Commit 2bad805

Merge pull request #180505 from MicrosoftDocs/master
Merge Master to Live, 4 AM
2 parents 81a1d2f + 2271c16 commit 2bad805

File tree

86 files changed

+993
-513
lines changed


.vscode/settings.json

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
{
2+
"markdownlint.config": {
3+
"MD028": false,
4+
"MD025": {
5+
"front_matter_title": ""
6+
}
7+
}
8+
}
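Review bot: no rationale for the two rule exemptions is recorded anywhere in the change, and JSON permits no comments. MD028 (blank lines inside blockquotes) being switched off repo-wide at lines 2-3 hides a class of rendering problems, and `front_matter_title: ""` under MD025 at line 5 stops markdownlint from treating the front-matter `title:` as the document's H1, which is what lets pages that carry both a `title:` key and a `#` heading, such as agent-overview.md in this same commit, pass the single-title rule. Consider putting that reasoning in the PR description or a contributor doc so the next person does not revert it.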

articles/active-directory-b2c/threat-management.md

Lines changed: 7 additions & 5 deletions
@@ -14,10 +14,12 @@ ms.author: kengaderdus
1414
ms.subservice: B2C
1515
---
1616

17-
# Mitigate credential attacks in Azure AD B2C
17+
# Mitigate credential attacks in Azure AD B2C with smart lockout
1818

1919
Credential attacks lead to unauthorized access to resources. Passwords that are set by users are required to be reasonably complex. Azure AD B2C has mitigation techniques in place for credential attacks. Mitigation includes detection of brute-force credential attacks and dictionary credential attacks. By using various signals, Azure Active Directory B2C (Azure AD B2C) analyzes the integrity of requests. Azure AD B2C is designed to intelligently differentiate intended users from hackers and botnets.
2020

21+
## How smart lockout works
22+
2123
Azure AD B2C uses a sophisticated strategy to lock accounts. The accounts are locked based on the IP of the request and the passwords entered. The duration of the lockout also increases based on the likelihood that it's an attack. After a password is tried 10 times unsuccessfully (the default attempt threshold), a one-minute lockout occurs. The next time a login is unsuccessful after the account is unlocked (that is, after the account has been automatically unlocked by the service once the lockout period expires), another one-minute lockout occurs and continues for each unsuccessful login. Entering the same, or similar password repeatedly doesn't count as multiple unsuccessful logins.
2224

2325
> [!NOTE]
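Review bot: the H1 at line 17 now names smart lockout, but the intro paragraph at line 19 never uses the term before the new `## How smart lockout works` heading at line 21. A sentence in the intro such as "This protection is called smart lockout." would define the term before the section that explains it.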
@@ -27,16 +29,16 @@ Azure AD B2C uses a sophisticated strategy to lock accounts. The accounts are lo
2729

2830
The first 10 lockout periods are one minute long. The next 10 lockout periods are slightly longer and increase in duration after every 10 lockout periods. The lockout counter resets to zero after a successful login when the account isn’t locked. Lockout periods can last up to five hours. Users must wait for the lockout duration to expire. However, the user can unlock by using self-service [password user flow](add-password-reset-policy.md).
2931

30-
## Manage password protection settings
32+
## Manage smart lockout settings
3133

32-
To manage password protection settings, including the lockout threshold:
34+
To manage smart lockout settings, including the lockout threshold:
3335

3436
1. Sign in to the [Azure portal](https://portal.azure.com)
3537
1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
3638
1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
3739
1. In the left menu, select **Azure AD B2C**. Or, select **All services** and search for and select **Azure AD B2C**.
3840
1. Under **Security**, select **Authentication methods (Preview)**, then select **Password protection**.
39-
1. Under **Custom smart lockout**, enter your desired password protection settings:
41+
1. Under **Custom smart lockout**, enter your desired smart lockout settings:
4042

4143
- **Lockout threshold**: The number of failed sign-in tries that are allowed before the account is first locked out. If the first sign-in after a lockout also fails, the account locks again.
4244
- **Lockout duration in seconds**: The minimum duration of each lockout in seconds. If an account locks repeatedly, this duration increases.
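Review bot: the **Lockout threshold** bullet at line 43 omits the default value, while line 23 of the previous hunk states that the default is 10 attempts; adding "(default: 10)" to the bullet keeps the settings list and the explanation in agreement, and the same applies to the one-minute default for **Lockout duration in seconds** at line 44.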
@@ -46,7 +48,7 @@ To manage password protection settings, including the lockout threshold:
4648

4749
1. Select **Save**.
4850

49-
## Testing the password protection settings
51+
## Testing smart lockout
5052

5153
The smart lockout feature uses many factors to determine when an account should be locked, but the primary factor is the password pattern. The smart lockout feature considers slight variations of a password as a set, and they’re counted as a single try. For example:
5254

articles/active-directory/develop/scenario-protected-web-api-app-configuration.md

Lines changed: 2 additions & 1 deletion
@@ -205,7 +205,8 @@ This table describes the validators:
205205

206206
The validators are associated with properties of the **TokenValidationParameters** class. The properties are initialized from the ASP.NET and ASP.NET Core configuration.
207207

208-
In most cases, you don't need to change the parameters. Apps that aren't single tenants are exceptions. These web apps accept users from any organization or from personal Microsoft accounts. Issuers in this case must be validated. Microsoft.Identity.Web takes care of the issuer validation as well. For details see Microsoft.Identity.Web [AadIssuerValidator](https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web/Resource/AadIssuerValidator.cs).
208+
In most cases, you don't need to change the parameters. Apps that aren't single tenants are exceptions. These web apps accept users from any organization or from personal Microsoft accounts. Issuers in this case must be validated. Microsoft.Identity.Web takes care of the issuer validation as well.
209+
209210

210211
In ASP.NET Core, if you want to customize the token validation parameters, use the following snippet in your *Startup.cs*:
211212
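Review bot: dropping the link to the `AadIssuerValidator` source at line 208 leaves "Microsoft.Identity.Web takes care of the issuer validation as well" with no reference to how, which matters because issuer validation for multi-tenant apps is the one case the paragraph says needs attention; if the old URL is dead, replace it with a current reference rather than removing it. The added empty line 209+ also produces two consecutive blank lines before line 210.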

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

Lines changed: 1 addition & 1 deletion
@@ -219,7 +219,7 @@ require multi-factor authentication as a grant access control.
219219
## Log in using Azure AD credentials to a Windows VM
220220

221221
> [!IMPORTANT]
222-
> Remote connection to VMs joined to Azure AD is only allowed from Windows 10 PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the **same** directory as the VM. Additionally, to RDP using Azure AD credentials, the user must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login. If using an Azure AD registered Windows 10 PC, you must enter credentials in the `AzureAD\UPN` format (for example, `AzureAD\[email protected]`). At this time, Azure Bastion can't be used to log in by using Azure Active Directory authentication with the AADLoginForWindows extension; only direct RDP is supported.
222+
> Remote connection to VMs joined to Azure AD is only allowed from Windows 10 PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the **same** directory as the VM. Additionally, to RDP using Azure AD credentials, the user must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login. If using an Azure AD registered Windows 10 PC, you must enter credentials in the `AzureAD\UPN` format (for example, `AzureAD\[email protected]`). At this time, Azure Bastion can be used to log in with Azure AD authentication [using Azure CLI and the native RDP client **mstsc**](../../bastion/connect-native-client-windows.md).
223223
224224
To log in to your Windows Server 2019 virtual machine using Azure AD:
225225
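Review bot: the rewritten note at line 222 drops the mention of the AADLoginForWindows extension from the Bastion sentence, so it is no longer clear whether the extension is still required on the VM for the Bastion path or only for direct RDP; state the prerequisite explicitly. The `AzureAD\UPN` credential format requirement two sentences earlier also reads as RDP-specific; say whether it applies when connecting through Bastion with the native client.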

articles/active-directory/fundamentals/multi-tenant-common-considerations.md

Lines changed: 2 additions & 2 deletions
@@ -67,7 +67,7 @@ Some organizations use the mail-contact object to show users in the GAL. This ap
6767
A better approach to achieve this goal is to:
6868
* Invite guest users
6969
* Unhide them from the GAL
70-
* Disable them by [blocking them from sign in](/powershell/module/azuread/set-azureaduser&preserve-view=true).
70+
* Disable them by [blocking them from sign in](/powershell/module/azuread/set-azureaduser).
7171

7272
A mail-contact object cannot be converted to a user object. Therefore, any properties associated with a mail-contact object cannot be transferred. For example, group memberships and other resource access aren't transferred.
7373
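Review bot: removing `&preserve-view=true` at line 70 is correct, since the parameter only has meaning alongside a `?view=` query string and this link had none. The bullet still says only "blocking them from sign in" and links to the whole `Set-AzureADUser` reference; naming the relevant setting (the cmdlet's `-AccountEnabled` parameter, set to `$false`) would make the step actionable without the reader having to hunt through the reference page.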

@@ -207,4 +207,4 @@ You can enable a full fidelity experience in Teams by using B2B External Members
207207

208208
[Multi-tenant end user management scenarios](multi-tenant-user-management-scenarios.md)
209209

210-
[Multi-tenant common solutions](multi-tenant-common-solutions.md)
210+
[Multi-tenant common solutions](multi-tenant-common-solutions.md)

articles/active-directory/fundamentals/multi-tenant-user-management-scenarios.md

Lines changed: 1 addition & 1 deletion
@@ -175,7 +175,7 @@ This will require automatic synchronization and identity management to configure
175175

176176
### Provision accounts
177177

178-
This advanced deployment uses [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) (MIM) as a synchronization engine. MIM calls the [MS Graph API](/developer.microsoft.com/graph/) and [Exchange Online PowerShell](/powershell/exchange/exchange-online/exchange-online-powershell?view=exchange-ps&preserve-view=true). Alternative implementations can include the cloud hosted [Active Directory Synchronization Services](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview) (ADSS) managed service offering from [Microsoft Consulting Services](/industry/services/consulting). There are also non-Microsoft offerings that can be created from scratch with other identity management offerings.
178+
This advanced deployment uses [Microsoft Identity Manager](/microsoft-identity-manager/microsoft-identity-manager-2016) (MIM) as a synchronization engine. MIM calls the [MS Graph API](https://developer.microsoft.com/graph) and [Exchange Online PowerShell](/powershell/exchange/exchange-online/exchange-online-powershell?view=exchange-ps&preserve-view=true). Alternative implementations can include the cloud hosted [Active Directory Synchronization Services](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview) (ADSS) managed service offering from [Microsoft Consulting Services](https://www.microsoft.com/en-us/msservices). There are also non-Microsoft offerings that can be created from scratch with other identity management offerings.
179179

180180
These are complex scenarios and we recommend you work with your partners, Microsoft account team, and any other available resources throughout your planning and execution.
181181
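Review bot: the replacement Microsoft Consulting Services URL at line 178 hard-codes an `en-us` locale segment, unlike the other links in the paragraph; use a locale-neutral URL so localized readers are not forced to the English page. The MS Graph fix (dropping the leading slash so the link is an absolute URL) is right.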

articles/active-directory/saas-apps/cpqsync-by-cincom-tutorial.md

Lines changed: 4 additions & 4 deletions
@@ -84,7 +84,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
8484
`https://cincom.okta.com/`
8585

8686
> [!NOTE]
87-
> These values are not real. Update these values with the actual Identifier and Reply URL. Contact [CPQSync by Cincom Client support team](https://cpqsupport.cincomcpq.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
87+
> These values are not real. Update these values with the actual Identifier and Reply URL. Contact [CPQSync by Cincom Client support team](https://supportweb.cincom.com/default.aspx) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
8888

8989
4. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Raw)** and select **Download** to download the certificate and save it on your computer.
9090

@@ -126,11 +126,11 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
126126

127127
## Configure CPQSync by Cincom SSO
128128

129-
To configure single sign-on on **CPQSync by Cincom** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [CPQSync by Cincom support team](https://cpqsupport.cincomcpq.com). They set this setting to have the SAML SSO connection set properly on both sides.
129+
To configure single sign-on on **CPQSync by Cincom** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [CPQSync by Cincom support team](https://supportweb.cincom.com/default.aspx). They set this setting to have the SAML SSO connection set properly on both sides.
130130

131131
### Create CPQSync by Cincom test user
132132

133-
In this section, you create a user called B.Simon in CPQSync by Cincom. Work with [CPQSync by Cincom support team](https://cpqsupport.cincomcpq.com) to add the users in the CPQSync by Cincom platform. Users must be created and activated before you use single sign-on.
133+
In this section, you create a user called B.Simon in CPQSync by Cincom. Work with [CPQSync by Cincom support team](https://supportweb.cincom.com/default.aspx) to add the users in the CPQSync by Cincom platform. Users must be created and activated before you use single sign-on.
134134

135135
## Test SSO
136136
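Review bot: at line 129 "They set this setting to have the SAML SSO connection set properly on both sides" is awkward; suggest "They configure their side so that the SAML SSO connection is set up correctly on both sides." The new support URL is identical in all three places changed in this file, so it is worth confirming that `https://supportweb.cincom.com/default.aspx` is the product-specific support page rather than a generic landing page, since the note in the first hunk promises the reader it is where they obtain the Identifier and Reply URL.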

@@ -144,4 +144,4 @@ When you click the CPQSync by Cincom tile in the Access Panel, you should be aut
144144

145145
- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
146146

147-
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
147+
- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)

articles/api-management/how-to-configure-service-fabric-backend.md

Lines changed: 8 additions & 4 deletions
@@ -112,17 +112,21 @@ Add the [`set-backend-service`](api-management-transformation-policies.md#SetBac
112112

113113
1. On the **Design** tab, in the **Inbound processing** section, select the code editor (**</>**) icon.
114114
1. Position the cursor inside the **&lt;inbound&gt;** element
115-
1. Add the following policy statement. In `backend-id`, substitute the name of your Service Fabric backend.
115+
1. Add the `set-service-backend` policy statement.
116+
* In `backend-id`, substitute the name of your Service Fabric backend.
116117

117-
The `sf-resolve-condition` is a retry condition if the cluster partition isn't resolved. The number of retries was set when configuring the backend.
118+
* The `sf-resolve-condition` is a condition for re-resolving a service location and resending a request. The number of retries was set when configuring the backend. For example:
118119

119-
```xml
120-
<set-backend-service backend-id="mysfbackend" sf-resolve-condition="@(context.LastError?.Reason == "BackendConnectionFailure")" />
120+
```xml
121+
<set-backend-service backend-id="mysfbackend" sf-resolve-condition="@(context.LastError?.Reason == "BackendConnectionFailure")"/>
121122
```
122123
1. Select **Save**.
123124

124125
:::image type="content" source="media/backends/set-backend-service.png" alt-text="Configure set-backend-service policy":::
125126

127+
> [!NOTE]
128+
> If one or more nodes in the Service Fabric cluster goes down or is removed, API Management does not get an automatic notification and continues to send traffic to these nodes. To handle these cases, configure a resolve condition similar to: `sf-resolve-condition="@((int)context.Response.StatusCode != 200 || context.LastError?.Reason == "BackendConnectionFailure" || context.LastError?.Reason == "Timeout")"`
129+
126130
### Test backend API
127131

128132
1. On the **Test** tab, select the **GET** operation you created in a previous section.
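Review bot: line 115+ tells the reader to add the `set-service-backend` policy, but the policy shown at line 121 and named in the hunk header is `set-backend-service`; fix the typo or readers will search the policy reference for a name that does not exist. Separately, the example condition in the new note at line 128 re-resolves and resends on any non-200 status (`(int)context.Response.StatusCode != 200`), so a 4xx caused by the request itself, or a 201/204 from a successful write, would trigger a resend; suggest restricting the status check to 5xx responses and noting that resending on `Timeout` is only safe for idempotent operations.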

articles/availability-zones/cross-region-replication-azure.md

Lines changed: 1 addition & 1 deletion
@@ -61,7 +61,7 @@ Regions are paired for cross-region replication based on proximity and other fac
6161
| India |Central India |South India |
6262
| India |West India |South India |
6363
| Japan |Japan East |Japan West |
64-
| Korea |Korea Central |Korea South |
64+
| Korea |Korea Central |Korea South\* |
6565
| North America |East US |West US |
6666
| North America |East US 2 |Central US |
6767
| North America |North Central US |South Central US |
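Review bot: the `\*` added to "Korea South" at line 64 needs a matching footnote explaining the exception, and none appears in this hunk; confirm the footnote exists beneath the table and uses the same marker, otherwise the asterisk is noise to the reader.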

articles/azure-arc/servers/agent-overview.md

Lines changed: 10 additions & 7 deletions
@@ -1,14 +1,14 @@
11
---
2-
title: Overview of the Connected Machine agent
2+
title: Overview of the Azure Connected Machine agent
33
description: This article provides a detailed overview of the Azure Arc-enabled servers agent available, which supports monitoring virtual machines hosted in hybrid environments.
44
ms.date: 11/03/2021
55
ms.topic: conceptual
66
ms.custom: devx-track-azurepowershell
77
---
88

9-
# Overview of Azure Arc-enabled servers agent
9+
# Overview of Azure Connected Machine agent
1010

11-
The Azure Arc-enabled servers Connected Machine agent enables you to manage your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers. This article provides a detailed overview of the agent, system and network requirements, and the different deployment methods.
11+
The Azure Connected Machine agent enables you to manage your Windows and Linux machines hosted outside of Azure on your corporate network or other cloud providers. This article provides a detailed overview of the agent, system and network requirements, and the different deployment methods.
1212

1313
>[!NOTE]
1414
> The [Azure Monitor agent](../../azure-monitor/agents/azure-monitor-agent-overview.md) (AMA) does not replace the Connected Machine agent. The Azure Monitor agent will replace the Log Analytics agent, Diagnostics extension, and Telegraf agent for both Windows and Linux machines. Review the Azure Monitor documentation about the new agent for more details.
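Review bot: the rename to "Azure Connected Machine agent" at lines 2, 9 and 11 is not carried through: the `description:` at line 3 still says "Azure Arc-enabled servers agent" and the note at line 14 says "Connected Machine agent". Pick one name and apply it consistently, since the description is what search results and link previews show.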
@@ -49,6 +49,10 @@ Metadata information about the connected machine is collected after the Connecte
4949
* Policy compliance status and details (if using guest configuration policies)
5050
* SQL Server installed (Boolean value)
5151
* Cluster resource ID (for Azure Stack HCI nodes)
52+
* Hardware manufacturer
53+
* Hardware model
54+
* Cloud provider
55+
* Amazon Web Services (AWS) account ID, instance ID and region (if running in AWS)
5256

5357
The following metadata information is requested by the agent from Azure:
5458
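Review bot: the four new metadata items at lines 52-55, in particular the AWS account ID, are identifiers some organizations treat as sensitive, and the list gives no indication of which agent version began collecting them or where they surface in Azure; a short sentence after the list, or a version note on the new bullets, would let administrators auditing outbound data flows answer both questions.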

@@ -160,13 +164,12 @@ To ensure the security of data in transit to Azure, we strongly encourage you to
160164

161165
## Networking configuration
162166

163-
The Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. If the machine needs to connect through a firewall or proxy server to communicate over the internet, the agent communicates outbound instead using the HTTP protocol. Proxy servers don't make the Connected Machine agent more secure because the traffic is already encrypted.
167+
The Azure Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. By default, the agent uses the default route to the internet to reach Azure services. You can optionally [configure the agent to use a proxy server](manage-agent.md#update-or-remove-proxy-settings) if your network requires it. Proxy servers don't make the Connected Machine agent more secure because the traffic is already encrypted.
164168

165169
To further secure your network connectivity to Azure Arc, instead of using public networks and proxy servers, you can implement an [Azure Arc Private Link Scope](private-link-security.md) (preview).
166170

167171
> [!NOTE]
168172
> Azure Arc-enabled servers does not support using a [Log Analytics gateway](../../azure-monitor/agents/gateway.md) as a proxy for the Connected Machine agent.
169-
>
170173
171174
If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs listed below are not blocked. When you only allow the IP ranges or domain names required for the agent to communicate with the service, you need to allow access to the following Service Tags and URLs.
172175
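Review bot: the old paragraph at line 163 claimed the agent falls back to "the HTTP protocol" via a proxy; the rewrite at line 167 correctly removes that, but the remaining "the traffic is already encrypted" now has nothing explicit to anchor it. Suggest stating that the proxied connection is still TLS on TCP port 443, so nobody reads the proxy option as a downgrade. Removing the stray `>` continuation line at 169 inside the note is fine.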

@@ -182,7 +185,7 @@ URLs:
182185

183186
| Agent resource | Description |
184187
|---------|---------|
185-
|`azgn*.servicebus.windows.net`|Azure Arc Connectivity Platform|
188+
|`azgn*.servicebus.windows.net`|Notification service for extensions|
186189
|`management.azure.com`|Azure Resource Manager|
187190
|`login.windows.net`|Azure Active Directory|
188191
|`login.microsoftonline.com`|Azure Active Directory|
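Review bot: the relabel at line 188 changes only the description; `azgn*.servicebus.windows.net` remains a wildcard host, and a firewall or proxy that cannot match wildcard FQDNs will need a different allow-list entry. Worth a sentence under the table, since the surrounding text tells readers to allow access to the listed Service Tags and URLs.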
@@ -313,7 +316,7 @@ After installing the Connected Machine agent for Linux, the following system-wid
313316

314317
### Agent resource governance
315318

316-
Azure Arc-enabled servers Connected Machine agent is designed to manage agent and system resource consumption. The agent approaches resource governance under the following conditions:
319+
Azure Connected Machine agent is designed to manage agent and system resource consumption. The agent approaches resource governance under the following conditions:
317320

318321
* The Guest Configuration agent is limited to use up to 5% of the CPU to evaluate policies.
319322
* The Extension Service agent is limited to use up to 5% of the CPU to install and manage extensions.
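Review bot: line 319 drops the article: "Azure Connected Machine agent is designed" should read "The Azure Connected Machine agent is designed", matching the phrasing at line 11 of the first hunk.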
