MicrosoftDocs
diff --git a/‎articles/active-directory/authentication/tutorial-enable-sspr.md
Lines changed: 4 additions & 0 deletions b/‎articles/active-directory/authentication/tutorial-enable-sspr.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎articles/active-directory/conditional-access/concept-token-protection.md
Lines changed: 18 additions & 11 deletions b/‎articles/active-directory/conditional-access/concept-token-protection.md
Lines changed: 18 additions & 11 deletions
diff --git a/‎articles/aks/azure-cni-powered-by-cilium.md
Lines changed: 1 addition & 1 deletion b/‎articles/aks/azure-cni-powered-by-cilium.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/aks/use-cvm.md
Lines changed: 2 additions & 4 deletions b/‎articles/aks/use-cvm.md
Lines changed: 2 additions & 4 deletions
diff --git a/‎articles/analysis-services/analysis-services-manage.md
Lines changed: 1 addition & 3 deletions b/‎articles/analysis-services/analysis-services-manage.md
Lines changed: 1 addition & 3 deletions
diff --git a/‎articles/analysis-services/analysis-services-overview.md
Lines changed: 2 additions & 2 deletions b/‎articles/analysis-services/analysis-services-overview.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/azure-monitor/app/separate-resources.md
Lines changed: 4 additions & 1 deletion b/‎articles/azure-monitor/app/separate-resources.md
Lines changed: 4 additions & 1 deletion
diff --git a/‎articles/azure-monitor/logs/log-analytics-workspace-health.md
Lines changed: 6 additions & 1 deletion b/‎articles/azure-monitor/logs/log-analytics-workspace-health.md
Lines changed: 6 additions & 1 deletion
diff --git a/‎articles/communication-services/tutorials/includes/proxy-calling-support-tutorial-android.md
Lines changed: 27 additions & 0 deletions b/‎articles/communication-services/tutorials/includes/proxy-calling-support-tutorial-android.md
Lines changed: 27 additions & 0 deletions
diff --git a/‎articles/communication-services/tutorials/includes/proxy-calling-support-tutorial-ios.md
Lines changed: 27 additions & 0 deletions b/‎articles/communication-services/tutorials/includes/proxy-calling-support-tutorial-ios.md
Lines changed: 27 additions & 0 deletions
@@ -29,6 +29,10 @@ In this tutorial you learn how to:
 > * Set up authentication methods and registration options
 > * Test the SSPR process as a user
 
+> [!IMPORTANT]
+> In March 2023, we announced the deprecation of managing authentication methods in the legacy multifactor authentication (MFA) and self-service password reset (SSPR) policies. Beginning September 30, 2024, authentication methods can't be managed in these legacy MFA and SSPR policies. We recommend customers use the manual migration control to migrate to the Authentication methods policy by the deprecation date.
+
+
 ## Video tutorial
 
 You can also follow along in a related video: [How to enable and configure SSPR in Azure AD](https://www.youtube.com/embed/rA8TvhNcCvQ?azure-portal=true).
 
@@ -4,7 +4,7 @@ description: Learn how to use token protection in Conditional Access policies.
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 07/18/2023
+ms.date: 08/14/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
 
 Token protection (sometimes referred to as token binding in the industry) attempts to reduce attacks using token theft by ensuring a token is usable only from the intended device. When an attacker is able to steal a token, by hijacking or replay, they can impersonate their victim until the token expires or is revoked. Token theft is thought to be a relatively rare event, but the damage from it can be significant. 
 
-Token protection creates a cryptographically secure tie between the token and the device (client secret) it's issued to. Without the client secret, the bound token is useless. When a user registers a Windows 10 or newer device in Azure AD, their primary identity is [bound to the device](../devices/concept-primary-refresh-token.md#how-is-the-prt-protected). What this means is that a policy can ensure that only bound sign-in session (or refresh) tokens, otherwise known as Primary Refresh Tokens (PRTs) are used by applications when requesting access to a resource.
+Token protection creates a cryptographically secure tie between the token and the device (client secret) it's issued to. Without the client secret, the bound token is useless. When a user registers a Windows 10 or newer device in Azure AD, their primary identity is [bound to the device](../devices/concept-primary-refresh-token.md#how-is-the-prt-protected). What this means: A policy can ensure that only bound sign-in session (or refresh) tokens, otherwise known as Primary Refresh Tokens (PRTs) are used by applications when requesting access to a resource.
 
