Merge pull request #235008 from MicrosoftDocs/main

Publish to Live Wednesday 4AM PST, 04/19

Author: PMEds28

.openpublishing.redirection.defender-for-iot.json

@@ -1,5 +1,44 @@
 {
     "redirections": [
+        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-activate-and-set-up-your-on-premises-management-console.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/ot-deploy/activate-deploy-management",
+            "redirect_document_id": false
+        },        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-activate-and-set-up-your-sensor.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/ot-deploy/activate-deploy-sensor",
+            "redirect_document_id": false
+        },        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-deploy-certificates.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/ot-deploy/activate-deploy-sensor#deploy-an-ssltls-certificate",
+            "redirect_document_id": false
+        },        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-enhance-port-and-vlan-name-resolution.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/how-to-control-what-traffic-is-monitored#customize-port-and-vlan-names",
+            "redirect_document_id": false
+        },        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-gain-insight-into-global-regional-and-local-threats.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/monitor-zero-trust",
+            "redirect_document_id": false
+        },        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/traffic-mirroring/configure-mirror-tap.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/best-practices/traffic-mirroring-methods#active-or-passive-aggregation-tap",
+            "redirect_document_id": false
+        },        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/pre-deployment-checklist.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/ot-deploy/ot-deploy-path",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-troubleshoot-the-sensor-and-on-premises-management-console.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/how-to-troubleshoot-sensor",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-set-up-your-network.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/best-practices/plan-prepare-deploy",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-work-with-device-notifications.md",
             "redirect_url": "/azure/defender-for-iot/organizations/how-to-work-with-the-sensor-device-map#manage-device-notifications-from-an-ot-sensor-device-map",
@@ -136,7 +175,7 @@
         },
         {
             "source_path_from_root": "/articles/defender-for-iot/how-to-set-up-your-network.md",
-            "redirect_url": "/azure/defender-for-iot/organizations/how-to-set-up-your-network",
+            "redirect_url": "/azure/defender-for-iot/organizations/best-practices/plan-prepare-deploy",
             "redirect_document_id": false
         },
         {
@@ -151,7 +190,7 @@
         },
         {
             "source_path_from_root": "/articles/defender-for-iot/how-to-activate-and-set-up-your-on-premises-management-console.md",
-            "redirect_url": "/azure/defender-for-iot/organizations/how-to-activate-and-set-up-your-on-premises-management-console",
+            "redirect_url": "/azure/defender-for-iot/organizations/ot-deploy/activate-deploy-management",
             "redirect_document_id": false
         },
         {
@@ -256,7 +295,7 @@
         },
         {
             "source_path_from_root": "/articles/defender-for-iot/how-to-gain-insight-into-global-regional-and-local-threats.md",
-            "redirect_url": "/azure/defender-for-iot/organizations/how-to-gain-insight-into-global-regional-and-local-threats",
+            "redirect_url": "/azure/defender-for-iot/organizations/monitor-zero-trust",
             "redirect_document_id": false
         },
         {
@@ -677,5 +716,3 @@
     ]
 }
 
-
-

articles/active-directory/develop/security-best-practices-for-app-registration.md

@@ -62,6 +62,7 @@ Certificates and secrets, also known as credentials, are a vital part of an appl
 Consider the following guidance related to certificates and secrets:
 
 - Always use [certificate credentials](./active-directory-certificate-credentials.md) whenever possible and don't use password credentials, also known as *secrets*. While it's convenient to use password secrets as a credential, when possible use x509 certificates as the only credential type for getting tokens for an application.
+  - Configure [application authentication method policies](/graph/api/resources/applicationauthenticationmethodpolicy) to govern the use of secrets by limiting their lifetimes or blocking their use altogether.
 - Use Key Vault with [managed identities](../managed-identities-azure-resources/overview.md) to manage credentials for an application.
 - If an application is used only as a Public Client App (allows users to sign in using a public endpoint), make sure that there are no credentials specified on the application object.
 - Review the credentials used in applications for freshness of use and their expiration. An unused credential on an application can result in a security breach. Rollover credentials frequently and don't share credentials across applications. Don't have many credentials on one application.

articles/active-directory/governance/configure-logic-app-lifecycle-workflows.md

@@ -5,7 +5,7 @@ author: owinfreyATL
 ms.author: owinfrey
 ms.service: active-directory
 ms.topic: reference
-ms.date: 01/26/2023
+ms.date: 03/17/2023
 ms.custom: template-how-to
 ---
 
@@ -15,16 +15,32 @@ ms.custom: template-how-to
 
 Before you can use an existing Azure Logic App with the custom task extension feature of Lifecycle Workflows, it must first be made compatible. This reference guide provides a list of steps that must be taken to make the Azure Logic App compatible. For a guide on creating a new compatible Logic App via the Lifecycle Workflows portal, see [Trigger Logic Apps based on custom task extensions (preview)](trigger-custom-task.md).
 
+## Determine type of token security of your custom task extension
+
+Before configuring your Azure Logic App custom extension for use with Lifecycle Workflows, you must first figure out what type of token security it has. The two token security types can either be:
+
+- Normal
+- Proof of Possession(POP)
+
+
+To determine the security token type of your custom task extension, you'd check the **Custom extensions (Preview)** page:
+
+:::image type="content" source="media/configure-logic-app-lifecycle-workflows/custom-task-extension-token-type.png" alt-text="Screenshot of custom task extension and token type.":::
+
+
+> [!NOTE]
+> New custom task extensions will only have Proof of Possession(POP) token security type. Only task extensions created before the inclusion of the Proof of Possession token security type will have a type of Normal.
+
 ## Configure existing Logic Apps for LCW use
 
 Making an Azure Logic app compatible to run with the **Custom Task Extension** requires the following steps:
 
 - Configure the logic app trigger
-- Configure the callback action (only applicable to the callback scenario)
-- Enable system assigned managed identity.
-- Configure AuthZ policies.
+- Configure the callback action (Only applicable to the callback scenario.)
+- Enable system assigned managed identity (Always required for Normal security token type extensions. This is also the default for callback scenarios with custom task extensions. For more information on this, and other, custom task extension deployment scenarios, see: [Custom task extension deployment scenarios](lifecycle-workflow-extensibility.md#custom-task-extension-deployment-scenarios).)
+- Configure AuthZ policies
 
-To configure those you'll follow these steps:
+To configure those you follow these steps:
 
 1. Open the Azure Logic App you want to use with Lifecycle Workflow. Logic Apps may greet you with an introduction screen, which you can close with the X in the upper right corner.
 
@@ -202,21 +218,59 @@ To configure those you'll follow these steps:
 
 1. Select Save.    
 
-1. For Logic Apps authorization policy, we'll need the managed identities **Application ID**. Since the Azure portal only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Azure portal** to find the required Application ID.
+## Configure authorization policy for custom task extension with POP security token type
+If the security token type is **Proof of Possession (POP)** for your custom task extension, you'd set the authorization policy by following these steps:
+
+1. For Logic Apps authorization policy, we need the managed identities **Application ID**. Since the Azure portal only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Azure AD Portal** to find the required Application ID.
 
 1. Go back to the logic app you created, and select **Authorization**.
 
-1. Create two authorization policies based on the tables below:
+1. Create two authorization policies based on these tables:
 
-    Policy name: AzureADLifecycleWorkflowsAuthPolicy   
+    Policy name: POP-Policy
+    
+    Policy type: (Preview) AADPOP   
+    
+    |Claim  |Value  |
+    |---------|---------|
+    |Issuer     |  https://sts.windows.net/(Tenant ID)/       |
+    |appid     |  ce79fdc4-cd1d-4ea5-8139-e74d7dbe0bb7   |
+    |m     |  POST   |
+    |u     |  management.azure.com   |
+    |p     |  /subscriptions/(subscriptionId)/resourceGroups/(resourceGroupName)/providers/Microsoft.Logic/workflows/(LogicApp name)   |
+
+
+1. Save the Authorization policy.
+
+
+> [!CAUTION]
+> Please pay attention to the details as minor differences can lead to problems later.
+-	For Issuer, ensure you did include the slash after your Tenant ID
+-	For appid, ensure the custom claim is “appid” in all lowercase. The appid value represents Lifecycle Workflows and is always the same.
+
+## Configure authorization policy for custom task extension with normal security token type
+
+If the security token type is **Normal** for your custom task extension, you'd set the authorization policy by following these steps:
+
+1. For Logic Apps authorization policy, we need the managed identities **Application ID**. Since the Azure portal only shows the Object ID, we need to look up the Application ID. You can search for the managed identity by Object ID under **Enterprise Applications in the Azure AD Portal** to find the required Application ID.
+
+1. Go back to the logic app you created, and select **Authorization**.
+
+1. Create two authorization policies based on these tables:
+
+    Policy name: AzureADLifecycleWorkflowsAuthPolicy 
+
+    Policy type: AAD  
     
     |Claim  |Value  |
     |---------|---------|
     |Issuer     |  https://sts.windows.net/(Tenant ID)/       |
     |Audience     | Application ID of your Logic Apps Managed Identity       |
     |appid     |  ce79fdc4-cd1d-4ea5-8139-e74d7dbe0bb7   |
 
-    Policy name: AzureADLifecycleWorkflowsAuthPolicyV2App   
+    Policy name: AzureADLifecycleWorkflowsAuthPolicyV2App 
+
+    Policy type: AAD   
  
     |Claim  |Value  |
     |---------|---------|
@@ -225,8 +279,6 @@ To configure those you'll follow these steps:
     |azp     |  ce79fdc4-cd1d-4ea5-8139-e74d7dbe0bb7   |
 
 1. Save the Authorization policy.
-> [!NOTE]
-> Due to a current bug in the Logic Apps UI you may have to save the authorization policy after each claim before adding another.
 
 > [!CAUTION]
 > Please pay attention to the details as minor differences can lead to problems later.

articles/active-directory/governance/media/configure-logic-app-lifecycle-workflows/custom-task-extension-token-type.png

@@ -81,3 +81,15 @@
     - name: Application management
       tocHref: /azure/app-provisioning/
       topicHref: /azure/active-directory/manage-apps/index
+
+- name: Azure
+  tocHref: /azure/
+  topicHref: /azure/index
+  items:  
+  - name: Active Directory
+    tocHref: /azure/active-directory-b2c/
+    topicHref: /azure/active-directory/index
+    items:
+    - name: Application management
+      tocHref: /azure/active-directory-b2c/
+      topicHref: /azure/active-directory/manage-apps/index

articles/active-directory/manage-apps/bread/toc.yml

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: how-to
-ms.date: 10/12/2022
+ms.date: 04/19/2023
 ms.author: jomondi
 ms.reviewer: phsignor, yuhko
 ms.custom: contperf-fy21q2, contperf-fy22q2
@@ -31,7 +31,7 @@ To reduce the risk of malicious applications attempting to trick users into gran
 To configure user consent, you need:
 
 - A user account. If you don't already have one, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- A Global Administrator or Privileged Administrator role.
+- A Global Administrator role.
 
 ## Configure user consent settings
 

articles/active-directory/manage-apps/configure-user-consent.md

@@ -88,7 +88,7 @@
   - name: How-to guides
     expanded: false
     items:
-    - name: Application integration guidance
+    - name: Integrate SaaS applications
       href: ../saas-apps/tutorial-list.md
     - name: Assign owners
       href: assign-app-owners.md
@@ -140,7 +140,7 @@
         href: hide-application-from-user-portal.md
     - name: Migrate applications
       items:
-      - name: Migrate an AD FS app to Azure
+      - name: Migrate an AD FS app to Azure AD
         href: migrate-adfs-apps-to-azure.md
       - name: Migrate application authentication to Azure Active Directory
         href: migrate-application-authentication-to-azure-active-directory.md
@@ -162,7 +162,7 @@
         href: secure-hybrid-access.md
       - name: Secure hybrid access partner integrations
         href: secure-hybrid-access-integrations.md
-      - name: Cloudflare
+      - name: Configure Cloudflare with Azure AD
         href: cloudflare-azure-ad-integration.md
       - name: Datawiza
         items:
@@ -209,7 +209,7 @@
               - name: SSL-VPN
                 href: f5-aad-password-less-vpn.md  
               - name: B2C
-                href: ../../active-directory-b2c/partner-f5.md
+                href: ../../active-directory-b2c/partner-f5.md?context=%2fazure%2factive-directory%2fmanage-apps%2fcontext%2fmanage-apps-context
       - name: Silverfort
         href: silverfort-azure-ad-integration.md
     - name: Single sign-on

articles/active-directory/manage-apps/toc.yml

@@ -111,7 +111,7 @@ The following table has HIPAA guidance on the automatic logoff safeguard. Find M
 | Recommendation | Action |
 | - | - |
 | Create group policy | Support for devices not migrated to Azure AD and managed by Intune, [Group Policy (GPO)](../../active-directory-domain-services/manage-group-policy.md) can enforce sign out, or lock screen time for devices on AD, or in hybrid environments. |
-| Assess device management requirements | [Microsoft IntTune](/mem/intune/fundamentals/what-is-intune) provides mobile device management (MDM) and mobile application management (MAM). It provides control over company and personal devices. You can manage device usage and enforce policies to control mobile applications. |
+| Assess device management requirements | [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) provides mobile device management (MDM) and mobile application management (MAM). It provides control over company and personal devices. You can manage device usage and enforce policies to control mobile applications. |
 | Device Conditional Access policy | Implement device lock by using a conditional access policy to restrict access to [compliant](../conditional-access/concept-conditional-access-grant.md) or hybrid Azure AD joined devices. Configure [policy settings](../conditional-access/concept-conditional-access-grant.md#require-hybrid-azure-ad-joined-device).</br>For unmanaged devices, configure the [Sign-In Frequency](../conditional-access/howto-conditional-access-session-lifetime.md) setting to force users to reauthenticate. |
 | Configure session time out for Microsoft 365 | Review the [session timeouts](/microsoft-365/admin/manage/idle-session-timeout-web-apps) for Microsoft 365 applications and services, to amend any prolonged timeouts. |
 | Configure session time out for Azure portal | Review the [session timeouts for Azure portal session](../../azure-portal/set-preferences.md), by implementing a timeout due to inactivity it helps to protect resources from unauthorized access. |

articles/active-directory/standards/hipaa-access-controls.md

@@ -2,11 +2,20 @@
 title: Release notes for Azure Advisor
 description: A description of what's new and changed in Azure Advisor
 ms.topic: reference
-ms.date: 01/03/2022
+ms.date: 04/18/2023
 ---
 # What's new in Azure Advisor?
 
 Learn what's new in the service. These items may be release notes, videos, blog posts, and other types of information. Bookmark this page to stay up to date with the service.
+## April 2023
+
+### VM/VMSS right-sizing recommendations with custom lookback period
+
+Customers can now improve the relevance of recommendations to make them more actionable, resulting in additional cost savings. 
+The right sizing recommendations help optimize costs by identifying idle or underutilized virtual machines based on their CPU, memory, and network activity over the default lookback period of seven days. 
+Now, with this latest update, customers can adjust the default look back period to get recommendations based on 14, 21,30, 60, or even 90 days of use. The configuration can be applied at the subscription level. This is especially useful when the workloads have biweekly or monthly peaks (such as with payroll applications). 
+
+To learn more, visit [Optimize virtual machine (VM) or virtual machine scale set (VMSS) spend by resizing or shutting down underutilized instances](advisor-cost-recommendations.md#optimize-virtual-machine-vm-or-virtual-machine-scale-set-vmss-spend-by-resizing-or-shutting-down-underutilized-instances).
 
 ## May 2022
 

articles/advisor/advisor-release-notes.md

@@ -14,7 +14,7 @@ author: palma21
 
 When you leverage [integrated authentication between Azure Active Directory (Azure AD) and AKS](managed-aad.md), you can use Azure AD users, groups, or service principals as subjects in [Kubernetes role-based access control (Kubernetes RBAC)][kubernetes-rbac]. This feature frees you from having to separately manage user identities and credentials for Kubernetes. However, you still have to set up and manage Azure RBAC and Kubernetes RBAC separately.
 
-This article covers how to use Azure RBAC for Kubernetes Authorization, which allows for the unified management and access control across Azure resources, AKS, and Kubernetes resources. For more information, see [Azure RBAC for Kubernetes Authorization][azure-rbac-kubernetes-rbac].
+This article covers how to use Azure RBAC for Kubernetes Authorization, which allows for the unified management and access control across Azure resources, AKS, and Kubernetes resources. For more information, see [Azure RBAC for Kubernetes Authorization][kubernetes-rbac].
 
 ## Before you begin
 
@@ -206,7 +206,7 @@ az group delete -n myResourceGroup
 
 To learn more about AKS authentication, authorization, Kubernetes RBAC, and Azure RBAC, see:
 
-* [Access and identity options for AKS](/concepts-identity.md)
+* [Access and identity options for AKS](./concepts-identity.md)
 * [What is Azure RBAC?](../role-based-access-control/overview.md)
 * [Microsoft.ContainerService operations](../role-based-access-control/resource-provider-operations.md#microsoftcontainerservice)
 
@@ -228,5 +228,4 @@ To learn more about AKS authentication, authorization, Kubernetes RBAC, and Azur
 [install-azure-cli]: /cli/azure/install-azure-cli
 [az-role-definition-create]: /cli/azure/role/definition#az_role_definition_create
 [az-aks-get-credentials]: /cli/azure/aks#az_aks_get-credentials
-[kubernetes-rbac]: /concepts-identity#azure-rbac-for-kubernetes-authorization
-[azure-rbac-kubernetes-rbac]: /concepts-identity#azure-rbac-for-kubernetes-authorization
+[kubernetes-rbac]: ./concepts-identity.md#azure-rbac-for-kubernetes-authorization