Merge branch 'main' into tamram22-1107

Author: tamram

articles/active-directory/develop/TOC.yml

@@ -183,6 +183,8 @@
           href: app-resilience-continuous-access-evaluation.md
         - name: Claims challenges and requests
           href: claims-challenge.md
+        - name: Configure app instance property lock
+          href: howto-configure-app-instance-property-locks.md
     - name: Test
       items:
         - name: Build a test environment

articles/active-directory/develop/howto-configure-app-instance-property-locks.md

@@ -0,0 +1,54 @@
+---
+title: "How to configure app instance property lock in your applications"
+description: How to increase app security by configuring property modification locks for sensitive properties of the application.
+services: active-directory
+manager: saumadan
+ms.service: active-directory
+ms.subservice: develop
+ms.topic: conceptual
+ms.workload: identity
+ms.date: 11/03/2022
+author: madansr7
+ms.author: saumadan
+ms.reviewer:
+# Customer intent: As an application developer, I want to learn how to protect properties of my application instance of being modified.
+---
+# How to configure app instance property lock for your applications (Preview)
+
+Application instance lock is a feature in Azure Active Directory (Azure AD) that allows sensitive properties of a multi-tenant application object to be locked for modification after the application is provisioned in another tenant. 
+This feature provides application developers with the ability to lock certain properties if the application doesn't support scenarios that require configuring those properties.  
+
+
+## What are sensitive properties?
+
+The following property usage scenarios are considered as sensitive:
+
+- Credentials (`keyCredentials`, `passwordCredentials`) where usage type is `Sign`. This is a scenario where your application supports a SAML flow.
+- Credentials (`keyCredentials`, `passwordCredentials`) where usage type is `Verify`. In this scenario, your application supports an OIDC client credentials flow.
+- `TokenEncryptionKeyId` which specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD encrypts all the tokens it emits by using the key to which this property points. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user.
+
+## Configure an app instance lock
+
+To configure an app instance lock using the Azure portal:
+
+1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant that contains the app registration you want to configure. 
+1. Search for and select **Azure Active Directory**.
+1. Under **Manage**, select **App registrations**, and then select the application you want to configure.
+1. Select **Authentication**, and then select **Configure** under the *App instance property lock* section.
+
+   :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-overview.png" alt-text="Screenshot of an app registration's app instance lock in the Azure portal.":::
+
+2. In the **App instance property lock** pane, enter the settings for the lock. The table following the image describes each setting and their parameters.
+
+   :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-properties.png" alt-text="Screenshot of an app registration's app instance property lock context pane in the Azure portal.":::
+
+   | Field                                    | Description                                                                                                                                                                                                                                                                                                       |
+   | ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+   | **Enable property lock**                 | Specifies if the property locks are enabled.    | 
+   | **All properties**                 | Locks all sensitive properties without needing to select each property scenario. |
+   | **Credentials used for verification**                                | Locks the ability to add or update credential properties (`keyCredentials`, `passwordCredentials`) where usage type is `verify`. | 
+   | **Credentials used for signing tokens**                                | Locks the ability to add or update credential properties (`keyCredentials`, `passwordCredentials`) where usage type is `sign`. | 
+   | **Token Encryption KeyId**                                | Locks the ability to change the `tokenEncryptionKeyId` property.  | 
+
+3. Select **Save** to save your changes.

articles/active-directory/develop/media/howto-configure-app-instance-property-locks/app-instance-lock-configure-overview.png

@@ -67,7 +67,7 @@ Use the following steps to create a pre-hire workflow that will generate a TAP a
 
      :::image type="content" source="media/tutorial-lifecycle-workflows/configure-scope.png" alt-text="Screenshot of selecting a configuration scope." lightbox="media/tutorial-lifecycle-workflows/configure-scope.png":::
 
-   8.  Next, you will configure the scope. The scope determines which users this workflow will run against.  In this case, it will be on all users in the Sales department.  On the configure scope screen, under **Rule** add the following settings and then select **Next: Review tasks**
+   8.  Next, you will configure the scope. The scope determines which users this workflow will run against.  In this case, it will be on all users in the Sales department.  On the configure scope screen, under **Rule** add the following settings and then select **Next: Review tasks**. For a full list of supported user properties, see: [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta#supported-user-properties-and-query-parameters)
 
        :::image type="content" source="media/tutorial-lifecycle-workflows/review-tasks.png" alt-text="Screenshot of selecting review tasks." lightbox="media/tutorial-lifecycle-workflows/review-tasks.png":::
 

articles/active-directory/develop/media/howto-configure-app-instance-property-locks/app-instance-lock-configure-properties.png

