Merge pull request #206597 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)

Author: huypub

articles/active-directory/devices/concept-azure-ad-join-hybrid.md

@@ -27,12 +27,12 @@ Hybrid Azure AD joined devices require network line of sight to your on-premises
 | **Primary audience** | Suitable for hybrid organizations with existing on-premises AD infrastructure |
 |   | Applicable to all users in an organization |
 | **Device ownership** | Organization |
-| **Operating Systems** | Windows 10 or newer, 8.1 and 7 |
-|   | Windows Server 2008/R2, 2012/R2, 2016 and 2019 |
-| **Provisioning** | Windows 10 or newer, Windows Server 2016/2019 |
+| **Operating Systems** | Windows 11, Windows 10 or 8.1 |
+|   | Windows Server 2008/R2, 2012/R2, 2016, 2019 and 2022 |
+| **Provisioning** | Windows 11, Windows 10, Windows Server 2016/2019/2022 |
 |   | Domain join by IT and autojoin via Azure AD Connect or ADFS config |
 |   | Domain join by Windows Autopilot and autojoin via Azure AD Connect or ADFS config |
-|   | Windows 8.1, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 - Require MSI |
+|   | Windows 8.1, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 - Require MSI |
 | **Device sign in options** | Organizational accounts using: |
 |   | Password |
 |   | Windows Hello for Business for Win10 and above |
@@ -48,7 +48,7 @@ Hybrid Azure AD joined devices require network line of sight to your on-premises
 
 Use Azure AD hybrid joined devices if:
 
-- You support down-level devices running Windows 7 and 8.1.
+- You support down-level devices running 8.1.
 - You want to continue to use [Group Policy](/mem/configmgr/comanage/faq#my-environment-has-too-many-group-policy-objects-and-legacy-authenticated-apps--do-i-have-to-use-hybrid-azure-ad-) to manage device configuration.
 - You want to continue to use existing imaging solutions to deploy and configure devices.
 - You have Win32 apps deployed to these devices that rely on Active Directory machine authentication.

articles/active-directory/identity-protection/concept-workload-identity-risk.md

@@ -113,3 +113,4 @@ The [Azure AD Toolkit](https://github.com/microsoft/AzureADToolkit) is a PowerSh
 - [Microsoft Graph API](/graph/use-the-api)
 - [Azure AD audit logs](../reports-monitoring/concept-audit-logs.md)
 - [Azure AD sign-in logs](../reports-monitoring/concept-sign-ins.md)
+- [Simulate risk detections](howto-identity-protection-simulate-risk.md)

articles/active-directory/identity-protection/howto-identity-protection-simulate-risk.md

@@ -27,10 +27,11 @@ This article provides you with steps for simulating the following risk detection
 - Anonymous IP address (easy)
 - Unfamiliar sign-in properties (moderate)
 - Atypical travel (difficult)
+- Leaked credentials in GitHub for workload identities (moderate)
 
 Other risk detections cannot be simulated in a secure manner.
 
-More information about each risk detection can be found in the article, [What is risk](concept-identity-protection-risks.md).
+More information about each risk detection can be found in the article, What is risk for [user](concept-identity-protection-risks.md) and [workload identity](concept-workload-identity-risk.md).
 
 ## Anonymous IP address
 
@@ -81,6 +82,30 @@ Simulating the atypical travel condition is difficult because the algorithm uses
 
 The sign-in shows up in the Identity Protection dashboard within 2-4 hours.
 
+## Leaked Credentials for Workload Identities
+
+This risk detection indicates that the application's valid credentials have been leaked. This leak can occur when someone checks in the credentials in a public code artifact on GitHub. Therefore, to simulate this detection, you need a GitHub account and can [sign up a GitHub account](https://docs.github.com/get-started/signing-up-for-github) if you don't have one already.
+
+**To simulate Leaked Credentials in GitHub for Workload Identities, perform the following steps**:
+1. Navigate to the [Azure portal](https://portal.azure.com).
+2. Browse to **Azure Active Directory** > **App registrations**.
+3. Select **New registration** to register a new application or reuse an exsiting stale application.
+4. Select **Certificates & Secrets** > **New client Secret** , add a description of your client secret and set an expiration for the secret or specify a custom lifetime and click **Add**. Record the secret's value for later use for your GitHub Commit.
+
+   > [!Note]
+   > **You can not retrieve the secret again after you leave this page**.
+   
+5. Get the TenantID and Application(Client)ID in the **Overview** page.
+6. Ensure you disable the application via **Azure Active Directory** > **Enterprise Application** > **Properties** > Set **Enabled for users to sign-in** to **No**.
+7. Create a **public** GitHub Repository, add the following config and commit the change.
+   ```GitHub file
+     "AadClientId": "XXXX-2dd4-4645-98c2-960cf76a4357",
+     "AadSecret": "p3n7Q~XXXX",
+     "AadTenantDomain": "XXXX.onmicrosoft.com",
+     "AadTenantId": "99d4947b-XXX-XXXX-9ace-abceab54bcd4",
+   ```
+7. In about 8 hours, you will be able to view a leaked credentail detection under **Azure Active Directory** > **Security** > **Risk Detection** > **Workload identity detections** where the additional info will contain your the URL of your GitHub commit.
+
 ## Testing risk policies
 
