Merge pull request #259895 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: v-ccolin

articles/active-directory-b2c/add-password-reset-policy.md

@@ -2,18 +2,16 @@
 title: Set up a password reset flow
 titleSuffix: Azure AD B2C
 description: Learn how to set up a password reset flow in Azure Active Directory B2C (Azure AD B2C).
-
 author: garrodonnell
 manager: CelesteDG
-
 ms.service: active-directory
-
 ms.topic: how-to
-ms.date: 10/25/2022
-ms.custom:  
+ms.date: 11/27/2023
 ms.author: godonnell
 ms.subservice: B2C
 zone_pivot_groups: b2c-policy-type
+
+#Customer intent: As a developer, I want to enable my users to reset their passwords without the need for admin intervention, so that they can recover their accounts if they forget their passwords.
 ---
 
 # Set up a password reset flow in Azure Active Directory B2C
@@ -22,38 +20,25 @@ zone_pivot_groups: b2c-policy-type
 
 In a [sign-up and sign-in journey](add-sign-up-and-sign-in-policy.md), a user can reset their own password by using the **Forgot your password?** link. This self-service password reset flow applies to local accounts in Azure Active Directory B2C (Azure AD B2C) that use an [email address](sign-in-options.md#email-sign-in) or a [username](sign-in-options.md#username-sign-in) with a password for sign-in.
 
+> [!TIP]
+> A user can change their password by using the self-service password reset flow if they forget their password and want to reset it. You can also choose one of the following user flow options to change a user's password:
+> - If a user knows their password and wants to change it, use a [password change flow](add-password-change-policy.md).
+> - If you want to force a user to reset their password (for example, when they sign in for the first time, when their passwords have been reset by an admin, or after they've been migrated to Azure AD B2C with random passwords), use a [force password reset](force-password-reset.md) flow.
+
 The password reset flow involves the following steps:
 
 1. On the sign-up and sign-in page, the user selects the **Forgot your password?** link. Azure AD B2C initiates the password reset flow.
 1. In the next dialog that appears, the user enters their email address, and then selects **Send verification code**. Azure AD B2C sends a verification code to the user's email account. The user copies the verification code from the email, enters the code in the Azure AD B2C password reset dialog, and then selects **Verify code**.
-1. The user can then enter a new password. (After the email is verified, the user can still select the **Change e-mail** button; see [Hide the change email button](#hide-the-change-email-button).)
+1. The user can then enter a new password. (After the email is verified, the user can still select the **Change e-mail** button; see [Hide the change email button](#hide-the-change-email-button-optional) if you wish to remove it.)
 
 :::image type="content" source="./media/add-password-reset-policy/password-reset-flow.png" alt-text="Diagram that shows three dialogs in the password reset flow." lightbox="./media/add-password-reset-policy/password-reset-flow.png":::
 
-> [!TIP]
-> A user can change their password by using the self-service password reset flow if they forget their password and want to reset it. You can also choose one of the following user flow options:
-> - If a user knows their password and wants to change it, use a [password change flow](add-password-change-policy.md).
-> - If you want to force a user to reset their password (for example, when they sign in for the first time, when their passwords have been reset by an admin, or after they've been migrated to Azure AD B2C with random passwords), use a [force password reset](force-password-reset.md) flow.
-
 The default name of the **Change email** button in *selfAsserted.html* is **changeclaims**. To find the button name, on the sign-up page, inspect the page source by using a browser tool such as _Inspect_.
 
 ## Prerequisites
 
 [!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)]
 
-### Hide the change email button
-
-After the email is verified, the user can still select **Change email**, enter another email address, and then repeat email verification. If you'd prefer to hide the **Change email** button, you can modify the CSS to hide the associated HTML elements in the dialog. For example, you can add the following CSS entry to selfAsserted.html and [customize the user interface by using HTML templates](customize-ui-with-html.md):
-
-```html
-<style type="text/css">
-   .changeClaims
-   {
-     visibility: hidden;
-   }
-</style>
-```
-
 ## Self-service password reset (recommended)
 
 The new password reset experience is now part of the sign-up or sign-in policy. When the user selects the **Forgot your password?** link, they are immediately sent to the Forgot Password experience. Your application no longer needs to handle the [AADB2C90118 error code](#password-reset-policy-legacy), and you don't need a separate policy for password reset.
@@ -292,6 +277,19 @@ Your application might need to detect whether the user signed in by using the Fo
 
