Commit 12d8a5b

Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)
2 parents 9732844 + 611654a commit 12d8a5b

58 files changed

+542
-226
lines changed


articles/active-directory-b2c/add-api-connector-token-enrichment.md

Lines changed: 2 additions & 2 deletions
@@ -247,8 +247,8 @@ After you deploy your REST API, set the metadata of the `REST-GetProfile` techni
247247

248248
- **ServiceUrl**. Set the URL of the REST API endpoint.
249249
- **SendClaimsIn**. Specify how the input claims are sent to the RESTful claims provider.
250-
- **AuthenticationType**. Set the type of authentication being performed by the RESTful claims provider.
251-
- **AllowInsecureAuthInProduction**. In a production environment, make sure to set this metadata to `true`
250+
- **AuthenticationType**. Set the type of authentication being performed by the RESTful claims provider such as `Basic` or `ClientCertificate`
251+
- **AllowInsecureAuthInProduction**. In a production environment, make sure to set this metadata to `false`
252252

253253
See the [RESTful technical profile metadata](restful-technical-profile.md#metadata) for more configurations.
254254
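Review bot: both rewritten bullets still lack a closing period, and the `AllowInsecureAuthInProduction` bullet now tells readers to set `false` without saying what the setting guards; one clause explaining what "insecure" authentication means for this technical profile (or an inline pointer to the metadata reference already linked two lines below) would make the corrected recommendation self-explanatory. Flipping the value from `true` to `false` is the right fix, since the previous text recommended the permissive setting for production.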

articles/active-directory-b2c/relyingparty.md

Lines changed: 2 additions & 1 deletion
@@ -8,7 +8,7 @@ manager: CelesteDG
88
ms.service: active-directory
99
ms.workload: identity
1010
ms.topic: reference
11-
ms.date: 06/27/2021
11+
ms.date: 11/09/2021
1212
ms.custom: project-no-code
1313
ms.author: kengaderdus
1414
ms.subservice: B2C
@@ -240,6 +240,7 @@ When the protocol is `SAML`, a metadata element contains the following elements.
240240
| UseDetachedKeys | No | Possible values: `true`, or `false` (default). When the value is set to `true`, Azure AD B2C changes the format of the encrypted assertions. Using detached keys adds the encrypted assertion as a child of the EncrytedAssertion as opposed to the EncryptedData. |
241241
| WantsSignedResponses| No | Indicates whether Azure AD B2C signs the `Response` section of the SAML response. Possible values: `true` (default) or `false`. |
242242
| RemoveMillisecondsFromDateTime| No | Indicates whether the milliseconds will be removed from datetime values within the SAML response (these include IssueInstant, NotBefore, NotOnOrAfter, and AuthnInstant). Possible values: `false` (default) or `true`. |
243+
| RequestContextMaximumLengthInBytes| No | Indicates the maximum length of the [SAML applications](saml-service-provider.md) `RelayState` parameter. The default is 1000. The maximum is 2048.|
243244

244245
### InputClaims
245246
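Review bot: the new `RequestContextMaximumLengthInBytes` row gives its default (1000) and maximum (2048) with no unit even though the setting name says bytes; write "The default is 1000 bytes. The maximum is 2048 bytes." so the row matches the name. The description also needs a possessive ("the SAML application's `RelayState` parameter"), and since this table is being touched, the context row above still misspells `EncryptedAssertion` as `EncrytedAssertion`.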

articles/active-directory/cloud-sync/bread/toc.yml

Lines changed: 2 additions & 15 deletions
@@ -3,22 +3,9 @@
33
topicHref: /azure/index
44
items:
55
- name: Active Directory
6-
tocHref: /azure/active-directory/manage-apps/
7-
topicHref: /azure/active-directory/index
8-
items:
9-
- name: Cloud sync
10-
tocHref: /azure/active-directory/manage-apps/
11-
topicHref: /azure/active-directory/cloud-sync/index
12-
13-
- name: Azure
14-
tocHref: /azure/
15-
topicHref: /azure/index
16-
items:
17-
- name: Active Directory
18-
tocHref: /azure/active-directory/hybrid/
6+
tocHref: /azure/active-directory/
197
topicHref: /azure/active-directory/index
208
items:
219
- name: Cloud sync
2210
tocHref: /azure/active-directory/hybrid/
23-
topicHref: /azure/active-directory/cloud-sync/index
24-
11+
topicHref: /azure/active-directory/cloud-sync/index
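Review bot: after this change the `Cloud sync` breadcrumb entry keeps `tocHref: /azure/active-directory/hybrid/` while its `topicHref` points at `/azure/active-directory/cloud-sync/index`; if Cloud sync has its own TOC the `tocHref` should match it, and if the hybrid TOC is intended, a short YAML comment saying so would stop the next editor from "fixing" it.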

articles/active-directory/devices/troubleshoot-device-dsregcmd.md

Lines changed: 1 addition & 1 deletion
@@ -250,7 +250,7 @@ This section performs various tests to help diagnose join failures. The informat
250250
251251
- **Client Time**: The system time, in UTC.
252252
- **AD Connectivity Test**: This test performs a connectivity test to the domain controller. An error in this test will likely result in join errors in the pre-check phase.
253-
- **AD Configuration Test**: This test reads and verifies whether the Special Containment Procedures (SCP) object is configured properly in the on-premises Active Directory forest. Errors in this test would likely result in join errors in the discover phase with the error code 0x801c001d.
253+
- **AD Configuration Test**: This test reads and verifies whether the Service Connection Point (SCP) object is configured properly in the on-premises Active Directory forest. Errors in this test would likely result in join errors in the discover phase with the error code 0x801c001d.
254254
- **DRS Discovery Test**: This test gets the DRS endpoints from discovery metadata endpoint and performs a user realm request. Errors in this test would likely result in join errors in the discover phase.
255255
- **DRS Connectivity Test**: This test performs a basic connectivity test to the DRS endpoint.
256256
- **Token Acquisition Test**: This test tries to get an Azure AD authentication token if the user tenant is federated. Errors in this test would likely result in join errors in the authentication phase. If authentication fails, sync-join will be attempted as fallback, unless fallback is explicitly disabled with the following registry key settings:

articles/active-directory/hybrid/how-to-connect-sync-endpoint-api-v2.md

Lines changed: 4 additions & 3 deletions
@@ -15,7 +15,7 @@ ms.collection: M365-identity-device-management
1515
---
1616

1717
# Azure AD Connect sync V2 endpoint API
18-
Microsoft has deployed a new endpoint (API) for Azure AD Connect that improves the performance of the synchronization service operations to Azure Active Directory. By utilizing the new V2 endpoint, you will experience noticeable performance gains on export and import to Azure AD. This new endpoint supports the following:
18+
Microsoft has deployed a new endpoint (API) for Azure AD Connect that improves the performance of the synchronization service operations to Azure Active Directory. By utilizing the new V2 endpoint, you will experience noticeable performance gains on export and import to Azure AD. This new endpoint supports:
1919

2020
- syncing groups with up to 250k members
2121
- performance gains on export and import to Azure AD
@@ -32,12 +32,13 @@ Microsoft has deployed a new endpoint (API) for Azure AD Connect that improves t
3232
3333
## Prerequisites 
3434
In order to use the new V2 endpoint, you will need to use Azure AD Connect v2.0. When you deploy AADConnect V2.0, the V2 endpoint will be automatically enabled.
35-
Note that support for the V2 endpoint is no longer available for V1.x versions. If you need to sync groups with more than 50K members you need to upgrade to Azure AD Connect V2.0.
35+
Support for the V2 endpoint is no longer available for V1.x versions. If you need to sync groups with more than 50K members, you need to upgrade to Azure AD Connect V2.0.
3636

3737
## Frequently asked questions 
3838

3939
**When will the new end point become the default for upgrades and new installations?**
40-
The V2 endpoint is the default setting for AADConnect V2.0 and is not supported for AADConnect V1.x
40+
The V2 endpoint is the default setting for AADConnect V2.0 and is not supported for AADConnect V1.x.
41+
There is an issue where customers who have the V2 endpoint running with an older version and try to upgrade to a newer V1.6 release will see that the 50K limitation on group membership is reinstated. We won't fix this issue in V1.6 and will require customers to upgrade to AADConnect V2.0 if this is an issue for them.
4142

4243
## Next steps
4344
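Review bot: the paragraph appended to the "When will the new end point become the default" answer describes a V1.6 upgrade regression rather than answering that question; give it its own FAQ entry (or a `> [!NOTE]` block) so readers can find it. Its wording also diverges from the copy of the same issue added to the version history in this commit ("We won't fix" / "will require" versus "We will not fix" / "require"); keep one wording, or link the FAQ to the version-history known-issues entry instead of duplicating the text. "50K" should also match the "250k" capitalization used earlier in the article.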

articles/active-directory/hybrid/reference-connect-version-history.md

Lines changed: 3 additions & 0 deletions
@@ -69,6 +69,9 @@ However, if you'd like all the latest features and updates, the best way to see
6969
- We fixed a bug where the Autoupgrade process attempted to upgrade AADConnect servers that are running older Windows OS version 2008 or 2008 R2 and failed. These versions of Windows Server are no longer supported. In this release we only attempt autoupgrade on machines that run Windows Server 2012 or newer.
7070
- We fixed an issue where, under certain conditions, miisserver would be crashing due to access violation exception.
7171

72+
### Known Issues
73+
- There is an issue where customers who have the V2 endpoint running with an older version and try to upgrade to a newer V1.6 release will see that the 50K limitation on group membership is reinstated. We will not fix this issue in V1.6 and require customers to upgrade to AADConnect V2.0 if this is an issue for them.
74+
7275
## 2.0.28.0
7376

7477
>[!NOTE]
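Review bot: the new `### Known Issues` block lands inside the release section that immediately precedes `## 2.0.28.0`, but the issue it describes is triggered by upgrading to a V1.6 release, so a reader of the 1.6 release notes will not see it there. Move it under the relevant 1.6 entry, or into a top-level known-issues section that both entries can link to, and keep the sentence identical to the FAQ copy added to `how-to-connect-sync-endpoint-api-v2.md` in this same commit.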

articles/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md

Lines changed: 10 additions & 3 deletions
@@ -12,7 +12,7 @@ ms.devlang:
1212
ms.topic: conceptual
1313
ms.tgt_pltfrm:
1414
ms.workload: identity
15-
ms.date: 10/15/2021
15+
ms.date: 11/09/2021
1616
ms.author: barclayn
1717
---
1818

@@ -34,7 +34,6 @@ If your infrastructure requires that multiple resources require access to the sa
3434

3535
If you require that each resource has its own identity, or have resources that require a unique set of permissions and want the identity to be deleted as the resource is deleted, then you should use a system-assigned identity.
3636

37-
3837
| Scenario| Recommendation|Notes|
3938
|---|---|---|
4039
| Rapid creation of resources (for example, ephemeral computing) with managed identities | User-assigned identity | If you attempt to create multiple managed identities in a short space of time – for example, deploying multiple virtual machines each with their own system-assigned identity - you may exceed the rate limit for Azure Active Directory object creations, and the request will fail with an HTTP 429 error. <br/><br/>If resources are being created or deleted rapidly, you may also exceed the limit on the number of resources in Azure Active Directory if using system-assigned identities. While a deleted system-assigned identity is no longer accessible by any resource, it will count towards your limit until fully purged after 30 days.<br/><br/>Deploying the resources associated with a single user-assigned identity will require the creation of only one Service Principal in Azure Active Directory, avoiding the rate limit. Using a single identity that is created in advance will also reduce the risk of replication delays that could occur if multiple resources are created each with their own identity.<br/><br/>Read more about the [Azure subscription service limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#managed-identity-limits). |
@@ -85,7 +84,7 @@ When granting any identity, including a managed identity, permissions to access
8584

8685
### Consider the effect of assigning managed identities to Azure resources
8786

88-
It is important to note that when an Azure resource, such as an Azure Logic App, an Azure function, or a Virtual Machine, etc. is assigned a managed identity, all the permissions granted to the managed identity are now available to the Azure resource. This is particularly important because if a user has access to install or execute code on this resource, then the user has access to all the identities assigned/associated to the Azure resource. The purpose of managed identity is to give code running on an Azure resource access to other resources, without developers needing to handle or put credentials directly into code to get that access.
87+
It is important to note that when an Azure resource, such as an Azure Logic App, an Azure function, or a Virtual Machine, etc. is assigned a managed identity, all the permissions granted to the managed identity are now available to the Azure resource. This is important because if a user has access to install or execute code on this resource, then the user has access to all the identities assigned/associated to the Azure resource. The purpose of managed identity is to give code running on an Azure resource access to other resources, without developers needing to handle or put credentials directly into code to get that access.
8988

9089
For example, if a managed Identity (ClientId = 1234) has been granted read/write access to ***StorageAccount7755*** and has been assigned to ***LogicApp3388***, then Alice, who does not have any direct permissions over the managed identity or the storage account but has permission to execute code within ***LogicApp3388*** can also read/write data to/from ***StorageAccount7755*** by executing the code that uses the managed identity.
9190

@@ -106,3 +105,11 @@ Role assignments that are associated with deleted managed identities
106105
will be displayed with “Identity not found” when viewed in the portal. [Read more](../../role-based-access-control/troubleshooting.md#role-assignments-with-identity-not-found).
107106

108107
:::image type="content" source="media/managed-identity-best-practice-recommendations/identity-not-found.png" alt-text="Identity not found for role assignment.":::
108+
109+
## Limitation of using Azure AD Groups with managed identities for authorization
110+
111+
Using Azure AD Groups for granting access to services is a great way to simplify the authorization process. The idea is simple – grant permissions to a group and add identities to the group so that they inherit the same permissions. This is a well-established pattern from various on-premises systems and works well when the identities represent users. However, for non-human identities, such as Azure AD Applications and Managed identities, the exact mechanism is not well suited today. Today’s implementation with Azure AD and Azure Role Based Access Control (Azure RBAC), uses access tokens issued by Azure AD for authentication of each identity. However, if the identity is added to a group, its group membership is expressed as a claim in the access token issued by Azure AD. Azure RBAC uses this claim to further evaluate the authorization rules for allowing or denying access.
112+
113+
As the group membership is a claim in the access token, group membership changes do not take effect until the token is refreshed. A human user can acquire a new access token by logging out and in again. Managed identity tokens are cached by the underlying Azure infrastructure for performance and resiliency purposes. This means that it can take several hours for changes to a managed identity’s group membership to take effect. Today, it is not possible to force a managed identity’s token to be refreshed before its expiry. If you change a managed identity’s group membership to add or remove permissions, you may therefore need to wait several hours for the Azure resource using the identity to have the correct access, compared to just a few minutes if you were to add or remove permissions directly on the identity.
114+
115+
To ensure that changes to permissions for managed identities take effect quickly, we recommend that you group Azure resources using a [user-assigned managed identity](how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azcli) with permissions applied directly to the identity, instead of adding to or removing managed identities from an Azure AD group that has permissions. A user-assigned managed identity can be used like a group because it can be assigned to one or more Azure resources to use it. The assignment operation can be controlled using the [Managed identity contributor](../../role-based-access-control/built-in-roles.md#managed-identity-contributor) and [Managed identity operator role](../../role-based-access-control/built-in-roles.md#managed-identity-operator).
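Review bot: the new section should say explicitly that the delay cuts both ways: removing a managed identity from a group does not revoke its access until the cached token expires, so group removal is not a usable emergency-revocation path, and the faster alternative the text already recommends (role assignments placed directly on the identity, and removed directly) should be named in that context. Two smaller points: "Azure Role Based Access Control (Azure RBAC), uses access tokens" has a stray comma before the verb, and the user-assigned identity link carries `?pivots=identity-mi-methods-azcli`, which drops every reader into the CLI pivot; link the page without the pivot.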

articles/aks/azure-files-csi.md

Lines changed: 5 additions & 2 deletions
@@ -3,7 +3,7 @@ title: Use Container Storage Interface (CSI) drivers for Azure Files on Azure Ku
33
description: Learn how to use the Container Storage Interface (CSI) drivers for Azure Files in an Azure Kubernetes Service (AKS) cluster.
44
services: container-service
55
ms.topic: article
6-
ms.date: 08/27/2020
6+
ms.date: 11/09/2021
77
author: palma21
88

99
---
@@ -254,7 +254,10 @@ kubectl apply -f private-pvc.yaml
254254

255255
[Azure Files supports the NFS v4.1 protocol](../storage/files/storage-files-how-to-create-nfs-shares.md). NFS 4.1 support for Azure Files provides you with a fully managed NFS file system as a service built on a highly available and highly durable distributed resilient storage platform.
256256

257-
This option is optimized for random access workloads with in-place data updates and provides full POSIX file system support. This section shows you how to use NFS shares with the Azure File CSI driver on an AKS cluster.
257+
This option is optimized for random access workloads with in-place data updates and provides full POSIX file system support. This section shows you how to use NFS shares with the Azure File CSI driver on an AKS cluster.
258+
259+
> [!NOTE]
260+
> Make sure cluster `Control plane` identity(with name `AKS Cluster Name`) has `Contributor` permission on vnet resource group.
258261
259262
### Create NFS file share storage class
260263

articles/analysis-services/analysis-services-gateway.md

Lines changed: 2 additions & 2 deletions
@@ -4,7 +4,7 @@ description: An On-premises gateway is necessary if your Analysis Services serve
44
author: minewiskan
55
ms.service: azure-analysis-services
66
ms.topic: conceptual
7-
ms.date: 04/27/2021
7+
ms.date: 11/09/2021
88
ms.author: owend
99
ms.reviewer: minewiskan
1010
---
@@ -51,7 +51,7 @@ The following are fully qualified domain names used by the gateway.
5151
| *.frontend.clouddatahub.net |443 |HTTPS |
5252
| *.core.windows.net |443 |HTTPS |
5353
| login.microsoftonline.com |443 |HTTPS |
54-
| *.msftncsi.com |80 |Used to test internet connectivity if the gateway is unreachable by the Power BI service. |
54+
| *.msftncsi.com |443 |Used to test internet connectivity if the gateway is unreachable by the Power BI service. |
5555
| *.microsoftonline-p.com |443 |Used for authentication depending on configuration. |
5656
| dc.services.visualstudio.com |443 |Used by AppInsights to collect telemetry. |
5757
