Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into 2023397-c

Author: ktoliver

.openpublishing.redirection.active-directory.json

@@ -4416,6 +4416,11 @@
       "redirect_url": "/azure/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/reference-reports-latencies.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/reference-azure-ad-sla-performance",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/customize-branding.md",
       "redirect_url": "/azure/active-directory/fundamentals/customize-branding",

.openpublishing.redirection.azure-monitor.json

@@ -5701,6 +5701,11 @@
             "source_path_from_root": "/articles/azure-monitor/autoscale/autoscale-resource-log-schema.md",
             "redirect_url": "/azure/azure-monitor/autoscale/autoscale-diagnostics",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/alerts/proactive-performance-diagnostics.md",
+            "redirect_url": "https://azure.microsoft.com/updates/public-preview-alerts-based-smart-detection-for-application-insights/",
+            "redirect_document_id": false
         }
     ]
 }

.openpublishing.redirection.json

@@ -13444,16 +13444,6 @@
             "redirect_url": "/azure/logic-apps/logic-apps-exception-handling",
             "redirect_document_id": false
         },
-        {
-            "source_path_from_root": "/articles/machine-learning/tutorial-power-bi-automated-model.md",
-            "redirect_url": "/azure/machine-learning/tutorial-power-bi-custom-model",
-            "redirect_document_id": false
-        },
-        {
-            "source_path_from_root": "/articles/machine-learning/tutorial-power-bi-designer-model.md",
-            "redirect_url": "/azure/machine-learning/tutorial-power-bi-custom-model",
-            "redirect_document_id": false
-        },
         {
             "source_path_from_root": "/articles/event-grid/cli-samples.md",
             "redirect_url": "/azure/event-grid/scripts/event-grid-cli-subscribe-custom-topic",
@@ -22671,6 +22661,11 @@
             "redirect_URL": "/azure/route-server/tutorial-protect-route-server-ddos",
             "redirect_document_id": false
         },
+        {
+            "source_path": "articles/external-attack-surface-management/data-connections-overview.md",
+            "redirect_URL": "/azure/external-attack-surface-management/index",
+            "redirect_document_id": true
+        },
         {
             "source_path": "articles/virtual-network/nat-gateway/tutorial-protect-nat-gateway.md",
             "redirect_URL": "/azure/virtual-network/nat-gateway/tutorial-protect-nat-gateway-ddos",

articles/active-directory/authentication/certificate-based-authentication-faq.yml

@@ -120,9 +120,15 @@ sections:
           The browser caches the certificate after the certificate picker appears. If the user retries, the cached certificate is used automatically. The user should close the browser, and reopen a new session to try CBA again.          
 
       - question: |
-          Why can't single-factor certificates be used to complete MFA?
+          Why does not proof up for registering other auth methods come up when I use single factor certificates?
         answer: |
-          There's no support for a second factor when the first factor is a single-factor certificate. We're working to add support for second factors.
+          A user will be considered MFA capable when a user is in scope for Certificate-based authentication auth method. This means user will not be able to use proof up as part of their authentication to registerd other available methods and should have MFA via another method to register other available auth methods.
+          
+      - question: |
+          How can I use single-factor certificates to complete MFA?
+        answer: |
+          We have support for single factor CBA to get MFA. CBA SF + PSI (passwordless phone sign in) and CBA SF + FIDO2 are the two supported combinations to get MFA using single factor certificates.
+          [MFA with single factor certificates](../authentication/concept-certificate-based-authentication-technical-deep-dive.md#mfa-authentication-flow-using-single-factor-certificates-and-passwordless-sign-in) 
           
       - question: |
           Will the changes to the Authentication methods policy take effect immediately?

articles/active-directory/authentication/concept-authentication-phone-options.md

@@ -30,7 +30,7 @@ To work properly, phone numbers must be in the format *+CountryCode PhoneNumber*
 > [!NOTE]
 > There needs to be a space between the country/region code and the phone number.
 >
-> Password reset doesn't support phone extensions. Even in the *+1 4251234567X12345* format, extensions are removed before the call is placed.
+> Password reset and Azure AD Multi-Factor Authentication don't support phone extensions. Even in the *+1 4251234567X12345* format, extensions are removed before the call is placed.
 
