Merge pull request #189604 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: v-ccolin

articles/active-directory/conditional-access/workload-identity.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: how-to
-ms.date: 01/10/2022
+ms.date: 02/23/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -19,31 +19,25 @@ ms.collection: M365-identity-device-management
 
 Previously, Conditional Access policies applied only to users when they access apps and services like SharePoint online or the Azure portal. This preview adds support for Conditional Access policies applied to service principals owned by the organization. We call this capability  Conditional Access for workload identities. 
 
-A workload identity is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as:
+A [workload identity](../develop/workload-identities-overview.md) is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as they:
 
-- They usually have no formal lifecycle process.
+- Can’t perform multi-factor authentication.
+- Often have no formal lifecycle process.
 - Need to store their credentials or secrets somewhere.
-- Applications may use multiple identities. 
- 
-These differences make workload identities difficult to manage, puts them at higher risk for leaks, and reduces the potential for securing access.
+
+These differences make workload identities harder to manage and put them at higher risk for compromise.
 
 > [!IMPORTANT]
 > In public preview, you can scope Conditional Access policies to service principals in Azure AD with an Azure Active Directory Premium P2 edition active in your tenant. After general availability, additional licenses might be required.
 
 > [!NOTE]
 > Policy can be applied to single tenant service principals that have been registered in your tenant. Third party SaaS and multi-tenanted apps are out of scope. Managed identities are not covered by policy. 
 
-This preview enables blocking service principals from outside of trusted IP ranges, such as a corporate network public IP ranges. 
+This preview enables blocking service principals from outside of trusted public IP ranges, or based on risk detected by Azure AD Identity Protection.
 
 ## Implementation
 
-### Step 1: Set up a sample application
-
-If you already have a test application that makes use of a service principal, you can skip this step.
-
-Set up a sample application that, demonstrates how a job or a Windows service can run with an application identity, instead of a user's identity. Follow the instructions in the article [Quickstart: Get a token and call the Microsoft Graph API by using a console app's identity](../develop/quickstart-v2-netcore-daemon.md) to create this application.
-
-### Step 2: Create a Conditional Access policy
+### Create a location-based Conditional Access policy
 
 Create a location based Conditional Access policy that applies to service principals.
 
@@ -60,6 +54,52 @@ Create a location based Conditional Access policy that applies to service princi
 1. Your policy can be saved in **Report-only** mode, allowing administrators to estimate the effects, or policy is enforced by turning policy **On**.
 1. Select **Create** to complete your policy.
 
+### Create a risk-based Conditional Access policy
+
+Use this sample JSON for a risk-based policy using the [Microsoft Graph beta endpoint](/graph/api/resources/conditionalaccesspolicy?view=graph-rest-1.0&preserve-view=true). 
+
+> [!NOTE]
+> Report-only mode doesn't report account risk on a risky workload identity.
+
+```json
+{
+"displayName": "Name",
+"state": "enabled OR disabled",
+"conditions": {
+"applications": {
+"includeApplications": [
+"All"
+],
+"excludeApplications": [],
+"includeUserActions": [],
+"includeAuthenticationContextClassReferences": [],
+"applicationFilter": null
+},
+"userRiskLevels": [],
+"signInRiskLevels": [],
+"clientApplications": {
+"includeServicePrincipals": [
+"ServicePrincipalsInMyTenant"
+],
+"excludeServicePrincipals": []
+},
+"servicePrincipalRiskLevels": [
+"low",
+"medium",
+"high"
+]
+},
+"grantControls": {
+"operator": "and",
+"builtInControls": [
+"block"
+],
+"customAuthenticationFactors": [],
+"termsOfUse": []
+}
+}
+```
+
 ## Roll back
 
 If you wish to roll back this feature, you can delete or disable any created policies.
@@ -77,14 +117,14 @@ Failure reason when Service Principal is blocked by Conditional Access: “Acces
 
 ### Finding the objectID
 
-You can get the objectID of the service principal from Azure AD Enterprise Applications. The Object ID in Azure AD App registrations cannot be used. This identifier is the Object ID of the app registration, not of the service principal.
+You can get the objectID of the service principal from Azure AD Enterprise Applications. The Object ID in Azure AD App registrations can’t be used. This identifier is the Object ID of the app registration, not of the service principal.
 
