Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into pe-ddos-cli

Author: asudbring

articles/active-directory/manage-apps/assign-app-owners.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: app-mgmt
 ms.topic: how-to
-ms.date: 12/02/2021
+ms.date: 12/05/2022
 ms.author: saibandaru
 #Customer intent: As an Azure AD administrator, I want to assign owners to enterprise applications.
 

articles/active-directory/manage-apps/overview-assign-app-owners.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: app-mgmt
 ms.topic: conceptual
-ms.date: 02/11/2022
+ms.date: 12/05/2022
 ms.author: saibandaru
 
 #Customer intent: As an Azure AD administrator, I want to learn about enterprise application ownership.
@@ -32,7 +32,11 @@ If you have an ownerless application in your tenant, you can access the audit lo
 
 You may also see other users who have scoped permissions on the application by navigating to “Roles and Administrators” tab. Once you find the right person to own the application, a user with a highly privileged administrative role in the organization can assign the new owner for the application. See [Assign enterprise application owners](assign-app-owners.md).
 
-As a best practice, we recommend proactive monitoring applications in your environment to ensure there are at least two owners, where possible, to avoid the situation of ownerless apps. Additionally, you should utilize the serviceManagementReference property on the application object to reference the team contact information from your enterprise Service or Asset Management Database. The serviceManagementReference property ensures you have team contact even if an individual leaves the organization. 
+As a best practice, we recommend proactive monitoring applications in your environment to ensure there are at least two owners, where possible, to avoid the situation of ownerless apps. Additionally, you should utilize the serviceManagementReference property on the application object to reference the team contact information from your enterprise Service or Asset Management Database. The serviceManagementReference property ensures you have team contact even if an individual leaves the organization.
+
+**How can I find enterprise applications that are ownerless or at risk of being ownerless in my organization?**
+
+To learn how to identify ownerless enterprise apps or those with only one owner using Microsoft Graph API, see [List ownerless applications](/graph/tutorial-applications-basics.md#manage-application-ownership).
 
 **How do you add yourself as an owner of an enterprise application?**
 

articles/aks/azure-ad-rbac.md

@@ -4,7 +4,7 @@ titleSuffix: Azure Kubernetes Service
 description: Learn how to use Azure Active Directory group membership to restrict access to cluster resources using Kubernetes role-based access control (Kubernetes RBAC) in Azure Kubernetes Service (AKS)
 services: container-service
 ms.topic: article
-ms.date: 03/17/2021
+ms.date: 12/07/2022
 
 ---
 
@@ -18,7 +18,34 @@ This article shows you how to control access using Kubernetes RBAC in an AKS clu
 
 This article assumes that you have an existing AKS cluster enabled with Azure AD integration. If you need an AKS cluster, see [Integrate Azure Active Directory with AKS][azure-ad-aks-cli].
 
-You need the Azure CLI version 2.0.61 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
+Kubernetes RBAC is enabled by default during AKS cluster creation. If Kubernetes RBAC wasn't enabled when you originally deployed your cluster, you'll need to delete and recreate your cluster.
+
+Consider the following basic requirements before continuing:
+
+- The Azure CLI version 2.0.61 or later is installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
+- If using Terraform, install [Terraform][terraform-on-azure] version 2.99.0 or later.
+
+To verify if Kubernetes RBAC is enabled, you can check from Azure portal or Azure CLI.
+
+#### [Azure portal](#tab/portal)
+
+From your browser, sign in to the [Azure portal](https://portal.azure.com).
+
+Navigate to Kubernetes services, and from the left-hand pane select **Cluster configuration**. On the page, under the section **Authentication and Authorization**, verify the option **Local accounts with Kubernetes RBAC** is shown.
+
+:::image type="content" source="./media/azure-ad-rbac/rbac-portal.png" alt-text="Example of Authentication and Authorization page in Azure portal." lightbox="./media/azure-ad-rbac/rbac-portal.png":::
+
+#### [Azure CLI](#tab/azure-cli)
+
+To verify RBAC is enabled, you can use the `az aks show` command.
+
+```azuecli
+az aks show --resource-group myResourceGroup --name myAKSCluster` 
+```
+
+The output will show that the value for `enableRbac` is `true`.
+
+---
 
 ## Create demo groups in Azure AD
 
@@ -280,7 +307,7 @@ kubectl apply -f rolebinding-sre-namespace.yaml
 
 Now, let's test the expected permissions work when you create and manage resources in an AKS cluster. In these examples, you schedule and view pods in the user's assigned namespace. Then, you try to schedule and view pods outside of the assigned namespace.
 
