Merge pull request #203188 from MicrosoftDocs/main

6/28 PM Publish

Author: huypub

CODEOWNERS

@@ -14,9 +14,9 @@ articles/azure-monitor/* @bwren
 articles/azure-monitor/agents @guywi-ms @bwren
 articles/azure-monitor/alerts @abbyMSFT
 articles/azure-monitor/app @AaronMaxwell 
-articles/azure-monitor/autoscale @rboucher
+articles/azure-monitor/autoscale @EdB-MSFT
 articles/azure-monitor/containers @bwren
-articles/azure-monitor/essentials @bwren @rboucher
+articles/azure-monitor/essentials @bwren @rboucher @EdB-MSFT
 articles/azure-monitor/insights @bwren @rboucher 
 articles/azure-monitor/logs @guywi-ms
 articles/azure-monitor/visualize @abbyMSFT @rboucher

articles/active-directory/develop/scenario-web-app-sign-user-app-configuration.md

@@ -261,7 +261,7 @@ To add authentication with the Microsoft identity platform (formerly Azure AD v2
      }).AddMicrosoftIdentityUI();
     ```
 
-3. In the `Configure` method in *Startup.cs*, enable authentication with a call to `app.UseAuthentication();`
+3. In the `Configure` method in *Startup.cs*, enable authentication with a call to `app.UseAuthentication();` and `app.MapControllers();`.
 
    ```c#
    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
@@ -270,6 +270,9 @@ To add authentication with the Microsoft identity platform (formerly Azure AD v2
     // more code here
     app.UseAuthentication();
     app.UseAuthorization();
+    
+    app.MapRazorPages();
+    app.MapControllers();
     // more code here
    }
    ```

articles/active-directory/enterprise-users/TOC.yml

@@ -64,6 +64,8 @@
       href: ../external-identities/what-is-b2b.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context
     - name: Restrict guest user access
       href: users-restrict-guest-permissions.md
+    - name: Clean up unmanaged accounts
+      href: clean-up-unmanaged-azure-ad-accounts.md 
     - name: Dynamic groups and guests   
       href: ../external-identities/use-dynamic-groups.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context
   - name: Organization (tenant)
@@ -187,4 +189,4 @@
   - name:  Azure AD PowerShell for Graph
     href: /powershell/azure/active-directory/install-adv2
   - name: Azure AD service limits
-    href: directory-service-limits-restrictions.md
+    href: directory-service-limits-restrictions.md

articles/active-directory/enterprise-users/clean-up-unmanaged-azure-ad-accounts.md

