Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into availability-zones

Author: greg-lindsay

.openpublishing.redirection.azure-monitor.json

@@ -346,6 +346,11 @@
             "redirect_url": "/azure/azure-monitor/faq#vm-insights",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/proactive-cloud-services.md" ,
+            "redirect_url": "https://docs.microsoft.com/azure/azure-monitor/alerts/alerts-overview",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-monitor/vm/vminsights-log-search.md" ,
             "redirect_url": "/azure/azure-monitor/alerts/vminsights-log-query",
@@ -420,6 +425,11 @@
             "source_path_from_root": "/articles/azure-monitor/insights/network-insights-overview.md" ,
             "redirect_url": "/azure/network-watcher/network-insights-overview",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/insights/key-vault-insights-overview.md" ,
+            "redirect_url": "/azure/key-vault/key-vault-insights-overview",
+            "redirect_document_id": false
         }
     ]
 }

CODEOWNERS

@@ -25,17 +25,17 @@ articles/advisor @rboucher
 articles/service-health @rboucher
 
 # Azure Synapse Analytics
-/articles/synapse-analytics/ @julieMSFT @ryanmajidi @saveenr 
-/articles/synapse-analytics/backuprestore/ @joannapea @julieMSFT
+/articles/synapse-analytics/ @SnehaGunda @WilliamDAssafMSFT @ryanmajidi @saveenr 
+/articles/synapse-analytics/backuprestore/ @joannapea @WilliamDAssafMSFT 
 /articles/synapse-analytics/catalog-governance/@djpmsft @chanuengg 
-/articles/synapse-analytics/ccid/ @liudan66 @julieMSFT
+/articles/synapse-analytics/ccid/ @liudan66
 /articles/synapse-analytics/data-integration/ @kromerm @jonburchel 
 /articles/synapse-analytics/machine-learning/ @garyericson @NelGson @midesa 
-/articles/synapse-analytics/metadata/@MikeRys @julieMSFT @jocaplan
-/articles/synapse-analytics/security/ @RonyMSFT  @nanditavalsan @meenalsri @julieMSFT
+/articles/synapse-analytics/metadata/@MikeRys @jocaplan
+/articles/synapse-analytics/security/ @RonyMSFT @meenalsri 
 /articles/synapse-analytics/spark/ @euangms @mlee3gsd @midesa 
-/articles/synapse-analytics/sql/ @filippopovic @azaricstefan @anumjs @WilliamDAssafMSFT @jovanpop-msft
-/articles/synapse-analytics/sql-data-warehouse/ @anumjs @ronortloff @julieMSFT
+/articles/synapse-analytics/sql/ @filippopovic @azaricstefan @WilliamDAssafMSFT @jovanpop-msft
+/articles/synapse-analytics/sql-data-warehouse/ @SnehaGunda @WilliamDAssafMSFT
 /articles/synapse-analytics/synapse-link/ @Rodrigossz @SnehaGunda @jovanpop-msft
 
 # Cognitive Services

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

@@ -23,27 +23,31 @@ The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0]
 - Administrator role for installing the agent. This task is a one-time effort and should be an Azure account that's either a hybrid administrator or a global administrator. 
 - Administrator role for configuring the application in the cloud (application administrator, cloud application administrator, global administrator, or a custom role with permissions).
 
