Merge pull request #234388 from MicrosoftDocs/main

4/13/2023 AM Publish

Author: Taojunshen

articles/active-directory/fundamentals/whats-new-sovereign-clouds.md

@@ -21,6 +21,75 @@ Azure AD receives improvements on an ongoing basis. To stay up to date with the
 
 This page is updated monthly, so revisit it regularly.
 
+## March 2023 
+
+### General Availability - Provisioning Insights Workbook
+
+**Type:** New feature   
+**Service category:** Provisioning                     
+**Product capability:** Monitoring & Reporting            
+
+This new workbook makes it easier to investigate and gain insights into your provisioning workflows in a given tenant. This includes HR-driven provisioning, cloud sync, app provisioning, and cross-tenant sync.
+
+Some key questions this workbook can help answer are:
+
+- How many identities have been synced in a given time range?
+- How many create, delete, update, or other operations were performed?
+- How many operations were successful, skipped, or failed?
+- What specific identities failed? And what step did they fail on?
+- For any given user, what tenants / applications were they provisioned or deprovisioned to?
+
+For more information, see: [Provisioning insights workbook](../app-provisioning/provisioning-workbook.md).
+
+---
+
+### General Availability - Follow Azure Active Directory best practices with recommendations
+
+**Type:** New feature   
+**Service category:** Reporting                       
+**Product capability:** Monitoring & Reporting            
+
+Azure Active Directory recommendations help you improve your tenant posture by surfacing opportunities to implement best practices. On a daily basis, Azure AD analyzes the configuration of your tenant. During this analysis, Azure Active Directory compares the data of a recommendation with the actual configuration of your tenant. If a recommendation is flagged as applicable to your tenant, the recommendation appears in the Recommendations section of the Azure Active Directory Overview. 
+
+This release includes our first three recommendations:
+
+- Convert from per-user MFA to Conditional Access MFA
+- Migration applications from AD FS to Azure Active Directory
+- Minimize MFA prompts from known devices.
+
+We're developing more recommendations, so stay tuned!
+
+For more information, see: 
+
+- [What are Azure Active Directory recommendations?](../reports-monitoring/overview-recommendations.md).
+- [Use the Azure AD recommendations API to implement Azure AD best practices for your tenant](/graph/api/resources/recommendations-api-overview)
+
+---
+
+### General Availability - Improvements to Azure Active Directory Smart Lockout
+
+**Type:** Changed feature   
+**Service category:** Other                          
+**Product capability:** User Management             
+
+With a recent improvement, Smart Lockout now synchronizes the lockout state across Azure Active Directory data centers, so the total number of failed sign-in attempts allowed before an account is locked will match the configured lockout threshold.
+
+For more information, see: [Protect user accounts from attacks with Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md).
+
+---
+
+### General Availability- MFA events from ADFS and NPS adapter available in Sign-in logs
+
+**Type:** Changed feature   
+**Service category:** MFA                            
+**Product capability:** Identity Security & Protection              
+
+Customers with Cloud MFA activity from ADFS adapter, or NPS Extension, can now see these events in the Sign-in logs, rather than the legacy multi-factor authentication activity report.  Not all attributes in the sign-in logs are populated for these events due to limited data from the on-premises components. Customers with ADFS using AD Health Connect and customers using NPS with the latest NPS extension installed will have a richer set of data in the events.
+
+For more information, see: [Protect user accounts from attacks with Azure Active Directory smart lockout](../authentication/howto-password-smart-lockout.md).
+
+---
+
 ## February 2023
 
 ### General Availability - Filter and transform group names in token claims configuration using regular expression

articles/automation/TOC.yml

@@ -90,8 +90,6 @@
               href: troubleshoot/managed-identity.md 
         - name: Run As account
           items:
-            - name: Create Run As account
-              href: create-run-as-account.md
             - name: Delete Run As account
               href: delete-run-as-account.md
             - name: Manage Run As account

articles/automation/automation-security-overview.md

@@ -4,7 +4,7 @@ description: This article provides an overview of Azure Automation account authe
 keywords: automation security, secure automation; automation authentication
 services: automation
 ms.subservice: process-automation
-ms.date: 03/07/2023
+ms.date: 04/12/2023
 ms.topic: conceptual 
 ms.custom: devx-track-azurepowershell
 ---
@@ -37,9 +37,6 @@ A managed identity from Azure Active Directory (Azure AD) allows your runbook to
 
 Managed identities are the recommended way to authenticate in your runbooks, and is the default authentication method for your Automation account.
 
