MicrosoftDocs
diff --git a/‎articles/active-directory/authentication/concept-authentication-passwordless.md
Lines changed: 3 additions & 1 deletion b/‎articles/active-directory/authentication/concept-authentication-passwordless.md
Lines changed: 3 additions & 1 deletion
diff --git a/‎articles/active-directory/develop/TOC.yml
Lines changed: 0 additions & 2 deletions b/‎articles/active-directory/develop/TOC.yml
Lines changed: 0 additions & 2 deletions
diff --git a/‎articles/active-directory/fundamentals/active-directory-deployment-plans.md
Lines changed: 104 additions & 71 deletions b/‎articles/active-directory/fundamentals/active-directory-deployment-plans.md
Lines changed: 104 additions & 71 deletions
diff --git a/‎articles/active-directory/governance/trigger-custom-task.md
Lines changed: 3 additions & 3 deletions b/‎articles/active-directory/governance/trigger-custom-task.md
Lines changed: 3 additions & 3 deletions
diff --git a/‎articles/active-directory/identity-protection/overview-identity-protection.md
Lines changed: 1 addition & 2 deletions b/‎articles/active-directory/identity-protection/overview-identity-protection.md
Lines changed: 1 addition & 2 deletions
diff --git a/‎articles/active-directory/manage-apps/protect-against-consent-phishing.md
Lines changed: 3 additions & 3 deletions b/‎articles/active-directory/manage-apps/protect-against-consent-phishing.md
Lines changed: 3 additions & 3 deletions
diff --git a/‎articles/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/saas-apps/media/zenya-tutorial/information.png
-1.52 KB b/‎articles/active-directory/saas-apps/media/zenya-tutorial/information.png
-1.52 KB
diff --git a/‎articles/active-directory/saas-apps/zenya-tutorial.md
Lines changed: 3 additions & 1 deletion b/‎articles/active-directory/saas-apps/zenya-tutorial.md
Lines changed: 3 additions & 1 deletion
diff --git a/‎articles/aks/http-proxy.md
Lines changed: 26 additions & 19 deletions b/‎articles/aks/http-proxy.md
Lines changed: 26 additions & 19 deletions
@@ -113,6 +113,7 @@ The following providers offer FIDO2 security keys of different form factors that
 |---------------------------|:-----------------:|:---:|:---:|:---:|:--------------:|-----------------------------------------------------------------------------------------------------|
 | AuthenTrend               | ![y]              | ![y]| ![y]| ![y]| ![n]           | https://authentrend.com/about-us/#pg-35-3                                                           |
 | Ciright                   | ![n]              | ![n]| ![y]| ![n]| ![n]           | https://www.cyberonecard.com/                                                                       |
+| Crayonic                  | ![y]              | ![n]| ![y]| ![y]| ![n]           | https://www.crayonic.com/keyvault                                                                   |
 | Ensurity                  | ![y]              | ![y]| ![n]| ![n]| ![n]           | https://www.ensurity.com/contact                                                                    |
 | Excelsecu                 | ![y]              | ![y]| ![y]| ![y]| ![n]           | https://www.excelsecu.com/productdetail/esecufido2secu.html                                         |
 | Feitian                   | ![y]              | ![y]| ![y]| ![y]| ![y]           | https://shop.ftsafe.us/pages/microsoft                                                              |
@@ -121,9 +122,11 @@ The following providers offer FIDO2 security keys of different form factors that
 | GoTrustID Inc.            | ![n]              | ![y]| ![y]| ![y]| ![n]           | https://www.gotrustid.com/idem-key                                                                  |
 | HID                       | ![n]              | ![y]| ![y]| ![n]| ![n]           | https://www.hidglobal.com/contact-us                                                                |
 | Hypersecu                 | ![n]              | ![y]| ![n]| ![n]| ![n]           | https://www.hypersecu.com/hyperfido                                                                 |
+| Identiv                   | ![n]              | ![y]| ![y]| ![n]| ![n]           | https://www.identiv.com/products/logical-access-control/utrust-fido2-security-keys/nfc              |
 | IDmelon Technologies Inc. | ![y]              | ![y]| ![y]| ![y]| ![n]           | https://www.idmelon.com/#idmelon                                                                    |
 | Kensington                | ![y]              | ![y]| ![n]| ![n]| ![n]           | https://www.kensington.com/solutions/product-category/why-biometrics/                               |
 | KONA I                    | ![y]              | ![n]| ![y]| ![y]| ![n]           | https://konai.com/business/security/fido                                                            |
+| Movenda                   | ![y]              | ![n]| ![y]| ![y]| ![n]           | https://www.movenda.com/en/authentication/fido2/overview                                            |
 | NeoWave                   | ![n]              | ![y]| ![y]| ![n]| ![n]           | https://neowave.fr/en/products/fido-range/                                                          |
 | Nymi                      | ![y]              | ![n]| ![y]| ![n]| ![n]           | https://www.nymi.com/nymi-band                                                                      | 
 | Octatco                   | ![y]              | ![y]| ![n]| ![n]| ![n]           | https://octatco.com/                                                                                |
@@ -137,7 +140,6 @@ The following providers offer FIDO2 security keys of different form factors that
 | Yubico                    | ![y]              | ![y]| ![y]| ![n]| ![y]           | https://www.yubico.com/solutions/passwordless/                                                      |
 
