Merge pull request #161992 from MicrosoftDocs/master

Merge master to live, 4 AM

Author: ttorble

.openpublishing.redirection.json

@@ -14523,6 +14523,11 @@
       "redirect_url": "/azure/cdn/cdn-verizon-premium-rules-engine",
       "redirect_document_id": true
     },
+    {
+      "source_path_from_root": "/articles/cdn/cdn-troubleshoot-allowed-ca.md",
+      "redirect_url": "https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/cdn/cdn-rules-engine-reference.md",
       "redirect_url": "/azure/cdn/cdn-verizon-premium-rules-engine-reference",
@@ -42390,11 +42395,21 @@
       "redirect_url": "/azure/web-application-firewall/afds/waf-front-door-create-portal",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/frontdoor/front-door-troubleshoot-allowed-ca.md",
+      "redirect_url": "https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/frontdoor/waf-front-door-custom-rules.md",
       "redirect_url": "/azure/web-application-firewall/afds/waf-front-door-custom-rules",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/frontdoor/standard-premium/troubleshoot-allowed-certificate-authority.md",
+      "redirect_url": "https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/frontdoor/waf-front-door-custom-rules-powershell.md",
       "redirect_url": "/azure/web-application-firewall/afds/waf-front-door-custom-rules-powershell",

articles/active-directory-domain-services/join-windows-vm-template.md

@@ -77,7 +77,7 @@ If you need a Windows Server VM, you can create and configure one using a Resour
 
 To create a Windows Server VM then join it to a managed domain, complete the following steps:
 
-1. Browse to the [quickstart template](https://azure.microsoft.com/resources/templates/201-vm-domain-join/). Select the option to **Deploy to Azure**.
+1. Browse to the [quickstart template](https://azure.microsoft.com/resources/templates/vm-domain-join/). Select the option to **Deploy to Azure**.
 1. On the **Custom deployment** page, enter the following information to create and join a Windows Server VM to the managed domain:
 
     | Setting                   | Value |

articles/active-directory/fundamentals/whats-new.md

@@ -44,7 +44,19 @@ This page is updated monthly, so revisit it regularly. If you're looking for ite
 **Product capability:** User Authentication
 
 Azure AD customers can now easily design and issue verifiable credentials to represent proof of employment, education, or any other claim while respecting privacy. Digitally validate any piece of information about anyone and any business. [Learn more](../verifiable-credentials/index.yml).
+
+---
+
+### Public Preview - Device code flow now includes an app verification prompt
+
+**Type:** New feature  
+**Service category:** User Authentication  
+**Product capability:** Authentications (Logins)
 
+As a security improvement, the [device code flow](../develop/v2-oauth2-device-code.md) has been updated to include an additional prompt, which validates that the user is signing into the app they expect. The roll roll out is planned to start in June and expected to be complete by June 30.
+
+To help prevent phishing attacks where an attacker tricks the user into signing into a malicious application, the following prompt is being added: “Are you trying to sign in to [application display name]?". All users will see this prompt while signing in using the device code flow. As a security measure, it cannot be removed or bypassed. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).
+
 ---
 
 ### Public Preview - build and test expressions for user provisioning
@@ -1111,4 +1123,4 @@ An extra option is now available in the approval process in Entitlement Manageme
 
 For more information, go to [Change approval settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers).
 
----
+---

articles/active-directory/reports-monitoring/media/quickstart-filter-audit-log/audit-log-details.png

@@ -0,0 +1,69 @@
+---
+title: Filter your Azure AD audit log
+description: In this quickstart, you learn how you can filter entries in your Azure AD audit log.
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: report-monitor
+ms.topic: quickstart 
+ms.date: 06/11/2021
+
+ms.author: markvi
+author: MarkusVi
+manager: mtillman
+ms.reviewer: besiler
+
+# Customer intent: As an IT admin, you need to know how to filter your audit log so that you can analyze management activities.
+
+ms.collection: M365-identity-device-management
+---
+# Quickstart: Filter your Azure AD audit log 
+
+With the information in the Azure AD audit log, you get access to records of system activities for compliance. 
+This quickstart shows how to you can locate a newly created user account in your audit log.
+
+
+## Prerequisites
+
+To complete the scenario in this quickstart, you need:
+
+- **Access to an Azure AD tenant** - If you don't have access to an Azure AD tenant, see [Create your Azure free account today](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). 
+- **A test account called Isabella Simonsen** - If you don't know how to create a test account, see [Add cloud-based users](../fundamentals/add-users-azure-active-directory.md#add-a-new-user).
+
+## Find the new user account
+
+This section provides you with the steps to filter your audit log.
+
+
+**To find the new user:**
+
+1. Navigate to the [audit log](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Audit).
+
+2. To list only records for Isabella Simonsen:
+
+    a. In the toolbar, click **Add filters**.
+    
+    ![Add user filter](./media/quickstart-analyze-sign-in/add-filters.png)   
+
+    b. In the **Pick a field** list, select **Target**, and then click **Apply**
+
+    c. In the **Target** textbox, type the **User Principal Name** of **Isabella Simonsen**, and then click **Apply**.
+
+3. Click the filtered item.
+
+    ![Filtered items](./media/quickstart-filter-audit-log/audit-log-list.png)  
+
+4.  Review the **Audit Log Details**.
+ 
+    ![Audit log details](./media/quickstart-filter-audit-log/audit-log-details.png)  
+ 
+  
+
+## Clean up resources
+
+When no longer needed, delete the test user. If you don't know how to delete an Azure AD user, see [Delete users from Azure AD](../fundamentals/add-users-azure-active-directory.md#delete-a-user).
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [What are Azure Active Directory reports?](overview-reports.md)

articles/active-directory/reports-monitoring/media/quickstart-filter-audit-log/audit-log-list.png

