Merge branch 'main' into WI-46175a-upcoming-changes-MDVM

Author: AlizaBernstein

articles/active-directory-b2c/whats-new-docs.md

@@ -15,6 +15,29 @@ manager: CelesteDG
 
 Welcome to what's new in Azure Active Directory B2C documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the B2C service, see [What's new in Azure Active Directory](../active-directory/fundamentals/whats-new.md) and [Azure AD B2C developer release notes](custom-policy-developer-notes.md)
 
+## March 2023
+
+### Updated articles
+
+- [Configure SAML identity provider options with Azure Active Directory B2C](identity-provider-generic-saml-options.md)
+- [Tutorial: Configure BioCatch with Azure Active Directory B2C](partner-biocatch.md)
+- [Tutorial: Configure Nok Nok Passport with Azure Active Directory B2C for passwordless FIDO2 authentication](partner-nok-nok.md)
+- [Pass an identity provider access token to your application in Azure Active Directory B2C](idp-pass-through-user-flow.md)
+- [Tutorial: Configure Haventec Authenticate with Azure Active Directory B2C for single-step, multi-factor passwordless authentication](partner-haventec.md)
+- [Configure Trusona Authentication Cloud with Azure Active Directory B2C](partner-trusona.md)
+- [Tutorial: Configure IDEMIA Mobile ID with Azure Active Directory B2C](partner-idemia.md)
+- [Configure Azure Active Directory B2C with Bluink eID-Me for identity verification](partner-eid-me.md)
+- [Tutorial: Configure Azure Active Directory B2C with BlokSec for passwordless authentication](partner-bloksec.md)
+- [Tutorial: Configure Azure Active Directory B2C with Azure Web Application Firewall](partner-azure-web-application-firewall.md)
+- [Tutorial to configure Saviynt with Azure Active Directory B2C](partner-saviynt.md)
+- [Tutorial: Configure Keyless with Azure Active Directory B2C](partner-keyless.md)
+- [Tutorial: Configure security analytics for Azure Active Directory B2C data with Microsoft Sentinel](azure-sentinel.md)
+- [Configure authentication in a sample Python web app by using Azure AD B2C](configure-authentication-sample-python-web-app.md)
+- [Billing model for Azure Active Directory B2C](billing.md)
+- [Azure Active Directory B2C: Region availability & data residency](data-residency.md)
+- ['Azure AD B2C: Frequently asked questions (FAQ)'](faq.yml)
+- [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md)
+ 
 ## February 2023
 
 ### Updated articles

articles/active-directory-domain-services/migrate-from-classic-vnet.md

@@ -10,7 +10,7 @@ metadata:
   ms.subservice: app-mgmt
   ms.workload: identity
   ms.topic: landing-page
-  ms.date: 07/08/2021
+  ms.date: 04/17/2023
   author: CelesteDG
   ms.author: CelesteDG
 
@@ -89,6 +89,8 @@ landingContent:
         links:
           - text: Identity governance
             url: ../governance/identity-governance-overview.md
+          - text: User and admin consent
+            url: user-admin-consent-overview.md
       - linkListType: how-to-guide
         links:
           - text: Assign roles
@@ -139,6 +141,8 @@ landingContent:
             url: ../reports-monitoring/howto-download-logs.md
           - text: Set up access reviews
             url: ../governance/deploy-access-reviews.md
+          - text: Assign owners
+            url: assign-app-owners.md
   - title: Remote access to on-premises apps
     linkLists:
       - linkListType: concept
@@ -147,7 +151,7 @@ landingContent:
             url: ../app-proxy/application-proxy.md
       - linkListType: how-to-guide
         links:
-          - text: Application Proxy deployment
+          - text: Plan application Proxy deployment
             url: ../app-proxy/application-proxy-deployment-plan.md
           - text: Set up connectors
             url: ../app-proxy/application-proxy-connectors.md

articles/active-directory/manage-apps/index.yml

@@ -35,7 +35,7 @@ Administrators, users, or Microsoft security researchers may flag OAuth applicat
 When Azure AD disables an OAuth application, the following actions occur:
 
 - The malicious application and related service principals are placed into a fully disabled state. Any new token requests or requests for refresh tokens are denied, but existing access tokens are still valid until their expiration.
-- The disabled state is surfaced through an exposed property called *disabledByMicrosoftStatus* on the related [application](/graph/api/resources/application) and [service principal](/graph/api/resources/serviceprincipal) resource types in Microsoft Graph.
+- These applications will show `DisabledDueToViolationOfServicesAgreement` on the `disabledByMicrosoftStatus` property on the related [application](/graph/api/resources/application) and [service principal](/graph/api/resources/serviceprincipal) resource types in Microsoft Graph. To prevent them from being instantiated in your organization again in the future, you cannot delete these objects.
 - An email is sent to a global administrator when a user in an organization consented to an application before it was disabled. The email specifies the action taken and recommended steps they can do to investigate and improve their security posture.
 
 ## Recommended response and remediation
@@ -73,3 +73,4 @@ Administrators should be in control of application use by providing the right in
 - [Managing access to applications](./what-is-access-management.md)
 - [Restrict user consent operations in Azure AD](../../security/fundamentals/steps-secure-identity.md#restrict-user-consent-operations)
 - [Compromised and malicious applications investigation](/security/compass/incident-response-playbook-compromised-malicious-app)
+

articles/active-directory/manage-apps/protect-against-consent-phishing.md

@@ -365,7 +365,7 @@
                   href: workload-identity-overview.md
                 - name: Deploy and configure cluster
                   href: workload-identity-deploy-cluster.md
-                - name: Modernize your app with workload identity
+                - name: Migrate your app from pod identity to workload identity
                   href: workload-identity-migrate-from-pod-identity.md
             - name: Use Azure AD pod identity (preview)
               href: use-azure-ad-pod-identity.md
@@ -411,6 +411,8 @@
               href: configure-azure-cni-dynamic-ip-allocation.md
             - name: Use Azure CNI Overlay
               href: azure-cni-overlay.md
+            - name: Deploy Isovalent Cilium Enterprise
+              href: cilium-enterprise-marketplace.md
         - name: DNS
           items:
             - name: Use a static IP address and DNS label

articles/aks/TOC.yml

@@ -485,7 +485,7 @@ After the PVC is created, a pod can be spun up to access the Azure NetApp Files
     spec:
       containers:
       - name: nginx
-        image: mcr.microsoft.com/oss/nginx/nginx:latest1.15.5-alpine
+        image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine
         resources:
           requests:
             cpu: 100m

articles/aks/azure-netapp-files.md

@@ -19,10 +19,6 @@ This article shows you how certificate rotation works in your AKS cluster.
 
 This article requires that you are running the Azure CLI version 2.0.77 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
 
-## Limitation
-
-Certificate rotation is not supported for stopped AKS clusters. 
-
 ## AKS certificates, Certificate Authorities, and Service Accounts
 
 AKS generates and uses the following certificates, Certificate Authorities, and Service Accounts:

