directory-authentication-get-trusted-azuread.md)]
 ### Add
 
+>[!NOTE]
+>Upload of new CAs will fail when any of the existing CAs are expired. Tenant Admin should delete the expired CAs and then upload the new CA.
+
 [!INCLUDE [New-AzureAD](../../../includes/active-directory-authentication-new-trusted-azuread.md)]
 
 **AuthorityType**

articles/active-directory/conditional-access/concept-conditional-access-report-only.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 01/24/2023
+ms.date: 03/30/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -31,7 +31,7 @@ Report-only mode is a new Conditional Access policy state that allows administra
 > [!WARNING]
 > Policies in report-only mode that require compliant devices may prompt users on Mac, iOS, and Android to select a device certificate during policy evaluation, even though device compliance is not enforced. These prompts may repeat until the device is made compliant. To prevent end users from receiving prompts during sign-in, exclude device platforms Mac, iOS and Android from report-only policies that perform device compliance checks. Note that report-only mode is not applicable for Conditional Access policies with "User Actions" scope.
 
-![Report-only tab in Azure AD sign-in log](./media/concept-conditional-access-report-only/report-only-detail-in-sign-in-log.png)
+![Screenshot showing the report-only tab in a sign-in log.](./media/concept-conditional-access-report-only/report-only-detail-in-sign-in-log.png)
 
 ## Policy results
 

articles/active-directory/conditional-access/concept-conditional-access-session.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 02/27/2023
+ms.date: 03/28/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -75,15 +75,20 @@ For more information, see the article [Configure authentication session manageme
 
 - **Disable** only work when **All cloud apps** are selected, no conditions are selected, and **Disable** is selected under **Session** > **Customize continuous access evaluation** in a Conditional Access policy. You can choose to disable all users or specific users and groups.
 
-
 :::image type="content" source="media/concept-conditional-access-session/continuous-access-evaluation-session-controls.png" alt-text="CAE Settings in a new Conditional Access policy in the Azure portal." lightbox="media/concept-conditional-access-session/continuous-access-evaluation-session-controls.png":::
 
-## Disable resilience defaults (Preview)
+## Disable resilience defaults
 
 During an outage, Azure AD extends access to existing sessions while enforcing Conditional Access policies.
 
 If resilience defaults are disabled, access is denied once existing sessions expire. For more information, see the article [Conditional Access: Resilience defaults](resilience-defaults.md).
 
+## Require token protection for sign-in sessions (preview)
+
+Token protection (sometimes referred to as token binding in the industry) attempts to reduce attacks using token theft by ensuring a token is usable only from the intended device. When an attacker is able to steal a token, by hijacking or replay, they can impersonate their victim until the token expires or is revoked. Token theft is thought to be a relatively rare event, but the damage from it can be significant.
+
+The preview works for specific scenarios only. For more information, see the article [Conditional Access: Token protection (preview)](concept-token-protection.md).
+
 ## Next steps
 
 - [Conditional Access common policies](concept-conditional-access-policy-common.md)

articles/active-directory/conditional-access/howto-conditional-access-insights-reporting.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 02/27/2023
+ms.date: 03/28/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -43,7 +43,7 @@ To access the insights and reporting workbook:
 
 The insights and reporting dashboard lets you see the impact of one or more Conditional Access policies over a specified period. Start by setting each of the parameters at the top of the workbook. 
 
-![Conditional Access Insights and Reporting dashboard in the Azure portal](./media/howto-conditional-access-insights-reporting/conditional-access-insights-and-reporting-dashboard.png)
+:::image type="content" source="media/howto-conditional-access-insights-reporting/conditional-access-insights-and-reporting-dashboard.png" alt-text="Screenshot showing the Conditional Access insights and reporting workbook." lightbox="media/howto-conditional-access-insights-reporting/conditional-access-insights-and-reporting-dashboard-expanded.png":::
 
 **Conditional Access policy**: Select one or more Conditional Access policies to view their combined impact. Policies are separated into two groups: Enabled and Report-only policies. By default, all Enabled policies are selected. These enabled policies are the policies currently enforced in your tenant.  
 
@@ -59,7 +59,7 @@ The insights and reporting dashboard lets you see the impact of one or more Cond
 
 Once the parameters have been set, the impact summary loads. The summary shows how many users or sign-ins during the time range resulted in “Success”, “Failure”, ”User action required” or “Not applied” when the selected policies were evaluated.  
 
-![Impact summary in the Conditional Access workbook](./media/howto-conditional-access-insights-reporting/workbook-impact-summary.png)
+![Screenshot showing an example impact summary in the Conditional Access workbook.](./media/howto-conditional-access-insights-reporting/workbook-impact-summary.png)
 
 **Total**: The number of users or sign-ins during the time period where at least one of the selected policies was evaluated.
 
@@ -73,15 +73,15 @@ Once the parameters have been set, the impact summary loads. The summary shows h
 
 ### Understanding the impact 
 
-![Workbook breakdown per condition and status](./media/howto-conditional-access-insights-reporting/workbook-breakdown-condition-and-status.png)
+![Screenshot showing a workbook breakdown per condition and status.](./media/howto-conditional-access-insights-reporting/workbook-breakdown-condition-and-status.png)
 
 View the breakdown of users or sign-ins for each of the conditions. You can filter the sign-ins of a particular result (for example, Success or Failure) by selecting on of the summary tiles at the top of the workbook. You can see the breakdown of sign-ins for each of the Conditional Access conditions: device state, device platform, client app, location, application, and sign-in risk.  
 
 ## Sign-in details 
 
-![Workbook sign-in details](./media/howto-conditional-access-insights-reporting/workbook-sign-in-details.png)
+![Screenshot showing workbook sign-in details.](./media/howto-conditional-access-insights-reporting/workbook-sign-in-details.png)
 
-You can also investigate the sign-ins of a specific user by searching for sign-ins at the bottom of the dashboard. The query on the left displays the most frequent users. Selecting a user filters the query to the right.  
+You can also investigate the sign-ins of a specific user by searching for sign-ins at the bottom of the dashboard. The query displays the most frequent users. Selecting a user filters the query.  
 
 > [!NOTE]
 > When downloading the Sign-ins logs, choose JSON format to include Conditional Access report-only result data.
@@ -110,7 +110,7 @@ In order to access the workbook, you need the proper Azure AD permissions and Lo
 1. Type `SigninLogs` into the query box and select **Run**.
 1. If the query doesn't return any results, your workspace may not have been configured correctly. 
 
-![Troubleshoot failing queries](./media/howto-conditional-access-insights-reporting/query-troubleshoot-sign-in-logs.png)
+![Screenshot showing how to troubleshoot failing queries.](./media/howto-conditional-access-insights-reporting/query-troubleshoot-sign-in-logs.png)
 
 For more information about how to stream Azure AD sign-in logs to a Log Analytics workspace, see the article [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).