-## On-premises app provisioning to SCIM-enabled apps
-To provision users to SCIM-enabled apps:
-
- 1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM endpoint is hosted on.
- 1. Open the provisioning agent installer, agree to the terms of service, and select **Install**.
- 1. Open the provisioning agent wizard, and select **On-premises provisioning** when prompted for the extension you want to enable.
- 1. Provide credentials for an Azure AD administrator when you're prompted to authorize. Hybrid administrator or global administrator is required.
- 1. Select **Confirm** to confirm the installation was successful.
- 1. Navigate to the Azure Portal and add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
- 1. Select **On-Premises Connectivity**, and download the provisioning agent. 1. Go back to your application, and select **On-Premises Connectivity**.
- 1. Select the agent that you installed from the dropdown list, and select **Assign Agent(s)**.
- 1. Wait 20 minutes prior to completing the next step, to provide time for the agent assignment to complete.
- 1. Provide the URL for your SCIM endpoint in the **Tenant URL** box. An example is https://localhost:8585/scim. 
-     ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
- 1. Select **Test Connection**, and save the credentials. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues. 
- 1. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
- 1. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
- 1. Test provisioning a few users [on demand](provision-on-demand.md).
- 1. Add more users into scope by assigning them to your application.
- 1. Go to the **Provisioning** pane, and select **Start provisioning**.
- 1. Monitor using the [provisioning logs](../../active-directory/reports-monitoring/concept-provisioning-logs.md).
+## Deploying Azure AD provisioning agent
+The Azure AD Provisioning agent can be deployed on the same server hosting a SCIM enabled application, or a seperate server, providing it has line of sight to the application's SCIM endpoint. A single agent also supports provision to multiple applications hosted locally on the same server or seperate hosts, again as long as each SCIM endpoint is reachable by the agent.  
+
+ 1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM application endpoint is hosted on.
+ 2. Run the provisioning agent installer, agree to the terms of service, and select **Install**.
+ 3. Once installed, locate  and launch the **AAD Connect Provisioning Agent wizard**, and when prompted for an extensions select **On-premises provisioning**
+ 4. For the agent to register itself with your tenant, provide credentials for an Azure AD admin with Hybrid administrator or global administrator permissions.
+ 5. Select **Confirm** to confirm the installation was successful.
+ 
+## Provisioning to SCIM-enabled application
+Once the agent is installed, no further configuration is necesary on-prem, and all provisioning configurations are then managed from the portal. Repeat the below steps for every on-premises application being provisioned via SCIM.
+ 
+ 1. In the Azure portal navigate to the Enterprise applications and add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
+ 2. From the left hand menu navigate to the **Provisioning** option and select **Get started**.
+ 3. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option.
+ 4.  Select the agent that you installed from the dropdown list and select **Assign Agent(s)**.
+ 5.  Now either wait 10 minutes or restart the **Microsoft Azure AD Connect Provisioning Agent** before proceeding to the next step & testing the connection.
+ 6.  In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolveable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
+ 7.  Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test will fail. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues. 
+ 8.  Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
+ 9.  Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
+ 10.  Test provisioning a few users [on demand](provision-on-demand.md).
+ 11.  Add more users into scope by assigning them to your application.
+ 12.  Go to the **Provisioning** pane, and select **Start provisioning**.
+ 13.  Monitor using the [provisioning logs](../../active-directory/reports-monitoring/concept-provisioning-logs.md).
 
 ## Additional requirements
 * Ensure your [SCIM](https://techcommunity.microsoft.com/t5/identity-standards-blog/provisioning-with-scim-getting-started/ba-p/880010) implementation meets the [Azure AD SCIM requirements](use-scim-to-provision-users-and-groups.md).

articles/active-directory/conditional-access/TOC.yml

@@ -39,14 +39,16 @@
     href: service-dependencies.md
   - name: Location conditions
     href: location-condition.md
+  - name: Continuous access evaluation
+    href: concept-continuous-access-evaluation.md
   - name: Workload identities
     href: workload-identity.md
+  - name: CAE for workload identities
+    href: concept-continuous-access-evaluation-workload.md
   - name: Filter for devices
     href: concept-condition-filters-for-devices.md
   - name: What if tool
     href: what-if-tool.md
-  - name: Continuous access evaluation
-    href: concept-continuous-access-evaluation.md
 - name: How-to guides
   expanded: true
   items:

articles/active-directory/conditional-access/concept-continuous-access-evaluation-workload.md

