Merge pull request #70142 from MicrosoftDocs/master

3/19 PM Publish

Author: huypub

.openpublishing.redirection.json

@@ -36152,11 +36152,6 @@
       "redirect_document_id": false
     },
     {
-      "source_path": "articles/hdinsight/hdinsight-autoscale-clusters.md",
-      "redirect_url": "/azure/hdinsight/hdinsight-scaling-best-practices",
-      "redirect_document_id": false
-    },
-	    {
       "source_path": "articles/application-insights/opencensus-go.md",
       "redirect_url": "/azure/azure-monitor/app/opencensus-go",
       "redirect_document_id": true

articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 03/06/2019
+ms.date: 03/18/2019
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -65,11 +65,11 @@ As we continue to add more authentication methods such to Azure AD, those method
 
 ## Combined registration Modes
 
-There are two “modes” of combined registration: interrupt and manage. 
+There are two “modes” of combined registration: interrupt and manage.
 
-Interrupt mode, is a wizard-like experience, shown to a user when they register or refresh their security info at sign in. 
+Interrupt mode, is a wizard-like experience, shown to a user when they register or refresh their security info at sign in.
 
-Manage mode is part of the user’s profile and allows them to manage their security info. 
+Manage mode is part of the user’s profile and allows them to manage their security info.
 
 For both modes, if a user has previously registered a method that can be used for MFA, they will need to perform MFA before they can access their security info.
 

articles/active-directory/authentication/howto-registration-mfa-sspr-combined.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 02/20/2019
+ms.date: 03/18/2019
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -42,6 +42,12 @@ Complete the following steps to enable combined registration:
 > [!NOTE]
 > Once you enable combined registration, users who register or confirm their phone number or mobile app through the new experience can use them for MFA and SSPR, if those methods are enabled in the MFA and SSPR policies. If you then disable this experience, users who go to the previous SSPR registration page at `https:/aka.ms/ssprsetup` will be required to perform multi-factor authentication before they can access the page.
 
+If you have configured the site to zone assignment list in Internet Explorer the following sites must be in the same zone:
+
+* [https://login.microsoftonline.com](https://login.microsoftonline.com)
+* [https://mysignins.microsoft.com](https://mysignins.microsoft.com)
+* [https://account.activedirectory.windowsazure.com](https://account.activedirectory.windowsazure.com)
+
 ## Next steps
 
 [Available methods for MFA and SSPR](concept-authentication-methods.md)

articles/active-directory/authentication/media/howto-registration-mfa-sspr-combined/combined-security-info-enable.png

@@ -32,8 +32,10 @@ In this tutorial, you enable users to reset their passwords from the Windows 10
    or
    * [Hybrid Azure AD-joined](../device-management-hybrid-azuread-joined-devices-setup.md), with network connectivity to a domain controller.
 * You must enable Azure AD self-service password reset.
-* If your Windows 10 devices are behind a proxy server or a firewall, you must add the URLs, `passwordreset.microsoftonline.com` and `ajax.aspnetcdn.com` to your HTTPS traffic (port 443) Allowed URLs list.
+* If your Windows 10 devices are behind a proxy server or a firewall, you must add the URLs, `passwordreset.microsoftonline.com` and `ajax.aspnetcdn.com` to your HTTPS traffic (port 443) allowed URLs list.
+* SSPR for Windows 10 is only supported with machine-level proxies
 * Review limitations below before trying this feature in your environment.
+* If using an image, prior to sysprep ensure that the web cache is cleared for the built-in Administrator prior to performing the CopyProfile step. More information about this can be found in the support article [Performance poor when using custom default user profile](https://support.microsoft.com/help/4056823/performance-issue-with-custom-default-user-profile).
 
 ## Configure Reset password link using Intune
 

articles/active-directory/authentication/tutorial-sspr-windows.md

@@ -169,7 +169,7 @@ The basic principle behind ADAL is that whenever your app needs an access token,
                 MessageBox.Show(ex.Message);
             }
 