@@ -0,0 +1,106 @@
+---
+title: Clean up unmanaged Azure AD accounts - Azure Active Directory | Microsoft Docs
+description: Clean up unmanaged accounts using email OTP and PowerShell modules in Azure Active Directory
+services: active-directory 
+author: gargi-sinha
+ms.author: gasinh
+manager: martinco
+ms.date: 06/28/2022
+ms.topic: how-to
+ms.service: active-directory
+ms.subservice: enterprise-users
+ms.workload: identity
+ms.custom: it-pro
+ms.collection: M365-identity-device-management
+---
+
+# Clean up unmanaged Azure Active Directory accounts
+
+Azure Active Directory (Azure AD) supports self-service sign-up for
+email-verified users. Users can create Azure AD accounts if they can
+verify email ownership. To learn more, see, [What is self-service
+sign-up for Azure Active
+Directory?](https://docs.microsoft.com/azure/active-directory/enterprise-users/directory-self-service-signup)
+
+However, if a user creates an account, and the domain isn't verified in
+an Azure AD tenant, the user is created in an unmanaged, or viral
+tenant. The user can create an account with an organization's domain,
+not under the lifecycle management of the organization's IT. Access can
+persist after the user leaves the organization.
+
+## Remove unmanaged Azure AD accounts
+
+You can remove unmanaged Azure AD accounts from your Azure AD tenants
+and prevent these types of accounts from redeeming future invitations.
+
+1. Read how to enable [one-time
+    passcodes](https://docs.microsoft.com/azure/active-directory/external-identities/one-time-passcode#enable-email-one-time-passcode)
+    (OTP)
+
+2. Use the sample application in [Azure-samples/Remove-unmanaged-guests](https://github.com/Azure-Samples/Remove-Unmanaged-Guests) or
+    go to
+    [AzureAD/MSIdentityTools](https://github.com/AzureAD/MSIdentityTools/wiki/)
+    PowerShell module to identify viral users in an Azure AD tenant and
+    reset user redemption status.
+
+Once the above steps are complete, when users with unmanaged Azure AD accounts try to access your tenant, they'll re-redeem their invitations. However, because Email OTP is enabled, Azure AD will prevent users from redeeming with an existing unmanaged Azure AD account and they’ll redeem with another account type. Google Federation and SAML/WS-Fed aren't enabled by default. So by default, these users will redeem with either an MSA or Email OTP, with MSA taking precedence. For a full explanation on the B2B redemption precedence, refer to the [redemption precedence flow chart](https://docs.microsoft.com/azure/active-directory/external-identities/redemption-experience#invitation-redemption-flow).
+
+## Overtaken tenants and domains
+
+Some tenants created as unmanaged tenants can be taken over and
+converted to a managed tenant. See, [take over an unmanaged directory as
+administrator in Azure AD](https://docs.microsoft.com/azure/active-directory/enterprise-users/domains-admin-takeover).
+
+In some cases, overtaken domains might not be updated, for example, missing a DNS TXT record and therefore become flagged as unmanaged. Implications are:
+
+- For guest users who belong to formerly unmanaged tenants, redemption status is reset and one consent prompt appears. Redemption occurs with same account as before.
+
+- After unmanaged user redemption status is reset, the tool might identify unmanaged users that are false positives.
+
+## Reset redemption using a sample application
+
+Before you begin, to identify and reset unmanaged Azure AD account redemption:
+
+1. Ensure email OTP is enabled.
+
+2. Use the sample application on
+    [Azure-Samples/Remove-Unmanaged-Guests](https://github.com/Azure-Samples/Remove-Unmanaged-Guests).
+
+## Reset redemption using MSIdentityTools PowerShell Module
+
+MSIdentityTools PowerShell Module is a collection of cmdlets and
+scripts. They are for use in the Microsoft identity platform and Azure
+AD; they augment capabilities in the PowerShell SDK. See, [Microsoft
+Graph PowerShell
+SDK](https://github.com/microsoftgraph/msgraph-sdk-powershell).
+
+Run the following cmdlets:
+
+- `Install-Module Microsoft.Graph -Scope CurrentUser`
+
+- `Install-Module MSIdentityTools`
+
+- `Import-Module msidentitytools,microsoft.graph`
+
+To identify unmanaged Azure AD accounts, run:
+
+- `Connect-MgGraph --Scope User.Read.All`
+
+- `Get-MsIdUnmanagedExternalUser`
+
+To reset unmanaged Azure AD account redemption status, run:
+
+- `Connect-MgGraph --Scope User.Readwrite.All`
+
+- `Get-MsIdUnmanagedExternalUser | Reset-MsIdExternalUser`
+
+To delete unmanaged Azure AD accounts, run:
+
+- `Connect-MgGraph --Scope User.Readwrite.All`
+
+- `Get-MsIdUnmanagedExternalUser | Remove-MgUser`
+
+## Next steps
+
+Examples of using
+[Get-MSIdUnmanagedExternalUser](https://github.com/AzureAD/MSIdentityTools/wiki/Get-MsIdUnmanagedExternalUser)

articles/aks/learn/quick-kubernetes-deploy-cli.md

@@ -3,7 +3,7 @@ title: 'Quickstart: Deploy an AKS cluster by using Azure CLI'
 description: Learn how to quickly create a Kubernetes cluster, deploy an application, and monitor performance in Azure Kubernetes Service (AKS) using the Azure CLI.
 services: container-service
 ms.topic: quickstart
-ms.date: 04/29/2022
+ms.date: 06/28/2022
 ms.custom: H1Hack27Feb2017, mvc, devcenter, seo-javascript-september2019, seo-javascript-october2019, seo-python-october2019, devx-track-azurecli, contperf-fy21q1, mode-api
 #Customer intent: As a developer or cluster operator, I want to quickly create an AKS cluster and deploy an application so that I can see how to run and monitor applications using the managed Kubernetes service in Azure.
 ---
@@ -27,21 +27,21 @@ To learn more about creating a Windows Server node pool, see [Create an AKS clus
 
 - This article requires version 2.0.64 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
 
-- The identity you are using to create your cluster has the appropriate minimum permissions. For more details on access and identity for AKS, see [Access and identity options for Azure Kubernetes Service (AKS)](../concepts-identity.md).
+- The identity you are using to create your cluster has the appropriate minimum permissions. For more details on access and identity for AKS, see [Access and identity options for Azure Kubernetes Service (AKS)][aks-identity-concepts].
 
 - If you have multiple Azure subscriptions, select the appropriate subscription ID in which the resources should be billed using the
-[az account](/cli/azure/account) command.
+[az account][az-account] command.
 