-> [!NOTE]
-> When you create an Automation account, the option to create a Run As account is no longer available. However, we continue to support a RunAs account for existing and new Automation accounts. You can [create a Run As account](create-run-as-account.md) in your Automation account from the Azure portal or by using PowerShell.
-
 Here are some of the benefits of using managed identities:
 
 - Using a managed identity instead of the Automation Run As account simplifies management. You don't have to renew the certificate used by a Run As account.
@@ -68,7 +65,7 @@ Run As accounts in Azure Automation provide authentication for managing Azure Re
 - Azure Run As Account
 - Azure Classic Run As Account
 
-To create or renew a Run As account, permissions are needed at three levels:
+To renew a Run As account, permissions are needed at three levels:
 
 - Subscription,
 - Azure Active Directory (Azure AD), and
@@ -82,11 +79,11 @@ You need the `Microsoft.Authorization/*/Write` permission. This permission is ob
 - [Owner](../role-based-access-control/built-in-roles.md#owner)
 - [User Access Administrator](../role-based-access-control/built-in-roles.md#user-access-administrator)
 
-To configure or renew Classic Run As accounts, you must have the Co-administrator role at the subscription level. To learn more about classic subscription permissions, see [Azure classic subscription administrators](../role-based-access-control/classic-administrators.md#add-a-co-administrator).
+To renew Classic Run As accounts, you must have the Co-administrator role at the subscription level. To learn more about classic subscription permissions, see [Azure classic subscription administrators](../role-based-access-control/classic-administrators.md#add-a-co-administrator).
 
 ### Azure AD permissions
 
-To be able to create or renew the service principal, you need to be a member of one of the following Azure AD built-in roles:
+To renew the service principal, you need to be a member of one of the following Azure AD built-in roles:
 
 - [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator)
 - [Application Developer](../active-directory/roles/permissions-reference.md#application-developer)
@@ -95,7 +92,7 @@ Membership can be assigned to **ALL** users in the tenant at the directory level
 
 ### Automation account permissions
 
-To be able to create or update the Automation account, you need to be a member of one of the following Automation account roles:
+To update the Automation account, you need to be a member of one of the following Automation account roles:
 
 - [Owner](./automation-role-based-access-control.md#owner)
 - [Contributor](./automation-role-based-access-control.md#contributor)
@@ -105,40 +102,24 @@ To learn more about the Azure Resource Manager and Classic deployment models, se
 >[!NOTE]
 >Azure Cloud Solution Provider (CSP) subscriptions support only the Azure Resource Manager model. Non-Azure Resource Manager services are not available in the program. When you are using a CSP subscription, the Azure Classic Run As account is not created, but the Azure Run As account is created. To learn more about CSP subscriptions, see [Available services in CSP subscriptions](/azure/cloud-solution-provider/overview/azure-csp-available-services).
 
-When you create an Automation account, the Run As account is created by default at the same time with a self-signed certificate. If you chose not to create it along with the Automation account, it can be created individually at a later time. An Azure Classic Run As Account is optional, and is created separately if you need to manage classic resources.
-
-> [!NOTE]
-> Azure Automation does not automatically create the Run As account. It has been replaced by using managed identities.
-
-If you want to use a certificate issued by your enterprise or third-party certification authority (CA) instead of the default self-signed certificate, can use the [PowerShell script to create a Run As account](create-run-as-account.md#powershell-script-to-create-a-run-as-account) option for your Run As and Classic Run As accounts.
-
 > [!VIDEO https://www.microsoft.com/videoplayer/embed/RWwtF3]
 
