Merge pull request #194014 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: ttorble

.openpublishing.redirection.iot-hub.json

@@ -938,6 +938,81 @@
       "redirect_url": "/azure/iot-hub/tutorial-x509-scripts",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/iot-hub/iot-hub-troubleshoot-error-500xxx-internal-errors.md",
+      "redirect_url": "/azure/iot-hub/troubleshoot-error-codes#500xxx-internal-errors",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/iot-hub/iot-hub-troubleshoot-error-400027-connectionforcefullyclosedonnewconnection.md",
+      "redirect_url": "/azure/iot-hub/troubleshoot-error-codes#40027-connectionforcefullyclosedonnewconnection",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/iot-hub/iot-hub-troubleshoot-error-401003-iothubunauthorized.md",
+      "redirect_url": "/azure/iot-hub/troubleshoot-error-codes#401003-iothubunauthorized",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/iot-hub/iot-hub-troubleshoot-error-403004-devicemaximumqueuedepthexceeded.md",
+      "redirect_url": "/azure/iot-hub/troubleshoot-error-codes#403004-devicemaximumqueuedepthexceeded",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/iot-hub/iot-hub-troubleshoot-error-403002-iothubquotaexceeded.md",
+      "redirect_url": "/azure/iot-hub/troubleshoot-error-codes#403002-iothubquotaexceeded",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/iot-hub/iot-hub-troubleshoot-error-403006-devicemaximumactivefileuploadlimitexceeded.md",
+      "redirect_url": "/azure/iot-hub/troubleshoot-error-codes#403006-devicemaximumactivefileuploadlimitexceeded",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/iot-hub/iot-hub-troubleshoot-error-404001-devicenotfound.md",
+      "redirect_url": "/azure/iot-hub/troubleshoot-error-codes#404001-devicenotfound",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/iot-hub/iot-hub-troubleshoot-error-404103-devicenotonline.md",
+      "redirect_url": "/azure/iot-hub/troubleshoot-error-codes#404103-devicenotonline",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/iot-hub/iot-hub-troubleshoot-error-404104-deviceconnectionclosedremotely.md",
+      "redirect_url": "/azure/iot-hub/troubleshoot-error-codes#404104-deviceconnectionclosedremotely",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/iot-hub/iot-hub-troubleshoot-error-409001-devicealreadyexists.md",
+      "redirect_url": "/azure/iot-hub/troubleshoot-error-codes#409001-devicealreadyexists",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/iot-hub/iot-hub-troubleshoot-error-409002-linkcreationconflict.md",
+      "redirect_url": "/azure/iot-hub/troubleshoot-error-codes#409002-linkcreationconflict",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/iot-hub/iot-hub-troubleshoot-error-412002-devicemessagelocklost.md",
+      "redirect_url": "/azure/iot-hub/troubleshoot-error-codes#412002-devicemessagelocklost",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/iot-hub/iot-hub-troubleshoot-error-429001-throttlingexception.md",
+      "redirect_url": "/azure/iot-hub/troubleshoot-error-codes#429001-throttlingexception",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/iot-hub/iot-hub-troubleshoot-error-503003-partitionnotfound.md",
+      "redirect_url": "/azure/iot-hub/troubleshoot-error-codes#503003-partitionnotfound",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/iot-hub/iot-hub-troubleshoot-error-504101-gatewaytimeout.md",
+      "redirect_url": "/azure/iot-hub/troubleshoot-error-codes#504101-gatewaytimeout",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/iot-hub/iot-hub-gateway-kit-c-iot-gateway-connect-device-to-cloud.md",
       "redirect_url": "https://github.com/Azure/iot-edge/tree/master/v1/doc/commercial_gateway_kit/iot-hub-gateway-kit-c-iot-gateway-connect-device-to-cloud.md",
@@ -958,7 +1033,6 @@
       "redirect_url": "https://github.com/Azure/iot-edge/tree/master/v1/doc/commercial_gateway_kit/iot-hub-gateway-kit-c-use-iot-gateway-for-data-conversion.md",
       "redirect_document_id": false
     },
-
     {
       "source_path_from_root": "/articles/iot-hub/iot-hub-iot-edge-overview.md",
       "redirect_url": "https://github.com/Azure/iot-edge/tree/master/v1/doc/iot-hub-iot-edge-overview.md",

CODEOWNERS

@@ -12,14 +12,14 @@
 # Azure Monitor
 articles/azure-monitor/* @bwren
 articles/azure-monitor/agents @bwren
-articles/azure-monitor/alerts @rboucher @abbyMSFT
-articles/azure-monitor/app @bwren 
+articles/azure-monitor/alerts @abbyMSFT
+articles/azure-monitor/app @AaronMaxwell 
 articles/azure-monitor/autoscale @rboucher
 articles/azure-monitor/containers @bwren
 articles/azure-monitor/essentials @bwren @rboucher
 articles/azure-monitor/insights @bwren @rboucher 
-articles/azure-monitor/logs @bwren @abbyMSFT
-articles/azure-monitor/visualize @bwren  @rboucher
+articles/azure-monitor/logs @guywi-ms
+articles/azure-monitor/visualize @abbyMSFT @rboucher
 articles/azure-monitor/vm @bwren
 articles/advisor @rboucher
 articles/service-health @rboucher

articles/active-directory-b2c/authorization-code-flow.md

@@ -62,7 +62,7 @@ client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6
 | client_id |Required |The application ID assigned to your app in the [Azure portal](https://portal.azure.com). |
 | response_type |Required |The response type, which must include `code` for the authorization code flow. |
 | redirect_uri |Required |The redirect URI of your app, where authentication responses are sent and received by your app. It must exactly match one of the redirect URIs that you registered in the portal, except that it must be URL-encoded. |
-| scope |Required |A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. The `offline_access` scope is optional for web applications. It indicates that your application will need a *refresh token* for extended access to resources. The `https://{tenant-name}/{app-id-uri}/{scope}` indicates a permission to protected resources, such as a web API. For more information, see [Request an access token](access-tokens.md#scopes). |
+| scope |Required |A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. The `offline_access` scope is optional for web applications. It indicates that your application will need a *refresh token* for extended access to resources.The client-id indicates the token issued are intended for use by Azure AD B2C registered client. The `https://{tenant-name}/{app-id-uri}/{scope}` indicates a permission to protected resources, such as a web API. For more information, see [Request an access token](access-tokens.md#scopes). |
 | response_mode |Recommended |The method that you use to send the resulting authorization code back to your app. It can be `query`, `form_post`, or `fragment`. |
 | state |Recommended |A value included in the request that can be a string of any content that you want to use. Usually, a randomly generated unique value is  used, to prevent cross-site request forgery attacks. The state also is used to encode information about the user's state in the app before the authentication request occurred. For example, the page the user was on, or the user flow that was being executed. |
 | prompt |Optional |The type of user interaction that is required. Currently, the only valid value is `login`, which forces the user to enter their credentials on that request. Single sign-on will not take effect. |

articles/active-directory-b2c/identity-provider-google.md

@@ -43,8 +43,12 @@ To enable sign-in for users with a Google account in Azure Active Directory B2C
 1. In the upper-left corner of the page, select the project list, and then select **New Project**.
 1. Enter a **Project Name**, select **Create**.
 1. Make sure you are using the new project by selecting the project drop-down in the top-left of the screen. Select your project by name, then select **Open**.
-1. Select **OAuth consent screen** in the left menu, select **External**, and then select **Create**.
-Enter a **Name** for your application. Enter *b2clogin.com* in the **Authorized domains** section and select **Save**.
+1. In the left menu, select **OAuth consent screen**, select **External**, and then select **Create**.
+    1. Enter a **Name** for your application. 
+    1. Select a **User support email**. 
+    1. In the **Authorized domains** section, enter *b2clogin.com*.
+    1. In the **Developer contact information** section, enter comma separated emails for Google to notify you about any changes to your project. 
+    1. Select **Save**.
 1. Select **Credentials** in the left menu, and then select **Create credentials** > **Oauth client ID**.
 1. Under **Application type**, select **Web application**.
     1. Enter a **Name** for your application.

articles/active-directory-b2c/saml-identity-provider-technical-profile.md

@@ -179,38 +179,6 @@ The **CryptographicKeys** element contains the following attributes:
 | SamlAssertionDecryption |No | The X509 certificate (RSA key set). A SAML identity provider uses the public portion of the certificate to encrypt the assertion of the SAML response. Azure AD B2C uses the private portion of the certificate to decrypt the assertion. |
 | MetadataSigning |No | The X509 certificate (RSA key set) to use to sign SAML metadata. Azure AD B2C uses this key to sign the metadata.  |
 
-## SAML entityID customization
-
-If you have multiple SAML applications that depend on different entityID values, you can override the `issueruri` value in your relying party file. To do this, copy the technical profile with the "Saml2AssertionIssuer" ID from the base file and override the `issueruri` value.
-
-> [!TIP]
-> Copy the `<ClaimsProviders>` section from the base and preserve these elements within the claims provider: `<DisplayName>Token Issuer</DisplayName>`, `<TechnicalProfile Id="Saml2AssertionIssuer">`, and `<DisplayName>Token Issuer</DisplayName>`.
- 
-Example:
-
-```xml
-   <ClaimsProviders>   
-    <ClaimsProvider>
-      <DisplayName>Token Issuer</DisplayName>
-      <TechnicalProfiles>
-        <TechnicalProfile Id="Saml2AssertionIssuer">
-          <DisplayName>Token Issuer</DisplayName>
-          <Metadata>
-            <Item Key="IssuerUri">customURI</Item>
-          </Metadata>
-        </TechnicalProfile>
-      </TechnicalProfiles>
-    </ClaimsProvider>
-  </ClaimsProviders>
-  <RelyingParty>
-    <DefaultUserJourney ReferenceId="SignUpInSAML" />
-    <TechnicalProfile Id="PolicyProfile">
-      <DisplayName>PolicyProfile</DisplayName>
-      <Protocol Name="SAML2" />
-      <Metadata>
-     …
-```
-
 ## Next steps
 
 See the following articles for examples of working with SAML identity providers in Azure AD B2C:

articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md

@@ -7,7 +7,7 @@ manager: karenhoran
 ms.service: active-directory
 ms.workload: identity
 ms.topic: overview
-ms.date: 11/29/2021
+ms.date: 04/04/2022
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
@@ -79,9 +79,7 @@ Since ECMA Connector Host currently only supports the USER object type, the OBJE
 You can define one or more matching attribute(s) and prioritize them based on the precedence.  Should you want to change the matching attribute you can also do so.
  [![Matching attribute](.\media\on-premises-application-provisioning-architecture\match-1.png)](.\media\on-premises-application-provisioning-architecture\match-1.png#lightbox)
 
-2.  ECMA Connector Host receives the GET request and queries its internal cache to see if the user exists and has based imported.  This is done using the **query attribute**. The query attribute is defined in the object types page.  
- [![Query attribute](.\media\on-premises-application-provisioning-architecture\match-2.png)](.\media\on-premises-application-provisioning-architecture\match-2.png#lightbox)
-
+2.  ECMA Connector Host receives the GET request and queries its internal cache to see if the user exists and has based imported.  This is done using the matching attribute(s) above. If you define multiple matching attributes, the Azure AD provisioning service will send a GET request for each attribute and the ECMA host will check it's cache for a match until it finds one.   
 
 3. If the user does not exist, Azure AD will make a POST request to create the user.  The ECMA Connector Host will respond back to Azure AD with the HTTP 201 and provide an ID for the user. This ID is derived from the anchor value defined in the object types page. This anchor will be used by Azure AD to query the ECMA Connector Host for future and subsequent requests. 
 4. If a change happens to the user in Azure AD, then Azure AD will make a GET request to retrieve the user using the anchor from the previous step, rather than the matching attribute in step 1. This allows, for example, the UPN to change without breaking the link between the user in Azure AD and in the app.  

articles/active-directory/app-provisioning/on-premises-ecma-troubleshoot.md

@@ -7,7 +7,7 @@ manager: karenhoran
 ms.service: active-directory
 ms.workload: identity
 ms.topic: overview
-ms.date: 02/03/2022
+ms.date: 04/04/2022
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
@@ -97,7 +97,27 @@ The file location for wizard logging is C:\Program Files\Microsoft ECMA2Host\Wiz
           <listeners> 
             <add initializeData="ECMA2Host" type="System.Diagnostics.EventLogTraceListener, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" name="ECMA2HostListener" traceOutputOptions="LogicalOperationStack, DateTime, Timestamp, Callstack" /> 
   ```
+## Query the ECMA Host Cache
 
+The ECMA Host has a cache of users in your application that is updated according to the schedule you specify in the properties page of the ECMA Host wizard. In order to query the cache, perform the steps below:
+1. Set the Debug flag to `true`.
+2. Restart the ECMA Host service.
+3. Query this endpoint from the server the ECMA Host is installed on, replacing  `{connector name}` with the name of your connector, specified in the properties page of the ECMA Host.  `https://localhost:8585/ecma2host_{connectorName}/scim/cache`
+
+Please be aware that setting the debug flag to  `true` disables authentication on the ECMA Host. You will want to set it back to `false` and restart the ECMA Host service once you are done querying the cache. 
+
+The file location for verbose service logging is C:\Program Files\Microsoft ECMA2Host\Service\Microsoft.ECMA2Host.Service.exe.config.
+  ```
+  <?xml version="1.0" encoding="utf-8"?> 
+  <configuration> 
+      <startup>  
+          <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6" /> 
+      </startup> 
+      <appSettings> 
+        <add key="Debug" value="true" /> 
+      </appSettings> 
+
+  ```
 ## Target attribute is missing 
 The provisioning service automatically discovers attributes in your target application. If you see that a target attribute is missing in the target attribute list in the Azure portal, perform the following troubleshooting step:
 

articles/active-directory/app-proxy/application-proxy-add-on-premises-application.md

@@ -8,10 +8,9 @@ ms.service: active-directory
 ms.subservice: app-proxy
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 02/17/2021
+ms.date: 04/04/2022
 ms.author: kenwith
 ms.reviewer: ashishj
-ms.custom: contperf-fy21q3-portal
 ---
 
 # Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory
@@ -127,7 +126,7 @@ Allow access to the following URLs:
 | `*.msappproxy.net` <br> `*.servicebus.windows.net` | 443/HTTPS | Communication between the connector and the Application Proxy cloud service |
 | `crl3.digicert.com` <br> `crl4.digicert.com` <br> `ocsp.digicert.com` <br> `crl.microsoft.com` <br> `oneocsp.microsoft.com` <br> `ocsp.msocsp.com`<br> | 80/HTTP   | The connector uses these URLs to verify certificates.        |
 | `login.windows.net` <br> `secure.aadcdn.microsoftonline-p.com` <br> `*.microsoftonline.com` <br> `*.microsoftonline-p.com` <br> `*.msauth.net` <br> `*.msauthimages.net` <br> `*.msecnd.net` <br> `*.msftauth.net` <br> `*.msftauthimages.net` <br> `*.phonefactor.net` <br> `enterpriseregistration.windows.net` <br> `management.azure.com` <br> `policykeyservice.dc.ad.msft.net` <br> `ctldl.windowsupdate.com` <br> `www.microsoft.com/pkiops` | 443/HTTPS | The connector uses these URLs during the registration process. |
-| `ctldl.windowsupdate.com` <br> `www.microsoft.com/pkiops` | 80/HTTP | The connector uses this URL during the registration process. |
+| `ctldl.windowsupdate.com` <br> `www.microsoft.com/pkiops` | 80/HTTP | The connector uses these URLs during the registration process. |
 
 You can allow connections to `*.msappproxy.net`, `*.servicebus.windows.net`, and other URLs above if your firewall or proxy lets you configure access rules based on domain suffixes. If not, you need to allow access to the [Azure IP ranges and Service Tags - Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). The IP ranges are updated each week.
 

articles/active-directory/app-proxy/application-proxy-configure-connectors-with-proxy-servers.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-proxy
 ms.workload: identity
 ms.topic: how-to
-ms.date: 04/27/2021
+ms.date: 04/04/2022
 ms.author: kenwith
 ms.reviewer: ashishj
 ---
@@ -113,7 +113,7 @@ Allow access to the following URLs:
 | &ast;.msappproxy.net<br>&ast;.servicebus.windows.net | 443/HTTPS | Communication between the connector and the Application Proxy cloud service |
 | crl3.digicert.com<br>crl4.digicert.com<br>ocsp.digicert.com<br>crl.microsoft.com<br>oneocsp.microsoft.com<br>ocsp.msocsp.com<br> | 80/HTTP | The connector uses these URLs to verify certificates. |
 | login.windows.net<br>secure.aadcdn.microsoftonline-p.com<br>&ast;.microsoftonline.com<br>&ast;.microsoftonline-p.com<br>&ast;.msauth.net<br>&ast;.msauthimages.net<br>&ast;.msecnd.net<br>&ast;.msftauth.net<br>&ast;.msftauthimages.net<br>&ast;.phonefactor.net<br>enterpriseregistration.windows.net<br>management.azure.com<br>policykeyservice.dc.ad.msft.net<br>ctldl.windowsupdate.com | 443/HTTPS | The connector uses these URLs during the registration process. |
-| ctldl.windowsupdate.com<br>www.microsoft.com/pkiops | 80/HTTP | The connector uses this URL during the registration process. |
+| ctldl.windowsupdate.com<br>www.microsoft.com/pkiops | 80/HTTP | The connector uses these URLs during the registration process. |
 
 If your firewall or proxy allows you to configure DNS allow lists, you can allow connections to \*.msappproxy.net and \*.servicebus.windows.net.