Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into stonith

Author: ianwhytez

articles/active-directory-domain-services/faqs.yml

@@ -164,6 +164,11 @@ sections:
           How are Windows Updates applied in Azure AD Domain Services?
         answer: |
           Domain controllers in a managed domain automatically apply required Windows updates. There's nothing for you to configure or administer here. Make sure you don't create network security group rules that block outbound traffic to Windows Updates. For your own VMs joined to the managed domain, you are responsible for configuring and applying any required OS and application updates.
+          
+      - question: |
+          Why do my domain controllers change names?
+        answer: |
+          It is possible that during the maintenance of domain controllers there is a change in their names. To avoid problems with this type of change, it is recommended to not use the names of the domain controllers hardcoded in applications and/or other domain resources, but the FQDN of the domain. This way, no matter what the names of the domain controllers are, you won't need to reconfigure anything after a name change.
 
   - name: Billing and availability
     questions:

articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa-with-federation.md

@@ -113,28 +113,28 @@ Run the following PowerShell cmdlet:
 The command returns your current additional authentication rules for your relying party trust. Append the following rules to your current claim rules:
 
 ```console
-c:[Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == 
-"YourGroupSID"] => issue(Type = "https://schemas.microsoft.com/claims/authnmethodsproviders", 
+c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == 
+"YourGroupSID"] => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", 
 Value = "AzureMfaAuthentication");
-not exists([Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
+not exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
 Value=="YourGroupSid"]) => issue(Type = 
-"https://schemas.microsoft.com/claims/authnmethodsproviders", Value = 
+"http://schemas.microsoft.com/claims/authnmethodsproviders", Value = 
 "AzureMfaServerAuthentication");'
 ```
 
 The following example assumes your current claim rules are configured to prompt for MFA when users connect from outside your network. This example includes the additional rules that you need to append.
 
 ```PowerShell
 Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules 'c:[type == 
-"https://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] => issue(type = 
-"https://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = 
-"https://schemas.microsoft.com/claims/multipleauthn" );
- c:[Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == 
-"YourGroupSID"] => issue(Type = "https://schemas.microsoft.com/claims/authnmethodsproviders", 
+"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] => issue(type = 
+"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = 
+"http://schemas.microsoft.com/claims/multipleauthn" );
+ c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == 
+"YourGroupSID"] => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", 
 Value = "AzureMfaAuthentication");
-not exists([Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
+not exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
 Value=="YourGroupSid"]) => issue(Type = 
-"https://schemas.microsoft.com/claims/authnmethodsproviders", Value = 
+"http://schemas.microsoft.com/claims/authnmethodsproviders", Value = 
 "AzureMfaServerAuthentication");'
 ```
 
@@ -145,15 +145,15 @@ This example modifies claim rules on a specific relying party trust (application
 
 ```PowerShell
 Set-AdfsRelyingPartyTrust -TargetName AppA -AdditionalAuthenticationRules 'c:[type == 
-"https://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] => issue(type = 
-"https://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = 
-"https://schemas.microsoft.com/claims/multipleauthn" );
-c:[Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == 
-"YourGroupSID"] => issue(Type = "https://schemas.microsoft.com/claims/authnmethodsproviders", 
+"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] => issue(type = 
+"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = 
+"http://schemas.microsoft.com/claims/multipleauthn" );
+c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == 
+"YourGroupSID"] => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders", 
 Value = "AzureMfaAuthentication");
-not exists([Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
+not exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", 
 Value=="YourGroupSid"]) => issue(Type = 
-"https://schemas.microsoft.com/claims/authnmethodsproviders", Value = 
+"http://schemas.microsoft.com/claims/authnmethodsproviders", Value = 
 "AzureMfaServerAuthentication");'
 ```
 
@@ -379,12 +379,12 @@ For example, remove the following from the rule(s):
 
 
 ```console
-c:[Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value ==
-"**YourGroupSID**"] => issue(Type = "https://schemas.microsoft.com/claims/authnmethodsproviders",
+c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value ==
+"**YourGroupSID**"] => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsproviders",
 Value = "AzureMfaAuthentication");
-not exists([Type == "https://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
+not exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
 Value=="YourGroupSid"]) => issue(Type =
-"https://schemas.microsoft.com/claims/authnmethodsproviders", Value =
+"http://schemas.microsoft.com/claims/authnmethodsproviders", Value =
 "AzureMfaServerAuthentication");'
 ```
 

articles/active-directory/external-identities/hybrid-cloud-to-on-premises.md

@@ -66,7 +66,7 @@ The following diagram provides a high-level overview of how Azure AD Application
 You can manage the on-premises B2B user objects through lifecycle management policies. For example:
 
