
Commit 3fbec33

Merge pull request #236437 from MicrosoftDocs/main
5/01 AM Publish
2 parents f0e072a + 86dc808 commit 3fbec33

101 files changed

+751
-958
lines changed


articles/active-directory/fundamentals/whats-new.md

Lines changed: 14 additions & 2 deletions
@@ -54,6 +54,18 @@ Last year we announced the combined registration user experience for MFA and se
5454

5555
---
5656

57+
### General Availability - System preferred MFA method
58+
59+
**Type:** Changed feature
60+
**Service category:** Authentications (Logins)
61+
**Product capability:** Identity Security & Protection
62+
63+
Currently, organizations and users rely on a range of authentication methods, each offering varying degrees of security. While Multifactor Authentication (MFA) is crucial, some MFA methods are more secure than others. Despite having access to more secure MFA options, users frequently choose less secure methods for various reasons.
64+
65+
To address this challenge, we're introducing a new system-preferred authentication method for MFA. When users sign in, the system will determine and display the most secure MFA method that the user has registered. This prompts users to switch from the default method to the most secure option. While users may still choose a different MFA method, they'll always be prompted to use the most secure method first for every session that requires MFA. For more information, see: [System-preferred multifactor authentication - Authentication methods policy](../authentication/concept-system-preferred-multifactor-authentication.md).
66+
67+
---
68+
5769
### General Availability - PIM alert: Alert on active-permanent role assignments in Azure or assignments made outside of PIM
5870

5971
**Type:** Fixed
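Review bot: the closing sentences of the new paragraph ("While users may still choose a different MFA method...") should say outright that system-preferred MFA changes which registered method is prompted first and does not block weaker registered methods; an admin who wants to require the stronger method still has to disable the weaker ones in the Authentication methods policy that the link at the end of the paragraph points to. One sentence to that effect would stop readers from mistaking a prompt-ordering feature for an enforcement control.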
@@ -70,7 +82,7 @@ Last year we announced the combined registration user experience for MFA and se
7082
**Service category:** User Management
7183
**Product capability:** User Management
7284

73-
Admins can now define more properties when creating and inviting a user in the Entra admin portal. These improvements bring our UX to parity with our [Create User APIS](/graph/api/user-post-users). Additionally, admins can now add users to a group or administrative unit, as well as assign roles. For more information, see: [Add or delete users using Azure Active Directory](../fundamentals/add-users-azure-active-directory.md).
85+
Admins can now define more properties when creating and inviting a user in the Entra admin portal. These improvements bring our UX to parity with our [Create User APIS](/graph/api/user-post-users). Additionally, admins can now add users to a group or administrative unit, and assign roles. For more information, see: [Add or delete users using Azure Active Directory](../fundamentals/add-users-azure-active-directory.md).
7486

7587
---
7688
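Review bot: while touching this line, fix "Create User APIS" to "Create User API"; the same link text appears in the removed line, so the typo is pre-existing, and the "as well as" to "and" edit is otherwise fine.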

@@ -90,7 +102,7 @@ The protected actions public preview introduces the ability to apply Conditional
90102
**Service category:** Conditional Access
91103
**Product capability:** User Authentication
92104

93-
Token Protection for sign-in sessions is our first release on a road-map to combat attacks involving token theft and replay. It provides conditional access enforcement of token proof-of-possession for supported clients and services that ensures that access to specified resources is only from a device to which the user has signed in. For more information, see: [Conditional Access: Token protection (preview)](../conditional-access/concept-token-protection.md).
105+
Token Protection for sign-in sessions is our first release on a road-map to combat attacks involving token theft and replay. It provides conditional access enforcement of token proof-of-possession for supported clients and services that ensure that access to specified resources is only from a device to which the user has signed in. For more information, see: [Conditional Access: Token protection (preview)](../conditional-access/concept-token-protection.md).
94106

95107
---
96108
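Review bot: changing "ensures" to "ensure" moves the relative clause from "enforcement" to "clients and services", so the sentence now reads as though the clients themselves ensure that access is device-bound, which is not what the feature does; the thing that ensures it is the Conditional Access enforcement of proof-of-possession. Suggest restructuring instead of changing number: "It provides Conditional Access enforcement of token proof-of-possession for supported clients and services, ensuring that access to specified resources is only from a device to which the user has signed in."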

articles/active-directory/hybrid/how-to-connect-sync-feature-preferreddatalocation.md

Lines changed: 4 additions & 2 deletions
@@ -18,12 +18,14 @@ The purpose of this topic is to walk you through how to configure the attribute
1818
For a list of all geos supported by Azure AD Connect see [Microsoft 365 Multi-Geo availability](/microsoft-365/enterprise/microsoft-365-multi-geo#microsoft-365-multi-geo-availability)
1919

2020
## Enable synchronization of preferred data location
21-
By default, Microsoft 365 resources for your users are located in the same geo as your Azure AD tenant. For example, if your tenant is located in North America, then the users' Exchange mailboxes are also located in North America. For a multinational organization, this might not be optimal.
21+
By default, Microsoft 365 resources for your users are located in the same geo as your Azure AD tenant. For example, if the _Tenant_ is located in North America, then the users' Exchange mailboxes are also located in North America. For a multinational organization, this might not be optimal.
2222

2323
By setting the attribute **preferredDataLocation**, you can define a user's geo. You can have the user's Microsoft 365 resources, such as the mailbox and OneDrive, in the same geo as the user, and still have one tenant for your entire organization.
2424

2525
> [!IMPORTANT]
26-
> Multi-Geo is currently available to customers with an active Enterprise Agreement and a minimum of 250 Microsoft 365 Services subscriptions. Please talk to your Microsoft representative for details.
26+
> As of June 1, 2023, Multi-Geo is available for CSP partners to purchase, at a minimum of 5% of their customer’s total Microsoft 365 subscription seats.
27+
>
28+
> Multi-Geo is also available to customers with an active Enterprise Agreement. Please talk to your Microsoft representative for details.
2729
>
2830
> For a list of all geos supported by Azure AD Connect see [Microsoft 365 Multi-Geo availability](/microsoft-365/enterprise/microsoft-365-multi-geo#microsoft-365-multi-geo-availability).
2931
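Review bot: "if the _Tenant_ is located" capitalizes and italicizes a common noun that the same sentence writes as plain "your Azure AD tenant"; keep "your tenant" and drop the emphasis. In the IMPORTANT block, the CSP sentence should state what "a minimum of 5% of their customer's total Microsoft 365 subscription seats" is a minimum of (presumably the seats licensed for Multi-Geo), and the curly apostrophe in "customer’s" should be a plain one to match the rest of the file.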

articles/active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@ ms.collection: M365-identity-device-management
1818

1919
# Assign Azure resource roles in Privileged Identity Management
2020

21-
With Azure AD Privileged Identity Management (Azure AD PIM), part of Microsoft Entra, can manage the built-in Azure resource roles, and custom roles, including (but not limited to):
21+
With Azure AD Privileged Identity Management (Azure AD PIM), part of Microsoft Entra, you can manage the built-in Azure resource roles, and custom roles, including (but not limited to):
2222

2323
- Owner
2424
- User Access Administrator
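Review bot: the fix restores the missing subject ("you can manage"), but the comma in "the built-in Azure resource roles, and custom roles" splits a two-item list; suggest "you can manage the built-in Azure resource roles and custom roles, including (but not limited to):".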

articles/active-directory/standards/memo-22-09-meet-identity-requirements.md

Lines changed: 33 additions & 31 deletions
@@ -10,56 +10,58 @@ author: gargi-sinha
1010
ms.author: gasinh
1111
manager: martinco
1212
ms.reviewer: martinco
13-
ms.date: 3/10/2022
13+
ms.date: 04/28/2023
1414
ms.custom: it-pro
1515
ms.collection: M365-identity-device-management
1616
---
1717

1818
# Meet identity requirements of memorandum 22-09 with Azure Active Directory
1919

20-
US executive order [14028, Improving the Nation's Cyber Security](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity), directs federal agencies on advancing security measures that drastically reduce the risk of successful cyberattacks against the federal government's digital infrastructure. On January 26, 2022, the [Office of Management and Budget (OMB)](https://www.whitehouse.gov/omb/) released the federal Zero Trust strategy in [memorandum 22-09](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf), in support of EO 14028.
20+
The [Executive Order on Improving the Nation’s Cybersecurity (14028)](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity), directs federal agencies to advance security measures that significantly reduce the risk of successful cyberattacks against federal government digital infrastructure. On January 26, 2022, in support of Executive Order (EO) 14028, the [Office of Management and Budget (OMB)](https://www.whitehouse.gov/omb/) released the federal Zero Trust strategy in [M 22-09 Memorandum for Heads of Executive Departments and Agencies](https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).
2121

22-
This series of articles offers guidance for employing Azure Active Directory (Azure AD) as a centralized identity management system for implementing Zero Trust principles, as described in memorandum 22-09.
22+
This article series has guidance to employ Azure Active Directory (Azure AD) as a centralized identity management system when implementing Zero Trust principles, as described in memorandum 22-09.
2323

24-
The release of memorandum 22-09 is designed to support Zero Trust initiatives within federal agencies. It also provides regulatory guidance in supporting federal cybersecurity and data privacy laws. The memo cites the [Department of Defense (DoD) Zero Trust Reference Architecture](https://cloudsecurityalliance.org/artifacts/dod-zero-trust-reference-architecture/):
24+
Memorandum 22-09 supports Zero Trust initiatives in federal agencies. It has regulatory guidance for federal cybersecurity and data privacy laws. The memo cites the [US Department of Defense (DoD) Zero Trust Reference Architecture](https://cloudsecurityalliance.org/artifacts/dod-zero-trust-reference-architecture/):
2525

26-
>"The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction."
26+
"*The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.*"
2727

28-
The memo identifies five core goals that federal agencies must reach. These goals are organized through the Cybersecurity Information Systems Architecture (CISA) Maturity Model. CISA's Zero Trust model describes five complementary areas of effort, or pillars: identity, devices, networks, applications and workloads, and data. These themes cut across these areas: visibility and analytics, automation and orchestration, and governance.
28+
The memo identifies five core goals for federal agencies to reach, organized with the Cybersecurity Information Systems Architecture (CISA) Maturity Model. The CISA Zero Trust model describes five complementary areas of effort, or pillars:
2929

30-
## Scope of guidance
30+
* Identity
31+
* Devices
32+
* Networks
33+
* Applications and workloads
34+
* Data
3135

32-
This series of articles provides practical guidance for administrators and decision makers to adapt a plan to meet memo requirements. It assumes that you're using Microsoft 365 products and therefore have an Azure AD tenant available. If this is inaccurate, see [Create a new tenant in Azure Active Directory](../fundamentals/active-directory-access-create-new-tenant.md).
36+
The pillars intersect with:
3337

34-
The article series features guidance that encompasses existing agency investments in Microsoft technologies that align with the identity-related actions outlined in the memo:
38+
* Visibility
39+
* Analytics
40+
* Automation
41+
* Orchestration
42+
* Governance
3543

36-
* Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms.
44+
## Scope of guidance
3745

38-
* Agencies must use strong multifactor authentication (MFA) throughout their enterprise:
46+
Use the article series to build a plan to meet memo requirements. It assumes use of Microsoft 365 products and an Azure AD tenant.
3947

40-
* MFA must be enforced at the application layer instead of the network layer.
48+
Learn more: [Quickstart: Create a new tenant in Azure AD](../fundamentals/active-directory-access-create-new-tenant.md).
4149

42-
* For agency staff, contractors, and partners, phishing-resistant MFA is required.
43-
44-
* For public users, phishing-resistant MFA must be an option.
45-
46-
* Password policies must not require the use of special characters or regular rotation.
50+
The article series instructions encompass agency investments in Microsoft technologies that align with the memo's identity-related actions.
4751

48-
* When agencies are authorizing users to access resources, they must consider at least one device-level signal alongside identity information about the authenticated user.
52+
* For agency users, agencies employ centralized identity management systems that can be integrated with applications and common platforms
53+
* Agencies use enterprise-wide, strong multi-factor authentication (MFA)
54+
* MFA is enforced at the application layer, not the network layer
55+
* For agency staff, contractors, and partners, phishing-resistant MFA is required
56+
* For public users, phishing-resistant MFA is an option
57+
* Password policies don't require special characters or regular rotation
58+
* When agencies authorize user access to resources, they consider at least one device-level signal, with identity information about the authenticated user
4959

5060

5161
## Next steps
5262

53-
The following articles are part of this documentation set:
54-
55-
[Enterprise-wide identity management system](memo-22-09-enterprise-wide-identity-management-system.md)
56-
57-
[Multifactor authentication](memo-22-09-multi-factor-authentication.md)
58-
59-
[Authorization](memo-22-09-authorization.md)
60-
61-
[Other areas of Zero Trust](memo-22-09-other-areas-zero-trust.md)
62-
63-
For more information about Zero Trust, see:
64-
65-
[Securing identity with Zero Trust](/security/zero-trust/deploy/identity)
63+
* [Enterprise-wide identity management system](memo-22-09-enterprise-wide-identity-management-system.md)
64+
* [Meet multifactor authentication requirements of memorandum 22-09](memo-22-09-multi-factor-authentication.md)
65+
* [Meet authorization requirements of memorandum 22-09](memo-22-09-authorization.md)
66+
* [Other areas of Zero Trust addressed in memorandum 22-09](memo-22-09-other-areas-zero-trust.md)
67+
* [Securing identity with Zero Trust](/security/zero-trust/deploy/identity)
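Review bot: "Cybersecurity Information Systems Architecture (CISA)" is a wrong expansion that survives the rewrite; CISA is the Cybersecurity and Infrastructure Security Agency, and the model being cited is its Zero Trust Maturity Model. Separately, the rewrite turns the three cross-cutting capabilities the removed line listed ("visibility and analytics, automation and orchestration, and governance") into five bullets under "The pillars intersect with:", which misrepresents the model; keep them as three items. The flattened requirements list also loses the nesting the removed lines had: "MFA is enforced at the application layer", the two phishing-resistant MFA items and the password-policy item were sub-points of the MFA requirement, and should be indented under the "enterprise-wide, strong multi-factor authentication (MFA)" bullet again.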

articles/aks/workload-identity-overview.md

Lines changed: 4 additions & 4 deletions
@@ -1,8 +1,8 @@
11
---
2-
title: Use an Azure AD workload identities (preview) on Azure Kubernetes Service (AKS)
3-
description: Learn about Azure Active Directory workload identity (preview) for Azure Kubernetes Service (AKS) and how to migrate your application to authenticate using this identity.
2+
title: Use an Azure AD workload identities on Azure Kubernetes Service (AKS)
3+
description: Learn about Azure Active Directory workload identity for Azure Kubernetes Service (AKS) and how to migrate your application to authenticate using this identity.
44
ms.topic: article
5-
ms.date: 04/19/2023
5+
ms.date: 05/01/2023
66

77
---
88
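Review bot: "Use an Azure AD workload identities on Azure Kubernetes Service (AKS)" pairs a singular article with a plural noun; since this hunk already edits the title to drop "(preview)", make it "Use an Azure AD workload identity on Azure Kubernetes Service (AKS)" so it matches the singular "workload identity" in the description line below it.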

@@ -154,4 +154,4 @@ The following table summarizes our migration or deployment recommendations for w
154154
[deploy-configure-workload-identity-new-cluster]: workload-identity-deploy-cluster.md
155155
[tutorial-use-workload-identity]: ./learn/tutorial-kubernetes-workload-identity.md
156156
[workload-identity-migration-sidecar]: workload-identity-migrate-from-pod-identity.md
157-
[auto-rotation]: certificate-rotation.md#certificate-auto-rotation
157+
[auto-rotation]: certificate-rotation.md#certificate-auto-rotation

articles/azure-app-configuration/quickstart-aspnet-core-app.md

Lines changed: 1 addition & 1 deletion
@@ -210,7 +210,7 @@ In this example, you'll update a web page to display its content using the setti
210210
211211
h1 {
212212
color: @Model.Settings.FontColor;
213-
font-size: @Model.Settings.FontSize;
213+
font-size: @(Model.Settings.FontSize)px;
214214
}
215215
</style>
216216
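Review bot: appending "px" assumes the FontSize value stored in App Configuration is a bare number; if the value already carries a unit (for example "24px"), the rendered rule becomes "24pxpx" and the browser silently ignores it. Worth stating beside this snippet that the key must hold a number only, or binding the setting as an integer so a bad value fails at bind time rather than in the browser. More generally, both FontColor and FontSize are interpolated into a <style> block, and Razor's HTML encoding does not constrain CSS syntax (";" and "}" pass through), so a quickstart that treats configuration values as trusted input should say so explicitly.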

articles/azure-monitor/essentials/data-collection-rule-edit.md

Lines changed: 2 additions & 2 deletions
@@ -75,8 +75,8 @@ Our final step is to update DCR back in the system. This is accomplished by “P
7575
1. If you are using Azure Cloud Shell, save the file and close the embedded editor, or [upload modified DCR file back to the Cloud Shell environment](../../cloud-shell/using-the-shell-window.md#upload-and-download-files).
7676
2. Execute the following commands to load DCR content from the file and place HTTP call to update the DCR in the system. Replace `<ResourceId>` with DCR ResourceID and `<FilePath>` with the name of the file modified in the previous part of the tutorial. You can omit first two lines if you read and write to the DCR within the same PowerShell session.
7777
```PowerShell
78-
$ResourceId = <ResourceId> # Resource ID of the DCR to edit
79-
$FilePath = <FilePath> # Store DCR content in this file
78+
$ResourceId = "<ResourceId>" # Resource ID of the DCR to edit
79+
$FilePath = "<FilePath>" # Store DCR content in this file
8080
$DCRContent = Get-Content $FilePath -Raw
8181
Invoke-AzRestMethod -Path ("$ResourceId"+"?api-version=2021-09-01-preview") -Method PUT -Payload $DCRContent
8282
```
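Review bot: quoting the placeholders is the right fix, since an unquoted <ResourceId> is a parse error in PowerShell; while here, the comment on the $FilePath line ("Store DCR content in this file") describes a write, but the next line reads the file with Get-Content, so reword it to something like "Path of the file holding the modified DCR content". The hard-coded api-version 2021-09-01-preview also deserves a sentence noting that it is a preview API version and may change.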

articles/azure-monitor/logs/azure-monitor-data-explorer-proxy.md

Lines changed: 1 addition & 0 deletions
@@ -31,6 +31,7 @@ adx('https://help.kusto.windows.net/Samples').StormEvents
3131
>* Cross-resource query as an alert isn't supported.
3232
>* Identifying the Timestamp column in the cluster isn't supported. The Log Analytics Query API won't pass along the time filter.
3333
> * The cross-service query ability is used for data retrieval only. For more information, see [Function supportability](#function-supportability).
34+
> * Private Link is not supported with this feature.
3435
3536
## Function supportability
3637
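Review bot: the new bullet should point readers to the private-link design page that this same commit updates with the reason (the proxy cannot guarantee the targeted cluster is reached privately); on its own, "Private Link is not supported with this feature" reads as an arbitrary restriction. The list also mixes ">*" and "> *" bullet prefixes, and the new line follows the spaced form, so consider normalizing the others in the same block.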

articles/azure-monitor/logs/basic-logs-configure.md

Lines changed: 1 addition & 0 deletions
@@ -52,6 +52,7 @@ Configure a table for Basic logs if:
5252
| Container Insights | [ContainerLogV2](/azure/azure-monitor/reference/tables/containerlogv2) |
5353
| Communication Services | [ACSCallAutomationIncomingOperations](/azure/azure-monitor/reference/tables/ACSCallAutomationIncomingOperations)<br>[ACSCallRecordingSummary](/azure/azure-monitor/reference/tables/acscallrecordingsummary)<br>[ACSRoomsIncomingOperations](/azure/azure-monitor/reference/tables/acsroomsincomingoperations) |
5454
| Confidential Ledgers | [CCFApplicationLogs](/azure/azure-monitor/reference/tables/CCFApplicationLogs) |
55+
| Data Manager for Energy | [OEPDataplaneLogs](/azure/azure-monitor/reference/tables/OEPDataplaneLogs) |
5556
| Dedicated SQL Pool | [SynapseSqlPoolSqlRequests](/azure/azure-monitor/reference/tables/synapsesqlpoolsqlrequests)<br>[SynapseSqlPoolRequestSteps](/azure/azure-monitor/reference/tables/synapsesqlpoolrequeststeps)<br>[SynapseSqlPoolExecRequests](/azure/azure-monitor/reference/tables/synapsesqlpoolexecrequests)<br>[SynapseSqlPoolDmsWorkers](/azure/azure-monitor/reference/tables/synapsesqlpooldmsworkers)<br>[SynapseSqlPoolWaits](/azure/azure-monitor/reference/tables/synapsesqlpoolwaits) |
5657
| Dev Center | [DevCenterDiagnosticLogs](/azure/azure-monitor/reference/tables/DevCenterDiagnosticLogs) |
5758
| Firewalls | [AZFWFlowTrace](/azure/azure-monitor/reference/tables/AZFWFlowTrace) |

articles/azure-monitor/logs/private-link-design.md

Lines changed: 2 additions & 1 deletion
@@ -220,7 +220,8 @@ Bundle the JavaScript code in your script so that the browser doesn't attempt to
220220
If you're connecting to your Azure Monitor resources over a private link, traffic to these resources must go through the private endpoint that's configured on your network. To enable the private endpoint, update your DNS settings as explained in [Connect to a private endpoint](./private-link-configure.md#connect-to-a-private-endpoint). Some browsers use their own DNS settings instead of the ones you set. The browser might attempt to connect to Azure Monitor public endpoints and bypass the private link entirely. Verify that your browser settings don't override or cache old DNS settings.
221221

222222
### Querying limitation: externaldata operator
223-
The [`externaldata` operator](/azure/data-explorer/kusto/query/externaldata-operator?pivots=azuremonitor) isn't supported over a private link because it reads data from storage accounts but doesn't guarantee the storage is accessed privately.
223+
* The [`externaldata` operator](/azure/data-explorer/kusto/query/externaldata-operator?pivots=azuremonitor) isn't supported over a private link because it reads data from storage accounts but doesn't guarantee the storage is accessed privately.
224+
* The [Azure Data Explorer proxy (ADX proxy)](azure-monitor-data-explorer-proxy.md) allows log queries to query Azure Data Explorer. The ADX proxy isn't supported over a private link because it doesn't guarantee the targeted resource is accessed privately.
224225

225226
## Next steps
226227
- Learn how to [configure your private link](private-link-configure.md).
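Review bot: the heading "### Querying limitation: externaldata operator" now sits above two bullets, one of which is about the ADX proxy rather than externaldata, so it no longer describes the section; rename it to something like "### Querying limitations" and let the bullets name the operator and the proxy. The ADX proxy bullet also restates the note added to azure-monitor-data-explorer-proxy.md in this commit; cross-linking the two pages is fine, but keep the explanation of why (no guarantee the targeted resource is accessed privately) in one place.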