 > [!IMPORTANT]
 > Token protection is currently in public preview. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
@@ -35,28 +35,35 @@ With this preview, we're giving you the ability to create a Conditional Access p
 
 ## Requirements
 
-This preview supports the following configurations:
+This preview supports the following configurations for access to resources with Token Protection conditional access policies applied:
 
 * Windows 10 or newer devices that are Azure AD joined, hybrid Azure AD joined, or Azure AD registered.
 * OneDrive sync client version 22.217 or later
 * Teams native client version 1.6.00.1331 or later 
+* Power BI desktop version 2.117.841.0 (May 2023) or later
+* Visual Studio 2022 or later when using the 'Windows authentication broker' Sign-in option
 * Office Perpetual clients aren't supported
 
 ### Known limitations
 
 - External users (Azure AD B2B) aren't supported and shouldn't be included in your Conditional Access policy.
 - The following applications don't support signing in using protected token flows and users are blocked when accessing Exchange and SharePoint:
-   - Power BI Desktop client 
    - PowerShell modules accessing Exchange, SharePoint, or Microsoft Graph scopes that are served by Exchange or SharePoint
    - PowerQuery extension for Excel
    - Extensions to Visual Studio Code which access Exchange or SharePoint
-   - Visual Studio
-   - The new Teams 2.1 preview client gets blocked after sign out due to a bug. This bug should be fixed in an August release.
+   - The new Teams 2.1 preview client gets blocked after sign out due to a bug. This bug should be fixed in a future service update.
 - The following Windows client devices aren't supported:
    - Windows Server 
    - Surface Hub
    - Windows-based Microsoft Teams Rooms (MTR) systems
 
+## Licensing requirements
+
+[!INCLUDE [Active Directory P2 license](../../../includes/active-directory-p2-license.md)]
+
+> [!NOTE]
+> Token Protection enforcement is part of Microsoft Entra ID Protection and will be part of the P2 license at general availability. 
+
 ## Deployment
 
 For users, the deployment of a Conditional Access policy to enforce token protection should be invisible when using compatible client platforms on registered devices and compatible applications.    
@@ -135,7 +142,7 @@ You can also use [Log Analytics](../reports-monitoring/tutorial-log-analytics-wi
 Here's a sample Log Analytics query searching the non-interactive sign-in logs for the last seven days, highlighting **Blocked** versus **Allowed** requests by **Application**. These queries are only samples and are subject to change.
 
 > [!NOTE]
-> **Sign In logs output:** The value of the string used in "enforcedSessionControls" and "sessionControlsNotSatisfied" changed from "Binding" to "SignInTokenProtection" in late June 2023. Queries on Sign In Log data should be updated to reflect this change.
+> **Sign In logs output:** The value of the string used in "enforcedSessionControls" and "sessionControlsNotSatisfied" changed from "Binding" to "SignInTokenProtection" in late June 2023. Queries on Sign In Log data should be updated to reflect this change. The examples cover both values to include historical data.
 
 ```kusto
 //Per Apps query 
@@ -150,10 +157,10 @@ AADNonInteractiveUserSignInLogs
 //Add userPrinicpalName if you want to filter  
 // | where UserPrincipalName =="<user_principal_Name>" 
 | mv-expand todynamic(ConditionalAccessPolicies) 
-| where ConditionalAccessPolicies ["enforcedSessionControls"] contains '["SignInTokenProtection"]' 
+| where ConditionalAccessPolicies ["enforcedSessionControls"] contains '["Binding"]' or ConditionalAccessPolicies ["enforcedSessionControls"] contains '["SignInTokenProtection"]' 
 | where ConditionalAccessPolicies.result !="reportOnlyNotApplied" and ConditionalAccessPolicies.result !="notApplied" 
 | extend SessionNotSatisfyResult = ConditionalAccessPolicies["sessionControlsNotSatisfied"] 
-| extend Result = case (SessionNotSatisfyResult contains 'SignInTokenProtection', 'Block','Allow') 
+| extend Result = case (SessionNotSatisfyResult contains 'SignInTokenProtection' or SessionNotSatisfyResult contains 'SignInTokenProtection', 'Block','Allow')
 | summarize by Id,UserPrincipalName, AppDisplayName, Result 
 | summarize Requests = count(), Users = dcount(UserPrincipalName), Block = countif(Result == "Block"), Allow = countif(Result == "Allow"), BlockedUsers = dcountif(UserPrincipalName, Result == "Block") by AppDisplayName 
 | extend PctAllowed = round(100.0 * Allow/(Allow+Block), 2) 
@@ -179,10 +186,10 @@ AADNonInteractiveUserSignInLogs
 //Add userPrincipalName if you want to filter  
 // | where UserPrincipalName =="<user_principal_Name>" 
 | mv-expand todynamic(ConditionalAccessPolicies) 
-| where ConditionalAccessPolicies.enforcedSessionControls contains '["SignInTokenProtection"]' 
+| where ConditionalAccessPolicies ["enforcedSessionControls"] contains '["Binding"]' or ConditionalAccessPolicies ["enforcedSessionControls"] contains '["SignInTokenProtection"]'
 | where ConditionalAccessPolicies.result !="reportOnlyNotApplied" and ConditionalAccessPolicies.result !="notApplied" 
 | extend SessionNotSatisfyResult = ConditionalAccessPolicies.sessionControlsNotSatisfied 
-| extend Result = case (SessionNotSatisfyResult contains 'SignInTokenProtection', 'Block','Allow') 
+| extend Result = case (SessionNotSatisfyResult contains 'SignInTokenProtection' or SessionNotSatisfyResult contains 'SignInTokenProtection', 'Block','Allow')
 | summarize by Id, UserPrincipalName, AppDisplayName, ResourceDisplayName,Result  
 | summarize Requests = count(),Block = countif(Result == "Block"), Allow = countif(Result == "Allow") by UserPrincipalName, AppDisplayName,ResourceDisplayName 
 | extend PctAllowed = round(100.0 * Allow/(Allow+Block), 2) 
 
@@ -49,7 +49,7 @@ Azure CNI powered by Cilium currently has the following limitations:
 
 * Hubble is disabled.
 
-* Not compatible with Istio or other sidecar-based service meshes ([Istio issue #27619](https://github.com/istio/istio/issues/27619)).
+* Network policies cannot use `ipBlock` to allow access to node or pod IPs ([Cilium issue #9209](https://github.com/cilium/cilium/issues/9209) and [#12277](https://github.com/cilium/cilium/issues/12277)).
 
 * Kubernetes services with `internalTrafficPolicy=Local` aren't supported ([Cilium issue #17796](https://github.com/cilium/cilium/issues/17796)).
 
 
@@ -3,7 +3,7 @@ title: Use Confidential Virtual Machines (CVM) in Azure Kubernetes Service (AKS)
 description: Learn how to create Confidential Virtual Machines (CVM) node pools with Azure Kubernetes Service (AKS)
 ms.topic: article
 ms.custom: ignite-2022
-ms.date: 05/08/2023
+ms.date: 08/14/2023
 ---
 
 # Use Confidential Virtual Machines (CVM) in Azure Kubernetes Service (AKS) cluster
@@ -16,9 +16,7 @@ Adding a node pool with CVM to your AKS cluster is currently in preview.
 
 Before you begin, make sure you have the following:
 
-- An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).
-- [Azure CLI installed](/cli/azure/install-azure-cli).
-- An existing AKS cluster in the *westus*, *eastus*, *westeurope*, or *northeurope* region.
+- An existing AKS cluster.
 - The [DCasv5 and DCadsv5-series][cvm-subs-dc] or [ECasv5 and ECadsv5-series][cvm-subs-ec] SKUs available for your subscription.
 
 ## Limitations
 
@@ -53,8 +53,6 @@ To get all the latest features, and the smoothest experience when connecting to
 