@@ -12,6 +12,8 @@
 - name: Quickstarts
   expanded: true
   items:
+  - name: Filter your audit log 
+    href: quickstart-filter-audit-log.md
   - name: Analyze sign-ins 
     href: quickstart-analyze-sign-in.md
   - name: Access logs with the Graph API

articles/active-directory/reports-monitoring/quickstart-filter-audit-log.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 01/19/2021
+ms.date: 06/04/2021
 ms.author: jeedes
 ---
 # Tutorial: Azure Active Directory integration with Blackboard Learn - Shibboleth
@@ -31,7 +31,7 @@ To get started, you need the following items:
 
 In this tutorial, you configure and test Azure AD single sign-on in a test environment.
 
-* Blackboard Learn - Shibboleth supports **SP** initiated SSO
+* Blackboard Learn - Shibboleth supports **SP** initiated SSO.
 
 ## Add Blackboard Learn - Shibboleth from the gallery
 
@@ -57,7 +57,7 @@ To configure and test Azure AD SSO with Blackboard Learn - Shibboleth, perform t
     1. **[Create Blackboard Learn - Shibboleth test user](#create-blackboard-learn---shibboleth-test-user)** - to have a counterpart of B.Simon in Blackboard Learn - Shibboleth that is linked to the Azure AD representation of user.
 1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
 
-### Configure Azure AD SSO
+## Configure Azure AD SSO
 
 In this section, you enable Azure AD single sign-on in the Azure portal.
 
@@ -118,15 +118,15 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
 1. In the **Add Assignment** dialog, click the **Assign** button.
 
-### Configure Blackboard Learn - Shibboleth SSO
+## Configure Blackboard Learn - Shibboleth SSO
 
-To configure single sign-on on **Blackboard Learn - Shibboleth** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Blackboard Learn - Shibboleth support team](https://www.blackboard.com/forms/contact-us_form.aspx). They set this setting to have the SAML SSO connection set properly on both sides.
+To configure Blackboard Learn - Shibboleth single sign-on, please refer to this [document](https://help.blackboard.com/Learn/Administrator/SaaS/Authentication/Implement_Authentication/SAML_Authentication_Provider_Type).
 
 ### Create Blackboard Learn - Shibboleth test user
 
 In this section, you create a user called Britta Simon in Blackboard Learn - Shibboleth. Work with [Blackboard Learn - Shibboleth support team](https://www.blackboard.com/forms/contact-us_form.aspx) to add the users in the Blackboard Learn - Shibboleth platform. Users must be created and activated before you use single sign-on.
 
-### Test SSO
+## Test SSO
 
 In this section, you test your Azure AD single sign-on configuration with following options. 
 
@@ -138,4 +138,4 @@ In this section, you test your Azure AD single sign-on configuration with follow
 
 ## Next steps
 
-Once you configure Blackboard Learn - Shibboleth you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Blackboard Learn - Shibboleth you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).

articles/active-directory/reports-monitoring/toc.yml

@@ -194,36 +194,7 @@ Filesystem
 
  This option is optimized for random access workloads with in-place data updates and provides full POSIX file system support. This section shows you how to use NFS shares with the Azure File CSI driver on an AKS cluster.
 
-Make sure to check the [limitations](../storage/files/storage-files-compare-protocols.md#limitations) and [region availability](../storage/files/storage-files-compare-protocols.md#regional-availability) during the preview phase.
-
-### Register the `AllowNfsFileShares` preview feature
-
-To create a file share that leverages NFS 4.1, you must enable the `AllowNfsFileShares` feature flag on your subscription.
-
-Register the `AllowNfsFileShares` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:
-
-```azurecli-interactive
-az feature register --namespace "Microsoft.Storage" --name "AllowNfsFileShares"
-```
-
-It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature list][az-feature-list] command:
-
-```azurecli-interactive
-az feature list -o table --query "[?contains(name, 'Microsoft.Storage/AllowNfsFileShares')].{Name:name,State:properties.state}"
-```
-
-When ready, refresh the registration of the *Microsoft.Storage* resource provider by using the [az provider register][az-provider-register] command:
-
-```azurecli-interactive
-az provider register --namespace Microsoft.Storage
-```
-
-### Create a storage account for the NFS file share
-
-[Create a `Premium_LRS` Azure storage account](../storage/files/storage-how-to-create-file-share.md) with following configurations to support NFS shares:
-- account kind: FileStorage
-- secure transfer required(enable HTTPS traffic only): false
-- select the virtual network of your agent nodes in Firewalls and virtual networks - so you might prefer to create the Storage Account in the MC_ resource group.
+Make sure to check the [limitations](../storage/files/storage-files-compare-protocols.md#limitations) and [region availability](../storage/files/storage-files-compare-protocols.md#regional-availability).
 
