Merge branch 'main' into release-ga-apim-graphql-resolvers

Author: v-alje

.openpublishing.redirection.azure-monitor.json

@@ -1,6 +1,11 @@
 {
     "redirections": [
-         {
+        {
+            "source_path_from_root": "/articles/azure-monitor/snapshot-debugger/snapshot-collector-release-notes.md",
+            "redirect_url": "/azure/azure-monitor/snapshot-debugger/snapshot-debugger#release-notes-for-microsoftapplicationinsightssnapshotcollector",
+            "redirect_document_id": false
+        },
+        {
             "source_path_from_root": "/articles/azure-monitor/best-practices.md",
             "redirect_url": "/azure/azure-monitor/getting-started",
             "redirect_document_id": false

articles/active-directory/authentication/concept-authentication-phone-options.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 01/29/2023
+ms.date: 04/17/2023
 
 ms.author: justinha
 author: justinha
@@ -44,7 +44,11 @@ Microsoft doesn't guarantee consistent SMS or voice-based Azure AD Multi-Factor
 
 ### Text message verification
 
-With text message verification during SSPR or Azure AD Multi-Factor Authentication, an SMS is sent to the mobile phone number containing a verification code. To complete the sign-in process, the verification code provided is entered into the sign-in interface.
+With text message verification during SSPR or Azure AD Multi-Factor Authentication, a Short Message Service (SMS) text is sent to the mobile phone number containing a verification code. To complete the sign-in process, the verification code provided is entered into the sign-in interface. 
+
+Android users can enable Rich Communication Services (RCS) on their devices. RCS offers encryption and other improvements over SMS. For Android, MFA text messages may be sent over RCS rather than SMS. The MFA text message is similar to SMS, but RCS messages have more Microsoft branding and a verified checkmark so users know they can trust the message.
+
+:::image type="content" source="media/concept-authentication-methods/brand.png" alt-text="Screenshot of Microsoft branding in RCS messages.":::
 
 ### Phone call verification
 

articles/active-directory/authentication/media/concept-authentication-methods/brand.png

@@ -26,7 +26,7 @@ See [How the sample works](#how-the-sample-works) for an illustration.
 ## Prerequisites
 
 * An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-* [Visual Studio 2019](https://visualstudio.microsoft.com/vs/)
+* [Visual Studio 2022](https://visualstudio.microsoft.com/vs/)
 * [.NET Framework 4.7.2+](https://dotnet.microsoft.com/download/visual-studio-sdks)
 
 ## Register and download the app
@@ -71,11 +71,11 @@ If you want to manually configure your application and code sample, use the foll
 3. Depending on the version of Visual Studio, you might need to right-click the project **AppModelv2-WebApp-OpenIDConnect-DotNet** and then select **Restore NuGet packages**.
 4. Open the Package Manager Console by selecting **View** > **Other Windows** > **Package Manager Console**. Then run `Update-Package Microsoft.CodeDom.Providers.DotNetCompilerPlatform -r`.
 
-5. Edit *Web.config* and replace the parameters `ClientId`, `Tenant`, and `redirectUri` with:
-   ```xml
-   <add key="ClientId" value="Enter_the_Application_Id_here" />
-   <add key="Tenant" value="Enter_the_Tenant_Info_Here" />
-   <add key="redirectUri" value="https://localhost:44368/" />
+5. Edit *appsettings.json* and replace the parameters `ClientId`, `Tenant`, and `redirectUri` with:
+   ```json
+   "ClientId" :"Enter_the_Application_Id_here" />
+   "TenantId": "Enter_the_Tenant_Info_Here" />
+   "RedirectUri" :"https://localhost:44368/" />
    ```
    In that code:
 
@@ -100,48 +100,30 @@ This section gives an overview of the code required to sign in users. This overv
 You can set up the authentication pipeline with cookie-based authentication by using OpenID Connect in ASP.NET with OWIN middleware packages. You can install these packages by running the following commands in Package Manager Console within Visual Studio:
 
 ```powershell
-Install-Package Microsoft.Owin.Security.OpenIdConnect
+Install-Package Microsoft.Identity.Web.Owin
+Install-Package Microsoft.Identity.Web.MicrosoftGraph
 Install-Package Microsoft.Owin.Security.Cookies
-Install-Package Microsoft.Owin.Host.SystemWeb
 ```
 
 ### OWIN startup class
 
 The OWIN middleware uses a *startup class* that runs when the hosting process starts. In this quickstart, the *startup.cs* file is in the root folder. The following code shows the parameters that this quickstart uses:
 
 ```csharp
-public void Configuration(IAppBuilder app)
-{
-    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
-
-    app.UseCookieAuthentication(new CookieAuthenticationOptions());
-    app.UseOpenIdConnectAuthentication(
-        new OpenIdConnectAuthenticationOptions
-        {
-            // Sets the client ID, authority, and redirect URI as obtained from Web.config
-            ClientId = clientId,
-            Authority = authority,
-            RedirectUri = redirectUri,
-            // PostLogoutRedirectUri is the page that users will be redirected to after sign-out. In this case, it's using the home page
-            PostLogoutRedirectUri = redirectUri,
-            Scope = OpenIdConnectScope.OpenIdProfile,
-            // ResponseType is set to request the code id_token, which contains basic information about the signed-in user
-            ResponseType = OpenIdConnectResponseType.CodeIdToken,
-            // ValidateIssuer set to false to allow personal and work accounts from any organization to sign in to your application
-            // To only allow users from a single organization, set ValidateIssuer to true and the 'tenant' setting in Web.config to the tenant name
-            // To allow users from only a list of specific organizations, set ValidateIssuer to true and use the ValidIssuers parameter
-            TokenValidationParameters = new TokenValidationParameters()
-            {
-                ValidateIssuer = false // Simplification (see note below)
-            },
-            // OpenIdConnectAuthenticationNotifications configures OWIN to send notification of failed authentications to the OnAuthenticationFailed method
-            Notifications = new OpenIdConnectAuthenticationNotifications
-            {
-                AuthenticationFailed = OnAuthenticationFailed
-            }
-        }
-    );
-}
+    public void Configuration(IAppBuilder app)
+    {
+        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
+
+        app.UseCookieAuthentication(new CookieAuthenticationOptions());
+        OwinTokenAcquirerFactory factory = TokenAcquirerFactory.GetDefaultInstance<OwinTokenAcquirerFactory>();
+
+        app.AddMicrosoftIdentityWebApp(factory);
+        factory.Services
+            .Configure<ConfidentialClientApplicationOptions>(options => { options.RedirectUri = "https://localhost:44368/"; })
+            .AddMicrosoftGraph()
+            .AddInMemoryTokenCaches();
+        factory.Build();
+    }
 ```
 
 |Where  | Description |
@@ -155,10 +137,6 @@ public void Configuration(IAppBuilder app)
 | `TokenValidationParameters`     | A list of parameters for token validation. In this case, `ValidateIssuer` is set to `false` to indicate that it can accept sign-ins from any personal, work, or school account type. |
 | `Notifications`     | A list of delegates that can be run on `OpenIdConnect` messages. |
 
-
-> [!NOTE]
-> Setting `ValidateIssuer = false` is a simplification for this quickstart. In real applications, validate the issuer. See the samples to understand how to do that.
-
 ### Authentication challenge
 
 You can force a user to sign in by requesting an authentication challenge in your controller:
@@ -182,6 +160,24 @@ public void SignIn()
 
 You can protect a controller or controller actions by using the `[Authorize]` attribute. This attribute restricts access to the controller or actions by allowing only authenticated users to access the actions in the controller. An authentication challenge will then happen automatically when an unauthenticated user tries to access one of the actions or controllers decorated by the `[Authorize]` attribute.
 
+### Call Microsoft Graph from the controller
+
+You can call Microsoft Graph from the controller by getting the instance of GraphServiceClient using the `GetGraphServiceClient` extension method on the controller, like in the following code:
+
+```csharp
+    try
+    { 
+        var me = await this.GetGraphServiceClient().Me.Request().GetAsync();
+        ViewBag.Username = me.DisplayName;
+    }
+    catch (ServiceException graphEx) when (graphEx.InnerException is MicrosoftIdentityWebChallengeUserException)
+    {
+        HttpContext.GetOwinContext().Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);
+        return View();
+    }
+```
+
+
 [!INCLUDE [Help and support](../../../../../includes/active-directory-develop-help-support-include.md)]
 
 ## Next steps

articles/active-directory/develop/includes/web-app/quickstart-aspnet.md

@@ -522,6 +522,28 @@ $smssignin = Get-MgUserAuthenticationPhoneMethod -UserId $userId
 ##### End the script
 ```
 
+#### Symptom - Users fail to provision with error "AzureActiveDirectoryForbidden"
+
+Users in scope fail to provision. The provisioning logs details include the following error message:
+
+```
+The provisioning service was forbidden from performing an operation on Azure Active Directory, which is unusual. 
+A simultaneous change to the target object may have occurred, in which case, the operation might succeed when it is retried.
+Alternatively, the target of the operation, or one of its properties, may be mastered on-premises, in which case, 
+the provisioning service is not permitted to update it, and the corresponding source entry should be removed from the provisioning service's scope.
+Otherwise, authorizations may have been customized in such a way as to prevent the provisioning service from modifying the target object or one of its properties; 
+if so, then, again, the corresponding source entry should be removed from scope. 
+This operation was retried 0 times. 
+```
+
+**Cause**
+
+This error indicates the Guest invite settings in the target tenant are configured with the most restrictive setting: "No one in the organization can invite guest users including admins (most restrictive)".
+
+**Solution**
+
+Change the Guest invite settings in the target tenant to a less restrictive setting. For more information, see [Configure external collaboration settings](../external-identities/external-collaboration-settings-configure.md).
+
 ## Next steps
 
 - [Tutorial: Reporting on automatic user account provisioning](../app-provisioning/check-status-user-account-provisioning.md)

articles/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure.md

@@ -68,15 +68,13 @@ Follow the steps below to send logs from Azure Active Directory to Azure Monitor
     * `ADFSSignInLogs` Active Directory Federation Services (ADFS)
     * `RiskyUsers`
     * `UserRiskEvents`
-    
+	* `RiskyServicePrincipals`
+	* `ServicePrincipalRiskEvents`
 
-    The following logs are in preview but still visible in Azure AD. At this time, selecting these options will not add new logs to your workspace unless your organization was included in the preview.
-
-    * `AADServicePrincipalRiskEvents`
+1.  The following logs are in preview but still visible in Azure AD. At this time, selecting these options will not add new logs to your workspace unless your organization was included in the preview.
     * `EnrichedOffice365AuditLogs`
     * `MicrosoftGraphActivityLogs`
     * `NetworkAccessTrafficLogs`
-    * `RiskyServicePrincipals`
 
 1. Select the **Destination details** for where you'd like to send the logs. Choose any or all of the following destinations. Additional fields appear, depending on your selection.
 
@@ -96,3 +94,5 @@ If you do not see logs appearing in the selected destination after 15 minutes, s
 * [Analyze Azure AD activity logs with Azure Monitor logs](howto-analyze-activity-logs-log-analytics.md)
 * [Learn about the data sources you can analyze with Azure Monitor](../../azure-monitor/data-sources.md)
 * [Automate creating diagnostic settings with Azure Policy](../../azure-monitor/essentials/diagnostic-settings-policy.md)
+
+

articles/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md

@@ -130,30 +130,30 @@ Once the persistent volume claim has been created and the disk successfully prov
 
 1. Create a file named `azure-pvc-disk.yaml`, and copy in the following manifest: 
 
-      ```yaml
-      kind: Pod
-      apiVersion: v1
-      metadata:
-        name: mypod
-      spec:
-        containers:
-       - name: mypod
+    ```yaml
+    kind: Pod
+    apiVersion: v1
+    metadata:
+      name: mypod
+    spec:
+      containers:
+        - name: mypod
           image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine
           resources:
             requests:
-               cpu: 100m
-               memory: 128Mi
+              cpu: 100m
+              memory: 128Mi
             limits:
               cpu: 250m
               memory: 256Mi
           volumeMounts:
-         - mountPath: "/mnt/azure"
-            name: volume
-        volumes:
-         - name: volume
-            persistentVolumeClaim:
-              claimName: azure-managed-disk
-       ```
+            - mountPath: "/mnt/azure"
+              name: volume
+      volumes:
+        - name: volume
+          persistentVolumeClaim:
+            claimName: azure-managed-disk
+    ```
 
 2. Create the pod with the [kubectl apply][kubectl-apply] command, as shown in the following example:
 

articles/aks/azure-csi-disk-storage-provision.md

@@ -47,6 +47,8 @@ At its core, App Service is a service running on top of the Azure PaaS (platform
 - An operating system drive (`%SystemDrive%`), whose size varies depending on the size of the VM.
 - A resource drive (`%ResourceDrive%`) used by App Service internally.
 
+A best practice is to always use the environment variables `%SystemDrive%` and `%ResourceDrive%` instead of hard-coded file paths.  The root path returned from these two environment variables has shifted over time from `d:\` to `c:\`.  However, older applications hard-coded with file path references to `d:\` will continue to work because the App Service platform automatically remaps `d:\` to instead point at `c:\`.  As noted above, it is highly recommended to always use the environment variables when building file paths and avoid confusion over platform changes to the default root file path.
+
 It is important to monitor your disk utilization as your application grows. If the disk quota is reached, it can have adverse effects to your application. For example: 
 
 - The app may throw an error indicating not enough space on the disk.

articles/app-service/operating-system-functionality.md

@@ -33,7 +33,7 @@ Service account owners can manage consent requests and private endpoints through
 
 ### Private endpoints for App Configuration 
 
-When creating a private endpoint, you must specify the App Configuration store to which it connects. If you have multiple App Configuration stores, you need a separate private endpoint for each store.
+When creating a private endpoint, you must specify the App Configuration store to which it connects. If you enable the geo-replication for an App Configuration store, you can connect to all replicas of the store using the same private endpoint. If you have multiple App Configuration stores, you need a separate private endpoint for each store.
 
 ### Connecting to private endpoints
 
@@ -55,7 +55,7 @@ When you create a private endpoint, the DNS CNAME resource record for the config
 
 When you resolve the endpoint URL from within the VNet hosting the private endpoint, it resolves to the private endpoint of the store. When resolved from outside the VNet, the endpoint URL resolves to the public endpoint. When you create a private endpoint, the public endpoint is disabled.
 
-If you are using a custom DNS server on your network, clients must be able to resolve the fully qualified domain name (FQDN) for the service endpoint to the private endpoint IP address. Configure your DNS server to delegate your private link subdomain to the private DNS zone for the VNet, or configure the A records for `[Your-store-name].privatelink.azconfig.io` with the private endpoint IP address.
+If you are using a custom DNS server on your network, clients must be able to resolve the fully qualified domain name (FQDN) for the service endpoint to the private endpoint IP address. Configure your DNS server to delegate your private link subdomain to the private DNS zone for the VNet, or configure the A records for `[Your-store-name].privatelink.azconfig.io` (or `[Your-store-name]-[replica-name].privatelink.azconfig.io` for a replica if the geo-replication is enabled) with the private endpoint IP address.
 
 > [!TIP]
 > When using a custom or on-premises DNS server, you should configure your DNS server to resolve the store name in the `privatelink` subdomain to the private endpoint IP address. You can do this by delegating the `privatelink` subdomain to the private DNS zone of the VNet, or configuring the DNS zone on your DNS server and adding the DNS A records.