Merge pull request #206178 from MicrosoftDocs/main

7/27 PM Publish

Author: huypub

CODEOWNERS

@@ -25,17 +25,17 @@ articles/advisor @rboucher
 articles/service-health @rboucher
 
 # Azure Synapse Analytics
-/articles/synapse-analytics/ @julieMSFT @ryanmajidi @saveenr 
-/articles/synapse-analytics/backuprestore/ @joannapea @julieMSFT
+/articles/synapse-analytics/ @SnehaGunda @WilliamDAssafMSFT @ryanmajidi @saveenr 
+/articles/synapse-analytics/backuprestore/ @joannapea @WilliamDAssafMSFT 
 /articles/synapse-analytics/catalog-governance/@djpmsft @chanuengg 
-/articles/synapse-analytics/ccid/ @liudan66 @julieMSFT
+/articles/synapse-analytics/ccid/ @liudan66
 /articles/synapse-analytics/data-integration/ @kromerm @jonburchel 
 /articles/synapse-analytics/machine-learning/ @garyericson @NelGson @midesa 
-/articles/synapse-analytics/metadata/@MikeRys @julieMSFT @jocaplan
-/articles/synapse-analytics/security/ @RonyMSFT  @nanditavalsan @meenalsri @julieMSFT
+/articles/synapse-analytics/metadata/@MikeRys @jocaplan
+/articles/synapse-analytics/security/ @RonyMSFT @meenalsri 
 /articles/synapse-analytics/spark/ @euangms @mlee3gsd @midesa 
-/articles/synapse-analytics/sql/ @filippopovic @azaricstefan @anumjs @WilliamDAssafMSFT @jovanpop-msft
-/articles/synapse-analytics/sql-data-warehouse/ @anumjs @ronortloff @julieMSFT
+/articles/synapse-analytics/sql/ @filippopovic @azaricstefan @WilliamDAssafMSFT @jovanpop-msft
+/articles/synapse-analytics/sql-data-warehouse/ @SnehaGunda @WilliamDAssafMSFT
 /articles/synapse-analytics/synapse-link/ @Rodrigossz @SnehaGunda @jovanpop-msft
 
 # Cognitive Services

articles/active-directory/conditional-access/TOC.yml

@@ -39,14 +39,16 @@
     href: service-dependencies.md
   - name: Location conditions
     href: location-condition.md
+  - name: Continuous access evaluation
+    href: concept-continuous-access-evaluation.md
   - name: Workload identities
     href: workload-identity.md
+  - name: CAE for workload identities
+    href: concept-continuous-access-evaluation-workload.md
   - name: Filter for devices
     href: concept-condition-filters-for-devices.md
   - name: What if tool
     href: what-if-tool.md
-  - name: Continuous access evaluation
-    href: concept-continuous-access-evaluation.md
 - name: How-to guides
   expanded: true
   items:

articles/active-directory/conditional-access/concept-continuous-access-evaluation-workload.md

@@ -0,0 +1,63 @@
+---
+title: Continuous access evaluation for workload identities in Azure AD
+description: Respond to changes to applications with continuous access evaluation for workload identities in Azure AD
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: conditional-access
+ms.topic: conceptual
+ms.date: 07/22/2022
+
+ms.author: joflore
+author: MicrosoftGuyJFlo
+manager: karenhoran
+ms.reviewer: vmahtani
+
+ms.collection: M365-identity-device-management
+---
+# Continuous access evaluation for workload identities (preview)
+
+Continuous access evaluation (CAE) for [workload identities](../develop/workload-identities-overview.md) provides security benefits to your organization. It enables real-time enforcement of Conditional Access location and risk policies along with instant enforcement of token revocation events for workload identities. 
+
+Continuous access evaluation doesn't currently support managed identities.
+
+## Scope of preview
+
+The continuous access evaluation for workload identities public preview scope includes support for Microsoft Graph as a resource provider.
+
+The preview targets service principals for line of business (LOB) applications.
+
+We support the following revocation events:
+
+- Service principal disable
+- Service principal delete
+- High service principal risk as detected by Azure AD Identity Protection
+
+Continuous access evaluation for workload identities supports [Conditional Access policies that target location and risk](workload-identity.md#implementation).
+
+## Enable your application
+
+Developers can opt in to Continuous access evaluation for workload identities when their API requests `xms_cc` as an optional claim. The `xms_cc` claim with a value of `cp1` in the access token is the authoritative way to identify a client application is capable of handling a claims challenge. For more information about how to make this work in your application, see the article, [Claims challenges, claims requests, and client capabilities](../develop/claims-challenge.md).
+
+### Disable 
+
+In order to opt out, don't send the `xms_cc` claim with a value of `cp1`. 
+
+Organizations who have Azure AD Premium can create a [Conditional Access policy to disable continuous access evaluation](concept-conditional-access-session.md#customize-continuous-access-evaluation) applied to specific workload identities as an immediate stop-gap measure.
+
+## Troubleshooting
+
+When a client’s access to a resource is blocked due to CAE being triggered, the client’s session will be revoked, and the client will need to reauthenticate. This behavior can be verified in the sign-in logs. 
+
+The following steps detail how an admin can verify sign in activity in the sign-in logs: 
+
+1.	Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
+1.	Browse to **Azure Active Directory** > **Sign-in logs** > **Service Principal Sign-ins**. You can use filters to ease the debugging process. 
+1.	Select an entry to see activity details. The **Continuous access evaluation** field indicates whether a CAE token was issued in a particular sign-in attempt. 
+
+## Next steps
+
+- [Register an application with Azure AD and create a service principal](../develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal)
+- [How to use Continuous Access Evaluation enabled APIs in your applications](../develop/app-resilience-continuous-access-evaluation.md)
+- [Sample application using continuous access evaluation](https://github.com/Azure-Samples/ms-identity-dotnetcore-daemon-graph-cae)
+- [What is continuous access evaluation?](../conditional-access/concept-continuous-access-evaluation.md)

