Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into importOverview

Author: roygara

.openpublishing.redirection.json

@@ -9093,6 +9093,11 @@
             "redirect_url": "/azure/vpn-gateway/point-to-site-vpn-client-cert-windows",
             "redirect_document_id": false
         },
+        {
+         "source_path_from_root": "/articles/vpn-gateway/vpn-gateway-forced-tunneling-rm.md",
+         "redirect_url": "/azure/vpn-gateway/about-site-to-site-tunneling",
+         "redirect_document_id": false
+     },
         {
             "source_path_from_root": "/articles/azure-vmware/public-ip-usage.md",
             "redirect_url": "/azure/azure-vmware/enable-public-ip-nsx-edge",

articles/active-directory/develop/access-tokens.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 05/26/2023
+ms.date: 8/1/2023
 ms.author: davidmu
 ms.custom: aaddev, curation-claims
 ---
@@ -161,11 +161,15 @@ Azure AD also supports multi-tenant applications. These applications support:
 - Accounts in any organizational directory (any Azure AD directory): `https://login.microsoftonline.com/organizations`
 - Accounts in any organizational directory (any Azure AD directory) and personal Microsoft accounts (e.g. Skype, XBox): `https://login.microsoftonline.com/common`
 
-For these applications Azure AD exposes tenant-independent versions of the OIDC document at [https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration](https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) and [https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration](https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration) respectively. These endpoints return an issuer value, which is a template parametrized by the `tenantid`: `https://login.microsoftonline.com/{tenantid}/v2.0`. Applications may use these tenant-independent endpoints to validate tokens from every tenant with the following modifications: instead of expecting the issuer claim in the token to exactly match the issuer value from metadata, the application should replace the `{tenantid}` value in the issuer metadata with the tenant ID that is the target of the current request, and then check the exact match (`tid` claim of the token).
+For these applications Azure AD exposes tenant-independent versions of the OIDC document at [https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration](https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) and [https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration](https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration) respectively. These endpoints return an issuer value, which is a template parametrized by the `tenantid`: `https://login.microsoftonline.com/{tenantid}/v2.0`. Applications may use these tenant-independent endpoints to validate tokens from every tenant with the following stipulations:
+ - Validate the signing key issuer (below)
+ - Instead of expecting the issuer claim in the token to exactly match the issuer value from metadata, the application should replace the `{tenantid}` value in the issuer metadata with the tenant ID that is the target of the current request, and then check the exact match (`tid` claim of the token).
+ - Validate the `tid` claim is a GUID and the `iss` claim is of the form `https://login.microsoftonline.com/{tid}/v2.0` where `{tid}` is the exact `tid` claim. This ties the tenant back to the issuer and back to the scope of the signing key creating a chain of trust.
+ - Use `tid` claim when they locate data associated with the subject of the claim. In other words, the `tid` claim must be part of the key used to access the user's data.
 
 ### Validate the signing key issuer
 
-In addition to the issuer of the token, applications using the v2.0 tenant-independant metadata need to validate the signing key issuer.
+Applications using the v2.0 tenant-independant metadata need to validate the signing key issuer.
 
 #### Keys document and signing key issuer
 
@@ -194,15 +198,13 @@ tenant-independent "common" key endpoint [https://login.microsoftonline.com/comm
 
 The application should use the `issuer` property of the keys document, associated with the key used to sign the token, in order to restrict the scope of keys:
 - Keys that have an issuer value with a GUID like `https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0` should only be used when the `iss` claim in the token matches the value exactly.
-- Keys that have a templated issuer value like `https://login.microsoftonline.com/{tenantid}/v2.0` need to ensure that:
-  - the `tid` claim is a GUID and the `iss` claim is of the form `https://login.microsoftonline.com/{tid}/v2.0` where `{tid}` is the exact `tid` claim. This ties the tenant back to the issuer. back to the scope of the signing key creating a chain of trust.
-  - Multi-tenant applications must use `tid` claim when they locate data associated with the subject of the claim. In other words, the `tid` claim must be part of the key used to access the user's data.
+- Keys that have a templated issuer value like `https://login.microsoftonline.com/{tenantid}/v2.0` should only be used when the `iss` claim in the token matches this value after substituting the `tid` claim in the token for the `{tenantid}` placeholder.
 
 Using tenant-independent metadata is more efficient for applications that accept tokens from many tenants.
+
 > [!NOTE]
 > With Azure AD tenant-independent metadata, claims should be interpreted within the tenant, just as under standard OpenID Connect, claims are interpreted within the issuer. That is, `{"sub":"ABC123","iss":"https://login.microsoftonline.com/{example-tenant-id}/v2.0","tid":"{example-tenant-id}"}` and `{"sub":"ABC123","iss":"https://login.microsoftonline.com/{another-tenand-id}/v2.0","tid":"{another-tenant-id}"}` describe different users, even though the `sub` is the same, because claims like `sub` are interpreted within the context of the issuer/tenant.
 
-
 #### Recap
 
 Here is some pseudo code that recapitulates how to validate issuer and signing key issuer:
@@ -266,4 +268,3 @@ A *non-password-based* login is one where the user didn't type in a password to
 ## Next steps
 
 - Learn more about the [security tokens used in Azure AD](security-tokens.md).
-

articles/ai-services/document-intelligence/concept-document-intelligence-studio.md

@@ -23,9 +23,59 @@ The following image shows the landing page for Document Intelligence Studio.
 
 :::image border="true" type="content" source="media/studio/welcome-to-studio.png" alt-text="Document Intelligence Studio Homepage":::
 
-## Document Intelligence Studio features
+## July 2023 (GA) features and updates
 
-The following Document Intelligence service features are available in the Studio.
+✔️ **Analyze Options**</br>
+
+* Document Intelligence now supports more sophisticated analysis capabilities and the Studio allows one entry point (Analyze options button) for configuring the add-on capabilities with ease.
+* Depending on the document extraction scenario, configure the analysis range, document page range, optional detection, and premium detection features.
+
+    :::image type="content" source="media/studio/analyze-options.gif" alt-text="Animated screenshot showing use of the analyze options button to configure options in Studio.":::
+
+    > [!NOTE]
+    > Font extraction is not visualized in Document Intelligence Studio. However, you can check the styles seciton of the JSON output for the font detection results.
+
+✔️ **Auto labeling documents with prebuilt models or one of your own models**
+
+* In custom extraction model labeling page, you can now auto label your documents using one of Document Intelligent Service prebuilt models or models you have trained before.
+
+    :::image type="content" source="media/studio/auto-label.gif" alt-text="Animated screenshot showing auto labeling in Studio.":::
+
+* For some documents, there may be duplicate labels after running auto label. Make sure to modify the labels so that there are no duplicate labels in the labeling page afterwards.
+
+    :::image type="content" source="media/studio/duplicate-labels.png" alt-text="Screenshot showing duplicate label warning after auto labeling.":::
+
+✔️ **Auto labeling tables**
+
+* In custom extraction model labeling page, you can now auto label the tables in the document without having to label the tables manually.
+
+    :::image type="content" source="media/studio/auto-table-label.gif" alt-text="Animated screenshot showing auto table labeling in Studio.":::
+
+✔️ **Add test files directly to your training dataset**
+
+* Once you have trained a custom extraction model, make use of the test page to improve your model quality by uploading test documents to training dataset if needed.
+
+* If a low confidence score is returned for some labels, make sure they're correctly labeled. If not, add them to the training dataset and relabel to improve the model quality.
+
+:::image type="content" source="media/studio/add-from-test.gif" alt-text="Animated screenshot showing how to add test files to training dataset.":::
+
+✔️ **Make use of the document list options and filters in custom projects**
+
+* In custom extraction model labeling page, you can now navigate through your training documents with ease by making use of the search, filter and sort by feature.
+
+* Utilize the grid view to preview documents or use the list view to scroll through the documents more easily.
+
+    :::image type="content" source="media/studio/document-options.png" alt-text="Screenshot of document list view options and filters.":::
+
+✔️ **Project sharing**
+
+* Share custom extraction projects with ease. For more information, see [Project sharing with custom models](how-to-guides/project-share-custom-models.md).
+
+✔️ **Query fields**
+
+* With Document Intelligence [General documents](concept-general-document.md) model, utilize the query fields feature to add fields to the extraction process without the need for added training. For more information, see [Document Intelligence query field extraction](concept-query-fields.md).
+
+## Document Intelligence model support
 