-- Verify *Microsoft.OperationsManagement* and *Microsoft.OperationalInsights* are registered on your subscription. To check the registration status:
+- Verify *Microsoft.OperationsManagement* and *Microsoft.OperationalInsights* providers are registered on your subscription. These are Azure resource providers required to support [Container insights][azure-monitor-containers]. To check the registration status, run the following commands:
 
-    ```azurecli-interactive
+    ```azurecli
     az provider show -n Microsoft.OperationsManagement -o table
     az provider show -n Microsoft.OperationalInsights -o table
     ```
 
-    If they are not registered, register *Microsoft.OperationsManagement* and *Microsoft.OperationalInsights* using:
+    If they are not registered, register *Microsoft.OperationsManagement* and *Microsoft.OperationalInsights* using the following commands:
 
-    ```azurecli-interactive
+    ```azurecli
     az provider register --namespace Microsoft.OperationsManagement
     az provider register --namespace Microsoft.OperationalInsights
     ```
@@ -51,7 +51,7 @@ To learn more about creating a Windows Server node pool, see [Create an AKS clus
 
 ## Create a resource group
 
-An [Azure resource group](../../azure-resource-manager/management/overview.md) is a logical group in which Azure resources are deployed and managed. When you create a resource group, you are prompted to specify a location. This location is:
+An [Azure resource group][azure-resource-group] is a logical group in which Azure resources are deployed and managed. When you create a resource group, you are prompted to specify a location. This location is:
 
 * The storage location of your resource group metadata.
 * Where your resources will run in Azure if you don't specify another region during resource creation.
@@ -81,10 +81,10 @@ The following output example resembles successful creation of the resource group
 
 ## Create AKS cluster
 
-Create an AKS cluster using the [az aks create][az-aks-create] command with the *--enable-addons monitoring* parameter to enable [Container insights][azure-monitor-containers]. The following example creates a cluster named *myAKSCluster* with one node:
+Create an AKS cluster using the [az aks create][az-aks-create] command with the *--enable-addons monitoring* parameter to enable [Container insights][azure-monitor-containers]. The following example creates a cluster named *myAKSCluster* with one node and enables a system-assigned managed identity:
 
 ```azurecli-interactive
-az aks create --resource-group myResourceGroup --name myAKSCluster --node-count 1 --enable-addons monitoring --generate-ssh-keys
+az aks create -g myResourceGroup -n myManagedCluster --enable-managed-identity --node-count 1 --enable-addons monitoring
 ```
 
 After a few minutes, the command completes and returns JSON-formatted information about the cluster.
@@ -102,9 +102,10 @@ To manage a Kubernetes cluster, use the Kubernetes command-line client, [kubectl
     az aks install-cli
     ```
 
-2. Configure `kubectl` to connect to your Kubernetes cluster using the [az aks get-credentials][az-aks-get-credentials] command. The following command:  
-      * Downloads credentials and configures the Kubernetes CLI to use them.
-      * Uses `~/.kube/config`, the default location for the [Kubernetes configuration file][kubeconfig-file]. Specify a different location for your Kubernetes configuration file using *--file* argument.
+2. Configure `kubectl` to connect to your Kubernetes cluster using the [az aks get-credentials][az-aks-get-credentials] command. The following command:
+
+    * Downloads credentials and configures the Kubernetes CLI to use them.
+    * Uses `~/.kube/config`, the default location for the [Kubernetes configuration file][kubeconfig-file]. Specify a different location for your Kubernetes configuration file using *--file* argument.
 
     ```azurecli-interactive
     az aks get-credentials --resource-group myResourceGroup --name myAKSCluster
@@ -137,9 +138,9 @@ Two [Kubernetes Services][kubernetes-service] are also created:
 * An internal service for the Redis instance.
 * An external service to access the Azure Vote application from the internet.
 
-1. Create a file named `azure-vote.yaml`.
-    * If you use the Azure Cloud Shell, this file can be created using `code`, `vi`, or `nano` as if working on a virtual or physical system
-1. Copy in the following YAML definition:
+1. Create a file named `azure-vote.yaml` and copy in the following manifest.
+
+    * If you use the Azure Cloud Shell, this file can be created using `code`, `vi`, or `nano` as if working on a virtual or physical system.
 
     ```yaml
     apiVersion: apps/v1
@@ -303,7 +304,10 @@ This quickstart is for introductory purposes. For guidance on a creating full so
 <!-- LINKS - internal -->
 [kubernetes-concepts]: ../concepts-clusters-workloads.md
 [aks-monitor]: ../../azure-monitor/containers/container-insights-onboard.md
+[aks-identity-concepts]: ../concepts-identity.md
 [aks-tutorial]: ../tutorial-kubernetes-prepare-app.md
+[azure-resource-group]: ../../azure-resource-manager/management/overview.md
+[az-account]: /cli/azure/account
 [az-aks-browse]: /cli/azure/aks#az-aks-browse
 [az-aks-create]: /cli/azure/aks#az-aks-create
 [az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials