Merge pull request #289927 from MicrosoftDocs/main

11/5/2024 PM Publish

Author: Taojunshen

articles/active-directory-b2c/openid-connect.md

@@ -59,7 +59,7 @@ client_id=00001111-aaaa-2222-bbbb-3333cccc4444
 | {tenant} | Yes | Name of your [Azure AD B2C tenant]( tenant-management-read-tenant-name.md#get-your-tenant-name). If you're using a [custom domain](custom-domain.md), replace `tenant.b2clogin.com` with your domain, such as `fabrikam.com`.  |
 | {policy} | Yes | The user flow or policy that the app runs. Specify the name of a user flow that you create in your Azure AD B2C tenant. For example: `b2c_1_sign_in`, `b2c_1_sign_up`, or `b2c_1_edit_profile`. |
 | client_id | Yes | The application ID that the [Azure portal](https://portal.azure.com/) assigned to your application. |
-| nonce | Yes | A value included in the request (generated by the application) that is included in the resulting ID token as a claim. The application can then verify this value to mitigate token replay attacks. The value is typically a randomized unique string that can be used to identify the origin of the request. |
+| nonce | Recommended | A value included in the request (generated by the application) that is included in the resulting ID token as a claim. The application can then verify this value to mitigate token replay attacks. The value is typically a randomized unique string that can be used to identify the origin of the request. |
 | response_type | Yes | Must include an ID token for OpenID Connect. If your web application also needs tokens for calling a web API, you can use `code+id_token`.|
 | scope | Yes | A space-separated list of scopes. The `openid` scope indicates a permission to sign in the user and get data about the user in the form of ID tokens. The `offline_access` scope is optional for web applications. It indicates that your application need a *refresh token* for extended access to resources. The `https://{tenant-name}/{app-id-uri}/{scope}` indicates a permission to protected resources, such as a web API. For more information, see [Request an access token](access-tokens.md#scopes). |
 | prompt | No | The type of user interaction that you require. The only valid value at this time is `login`, which forces the user to enter their credentials on that request. |

articles/active-directory-b2c/partner-web-application-firewall.md

@@ -7,7 +7,7 @@ manager: martinco
 ms.reviewer: kengaderdus
 ms.service: azure-active-directory
 ms.topic: how-to
-ms.date: 01/26/2024
+ms.date: 10/29/2024
 ms.author: gasinh
 ms.subservice: b2c
 
@@ -17,12 +17,9 @@ ms.subservice: b2c
 
 # Tutorial: Configure Azure Active Directory B2C with Azure Web Application Firewall
 
-Learn how to enable the Azure Web Application Firewall (WAF) service for an Azure Active Directory B2C (Azure AD B2C) tenant, with a custom domain. WAF protects web applications from common exploits and vulnerabilities.
+Learn how to enable the Azure Web Application Firewall (WAF) service for an Azure Active Directory B2C (Azure AD B2C) tenant with a custom domain. WAF protects web applications from common exploits and vulnerabilities such as cross-site scripting, DDoS attacks, and malicious bot activity.
 
->[!NOTE]
->This feature is in public preview. 
-
-See, [What is Azure Web Application Firewall?](../web-application-firewall/overview.md)
+See [What is Azure Web Application Firewall?](../web-application-firewall/overview.md)
 
 ## Prerequisites
 
@@ -32,77 +29,122 @@ To get started, you need:
 * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)
 * **An Azure AD B2C tenant** – authorization server that verifies user credentials using custom policies defined in the tenant
   * Also known as the identity provider (IdP)
-  * See, [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md) 
-* **Azure Front Door (AFD)** – enables custom domains for the Azure AD B2C tenant
-  * See, [Azure Front Door and CDN documentation](../frontdoor/index.yml)
+  * See [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md) 
+* **Azure Front Door premium** – enables custom domains for the Azure AD B2C tenant and is security optimized with access to WAF managed rulesets
+  * See [Azure Front Door and CDN documentation](../frontdoor/index.yml)
 * **WAF** – manages traffic sent to the authorization server
-  * [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/#overview)
+  * [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/#overview) (requires Premium SKU)
 
 ## Custom domains in Azure AD B2C
 
-To use custom domains in Azure AD B2C, use the custom domain features in AFD. See, [Enable custom domains for Azure AD B2C](./custom-domain.md?pivots=b2c-user-flow).  
+To use custom domains in Azure AD B2C, use the custom domain features in Azure Front Door. See [Enable custom domains for Azure AD B2C](./custom-domain.md?pivots=b2c-user-flow).
 
-   > [!IMPORTANT]
-   > After you configure the custom domain, see [Test your custom domain](./custom-domain.md?pivots=b2c-custom-policy#test-your-custom-domain).  
+> [!IMPORTANT]
+> After you configure the custom domain, see [Test your custom domain](./custom-domain.md?pivots=b2c-custom-policy#test-your-custom-domain).
 
 ## Enable WAF
 
-To enable WAF, configure a WAF policy and associate it with the AFD for protection.
+To enable WAF, configure a WAF policy and associate it with your Azure Front Door premium for protection. Azure Front Door premium comes optimized for security and gives you access to rulesets managed by Azure that protect against common vulnerabilities and exploits including cross site scripting and Java exploits. The WAF provides rulesets that help protect you against malicious bot activity. The WAF offers you layer 7 DDoS protection for your application.
 
 ### Create a WAF policy
 
-Create a WAF policy with Azure-managed default rule set (DRS). See, [Web Application Firewall DRS rule groups and rules](../web-application-firewall/afds/waf-front-door-drs.md).
+Create a WAF policy with Azure-managed default rule set (DRS). See [Web Application Firewall DRS rule groups and rules](../web-application-firewall/afds/waf-front-door-drs.md).
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Select **Create a resource**.
-3. Search for Azure WAF. 
-4. Select **Azure Web Application Firewall (WAF)**.
-5. Select **Create**.
-6. Go to the **Create a WAF policy** page.
-7. Select the **Basics** tab. 
-8. For **Policy for**, select **Global WAF (Front Door)**.
-9. For **Front Door SKU**, select between **Basic**, **Standard**, or **Premium** SKU.
-10. For **Subscription**, select your Front Door subscription name.
-11. For **Resource group**, select your Front Door resource group name.
-12. For **Policy name**, enter a unique name for your WAF policy.
-13. For **Policy state**, select **Enabled**.
-14. For **Policy mode**, select **Detection**.
-15. Select **Review + create**.
-16. Go to the **Association** tab of the Create a WAF policy page.
-17. Select **+ Associate a Front Door profile**.
-18. For **Front Door**, select your Front Door name associated with Azure AD B2C custom domain.
-19. For **Domains**, select the Azure AD B2C custom domains to associate the WAF policy to.
-20. Select **Add**.
-21. Select **Review + create**.
-22. Select **Create**.
+1. Select **Create a resource**.
+1. Search for Azure WAF. 
+1. Select the **Azure Service Web Application Firewall (WAF) from Microsoft**.
+1. Select **Create**.
+1. Go to the **Create a WAF policy** page.
+1. Select the **Basics** tab. 
+1. For **Policy for**, select **Global WAF (Front Door)**.
+1. For **Front Door SKU**, select the **Premium** SKU.
+1. For **Subscription**, select your Front Door subscription name.
+1. For **Resource group**, select your Front Door resource group name.
+1. For **Policy name**, enter a unique name for your WAF policy.
+1. For **Policy state**, select **Enabled**.
+1. For **Policy mode**, select **Detection**.
+1. Go to the **Association** tab of the Create a WAF policy page.
+1. Select **+ Associate a Front Door profile**.
+1. For **Front Door**, select your Front Door name associated with Azure AD B2C custom domain.
+1. For **Domains**, select the Azure AD B2C custom domains to associate the WAF policy to.
+1. Select **Add**.
+1. Select **Review + create**.
+1. Select **Create**.
+
+### Default Ruleset
+
+When you create a new WAF policy for Azure Front Door, it automatically deploys with the latest version of Azure-managed default ruleset (DRS). This ruleset protects web applications from common vulnerabilities and exploits. Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats. Because Azure manages these rule sets, the rules are updated as needed to protect against new attack signatures. The DRS includes the Microsoft Threat Intelligence Collection rules that are written in partnership with the Microsoft Intelligence team to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction.
+
+Learn more: [Azure Web Application Firewall DRS rule groups and rules](../web-application-firewall/afds/waf-front-door-drs.md#default-rule-sets)
+
+### Bot Manager Ruleset
+
+By default, the Azure Front Door WAF deploys with the latest version of Azure-managed Bot Manager ruleset. This ruleset categorizes bot traffic into good, bad, and unknown bots. The bot signatures behind this ruleset are managed by the WAF platform and are updated dynamically.
+
+Learn more: [What is Azure Web Application Firewall on Azure Front Door?](../web-application-firewall/afds/afds-overview.md#bot-protection-rule-set)
+
+### Rate Limiting
+
+Rate limiting enables you to detect and block abnormally high levels of traffic from any socket IP address. By using Azure WAF in Azure Front Door, you can mitigate some types of denial-of-service attacks. Rate limiting protects you against clients that were accidentally misconfigured to send large volumes of requests in a short time period. Rate limiting must be configured manually on the WAF using custom rules.
+
+Learn more:
+- [Web application firewall rate limiting for Azure Front Door](../web-application-firewall/afds/waf-front-door-rate-limit.md)
+- [Configure a WAF rate-limit rule for Azure Front Door](../web-application-firewall/afds/waf-front-door-rate-limit-configure.md)
 
 ### Detection and Prevention modes
 
-When you create WAF policy, the policy is in Detection mode. We recommend you don't disable Detection mode. In this mode, WAF doesn't block requests. Instead, requests that match the WAF rules are logged in the WAF logs. 
+When you create a WAF policy, the policy starts in **Detection mode**. We recommend you leave the WAF policy in **Detection mode** while you tune the WAF for your traffic. In this mode, WAF doesn't block requests. Instead, requests that match the WAF rules are logged by the WAF once logging is enabled.
+
+Enable logging: [Azure Web Application Firewall monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md#logs-and-diagnostics)
 
-Learn more: [Azure Web Application Firewall monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md)
+Once logging is enabled, and your WAF starts receiving request traffic, you can begin tuning your WAF by looking through your logs.
+
+Learn more: [Tune Azure Web Application Firewall for Azure Front Door](../web-application-firewall/afds/waf-front-door-tuning.md)
 
 The following query shows the requests blocked by the WAF policy in the past 24 hours. The details include, rule name, request data, action taken by the policy, and the policy mode.
-   
-   ![Screenshot of blocked requests.](./media/partner-web-application-firewall/blocked-requests-query.png)
 
-   ![Screenshot of blocked requests details, such as Rule ID, Action, Mode, etc.](./media/partner-web-application-firewall/blocked-requests-details.png)
+```json
+AzureDiagnostics
+| where TimeGenerated >= ago(24h)
+| where Category == "FrontdoorWebApplicationFirewallLog"
+| where action_s == "Block"
+| project RuleID=ruleName_s, DetailMsg=details_msg_s, Action=action_s, Mode=policyMode_s, DetailData=details_data_s
+```
+
+|RuleID|DetailMsg|Action|Mode|DetailData|
+|---|---|---|---|---|
+|DefaultRuleSet-1.0-SQLI-942430|Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)|Block|detection|Matched Data: CfDJ8KQ8bY6D|
 
 Review the WAF logs to determine if policy rules cause false positives. Then, exclude the WAF rules based on the WAF logs.
 
-Learn more: [Define exclusion rules based on Web Application Firewall logs](../web-application-firewall/afds/waf-front-door-exclusion.md#define-exclusion-based-on-web-application-firewall-logs)
+Learn more
+- [Configure WAF exclusion lists for Azure Front Door](../web-application-firewall/afds/waf-front-door-exclusion-configure.md)
+- [Web application firewall exclusion lists in Azure Front Door](../web-application-firewall/afds/waf-front-door-exclusion.md)
+ 
+Once logging is set up and your WAF is receiving traffic, you can assess the effectiveness of your bot manager rules in handling bot traffic. The following query shows the actions taken by your bot manager ruleset, categorized by bot type. While in **Detection mode**, the WAF logs bot traffic actions only. However, once switched to prevention mode, the WAF begins actively blocking unwanted bot traffic.
+
+```json
+AzureDiagnostics
+| where Category == "FrontDoorWebApplicationFirewallLog"
+| where action_s in ("Log", "Allow", "Block", "JSChallenge", "Redirect") and ruleName_s contains "BotManager"
+| extend RuleGroup = extract("Microsoft_BotManagerRuleSet-[\\d\\.]+-(.*?)-Bot\\d+", 1, ruleName_s)
+| extend RuleGroupAction = strcat(RuleGroup, " - ", action_s)
+| summarize Hits = count() by RuleGroupAction, bin(TimeGenerated, 30m)
+| project TimeGenerated, RuleGroupAction, Hits
+| render columnchart kind=stacked
+```
 
 #### Switching modes
 
-To see WAF operating, select **Switch to prevention mode**, which changes the mode from Detection to Prevention. Requests that match the rules in the DRS are blocked and logged in the WAF logs.
-
-  ![Screenshot of options and selections for DefaultRuleSet under Web Application Firewall policies.](./media/partner-web-application-firewall/switch-to-prevention-mode.png)
+To see WAF take action on request traffic, select **Switch to prevention mode** from the Overview page, which changes the mode from Detection to Prevention. Requests that match the rules in the DRS are blocked and logged in the WAF logs. The WAF takes the prescribed action when a request matches one, or more, rules in the DRS and logs the results. By default, the DRS is set to anomaly scoring mode; this means that the WAF doesn't take any action on a request unless the anomaly score threshold is met.
 
-To revert to Detection mode, select **Switch to detection mode**.
+Learn more: Anomaly scoring [Azure Web Application Firewall DRS rule groups and rules](../web-application-firewall/afds/waf-front-door-drs.md#anomaly-scoring-mode)
 
-  ![Screenshot of DefaultRuleSet with Switch to detection mode.](./media/partner-web-application-firewall/switch-to-detection-mode.png)
+To revert to **Detection mode**, select **Switch to detection mode** from the Overview page.
 
 ## Next steps
 
-* [Azure Web Application Firewall monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md)
-* [Web Application Firewall (WAF) with Front Door exclusion lists](../web-application-firewall/afds/waf-front-door-exclusion.md)
+- [Best practices for Azure Web Application Firewall in Azure Front Door](../web-application-firewall/afds/waf-front-door-best-practices.md)
+- [Manage Web Application Firewall policies](../firewall-manager/manage-web-application-firewall-policies.md)
+- [Tune Azure Web Application Firewall for Azure Front Door](../web-application-firewall/afds/waf-front-door-tuning.md)

articles/app-service/app-service-web-nodejs-best-practices-and-troubleshoot-guide.md

@@ -272,4 +272,4 @@ Follow these links to learn more about Node.js applications on Azure App Service
 * [Using Node.js Modules with Azure applications](/training/modules/create-nodejs-project-dependencies/)
 * [Azure App Service Web Apps: Node.js](/archive/blogs/silverlining/windows-azure-websites-node-js)
 * [Node.js Developer Center](../nodejs-use-node-modules-azure-apps.md)
-* [Exploring the Super Secret Kudu Debug Console](https://azure.microsoft.com/documentation/videos/super-secret-kudu-debug-console-for-azure-web-sites/)
+* [Exploring the Super Secret Kudu Debug Console](https://www.youtube.com/watch?v=-VjqyvA2XjM)

articles/app-service/environment/how-to-upgrade-preference.md

@@ -4,7 +4,7 @@ description: Configure the upgrade preference for the Azure App Service Environm
 author: madsd
 ms.topic: tutorial
 ms.custom: devx-track-azurecli
-ms.date: 06/25/2024
+ms.date: 11/05/2024
 zone_pivot_groups: app-service-cli-portal
 ---
 
@@ -34,10 +34,14 @@ In smaller regions, Early and Late upgrade preferences might be very close to ea
 
 Manual upgrade preference gives you the option to receive a notification when an upgrade is available. The availability is also visible in the Azure portal. After the upgrade is available, you'll have 15 days to start the upgrade process. If you don't start the upgrade within the 15 days, the upgrade is processed with the remaining automatic upgrades in the region.
 
+> [!IMPORTANT]
+> In rare cases, you might see an upgrade is available in the **Configuration** page for your App Service Environment, but you don't receive a **Service Health** notification (if you [configure notifications](#configure-notifications)). If you don't receive a Service Health notification, this available upgrade isn't required and the 15-day time limit doesn't apply. This is a known bug that we are working to fix.
+> 
+
 Upgrades normally don't affect the availability of your apps. The upgrade adds extra instances to ensure that the same capacity is available during upgrade. Patched and restarted instances are added back in rotation, and when you have workloads sensitive to restarts you should plan to start the maintenance during non-business hours. The full upgrade process normally finishes within 18 hours, but could take longer. Once the upgrade is started the upgrade runs until it's complete and isn't paused during standard business hours.
 
 > [!NOTE]
-> In rare cases the upgrade availability might be impacted by a security hotfix superseding the planned upgrade, or a regression found in the planned upgrade before it has been applied to your instance. In these rare cases, the available upgrade will be removed and will transition to automatic upgrade.
+> In rare cases, the upgrade availability might be impacted by a security hotfix superseding the planned upgrade, or a regression found in the planned upgrade before it has been applied to your instance. In these rare cases, the available upgrade will be removed and will transition to automatic upgrade.
 > 
 
 ## Configure notifications

articles/app-service/overview-authentication-authorization.md

@@ -172,9 +172,7 @@ When a request fulfills all these conditions, App Service authentication automat
 
 When using Azure App Service with authentication behind Azure Front Door or other reverse proxies, a few additional things have to be taken into consideration.
 
-- Disable caching for the authentication workflow.
-
-    See [Disable cache for auth workflow](../static-web-apps/front-door-manual.md#disable-cache-for-auth-workflow) to learn more on how to configure rules in Azure Front Door to disable caching for authentication and authorization-related pages.
+- Disable [Front Door caching](../frontdoor/front-door-caching.md) for the authentication workflow.
 
 - Use the Front Door endpoint for redirects.