Commit 1990de4

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into tamram23-0317
2 parents 4fe821c + beba025 commit 1990de4

22 files changed, +572 -409 lines changed

articles/active-directory/privileged-identity-management/groups-activate-roles.md

Lines changed: 6 additions & 10 deletions
@@ -10,7 +10,7 @@ ms.topic: how-to
1010
ms.tgt_pltfrm: na
1111
ms.workload: identity
1212
ms.subservice: pim
13-
ms.date: 01/12/2023
13+
ms.date: 3/15/2023
1414
ms.author: amsliu
1515
ms.reviewer: ilyal
1616
ms.custom: pim
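Review bot: the new `ms.date: 3/15/2023` on line 13 drops the zero padding that the replaced value `01/12/2023` used. Suggest `03/15/2023` so the metadata keeps one date format; the AKS article changed in this same commit uses `03/17/2023`.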
@@ -23,6 +23,11 @@ In Azure Active Directory (Azure AD), part of Microsoft Entra, you can use Privi
2323

2424
This article is for eligible members or owners who want to activate their group membership or ownership in PIM.
2525

26+
>[!IMPORTANT]
27+
>When a group membership or ownership is activated, Azure AD PIM temporarily adds an active assignment. Azure AD PIM creates an active assignment (adds user as member or owner of the group) within seconds. When deactivation (manual or through activation time expiration) happens, Azure AD PIM removes user’s group membership or ownership within seconds as well.
28+
>
29+
>Application may provide access to users based on their group membership. In some situations, application access may not immediately reflect the fact that user was added to the group or removed from it. If application previously cached the fact that user is not member of the group – when user tries to access application again, access may not be provided. Similarly, if application previously cached the fact that user is member of the group – when group membership is deactivated, user may still get access. Specific situation depends on the application’s architecture. For some applications, signing out and signing back in may help to get access added or removed.
30+
2631
## Activate a role
2732

2833
When you need to take on a group membership or ownership, you can request activation by using the **My roles** navigation option in PIM.
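Review bot: the first paragraph of the new IMPORTANT block (line 27) states the same thing twice, "temporarily adds an active assignment" and then "creates an active assignment ... within seconds". Suggest merging the two into one sentence, for example "When a group membership or ownership is activated, Azure AD PIM adds the user as a member or owner of the group within seconds." On line 29 the articles are missing throughout ("Application may provide", "user was added", "Specific situation depends"), and the "If application previously cached ... – when user tries" construction is hard to parse; a plain "If ..., then ..." sentence reads better.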
@@ -76,15 +81,6 @@ You can view the status of your pending requests to activate. It is specifically
7681

7782
When you select **Cancel**, the request will be canceled. To activate the role again, you will have to submit a new request for activation.
7883

79-
## Troubleshoot
80-
81-
### Permissions are not granted after activating a role
82-
83-
When you activate a role in PIM, the activation may not instantly propagate to all portals that require the privileged role. Sometimes, even if the change is propagated, web caching in a portal may result in the change not taking effect immediately. If your activation is delayed, here is what you should do.
84-
85-
1. Sign out of the Azure portal and then sign back in.
86-
1. In PIM, verify that you are listed as the member of the role.
87-
8884
## Next steps
8985

9086
- [Approve activation requests for group members and owners (preview)](groups-approval-workflow.md)
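Review bot: the deleted Troubleshoot section (old lines 79-87) contained the step "In PIM, verify that you are listed as the member of the role", and nothing in the IMPORTANT block added earlier in this file replaces it. Without that step, a reader whose access does not appear is given no way to tell a failed activation from an application cache delay. Suggest keeping the verification step, either inside the new block or next to the pending-requests text.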

articles/active-directory/privileged-identity-management/pim-how-to-activate-role.md

Lines changed: 8 additions & 10 deletions
@@ -6,14 +6,13 @@ documentationcenter: ''
66
author: amsliu
77
manager: amycolannino
88
editor: ''
9-
109
ms.service: active-directory
1110
ms.topic: how-to
1211
ms.workload: identity
1312
ms.subservice: pim
14-
ms.date: 02/02/2022
13+
ms.date: 3/15/2023
1514
ms.author: amsliu
16-
ms.reviewer: shaunliu
15+
ms.reviewer: ilyal
1716
ms.custom: pim
1817
ms.collection: M365-identity-device-management
1918
---
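Review bot: `ms.date: 3/15/2023` on new line 13 replaces a zero-padded `02/02/2022`; suggest `03/15/2023` to keep the format. The same hunk changes `ms.reviewer` from `shaunliu` to `ilyal` and deletes the blank line after `editor: ''`; please confirm the reviewer reassignment is intended and not a side effect of copying metadata from another article.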
@@ -25,6 +24,11 @@ If you have been made *eligible* for an administrative role, then you must *acti
2524

2625
This article is for administrators who need to activate their Azure AD role in Privileged Identity Management.
2726

27+
>[!IMPORTANT]
28+
>When a role is activated, Azure AD PIM temporarily adds active assignment for the role. Azure AD PIM creates active assignment (assigns user to a role) within seconds. When deactivation (manual or through activation time expiration) happens, Azure AD PIM removes the active assignment within seconds as well.
29+
>
30+
>Application may provide access based on the role the user has. In some situations, application access may not immediately reflect the fact that user got role assigned or removed. If application previously cached the fact that user does not have a role – when user tries to access application again, access may not be provided. Similarly, if application previously cached the fact that user has a role – when role is deactivated, user may still get access. Specific situation depends on the application’s architecture. For some applications, signing out and signing back in may help get access added or removed.
31+
2832
## Activate a role
2933

3034
When you need to assume an Azure AD role, you can request activation by opening **My roles** in Privileged Identity Management.
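Review bot: line 30 tells the reader that after deactivation "user may still get access" when an application has cached the role, yet the only remedy offered is that "signing out and signing back in may help", which relies on the very user whose access should have ended. For a feature whose purpose is time-limited access, this is the statement administrators most need to act on. Suggest adding a sentence addressed to administrators and application owners that says removing the PIM assignment does not by itself end access in applications that cache role state, and that the delay depends on the application's architecture, as the text already notes.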
@@ -230,13 +234,7 @@ If you don't require activation of a role that requires approval, you can cancel
230234

231235
## Deactivate a role assignment
232236

233-
When a role assignment is activated, you'll see a **Deactivate** option in the PIM portal for the role assignment. When you select **Deactivate**, there's a short time lag before the role is deactivated. Also, you can't deactivate a role assignment within five minutes after activation.
234-
235-
## Troubleshoot portal delay
236-
237-
### Permissions aren't granted after activating a role
238-
239-
When you activate a role in Privileged Identity Management, the activation might not instantly propagate to all portals that require the privileged role. Sometimes, even if the change is propagated, web caching in a portal may cause a delay before the change takes effect. If your activation is delayed, sign out of the portal you're trying to perform the action and then sign back in. In the Azure portal, PIM signs you out and back in automatically.
237+
When a role assignment is activated, you'll see a **Deactivate** option in the PIM portal for the role assignment. Also, you can't deactivate a role assignment within five minutes after activation.
240238

241239
## Next steps
242240
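Review bot: the deleted troubleshooting paragraph (old line 239) stated "In the Azure portal, PIM signs you out and back in automatically", and the replacement text earlier in this file only says that signing out and back in "may help" for "some applications". If the automatic behaviour still exists, keep that sentence, since it tells the reader no action is needed in the Azure portal. Separately, on new line 237 the sentence "Also, you can't deactivate ..." keeps its connective although the time-lag sentence it followed was removed; drop "Also,".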

articles/active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles.md

Lines changed: 7 additions & 11 deletions
@@ -10,7 +10,7 @@ ms.topic: how-to
1010
ms.tgt_pltfrm: na
1111
ms.workload: identity
1212
ms.subservice: pim
13-
ms.date: 3/1/2023
13+
ms.date: 3/15/2023
1414
ms.author: amsliu
1515
ms.reviewer: rianakarim
1616
ms.custom: pim
@@ -26,6 +26,11 @@ This article is for members who need to activate their Azure resource role in Pr
2626
>[!NOTE]
2727
>As of March 2023, you may now activate your assignments and view your access directly from blades outside of PIM in the Azure portal. Read more [here](pim-resource-roles-activate-your-roles.md#activate-with-azure-portal).
2828
29+
>[!IMPORTANT]
30+
>When a role is activated, Azure AD PIM temporarily adds active assignment for the role. Azure AD PIM creates active assignment (assigns user to a role) within seconds. When deactivation (manual or through activation time expiration) happens, Azure AD PIM removes the active assignment within seconds as well.
31+
>
32+
>Application may provide access based on the role the user has. In some situations, application access may not immediately reflect the fact that user got role assigned or removed. If application previously cached the fact that user does not have a role – when user tries to access application again, access may not be provided. Similarly, if application previously cached the fact that user has a role – when role is deactivated, user may still get access. Specific situation depends on the application’s architecture. For some applications, signing out and signing back in may help get access added or removed.
33+
2934
## Activate a role
3035

3136
When you need to take on an Azure resource role, you can request activation by using the **My roles** navigation option in Privileged Identity Management.
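Review bot: lines 29-32 are a word-for-word copy of the IMPORTANT block added to pim-how-to-activate-role.md in this same commit. Two copies will drift apart on the next edit; suggest keeping the text in one shared place that both articles pull in. The block also lands directly under the existing `>[!NOTE]` callout, so the article now opens with two callouts in a row; consider placing the caching caveat nearer to "## Deactivate a role assignment", where stale access matters most.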
@@ -215,7 +220,7 @@ If you do not require activation of a role that requires approval, you can cance
215220

216221
## Deactivate a role assignment
217222

218-
When a role assignment is activated, you'll see a **Deactivate** option in the PIM portal for the role assignment. When you select **Deactivate**, there's a short time lag before the role is deactivated. Also, you can't deactivate a role assignment within five minutes after activation.
223+
When a role assignment is activated, you'll see a **Deactivate** option in the PIM portal for the role assignment. Also, you can't deactivate a role assignment within five minutes after activation.
219224

220225
## Activate with Azure portal
221226
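Review bot: on new line 223, "Also, you can't deactivate a role assignment within five minutes after activation" keeps the connective "Also" although the sentence it continued ("there's a short time lag before the role is deactivated") has been removed. Suggest "You can't deactivate a role assignment within five minutes after activation."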

@@ -233,15 +238,6 @@ In Access control (IAM) for a resource, you can now select “View my access”
233238

234239
By integrating PIM capabilities into different Azure portal blades, this new feature allows you to gain temporary access to view or edit subscriptions and resources more easily.
235240

236-
## Troubleshoot
237-
238-
### Permissions are not granted after activating a role
239-
240-
When you activate a role in Privileged Identity Management, the activation may not instantly propagate to all portals that require the privileged role. Sometimes, even if the change is propagated, web caching in a portal may result in the change not taking effect immediately. If your activation is delayed, here is what you should do.
241-
242-
1. Sign out of the Azure portal and then sign back in.
243-
1. In Privileged Identity Management, verify that you are listed as the member of the role.
244-
245241
## Next steps
246242

247243
- [Extend or renew Azure resource roles in Privileged Identity Management](pim-resource-roles-renew-extend.md)
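Review bot: removing the "## Troubleshoot" and "### Permissions are not granted after activating a role" headings (old lines 236-238) also removes their anchors, so check for links from other articles to those anchors before merging. The deleted step 2, "verify that you are listed as the member of the role", is not carried into the new IMPORTANT block either; suggest keeping it somewhere in the article.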

articles/aks/concepts-vulnerability-management.md

Lines changed: 4 additions & 4 deletions
@@ -3,7 +3,7 @@ title: Vulnerability management for Azure Kubernetes Service
33
titleSuffix: Azure Kubernetes Service
44
description: Learn how Microsoft manages security vulnerabilities for Azure Kubernetes Service (AKS) clusters.
55
ms.topic: conceptual
6-
ms.date: 03/02/2023
6+
ms.date: 03/17/2023
77

88
---
99

@@ -27,9 +27,9 @@ Microsoft identifies and patches vulnerabilities and missing security updates fo
2727

2828
## AKS Container Images
2929

30-
While the [Cloud Native Computing Foundation][cloud-native-computing-foundation] (CNCF) owns and maintains most of the code running in AKS, the Azure Container Upstream team takes responsibility for building the open-source packages that we deploy on AKS. With that responsibility, it includes having complete ownership of the build, scan, sign, validate, and hotfix process and control over the binaries in container images. By us having responsibility for building the open-source packages deployed on AKS, it enables us to both establish a software supply chain over the binary, and patch the software as needed.
30+
While the [Cloud Native Computing Foundation][cloud-native-computing-foundation] (CNCF) owns and maintains most of the code running in AKS, Microsoft takes responsibility for building the open-source packages that we deploy on AKS. With that responsibility, it includes having complete ownership of the build, scan, sign, validate, and hotfix process and control over the binaries in container images. By us having responsibility for building the open-source packages deployed on AKS, it enables us to both establish a software supply chain over the binary, and patch the software as needed.  
3131

32-
Microsoft has invested in engineers (the Azure Container Upstream team) and infrastructure in the broader Kubernetes ecosystem to help build the future of cloud-native compute in the wider CNCF community. A notable example of this is the donation of engineering time to help manage Kubernetes releases. This work not only ensures the quality of every Kubernetes release for the world, but also enables AKS quickly get new Kubernetes releases out into production for several years. In some cases, ahead of other cloud providers by several months. Microsoft collaborates with other industry partners in the Kubernetes security organization. For example, the Security Response Committee (SRC) receives, prioritizes, and patches embargoed security vulnerabilities before they're announced to the public. This commitment ensures Kubernetes is secure for everyone, and enables AKS to patch and respond to vulnerabilities faster to keep our customers safe. In addition to Kubernetes, Microsoft has signed up to receive pre-release notifications for software vulnerabilities for products such as Envoy, container runtimes, and many other open-source projects.
32+
Microsoft is active in the broader Kubernetes ecosystem to help build the future of cloud-native compute in the wider CNCF community. This work not only ensures the quality of every Kubernetes release for the world, but also enables AKS quickly get new Kubernetes releases out into production for several years. In some cases, ahead of other cloud providers by several months. Microsoft collaborates with other industry partners in the Kubernetes security organization. For example, the Security Response Committee (SRC) receives, prioritizes, and patches embargoed security vulnerabilities before they're  announced to the public. This commitment ensures Kubernetes is secure for everyone, and enables AKS to patch and respond to vulnerabilities faster to keep our customers safe. In addition to Kubernetes, Microsoft has signed up to receive pre-release notifications for software vulnerabilities for products such as Envoy, container runtimes, and many other open-source projects.
3333

3434
Microsoft scans container images using static analysis to discover vulnerabilities and missing updates in Kubernetes and Microsoft-managed containers. If fixes are available, the scanner automatically begins the update and release process.
3535
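Review bot: on new line 32, "This work not only ensures the quality of every Kubernetes release" has lost its referent, because the sentence about donating engineering time to help manage Kubernetes releases, which "This work" pointed to, was removed. Suggest naming the work in the sentence or dropping the release-quality claim. The same line introduces a double space in "they're  announced", new line 30 now ends with two trailing spaces (a hard line break in Markdown), and the carried-over "enables AKS quickly get new Kubernetes releases" is still missing "to".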

@@ -133,4 +133,4 @@ See the overview about [Upgrading Azure Kubernetes Service clusters and node poo
133133
[mrc-create-report]: https://aka.ms/opensource/security/create-report
134134
[msrc-pgp-key-page]: https://aka.ms/opensource/security/pgpkey
135135
[microsoft-security-response-center]: https://aka.ms/opensource/security/msrc
136-
[azure-bounty-program-overview]: https://www.microsoft.com/msrc/bounty-microsoft-azure
136+
[azure-bounty-program-overview]: https://www.microsoft.com/msrc/bounty-microsoft-azure
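Review bot: the removed and added versions of line 136 are identical as displayed, so this looks like an end-of-file newline or trailing-whitespace change only; fine if intended. While here, the label `[mrc-create-report]` on context line 133 does not follow the `msrc-` prefix of `[msrc-pgp-key-page]` below it; check that it matches the reference used in the article body.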