 
-
 <!--Image references-->
 [y]: ./media/fido2-compatibility/yes.png
 [n]: ./media/fido2-compatibility/no.png
 
@@ -120,8 +120,6 @@
               href: support-fido2-authentication.md
         - name: Customize tokens and claims
           items:
-            - name: Claims mapping policy type
-              href: reference-claims-mapping-policy-type.md
             - name: Configure optional claims
               href: active-directory-optional-claims.md
             - name: Configure role claim
 
@@ -36,11 +36,11 @@ To use a custom task extension in your workflow, first a custom task extension m
 
 1. In the left menu, select **Workflows (Preview)**.
 
-1. On the workflows screen, select **custom task extension**. 
+1. On the workflows screen, select **Custom task extension**. 
     :::image type="content" source="media/trigger-custom-task/custom-task-extension-select.png" alt-text="Screenshot of selecting a custom task extension from a workflow overview page.":::
-1. On the custom task extensions page, select **create custom task extension**.
+1. On the custom task extensions page, select **Create custom task extension**.
     :::image type="content" source="media/trigger-custom-task/create-custom-task-extension.png" alt-text="Screenshot for creating a custom task extension selection.":::
-1. On the basics page you, give a display name and description for the custom task extension and select **Next**.
+1. On the basics page you, enter a unique display name and description for the custom task extension and select **Next**.
     :::image type="content" source="media/trigger-custom-task/custom-task-extension-basics.png" alt-text="Screenshot of the basics section for creating a custom task extension.":::
 1. On the **Task behavior** page, you specify how the custom task extension will behave after executing the Azure Logic App and select **Next**.
     :::image type="content" source="media/trigger-custom-task/custom-task-extension-behavior.png" alt-text="Screenshot for choose task behavior for custom task extension.":::
 
@@ -96,8 +96,7 @@ Conditional Access administrators can create policies that factor in user or sig
 
 | Capability | Details | Azure AD Free / Microsoft 365 Apps | Azure AD Premium P1 | Azure AD Premium P2 |
 | --- | --- | --- | --- | --- |
-| Risk policies | User risk policy (via Identity Protection) | No | No | Yes | 
-| Risk policies | Sign-in risk policy (via Identity Protection or Conditional Access) | No | No | Yes |
+| Risk policies | Sign-in and user risk policies (via Identity Protection or Conditional Access) | No | No | Yes |
 | Security reports | Overview | No | No | Yes |
 | Security reports | Risky users | Limited Information. Only users with medium and high risk are shown. No details drawer or risk history. | Limited Information. Only users with medium and high risk are shown. No details drawer or risk history. | Full access|
 | Security reports | Risky sign-ins | Limited Information. No risk detail or risk level is shown. | Limited Information. No risk detail or risk level is shown. | Full access |
 