articles/aks/certificate-rotation.md

@@ -0,0 +1,89 @@
+---
+title: Isovalent Cilium Enterprise on Azure Marketplace (Preview)
+titleSuffix: Azure Kubernetes Service (AKS)
+description: Learn about Isovalent Cillium Enterprise on Azure Marketplace and how to deploy it on Azure. 
+author: asudbring
+ms.author: allensu
+ms.service: azure-kubernetes-service
+ms.subservice: aks-networking
+ms.topic: how-to
+ms.date: 04/18/2023
+ms.custom: template-how-to
+---
+
+# Isovalent Cilium Enterprise on Azure Marketplace (Preview)
+
+Isovalent Cilium Enterprise on Azure Marketplace is a powerful tool for securing and managing Kubernetes’ workloads on Azure. Cilium Enterprise's range of features and easy deployment make it an ideal solution for organizations of all sizes looking to secure their cloud-native applications. 
+
+Isovalent Cilium Enterprise is a network security platform for modern cloud-native workloads that provides visibility, security, and compliance across Kubernetes clusters. It uses eBPF technology to deliver network and application-layer security, while also providing observability and tracing for Kubernetes workloads. Azure Marketplace is an online store for buying and selling cloud computing solutions that allows you to deploy Isovalent Cilium Enterprise to Azure with ease. 
+
+:::image type="content" source="./media/cilium-enterprise-marketplace/cilium-enterprise-diagram.png" alt-text="Diagram of Isovalent Cilium Enterprise.":::
+
+> [!IMPORTANT]
+> Isovalent Cilium Enterprise is currently in PREVIEW.
+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+Designed for platform teams and using the power of eBPF, Isovalent Cilium Enterprise:
+
+* Combines network and runtime behavior with Kubernetes identity to provide a single source of data for cloud native forensics, audit, compliance monitoring, and threat detection. Isovalent Cilium Enterprise is integrated into your SIEM/Log aggregation platform of choice.
+
+* Scales effortlessly for any deployment size. With capabilities such as traffic management, load balancing, and infrastructure monitoring.
+
+* Fully back-ported and tested. Available with 24x7 support.
+
+* Enables self-service for monitoring, troubleshooting, and security workflows in Kubernetes. Teams can access current and historical views of flow data, metrics, and visualizations for their specific namespaces.
+
+> [!NOTE]
+> If you are upgrading an existing AKS cluster, then it must be created with Azure CNI powered by Cilium. For more information, see [Configure Azure CNI Powered by Cilium in Azure Kubernetes Service (AKS) (Preview)](azure-cni-powered-by-cilium.md).
+
+## Prerequisites
+
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+
+- An existing Azure Kubernetes Service (AKS) cluster running Azure CNI powered by Cilium. If you don't have an existing AKS cluster, you can create one from the Azure portal. For more information, see [Configure Azure CNI Powered by Cilium in Azure Kubernetes Service (AKS) (Preview)](azure-cni-powered-by-cilium.md).
+
+## Deploy Isovalent Cilium Enterprise on Azure Marketplace
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+
+1. In the search box at the top of the portal, enter **Cilium Enterprise** and select **Isovalent Cilium Enterprise** from the results.
+
+1. In the **Basics** tab of **Create Isovalent Cilium Enterprise**, enter or select the following information:
+
+| Setting | Value |
+| --- | --- |
+| **Project details** | |
+| Subscription | Select your subscription |
+| Resource group | Select **Create new** </br> Enter **test-rg** in **Name**. </br> Select **OK**. </br> Or, select an existing resource group that contains your AKS cluster. |
+| **Instance details** | |
+| Supported Regions | Select **West US 2**. |
+| Create new dev cluster? | Leave the default of **No**. |
+
+1. Select **Next: Cluster Details**.
+
+1. Select your AKS cluster from the **AKS Cluster Name** dropdown.
+
+1. Select **Review + create**.
+
+1. Select **Create**.
+
+Azure deploys Isovalent Cilium Enterprise to your selected subscription and resource group. This process may take some time and must be completed. 
+
+> [!IMPORTANT]
+> Note that Marketplace applications are deployed as AKS extensions onto AKS clusters. If you are upgrading the existing AKS cluster, AKS replaces the Cilium OSS images with Isovalent Cilium Enterprise images seamlessly without any downtime. 
+
+When the deployment is complete, you can access the Isovalent Cilium Enterprise by navigating to the resource group that contains the **Cilium Enterprise** resource in the Azure portal.
+
+Cilium can be reconfigured after deployment by updating the Helm values with Azure CLI:
+
+```azurecli
+az k8s-extension update -c <cluster> -t managedClusters -g <region> -n cilium --configuration-settings debug.enabled=true
+```
+
+You can uninstall an Isovalent Cilium Enterprise offer using the AKS extension delete command. Uninstall flow per AKS Cluster isn't added in Marketplace yet until ISV’s stop sell the whole offer. For more information about AKS extension delete, see [az k8s-extension delete](/cli/azure/k8s-extension#az-k8s-extension-delete).
+
+## Next steps
+
+- [Configure Azure CNI Powered by Cilium in Azure Kubernetes Service (AKS) (Preview)](azure-cni-powered-by-cilium.md)
+
+- [What is Azure Kubernetes Service?](intro-kubernetes.md)

articles/aks/cilium-enterprise-marketplace.md

@@ -6,7 +6,7 @@ ms.date: 04/06/2023
 ms.author: pgibson
 ---
 
-# Open Service Mesh (OSM) add-on in Azure Kubernetes Service (OSM)
+# Open Service Mesh (OSM) add-on in Azure Kubernetes Service (AKS)
 
 [Open Service Mesh (OSM)](https://docs.openservicemesh.io/) is a lightweight, extensible, cloud native service mesh that allows you to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.