-            // If user interaction is required, proceed to main page without singing the user in.
+            // If user interaction is required, proceed to main page without signing the user in.
             return;
         }
 

articles/active-directory/develop/quickstart-v1-dotnet.md

@@ -78,6 +78,7 @@
       href: qs-configure-rest-vm.md
     - name: Azure SDKs
       href: qs-configure-sdk-windows-vm.md
+    
   - name: Configure managed identities on virtual machine scale sets
     items:
     - name: Portal
@@ -90,6 +91,7 @@
       href: qs-configure-template-windows-vmss.md
     - name: REST
       href: qs-configure-rest-vmss.md
+      
   - name: Use managed identities on VMs
     items:
     - name: Acquire an access token
@@ -98,6 +100,9 @@
       href: how-to-use-vm-sign-in.md
     - name: Use with Azure SDKs
       href: how-to-use-vm-sdk.md
+    - name: Stop using VM extension and start using Azure IMDS
+      href: howto-migrate-vm-extension.md
+      
   - name: Assign a managed identity access to another Azure resource
     items:
     - name: Portal
@@ -106,6 +111,7 @@
       href: howto-assign-access-cli.md
     - name: PowerShell
       href: howto-assign-access-powershell.md
+      
   - name: Manage user-assigned managed identities
     items:
     - name: Portal
@@ -126,6 +132,7 @@
       href: how-to-view-managed-identity-service-principal-cli.md
     - name: PowerShell
       href: how-to-view-managed-identity-service-principal-powershell.md
+             
 - name: Reference
   items:
   - name: CLI
@@ -144,6 +151,7 @@
     href: /javascript/api/ms-rest-azure
   - name: Go 
     href: https://godoc.org/github.com/Azure/azure-sdk-for-go/services/msi/mgmt/2015-08-31-preview/msi
+    
 - name: Resources
   items:
   - name: FAQs and known issues

