Merge pull request #176829 from MicrosoftDocs/master

Merge master to live, 4AM

Author: v-ccolin

.github/workflows/stale.yml

@@ -19,7 +19,8 @@ jobs:
         close-pr-label: auto-close
         exempt-pr-labels: keep-open
         operations-per-run: 1200
-        ascending: false
+        ascending: true
+        start-date: '2020-07-09'
         stale-pr-message: >
           This pull request has been inactive for at least 14 days.
           If you are finished with your changes, don't forget to sign off. See the [contributor guide](https://review.docs.microsoft.com/help/contribute/contribute-how-to-write-pull-request-automation) for instructions.

.openpublishing.publish.config.json

@@ -833,6 +833,7 @@
     ".openpublishing.redirection.security-benchmark.json",
     ".openpublishing.redirection.synapse-analytics.json",
     "articles/azure-fluid-relay/.openpublishing.redirection.fluid-relay.json",
+    "articles/azure-netapp-files/.openpublishing.redirection.azure-netapp-files.json",   
     "articles/azure-relay/.openpublishing.redirection.relay.json",
     "articles/communication-services/.openpublishing.redirection.communication-services.json",
     "articles/cosmos-db/.openpublishing.redirection.cosmos-db.json",

.openpublishing.redirection.json

@@ -44283,6 +44283,16 @@
       "redirect_url": "/azure/azure-monitor/best-practices-analysis",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/azure-monitor/logs/powershell-sample-create-workspace.md",
+      "redirect_url": "/azure/azure-monitor/logs/powershell-workspace-configuration",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/azure-monitor/logs/examples.md",
+      "redirect_url": "/azure/data-explorer/kusto/query/samples?pivots=azuremonitor",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/load-balancer/tutorial-load-balancer-standard-manage-portal.md",
       "redirect_url": "/azure/load-balancer/quickstart-load-balancer-standard-public-portal",

articles/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 07/15/2020
+ms.date: 10/19/2021
 ms.author: jmprieur
 ms.custom: aaddev
 #Customer intent: As an application developer, I want to learn how to write a protected web API using the Microsoft identity platform for developers.
@@ -23,11 +23,10 @@ This article describes how you can add authorization to your web API. This prote
 - Applications on behalf of users who have the right scopes.
 - Daemon apps that have the right application roles.
 
-> [!NOTE]
-> The code snippets in this article are extracted from the following code samples on GitHub:
->
-> - [ASP.NET Core web API incremental tutorial](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/blob/master/1.%20Desktop%20app%20calls%20Web%20API/TodoListService/Controllers/TodoListController.cs)
-> - [ASP.NET web API sample](https://github.com/Azure-Samples/ms-identity-aspnet-webapi-onbehalfof/blob/master/TodoListService/Controllers/TodoListController.cs)
+The code snippets in this article are extracted from the following code samples on GitHub:
+
+- [ASP.NET Core web API incremental tutorial](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/blob/master/1.%20Desktop%20app%20calls%20Web%20API/TodoListService/Controllers/TodoListController.cs)
+- [ASP.NET web API sample](https://github.com/Azure-Samples/ms-identity-aspnet-webapi-onbehalfof/blob/master/TodoListService/Controllers/TodoListController.cs)
 
 To protect an ASP.NET or ASP.NET Core web API, you must add the `[Authorize]` attribute to one of the following items:
 
@@ -44,8 +43,8 @@ To protect an ASP.NET or ASP.NET Core web API, you must add the `[Authorize]` at
 
 But this protection isn't enough. It guarantees only that ASP.NET and ASP.NET Core validate the token. Your API needs to verify that the token used to call the API is requested with the expected claims. These claims in particular need verification:
 
-- The *scopes* if the API is called on behalf of a user.
-- The *app roles* if the API can be called from a daemon app.
+- The _scopes_ if the API is called on behalf of a user.
+- The _app roles_ if the API can be called from a daemon app.
 
 ## Verify scopes in APIs called on behalf of users
 
@@ -231,7 +230,7 @@ public class TodoListController : ApiController
     }
 ```
 
-Below is a simplified version of  `ValidateScopes`:
+Below is a simplified version of `ValidateScopes`:
 
 ```csharp
 private void ValidateScopes(IEnumerable<string> acceptedScopes)
@@ -251,7 +250,7 @@ private void ValidateScopes(IEnumerable<string> acceptedScopes)
 }
 ```
 
-For a full version of `ValidateScopes` for ASP.NET Core, [*ScopesRequiredHttpContextExtensions.cs*](https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web/Resource/ScopesRequiredHttpContextExtensions.cs)
+For a full version of `ValidateScopes` for ASP.NET Core, [_ScopesRequiredHttpContextExtensions.cs_](https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web/Resource/ScopesRequiredHttpContextExtensions.cs)
 
 ---
 
@@ -290,7 +289,6 @@ MyController : ApiController
 
 But for this, you'll need to map the Role claim to "roles" in the Startup.cs file:
 
