Merge pull request #184441 from MicrosoftDocs/master

1/07 AM Publish

Author: huypub

articles/active-directory/develop/supported-accounts-validation.md

@@ -36,7 +36,7 @@ See the following table for the validation differences of various properties for
 | Certificates (`keyCredentials`)                              | Symmetric signing key                                                                                                                                                                                                                               | Symmetric signing key                                                                                                                                                                                                                          | Encryption and asymmetric signing key                                                                                                                                                                              |
 | Client secrets (`passwordCredentials`)                       | No limit\*                                                                                                                                                                                                                                          | No limit\*                                                                                                                                                                                                                                     | If liveSDK is enabled: Maximum of two client secrets                                                                                                                                                               |
 | Redirect URIs (`replyURLs`)                                  | See [Redirect URI/reply URL restrictions and limitations](reply-url.md) for more info.                                                                                                                                                              |                                                                                                                                                                                                                                                |                                                                                                                                                                                                                    |
-| API permissions (`requiredResourceAccess`)                   | No limit\*                                                                                                                                                                                                                                          | No limit\*                                                                                                                                                                                                                                     | Maximum of 50 resources per application and 30 permissions per resource (for example, Microsoft Graph). Total limit of 200 per application (resources x permissions).                                              |
+| API permissions (`requiredResourceAccess`)                   | No more than 50 APIs (resource apps) from the same tenant as the application, no more than 10 APIs from other tenants, and no more than 400 permissions total across all APIs.                                                                      | No more than 50 APIs (resource apps) from the same tenant as the application, no more than 10 APIs from other tenants, and no more than 400 permissions total across all APIs.                                                                 | Maximum of 50 resources per application and 30 permissions per resource (for example, Microsoft Graph). Total limit of 200 per application (resources x permissions).                                              |
 | Scopes defined by this API (`oauth2Permissions`)             | Maximum scope name length of 120 characters <br><br> No limit\* on the number of scopes defined                                                                                                                                                     | Maximum scope name length of 120 characters <br><br> No limit\* on the number of scopes defined                                                                                                                                                | Maximum scope name length of 40 characters <br><br> Maximum of 100 scopes defined                                                                                                                                  |
 | Authorized client applications (`preAuthorizedApplications`) | No limit\*                                                                                                                                                                                                                                          | No limit\*                                                                                                                                                                                                                                     | Total maximum of 500 <br><br> Maximum of 100 client apps defined <br><br> Maximum of 30 scopes defined per client                                                                                                  |
 | appRoles                                                     | Supported <br> No limit\*                                                                                                                                                                                                                           | Supported <br> No limit\*                                                                                                                                                                                                                      | Not supported                                                                                                                                                                                                      |

articles/active-directory/manage-apps/f5-aad-integration.md

@@ -127,6 +127,9 @@ Integrating F5 BIG-IP with Azure AD for SHA have the following pre-requisites:
 
 No previous experience or F5 BIG-IP knowledge is necessary to implement SHA, but we do recommend familiarizing yourself with F5 BIG-IP terminology. F5’s rich [knowledge base](https://www.f5.com/services/resources/glossary) is also a good place to start building BIG-IP knowledge.
 
+## Deployment scenarios
+
+
 Configuring a BIG-IP for SHA is achieved using any of the many available methods, including several template based options, or a manual configuration.
 The following tutorials provide detailed guidance on implementing some of the more common patterns for BIG-IP and Azure AD SHA, using these methods.  
 

articles/active-directory/manage-apps/f5-big-ip-kerberos-advanced.md

@@ -15,7 +15,7 @@ ms.collection: M365-identity-device-management
 
 # Tutorial: Configure F5 BIG-IP Access Policy Manager for Kerberos authentication
 
-In this article, you'll learn how to implement Secure Hybrid Access (SHA) with single sign-on (SSO) to Kerberos applications by using F5's BIG-IP advanced configuration. 
+In this tutorial, you'll learn to implement Secure Hybrid Access (SHA) with single sign-on (SSO) to Kerberos applications by using F5's BIG-IP advanced configuration. 
 
 Integrating a BIG-IP with Azure Active Directory (Azure AD) provides many benefits, including:
 

articles/active-directory/manage-apps/f5-big-ip-kerberos-easy-button.md

@@ -15,7 +15,7 @@ ms.collection: M365-identity-device-management
 
 # Tutorial: Configure F5 BIG-IP Easy Button for Kerberos SSO
 
-In this tutorial, you’ll implement Secure Hybrid Access (SHA) with Single Sign-on (SSO) to Kerberos applications using F5’s BIG-IP Easy Button guided configuration.
+In this tutorial, you'll learn to implement Secure Hybrid Access (SHA) with Single Sign-on (SSO) to Kerberos applications using F5’s BIG-IP Easy Button guided configuration.
 
 Integrating a BIG-IP with Azure Active Directory (Azure AD) provides many benefits, including:
 

articles/active-directory/manage-apps/f5-big-ip-ldap-header-easybutton.md

@@ -15,7 +15,7 @@ ms.collection: M365-identity-device-management
 
 # Tutorial: Configure F5 BIG-IP Easy Button for Header-based and LDAP SSO
 
-In this tutorial, you’ll implement Secure Hybrid Access (SHA) with Single Sign-on (SSO) to header-based applications that also require session augmentation through Lightweight Directory Access Protocol (LDAP) sourced attributes using F5’s BIG-IP Easy Button guided configuration.
+In this tutorial, you'll learn to implement Secure Hybrid Access (SHA) with Single Sign-on (SSO) to header-based applications that also require session augmentation through Lightweight Directory Access Protocol (LDAP) sourced attributes using F5’s BIG-IP Easy Button guided configuration.
 
 Configuring BIG-IP published applications with Azure AD provides many benefits, including:
 

articles/active-directory/manage-apps/toc.yml

@@ -182,8 +182,8 @@
               href: f5-aad-password-less-vpn.md  
             - name: B2C
               href: https://docs.microsoft.com/azure/active-directory-b2c/partner-f5
-      - name: Silverfort
-        href: silverfort-azure-ad-integration.md
+    - name: Silverfort
+      href: silverfort-azure-ad-integration.md
     - name: Single sign-on
       items:
       - name: Linked

articles/active-directory/roles/groups-concept.md

@@ -50,7 +50,7 @@ Role-assignable groups are designed to help prevent potential breaches by having
 - Only Global Administrators and Privileged Role Administrators can create a role-assignable group.
 - The membership type for role-assignable groups must be Assigned and can't be an Azure AD dynamic group. Automated population of dynamic groups could lead to an unwanted account being added to the group and thus assigned to the role.
 - By default, only Global Administrators and Privileged Role Administrators can manage the membership of a role-assignable group, but you can delegate the management of role-assignable groups by adding group owners.
-- RoleManagement.ReadWrite.All Microsoft Graph permission is required to be able to manage the membership of such groups; Group.ReadWrite.All won't work.
+- RoleManagement.ReadWrite.Directory Microsoft Graph permission is required to be able to manage the membership of such groups; Group.ReadWrite.All won't work.
 - To prevent elevation of privilege, only a Privileged Authentication Administrator or a Global Administrator can change the credentials or reset MFA for members and owners of a role-assignable group.
 - Group nesting is not supported. A group can't be added as a member of a role-assignable group.
 

articles/active-directory/saas-apps/workplace-by-facebook-provisioning-tutorial.md

@@ -94,6 +94,9 @@ This section guides you through the steps to configure the Azure AD provisioning
 
  	![authorize](./media/workplace-by-facebook-provisioning-tutorial/workplace-login.png)
 
+> [!NOTE]
+> Failure to change the URL to https://scim.workplace.com/ will result in a failure when trying to save the configuration 
+
 6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
 
 	![Notification Email](common/provisioning-notification-email.png)
@@ -172,7 +175,8 @@ In December 2021, Facebook released a SCIM 2.0 connector. Completing the steps b
 * Scoping filters
 * Custom attribute mappings
 
-Be sure to note any changes that have been made to the settings listed above before completing the steps below. Failure to do so will result in the loss of customized settings. 
+> [!NOTE]
+> Be sure to note any changes that have been made to the settings listed above before completing the steps below. Failure to do so will result in the loss of customized settings. 
 
 1. Sign into the Azure portal at https://portal.azure.com 
 2. Navigate to your current Workplace by Facebook app under Azure Active Directory > Enterprise Applications
@@ -214,6 +218,9 @@ POST https://graph.microsoft.com/beta/servicePrincipals/[object-id]/synchronizat
 
 11. Restore any previous changes you made to the application (Authentication details, Scoping filters, Custom attribute mappings) and re-enable provisioning. 
 
+> [!NOTE] 
+> Failure to restore the previous settings may results in attributes (name.formatted for example) updating in Workplace unexpectedly. Be sure to check the configuration before enabling  provisioning 
+
 ## Change log
 
 * 09/10/2020 - Added support for enterprise attributes "division", "organization", "costCenter" and "employeeNumber". Added support for custom attributes "startDate", "auth_method" and "frontline"

articles/aks/TOC.yml

@@ -293,6 +293,8 @@
           items:
             - name: Use kubenet
               href: configure-kubenet.md
+            - name: Use kubenet with dual-stack networking
+              href: configure-kubenet-dual-stack.md
             - name: Use Azure-CNI
               href: configure-azure-cni.md
         - name: Create an internal load balancer