Commit 56c7868

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into fixMainLink
2 parents 63a2b23 + b87994b commit 56c7868

173 files changed

+1534
-778
lines changed

articles/active-directory-b2c/best-practices.md

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -3,13 +3,13 @@ title: Best practices for Azure AD B2C
33
titleSuffix: Azure AD B2C
44
description: Recommendations and best practices to consider when working with Azure Active Directory B2C (Azure AD B2C).
55
services: active-directory-b2c
6-
author: vigunase
7-
ms.author: vigunase
6+
author: kengaderdus
7+
ms.author: kengaderdus
88
manager: CelesteDG
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: conceptual
12-
ms.date: 12/01/2022
12+
ms.date: 12/29/2022
1313
ms.subservice: B2C
1414
---
1515

@@ -75,6 +75,7 @@ Manage your Azure AD B2C environment.
7575
| Use version control for your custom policies | Consider using GitHub, Azure Repos, or another cloud-based version control system for your Azure AD B2C custom policies. |
7676
| Use the Microsoft Graph API to automate the management of your B2C tenants | Microsoft Graph APIs:<br/>Manage [Identity Experience Framework](/graph/api/resources/trustframeworkpolicy?preserve-view=true&view=graph-rest-beta) (custom policies)<br/>[Keys](/graph/api/resources/trustframeworkkeyset?preserve-view=true&view=graph-rest-beta)<br/>[User Flows](/graph/api/resources/identityuserflow?preserve-view=true&view=graph-rest-beta) |
7777
| Integrate with Azure DevOps | A [CI/CD pipeline](deploy-custom-policies-devops.md) makes moving code between different environments easy and ensures production readiness always. |
78+
| Custom policy deployment | Azure AD B2C relies on caching to deliver performance to your end users. When you deploy a custom policy using whatever method, expect a delay of up to **30 minutes** for your users to see the changes. As a result of this behavior, consider the following practices when you deploy your custom policies: <br> - If you're deploying to a development environment, set the `DeploymentMode` attribute to `Development` in your custom policy file's `<TrustFrameworkPolicy>` element. <br> - Deploy your updated policy files to a production environment when traffic in your app is low. <br> - When you deploy to a production environment to update existing policy files, upload the updated files with new name(s), and then update your app reference to the new name(s). You can then remove the old policy files afterwards.<br> - You can set the `DeploymentMode` to `Development` in a production environment to bypass the caching behavior. However, we don't recommend this practice. If you [Collect Azure AD B2C logs with Application Insights](troubleshoot-with-application-insights.md), all claims sent to and from identity providers are collected, which is a security and performance risk. |
7879
| Integrate with Azure Monitor | [Audit log events](view-audit-logs.md) are only retained for seven days. [Integrate with Azure Monitor](azure-monitor.md) to retain the logs for long-term use, or integrate with third-party security information and event management (SIEM) tools to gain insights into your environment. |
7980
| Setup active alerting and monitoring | [Track user behavior](./analytics-with-application-insights.md) in Azure AD B2C using Application Insights. |
8081
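Review bot: In the added `Custom policy deployment` row (new line 78), the last bullet gives the reason for not using `Development` in production only by implication: it warns that Application Insights collects all claims sent to and from identity providers, but never says that setting `DeploymentMode` to `Development` is what triggers that collection. State the link in one sentence so the security risk is attached to the setting, and consider moving that bullet next to the first one, which recommends the same setting for development environments. "using whatever method" would also read better as "regardless of the method you use".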

articles/active-directory/devices/concept-azure-ad-join.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@ Any organization can deploy Azure AD joined devices no matter the size or indust
2626
| | Applicable to all users in an organization |
2727
| **Device ownership** | Organization |
2828
| **Operating Systems** | All Windows 11 and Windows 10 devices except Home editions |
29-
| | [Windows Server 2019 Virtual Machines running in Azure](howto-vm-sign-in-azure-ad-windows.md) (Server core isn't supported) |
29+
| | [Windows Server 2019 and newer Virtual Machines running in Azure](howto-vm-sign-in-azure-ad-windows.md) (Server core isn't supported) |
3030
| **Provisioning** | Self-service: Windows Out of Box Experience (OOBE) or Settings |
3131
| | Bulk enrollment |
3232
| | Windows Autopilot |

articles/active-directory/devices/hybrid-azuread-join-manual.md

Lines changed: 0 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -96,30 +96,6 @@ The **$scp.Keywords** output shows the Azure AD tenant information. Here's an ex
9696
azureADId:72f988bf-86f1-41af-91ab-2d7cd011db47
9797
```
9898

99-
If the service connection point doesn't exist, you can create it by running the `Initialize-ADSyncDomainJoinedComputerSync` cmdlet on your Azure AD Connect server. Enterprise admin credentials are required to run this cmdlet.
100-
101-
The `Initialize-ADSyncDomainJoinedComputerSync` cmdlet:
102-
103-
* Creates the service connection point in the Active Directory forest that Azure AD Connect is connected to.
104-
* Requires you to specify the `AdConnectorAccount` parameter. This account is configured as the Active Directory connector account in Azure AD Connect.
105-
106-
107-
The following script shows an example for using the cmdlet. In this script, `$aadAdminCred = Get-Credential` requires you to type a user name. Provide the user name in the user principal name (UPN) format (`[email protected]`).
108-
109-
```PowerShell
110-
Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1";
111-
112-
$aadAdminCred = Get-Credential;
113-
114-
Initialize-ADSyncDomainJoinedComputerSync –AdConnectorAccount [connector account name] -AzureADCredentials $aadAdminCred;
115-
```
116-
117-
The `Initialize-ADSyncDomainJoinedComputerSync` cmdlet:
118-
119-
* Uses the Active Directory PowerShell module and Active Directory Domain Services (AD DS) tools. These tools rely on Active Directory Web Services running on a domain controller. Active Directory Web Services is supported on domain controllers running Windows Server 2008 R2 and later.
120-
* Is only supported by the MSOnline PowerShell module version 1.1.166.0. To download this module, use [this link](https://www.powershellgallery.com/packages/MSOnline/1.1.166.0).
121-
* If the AD DS tools aren't installed, `Initialize-ADSyncDomainJoinedComputerSync` will fail. You can install the AD DS tools through Server Manager under **Features** > **Remote Server Administration Tools** > **Role Administration Tools**.
122-
12399
### Set up issuance of claims
124100

125101
In a federated Azure AD configuration, devices rely on AD FS or an on-premises federation service from a Microsoft partner to authenticate to Azure AD. Devices authenticate to get an access token to register against the Azure Active Directory Device Registration Service (Azure DRS).
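Review bot: With old lines 99-122 removed, the visible text no longer covers the case where the service connection point doesn't exist: the section now runs from the `$scp.Keywords` example output straight into `### Set up issuance of claims`. Unless that case is handled above line 96, outside this hunk, replace the removed block with a sentence that tells the reader how to create the SCP now, or links to the article that does, rather than dropping the case. The removed text also carried the requirements (enterprise admin credentials, AD DS tools, the MSOnline 1.1.166.0 restriction), so the commit message or PR description should say why the cmdlet guidance is being withdrawn.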

articles/active-directory/reports-monitoring/concept-usage-insights-report.md

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ ms.service: active-directory
88
ms.topic: conceptual
99
ms.workload: identity
1010
ms.subservice: report-monitor
11-
ms.date: 11/23/2022
11+
ms.date: 01/10/2023
1212
ms.author: sarahlipsey
1313
ms.reviewer: besiler
1414
---
@@ -44,7 +44,9 @@ There are currently three reports available in Azure AD Usage & insights. All th
4444

4545
### Azure AD application activity (preview)
4646

47-
The **Azure AD application activity (preview)** report shows the list of applications with one or more sign-in attempts. Any application activity during the selected date range appears in the report. It's possible that activity for a deleted application may appear in the report, if the activity took place during the selected date range and before the application was deleted. The report allows you to sort by the number of successful sign-ins, failed sign-ins, and the success rate.
47+
The **Azure AD application activity (preview)** report shows the list of applications with one or more sign-in attempts. Any application activity during the selected date range appears in the report. The report allows you to sort by the number of successful sign-ins, failed sign-ins, and the success rate.
48+
49+
It's possible that activity for a deleted application may appear in the report if the activity took place during the selected date range and before the application was deleted. Other scenarios could include a user attempting to sign in to an application that doesn't have a service principal associated with the app. For these types of scenarios, you may need to review the audit logs or sign-in logs to investigate further.
4850

4951
Select the **View sign in activity** link for an application to view more details. The sign-in graph per application counts interactive user sign-ins. The details of any sign-in failures appears below the table.
5052
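Review bot: In the new paragraph at line 49, "Other scenarios" isn't tied to a stated problem now that the deleted-application sentence has been split from the first paragraph; open the paragraph by saying what these cases have in common, for example that the report can show activity for an application the reader can't find in the tenant. The closing sentence sends readers to "the audit logs or sign-in logs" without linking to either, so add the links to make the investigation step actionable.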

articles/aks/use-kms-etcd-encryption.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: Use Key Management Service (KMS) etcd encryption in Azure Kubernetes Serv
33
description: Learn how to use the Key Management Service (KMS) etcd encryption with Azure Kubernetes Service (AKS)
44
services: container-service
55
ms.topic: article
6-
ms.date: 12/17/2022
6+
ms.date: 01/09/2023
77
---
88

99
# Add Key Management Service (KMS) etcd encryption to an Azure Kubernetes Service (AKS) cluster
@@ -32,6 +32,7 @@ The following limitations apply when you integrate KMS etcd encryption with AKS:
3232

3333
* Deletion of the key, Key Vault, or the associated identity isn't supported.
3434
* KMS etcd encryption doesn't work with system-assigned managed identity. The key vault access policy is required to be set before the feature is enabled. In addition, system-assigned managed identity isn't available until cluster creation, thus there's a cycle dependency.
35+
* Azure Key Vault with Firewall enabled to allow public access isn't supported because it blocks traffic from KMS plugin to the Key Vault.
3536
* The maximum number of secrets that a cluster enabled with KMS supports is 2,000.
3637
* Bring your own (BYO) Azure Key Vault from another tenant isn't supported.
3738
* With KMS enabled, you can't change associated Azure Key Vault model (public, private). To [change associated key vault mode][changing-associated-key-vault-mode], you need to disable and enable KMS again.
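Review bot: The limitation added at new line 35 is ambiguous: "Azure Key Vault with Firewall enabled to allow public access" can be read as a vault whose firewall permits public access or as a public vault that has its firewall turned on. Name the unsupported configuration directly, and since the last bullet in this hunk already distinguishes the public and private key vault modes, say which supported mode a reader with a firewalled vault should use instead. "from KMS plugin" also needs an article ("from the KMS plugin").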
@@ -282,6 +283,8 @@ After changing the key ID (including key name and key version), you can use [az
282283

283284
> [!WARNING]
284285
> Remember to update all secrets after key rotation. Otherwise, the secrets will be inaccessible if the old keys are not existing or working.
286+
>
287+
> Once you rotate the key, the old key (key1) is still cached and shouldn't be deleted. If you want to delete the old key (key1) immediately, you need to rotate the key twice. Then key2 and key3 are cached, and key1 can be deleted without impacting existing cluster.
285288
286289
```azurecli-interactive
287290
az aks update --name myAKSCluster --resource-group MyResourceGroup --enable-azure-keyvault-kms --azure-keyvault-kms-key-id $NewKEY_ID --azure-keyvault-kms-key-vault-network-access "Private" --azure-keyvault-kms-key-vault-resource-id $KEYVAULT_RESOURCE_ID
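Review bot: The text added to the warning at new lines 286-287 uses key1, key2 and key3 without defining them, and it doesn't say how deleting key1 relates to the sentence directly above it, which warns that secrets become inaccessible if the old keys no longer exist. Define the three names (original key, key after the first rotation, key after the second) and state whether all secrets must be updated before key1 is deleted, so the two halves of the warning don't read as contradicting each other. The limitations list earlier in this file also says deletion of the key isn't supported; clarify that this refers to the key currently in use, if that is the intent.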

articles/automation/TOC.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,8 @@
4343
href: /powershell/dsc/overview
4444
- name: Automation network configuration details
4545
href: automation-network-configuration.md
46+
- name: Azure Automation extension for Visual Studio Code
47+
href: automation-runbook-authoring.md
4648
- name: Security
4749
items:
4850
- name: Security controls by Azure Policy
@@ -98,6 +100,8 @@
98100
href: delete-run-as-account.md
99101
- name: Manage Run As account
100102
href: manage-runas-account.md
103+
- name: Use Automation extension for Visual Studio Code
104+
href: how-to/runbook-authoring-extension-for-vscode.md
101105
- name: Configure authentication with Amazon Web Services
102106
href: automation-config-aws-account.md
103107
- name: Configure authentication with Azure AD

articles/automation/automation-role-based-access-control.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: Manage role permissions and security in Azure Automation
33
description: This article describes how to use Azure role-based access control (Azure RBAC), which enables access management and role permissions for Azure resources.
44
services: automation
55
ms.subservice: shared-capabilities
6-
ms.date: 09/10/2021
6+
ms.date: 01/09/2023
77
ms.topic: how-to
88
ms.custom: devx-track-azurepowershell, subject-rbac-steps
99
#Customer intent: As an administrator, I want to understand permissions so that I use the least necessary set of permissions.
@@ -322,6 +322,9 @@ Update Management can be used to assess and schedule update deployments to machi
322322
|Create update schedule ([Software Update Configurations](/rest/api/automation/softwareupdateconfigurations)) |Microsoft.Compute/virtualMachines/write |For static VM list and resource groups |
323323
|Create update schedule ([Software Update Configurations](/rest/api/automation/softwareupdateconfigurations)) |Microsoft.OperationalInsights/workspaces/analytics/query/action |For workspace resource ID when using non-Azure dynamic list.|
324324

325+
>[!NOTE]
326+
>When you use Update management, ensure that the execution policy for scripts is *RemoteSigned*.
327+
325328
## Configure Azure RBAC for your Automation account
326329

327330
The following section shows you how to configure Azure RBAC on your Automation account through the [Azure portal](#configure-azure-rbac-using-the-azure-portal) and [PowerShell](#configure-azure-rbac-using-powershell).
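Review bot: The note added at new lines 325-326 doesn't say where the execution policy has to be *RemoteSigned* (which machines, and at which scope) or what fails when it isn't, so a reader can neither apply nor verify it. Name the machine and scope the requirement applies to and the symptom it prevents. The note also sits in the RBAC permissions section although it isn't about permissions; a link to where execution policy is covered for Update Management would fit better than a bare instruction. "Update management" should match the "Update Management" capitalization used in the surrounding text.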
Lines changed: 79 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,79 @@
1+
---
2+
title: Runbook authoring using VS code in Azure Automation
3+
description: This article provides an overview authoring runbooks in Azure Automation using the visual studio code.
4+
services: automation
5+
ms.subservice: process-automation
6+
ms.date: 01/10/2023
7+
ms.topic: conceptual
8+
ms.custom: devx-track-azurepowershell
9+
---
10+
11+
# Runbook authoring through VS Code in Azure Automation
12+
13+
This article explains about the Visual Studio extension that you can use to create and manage runbooks.
14+
15+
Azure Automation provides a new extension from VS Code to create and manage runbooks. Using this extension, you can perform all runbook management operations such as, creating and editing runbooks, triggering a job, tracking recent jobs output, linking a schedule, asset management, and local debugging.
16+
17+
## Prerequisites
18+
- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
19+
- [Visual Studio Code](https://code.visualstudio.com/).
20+
- PowerShell modules and Python packages used by runbook must be locally installed on the machine to run the runbook locally.
21+
22+
## Supported operating systems
23+
24+
The test matrix includes the following operating systems:
25+
1. **Windows Server 2022** with Windows PowerShell 5.1 and PowerShell Core 7.2.7
26+
1. **Windows Server 2019** with Windows PowerShell 5.1 and PowerShell Core 7.2.7
27+
1. **macOS 11** with PowerShell Core 7.2.7
28+
1. **Ubuntu** 20.04 with PowerShell Core 7.2.7
29+
30+
>[!NOTE]
31+
>- The extension should work anywhere in VS Code and it supports [PowerShell 7.2 or higher](https://learn.microsoft.com/powershell/scripting/install/PowerShell-Support-Lifecycle?view=powershell-7.3). For Windows PowerShell, only version 5.1 is supported.
32+
>- PowerShell Core 6 is end-of-life and not supported.
33+
34+
35+
## Key Features
36+
37+
- **Simplified onboarding** – You can sign in using an Azure account in a simple and secure way.
38+
- **Multiple languages** - Supports all Automation runtime stack such as PowerShell 5, PowerShell 7, Python 2, and Python 3 Runbooks.
39+
- **Supportability**- Supports test execution of job, publishing Automation job and triggering job in Azure and Hybrid workers. You can execute runbooks locally.
40+
- Supports Python positional parameters and PowerShell parameters to trigger job.
41+
- **Webhooks simplified** – You can create a webhook, start a job through a webhook in simpler way. Also, support to link a schedule to a Runbook.
42+
- **Manage Automation Assets** – You can perform create, update, and delete operation against assets including certificates, variables, credentials, and connections.
43+
- **View properties** – You can view the properties and select Hybrid worker group to execute hybrid jobs and view the recent last 10 jobs executed.
44+
- **Debug locally** - You can debug the PowerShell scripts locally.
45+
- **Runbook comparison** - You can compare the local runbook to the published or the draft runbook copy.
46+
47+
## Key Features of v1.0.8
48+
49+
- **Local directory configuration settings** - You can define the working directory that you want to save runbooks locally.
50+
- **Change Directory:Base Path** - You use the changed directory path when you reopen Visual Studio code IDE. To change the directory using the Command Palette, use **Ctrl+Shift+P -> select Change Directory**. To change the base path from extension configuration settings, select **Manage** icon in the activity bar on the left and go to **Settings > Extensions > Azure Automation > Directory:Base Path**.
51+
- **Change Directory:Folder Structure** - You can change the local directory folder structure from *vscodeAutomation/accHash* to *subscription/resourceGroup/automationAccount*. Select **Manage** icon in the activity bar on the left and go to **Settings > Extensions > Azure Automation > Directory:Folder Structure**. You can change the default configuration setting from *vscodeAutomation/accHash* to *subscription/resourceGroupe/automationAccount* format.
52+
>[!NOTE]
53+
>If your automation account is integrated with source control you can provide the runbook folder path of your GitHub repo as the directory path. For example: changing directory to *C:\abc* would store runbooks in *C:\abc\vscodeAutomation..* or *C:\abc//subscriptionName//resourceGroupName//automationAccountName//runbookname.ps1*.
54+
- **Runbook management operations** - You can create runbook, fetch draft runbook, fetch published runbook, open local runbook in the editor, compare local runbook with a published or draft runbook copy, upload as draft, publish runbook, and delete runbook from your Automation account.
55+
- **Runbook execution operations** - You can run a local version of Automation jobs such as, Start Automation jobs, Start Automation test job, view job outputs and run local version of the PowerShell Runbook in debug mode by allowing you to add breakpoints in the script.
56+
>[!NOTE]
57+
> Currently, we support the use of internal cmdlets like `Get-AutomationVariable` only with non-encrypted assets.
58+
59+
- **Work with schedules, assets and webhooks** - You can view the properties of a schedule, delete schedule, link schedule to link a schedule to a runbook.
60+
- **Add webhook** - You can add a webhook to the runbook.
61+
- **Update properties of assets** - You can create, update, view properties of assets such as Certificates, Connections, Credentials, Variables and Deletion of assets from the extension.
62+
63+
64+
## Limitations
65+
Currently, the following features aren't supported:
66+
67+
- Creation of new schedules.
68+
- Adding new Certificates in Assets.
69+
- Upload Modules (PowerShell and Python) packages from the extension.
70+
- Auto-sync of local runbooks to Azure Automation account. You will have to perform the operation to **Fetch** or **Publish** runbook.
71+
- Management of Hybrid worker groups.
72+
- Graphical runbook and workflows.
73+
- For Python, we don't provide any debug options. We recommend that you install any debugger extension in your Python script.
74+
- Currently, we support only the unencrypted assets in local run.
75+
76+
## Next steps
77+
78+
- For Runbook management operations and to test runbook and jobs, see [Use Azure Automation extension for Visual Studio Code](../automation/how-to/runbook-authoring-extension-for-vscode.md)
79+
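Review bot: The restriction that only non-encrypted assets work in a local run is stated twice, in the note at lines 56-57 and again as the last item under Limitations at line 74, and neither place says what a runbook gets back when it calls `Get-AutomationVariable` on an encrypted asset locally. State it once, under Limitations, and describe the behaviour so authors don't work around it by storing secrets unencrypted. Wording fixes in the same file: line 13 says "Visual Studio extension" where the article is about Visual Studio Code, the description at line 3 is missing "of" ("an overview authoring"), line 51 has "resourceGroupe", line 59 repeats itself ("link schedule to link a schedule to a runbook"), and line 73 tells readers to install a debugger extension "in your Python script" where it presumably means in VS Code.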