 1. Browse to the **Azure portal** > **Azure Active Directory** > **Enterprise Applications**, find the application you registered.
 1. From the **Overview** tab, copy the **Object ID** of the application. This identifier is the unique to the service principal, used by Conditional Access policy to find the calling app.
 
 ### Microsoft Graph
 
-Sample JSON for configuration using the Microsoft Graph beta endpoint.
+Sample JSON for location-based configuration using the Microsoft Graph beta endpoint.
 
 ```json
 {

articles/active-directory/devices/azuread-join-sso.md

@@ -39,9 +39,13 @@ If you have a hybrid environment, with both Azure AD and on-premises AD, it's li
 1. The local security authority (LSA) service enables Kerberos and NTLM authentication on the device.
 
 > [!NOTE]
-> Windows Hello for Business requires additional configuration to enable on-premises SSO from an Azure AD joined device. For more information, see [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base). 
+> Additional configuration is required when passwordless authentication to Azure AD joined devices is used.
 >
-> FIDO2 security key based passwordless authentication with Windows 10 or newer requires additional configuration to enable on-premises SSO from an Azure AD joined device. For more information, see [Enable passwordless security key sign-in to on-premises resources with Azure Active Directory](../authentication/howto-authentication-passwordless-security-key-on-premises.md). 
+> For FIDO2 security key based passwordless authentication and Windows Hello for Business Hybrid Cloud Trust, see [Enable passwordless security key sign-in to on-premises resources with Azure Active Directory](../authentication/howto-authentication-passwordless-security-key-on-premises.md).
+> 
+> For Windows Hello for Business Hybrid Key Trust, see [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base).
+> 
+> For Windows Hello for Business Hybrid Certificate Trust, see [Using Certificates for AADJ On-premises Single-sign On](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert). 
 
 During an access attempt to a resource requesting Kerberos or NTLM in the user's on-premises environment, the device:
 

articles/active-directory/hybrid/how-to-connect-install-prerequisites.md

@@ -11,7 +11,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.topic: how-to
-ms.date: 01/21/2022
+ms.date: 02/23/2022
 ms.subservice: hybrid
 ms.author: billmath
 
@@ -88,7 +88,7 @@ We recommend that you harden your Azure AD Connect server to decrease the securi
 ### SQL Server used by Azure AD Connect
 * Azure AD Connect requires a SQL Server database to store identity data. By default, a SQL Server 2019 Express LocalDB (a light version of SQL Server Express) is installed. SQL Server Express has a 10-GB size limit that enables you to manage approximately 100,000 objects. If you need to manage a higher volume of directory objects, point the installation wizard to a different installation of SQL Server. The type of SQL Server installation can impact the [performance of Azure AD Connect](./plan-connect-performance-factors.md#sql-database-factors).
 * If you use a different installation of SQL Server, these requirements apply:
-  * Azure AD Connect supports all versions of SQL Server from 2012 (with the latest service pack) to SQL Server 2019. Azure SQL Database *isn't supported* as a database.
+  * Azure AD Connect supports all versions of SQL Server from 2012 (with the latest service pack) to SQL Server 2019. Azure SQL Database *isn't supported* as a database.  This includes both Azure SQL Database and Azure SQL Managed Instance.
   * You must use a case-insensitive SQL collation. These collations are identified with a \_CI_ in their name. Using a case-sensitive collation identified by \_CS_ in their name *isn't supported*.
   * You can have only one sync engine per SQL instance. Sharing a SQL instance with FIM/MIM Sync, DirSync, or Azure AD Sync *isn't supported*.
 

articles/active-directory/identity-protection/howto-export-risk-data.md

@@ -6,12 +6,12 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: identity-protection
 ms.topic: how-to
-ms.date: 07/30/2021
+ms.date: 02/18/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
 manager: karenhoran
-ms.reviewer: sahandle
+ms.reviewer: sahandle, etbasser
 
 ms.collection: M365-identity-device-management
 ---
@@ -26,18 +26,20 @@ Azure AD stores reports and security signals for a defined period of time. When
 | Azure AD MFA usage | 30 days | 30 days | 30 days |
 | Risky sign-ins | 7 days | 30 days | 30 days |
 