-First, reset the *kubeconfig* context using the [az aks get-credentials][az-aks-get-credentials] command. In a previous section, you set the context using the cluster admin credentials. The admin user bypasses Azure AD sign in prompts. Without the `--admin` parameter, the user context is applied that requires all requests to be authenticated using Azure AD.
+First, reset the *kubeconfig* context using the [az aks get-credentials][az-aks-get-credentials] command. In a previous section, you set the context using the cluster admin credentials. The admin user bypasses Azure AD sign-in prompts. Without the `--admin` parameter, the user context is applied that requires all requests to be authenticated using Azure AD.
 
 ```azurecli-interactive
 az aks get-credentials --resource-group myResourceGroup --name myAKSCluster --overwrite-existing
@@ -292,7 +319,7 @@ Schedule a basic NGINX pod using the [kubectl run][kubectl-run] command in the *
 kubectl run nginx-dev --image=mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine --namespace dev
 ```
 
-As the sign in prompt, enter the credentials for your own `[email protected]` account created at the start of the article. Once you are successfully signed in, the account token is cached for future `kubectl` commands. The NGINX is successfully schedule, as shown in the following example output:
+As the sign-in prompt, enter the credentials for your own `[email protected]` account created at the start of the article. Once you are successfully signed in, the account token is cached for future `kubectl` commands. The NGINX is successfully schedule, as shown in the following example output:
 
 ```console
 $ kubectl run nginx-dev --image=mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine --namespace dev
@@ -435,3 +462,4 @@ For best practices on identity and resource control, see [Best practices for aut
 [az-ad-group-show]: /cli/azure/ad/group#az_ad_group_show
 [rbac-authorization]: concepts-identity.md#kubernetes-rbac
 [operator-best-practices-identity]: operator-best-practices-identity.md
+[terraform-on-azure]: /azure/developer/terraform/overview

articles/aks/media/azure-ad-rbac/rbac-portal.png

@@ -74,8 +74,20 @@ The output from this command should look similar to the following:
 {"env":[{"name":"INGESTION_URL","value":"https://my-azure-monitor-workspace.eastus2-1.metrics.ingest.monitor.azure.com/dataCollectionRules/dcr-00000000000000000/streams/Microsoft-PrometheusMetrics/api/v1/write?api-version=2021-11-01-preview"},{"name":"LISTENING_PORT","value":"8081"},{"name":"IDENTITY_TYPE","value":"userAssigned"},{"name":"AZURE_CLIENT_ID","value":"00000000-0000-0000-0000-00000000000"}],"image":"mcr.microsoft.com/azuremonitor/prometheus/promdev/prom-remotewrite:prom-remotewrite-20221012.2","imagePullPolicy":"Always","name":"prom-remotewrite","ports":[{"containerPort":8081,"name":"rw-port","protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"kube-api-access-vbr9d","readOnly":true}]}
 ```
 
+### Hitting your ingestion quota limit
+With remote write you will typically get started using the remote write endpoint shown on the Azure Monitor workspace overview page. Behind the scenes, this uses a system Data Collection Rule (DCR) and system Data Collection Endpoint (DCE). These resources have an ingestion limit covered in the [Azure Monitor service limits](../service-limits.md#prometheus-metrics) document. You may hit these limits if you setup remote write for several clusters all sending data into the same endpoint in the same Azure Monitor workspace. If this is the case you can create additional DCRs and DCEs and use them to spread out the ingestion loads across a few ingestion endpoints.
 
+The INGESTION-URL uses the following format: 
+https://<Metrics-Ingestion-URL>/dataCollectionRules/<DCR-Immutable-ID>/streams/Microsoft-PrometheusMetrics/api/v1/write?api-version=2021-11-01-preview 
 
+Metrics-Ingestion-URL: can be obtained by viewing DCE JSON body with API version 2021-09-01-preview or newer. 
+
+DCR-Immutable-ID: can be obtained by viewing DCR JSON body or running the following command in the Azure CLI: 
+
+```azureccli
+az monitor data-collection rule show --name "myCollectionRule" --resource-group "myResourceGroup" 
+```
+  
 ## Next steps
 
 - [Setup Grafana to use Managed Prometheus as a data source](prometheus-grafana.md).