 ## Mobile phone verification
 

articles/active-directory/authentication/concept-certificate-based-authentication-migration.md

@@ -39,6 +39,9 @@ To configure Staged Rollout, follow these steps:
 
 For more information, see [Staged Rollout](../hybrid/how-to-connect-staged-rollout.md).
 
+>[!NOTE]
+> When Staged rollout is enabled for a user, the user is considered a managed user and all authentication will happen at Azure AD. For a federated Tenant, if CBA is enabled on Staged Rollout, password authentication only works if PHS is enabled too otherwise password authentication will fail.
+
 ## Use Azure AD connect to update certificateUserIds attribute
 
 An AD FS admin can use **Synchronization Rules Editor** to create rules to sync the values of attributes from AD FS to Azure AD user objects. For more information, see [Sync rules for certificateUserIds](concept-certificate-based-authentication-certificateuserids.md#update-certificate-user-ids-using-azure-ad-connect).

articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md

@@ -72,9 +72,12 @@ Now we'll walk through each step:
 1. Azure AD completes the sign-in process by sending a primary refresh token back to indicate successful sign-in.
 1. If the user sign-in is successful, the user can access the application.
 
-## Single-factor certificate-based authentication
+## MFA with Single-factor certificate-based authentication
 
-Azure AD CBA supports second factors to meet MFA requirements with single-factor certificates. Users can use either passwordless sign-in or FIDO2 security keys as second factors when the first factor is single-factor CBA. Users need to register passwordless sign-in or FIDO2 in advance to signing in with Azure AD CBA.
+Azure AD CBA supports second factors to meet MFA requirements with single-factor certificates. Users can use either passwordless sign-in or FIDO2 security keys as second factors when the first factor is single-factor CBA. Users need to have another way to get MFA and register passwordless sign-in or FIDO2 in advance to signing in with Azure AD CBA.
+
+>[!IMPORTANT]
+>A user will be considered MFA capable when a user is in scope for Certificate-based authentication auth method. This means user will not be able to use proof up as part of their authentication to registerd other available methods. More info on [Azure AD MFA](../authentication/concept-mfa-howitworks.md)
 
 **Steps to set up passwordless phone signin(PSI) with CBA**
 

articles/active-directory/cloud-infrastructure-entitlement-management/how-to-add-remove-user-to-group.md

@@ -21,7 +21,7 @@ This article describes how you can add or remove a new user for a group in Permi
 
 ## Add a user
 
-1. Navigate to the [Microsoft Entra admin center](https://entr.microsoft.com/#home). 
+1. Navigate to the [Microsoft Entra admin center](https://entra.microsoft.com/#home). 
 1. From the Azure Active Directory tile, select **Go to Azure Active Directory**. 
 1. From the navigation pane, select the **Groups** drop-down menu, then **All groups**.
 1. Select the group name for the group you want to add the user to.
@@ -37,7 +37,7 @@ This article describes how you can add or remove a new user for a group in Permi
 
 ## Remove a user
 
-1. Navigate to the Microsoft [Entra admin center](https://entr.microsoft.com/#home). 
+1. Navigate to the Microsoft [Entra admin center](https://entra.microsoft.com/#home). 
 1. From the Azure Active Directory tile, select **Go to Azure Active Directory**. 
 1. From the navigation pane, select the **Groups** drop-down menu, then **All groups**.
 1. Select the group name for the group you want to remove the user from.

articles/active-directory/cloud-sync/how-to-prerequisites.md

@@ -26,7 +26,7 @@ You need the following to use Azure AD Connect cloud sync:
 - On-premises firewall configurations.
 