@@ -62,9 +62,9 @@ Administrators should be in control of application use by providing the right in
   - Block [consent phishing emails with Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/set-up-anti-phishing-policies#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365) by protecting against phishing campaigns where an attacker is impersonating a known user in the organization.
   - Configure Microsoft Defender for Cloud Apps policies to help manage abnormal application activity in the organization. For example, [activity policies](/cloud-app-security/user-activity-policies), [anomaly detection](/cloud-app-security/anomaly-detection-policy), and [OAuth app policies](/cloud-app-security/app-permission-policy).
   - Investigate and hunt for consent phishing attacks by following the guidance on [advanced hunting with Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview).
-- Allow access to trusted applications and protect against those applications that aren't:
-  - Use applications that have been publisher verified. [Publisher verification](../develop/publisher-verification-overview.md) helps administrators and users understand the authenticity of application developers through a Microsoft supported vetting process.
-  - [Configure user consent settings](./configure-user-consent.md?tabs=azure-portal) to allow users to only consent to specific trusted applications, such as applications developed by the organization or from verified publishers and only for low risk permissions you select.
+- Allow access to trusted applications that meet certain criteria and that protect against those applications that don't:
+  - [Configure user consent settings](./configure-user-consent.md?tabs=azure-portal) to allow users to only consent to applications that meet certain criteria, such as applications developed by your organization or from verified publishers and only for low risk permissions you select.
+  - Use applications that have been publisher verified. [Publisher verification](../develop/publisher-verification-overview.md) helps administrators and users understand the authenticity of application developers through a Microsoft supported vetting process. Even if an application does have a verified publisher, it is still important to review the consent prompt to understand and evaluate the request. For example, reviewing the permissions being requested to ensure they align with the scenario the app is requesting them to enable, additional app and publisher details on the consent prompt, etc.
   - Create proactive [application governance](/microsoft-365/compliance/app-governance-manage-app-governance) policies to monitor third-party application behavior on the Microsoft 365 platform to address common suspicious application behaviors.
 
 ## Next steps
 
@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
 ms.subservice: pim
-ms.date: 10/20/2022
+ms.date: 1/9/2023
 ms.author: amsliu
 ms.custom: pim
 ms.collection: M365-identity-device-management
@@ -26,7 +26,7 @@ The need for access to privileged Azure resource and Azure AD roles by employees
 
  To create access reviews for Azure resources, you must be assigned to the [Owner](../../role-based-access-control/built-in-roles.md#owner) or the [User Access Administrator](../../role-based-access-control/built-in-roles.md#user-access-administrator) role for the Azure resources. To create access reviews for Azure AD roles, you must be assigned to the [Global Administrator](../roles/permissions-reference.md#global-administrator) or the [Privileged Role Administrator](../roles/permissions-reference.md#privileged-role-administrator) role.
 
-Access Reviews for **Service Principals** requires an Entra Workload Identities Premium plan. 
+Access Reviews for **Service Principals** requires an Entra Workload Identities Premium plan in addition to Azure AD Premium P2 license. 
 
 - Workload Identities Premium licensing: You can view and acquire licenses on the [Workload Identities blade](https://portal.azure.com/#view/Microsoft_Azure_ManagedServiceIdentity/WorkloadIdentitiesBlade) in the Azure portal.
 
 
@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 11/21/2022
+ms.date: 01/09/2023
 ms.author: jeedes
 ---
 
@@ -93,6 +93,8 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
 	b. Fill the **Identifier** box with the value that's displayed behind the label **EntityID** on the **Zenya SAML2 info** page. This page is still open in your other browser tab.
 
 	c. Fill the **Reply-URL** box with the value that's displayed behind the label **Reply URL** on the **Zenya SAML2 info** page. This page is still open in your other browser tab.
+	
+	d. Fill the **Logout-URL** box with the value that's displayed behind the label **Logout URL** on the **Zenya SAML2 info** page. This page is still open in your other browser tab.
 
 1. Zenya application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
 
 
@@ -4,7 +4,7 @@ description: Use the HTTP proxy configuration feature for Azure Kubernetes Servi
 services: container-service
 author: nickomang
 ms.topic: article
-ms.date: 05/23/2022
+ms.date: 01/09/2023
 ms.author: nickoman
 ---
 
@@ -19,21 +19,22 @@ Some more complex solutions may require creating a chain of trust to establish s
 ## Limitations and other details
 
 The following scenarios are **not** supported:
+
 - Different proxy configurations per node pool
 - Updating proxy settings post cluster creation
 - User/Password authentication
 - Custom CAs for API server communication
 - Windows-based clusters
 - Node pools using Virtual Machine Availability Sets (VMAS)
+- Using * as wildcard attached to a domain suffix for noProxy
 
 By default, *httpProxy*, *httpsProxy*, and *trustedCa* have no value.
 
 ## Prerequisites
 
-* An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).
-* Latest version of [Azure CLI installed](/cli/azure/install-azure-cli).
+The latest version of the Azure CLI. Run `az --version` to find the version, and run `az upgrade` to upgrade the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
 
-## Configuring an HTTP proxy using Azure CLI 
+## Configuring an HTTP proxy using the Azure CLI
 
 Using AKS with an HTTP proxy is done at cluster creation, using the [az aks create][az-aks-create] command and passing in configuration as a JSON file.
 
@@ -50,13 +51,18 @@ The schema for the config file looks like this:
 }
 ```
 
-`httpProxy`: A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must be `http`.
-`httpsProxy`: A proxy URL to use for creating HTTPS connections outside the cluster. If this is not specified, then `httpProxy` is used for both HTTP and HTTPS connections.
-`noProxy`: A list of destination domain names, domains, IP addresses or other network CIDRs to exclude proxying.
-`trustedCa`: A string containing the `base64 encoded` alternative CA certificate content. For now we only support `PEM` format. Another thing to note is that, for compatibility with Go-based components that are part of the Kubernetes system, the certificate MUST support `Subject Alternative Names(SANs)` instead of the deprecated Common Name certs.
+* `httpProxy`: A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must be `http`.
+* `httpsProxy`: A proxy URL to use for creating HTTPS connections outside the cluster. If this isn't specified, then `httpProxy` is used for both HTTP and HTTPS connections.
+* `noProxy`: A list of destination domain names, domains, IP addresses or other network CIDRs to exclude proxying.
+* `trustedCa`: A string containing the `base64 encoded` alternative CA certificate content. Currently only the `PEM` format is supported.
+
+> [!IMPORTANT]
+> For compatibility with Go-based components that are part of the Kubernetes system, the certificate **must** support `Subject Alternative Names(SANs)` instead of the deprecated Common Name certs.
 
 Example input:
-Note the CA cert should be the base64 encoded string of the PEM format cert content.
+
+> [!NOTE]
+> The CA certificate should be the base64 encoded string of the PEM format cert content.
 
 ```json
 {
@@ -70,7 +76,7 @@ Note the CA cert should be the base64 encoded string of the PEM format cert cont
 }
 ```
 
-Create a file and provide values for *httpProxy*, *httpsProxy*, and *noProxy*. If your environment requires it, also provide a *trustedCa* value. Next, deploy a cluster, passing in your filename via the `http-proxy-config` flag.
+Create a file and provide values for *httpProxy*, *httpsProxy*, and *noProxy*. If your environment requires it, provide a value for *trustedCa*. Next, deploy a cluster, passing in your filename using the `http-proxy-config` flag.
 