articles/active-directory/managed-identities-azure-resources/TOC.yml

@@ -0,0 +1,211 @@
+---
+title: Stop using the managed identity VM extension and start using the Azure Instance Metadata Service endpoint
+description: Step by step instructions to stop using the VM extension and start using the Azure Instance Metadata Service (IMDS) for authentication.
+services: active-directory
+documentationcenter: 
+author: priyamohanram
+manager: daveba
+editor: 
+
+ms.service: active-directory
+ms.subservice: msi
+ms.devlang: na
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.date: 02/25/2018
+ms.author: priyamo
+---
+
+# How to stop using the virtual machine managed identities extension and start using the Azure Instance Metadata Service
+
+## Virtual machine extension for managed identities
+
+The virtual machine extension for managed identities is used to request tokens for a managed identity within the virtual machine. The workflow consists of the following steps:
+
+1. First, the workload within the resource calls the local endpoint `http://localhost/oauth2/token` to request an access token.
+2. The virtual machine extension then uses the credentials for the managed identity, to request an access token from Azure AD.. 
+3. The access token is returned to the caller, and can be used to authenticate to services that support Azure AD authentication, like Azure Key Vault or Azure Storage.
+
+Due to several limitations outlined in the next section, the managed identity VM extension has been deprecated in favor of using the equivalent endpoint in the Azure Instance Metadata Service (IMDS)
+
+### Provision the extension 
+
+When you configure a virtual machine or virtual machine scale set to have a managed identity, you may optional choose to, you may optionally choose to provision the managed identities for Azure resources VM extension using the `-Type` parameter on the [Set-AzVMExtension](https://docs.microsoft.com/powershell/module/az.compute/set-azvmextension) cmdlet. You can pass either `ManagedIdentityExtensionForWindows` or `ManagedIdentityExtensionForLinux`, depending on the type of virtual machine, and name it using the `-Name` parameter. The `-Settings` parameter specifies the port used by the OAuth token endpoint for token acquisition:
+
+```powershell
+   $settings = @{ "port" = 50342 }
+   Set-AzVMExtension -ResourceGroupName myResourceGroup -Location WestUS -VMName myVM -Name "ManagedIdentityExtensionForWindows" -Type "ManagedIdentityExtensionForWindows" -Publisher "Microsoft.ManagedIdentity" -TypeHandlerVersion "1.0" -Settings $settings 
+```
+
+You can also use the Azure Resource Manager deployment template to provision the VM extension, by adding the following JSON to the `resources` section to the template (use `ManagedIdentityExtensionForLinux` for the name and type elements for the Linux version).
+
+    ```json
+    {
+        "type": "Microsoft.Compute/virtualMachines/extensions",
+        "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForWindows')]",
+        "apiVersion": "2018-06-01",
+        "location": "[resourceGroup().location]",
+        "dependsOn": [
+            "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
+        ],
+        "properties": {
+            "publisher": "Microsoft.ManagedIdentity",
+            "type": "ManagedIdentityExtensionForWindows",
+            "typeHandlerVersion": "1.0",
+            "autoUpgradeMinorVersion": true,
+            "settings": {
+                "port": 50342
+            }
+        }
+    }
+    ```
+    
+    
+If you're working with virtual machine scale sets, you can also provision the managed identities for Azure resources virtual machine scale set extension using the [Add-AzVmssExtension](/powershell/module/az.compute/add-azvmssextension) cmdlet. You can pass either `ManagedIdentityExtensionForWindows` or `ManagedIdentityExtensionForLinux`, depending on the type of virtual machine scale set, and name it using the `-Name` parameter. The `-Settings` parameter specifies the port used by the OAuth token endpoint for token acquisition:
+
+   ```powershell
+   $setting = @{ "port" = 50342 }
+   $vmss = Get-AzVmss
+   Add-AzVmssExtension -VirtualMachineScaleSet $vmss -Name "ManagedIdentityExtensionForWindows" -Type "ManagedIdentityExtensionForWindows" -Publisher "Microsoft.ManagedIdentity" -TypeHandlerVersion "1.0" -Setting $settings 
+   ```
+To provision the virtual machine scale set extension with the Azure Resource Manager deployment template, add the following JSON to the `extensionpProfile` section to the template (use `ManagedIdentityExtensionForLinux` for the name and type elements for the Linux version).
+
+    ```json
+    "extensionProfile": {
+        "extensions": [
+            {
+                "name": "ManagedIdentityWindowsExtension",
+                "properties": {
+                    "publisher": "Microsoft.ManagedIdentity",
+                    "type": "ManagedIdentityExtensionForWindows",
+                    "typeHandlerVersion": "1.0",
+                    "autoUpgradeMinorVersion": true,
+                    "settings": {
+                        "port": 50342
+                    },
+                    "protectedSettings": {}
+                }
+            }
+    ```
+
+Provisioning of the virtual machine extension might fail due to DNS lookup failures. If this happens, restart the virtual machine, and try again. 
+
+### Remove the extension 
+To remove the extension, use `-n ManagedIdentityExtensionForWindows` or `-n ManagedIdentityExtensionForLinux` switch (depending on the type of virtual machine) with [az vm extension delete](https://docs.microsoft.com/cli/azure/vm/), or [az vmss extension delete](https://docs.microsoft.com/cli/azure/vmss) for virtual machine scale sets using Azure CLI, or `Remove-AzVMExtension` for Powershell:
+
+```azurecli-interactive
+az vm identity --resource-group myResourceGroup --vm-name myVm -n ManagedIdentityExtensionForWindows
+```
+
+```azurecli-interactive
+az vmss extension delete -n ManagedIdentityExtensionForWindows -g myResourceGroup -vmss-name myVMSS
+```
+
+```powershell
+Remove-AzVMExtension -ResourceGroupName myResourceGroup -Name "ManagedIdentityExtensionForWindows" -VMName myVM
+```
+
+### Acquire a token using the virtual machine extension
+
+The following is a sample request using the managed identities for Azure resources VM Extension Endpoint:
+
+```
+GET http://localhost:50342/oauth2/token?resource=https%3A%2F%2Fmanagement.azure.com%2F HTTP/1.1
+Metadata: true
+```
+
+| Element | Description |
+| ------- | ----------- |
+| `GET` | The HTTP verb, indicating you want to retrieve data from the endpoint. In this case, an OAuth access token. | 
+| `http://localhost:50342/oauth2/token` | The managed identities for Azure resources endpoint, where 50342 is the default port and is configurable. |
+| `resource` | A query string parameter, indicating the App ID URI of the target resource. It also appears in the `aud` (audience) claim of the issued token. This example requests a token to access Azure Resource Manager, which has an App ID URI of https://management.azure.com/. |
+| `Metadata` | An HTTP request header field, required by managed identities for Azure resources as a mitigation against Server Side Request Forgery (SSRF) attack. This value must be set to "true", in all lower case.|
+| `object_id` | (Optional) A query string parameter, indicating the object_id of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities.|
+| `client_id` | (Optional) A query string parameter, indicating the client_id of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities.|
+
+
+Sample response:
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+{
+  "access_token": "eyJ0eXAi...",
+  "refresh_token": "",
+  "expires_in": "3599",
+  "expires_on": "1506484173",
+  "not_before": "1506480273",
+  "resource": "https://management.azure.com/",
+  "token_type": "Bearer"
+}
+```
+
+| Element | Description |
+| ------- | ----------- |
+| `access_token` | The requested access token. When calling a secured REST API, the token is embedded in the `Authorization` request header field as a "bearer" token, allowing the API to authenticate the caller. | 
+| `refresh_token` | Not used by managed identities for Azure resources. |
+| `expires_in` | The number of seconds the access token continues to be valid, before expiring, from time of issuance. Time of issuance can be found in the token's `iat` claim. |
+| `expires_on` | The timespan when the access token expires. The date is represented as the number of seconds from "1970-01-01T0:0:0Z UTC"  (corresponds to the token's `exp` claim). |
+| `not_before` | The timespan when the access token takes effect, and can be accepted. The date is represented as the number of seconds from "1970-01-01T0:0:0Z UTC" (corresponds to the token's `nbf` claim). |
+| `resource` | The resource the access token was requested for, which matches the `resource` query string parameter of the request. |
+| `token_type` | The type of token, which is a "Bearer" access token, which means the resource can give access to the bearer of this token. |
+
+
+### Troubleshoot the virtual machine extension 
+
+#### Restart the virtual machine extension after a failure
+
+On Windows and certain versions of Linux, if the extension stops, the following cmdlet may be used to manually restart it:
+
+```powershell
+Set-AzVMExtension -Name <extension name>  -Type <extension Type>  -Location <location> -Publisher Microsoft.ManagedIdentity -VMName <vm name> -ResourceGroupName <resource group name> -ForceRerun <Any string different from any last value used>
+```
+
+Where: 
+- Extension name and type for Windows is: `ManagedIdentityExtensionForWindows`
+- Extension name and type for Linux is: `ManagedIdentityExtensionForLinux`
+
+#### "Automation script" fails when attempting schema export for managed identities for Azure resources extension
+
+When managed identities for Azure resources is enabled on a virtual machine, the following error is shown when attempting to use the “Automation script” feature for the virtual machine, or its resource group:
+
+![Managed identities for Azure resources automation script export error](./media/howto-migrate-vm-extension/automation-script-export-error.png)
+
+The managed identities for Azure resources virtual machine extension does not currently support the ability to export its schema to a resource group template. As a result, the generated template does not show configuration parameters to enable managed identities for Azure resources on the resource. These sections can be added manually by following the examples in [Configure managed identities for Azure resources on an Azure virtual machine using a templates](qs-configure-template-windows-vm.md).
+
+When the schema export functionality becomes available for the managed identities for Azure resources virtual machine extension (planned for deprecation in January 2019), it will be listed in [Exporting Resource Groups that contain VM extensions](../../virtual-machines/extensions/export-templates.md#supported-virtual-machine-extensions).
+
+## Limitations of the virtual machine extension 
+
+There are several major limitations to using the virtual machine extension. 
+
+ * The most serious limitation is the fact that the credentials used to request tokens are stored on the virtual machine. An attacker who successfully breaches the virtual machine can exfiltrate the credentials. 
+ * Furthermore, the virtual machine extension is still unsupported by several Linux distributions, with a huge development cost to modify, build and test the extension on each of those distributions. Currently, only the following Linux distributions are supported: 
+    * CoreOS Stable
+    * CentOS 7.1 
+    * Red Hat 7.2 
+    * Ubuntu 15.04 
+    * Ubuntu 16.04
+ * There is a performance impact to deploying virtual machines with managed identities, as the virtual machine extension also has to be provisioned. 
+ * Finally, the virtual machine extension can only support having 32 user-assigned managed identities per virtual machine. 
+
+## Azure Instance Metadata Service
+
+The [Azure Instance Metadata Service (IMDS)](https://docs.microsoft.com/azure/virtual-machines/instance-metadata-service) is a REST endpoint that provides information about running virtual machine instances that can be used to manage and configure your virtual machines. The endpoint is available at a well-known non-routable IP address (`169.254.169.254`) that can be accessed only from within the virtual machine.
+
+There are several advantages to using Azure IMDS to request tokens. 
+
+1. The service is external to the virtual machine, therefore the credentials used by managed identities are no longer present on the virtual machine. Instead, they are hosted and secured on the host machine of the Azure virtual machine.   
+2. All Windows and Linux operating systems supported on Azure IaaS can use managed identities.
+3. Deployment is faster and easier, since the VM extension no longer needs to be provisioned.
+4. With the IMDS endpoint, up to 1000 user-assigned managed identities can be assigned to a single virtual machine.
+5. There is no significant change to the requests using IMDS as opposed to those using the virtual machine extension, therefore it is fairly simple to port over existing deployments that currently use the virtual machine extension.
+
+For these reasons, the Azure IMDS service will be the defacto way to request tokens, once the virtual machine extension is deprecated. 
+
+
+## Next Steps
+
+* [How to use managed identities for Azure resources on an Azure virtual machine to acquire an access token](how-to-use-vm-token.md)
+* [Azure Instance Metadata Service](https://docs.microsoft.com/azure/virtual-machines/windows/instance-metadata-service)