 ## Group Managed Service Accounts
-A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management,the ability to delegate the management to other administrators, and also extends this functionality over multiple servers.  Azure AD Connect Cloud Sync supports and uses a gMSA for running the agent.  You will be prompted for administrative credentials during setup, in order to create this account.  The account will appear as (domain\provAgentgMSA$).  For more information on a gMSA, see [Group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) 
+A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, the ability to delegate the management to other administrators, and also extends this functionality over multiple servers.  Azure AD Connect Cloud Sync supports and uses a gMSA for running the agent.  You will be prompted for administrative credentials during setup, in order to create this account.  The account will appear as (domain\provAgentgMSA$).  For more information on a gMSA, see [group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) 
 
 ### Prerequisites for gMSA:
 1.	The Active Directory schema in the gMSA domain's forest needs to be updated to Windows Server 2012 or later.
@@ -48,46 +48,9 @@ If you are creating a custom gMSA account, you need to ensure that the account h
 |Allow |gMSA Account |Read all properties |Descendant Contact objects| 
 |Allow |gMSA Account |Create/delete User objects|This object and all descendant objects| 
 
-For steps on how to upgrade an existing agent to use a gMSA account see [Group Managed Service Accounts](how-to-install.md#group-managed-service-accounts).
-
-#### Create gMSA account with PowerShell
-You can use the following PowerShell script to create a custom gMSA account.  Then you can use the [cloud sync gMSA cmdlets](how-to-gmsa-cmdlets.md) to apply more granular permissions.
-
-```powershell
-# Filename:    1_SetupgMSA.ps1
-# Description: Creates and installs a custom gMSA account for use with Azure AD Connect cloud sync.
-#
-# DISCLAIMER:
-# Copyright (c) Microsoft Corporation. All rights reserved. This 
-# script is made available to you without any express, implied or 
-# statutory warranty, not even the implied warranty of 
-# merchantability or fitness for a particular purpose, or the 
-# warranty of title or non-infringement. The entire risk of the 
-# use or the results from the use of this script remains with you.
-#
-#
-#
-#
-# Declare variables
-$Name = 'provAPP1gMSA'
-$Description = "Azure AD Cloud Sync service account for APP1 server"
-$Server = "APP1.contoso.com"
-$Principal = Get-ADGroup 'Domain Computers'
-
-# Create service account in Active Directory
-New-ADServiceAccount -Name $Name `
--Description $Description `
--DNSHostName $Server `
--ManagedPasswordIntervalInDays 30 `
--PrincipalsAllowedToRetrieveManagedPassword $Principal `
--Enabled $True `
--PassThru
-
-# Install the new service account on Azure AD Cloud Sync server
-Install-ADServiceAccount -Identity $Name
-```
-
-For additional information on the cmdlets above, see [Getting Started with Group Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)?redirectedfrom=MSDN).
+For steps on how to upgrade an existing agent to use a gMSA account see [group Managed Service Accounts](how-to-install.md#group-managed-service-accounts).
+
+For more information on how to prepare your Active Directory for group Managed Service Account, see [group Managed Service Accounts Overview](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).
 
 ### In the Azure Active Directory admin center
 
@@ -104,7 +67,7 @@ Run the [IdFix tool](/office365/enterprise/prepare-directory-attributes-for-sync
 
 2. The PowerShell execution policy on the local server must be set to Undefined or RemoteSigned.
 
-3. If there's a firewall between your servers and Azure AD, configure see [Firewall and proxy requirements](#firewall-and-proxy-requirements) below.  
+3. If there's a firewall between your servers and Azure AD, see [Firewall and proxy requirements](#firewall-and-proxy-requirements) below.  
 
 >[!NOTE]
 > Installing the cloud provisioning agent on Windows Server Core is not supported.

articles/active-directory/develop/console-quickstart-portal-nodejs.md

@@ -25,8 +25,7 @@ ms.custom: mode-api
 
 > [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
 > # Quickstart: Acquire a token and call Microsoft Graph API from a Node.js console app using app's identity
->
-> [!div renderon="portal" class="sxs-lookup"]
+> 
 > In this quickstart, you download and run a code sample that demonstrates how a Node.js console application can get an access token using the app's identity to call the Microsoft Graph API and display a [list of users](/graph/api/user-list) in the directory. The code sample demonstrates how an unattended job or Windows service can run with an application identity, instead of a user's identity.
 > 
 > This quickstart uses the [Microsoft Authentication Library for Node.js (MSAL Node)](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) with the [client credentials grant](v2-oauth2-client-creds-grant-flow.md).