 ### Create NFS file share storage class
 
@@ -236,8 +207,6 @@ metadata:
   name: azurefile-csi-nfs
 provisioner: file.csi.azure.com
 parameters:
-  resourceGroup: EXISTING_RESOURCE_GROUP_NAME  # optional, required only when storage account is not in the same resource group as your agent nodes
-  storageAccount: EXISTING_STORAGE_ACCOUNT_NAME
   protocol: nfs
 ```
 

articles/active-directory/saas-apps/blackboard-learn-shibboleth-tutorial.md

@@ -18,30 +18,6 @@ This feature can only be set at cluster creation or node pool creation time.
 > [!IMPORTANT]
 > Azure ultra disks require nodepools deployed in availability zones and regions that support these disks as well as only specific VM series. See the [**Ultra disks GA scope and limitations**](../virtual-machines/disks-enable-ultra-ssd.md#ga-scope-and-limitations).
 
-### Register the `EnableUltraSSD` preview feature
-
-To create an AKS cluster or a node pool that can leverage Ultra disks, you must enable the `EnableUltraSSD` feature flag on your subscription.
-
-Register the `EnableUltraSSD` feature flag using the [az feature register][az-feature-register] command as shown in the following example:
-
-```azurecli-interactive
-az feature register --namespace "Microsoft.ContainerService" --name "EnableUltraSSD"
-```
-
-It takes a few minutes for the status to show *Registered*. You can check on the registration status using the [az feature list][az-feature-list] command:
-
-```azurecli-interactive
-az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableUltraSSD')].{Name:name,State:properties.state}"
-```
-
-When ready, refresh the registration of the *Microsoft.ContainerService* resource provider using the [az provider register][az-provider-register] command:
-
-```azurecli-interactive
-az provider register --namespace Microsoft.ContainerService
-```
-
-[!INCLUDE [preview features callout](./includes/preview/preview-callout.md)]
-
 ### Install aks-preview CLI extension
 
 To create an AKS cluster or a node pool that can use Ultra Disks, you need the latest *aks-preview* CLI extension. Install the *aks-preview* Azure CLI extension using the [az extension add][az-extension-add] command, or install any available updates using the [az extension update][az-extension-update] command:
@@ -60,7 +36,7 @@ az extension update --name aks-preview
 
 ## Create a new cluster that can use Ultra disks
 
-Create an AKS cluster that is able to leverage Ultra Disks by using the following CLI commands. Use the `--aks-custom-headers` flag to set the `EnableUltraSSD` feature.
+Create an AKS cluster that is able to leverage Ultra Disks by using the following CLI commands. Use the `--enable-ultra-ssd` flag to set the `EnableUltraSSD` feature.
 
 Create an Azure resource group:
 
@@ -73,20 +49,20 @@ Create the AKS cluster with support for Ultra Disks.
 
 ```azurecli-interactive
 # Create an AKS-managed Azure AD cluster
-az aks create -g MyResourceGroup -n MyManagedCluster -l westus2 --node-vm-size Standard_L8s_v2 --zones 1 2 --node-count 2 --aks-custom-headers EnableUltraSSD=true
+az aks create -g MyResourceGroup -n MyManagedCluster -l westus2 --node-vm-size Standard_D2s_v3 --zones 1 2 --node-count 2 --enable-ultra-ssd
 ```
 
-If you want to create clusters without ultra disk support, you can do so by omitting the custom `--aks-custom-headers` parameter.
+If you want to create clusters without ultra disk support, you can do so by omitting the `--enable-ultra-ssd` parameter.
 
 ## Enable Ultra disks on an existing cluster
 
-You can enable ultra disks on existing clusters by adding a new node pool to your cluster that support ultra disks. Configure a new node pool to use ultra disks by using the `--aks-custom-headers` flag.
+You can enable ultra disks on existing clusters by adding a new node pool to your cluster that support ultra disks. Configure a new node pool to use ultra disks by using the `--enable-ultra-ssd` flag.
 
 ```azurecli
-az aks nodepool add --name ultradisk --cluster-name myAKSCluster --resource-group myResourceGroup --node-vm-size Standard_L8s_v2 --zones 1 2 --node-count 2 --aks-custom-headers EnableUltraSSD=true
+az aks nodepool add --name ultradisk --cluster-name myAKSCluster --resource-group myResourceGroup --node-vm-size Standard_D2s_v3 --zones 1 2 --node-count 2 --enable-ultra-ssd
 ```
 
-If you want to create new node pools without support for ultra disks, you can do so by omitting the custom `--aks-custom-headers` parameter.
+If you want to create new node pools without support for ultra disks, you can do so by omitting the `--enable-ultra-ssd` parameter.
 
 ## Use ultra disks dynamically with a storage class