@@ -50,7 +50,7 @@ Use the following steps to create a scheduled leaver workflow that will configur
  7. Next, you will configure the basic information about the workflow.  This information includes when the workflow will trigger, known as **Days from event**.  So in this case, the workflow will trigger seven days after the employee's leave date.  On the post-offboarding of an employee screen, add the following settings and then select **Next: Configure Scope**. 
    :::image type="content" source="media/tutorial-lifecycle-workflows/leaver-basics.png" alt-text="Screenshot of leaver template basics information for a workflow." lightbox="media/tutorial-lifecycle-workflows/leaver-basics.png":::
 
- 8. Next, you will configure the scope. The scope determines which users this workflow will run against.  In this case, it will be on all users in the Marketing department.  On the configure scope screen, under **Rule** add the following and then select **Next: Review tasks**.
+ 8. Next, you will configure the scope. The scope determines which users this workflow will run against.  In this case, it will be on all users in the Marketing department.  On the configure scope screen, under **Rule** add the following and then select **Next: Review tasks**. For a full list of supported user properties, see: [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta#supported-user-properties-and-query-parameters)
    :::image type="content" source="media/tutorial-lifecycle-workflows/leaver-scope.png" alt-text="Screenshot of reviewing scope details for a leaver workflow." lightbox="media/tutorial-lifecycle-workflows/leaver-scope.png":::
 
  9. On the following page, you may inspect the tasks if desired but no additional configuration is needed. Select **Next: Select users** when you are finished.

articles/active-directory/governance/tutorial-onboard-custom-workflow-portal.md

@@ -199,7 +199,7 @@ The following claims are additionally supported by the SevSnpVm attestation type
 
 - **x-ms-sevsnpvm-authorkeydigest**: SHA384 hash of the author signing key 
 - **x-ms-sevsnpvm-bootloader-svn** :AMD boot loader security version number (SVN)
-- **x-ms-sevsnpvm-familyId**: HCL family identification string
+- **x-ms-sevsnpvm-familyId**: Host Compatibility Layer (HCL) family identification string
 - **x-ms-sevsnpvm-guestsvn**: HCL security version number (SVN)
 - **x-ms-sevsnpvm-hostdata**: Arbitrary data defined by the host at VM launch time
 - **x-ms-sevsnpvm-idkeydigest**: SHA384 hash of the identification signing key

articles/active-directory/governance/tutorial-scheduled-leaver-portal.md

@@ -1,8 +1,6 @@
 ---
 title: 'Tutorial: Deploy configurations using GitOps on an Azure Arc-enabled Kubernetes cluster'
 description: This tutorial demonstrates applying configurations on an Azure Arc-enabled Kubernetes cluster. For a conceptual take on this process, see the Configurations and GitOps - Azure Arc-enabled Kubernetes article. 
-author: csand-msft
-ms.author: csand
 ms.service: azure-arc
 ms.topic: tutorial 
 ms.date: 05/24/2022

articles/attestation/claim-sets.md

@@ -20,7 +20,7 @@ Learn what's new in the service. These items may be release notes, videos, blog
 
 ### Computer Vision Image Analysis 4.0 public preview
 
-Version 4.0 of Computer Vision has been released in public preview. The new API includes image captioning, image tagging, object detection people detection, and Read OCR functionality, available in the same Analyze Image operation. The OCR is optimized for general, non-document images in a performance-enhanced synchronous API that makes it easier to embed OCR-powered experiences in your workflows.
+Image Analysis 4.0 has been released in public preview. The new API includes image captioning, image tagging, object detection, smart crops, people detection, and Read OCR functionality, all available through one Analyze Image operation. The OCR is optimized for general, non-document images in a performance-enhanced synchronous API that makes it easier to embed OCR-powered experiences in your workflows.
 
 ## September 2022
 

articles/azure-arc/kubernetes/tutorial-use-gitops-connected-cluster.md

@@ -114,7 +114,7 @@ This category contains the following entity:
 
         IBAN codes for payment instruction information. Also returned with `domain=phi`.
 
-        To get this entity category, add `InternationalBankingAccountNumber` to the `piiCategories` parameter. `InternationlBankingAccountNumber` will be returned in the API response if detected.
+        To get this entity category, add `InternationalBankingAccountNumber` to the `piiCategories` parameter. `InternationalBankingAccountNumber` will be returned in the API response if detected.
       
     :::column-end:::
     :::column span="2":::