 ### Run As account
 
-When you create a Run As account, it performs the following tasks:
-
-* Creates an Azure AD application with a self-signed certificate, creates a service principal account for the application in Azure AD, and assigns the [Contributor](../role-based-access-control/built-in-roles.md#contributor) role for the account in your current subscription. You can change the certificate setting to [Reader](../role-based-access-control/built-in-roles.md#reader) or any other role. For more information, see [Role-based access control in Azure Automation](automation-role-based-access-control.md).
-
-* Creates an Automation certificate asset named `AzureRunAsCertificate` in the specified Automation account. The certificate asset holds the certificate private key that the Azure AD application uses.
-
-* Creates an Automation connection asset named `AzureRunAsConnection` in the specified Automation account. The connection asset holds the application ID, tenant ID, subscription ID, and certificate thumbprint.
+Run As Account consists of the following components:
+- An Azure AD application with a self-signed certificate, and a service principal account for the application in Azure AD, which is assigned the [Contributor](../role-based-access-control/built-in-roles.md#contributor) role for the account in your current subscription. You can change the certificate setting to [Reader](../role-based-access-control/built-in-roles.md#reader) or any other role. For more information, see [Role-based access control in Azure Automation](automation-role-based-access-control.md).
+- An Automation certificate asset named `AzureRunAsCertificate` in the specified Automation account. The certificate asset holds the certificate private key that the Azure AD application uses.
+- An Automation connection asset named `AzureRunAsConnection` in the specified Automation account. The connection asset holds the application ID, tenant ID, subscription ID, and certificate thumbprint.
 
 ### Azure Classic Run As account
 
-> [!IMPORTANT]
-> Azure Automation Run As Account will retire on September 30, 2023 and will be replaced with Managed Identities. Before that date, you'll need to start migrating your runbooks to use [managed identities](automation-security-overview.md#managed-identities). For more information, see [migrating from an existing Run As accounts to managed identity](https://learn.microsoft.com/azure/automation/migrate-run-as-accounts-managed-identity?tabs=run-as-account#sample-scripts) to start migrating the runbooks from Run As account to managed identities before 30 September 2023.
-
-When you create an Azure Classic Run As account, it performs the following tasks:
+Azure Classic Run As Account consists of the following components:
+- A management certificate in the subscription.
+- An Automation certificate asset named `AzureClassicRunAsCertificate` in the specified Automation account. The certificate asset holds the certificate private key used by the management certificate.
+- An Automation connection asset named `AzureClassicRunAsConnection` in the specified Automation account. The connection asset holds the subscription name, subscription ID, and certificate asset name.
 
 > [!NOTE]
-> You must be a co-administrator on the subscription to create or renew this type of Run As account.
-
-* Creates a management certificate in the subscription.
-
-* Creates an Automation certificate asset named `AzureClassicRunAsCertificate` in the specified Automation account. The certificate asset holds the certificate private key used by the management certificate.
-
-* Creates an Automation connection asset named `AzureClassicRunAsConnection` in the specified Automation account. The connection asset holds the subscription name, subscription ID, and certificate asset name.
+> You must be a co-administrator on the subscription to renew this type of Run As account.
 
 ## Service principal for Run As account
 

articles/automation/delete-run-as-account.md

@@ -3,7 +3,7 @@ title: Delete an Azure Automation Run As account
 description: This article tells how to delete a Run As account with PowerShell or from the Azure portal.
 services: automation
 ms.subservice: process-automation
-ms.date: 01/06/2021
+ms.date: 04/12/2023
 ms.topic: conceptual
 ---
 
@@ -26,8 +26,9 @@ Run As accounts in Azure Automation provide authentication for managing resource
 
    ![Delete Run As account](media/delete-run-as-account/automation-account-delete-run-as.png)
 
-5. While the account is being deleted, you can track the progress under **Notifications** from the menu.
+5. While the account is being deleted, you can track the progress under **Notifications** from the menu. Run As accounts can't be restored after deletion.
 