 ```azurecli
 az aks create -n $clusterName -g $resourceGroup --http-proxy-config aks-proxy-config.json
@@ -80,7 +86,7 @@ Your cluster will initialize with the HTTP proxy configured on the nodes.
 
 ## Configuring an HTTP proxy using Azure Resource Manager (ARM) templates
 
-Deploying an AKS cluster with an HTTP proxy configured via ARM template is straightforward. The same schema used for CLI deployment exists in the `Microsoft.ContainerService/managedClusters` definition under properties:
+Deploying an AKS cluster with an HTTP proxy configured using an ARM template is straightforward. The same schema used for CLI deployment exists in the `Microsoft.ContainerService/managedClusters` definition under properties:
 
 ```json
 "properties": {
@@ -96,34 +102,34 @@ Deploying an AKS cluster with an HTTP proxy configured via ARM template is strai
 }
 ```
 
-In your template, provide values for *httpProxy*, *httpsProxy*, and *noProxy*. If necessary, also provide a value for `*trustedCa*. Deploy the template, and your cluster should initialize with your HTTP proxy configured on the nodes.
+In your template, provide values for *httpProxy*, *httpsProxy*, and *noProxy*. If necessary, provide a value for *trustedCa*. Deploy the template, and your cluster should initialize with your HTTP proxy configured on the nodes.
 
 ## Handling CA rollover
 
-Values for *httpProxy*, *httpsProxy*, and *noProxy* cannot be changed after cluster creation. However, to support rolling CA certs, the value for *trustedCa* can be changed and applied to the cluster with the [az aks update][az-aks-update] command.
+Values for *httpProxy*, *httpsProxy*, and *noProxy* can't be changed after cluster creation. However, to support rolling CA certs, the value for *trustedCa* can be changed and applied to the cluster with the [az aks update][az-aks-update] command.
 
-For example, assuming a new file has been created with the base64 encoded string of the new CA cert called *aks-proxy-config-2.json*, the following action will update the cluster:
+For example, assuming a new file has been created with the base64 encoded string of the new CA cert called *aks-proxy-config-2.json*, the following action updates the cluster:
 
 ```azurecli
 az aks update -n $clusterName -g $resourceGroup --http-proxy-config aks-proxy-config-2.json
 ```
 
 ## Monitoring add-on configuration
 
-When using the HTTP proxy with the Monitoring add-on, the following configurations are supported:
+The HTTP proxy with the Monitoring add-on supports the following configurations:
 
   - Outbound proxy without authentication
   - Outbound proxy with username & password authentication
   - Outbound proxy with trusted cert for Log Analytics endpoint
 
-The following configurations are not supported:
+The following configurations aren't supported:
 
-  - The Custom Metrics and Recommended Alerts features are not supported when using proxy with trusted cert
-  - Outbound proxy is not supported with Azure Monitor Private Link Scope (AMPLS)
+  - The Custom Metrics and Recommended Alerts features aren't supported when you use a proxy with trusted certificates
+  - Outbound proxy isn't supported with Azure Monitor Private Link Scope (AMPLS)
 
 ## Next steps
-- For more on the network requirements of AKS clusters, see [control egress traffic for cluster nodes in AKS][aks-egress].
 
+For more information regarding the network requirements of AKS clusters, see [control egress traffic for cluster nodes in AKS][aks-egress].
 
 <!-- LINKS - internal -->
 [aks-egress]: ./limit-egress-traffic.md
@@ -134,3 +140,4 @@ The following configurations are not supported:
 [az-provider-register]: /cli/azure/provider#az_provider_register
 [az-extension-add]: /cli/azure/extension#az_extension_add
 [az-extension-update]: /cli/azure/extension#az-extension-update
+[install-azure-cli]: /cli/azure/install-azure-cli