@@ -0,0 +1,63 @@
+---
+title: Continuous access evaluation for workload identities in Azure AD
+description: Respond to changes to applications with continuous access evaluation for workload identities in Azure AD
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: conditional-access
+ms.topic: conceptual
+ms.date: 07/22/2022
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: karenhoran
+ms.reviewer: vmahtani
+
+ms.collection: M365-identity-device-management
+---
+# Continuous access evaluation for workload identities (preview)
+
+Continuous access evaluation (CAE) for [workload identities](../develop/workload-identities-overview.md) provides security benefits to your organization. It enables real-time enforcement of Conditional Access location and risk policies along with instant enforcement of token revocation events for workload identities. 
+
+Continuous access evaluation doesn't currently support managed identities.
+
+## Scope of preview
+
+The continuous access evaluation for workload identities public preview scope includes support for Microsoft Graph as a resource provider.
+
+The preview targets service principals for line of business (LOB) applications.
+
+We support the following revocation events:
+
+- Service principal disable
+- Service principal delete
+- High service principal risk as detected by Azure AD Identity Protection
+
+Continuous access evaluation for workload identities supports [Conditional Access policies that target location and risk](workload-identity.md#implementation).
+
+## Enable your application
+
+Developers can opt in to Continuous access evaluation for workload identities when their API requests `xms_cc` as an optional claim. The `xms_cc` claim with a value of `cp1` in the access token is the authoritative way to identify a client application is capable of handling a claims challenge. For more information about how to make this work in your application, see the article, [Claims challenges, claims requests, and client capabilities](../develop/claims-challenge.md).
+
+### Disable 
+
+In order to opt out, don't send the `xms_cc` claim with a value of `cp1`. 
+
+Organizations who have Azure AD Premium can create a [Conditional Access policy to disable continuous access evaluation](concept-conditional-access-session.md#customize-continuous-access-evaluation) applied to specific workload identities as an immediate stop-gap measure.
+
+## Troubleshooting
+
+When a client’s access to a resource is blocked due to CAE being triggered, the client’s session will be revoked, and the client will need to reauthenticate. This behavior can be verified in the sign-in logs. 
+
+The following steps detail how an admin can verify sign in activity in the sign-in logs: 
+
+1.	Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
+1.	Browse to **Azure Active Directory** > **Sign-in logs** > **Service Principal Sign-ins**. You can use filters to ease the debugging process. 
+1.	Select an entry to see activity details. The **Continuous access evaluation** field indicates whether a CAE token was issued in a particular sign-in attempt. 
+
+## Next steps
+
+- [Register an application with Azure AD and create a service principal](../develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal)
+- [How to use Continuous Access Evaluation enabled APIs in your applications](../develop/app-resilience-continuous-access-evaluation.md)
+- [Sample application using continuous access evaluation](https://github.com/Azure-Samples/ms-identity-dotnetcore-daemon-graph-cae)
+- [What is continuous access evaluation?](../conditional-access/concept-continuous-access-evaluation.md)

articles/active-directory/develop/access-tokens.md

@@ -269,7 +269,9 @@ Don't use mutable, human-readable identifiers like `email` or `upn` for uniquely
 
 #### Validate application sign-in
 
-Use the `scp` claim to validate that the user has granted the calling application permission to call the API. Ensure the calling client is allowed to call the API using the `appid` claim.
+* Use the `scp` claim to validate that the user has granted the calling app permission to call your API.
+* Ensure the calling client is allowed to call your API using the `appid` claim (for v1.0 tokens) or the `azp` claim (for v2.0 tokens).
+    * You only need to validate these claims (`appid`, `azp`) if you want to restrict your web API to be called only by pre-determined applications (e.g., line-of-business applications or web APIs called by well-known frontends). APIs intended to allow access from any calling application do not need to validate these claims.
 