 ::: zone-end
 
+### Hide the change email button (Optional)
+
+After the email is verified, the user can still select **Change email**, enter another email address, and then repeat email verification. If you'd prefer to hide the **Change email** button, you can modify the CSS to hide the associated HTML elements in the dialog. For example, you can add the following CSS entry to selfAsserted.html and [customize the user interface by using HTML templates](customize-ui-with-html.md):
+
+```html
+<style type="text/css">
+   .changeClaims
+   {
+     visibility: hidden;
+   }
+</style>
+```
+
 ### Test the password reset flow
 
 1. Select a sign-up or sign-in user flow (Recommended type) that you want to test.
@@ -313,9 +311,9 @@ The following diagram depicts the process:
 1. The user selects the **Forgot your password?** link. Azure AD B2C returns the `AADB2C90118` error code to the application.
 1. The application handles the error code and initiates a new authorization request. The authorization request specifies the password reset policy name, such as *B2C_1_pwd_reset*.
 
-    ![Diagram that shows the legacy password reset user flow.](./media/add-password-reset-policy/password-reset-flow-legacy.png)
+:::image type="content" source="./media/add-password-reset-policy/password-reset-flow-legacy.png" alt-text="Diagram that shows the legacy password reset user flow with numbered steps.":::
 
-You can see a basic [ASP.NET sample](https://github.com/AzureADQuickStarts/B2C-WebApp-OpenIDConnect-DotNet-SUSI), which demonstrates how user flows link.
+You can see a basic demonstration of how user flows link in our [ASP.NET sample](https://github.com/AzureADQuickStarts/B2C-WebApp-OpenIDConnect-DotNet-SUSI).
 
 ::: zone pivot="b2c-user-flow"
 

articles/aks/azure-cni-overlay.md

@@ -29,6 +29,12 @@ You can provide outbound (egress) connectivity to the internet for Overlay pods
 
 You can configure ingress connectivity to the cluster using an ingress controller, such as Nginx or [HTTP application routing](./http-application-routing.md). You cannot configure ingress connectivity using Azure App Gateway. For details see [Limitations with Azure CNI Overlay](#limitations-with-azure-cni-overlay).
 
+## Limitations
+
+Azure CNI Overlay networking in AKS currently has the following limitations:
+
+* In case you are using your own subnet to deploy the cluster, the names of the subnet, VNET and resource group which contains the VNET, must be 63 characters or less. This comes from the fact that these names will be used as labels in AKS worker nodes, and are therefore subjected to [Kubernetes label syntax rules](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set).  
+
 ## Regional availability for ARM64 node pools
 
 Azure CNI Overlay is currently unavailable for ARM64 node pools in the following regions:

articles/app-service/includes/tutorial-connect-msi-azure-database/code-mysql-mi.md

