Merge pull request #211159 from MicrosoftDocs/main

Publish to Live, Wednesday 4AM PST, 9/14

Author: PMEds28

.openpublishing.redirection.json

@@ -27872,6 +27872,11 @@
             "source_path_from_root": "/articles/virtual-machines/scripts/virtual-machines-cli-sample-copy-managed-disks-to-same-or-different-subscription.md",
             "redirect_url": "/previous-versions/azure/virtual-machines/scripts/virtual-machines-cli-sample-copy-managed-disks-to-same-or-different-subscription",
             "redirect_document_id": false
+        },        
+        {
+            "source_path_from_root": "/articles/virtual-machines/disks-cross-tenant-cmk.md",
+            "redirect_url": "/azure/virtual-machines/disks-cross-tenant-customer-managed-keys",
+            "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/virtual-machines/scripts/virtual-machines-cli-sample-copy-managed-disks-vhd.md",

articles/active-directory/authentication/concept-authentication-passwordless.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 08/17/2022
+ms.date: 09/13/2022
 
 ms.author: justinha
 author: justinha
@@ -179,7 +179,7 @@ Here are some factors for you to consider when choosing Microsoft passwordless t
 
 ||**Windows Hello for Business**|**Passwordless sign-in with the Authenticator app**|**FIDO2 security keys**|
 |:-|:-|:-|:-|
-|**Pre-requisite**| Windows 10, version 1809 or later<br>Azure Active Directory| Authenticator app<br>Phone (iOS and Android devices running Android 6.0 or above.)|Windows 10, version 1903 or later<br>Azure Active Directory|
+|**Pre-requisite**| Windows 10, version 1809 or later<br>Azure Active Directory| Authenticator app<br>Phone (iOS and Android devices running Android 8.0 or above.)|Windows 10, version 1903 or later<br>Azure Active Directory|
 |**Mode**|Platform|Software|Hardware|
 |**Systems and devices**|PC with a built-in Trusted Platform Module (TPM)<br>PIN and biometrics recognition |PIN and biometrics recognition on phone|FIDO2 security devices that are Microsoft compatible|
 |**User experience**|Sign in using a PIN or biometric recognition (facial, iris, or fingerprint) with Windows devices.<br>Windows Hello authentication is tied to the device; the user needs both the device and a sign-in component such as a PIN or biometric factor to access corporate resources.|Sign in using a mobile phone with fingerprint scan, facial or iris recognition, or PIN.<br>Users sign in to work or personal account from their PC or mobile phone.|Sign in using FIDO2 security device (biometrics, PIN, and NFC)<br>User can access device based on organization controls and authenticate based on PIN, biometrics using devices such as USB security keys and NFC-enabled smartcards, keys, or wearables.|

articles/active-directory/authentication/howto-authentication-passwordless-phone.md

@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 07/19/2022
+ms.date: 09/13/2022
 
 
 ms.author: justinha
@@ -48,7 +48,7 @@ The Azure AD accounts can be in the same tenant or different tenants. Guest acco
 To use passwordless phone sign-in with Microsoft Authenticator, the following prerequisites must be met:
 
 - Recommended: Azure AD Multi-Factor Authentication, with push notifications allowed as a verification method. Push notifications to your smartphone or tablet help the Authenticator app to prevent unauthorized access to accounts and stop fraudulent transactions. The Authenticator app automatically generates codes when set up to do push notifications so a user has a backup sign-in method even if their device doesn't have connectivity. 
-- Latest version of Microsoft Authenticator installed on devices running iOS 12.0 or greater, or Android 6.0 or greater.
+- Latest version of Microsoft Authenticator installed on devices running iOS 12.0 or greater, or Android 8.0 or greater.
 - For Android, the device that runs Microsoft Authenticator must be registered to an individual user. We're actively working to enable multiple accounts on Android. 
 - For iOS, the device must be registered with each tenant where it's used to sign in. For example, the following device must be registered with Contoso and Wingtiptoys to allow all accounts to sign in:
   - [email protected]
@@ -152,4 +152,4 @@ To learn about Azure AD authentication and passwordless methods, see the followi
 
 - [Learn how passwordless authentication works](concept-authentication-passwordless.md)
 - [Learn about device registration](../devices/overview.md)
-- [Learn about Azure AD Multi-Factor Authentication](../authentication/howto-mfa-getstarted.md)
+- [Learn about Azure AD Multi-Factor Authentication](../authentication/howto-mfa-getstarted.md)

articles/active-directory/hybrid/reference-connect-health-version-history.md

@@ -22,7 +22,7 @@ ms.collection: M365-identity-device-management
 The Azure Active Directory team regularly updates Azure AD Connect Health with new features and functionality. This article lists the versions and features that have been released.  
 