 * **Read**: Try out Document Intelligence's Read feature to extract text lines, words, detected languages, and handwritten style if detected. Start with the [Studio Read feature](https://formrecognizer.appliedai.azure.com/studio/read). Explore with sample documents and your documents. Use the interactive visualization and JSON output to understand how the feature works. See the [Read overview](concept-read.md) to learn more and get started with the [Python SDK quickstart for Layout](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true).
 
@@ -41,12 +91,8 @@ The following Document Intelligence service features are available in the Studio
 
 * **Add-on Capabilities**: Document Intelligence now supports more sophisticated analysis capabilities. These optional capabilities can be enabled and disabled in the studio using the `Analze Options` button in each model page. There are four add-on capabilities available: highResolution, formula, font, and barcode extraction capabilities. See [Add-on capabilities](concept-add-on-capabilities.md) to learn more.
 
-
 ## Next steps
 
-* Follow our [**Document Intelligence v3.0 migration guide**](v3-migration-guide.md) to learn the differences from the previous version of the REST API.
-* Explore our [**v3.0 SDK quickstarts**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true) to try the v3.0 features in your applications using the new SDKs.
-* Refer to our [**v3.0 REST API quickstarts**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true) to try the v3.0features using the new REST API.
+* Visit the [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio) to begin using the models and features.
 
-> [!div class="nextstepaction"]
-> [Document Intelligence Studio  quickstart](quickstarts/try-document-intelligence-studio.md)
+* Get started with our [Document Intelligence Studio quickstart](quickstarts/try-document-intelligence-studio.md).

articles/ai-services/document-intelligence/containers/disconnected.md

@@ -119,7 +119,7 @@ The following example shows the formatting for the `docker run` command to use w
 
 ```docker
 
-docker run --rm -it -p 5000:5000 \
+docker run --rm -it -p 5000:5050 \
 
 -v {LICENSE_MOUNT} \
 
@@ -166,7 +166,7 @@ Placeholder | Value | Format or example |
   **Example `docker run` command**
 
 ```docker
-docker run --rm -it -p 5000:5000 --memory {MEMORY_SIZE} --cpus {NUMBER_CPUS} \
+docker run --rm -it -p 5000:5050 --memory {MEMORY_SIZE} --cpus {NUMBER_CPUS} \
 
 -v {LICENSE_MOUNT} \
 
@@ -194,7 +194,7 @@ services:
   volumes:
     - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf
   ports:
-    - "5000:5000"
+    - "5000:5050"
  layout:
   container_name: azure-cognitive-service-layout
   image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/layout-3.0:latest