@@ -0,0 +1,161 @@
+---
+author: xiaofanzhou
+ms.service: service-connector
+ms.topic: include
+ms.date: 11/13/2023
+ms.author: xiaofanzhou
+---
+
+# [.NET](#tab/dotnet-mysql-mi)
+For .NET, get an access token for the managed identity using a client library such as [Azure.Identity](https://www.nuget.org/packages/Azure.Identity/). Then use the access token as a password to connect to the database. When using the code below, make sure you uncomment the part of the code snippet that corresponds to the authentication type you want to use.
+
+```csharp
+using Azure.Core;
+using Azure.Identity;
+using MySqlConnector;
+
+// Uncomment the following lines according to the authentication type.
+// For system-assigned managed identity.
+// var credential = new DefaultAzureCredential();
+
+// For user-assigned managed identity.
+// var credential = new DefaultAzureCredential(
+//     new DefaultAzureCredentialOptions
+//     {
+//         ManagedIdentityClientId = Environment.GetEnvironmentVariable("AZURE_MYSQL_CLIENTID");
+//     });
+
+var tokenRequestContext = new TokenRequestContext(
+    new[] { "https://ossrdbms-aad.database.windows.net/.default" });
+AccessToken accessToken = await credential.GetTokenAsync(tokenRequestContext);
+// Open a connection to the MySQL server using the access token.
+string connectionString =
+    $"{Environment.GetEnvironmentVariable("AZURE_MYSQL_CONNECTIONSTRING")};Password={accessToken.Token}";
+
+using var connection = new MySqlConnection(connectionString);
+Console.WriteLine("Opening connection using access token...");
+await connection.OpenAsync();
+
+// do something
+```
+
+# [Java](#tab/java-mysql-mi)
+
+1. Add the following dependencies in your *pom.xml* file:
+
+    ```xml
+    <dependency>
+        <groupId>mysql</groupId>
+        <artifactId>mysql-connector-java</artifactId>
+        <version>8.0.30</version>
+    </dependency>
+    <dependency>
+        <groupId>com.azure</groupId>
+        <artifactId>azure-identity-extensions</artifactId>
+        <version>1.1.5</version>
+    </dependency>
+    ```
+
+1. Get the connection string from the environment variable, and add the plugin name to connect to the database:
+
+    ```java
+    String url = System.getenv("AZURE_MYSQL_CONNECTIONSTRING");  
+    String pluginName = "com.azure.identity.extensions.jdbc.mysql.AzureMysqlAuthenticationPlugin";
+    Connection connection = DriverManager.getConnection(url + "&defaultAuthenticationPlugin=" +
+        pluginName + "&authenticationPlugins=" + pluginName);
+    ```
+
+For more information, see [Use Java and JDBC with Azure Database for MySQL - Flexible Server](../../../mysql/flexible-server/connect-java.md?tabs=passwordless).
+
+# [Python](#tab/python-mysql-mi)
+
+1. Install dependencies.
+
+   ```bash
+   pip install azure-identity
+   # install Connector/Python https://dev.mysql.com/doc/connector-python/en/connector-python-installation.html
+   pip install mysql-connector-python
+   ```
+
+1. Authenticate with an access token from the `azure-identity` library. Get the connection information from the environment variable added by Service Connector. When using the code below, make sure you uncomment the part of the code snippet that corresponds to the authentication type you want to use.
+    
+    ```python
+    from azure.identity import ManagedIdentityCredential, ClientSecretCredential
+    import mysql.connector
+    import os
+    
+    # Uncomment the following lines according to the authentication type.
+    # For system-assigned managed identity.
+    # cred = ManagedIdentityCredential()    
+
+    # For user-assigned managed identity.
+    # managed_identity_client_id = os.getenv('AZURE_MYSQL_CLIENTID')
+    # cred = ManagedIdentityCredential(client_id=managed_identity_client_id)
+
+    # acquire token
+    accessToken = cred.get_token('https://ossrdbms-aad.database.windows.net/.default')
+    
+    # open connect to Azure MySQL with the access token.
+    host = os.getenv('AZURE_MYSQL_HOST')
+    database = os.getenv('AZURE_MYSQL_NAME')
+    user = os.getenv('AZURE_MYSQL_USER')
+    password = accessToken.token
+      
+    cnx = mysql.connector.connect(user=user,
+                                  password=password,
+                                  host=host,
+                                  database=database)
+    cnx.close()
+    
+    ```
+
+# [NodeJS](#tab/nodejs-mysql-mi)
+
+1. Install dependencies.
+
+   ```bash
+   npm install --save @azure/identity
+   npm install --save mysql2
+   ```
+
+1. Get an access token using `@azure/identity` and the Azure MySQL database information from the environment variables added by Service Connector.  When using the code below, make sure you uncomment the part of the code snippet that corresponds to the authentication type you want to use.
+
+   ```javascript
+   import { DefaultAzureCredential,ClientSecretCredential } from "@azure/identity";
+   
+   const mysql = require('mysql2');
+
+   // Uncomment the following lines according to the authentication type.
+   // for system-assigned managed identity
+   // const credential = new DefaultAzureCredential();
+
+   // for user-assigned managed identity
+   // const clientId = process.env.AZURE_MYSQL_CLIENTID;
+   // const credential = new DefaultAzureCredential({
+   //    managedIdentityClientId: clientId
+   // });
+
+   // acquire token
+   var accessToken = await credential.getToken('https://ossrdbms-aad.database.windows.net/.default');
+   
+   const connection = mysql.createConnection({
+     host: process.env.AZURE_MYSQL_HOST,
+     user: process.env.AZURE_MYSQL_USER,
+     password: accessToken.token,
+     database: process.env.AZURE_MYSQL_DATABASE,
+     port: process.env.AZURE_MYSQL_PORT,
+     ssl: process.env.AZURE_MYSQL_SSL
+   });
+   
+   connection.connect((err) => {
+     if (err) {
+       console.error('Error connecting to MySQL database: ' + err.stack);
+       return;
+     }
+     console.log('Connected to MySQL database');
+   });
+   ```
+
+-----
+
+For more code samples, see [Create a passwordless connection to a database service via Service Connector](/azure/service-connector/tutorial-passwordless?tabs=user%2Cappservice&pivots=mysql#connect-to-a-database-with-microsoft-entra-authentication).