 > [!NOTE]
-> Connect Health agents are updated automatically when new version is released. Please ensure the auto-upgrade settings is enabled from Azure portal.
+> Azure AD Connect Health agents are updated automatically when new version is released.
 >
 
 Azure AD Connect Health for Sync is integrated with Azure AD Connect installation. Read more about [Azure AD Connect release history](./reference-connect-version-history.md)

articles/aks/api-server-vnet-integration.md

@@ -3,7 +3,7 @@ title: API Server VNet Integration in Azure Kubernetes Service (AKS)
 description: Learn how to create an Azure Kubernetes Service (AKS) cluster with API Server VNet Integration
 services: container-service
 ms.topic: article
-ms.date: 06/27/2022
+ms.date: 09/09/2022
 ms.custom: references_regions
 
 ---
@@ -12,29 +12,26 @@ ms.custom: references_regions
 
 An Azure Kubernetes Service (AKS) cluster with API Server VNet Integration configured projects the API server endpoint directly into a delegated subnet in the VNet where AKS is deployed. This enables network communication between the API server and the cluster nodes without any required private link or tunnel. The API server will be available behind an Internal Load Balancer VIP in the delegated subnet, which the nodes will be configured to utilize. By using API Server VNet Integration, you can ensure network traffic between your API server and your node pools remains on the private network only.
 
-
-
 [!INCLUDE [preview features callout](./includes/preview/preview-callout.md)]
 
 ## API server connectivity
 
 The control plane or API server is in an Azure Kubernetes Service (AKS)-managed Azure subscription. A customer's cluster or node pool is in the customer's subscription. The server and the virtual machines that make up the cluster nodes can communicate with each other through the API server VIP and pod IPs that are projected into the delegated subnet.
 
-At this time, API Server VNet integration is only supported for private clusters. Unlike standard public clusters, the agent nodes communicate directly with the private IP address of the ILB VIP for communication to the API server without using DNS. External clients needing to communicate with the cluster should follow the same private DNS setup methodology as standard [private clusters](private-clusters.md).
+API Server VNet Integration is supported for public or private clusters, and public access can be added or removed after cluster provisioning. Unlike non-VNet integrated clusters, the agent nodes always communicate directly with the private IP address of the API Server Internal Load Balancer (ILB) IP without using DNS. All node to API server traffic is kept on private networking and no tunnel is required for API server to node connectivity. Out-of-cluster clients needing to communicate with the API server can do so normally if public network access is enabled. If public network access is disabled, they should follow the same private DNS setup methodology as standard [private clusters](private-clusters.md).
 
 ## Region availability
 
 API Server VNet Integration is available in the following regions at this time:
 
-- canary regions
 - eastus2
 - northcentralus
 - westcentralus
 - westus2
 
 ## Prerequisites
 
-* Azure CLI with aks-preview extension 0.5.67 or later.
+* Azure CLI with aks-preview extension 0.5.97 or later.
 * If using ARM or the REST API, the AKS API version must be 2022-04-02-preview or later.
 
 ### Install the aks-preview CLI extension
@@ -69,9 +66,9 @@ When the feature has been registered, refresh the registration of the *Microsoft
 az provider register --namespace Microsoft.ContainerService
 ```
 
-## Create an AKS Private cluster with API Server VNet Integration using Managed VNet
+## Create an AKS cluster with API Server VNet Integration using Managed VNet
 
-AKS clusters with API Server VNet Integration can be configured in either managed VNet or bring-your-own VNet mode. 
+AKS clusters with API Server VNet Integration can be configured in either managed VNet or bring-your-own VNet mode. They can be created as either public clusters (with API server access available via a public IP) or private clusters (where the API server is only accessible via private VNet connectivity), and can be toggled between these two states without redeploying.
 
 ### Create a resource group
 
@@ -81,7 +78,19 @@ Create a resource group or use an existing resource group for your AKS cluster.
 az group create -l westus2 -n <resource-group>
 ```
 