-
 ```CSharp
  services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
  {
@@ -318,7 +316,7 @@ public class TodoListController : ApiController
     }
 ```
 
-A simplified version of  `ValidateAppRole` is:
+A simplified version of `ValidateAppRole` is:
 
 ```csharp
 private void ValidateAppRole(string appRole)
@@ -338,7 +336,7 @@ private void ValidateAppRole(string appRole)
 }
 ```
 
-For a full version of `ValidateAppRole` for ASP.NET Core, see [*RolesRequiredHttpContextExtensions.cs*](https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web/Resource/RolesRequiredHttpContextExtensions.cs) code.
+For a full version of `ValidateAppRole` for ASP.NET Core, see [_RolesRequiredHttpContextExtensions.cs_](https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web/Resource/RolesRequiredHttpContextExtensions.cs) code.
 
 ---
 
@@ -367,7 +365,7 @@ If you are using Microsoft.Identity.Web on ASP.NET core, you'll need to declare
 System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token.
 ```
 
- To avoid this exception, set the `AllowWebApiToBeAuthorizedByACL` configuration property to true, in the appsettings.json or programmatically.
+To avoid this exception, set the `AllowWebApiToBeAuthorizedByACL` configuration property to true, in the appsettings.json or programmatically.
 
 ```Json
 {

articles/active-directory/enterprise-users/directory-delete-howto.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: enterprise-users
 ms.workload: identity
 ms.topic: how-to
-ms.date: 10/13/2021
+ms.date: 10/20/2021
 ms.author: curtand
 ms.reviewer: addimitu
 ms.custom: it-pro
@@ -23,8 +23,9 @@ When an Azure AD organization (tenant) is deleted, all resources that are contai
 
 ## Prepare the organization
 
-You can't delete a organization in Azure AD until it passes several checks. These checks reduce risk that deleting an Azure AD organization negatively impacts user access, such as the ability to sign in to Microsoft 365 or access resources in Azure. For example, if the organization associated with a subscription is unintentionally deleted, then users can't access the Azure resources for that subscription. The following conditions are checked:
+You can't delete a organization in Azure AD until it passes several checks. These checks reduce risk that deleting an Azure AD organization negatively impacts user access, such as the ability to sign in to Microsoft 365 or access resources in Azure. For example, if the organization associated with a subscription is unintentionally deleted, then users can't access the Azure resources for that subscription. The following conditions should be checked:
 
+* You must have paid all outstanding invoices and amounts due or overdue.
 * There can be no users in the Azure AD tenant except one global administrator who is to delete the organization. Any other users must be deleted before the organization can be deleted. If users are synchronized from on-premises, then sync must first be turned off, and the users must be deleted in the cloud organization using the Azure portal or Azure PowerShell cmdlets.
 * There can be no applications in the organization. Any applications must be removed before the organization can be deleted.
 * There can be no multi-factor authentication providers linked to the organization.

articles/active-directory/hybrid/reference-connect-version-history.md

@@ -17,6 +17,14 @@ The Azure Active Directory (Azure AD) team regularly updates Azure AD Connect wi
 
 This article is designed to help you keep track of the versions that have been released, and to understand what the changes are in the latest version.
 
+## Looking for the latest versions?
+
+You can upgrade your AADConnect server from all supported versions with the latest versions:
+
+ - If you are using **Windows Server 2016 or newer** you should use ** Azure AD Connect V2.0**. You can download the latest version of Azure AD Connect 2.0 using [this link](https://www.microsoft.com/en-us/download/details.aspx?id=47594). The release notes for the latest V2.0 release are [here](reference-connect-version-history.md#20280)
+ - If you are still using an **older version of Windows Server** you should use** Azure AD Connect V1.6**. You can download the latest version of Azure AD Connect V1 using [this link](https://www.microsoft.com/download/details.aspx?id=103336). The release notes for the latest V1.6 release are [here](reference-connect-version-history.md#16160)
+ - We are only applying critical changes to the V1 versions going forward, and you may not find some of the features and fixes for V2 in the V1 releases - so you should upgrade to the V2 version as soon as possible.
+
 This table is a list of related topics:
 
 Topic |  Details
@@ -48,11 +56,6 @@ However, if you'd like all the latest features and updates, the best way to see
 >Please follow this link to read more about [auto upgrade](how-to-connect-install-automatic-upgrade.md)
 
 
-## Download links
- - If you are using Windows Server 2016 or newer you should use Azure AD Connect V2.0. You can download the latest version of Azure AD Connect 2.0 using [this link](https://www.microsoft.com/en-us/download/details.aspx?id=47594).
- - If you are still using an older version of Windows Server you should use Azure AD Connect V1.6. You can download the latest version of Azure AD Connect V1 using [this link](https://www.microsoft.com/download/details.aspx?id=103336). 