-Organizations can choose to store data for longer periods by changing diagnostic settings in Azure AD to send **RiskyUsers** and **UserRiskEvents** data to a Log Analytics workspace, archive data to a storage account, stream data to an Event Hub, or send data to a partner solution. Find these options in the **Azure portal** > **Azure Active Directory**, **Diagnostic settings** > **Edit setting**. If you don't have a diagnostic setting, follow the instructions in the article [Create diagnostic settings to send platform logs and metrics to different destinations](../../azure-monitor/essentials/diagnostic-settings.md) to create one.
+Organizations can choose to store data for longer periods by changing diagnostic settings in Azure AD to send **RiskyUsers**, **UserRiskEvents**, **RiskyServicePrincipals**, and **ServicePrincipalRiskEvents** data to a Log Analytics workspace, archive data to a storage account, stream data to an event hub, or send data to a partner solution. Find these options in the **Azure portal** > **Azure Active Directory**, **Diagnostic settings** > **Edit setting**. If you don't have a diagnostic setting, follow the instructions in the article [Create diagnostic settings to send platform logs and metrics to different destinations](../../azure-monitor/essentials/diagnostic-settings.md) to create one.
 
 [ ![Diagnostic settings screen in Azure AD showing existing configuration](./media/howto-export-risk-data/change-diagnostic-setting-in-portal.png) ](./media/howto-export-risk-data/change-diagnostic-setting-in-portal.png#lightbox)
 
 ## Log Analytics
 
 Log Analytics allows organizations to query data using built in queries or custom created Kusto queries, for more information, see [Get started with log queries in Azure Monitor](../../azure-monitor/logs/get-started-queries.md).
 
-Once enabled you will find access to Log Analytics in the **Azure portal** > **Azure AD** > **Log Analytics**. The tables of most interest to Identity Protection administrators are **AADRiskyUsers** and **AADUserRiskEvents**.
+Once enabled you'll find access to Log Analytics in the **Azure portal** > **Azure AD** > **Log Analytics**. The following tables are of most interest to Identity Protection administrators:
 
 - AADRiskyUsers - Provides data like the **Risky users** report in Identity Protection.
 - AADUserRiskEvents - Provides data like the **Risk detections** report in Identity Protection.
+- RiskyServicePrincipals - Provides data like the **Risky workload identities** report in Identity Protection.
+- ServicePrincipalRiskEvents - Provides data like the **Workload identity detections** report in Identity Protection.
 
 [ ![Log Analytics view showing a query against the AADUserRiskEvents table showing the top 5 events](./media/howto-export-risk-data/log-analytics-view-query-user-risk-events.png) ](./media/howto-export-risk-data/log-analytics-view-query-user-risk-events.png#lightbox)
 

articles/active-directory/identity-protection/media/howto-export-risk-data/change-diagnostic-setting-in-portal.png

@@ -113,6 +113,7 @@ Below are the current restrictions of WebSocket support in API Management:
 * WebSocket APIs are not supported yet in the Consumption tier.
 * WebSocket APIs are not supported yet in the [self-hosted gateway](./self-hosted-gateway-overview.md).
 * Azure CLI, PowerShell, and SDK currently do not support management operations of WebSocket APIs.
+* 200 active connections limit per unit.
 
 ### Unsupported policies
 

articles/api-management/websocket-api.md

@@ -653,10 +653,10 @@ Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/hybridRunbookW
 
 ## Next steps
 
-To learn about Azure VM extensions, see:
+- To learn how to configure your runbooks to automate processes in your on-premises datacenter or other cloud environments, see [Run runbooks on a Hybrid Runbook Worker](automation-hrw-run-runbooks.md).
 
- - [Azure VM extensions and features for Windows](/azure/virtual-machines/extensions/features-windows).
- - [Azure VM extensions and features for Linux](/azure/virtual-machines/extensions/features-linux).
+- To learn how to troubleshoot your Hybrid Runbook Workers, see [Troubleshoot Hybrid Runbook Worker issues](troubleshoot/extension-based-hybrid-runbook-worker.md).
 
-To learn about VM extensions for Arc-enabled servers, see:
--  [VM extension management with Azure Arc-enabled servers](/azure/azure-arc/servers/manage-vm-extensions). 
+- To learn about Azure VM extensions, see [Azure VM extensions and features for Windows](/azure/virtual-machines/extensions/features-windows) and [Azure VM extensions and features for Linux](/azure/virtual-machines/extensions/features-linux).
+
+- To learn about VM extensions for Arc-enabled servers, see [VM extension management with Azure Arc-enabled servers](/azure/azure-arc/servers/manage-vm-extensions). 

articles/automation/extension-based-hybrid-runbook-worker-install.md