articles/ai-services/document-intelligence/containers/install-run.md

@@ -222,7 +222,7 @@ services:
       - billing={FORM_RECOGNIZER_ENDPOINT_URI}
       - apiKey={FORM_RECOGNIZER_KEY}
     ports:
-      - "5000:5000"
+      - "5000:5050"
     networks:
       - ocrvnet
 networks:
@@ -252,7 +252,7 @@ services:
         - apiKey={FORM_RECOGNIZER_KEY}
         - AzureCognitiveServiceLayoutHost=http://azure-cognitive-service-layout:5000
     ports:
-      - "5000:5000"
+      - "5000:5050"
   azure-cognitive-service-layout:
      container_name: azure-cognitive-service-layout
      image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/layout-3.0
@@ -285,7 +285,7 @@ services:
       - billing={FORM_RECOGNIZER_ENDPOINT_URI}
       - apiKey={FORM_RECOGNIZER_KEY}
     ports:
-      - "5000:5000"
+      - "5000:5050"
     networks:
       - ocrvnet
 networks:
@@ -315,7 +315,7 @@ services:
         - apiKey={FORM_RECOGNIZER_KEY}
         - AzureCognitiveServiceLayoutHost=http://azure-cognitive-service-layout:5000
     ports:
-      - "5000:5000"
+      - "5000:5050"
   azure-cognitive-service-layout:
     container_name: azure-cognitive-service-layout
     image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/layout-3.0
@@ -347,7 +347,7 @@ services:
         - apiKey={FORM_RECOGNIZER_KEY}
         - AzureCognitiveServiceReadHost=http://azure-cognitive-service-read:5000
     ports:
-          - "5000:5000"
+          - "5000:5050"
     azure-cognitive-service-read:
       container_name: azure-cognitive-service-read
       image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/read-3.0
@@ -379,7 +379,7 @@ services:
           - apiKey={FORM_RECOGNIZER_KEY}
           - AzureCognitiveServiceReadHost=http://azure-cognitive-service-read:5000
       ports:
-          - "5000:5000"
+          - "5000:5050"
   azure-cognitive-service-read:
       container_name: azure-cognitive-service-read
       image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/read-3.0
@@ -409,7 +409,7 @@ services:
         - apiKey={FORM_RECOGNIZER_KEY}
         - AzureCognitiveServiceLayoutHost=http://azure-cognitive-service-layout:5000
     ports:
-      - "5000:5000"
+      - "5000:5050"
   azure-cognitive-service-layout:
     container_name: azure-cognitive-service-layout
     image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/layout-3.0
@@ -581,7 +581,7 @@ services:
   volumes:
     - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf
   ports:
-    - "5000:5000"
+    - "5000:5050"
  layout:
   container_name: azure-cognitive-service-layout
   image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/layout-3.0:latest
@@ -782,7 +782,7 @@ services:
       - apiKey={FORM_RECOGNIZER_KEY}
       - AzureCognitiveServiceLayoutHost=http://azure-cognitive-service-layout:5000
     ports:
-      - "5000:5000"
+      - "5000:5050"
     networks:
       - ocrvnet
   azure-cognitive-service-layout:
@@ -822,7 +822,7 @@ services:
       - apiKey={FORM_RECOGNIZER_KEY}
       - AzureCognitiveServiceReadHost=http://azure-cognitive-service-read:5000
     ports:
-      - "5000:5000"
+      - "5000:5050"
     networks:
       - ocrvnet
   azure-cognitive-service-read:
@@ -862,7 +862,7 @@ services:
       - apiKey={FORM_RECOGNIZER_KEY}
       - AzureCognitiveServiceReadHost=http://azure-cognitive-service-read:5000
     ports:
-      - "5000:5000"
+      - "5000:5050"
     networks:
       - ocrvnet
   azure-cognitive-service-read:
@@ -902,7 +902,7 @@ services:
       - apiKey={FORM_RECOGNIZER_KEY}
       - AzureCognitiveServiceReadHost=http://azure-cognitive-service-read:5000
     ports:
-      - "5000:5000"
+      - "5000:5050"
     networks:
       - ocrvnet
   azure-cognitive-service-read:
@@ -1059,7 +1059,7 @@ services:
   volumes:
     - ${NGINX_CONF_FILE}:/etc/nginx/nginx.conf
   ports:
-    - "5000:5000"
+    - "5000:5050"
  rabbitmq:
   container_name: ${RABBITMQ_HOSTNAME}
   image: rabbitmq:3