 This section provides you with steps for testing the user and the sign-in risk policies created in the article, [How To: Configure and enable risk policies](howto-identity-protection-configure-risk-policies.md).
@@ -126,6 +151,8 @@ To test a sign in risk policy, perform the following steps:
 
 - [What is risk?](concept-identity-protection-risks.md)
 
+- [Securing workload identities with Identity](concept-workload-identity-risk.md)
+
 - [How To: Configure and enable risk policies](howto-identity-protection-configure-risk-policies.md)
 
 - [Azure Active Directory Identity Protection](overview-identity-protection.md)

articles/application-gateway/application-gateway-components.md

@@ -136,7 +136,7 @@ Application Gateway backend pool members aren't tied to an availability set. An
 
 If you use internal IPs as backend pool members, you must use [virtual network peering](../virtual-network/virtual-network-peering-overview.md) or a [VPN gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md). Virtual network peering is supported and beneficial for load-balancing traffic in other virtual networks.
 
-An application gateway can also communicate with to on-premises servers when they're connected by Azure ExpressRoute or VPN tunnels if traffic is allowed.
+An application gateway can also communicate with on-premises servers when they're connected by Azure ExpressRoute or VPN tunnels if traffic is allowed.
 
 You can create different backend pools for different types of requests. For example, create one backend pool for general requests, and then another backend pool for requests to the microservices for your application.
 

articles/azure-monitor/logs/logs-export-logic-app.md

@@ -26,7 +26,7 @@ This procedure uses the [Azure Monitor Logs connector](/connectors/azuremonitorl
 
 When you export data from a Log Analytics workspace, you should filter and aggregate your log data and optimize query and limit the amount of data processed by your Logic App workflow, to the required data. For example, if you need to archive sign-in events, you should filter for required events and project only the required fields. For example: 
 
-```json
+```Kusto
 SecurityEvent
 | where EventID == 4624 or EventID == 4625
 | project TimeGenerated , Account , AccountType , Computer

articles/azure-vmware/enable-public-ip-nsx-edge.md

@@ -78,7 +78,7 @@ A Sourced Network Translation Service (SNAT) with Port Address Translation (PAT)
 1. Enter a name.
 1. Select **SNAT**. 
 1. Optionally, enter a source such as a subnet to SNAT or destination.
-1. Enter the translated IP.   This IP is from the range of Public IPs you reserved from the Azure VMware Solution Portal.
+1. Enter the translated IP. This IP is from the range of Public IPs you reserved from the Azure VMware Solution Portal.
 1. Optionally, give the rule a higher priority number. This prioritization will move the rule further down the rule list to ensure more specific rules are matched first.
 1. Click **SAVE**.
 
@@ -106,8 +106,8 @@ A Destination Network Translation Service (DNAT) is used to expose a VM on a spe
 **Configure the DNAT rule**
   1. Name the rule.
    1. Select **DNAT** as the action.
-   1. Enter the reserved Public IP in the destination match.
-   1. Enter the VM Private IP in the translated IP. This IP is from the range of Public IPs reserved from the Azure VMware Solution Portal.
+   1. Enter the reserved Public IP in the destination match. This IP is from the range of Public IPs reserved from the Azure VMware Solution Portal.
+   1. Enter the VM Private IP in the translated IP.
    1. Select **SAVE**. 
    1. Optionally, configure the Translated Port or source IP for more specific matches.
 

articles/defender-for-cloud/integration-defender-for-endpoint.md

@@ -315,6 +315,7 @@ To remove the Defender for Endpoint solution from your machines:
 
 - [What's this "MDE.Windows" / "MDE.Linux" extension running on my machine?](#whats-this-mdewindows--mdelinux-extension-running-on-my-machine)
 - [What are the licensing requirements for Microsoft Defender for Endpoint?](#what-are-the-licensing-requirements-for-microsoft-defender-for-endpoint)
+- [Do I need to buy a separate anti-malware solution to protect my machines?](#do-i-need-to-buy-a-separate-anti-malware-solution-to-protect-my-machines)
 - [If I already have a license for Microsoft Defender for Endpoint, can I get a discount for Microsoft Defender for Servers?](#if-i-already-have-a-license-for-microsoft-defender-for-endpoint-can-i-get-a-discount-for-microsoft-defender-for-servers)
 - [How do I switch from a third-party EDR tool?](#how-do-i-switch-from-a-third-party-edr-tool)
 
@@ -324,7 +325,8 @@ In the past, Microsoft Defender for Endpoint was provisioned by the Log Analytic
 
 Defender for Cloud automatically deploys the extension to machines running:
 
-- Windows Server 2019 and Windows Server 2022.
+- Windows Server 2019 and Windows Server 2022
+- Windows Server 2012 R2 and 2016 if [MDE Unified Solution integration](#enable-the-integration) is enabled
 - Windows 10 on Azure Virtual Desktop.
 - Other versions of Windows Server if Defender for Cloud doesn't recognize the OS version (for example, when a custom VM image is used). In this case, Microsoft Defender for Endpoint is still provisioned by the Log Analytics agent.
 - Linux.

articles/purview/tutorial-using-python-sdk.md

@@ -254,7 +254,7 @@ In this section, you'll register your Blob Storage.
     body_input = {
             "kind": "AzureStorage",
             "properties": {
-                "endpoint": "endpoint": f"https://{storage_name}.blob.core.windows.net/",
+                "endpoint": f"https://{storage_name}.blob.core.windows.net/",
                 "resourceGroup": rg_name,
                 "location": rg_location,
                 "resourceName": storage_name,

articles/virtual-machines/workloads/sap/automation-configure-devops.md

@@ -82,7 +82,7 @@ Push the changes back to the repository by selecting the source control icon and
 Azure Pipelines are implemented as YAML files and they're stored in the 'deploy/pipelines' folder in the repository. 
 ## Control plane deployment pipeline
 
-Create the control plane deployment pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipeline YAML File. Specify the pipeline with the following settings:
+Create the control plane deployment pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipelines YAML File. Specify the pipeline with the following settings:
 
 | Setting | Value                                           |
 | ------- | ----------------------------------------------- |
@@ -94,7 +94,7 @@ Save the Pipeline, to see the Save option select the chevron next to the Run but
 
 ## SAP workload zone deployment pipeline
 
-Create the SAP workload zone pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipeline YAML File. Specify the pipeline with the following settings:
+Create the SAP workload zone pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipelines YAML File. Specify the pipeline with the following settings:
 
 | Setting | Value                                        |
 | ------- | -------------------------------------------- |
@@ -106,7 +106,7 @@ Save the Pipeline, to see the Save option select the chevron next to the Run but
 
 ## SAP system deployment pipeline
 
-Create the SAP system deployment pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipeline YAML File. Specify the pipeline with the following settings:
+Create the SAP system deployment pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipelines YAML File. Specify the pipeline with the following settings:
 
 | Setting | Value                                            |
 | ------- | ------------------------------------------------ |
@@ -118,7 +118,7 @@ Save the Pipeline, to see the Save option select the chevron next to the Run but
 
 ## SAP software acquisition pipeline
 
-Create the SAP software acquisition pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipeline YAML File. Specify the pipeline with the following settings:
+Create the SAP software acquisition pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipelines YAML File. Specify the pipeline with the following settings:
 
 | Setting | Value                                            |
 | ------- | ------------------------------------------------ |
@@ -130,7 +130,7 @@ Save the Pipeline, to see the Save option select the chevron next to the Run but
 
 ## SAP configuration and software installation pipeline
 
-Create the SAP configuration and software installation pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipeline YAML File. Specify the pipeline with the following settings:
+Create the SAP configuration and software installation pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipelines YAML File. Specify the pipeline with the following settings:
 
 | Setting | Value                                              |
 | ------- | -------------------------------------------------- |
@@ -142,7 +142,7 @@ Save the Pipeline, to see the Save option select the chevron next to the Run but
 
 ## Deployment removal pipeline
 
-Create the deployment removal pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipeline YAML File. Specify the pipeline with the following settings:
+Create the deployment removal pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipelines YAML File. Specify the pipeline with the following settings:
 
 | Setting | Value                                        |
 | ------- | -------------------------------------------- |
@@ -154,7 +154,7 @@ Save the Pipeline, to see the Save option select the chevron next to the Run but
 
 ## Deployment removal pipeline using Azure Resource Manager
 
-Create the deployment removal ARM pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipeline YAML File. Specify the pipeline with the following settings:
+Create the deployment removal ARM pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipelines YAML File. Specify the pipeline with the following settings:
 
 | Setting | Value                                           |
 | ------- | ----------------------------------------------- |
@@ -169,7 +169,7 @@ Save the Pipeline, to see the Save option select the chevron next to the Run but
 
 ## Repository updater pipeline
 
-Create the Repository updater pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipeline YAML File. Specify the pipeline with the following settings:
+Create the Repository updater pipeline by choosing _New Pipeline_ from the Pipelines section, select 'Azure Repos Git' as the source for your code. Configure your Pipeline to use an existing Azure Pipelines YAML File. Specify the pipeline with the following settings:
 
 | Setting | Value                                           |
 | ------- | ----------------------------------------------- |

includes/iot-central-limits.md

@@ -6,4 +6,4 @@ ms.topic: include
 ms.date: 11/21/2019
 ---
 
-IoT Central limits the number of applications you can deploy in a subscription to 10. If you need to increase this limit, contact [Microsoft support](https://azure.microsoft.com/support/options/).
+IoT Central limits the number of applications you can deploy in a subscription to 100. If you need to increase this limit, contact [Microsoft support](https://azure.microsoft.com/support/options/).