@@ -116,7 +116,7 @@ In the Product Catalog, always-available services are listed as "non-regional" s
 | [Azure Container Instances](../container-instances/container-instances-region-availability.md) | ![An icon that signifies this service is zonal](media/icon-zonal.svg) |
 | [Azure Container Registry](../container-registry/zone-redundancy.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
 | [Azure Data Explorer](/azure/data-explorer/create-cluster-database-portal) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
-| [Azure Data Factory](../data-factory/index.yml) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
+| [Azure Data Factory](../data-factory/concepts-data-redundancy.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
 | Azure Database for MySQL – [Flexible Server](../mysql/flexible-server/concepts-high-availability.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
 | Azure Database for PostgreSQL – [Flexible Server](../postgresql/flexible-server/overview.md) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |
 | [Azure DDoS Protection](../ddos-protection/ddos-faq.yml) | ![An icon that signifies this service is zone redundant.](media/icon-zone-redundant.svg) |

articles/availability-zones/az-region.md

@@ -3,7 +3,7 @@ title: Troubleshoot common Azure deployment errors
 description: Describes common errors for Azure resources deployed with Azure Resource Manager templates (ARM templates) or Bicep files.
 tags: top-support-issue
 ms.topic: troubleshooting
-ms.date: 01/13/2022
+ms.date: 02/23/2022
 ms.custom: devx-track-azurepowershell
 ---
 
@@ -74,6 +74,7 @@ If your error code isn't listed, submit a GitHub issue. On the right side of the
 | StorageAccountAlreadyExists <br> StorageAccountAlreadyTaken | Provide a unique name for the storage account. | [Resolve storage account name](error-storage-account-name.md)  |
 | StorageAccountNotFound | Check the subscription, resource group, and name of the storage account that you're trying to use. | |
 | SubnetsNotInSameVnet | A virtual machine can only have one virtual network. When deploying several NICs, make sure they belong to the same virtual network. | [Windows VM multiple NICs](../../virtual-machines/windows/multiple-nics.md) <br><br> [Linux VM multiple NICs](../../virtual-machines/linux/multiple-nics.md) |
+| SubnetIsFull | There aren't enough available addresses in the subnet to deploy resources. You can release addresses from the subnet, use a different subnet, or create a new subnet. | [Manage subnets](../../virtual-network/virtual-network-manage-subnet.md) and [Virtual network FAQ](../../virtual-network/virtual-networks-faq.md#are-there-any-restrictions-on-using-ip-addresses-within-these-subnets) <br><br> [Private IP addresses](../../virtual-network/ip-services/private-ip-addresses.md) |
 | SubscriptionNotFound | A specified subscription for deployment can't be accessed. It could be the subscription ID is wrong, the user deploying the template doesn't have adequate permissions to deploy to the subscription, or the subscription ID is in the wrong format. When using ARM template nested deployments to deploy across scopes, provide the subscription's GUID. | [ARM template deploy across scopes](../templates/deploy-to-resource-group.md) <br><br> [Bicep file deploy across scopes](../bicep/deploy-to-resource-group.md) |
 | SubscriptionNotRegistered | When deploying a resource, the resource provider must be registered for your subscription. When you use an Azure Resource Manager template for deployment, the resource provider is automatically registered in the subscription. Sometimes, the automatic registration doesn't complete in time. To avoid this intermittent error, register the resource provider before deployment. | [Resolve registration](error-register-resource-provider.md) |
 | TemplateResourceCircularDependency | Remove unnecessary dependencies. | [Resolve circular dependencies](error-invalid-template.md#circular-dependency) |

articles/azure-resource-manager/troubleshooting/common-deployment-errors.md

@@ -51,6 +51,9 @@ For more information, see the [*SignalR trigger* binding reference](../azure-fun
 
 You also need to configure your function endpoint as an upstream so that service will trigger the function when there is message from client. For more information about how to configure upstream, please refer to this [doc](concept-upstream.md).
 
+> [!NOTE]
+> StreamInvocation from client is not supported in Serverless Mode.
+
 ### Sending messages and managing group membership
 
 Use the *SignalR* output binding to send messages to clients connected to Azure SignalR Service. You can broadcast messages to all clients, or you can send them to a subset of clients that are authenticated with a specific user ID or have been added to a specific group.