MicrosoftDocs
diff --git a/‎.openpublishing.redirection.azure-monitor.json
Lines changed: 1 addition & 6 deletions b/‎.openpublishing.redirection.azure-monitor.json
Lines changed: 1 addition & 6 deletions
diff --git a/‎.openpublishing.redirection.json
Lines changed: 22461 additions & 22450 deletions b/‎.openpublishing.redirection.json
Lines changed: 22461 additions & 22450 deletions
diff --git a/‎articles/active-directory/fundamentals/whats-new-sovereign-clouds.md
Lines changed: 85 additions & 0 deletions b/‎articles/active-directory/fundamentals/whats-new-sovereign-clouds.md
Lines changed: 85 additions & 0 deletions
diff --git a/‎articles/active-directory/governance/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/active-directory/governance/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/active-directory/manage-apps/plan-sso-deployment.md
Lines changed: 7 additions & 7 deletions b/‎articles/active-directory/manage-apps/plan-sso-deployment.md
Lines changed: 7 additions & 7 deletions
diff --git a/‎articles/active-directory/workload-identities/workload-identities-faqs.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/workload-identities/workload-identities-faqs.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/aks/nat-gateway.md
Lines changed: 8 additions & 8 deletions b/‎articles/aks/nat-gateway.md
Lines changed: 8 additions & 8 deletions
diff --git a/‎articles/aks/trusted-access-feature.md
Lines changed: 7 additions & 4 deletions b/‎articles/aks/trusted-access-feature.md
Lines changed: 7 additions & 4 deletions
@@ -1,11 +1,6 @@
 {
     "redirections": [
-       {
-            "source_path_from_root": "/articles/azure-monitor/snapshot-debugger/snapshot-debugger-troubleshoot.md",
-            "redirect_url": "https://learn.microsoft.com/troubleshoot/azure/azure-monitor/app-insights/snapshot-debugger-troubleshoot",
-            "redirect_document_id": false
-        },
-        {
+         {
             "source_path_from_root": "/articles/azure-monitor/best-practices.md",
             "redirect_url": "/azure/azure-monitor/getting-started",
             "redirect_document_id": false
 
@@ -21,6 +21,91 @@ Azure AD receives improvements on an ongoing basis. To stay up to date with the
 
 This page is updated monthly, so revisit it regularly.
 
+## February 2023
+
+### General Availability - Filter and transform group names in token claims configuration using regular expression
+
+**Type:** New feature  
+**Service category:** Enterprise Apps             
+**Product capability:** SSO          
+
+Filter and transform group names in token claims configuration using regular expression. Many application configurations on ADFS and other IdPs rely on the ability to create authorization claims based on the content of Group Names using regular expression functions in the claim rules.  Azure AD now has the capability to use a regular expression match and replace function to create claim content based on Group **onpremisesSAMAccount** names. This functionality will allow those applications to be moved to Azure AD for authentication using the same group management patterns. For more information, see: [Configure group claims for applications by using Azure Active Directory](../hybrid/how-to-connect-fed-group-claims.md).
+
+---
+
+### General Availability - Filter groups in tokens using a substring match
+
+**Type:** New feature  
+**Service category:** Enterprise Apps             
+**Product capability:** SSO          
+
+Azure AD now has the capability to filter the groups included in the token using substring match on the display name or **onPremisesSAMAccountName** attributes of the group object.  Only Groups the user is a member of will be included in the token.This was a blocker for some of our customers to migrate their apps from ADFS to Azure AD. This feature will unblock those challenges. 
+
+For more information, see: 
+- [Group Filter](../develop/reference-claims-mapping-policy-type.md#group-filter).
+- [Configure group claims for applications by using Azure Active Directory](../hybrid/how-to-connect-fed-group-claims.md).
+
+
+
+---
+
+### General Availability - New SSO claims transformation features
+
+**Type:** New feature  
+**Service category:** Enterprise Apps             
+**Product capability:** SSO        
+
+Azure AD now supports claims transformations on multi-valued attributes and can emit multi-valued claims. More functions to allow match and string operations on claims processing to enable apps to be migrated from other IdPs to Azure AD. This includes:  Match on Empty(), NotEmpty(), Prefix(), Suffix(), and extract substring operators. For more information, see: [Claims mapping policy type](../develop/reference-claims-mapping-policy-type.md).
+
+---
+
+### General Availability - New Detection for Service Principal Behavior Anomalies
+
+**Type:** New feature  
+**Service category:** Access Reviews            
+**Product capability:** Identity Security & Protection       
+
+Post-authentication anomalous activity detection for workload identities. This detection focuses specifically on detection of post authenticated anomalous behavior performed by a workload identity (service principal). Post-authentication behavior will be assessed for anomalies based on an action and/or sequence of actions occurring for the account. Based on the scoring of anomalies identified, the offline detection may score the account as low, medium, or high risk. The risk allocation from the offline detection will be available within the Risky workload identities reporting blade. A new detection type identified as Anomalous service principal activity will appear in filter options. For more information, see: [Securing workload identities](../identity-protection/concept-workload-identity-risk.md).
+
+---
+
+### General Availability - Microsoft cloud settings for Azure AD B2B
+
+**Type:** New feature  
+**Service category:** B2B              
+**Product capability:** B2B/B2C       
+
+Microsoft cloud settings let you collaborate with organizations from different Microsoft Azure clouds. With Microsoft cloud settings, you can establish mutual B2B collaboration between the following clouds:
+
+- Microsoft Azure commercial and Microsoft Azure Government
+- Microsoft Azure commercial and Microsoft Azure China 21Vianet
+
+For more information about Microsoft cloud settings for B2B collaboration., see: [Microsoft cloud settings](../external-identities/cross-tenant-access-overview.md#microsoft-cloud-settings).
+
+---
+
+### Public Preview - Support for Directory Extensions using Azure AD cloud sync
+
+**Type:** New feature   
+**Service category:** Provisioning               
+**Product capability:** Azure AD Connect Cloud Sync         
+
+Hybrid IT Admins now can sync both Active Directory and Azure AD Directory Extensions using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure AD, allowing customers to map the needed attributes using Cloud Sync's attribute mapping experience. 
+
+For more information on how to enable this feature, see: [Cloud Sync directory extensions and custom attribute mapping](../cloud-sync/custom-attribute-mapping.md)
+
+
+---
+
+### General Availability - On-premises application provisioning
+
+**Type:** Changed feature   
+**Service category:** Provisioning            
+**Product capability:** Outbound to On-premises Applications        
+
+Azure AD supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. If your application supports [SCIM](https://techcommunity.microsoft.com/t5/identity-standards-blog/provisioning-with-scim-getting-started/ba-p/880010), or you've built a SCIM gateway to connect to your legacy application, you can use the Azure AD Provisioning agent to [directly connect](../app-provisioning/on-premises-scim-provisioning.md) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](../app-provisioning/on-premises-ldap-connector-configure.md) user store, or a [SQL](../app-provisioning/tutorial-ecma-sql-connector.md) database, Azure AD can support those as well.
+
+---
 
 ## January 2023
 
 
@@ -234,6 +234,8 @@
           href: manage-workflow-tasks.md
         - name: Run a workflow on-demand
           href: on-demand-workflow.md
+        - name: Customize emails
+          href: customize-workflow-email.md
         - name: Check the status of a workflow
           href: check-status-workflow.md
         - name: Check execution user scope
 
@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 12/07/2022
+ms.date: 03/20/2023
 ms.author: jomondi
 ms.reviewer: alamaral
 ms.collection: M365-identity-device-management
@@ -21,10 +21,10 @@ ms.custom: has-adal-ref
 This article provides information that you can use to plan your [single sign-on (SSO)](what-is-single-sign-on.md) deployment in Azure Active Directory (Azure AD). When you plan your SSO deployment with your applications in Azure AD, you need to consider the following questions:
 
 - What are the administrative roles required for managing the application?
-- Does the certificate need to be renewed?
+- Does the Security Assertion Markup Language (SAML) application certificate need to be renewed?
 - Who needs to be notified of changes related to the implementation of SSO?
 - What licenses are needed to ensure effective management of the application?
-- Are shared user accounts used to access the application?
+- Are shared and guest user accounts used to access the application?
 - Do I understand the options for SSO deployment?
 
 ## Administrative Roles
@@ -33,17 +33,17 @@ Always use the role with the fewest permissions available to accomplish the requ
 
 | Persona | Roles | Azure AD role (if necessary) |
 | ------- | ----- | --------------------------- |
-| Help desk admin | Tier 1 support | None |
-| Identity admin | Configure and debug when issues involve Azure AD | Global Administrator |
+| Help desk admin | Tier 1 support view the sign-in logs to resolve issues.  | None |
+| Identity admin | Configure and debug when issues involve Azure AD | Cloud Application Administrator |
 | Application admin | User attestation in application, configuration on users with permissions | None |
-| Infrastructure admins | Certificate rollover owner | Global Administrator |
+| Infrastructure admins | Certificate rollover owner | Cloud Application Administrator |
 | Business owner/stakeholder | User attestation in application, configuration on users with permissions | None |
 
 To learn more about Azure AD administrative roles, see [Azure AD built-in roles](../users-groups-roles/directory-assign-admin-roles.md).
 
 ## Certificates
 
-When you enable federated SSO for your application, Azure AD creates a certificate that is by default valid for three years. You can customize the expiration date for that certificate if needed. Ensure that you have processes in place to renew certificates prior to their expiration. 
+When you enable federation on SAML application, Azure AD creates a certificate that is by default valid for three years. You can customize the expiration date for that certificate if needed. Ensure that you have processes in place to renew certificates prior to their expiration. 
 
 You change that certificate duration in the Azure portal. Make sure to document the expiration and know how you'll manage your certificate renewal. It’s important to identify the right roles and email distribution lists involved with managing the lifecycle of the signing certificate. The following roles are recommended:
 
 
@@ -116,7 +116,7 @@ intended to expand.
 
 ## Do these licenses require individual workload identities assignment? 
 
-No, license assignment isn't required. One license in the tenant unlocks features for workload identities. 
+No, license assignment isn't required. 
 
 ## Can I get a free trial of Workload Identities Premium? 
 
@@ -130,4 +130,4 @@ Yes, it's available.
 
 ## Is it possible to have a mix of Azure AD Premium P1, Azure AD Premium P2 and Workload Identities Premium licenses in one tenant?
 
-Yes, customers can have a mixture of license plans in one tenant.
+Yes, customers can have a mixture of license plans in one tenant.
@@ -1,7 +1,7 @@
 ---
-title: Managed NAT Gateway
+title: Create a managed or user-assigned NAT gateway
 titleSuffix: Azure Kubernetes Service
-description: Learn how to create an AKS cluster with managed NAT integration
+description: Learn how to create an AKS cluster with managed NAT integration and user-assigned NAT gateway.
 author: asudbring
 ms.subservice: aks-networking
 ms.custom: devx-track-azurecli
@@ -10,21 +10,21 @@ ms.date: 10/26/2021
 ms.author: allensu
 ---
 
-# Managed NAT Gateway
+# Create a managed or user-assigned NAT gateway
 
 While you can route egress traffic through an Azure Load Balancer, there are limitations on the amount of outbound flows of traffic you can have. Azure NAT Gateway allows up to 64,512 outbound UDP and TCP traffic flows per IP address with a maximum of 16 IP addresses.
 
-This article shows you how to create an AKS cluster with a Managed NAT Gateway for egress traffic and how to disable OutboundNAT on Windows.
+This article shows you how to create an AKS cluster with a managed NAT gateway and a user-assigned NAT gateway for egress traffic and how to disable OutboundNAT on Windows.
 
 ## Before you begin
 
 * Make sure you're using the latest version of [Azure CLI][az-cli].
 * Make sure you're using Kubernetes version 1.20.x or above.
 * Managed NAT Gateway is incompatible with custom virtual networks.
 
-## Create an AKS cluster with a Managed NAT Gateway
+## Create an AKS cluster with a managed NAT gateway
 
-To create an AKS cluster with a new Managed NAT Gateway, use `--outbound-type managedNATGateway`, `--nat-gateway-managed-outbound-ip-count`, and `--nat-gateway-idle-timeout` when running `az aks create`. If you want the NAT gateway to be able to operate out of availability zones, specify the zones using `--zones`.
+To create an AKS cluster with a new managed NAT Gateway, use `--outbound-type managedNATGateway`, `--nat-gateway-managed-outbound-ip-count`, and `--nat-gateway-idle-timeout` when running `az aks create`. If you want the NAT gateway to be able to operate out of availability zones, specify the zones using `--zones`.
 
 The following example creates a *myResourceGroup* resource group, then creates a *natCluster* AKS cluster in *myResourceGroup* with a Managed NAT Gateway, two outbound IPs, and an idle timeout of 30 seconds.
 
@@ -56,9 +56,9 @@ az aks update \
     --nat-gateway-managed-outbound-ip-count 5
 ```
 
-## Create an AKS cluster with a user-assigned NAT Gateway
+## Create an AKS cluster with a user-assigned NAT gateway
 
-To create an AKS cluster with a user-assigned NAT Gateway, use `--outbound-type userAssignedNATGateway` when running `az aks create`. This configuration requires bring-your-own networking (via [Kubenet][byo-vnet-kubenet] or [Azure CNI][byo-vnet-azure-cni]) and that the NAT Gateway is preconfigured on the subnet. The following commands create the required resources for this scenario. Make sure to run them all in the same session so that the values stored to variables are still available for the `az aks create` command.
+To create an AKS cluster with a user-assigned NAT gateway, use `--outbound-type userAssignedNATGateway` when running `az aks create`. This configuration requires bring-your-own networking (via [Kubenet][byo-vnet-kubenet] or [Azure CNI][byo-vnet-azure-cni]) and that the NAT Gateway is preconfigured on the subnet. The following commands create the required resources for this scenario. Make sure to run them all in the same session so that the values stored to variables are still available for the `az aks create` command.
 
 1. Create the resource group.
 
 
@@ -3,7 +3,7 @@ title: Enable Azure resources to access Azure Kubernetes Service (AKS) clusters
 description: Learn how to use the Trusted Access feature to enable Azure resources to access Azure Kubernetes Service (AKS) clusters.
 author: schaffererin
 ms.topic: article
-ms.date: 03/03/2023
+ms.date: 03/20/2023
 ms.author: schaffererin
 ---
 
@@ -33,9 +33,11 @@ Trusted Access enables you to give explicit consent to your system-assigned MSI
 
 * An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
 * Resource types that support [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md).
-* Pre-defined Roles with appropriate [AKS permissions](concepts-identity.md).
-  * To learn about what Roles to use in various scenarios, see [AzureML access to AKS clusters with special configurations](https://github.com/Azure/AML-Kubernetes/blob/master/docs/azureml-aks-ta-support.md).
-* If you're using Azure CLI, the **aks-preview** extension version **0.5.74 or later** is required.
+* * If you're using Azure CLI, the **aks-preview** extension version **0.5.74 or later** is required.
+* To learn about what Roles to use in various scenarios, see:
+  *  [AzureML access to AKS clusters with special configurations](https://github.com/Azure/AML-Kubernetes/blob/master/docs/azureml-aks-ta-support.md).
+  *  [AKS backup using Azure Backup][aks-azure-backup]
+
 
 First, install the aks-preview extension by running the following command:
 
@@ -160,3 +162,4 @@ For more information on AKS, see:
 [az-feature-register]: /cli/azure/feature#az-feature-register
 [az-feature-show]: /cli/azure/feature#az-feature-show
 [az-provider-register]: /cli/azure/provider#az-provider-register
+[aks-azure-backup]: ../backup/azure-kubernetes-service-backup-overview.md