 ## External open source tools
 
-**Tabular Editor** - An open-source tool for creating, maintaining, and managing tabular models using an intuitive, lightweight editor. A hierarchical view shows all objects in your tabular model. Objects are organized by display folders with support for multi-select property editing and DAX syntax highlighting. XMLA read-only is required for query operations. Read-write is required for metadata operations. To learn more, see [tabulareditor.github.io](https://tabulareditor.github.io/).
-
 **ALM Toolkit** - An open-source schema compare tool for Analysis Services tabular models and Power BI datasets, most often used for application lifecycle management (ALM) scenarios. Perform deployment across environments and retain incremental refresh historical data. Diff and merge metadata files, branches and repos. Reuse common definitions between datasets. Read-only is required for query operations. Read-write is required for metadata operations. To learn more, see [alm-toolkit.com](http://alm-toolkit.com/).
 
 **DAX Studio** – An open-source tool for DAX authoring, diagnosis, performance tuning, and analysis. Features include object browsing, integrated tracing, query execution breakdowns with detailed statistics, DAX syntax highlighting and formatting. XMLA read-only is required for query operations. To learn more, see [daxstudio.org](https://daxstudio.org/).
@@ -68,4 +66,4 @@ When connecting using SSMS, if you run into problems, you may need to clear the
 ## Next steps
 If you haven't already deployed a tabular model to your new server, now is a good time. To learn more, see [Deploy to Azure Analysis Services](analysis-services-deploy.md).
 
-If you've deployed a model to your server, you're ready to connect to it using a client application or tool. To learn more, see [Get data from Azure Analysis Services server](analysis-services-connect.md).
+If you've deployed a model to your server, you're ready to connect to it using a client application or tool. To learn more, see [Get data from Azure Analysis Services server](analysis-services-connect.md).
@@ -168,7 +168,7 @@ Azure Analysis Services Firewall blocks all client connections other than those
 
 ### Authentication
 
-User authentication is handled by [Azure Active Directory (AAD)](../active-directory/fundamentals/active-directory-whatis.md). When logging in, users use an organization account identity with role-based access to the database. User identities must be members of the default Azure Active Directory for the subscription that the server is in. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).
+User authentication is handled by [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md). When logging in, users use an organization account identity with role-based access to the database. User identities must be members of the default Azure Active Directory for the subscription that the server is in. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).
 
 ### Data security
 
@@ -215,7 +215,7 @@ Manage your servers and model databases by using [SQL Server Management Studio (
 
 ### Open-source tools
 
-Analysis Services has a vibrant community of developers who create tools. Be sure to check out [Tabular Editor](https://tabulareditor.github.io/), an open-source tool for creating, maintaining, and managing tabular models using an intuitive, lightweight editor. [DAX Studio](https://daxstudio.org/), is a great open-source tool for DAX authoring, diagnosis, performance tuning, and analysis.
+Analysis Services has a vibrant community of developers who create tools. [DAX Studio](https://daxstudio.org/), is a great open-source tool for DAX authoring, diagnosis, performance tuning, and analysis.
 
 ### PowerShell
 
 
@@ -85,7 +85,10 @@ var appInsights = window.appInsights || function(config){ ...
 
 ## Create more Application Insights resources
 
-To create an Applications Insights resource, see [Create an Application Insights resource](./create-new-resource.md).
+To create an Applications Insights resource, see [Create an Application Insights resource](./create-workspace-resource.md).
+
+> [!WARNING]
+> You may incur additional network costs if your Application Insights resource is monitoring an Azure resource (i.e., telemetry producer) in a different region. Costs will vary depending on the region the telemetry is coming from and where it is going. Refer to [Azure bandwidth pricing](https://azure.microsoft.com/pricing/details/bandwidth/) for details.
 
 ### Get the instrumentation key
 The instrumentation key identifies the resource that you created.
 
@@ -19,6 +19,11 @@ Azure Service Health monitors:
 - [Resource health](../../service-health/resource-health-overview.md): information about the health of your individual cloud resources, such as a specific Log Analytics workspace. 