 ## Next steps
 
-To recreate your Run As or Classic Run As account, see [Create Run As accounts](create-run-as-account.md).
+- [Use system-assigned managed identity](enable-managed-identity-for-automation.md).
+- [Use user-assigned managed identity](add-user-assigned-identity.md).

articles/automation/manage-run-as-account.md

@@ -2,7 +2,7 @@
 title: Manage an Azure Automation Run As account
 description: This article tells how to manage your Azure Automation Run As account with PowerShell or from the Azure portal.
 services: automation
-ms.date: 08/02/2021
+ms.date: 04/12/2023
 ms.topic: conceptual 
 ---
 
@@ -161,30 +161,9 @@ You can allow Azure Automation to verify if Key Vault and your Run As account se
 
 You can use the [Extend-AutomationRunAsAccountRoleAssignmentToKeyVault.ps1](https://aka.ms/AA5hugb) script in the PowerShell Gallery to grant your Run As account permissions to Key Vault. See [Assign a Key Vault access policy](../key-vault/general/assign-access-policy-powershell.md) for more details on setting permissions on Key Vault.
 
-## Resolve misconfiguration issues for Run As accounts
-
-Some configuration items necessary for a Run As or Classic Run As account might have been deleted or created improperly during initial setup. Possible instances of misconfiguration include:
-
-* Certificate asset
-* Connection asset
-* Run As account removed from the Contributor role
-* Service principal or application in Azure AD
-
-For such misconfiguration instances, the Automation account detects the changes and displays a status of *Incomplete* on the Run As Accounts properties pane for the account.
-
-:::image type="content" source="media/manage-run-as-account/automation-account-run-as-config-incomplete.png" alt-text="Incomplete Run As account configuration.":::
-
-When you select the Run As account, the account properties pane displays the following error message:
-
-```text
-The Run As account is incomplete. Either one of these was deleted or not created - Azure Active Directory Application, Service Principal, Role, Automation Certificate asset, Automation Connect asset - or the Thumbprint is not identical between Certificate and Connection. Please delete and then re-create the Run As Account.
-```
-
-You can quickly resolve these Run As account issues by [deleting](delete-run-as-account.md) and [re-creating](create-run-as-account.md) the Run As account.
 
 ## Next steps
 
 * [Application Objects and Service Principal Objects](../active-directory/develop/app-objects-and-service-principals.md).
 * [Certificates overview for Azure Cloud Services](../cloud-services/cloud-services-certs-create.md).
-* To create or re-create a Run As account, see [Create a Run As account](create-run-as-account.md).
 * If you no longer need to use a Run As account, see [Delete a Run As account](delete-run-as-account.md).

articles/azure-monitor/app/opencensus-python.md

@@ -206,9 +206,9 @@ import logging
 from opencensus.ext.azure.log_exporter import AzureEventHandler
 
 logger = logging.getLogger(__name__)
-logger.addHandler(AzureLogHandler())
+logger.addHandler(AzureEventHandler())
 # Alternatively manually pass in the connection_string
-# logger.addHandler(AzureLogHandler(connection_string=<appinsights-connection-string>))
+# logger.addHandler(AzureEventHandler(connection_string=<appinsights-connection-string>))
 
 logger.setLevel(logging.INFO)
 logger.info('Hello, World!')
@@ -519,7 +519,7 @@ Each of the Azure Monitor exporters supports configuration of securely sending t
 
 You can view the telemetry data that was sent from your application through the **Logs (Analytics)** tab.
 
-:::image type="content" source="./media/opencensus-python/0010-logs-query.png" lightbox="./media/opencensus-python/0010-logs-query.png" alt-text="Screenshot of the Overview pane with the Logs (Analytics) tab selected.":::
+![Screenshot of the Overview pane with the Logs (Analytics) tab selected.](./media/opencensus-python/0010-logs-query.png)
 
 In the list under **Active**:
 

articles/azure-monitor/app/resources-roles-access-control.md

@@ -2,9 +2,9 @@
 title: Resources, roles, and access control in Application Insights | Microsoft Docs
 description: Owners, contributors and readers of your organization's insights.
 ms.topic: conceptual
-ms.date: 02/14/2019 
+ms.date: 04/13/2023
 ms.custom: devx-track-azurepowershell   
-ms.reviewer: jogrima
+ms.reviewer: cogoodson
 ---
 
 # Resources, roles, and access control in Application Insights