Merge pull request #192023 from MicrosoftDocs/main

3/17 AM Publish

Author: huypub

articles/active-directory/enterprise-users/licensing-groups-resolve-problems.md

@@ -22,7 +22,7 @@ ms.collection: M365-identity-device-management
 
 Group-based licensing in Azure Active Directory (Azure AD) introduces the concept of users in a licensing error state. In this article, we explain the reasons why users might end up in this state.
 
-When you assign licenses directly to individual users, without using group-based licensing, the assignment operation might fail. For example, when you execute the PowerShell cmdlet `Set-MsolUserLicense` on a user system, the cmdlet can fail for many reasons that are related to business logic. For example, there might be an insufficient number of licenses or a conflict between two service plans that can't be assigned at the same time. The problem is immediately reported back to you.
+When you assign licenses directly to individual users, without using group-based licensing, the assignment operation might fail for reasons that are related to business logic. For example, there might be an insufficient number of licenses or a conflict between two service plans that can't be assigned at the same time. The problem is immediately reported back to you.
 
 When you're using group-based licensing, the same errors can occur, but they happen in the background while the Azure AD service is assigning licenses. For this reason, the errors can't be communicated to you immediately. Instead, they're recorded on the user object and then reported via the administrative portal. The original intent to license the user is never lost, but it's recorded in an error state for future investigation and resolution.
 

articles/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: msi
 ms.topic: how-to
 ms.workload: identity
-ms.date: 03/04/2022
+ms.date: 03/08/2022
 ms.author: barclayn 
 ms.custom: devx-track-azurecli
 zone_pivot_groups: identity-mi-methods
@@ -81,13 +81,13 @@ In some environments, administrators choose to limit who can manage user-assigne
 1. Sign in to the [Azure portal](https://portal.azure.com).
 1. In the search box, enter **Managed Identities**. Under **Services**, select **Managed Identities**.
 1. A list of the user-assigned managed identities for your subscription is returned. Select the user-assigned managed identity that you want to manage.
-1. Select **Azure role assignments**, and then select **Add role assignment**.
-1. In the **Add role assignment** pane, configure the following values, and then select **Save**:
-   - **Role**: The role to assign.
-   - **Assign access to**: The resource to assign the user-assigned managed identity.
-   - **Select**: The member to assign access.
-   
-   ![Screenshot that shows the user-assigned managed identity IAM.](media/how-manage-user-assigned-managed-identities/assign-role-screenshot-02.png)
+1. Select **Access control (IAM)**.
+1. Choose **Add role assignment**.
+  
+   ![Screenshot that shows the user-assigned managed identity access control screen](media/how-manage-user-assigned-managed-identities/role-assign.png)
+
+1. In the **Add role assignment** pane, choose the role to assign and choose **Next**.
+1. Choose who should have the role assigned.
 
 >[!NOTE]
 >You can find information on assigning roles to managed identities in [Assign a managed identity access to a resource by using the Azure portal](../../role-based-access-control/role-assignments-portal-managed-identity.md)

articles/active-directory/managed-identities-azure-resources/media/how-manage-user-assigned-managed-identities/role-assign.png

@@ -0,0 +1,92 @@
+---
+title: Azure Active Directory SLA performance | Microsoft Docs
+description: Learn about the Azure AD SLA performance
+services: active-directory
+documentationcenter: ''
+author: MarkusVi
+manager: karenhoran
+editor: ''
+
+ms.assetid: 9b88958d-94a2-4f4b-a18c-616f0617a24e
+ms.service: active-directory
+ms.topic: reference
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.subservice: report-monitor
+ms.date: 03/15/2022
+ms.author: markvi
+ms.reviewer: besiler
+
+ms.collection: M365-identity-device-management
+---
+
+# Azure Active Directory SLA performance 
+
+As an identity admin, you may need to track Azure AD's service-level agreement (SLA) performance to make sure Azure AD can support your vital apps. This article shows how the Azure AD service has performed according to the [SLA for Azure Active Directory (Azure AD)](https://azure.microsoft.com/support/legal/sla/active-directory/v1_1/). 
+
+You can use this article in discussions with app or business owners to help them understand the performance they can expect from Azure AD. 
+
+
+## Service availability commitment 
+
+Microsoft offers Premium Azure AD customers the opportunity to get a service credit if Azure AD fails to meet the documented SLA. When you request a service credit, Microsoft evaluates the SLA for your specific tenant; however, this global SLA can give you an indication of the general health of Azure AD over time. 
+
+The SLA covers the following scenarios that are vital to businesses:
+
+- **User authentication:** Users are able to login to the Azure Active Directory service.
+
+- **App access:** Azure Active Directory successfully emits the authentication and authorization tokens required for users to log into applications connected to the service.
+
+For full details on SLA coverage and instructions on requesting a service credit, see the [SLA for Azure Active Directory (Azure AD)](https://azure.microsoft.com/support/legal/sla/active-directory/v1_1/).
+
+
+## No planned downtime 
+
+You rely on Azure AD to provide identity and access management for your vital systems. To ensure Azure AD is available when business operations require it, Microsoft does not plan downtime for Azure AD system maintenance. Instead, maintenance is performed as the service runs, without customer impact. 
+
+## Recent worldwide SLA performance 
+
+To help you plan for moving workloads to Azure AD, we publish past SLA performance. These numbers show the level at which Azure AD met the requirements in the [SLA for Azure Active Directory (Azure AD)](https://azure.microsoft.com/support/legal/sla/active-directory/v1_1/), for all tenants. 
+
+For each month, we truncate the SLA attainment at three places after the decimal. Numbers are not rounded up, so actual SLA attainment is higher than indicated. 
+
+
+| Month     | 2021    | 2022    |
+| ---       | ---     | ---     |
+| January   |         | 99.999% |
+| February  | 99.999% | 99.999% |
+| March     | 99.568% |         |
+| April     | 99.999% |         |
+| May       | 99.999% |         |
+| June      | 99.999% |         |
+| July      | 99.999% |         |
+| August    | 99.999% |         |
+| September | 99.999% |         |
+| October   | 99.999% |         |
+| November  | 99.998% |         |
+| December  | 99.978% |         |
+
+
+
+### How is Azure AD SLA measured? 
+
+The Azure AD SLA is measured in a way that reflects customer authentication experience, rather than simply reporting on whether the system is available to outside connections. This means that the calculation is based on whether:
+
+- Users can authenticate 
+- Azure AD successfully issues tokens for target apps after authentication
+  
+The numbers above are a global total of Azure AD authentications across all customers and geographies. 
+  
+
+## Incident history 
+
+All incidents that seriously impact Azure AD performance are documented in the [Azure status history](https://status.azure.com/status/history/). Not all events documented in Azure status history are serious enough to cause Azure AD to go below its SLA. You can view information about the impact of incidents, as well as a root cause analysis of what caused the incident and what steps Microsoft took to prevent future incidents. 
+
+ 
+
+
+## Next steps
+
+* [Azure AD reports overview](overview-reports.md)
+* [Programmatic access to Azure AD reports](concept-reporting-api.md)
+* [Azure Active Directory risk detections](../identity-protection/overview-identity-protection.md)

articles/active-directory/reports-monitoring/reference-azure-ad-sla-performance.md

@@ -104,6 +104,8 @@
 - name: Reference
   expanded: true
   items:
+  - name: Azure Active Directory SLA performance
+    href: reference-azure-ad-sla-performance.md
   - name: Basic info in the sign-in logs
     href: reference-basic-info-sign-in-logs.md
   - name: Azure AD PowerShell cmdlets for reporting

articles/active-directory/reports-monitoring/toc.yml

@@ -41,7 +41,7 @@ In this tutorial, you learn how to:
 
 ## Enable managed identity on an app
 
-If you create and publish your web app through Visual Studio, the managed identity was enabled on your app for you. In your app service, select **Identity** in the left pane, and then select **System assigned**. Verify that the **Status** is set to **On**. If not, select **Save** and then select **Yes** to enable the system-assigned managed identity. When the managed identity is enabled, the status is set to **On** and the object ID is available.
+If you create and publish your web app through Visual Studio, the managed identity was enabled on your app for you. In your app service, select **Identity** in the left pane, and then select **System assigned**. Verify that the **Status** is set to **On**. If not, select **On** and then **Save**. Select **Yes** in the confirmation dialog to enable the system-assigned managed identity. When the managed identity is enabled, the status is set to **On** and the object ID is available.
 
 :::image type="content" alt-text="Screenshot that shows the System assigned identity option." source="../../media/scenario-secure-app-access-storage/create-system-assigned-identity.png":::
 
@@ -63,15 +63,15 @@ To create a general-purpose v2 storage account in the Azure portal, follow these
 
 1. On the Azure portal menu, select **All services**. In the list of resources, enter **Storage Accounts**. As you begin typing, the list filters based on your input. Select **Storage Accounts**.
 
-1. In the **Storage Accounts** window that appears, select **Add**.
+1. In the **Storage Accounts** window that appears, select **Create**.
 
 1. Select the subscription in which to create the storage account.
 
 1. Under the **Resource group** field, select the resource group that contains your web app from the drop-down menu.
 
 1. Next, enter a name for your storage account. The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length and can include numbers and lowercase letters only.
 
-1. Select a location for your storage account, or use the default location.
+1. Select a location (region) for your storage account, or use the default value.
 
 1. Leave these fields set to their default values:
 

articles/app-service/includes/tutorial-dotnet-storage-managed-identity/introduction.md

@@ -5,7 +5,7 @@ services: application-gateway
 author: vhorne
 ms.service: application-gateway
 ms.topic: troubleshooting
-ms.date: 06/09/2020
+ms.date: 03/17/2022
 ms.author: victorh 
 ms.custom: devx-track-azurepowershell
 ---
@@ -480,6 +480,19 @@ This behavior can occur for one or more of the following reasons:
 
 1.	To verify that Application Gateway is healthy and running, go to the **Resource Health** option in the portal and verify that the state is **Healthy**. If you see an **Unhealthy** or **Degraded** state, [contact support](https://azure.microsoft.com/support/options/).
 
+1. If Internet and private traffic are going though an Azure Firewall hosted in a secured Virtual hub (using Azure Virtual WAN Hub):
+
+   a. To ensure the application gateway can send traffic directly to the Internet, configure the following user defined route:
+   
+   Address prefix: 0.0.0.0/0<br>
+   Next hop: Internet
+
+   b. To ensure the application gateway can send traffic to the backend pool via an Azure Firewall in the Virtual WAN hub, configure the following user defined route:
+   
+   Address Prefix: Backend pool subnet<br>
+   Next hop: Azure Firewall private IP address
+
+
 ## Next steps
 
 Learn more about [Application Gateway diagnostics and logging](./application-gateway-diagnostics.md).

articles/application-gateway/application-gateway-backend-health-troubleshooting.md

@@ -23,4 +23,5 @@ HTTP/1.1 403 Forbidden
 ```
 
 **Reason:** The access key used to authenticate the request does not provide the required permissions to perform the requested operation.
+
 **Solution:** Obtain an access key that provides permission to perform the requested operation and use it to authenticate the request.

articles/azure-app-configuration/rest-api-authorization-hmac.md

@@ -27,7 +27,7 @@ The following providers and their corresponding Kubernetes distributions have su
 
 | Provider name | Distribution name | Version |
 | ------------ | ----------------- | ------- |
-| RedHat       | [OpenShift Container Platform](https://www.openshift.com/products/container-platform) | [4.5.41+](https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-release-notes.html), [4.6.35+](https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html), [4.7.18+](https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html) |
+| RedHat       | [OpenShift Container Platform](https://www.openshift.com/products/container-platform) | [4.7.18+](https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html), [4.9.17+](https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html), [4.10.0+](https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html) |
 | VMware       | [Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid) | TKGm 1.4.0; upstream K8s v1.21.2+vmware.1 <br>TKGm 1.3.1; upstream K8s v1.20.5_vmware.2 <br>TKGm 1.2.1; upstream K8s v1.19.3+vmware.1 |
 | Canonical    | [Charmed Kubernetes](https://ubuntu.com/kubernetes) | [1.19](https://ubuntu.com/kubernetes/docs/1.19/components) |
 | SUSE Rancher      | [Rancher Kubernetes Engine](https://rancher.com/products/rke/) | RKE CLI version: [v1.2.4](https://github.com/rancher/rke/releases/tag/v1.2.4); Kubernetes versions: [1.19.6](https://github.com/kubernetes/kubernetes/releases/tag/v1.19.6)), [1.18.14](https://github.com/kubernetes/kubernetes/releases/tag/v1.18.14)), [1.17.16](https://github.com/kubernetes/kubernetes/releases/tag/v1.17.16))  |

articles/azure-arc/kubernetes/validation-program.md

@@ -102,6 +102,9 @@ The following table lists the proxy and firewall configuration information requi
 
 For firewall information required for Azure Government, see [Azure Government management](../../azure-government/compare-azure-government-global-azure.md#azure-monitor). 
 
+> [!IMPORTANT]
+> If your firewall is doing CNAME inspections, you need to configure it to allow all domains in the CNAME.
+
 If you plan to use the Azure Automation Hybrid Runbook Worker to connect to and register with the Automation service to use runbooks or management features in your environment, it must have access to the port number and the URLs described in [Configure your network for the Hybrid Runbook Worker](../../automation/automation-hybrid-runbook-worker.md#network-planning).
 
 ### Proxy configuration