articles/azure-monitor/essentials/prometheus-remote-write.md

@@ -0,0 +1,157 @@
+---
+title: SMART on FHIR - Azure API for FHIR
+description: This tutorial describes how to enable SMART on FHIR applications with the Azure API for FHIR.
+services: healthcare-apis
+ms.service: healthcare-apis
+ms.subservice: fhir
+ms.topic: tutorial
+ms.author: kesheth
+author: expekesheth
+ms.date: 12/06/2022
+---
+
+# SMART on FHIR overview
+
+Substitutable Medical Applications and Reusable Technologies ([SMART on FHIR](https://docs.smarthealthit.org/)) is a healthcare standard through which applications can access clinical information through a data store. It adds a security layer based on open standards including OAuth2 and OpenID Connect, to FHIR interfaces to enable integration with EHR systems. Using SMART on FHIR provides at least three important benefits:
+- Applications have a known method for obtaining authentication/authorization to a FHIR repository.
+- Users accessing a FHIR repository with SMART on FHIR are restricted to resources associated with the user, rather than having access to all data in the repository.
+- Users have the ability to grant applications access to a further limited set of their data by using SMART clinical scopes.
+
+Below tutorials describe steps to enable SMART on FHIR applications with FHIR Service.
+
+## Prerequisites
+
+- An instance of the FHIR service
+- .NET SDK 6.0
+- [Enable cross-origin resource sharing (CORS)](configure-cross-origin-resource-sharing.md)
+- [Register public client application in Azure AD](https://learn.microsoft.com/azure/healthcare-apis/azure-api-for-fhir/register-public-azure-ad-client-app)
+     - After registering the application, make note of the applicationId for client application.
+
+## SMART on FHIR using samples (preferred approach)
+As a prerequisite, ensure you have access to Azure Subscription of FHIR service, to create resources and add role assignments.
+
+### Step 1: Set up FHIR SMART user role 
+Follow the steps listed under section [Manage Users: Assign Users to Role](https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). Any user added to role - "FHIR SMART User" will be able to access the FHIR Service if their requests comply with the SMART on FHIR implementation Guide, such as request having access token, which includes a fhirUser claim and a clinical scopes claim.  The access granted to the users in this role will then be limited by the resources associated to their fhirUser compartment and the restrictions in the clinical scopes.
+
+### Step 2: FHIR server integration with samples 
+[Follow the steps](https://github.com/Azure-Samples/azure-health-data-services-samples/blob/main/samples/Patient%20and%20Population%20Services%20G10/docs/deployment.md) under Azure Health Data Service Samples OSS. This will enable integration of FHIR server with other Azure Services (such as APIM, Azure functions and more).
+
+This is our preferred approach, as it demonstrates to Health IT developers steps needed to comply with 21st Century Act Criterion §170.315(g)(10) Standardized API for patient and population services criterion.
+
+> [!NOTE]
+> These samples are open-source code, and you should review the information and licensing terms on GitHub before using it. They are not part of the Azure Health Data Service and are not supported by Microsoft Support. These samples can be used to demonstrate how Azure Health Data Services and other open-source tools can be used together to demonstrate ONC (g)(10) compliance, using Azure Active Directory as the identity provider workflow. 
+
+
+## SMART on FHIR proxy
+### Step 1: Set admin consent for your client application
+
+To use SMART on FHIR, you must first authenticate and authorize the app. The first time you use SMART on FHIR, you also must get administrative consent to let the app access your FHIR resources.
+
+If you don't have an ownership role in the app, contact the app owner and ask them to grant admin consent for you in the app. 
+
+If you do have administrative privileges, complete the following steps to grant admin consent to yourself directly. (You also can grant admin consent to yourself later when you're prompted in the app.) You can complete the same steps to add other users as owners, so they can view and edit this app registration.
+
+To add yourself or another user as owner of an app:
+
+1. In the Azure portal, go to Azure Active Directory.
+2. In the left menu, select **App Registration**.
+3. Search for the app registration you created, and then select it.
+4. In the left menu, under **Manage**, select **Owners**.
+5. Select **Add owners**, and then add yourself or the user you want to have admin consent.
+6. Select **Save**
+
+### Step 2: Enable the SMART on FHIR proxy
+
+SMART on FHIR requires that `Audience` has an identifier URI equal to the URI of the FHIR service. The standard configuration of the Azure API for FHIR uses an `Audience` value of `https://azurehealthcareapis.com`. However, you can also set a value matching the specific URL of your FHIR service (for example `https://MYFHIRAPI.azurehealthcareapis.com`). This is required when working with the SMART on FHIR proxy.
+
+To enable the SMART on FHIR proxy in the **Authentication** settings for your Azure API for FHIR instance, select the **SMART on FHIR proxy** check box:
+
+![Screenshot shows enabling the SMART on FHIR proxy.](media/tutorial-smart-on-fhir/enable-smart-on-fhir-proxy.png)
+
+The SMART on FHIR proxy acts as an intermediary between the SMART on FHIR app and Azure AD. The authentication reply (the authentication code) must go to the SMART on FHIR proxy instead of the app itself. The proxy then forwards the reply to the app. 
+
+Because of this two-step relay of the authentication code, you need to set the reply URL (callback) for your Azure AD client application to a URL that is a combination of the reply URL for the SMART on FHIR proxy and the reply URL for the SMART on FHIR app. The combined reply URL takes this form:
+
+```http
+https://MYFHIRAPI.azurehealthcareapis.com/AadSmartOnFhirProxy/callback/aHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMS9zYW1wbGVhcHAvaW5kZXguaHRtbA
+```
+
+In that reply, `aHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMS9zYW1wbGVhcHAvaW5kZXguaHRtbA` is a URL-safe, base64-encoded version of the reply URL for the SMART on FHIR app. For the SMART on FHIR app launcher, when the app is running locally, the reply URL is `https://localhost:5001/sampleapp/index.html`. 
+
+You can generate the combined reply URL by using a script like this:
+
+```PowerShell
+$replyUrl = "https://localhost:5001/sampleapp/index.html"
+$fhirServerUrl = "https://MYFHIRAPI.azurewebsites.net"
+$bytes = [System.Text.Encoding]::UTF8.GetBytes($ReplyUrl)
+$encodedText = [Convert]::ToBase64String($bytes)
+$encodedText = $encodedText.TrimEnd('=');
+$encodedText = $encodedText.Replace('/','_');
+$encodedText = $encodedText.Replace('+','-');
+
+$newReplyUrl = $FhirServerUrl.TrimEnd('/') + "/AadSmartOnFhirProxy/callback/" + $encodedText
+```
+
+Add the reply URL to the public client application that you created earlier for Azure AD:
+
+![Screenshot show how reply url can be configured for the public client.](media/tutorial-smart-on-fhir/configure-reply-url.png)
+
+### Step 3: Get a test patient
+
+To test the Azure API for FHIR and the SMART on FHIR proxy, you'll need to have at least one patient in the database. If you've not interacted with the API yet, and you don't have data in the database, see [Access the FHIR service using Postman](./../fhir/use-postman.md) to load a patient. Make a note of the ID of a specific patient.
+
+### Step 4: Download the SMART on FHIR app launcher
+
+The open-source [FHIR Server for Azure repository](https://github.com/Microsoft/fhir-server) includes a simple SMART on FHIR app launcher and a sample SMART on FHIR app. In this tutorial, use this SMART on FHIR launcher locally to test the setup.
+
+You can clone the GitHub repository and go to the application by using these commands:
+
+```PowerShell
+git clone https://github.com/Microsoft/fhir-server
+cd fhir-server/samples/apps/SmartLauncher
+```
+
+The application needs a few configuration settings, which you can set in `appsettings.json`:
+
+```json
+{
+    "FhirServerUrl": "https://MYFHIRAPI.azurehealthcareapis.com",
+    "ClientId": "APP-ID",
+    "DefaultSmartAppUrl": "/sampleapp/launch.html"
+}
+```
+
+We recommend that you use the `dotnet user-secrets` feature:
+
+```PowerShell
+dotnet user-secrets set FhirServerUrl https://MYFHIRAPI.azurehealthcareapis.com
+dotnet user-secrets set ClientId <APP-ID>
+```
+
+Use this command to run the application:
+
+```PowerShell
+dotnet run
+```
+
+### Step 5: Test the SMART on FHIR proxy
+
+After you start the SMART on FHIR app launcher, you can point your browser to `https://localhost:5001`, where you should see the following screen:
+
+![Screenshot of SMART on FHIR app launcher.](media/tutorial-smart-on-fhir/smart-on-fhir-app-launcher.png)
+
+When you enter **Patient**, **Encounter**, or **Practitioner** information, you'll notice that the **Launch context** is updated. When you're using the Azure API for FHIR, the launch context is simply a JSON document that contains information about patient, practitioner, and more. This launch context is base64 encoded and passed to the SMART on FHIR app as the `launch` query parameter. According to the SMART on FHIR specification, this variable is opaque to the SMART on FHIR app and passed on to the identity provider. 
+
+The SMART on FHIR proxy uses this information to populate fields in the token response. The SMART on FHIR app *can* use these fields to control which patient it requests data for and how it renders the application on the screen. The SMART on FHIR proxy supports the following fields:
+
+* `patient`
+* `encounter`
+* `practitioner`
+* `need_patient_banner`
+* `smart_style_url`
+
+These fields are meant to provide guidance to the app, but they don't convey any security information. A SMART on FHIR application can ignore them.
+
+Notice that the SMART on FHIR app launcher updates the **Launch URL** information at the bottom of the page. Select **Launch** to start the sample app.
+
+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

articles/healthcare-apis/azure-api-for-fhir/smart-on-fhir.md

@@ -40,7 +40,7 @@ items:
     - name: 4. Write web application
       href: tutorial-web-app-write-web-app.md
   - name: SMART on FHIR 
-    href: use-smart-on-fhir-proxy.md
+    href: smart-on-fhir.md
   - name: Interoperability and Patient Access
     expanded: false
     items: