Merge branch 'main' into release-cred-free-java

Author: v-alje

.openpublishing.redirection.active-directory.json

@@ -4178,12 +4178,12 @@
     },
     {
       "source_path_from_root": "/articles/active-directory/active-directory-troubleshooting-support-howto.md",
-      "redirect_url": "/azure/active-directory/fundamentals/active-directory-troubleshooting-support-howto",
+      "redirect_url": "/azure/active-directory/fundamentals/how-to-get-support",
       "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/active-directory/b2b/get-support.md",
-      "redirect_url": "/azure/active-directory/fundamentals/active-directory-troubleshooting-support-howto",
+      "redirect_url": "/azure/active-directory/fundamentals/how-to-get-support",
       "redirect_document_id": false
     },
     {
@@ -10885,7 +10885,16 @@
       "source_path_from_root": "/articles/active-directory/cloud-infrastructure-entitlement-management/product-integrations.md",
       "redirect_url": "/azure/active-directory/cloud-infrastructure-entitlement-management",
       "redirect_document_id": false
+    },
+{
+      "source_path_from_root": "/articles/active-directory/fundamentals/active-directory-troubleshooting-support-howto.md",
+      "redirect_url": "/azure/active-directory/fundamentals/how-to-get-support",
+      "redirect_document_id": false
+    },
+{
+      "source_path_from_root": "/articles/active-directory/fundamentals/support-help-options.md",
+      "redirect_url": "/azure/active-directory/fundamentals/how-to-get-support",
+      "redirect_document_id": false
     }
-
   ]
 }

.openpublishing.redirection.json

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 06/20/2022
+ms.date: 09/21/2022
 ms.author: justinha
 
 ---
@@ -108,14 +108,21 @@ The following sections cover network security groups and Inbound and Outbound po
 
 ### Inbound connectivity
 
-The following network security group Inbound rules are required for the managed domain to provide authentication and management services. Don't edit or delete these network security group rules for the virtual network subnet your managed domain is deployed into.
+The following network security group Inbound rules are required for the managed domain to provide authentication and management services. Don't edit or delete these network security group rules for the virtual network subnet for your managed domain.
 
 | Inbound port number | Protocol | Source                             | Destination | Action | Required | Purpose |
 |:-----------:|:--------:|:----------------------------------:|:-----------:|:------:|:--------:|:--------|
 | 5986        | TCP      | AzureActiveDirectoryDomainServices | Any         | Allow  | Yes      | Management of your domain. |
 | 3389        | TCP      | CorpNetSaw                         | Any         | Allow  | Optional      | Debugging for support. |
 
-An Azure standard load balancer is created that requires these rules to be place. This network security group secures Azure AD DS and is required for the managed domain to work correctly. Don't delete this network security group. The load balancer won't work correctly without it.
+Azure AD DS also relies on the Default Security rules AllowVnetInBound and AllowAzureLoadBalancerInBound.
+
+:::image type="content" border="true" source="./media/network-considerations/nsg.png" alt-text="Screenshot of network security group rules.":::
+
+The AllowVnetInBound rule allows all traffic within the VNet which allows the DCs to properly communicate and replicate as well as allow domain join and other domain services to domain members. For more information about required ports for Windows, see [Service overview and network port requirements for Windows](/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements).
+
+
+The AllowAzureLoadBalancerInBound rule is also required so that the service can properly communicate over the loadbalancer to manage the DCs. This network security group secures Azure AD DS and is required for the managed domain to work correctly. Don't delete this network security group. The load balancer won't work correctly without it. 
 
 If needed, you can [create the required network security group and rules using Azure PowerShell](powershell-create-instance.md#create-a-network-security-group).
 

articles/active-directory-domain-services/media/network-considerations/nsg.png

@@ -105,11 +105,22 @@ When these conditions are met, the app can extract the claims challenge from the
 
 ```javascript
 const authenticateHeader = response.headers.get('www-authenticate');
-const claimsChallenge = authenticateHeader
-        .split(' ')
-        .find((entry) => entry.includes('claims='))
-        .split('claims="')[1]
-        .split('",')[0];
+const claimsChallenge = parseChallenges(authenticateHeader).claims;
+
+// ...
+
+function parseChallenges(header) {
+    const schemeSeparator = header.indexOf(' ');
+    const challenges = header.substring(schemeSeparator + 1).split(',');
+    const challengeMap = {};
+
+    challenges.forEach((challenge) => {
+        const [key, value] = challenge.split('=');
+        challengeMap[key.trim()] = window.decodeURI(value.replace(/['"]+/g, ''));
+    });
+
+    return challengeMap;
+}
 ```
 
 Your app would then use the claims challenge to acquire a new access token for the resource.
@@ -118,22 +129,19 @@ Your app would then use the claims challenge to acquire a new access token for t
 let tokenResponse;
 
 try {
-
     tokenResponse = await msalInstance.acquireTokenSilent({
-                    claims: window.atob(claimsChallenge), // decode the base64 string
-                    scopes: scopes,  // e.g ['User.Read', 'Contacts.Read']
-                    account: account, // current active account
-                });
+        claims: window.atob(claimsChallenge), // decode the base64 string
+        scopes: scopes,  // e.g ['User.Read', 'Contacts.Read']
+        account: account, // current active account
+    });
 
 } catch (error) {
-
      if (error instanceof InteractionRequiredAuthError) {
-
         tokenResponse = await msalInstance.acquireTokenPopup({
-                        claims: window.atob(claimsChallenge), // decode the base64 string
-                        scopes: scopes, // e.g ['User.Read', 'Contacts.Read']
-                        account: account, // current active account
-                    });
+            claims: window.atob(claimsChallenge), // decode the base64 string
+            scopes: scopes, // e.g ['User.Read', 'Contacts.Read']
+            account: account, // current active account
+        });
     }
 
 }

articles/active-directory-domain-services/network-considerations.md

@@ -22,7 +22,7 @@ To improve the security of Linux virtual machines (VMs) in Azure, you can integr
 This article shows you how to create and configure a Linux VM and log in with Azure AD by using OpenSSH certificate-based authentication.
 
 > [!IMPORTANT]
-> This capability is now generally available. The previous version that made use of device code flow was [deprecated on August 15, 2021](../../virtual-machines/linux/login-using-aad.md). To migrate from the old version to this version, see the section [Migrate from the previous (preview) version](#migrate-from-the-previous-preview-version).
+> This capability is now generally available. The previous version that made use of device code flow was [deprecated on August 15, 2021](/azure-docs-archive-pr/virtual-machines/linux/login-using-aad). To migrate from the old version to this version, see the section [Migrate from the previous (preview) version](#migrate-from-the-previous-preview-version).
 
 There are many security benefits of using Azure AD with OpenSSH certificate-based authentication to log in to Linux VMs in Azure. They include:
 

articles/active-directory/develop/app-resilience-continuous-access-evaluation.md

@@ -200,7 +200,7 @@ To configure role assignments for your Azure AD-enabled Windows Server 2019 Data
 
 The following example uses [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) to assign the Virtual Machine Administrator Login role to the VM for your current Azure user. You obtain the username of your current Azure account by using [az account show](/cli/azure/account#az-account-show), and you set the scope to the VM created in a previous step by using [az vm show](/cli/azure/vm#az-vm-show). 
 
-You can also assign the scope at a resource group or subscription level. Normal Azure RBAC inheritance permissions apply. For more information, see [Log in to a Linux virtual machine in Azure by using Azure Active Directory authentication](../../virtual-machines/linux/login-using-aad.md).
+You can also assign the scope at a resource group or subscription level. Normal Azure RBAC inheritance permissions apply. For more information, see [Log in to a Linux virtual machine in Azure by using Azure Active Directory authentication](/azure-docs-archive-pr/virtual-machines/linux/login-using-aad).
 
 ```AzureCLI
 $username=$(az account show --query user.name --output tsv)