 - [Service health](../../service-health/service-health-overview.md): information about the health of the Azure services and regions you're using, which might affect your Log Analytics workspace, including communications about outages, planned maintenance activities, and other health advisories.
 
+## Permissions required
+
+- To view Log Analytics workspace health, you need `*/read` permissions to the Log Analytics workspace, as provided by the [Log Analytics Reader built-in role](./manage-access.md#log-analytics-reader), for example.
+- To set up health status alerts, you need `Microsoft.Insights/ActivityLogAlerts/Write` permissions to the Log Analytics workspace, as provided by the [Monitoring Contributor built-in role](../roles-permissions-security.md#monitoring-contributor), for example.
+
 ## View Log Analytics workspace health and set up health status alerts 
 
 When Azure Service Health detects [average latency](../logs/data-ingestion-time.md#average-latency) in your Log Analytics workspace, the workspace resource health status is **Available**.
@@ -79,7 +84,7 @@ To view Log Analytics workspace health metrics:
 To investigate Log Analytics workspace health issues:
 
 - Use [Log Analytics Workspace Insights](../logs/log-analytics-workspace-insights-overview.md), which provides a unified view of your workspace usage, performance, health, agent, queries, and change log.
-- Query the data in your Log Analytics workspace to [understand which factors are contributing greater than expected latency in your workspace](../logs/data-ingestion-time.md).  
+- [Query](./queries.md) the data in your Log Analytics workspace to [understand which factors are contributing greater than expected latency in your workspace](../logs/data-ingestion-time.md).  
 - [Use the `_LogOperation` function to view and set up alerts about operational issues](../logs/monitor-workspace.md) logged in your Log Analytics workspace.
 
       
 
@@ -0,0 +1,27 @@
+---
+title: include file
+description: include file
+services: azure-communication-services
+ms.date: 08/14/2023
+ms.topic: include
+ms.service: azure-communication-services
+---
+
+## Force calling traffic to be proxied across your own server for Android SDK
+
+In certain situations, it might be useful to have all your client traffic proxied to a server that you can control. When the SDK is initializing, you can provide the details of your servers that you would like the traffic to route to. This tutorial guides on how to have Android SDK calling traffic be proxied to servers that you control.
+
+>[!IMPORTANT]
+> The proxy feature will be available in a future public preview version of the Calling SDK. 
+## Proxy signaling traffic
+
+To provide the URL of a proxy server, you need to pass it in as part of `CallClientOptions` through its property `CallNetworkOptions` while initializing the `CallClient`. For more details how to setup a call see [Azure Communication Services Android SDK](../../quickstarts/voice-video-calling/get-started-with-video-calling.md?pivots=platform-android)) for the Quickstart on how to setup Voice and Video.
+
+```java
+CallClientOptions callClientOptions = new CallClientOptions();
+CallNetworkOptions callNetworkOptions = new CallNetworkOptions();
+callNetworkOptions.setProxyAddress("https://myproxyserver.com");
+callClientOptions.setNetworkOptions(callNetworkOptions);
+CallClient callClient = new CallClient(callClientOptions);
+// ...continue normally with your SDK setup and usage.
+```
@@ -0,0 +1,27 @@
+---
+title: include file
+description: include file
+services: azure-communication-services
+ms.date: 08/14/2023
+ms.topic: include
+ms.service: azure-communication-services
+---
+
+## Force calling traffic to be proxied across your own server for iOS SDK
+
+In certain situations, it might be useful to have all your client traffic proxied to a server that you can control. When the SDK is initializing, you can provide the details of your servers that you would like the traffic to route to. This tutorial guides on how to have iOS SDK calling traffic be proxied to servers that you control.
+
+>[!IMPORTANT]
+> The proxy feature will be available in a future public preview version of the Calling SDK. 
+## Proxy signaling traffic
+
+To provide the URL of a proxy server, you need to pass it in as part of `CallClientOptions` through its property `CallNetworkOptions` while initializing the `CallClient`. For more details how to setup a call see [Azure Communication Services iOS SDK](../../quickstarts/voice-video-calling/get-started-with-video-calling.md?pivots=platform-ios)) for the Quickstart on how to setup Voice and Video.
+
+```swift
+let callClientOptions = CallClientOptions()
+let callNetworkOptions = CallNetworkOptions()
+callNetworkOptions.proxyAddress = proxyAddress
+callClientOptions.networkOptions = callNetworkOptions
+self.callClient = CallClient(options: callClientOptions)
+// ...continue normally with your SDK setup and usage.
+```