 ## User and application tokens
 

articles/active-directory/develop/id-tokens.md

@@ -84,7 +84,7 @@ The table below shows the claims that are in most ID tokens by default (except w
 |`roles`| Array of strings | The set of roles that were assigned to the user who is logging in. |
 |`rh` | Opaque String |An internal claim used by Azure to revalidate tokens. Should be ignored. |
 |`sub` | String | The principal about which the token asserts information, such as the user of an app. This value is immutable and cannot be reassigned or reused. The subject is a pairwise identifier - it is unique to a particular application ID. If a single user signs into two different apps using two different client IDs, those apps will receive two different values for the subject claim. This may or may not be wanted depending on your architecture and privacy requirements. |
-|`tid` | String, a GUID | Represents the tenant that the user is signing in to. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user is signing in to. For sign-ins to the personal Microsoft account tenant (services like Xbox, Teams for Life, or Outlook), the value is `9188040d-6c67-4c5b-b112-36a304b66dad`. To receive this claim, your app must request the `profile` scope. |
+|`tid` | String, a GUID | Represents the tenant that the user is signing in to. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user is signing in to. For sign-ins to the personal Microsoft account tenant (services like Xbox, Teams for Life, or Outlook), the value is `9188040d-6c67-4c5b-b112-36a304b66dad`.|
 | `unique_name` | String | Only present in v1.0 tokens. Provides a human readable value that identifies the subject of the token. This value is not guaranteed to be unique within a tenant and should be used only for display purposes. |
 | `uti` | String | Token identifier claim, equivalent to `jti` in the JWT specification. Unique, per-token identifier that is case-sensitive.|
 |`ver` | String, either 1.0 or 2.0 | Indicates the version of the id_token. |

articles/active-directory/develop/index-web-app.yml

@@ -39,7 +39,7 @@ landingContent:
           - text: ASP.NET
             url: tutorial-v2-asp-webapp.md
           - text: Blazor Server
-            url: tutorial-blazor-webassembly.md
+            url: tutorial-blazor-server.md
           - text: Node.js with Express
             url: tutorial-v2-nodejs-webapp-msal.md
   - title: "Web apps in depth"

articles/active-directory/devices/howto-vm-sign-in-azure-ad-linux.md

@@ -191,7 +191,7 @@ There are two ways to configure role assignments for a VM:
 - Azure Cloud Shell experience
 
 > [!NOTE]
-> The Virtual Machine Administrator Login and Virtual Machine User Login roles use `dataActions` and can be assigned at the management group, subscription, resource group, or resource scope. We recommend that you assign the roles at the management group, subscription, or resource level and not at the individual VM level. This practice avoids the risk of reaching the [Azure role assignments limit](../../role-based-access-control/troubleshooting.md#azure-role-assignments-limit) per subscription.
+> The Virtual Machine Administrator Login and Virtual Machine User Login roles use `dataActions` and can be assigned at the management group, subscription, resource group, or resource scope. We recommend that you assign the roles at the management group, subscription, or resource level and not at the individual VM level. This practice avoids the risk of reaching the [Azure role assignments limit](../../role-based-access-control/troubleshooting.md#limits) per subscription.
 
 ### Azure AD portal
 
@@ -443,7 +443,7 @@ If you get a message that says the token couldn't be retrieved from the local ca
 
 ### Access denied: Azure role not assigned
 
-If you see an "Azure role not assigned" error on your SSH prompt, verify that you've configured Azure RBAC policies for the VM that grants the user either the Virtual Machine Administrator Login role or the Virtual Machine User Login role. If you're having problems with Azure role assignments, see the article [Troubleshoot Azure RBAC](../../role-based-access-control/troubleshooting.md#azure-role-assignments-limit).
+If you see an "Azure role not assigned" error on your SSH prompt, verify that you've configured Azure RBAC policies for the VM that grants the user either the Virtual Machine Administrator Login role or the Virtual Machine User Login role. If you're having problems with Azure role assignments, see the article [Troubleshoot Azure RBAC](../../role-based-access-control/troubleshooting.md#limits).
 
 ### Problems deleting the old (AADLoginForLinux) extension
 

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

@@ -364,7 +364,7 @@ You might get the following error message when you initiate a remote desktop con
 Verify that you've [configured Azure RBAC policies](../../virtual-machines/linux/login-using-aad.md) for the VM that grant the user the Virtual Machine Administrator Login or Virtual Machine User Login role.
 
 > [!NOTE]
-> If you're having problems with Azure role assignments, see [Troubleshoot Azure RBAC](../../role-based-access-control/troubleshooting.md#azure-role-assignments-limit).
+> If you're having problems with Azure role assignments, see [Troubleshoot Azure RBAC](../../role-based-access-control/troubleshooting.md#limits).
  
 ### Unauthorized client or password change required