articles/aks/TOC.yml

@@ -507,6 +507,8 @@
           href: deployment-center-launcher.md
         - name: GitHub Actions for Kubernetes
           href: ../aks/kubernetes-action.md
+        - name: Configure automated deployments (preview)
+          href: automated-deployments.md
         - name: CI/CD with Azure Pipelines
           href: ../aks/devops-pipeline.md
     - name: Troubleshoot

articles/aks/automated-deployments.md

@@ -0,0 +1,72 @@
+---
+title: Automated deployments for Azure Kubernetes Service (Preview)
+description: Learn how to use automated deployments to simplify the process of adding GitHub Actions to your Azure Kubernetes Service (AKS) project
+ms.author: qpetraroia
+ms.topic: tutorial
+ms.date: 7/21/2022
+author: qpetraroia
+---
+
+# Automated Deployments for Azure Kubernetes Service (Preview)
+
+Automated deployments simplify the process of setting up a GitHub Action and creating an automated pipeline for your code releases to your Azure Kubernetes Service (AKS) cluster. Once connected, every new commit will kick off the pipeline, resulting in your application being updated.
+
+[!INCLUDE [preview features callout](./includes/preview/preview-callout.md)]
+
+> [!NOTE]
+> This feature is not yet available in all regions.
+
+## Prerequisites
+
+* A GitHub account.
+* An AKS cluster.
+* An Azure Container Registry (ACR)
+
+## Deploy an application to your AKS cluster
+
+1. In the Azure portal, navigate to the resource group containing the AKS cluster you want to deploy the application to.
+
+1. Select your AKS cluster, and then select **Automated deployments (preview)** on the left blade. Select **Create an automated deployment**.
+
+    :::image type="content" source="media/automated-deployments/ad-homescreen.png" alt-text="The automated deployments screen in the Azure portal."  lightbox="media/automated-deployments/ad-homescreen-expanded.png":::
+
+1. Name your workflow and click **Authorize** to connect your Azure account with your GitHub account. After your accounts are linked, choose which repository and branch you would like to create the GitHub Action for.
+
+    - **GitHub**: Authorize and select the repository for your GitHub account.
+
+        :::image type="content" source="media/automated-deployments/ad-ghactivate-repo.png" alt-text="The authorize and repository selection screen." lightbox="media/automated-deployments/ad-ghactivate-repo-expanded.png":::
+
+1. Pick your dockerfile and your ACR and image.
+
+    :::image type="content" source="media/automated-deployments/ad-image.png" alt-text="The image selection screen." lightbox="media/automated-deployments/ad-image-expanded.png":::
+
+1. Determine whether you'll deploy with Helm or regular Kubernetes manifests. Once decided, pick the appropriate deployment files from your repository and decide which namespace you want to deploy into.
+
+    :::image type="content" source="media/automated-deployments/ad-deployment-details.png" alt-text="The deployment details screen." lightbox="media/automated-deployments/ad-deployment-details-expanded.png":::
+
+1. Review your deployment before creating the pull request.
+
+1. Click **view pull request** to see your GitHub Action.
+
+    :::image type="content" source="media/automated-deployments/ad-view-pr.png" alt-text="The final screen of the deployment process. The view pull request button is highlighted." lightbox="media/automated-deployments/ad-view-pr-expanded.png" :::
+
+1. Merge the pull request to kick off the GitHub Action and deploy your application.
+
+    :::image type="content" source="media/automated-deployments/ad-accept-pr.png" alt-text="The pull request page in GitHub. The merge pull request button is highlighted." lightbox="media/automated-deployments/ad-accept-pr-expanded.png" :::
+
+1. Once your application is deployed, go back to automated deployments to see your history.
+
+    :::image type="content" source="media/automated-deployments/ad-view-history.png" alt-text="The history screen in Azure portal, showing all the previous automated deployments." lightbox="media/automated-deployments/ad-view-history-expanded.png" :::
+
+## Clean up resources
+
+You can remove any related resources that you created when you don't need them anymore individually or by deleting the resource group to which they belong. To delete your automated deployment, navigate to the automated deployment dashboard and select **...**, then select **delete** and confirm your action.
+
+## Next steps
+
+You can modify these GitHub Actions to meet the needs of your team by opening them up in an editor like Visual Studio Code and changing them as you see fit.
+
+Learn more about [GitHub Actions for Kubernetes][kubernetes-action].
+
+<!-- LINKS -->
+[kubernetes-action]: kubernetes-action.md