- - We are only applying critical changes to the V1 versions going forward, and you may not find some of the features and fixes for V2 in the V1 releases - so you should upgrade to the V2 version as soon as possible.
-
 ## 1.6.16.0
 >[!NOTE] 
 >This is an update release of Azure AD Connect. This version is intended to be used by customers who are running an older version of Windows Server and cannot upgrade their server to Windows Server 2016 or newer at this time. You cannot use this version to update an Azure AD Connect V2.0 server. 

articles/advisor/advisor-high-availability-recommendations.md

@@ -55,6 +55,9 @@ Azure Advisor checks for any VPN gateways that use a Basic SKU and recommends th
 - Custom Ipsec/IKE policy. 
 - Higher stability and availability.
 
+## Ensure reliable outbound connectivity with VNet NAT
+Using default outbound connecitivty provided by a Standard Load Balancer or other Azure resources is not recommended for production workloads as this causes connection failures (also called SNAT port exhaustion). The recommended approach is using a VNet NAT which will prevent any failures of connectivty in this regard. NAT can scale seamlessly to ensure your application is never out ports. [Learn more about VNet NAT](https://docs.microsoft.com/azure/virtual-network/nat-overview).
+
 ## Ensure virtual machine fault tolerance (temporarily disabled)
 
 To provide redundancy for your application, we recommend that you group two or more virtual machines in an availability set. Advisor identifies virtual machines that aren't part of an availability set and recommends moving them into one. This configuration ensures that during either planned or unplanned maintenance, at least one virtual machine is available and meets the Azure virtual machine SLA. You can choose to create an availability set for the virtual machine or to add the virtual machine to an existing availability set.
@@ -127,4 +130,4 @@ For more information about Advisor recommendations, see:
 * [Advisor cost recommendations](advisor-cost-recommendations.md)
 * [Advisor performance recommendations](advisor-performance-recommendations.md)
 * [Advisor security recommendations](advisor-security-recommendations.md)
-* [Advisor operational excellence recommendations](advisor-operational-excellence-recommendations.md)
+* [Advisor operational excellence recommendations](advisor-operational-excellence-recommendations.md)

articles/aks/api-server-authorized-ip-ranges.md

@@ -25,7 +25,7 @@ You need the Azure CLI version 2.0.76 or later installed and configured. Run `a
 
 The API server Authorized IP ranges feature has the following limitations:
 - On clusters created after API server authorized IP address ranges moved out of preview in October 2019, API server authorized IP address ranges are only supported on the *Standard* SKU load balancer. Existing clusters with the *Basic* SKU load balancer and API server authorized IP address ranges configured will continue work as is but cannot be migrated to a *Standard* SKU load balancer. Those existing clusters will also continue to work if their Kubernetes version or control plane are upgraded. API server authorized IP address ranges are not supported for private clusters.
-- This feature is not compatible with clusters that use [Public IP per Node](use-multiple-node-pools.md#assign-a-public-ip-per-node-for-your-node-pools).
+- When using this feature with clusters that use [Public IP per Node](use-multiple-node-pools.md#assign-a-public-ip-per-node-for-your-node-pools), those node pools with public IP per node enabled must use public IP prefixes and those prefixes must be added as authorized ranges.
 
 ## Overview of API server authorized IP ranges
 

articles/api-management/api-management-howto-aad-b2c.md

@@ -112,7 +112,7 @@ The **Sign-up form: OAuth** widget represents a form used for signing up with OA
 [!INCLUDE [api-management-portal-legacy.md](../../includes/api-management-portal-legacy.md)]
 
 > [!NOTE]
-> To properly integrate B2C with the legacy developer portal, use **standard v1** user flows, in combination with enabling [password reset](/azure/active-directory-b2c/user-flow-self-service-password-reset) before signing up/signing into a developer account using Azure Active Directory B2C. 
+> To properly integrate B2C with the legacy developer portal, use **standard v1** user flows, in combination with enabling [password reset](/azure/active-directory-b2c/add-password-reset-policy) before signing up/signing into a developer account using Azure Active Directory B2C. 
 
 1. Open a new browser window and go to the legacy developer portal. Click the **Sign up** button.
 

articles/api-management/api-management-howto-properties.md

@@ -29,7 +29,7 @@ ms.author: danlep
 
 Plain values or secrets can contain [policy expressions](./api-management-policy-expressions.md). For example, the expression `@(DateTime.Now.ToString())` returns a string containing the current date and time.
 
-For details about the named value attributes, see the API Management [REST API reference](/rest/api/apimanagement/2020-06-01-preview/namedvalue/createorupdate).
+For details about the named value attributes, see the API Management [REST API reference](/rest/api/apimanagement/2021-04-01-preview/named-value/create-or-update).
 
 ## Key vault secrets
 
@@ -202,4 +202,3 @@ To delete a named value, select the name and then select **Delete** from the con
     -   [Policy expressions](./api-management-policy-expressions.md)
 
 [api-management-send-results]: ./media/api-management-howto-properties/api-management-send-results.png
-