-### Deploy the cluster
+### Deploy a public cluster
+
+```azurecli-interactive
+az aks create -n <cluster-name> \
+    -g <resource-group> \
+    -l <location> \
+    --network-plugin azure \
+    --enable-apiserver-vnet-integration
+```
+
+The `--enable-apiserver-vnet-integration` flag configures API Server VNet integration for Managed VNet mode.
+
+### Deploy a private cluster
 
 ```azurecli-interactive
 az aks create -n <cluster-name> \
@@ -92,7 +101,7 @@ az aks create -n <cluster-name> \
     --enable-apiserver-vnet-integration
 ```
 
-Where `--enable-private-cluster` is a mandatory flag for a private cluster, and `--enable-apiserver-vnet-integration` configures API Server VNet integration for Managed VNet mode.
+The `--enable-private-cluster` flag is mandatory for a private cluster, and `--enable-apiserver-vnet-integration` configures API Server VNet integration for Managed VNet mode.
 
 ## Create an AKS Private cluster with API Server VNet Integration using bring-your-own VNet
 
@@ -148,7 +157,20 @@ az role assignment create --scope <cluster-subnet-resource-id> \
     --assignee <managed-identity-client-id>
 ```
 
-### Create the AKS cluster
+### Deploy a public cluster
+
+```azurecli-interactive
+az aks create -n <cluster-name> \
+    -g <resource-group> \
+    -l <location> \
+    --network-plugin azure \
+    --enable-apiserver-vnet-integration \
+    --vnet-subnet-id <cluster-subnet-resource-id> \
+    --apiserver-subnet-id <apiserver-subnet-resource-id> \
+    --assign-identity <managed-identity-resource-id>
+```
+
+### Deploy a private cluster
 
 ```azurecli-interactive
 az aks create -n <cluster-name> \
@@ -162,9 +184,45 @@ az aks create -n <cluster-name> \
     --assign-identity <managed-identity-resource-id>
 ```
 
-## Limitations 
-* Existing AKS clusters cannot be converted to API Server VNet Integration clusters at this time.
-* Only [private clusters](private-clusters.md) are supported at this time.
+## Convert an existing AKS cluster to API Server VNet Integration
+
+Existing AKS public clusters can be converted to API Server VNet Integration clusters by supplying an API server subnet that meets the requirements above (in the same VNet as the cluster nodes, permissions granted for the AKS cluster identity, and size of at least /28). This is a one-way migration; clusters cannot have API Server VNet Integration disabled after it has been enabled.
+
+This upgrade will perform a node-image version upgrade on all node pools - all workloads will be restarted as all nodes will undergo a rolling image upgrade.
+
+> [!WARNING]
+> Converting a cluster to API Server VNet Integration will result in a change of the API Server IP address, though the hostname will remain the same. If the IP address of the API server has been configured in any firewalls or network security group rules, those rules may need to be updated.
+
+```azurecli-interactive
+az aks update -n <cluster-name> \
+    -g <resource-group> \
+    --enable-apiserver-vnet-integration \
+    --apiserver-subnet-id <apiserver-subnet-resource-id>
+```
+
+## Enable or disable private cluster mode on an existing cluster with API Server VNet Integration
+
+AKS clusters configured with API Server VNet Integration can have public network access/private cluster mode enabled or disabled without redeploying the cluster. The API server hostname will not change, but public DNS entries will be modified or removed as appropriate.
+
+### Enable private cluster mode
+
+```azurecli-interactive
+az aks update -n <cluster-name> \
+    -g <resource-group> \
+    --enable-private-cluster
+```
+
+### Disable private cluster mode
+
+```azurecli-interactive
+az aks update -n <cluster-name> \
+    -g <resource-group> \
+    --disable-private-cluster
+```
+
+## Limitations
+
+* Existing AKS private clusters cannot be converted to API Server VNet Integration clusters at this time.
 * [Private Link Service][private-link-service] will not work if deployed against the API Server injected addresses at this time, so the API server cannot be exposed to other virtual networks via private link. To access the API server from outside the cluster network, utilize either [VNet peering][virtual-network-peering] or [AKS run command][command-invoke].
 
 <!-- LINKS - internal -->