 - You can set up multi-factor authentication (MFA) policies for the Guest user so that MFA is used during Application Proxy authentication. For more information, see [Conditional Access for B2B collaboration users](authentication-conditional-access.md).
-- Any sponsorships, access reviews, account verifications, etc. that are performed on the cloud B2B user applies to the on-premises users. For example, if the cloud user is deleted through your lifecycle management policies, the on-premises user is also deleted by MIM Sync or through Azure AD Connect sync. For more information, see [Manage guest access with Azure AD access reviews](../governance/manage-guest-access-with-access-reviews.md).
+- Any sponsorships, access reviews, account verifications, etc. that are performed on the cloud B2B user applies to the on-premises users. For example, if the cloud user is deleted through your lifecycle management policies, the on-premises user is also deleted by MIM Sync or through the Azure AD B2B script. For more information, see [Manage guest access with Azure AD access reviews](../governance/manage-guest-access-with-access-reviews.md).
 
 ### Create B2B guest user objects through an Azure AD B2B script
 

articles/active-directory/governance/entitlement-management-organization.md

@@ -78,20 +78,20 @@ To add an external Azure AD directory or domain as a connected organization, fol
 
     The **Select directories + domains** pane opens.
 
-1. In the search box, enter a domain name to search for the Azure AD directory or domain. Be sure to enter the entire domain name.
+1. In the search box, enter a domain name to search for the Azure AD directory or domain. You can also add domains that are not in Azure AD. Be sure to enter the entire domain name.
 
-1. Confirm that the organization name and authentication type are correct. User sign in, prior to being able to access the myaccess portal, depends on the authentication type for their organization.  If the authentication type for a connected organization is Azure AD, then all users with an account in any verified domain of that Azure AD directory will sign into their directory, and then can request access to access packages that allow that connected organization. If the authentication type is One-time passcode, this allows users with email addresses from just that domain to visit the myaccess portal. Then, after they authenticate with the passcode, the user can make a request.
+1. Confirm that the organization name(s) and authentication type(s) are correct. User sign in, prior to being able to access the MyAccess portal, depends on the authentication type for their organization.  If the authentication type for a connected organization is Azure AD, all users with an account in any verified domain of that Azure AD directory will sign into their directory, and then can request access to access packages that allow that connected organization. If the authentication type is One-time passcode, this allows users with email addresses from just that domain to visit the MyAccess portal. After they authenticate with the passcode, the user can make a request.
 
     ![The "Select directories + domains" pane](./media/entitlement-management-organization/organization-select-directories-domains.png)
 
     > [!NOTE]
     > Access from some domains could be blocked by the Azure AD business to business (B2B) allow or deny list. For more information, see [Allow or block invitations to B2B users from specific organizations](../external-identities/allow-deny-list.md).
 
-1. Select **Add** to add the Azure AD directory or domain. Currently, you can add only one Azure AD directory or domain per connected organization.
+1. Select **Add** to add the Azure AD directory or domain. **You can add multiple Azure AD directories and domains**.
 
-1. After you've added the Azure AD directory or domain, select **Select**.
+1. After you've added the Azure AD directories or domains, select **Select**.
 
-    The organization appears in the list.
+    The organization(s) appears in the list.
 
     ![The "Directory + domain" pane](./media/entitlement-management-organization/organization-directory-domain.png)
 

articles/active-directory/reports-monitoring/reference-azure-ad-sla-performance.md

@@ -60,7 +60,7 @@ For each month, we truncate the SLA attainment at three places after the decimal
 | May       | 99.999% | 99.999% |
 | June      | 99.999% | 99.999% |
 | July      | 99.999% | 99.999% |
-| August    | 99.999% |         |
+| August    | 99.999% | 99.999% |
 | September | 99.999% |         |
 | October   | 99.999% |         |
 | November  | 99.998% |         |

articles/active-directory/verifiable-credentials/verifiable-credentials-configure-tenant.md

@@ -158,7 +158,7 @@ To add the required permissions, follow these steps:
     1. Website ID registration
     1. Domain verification.
 1. Select on each section and download the JSON file under each.
-1. Crete a website that you can use to distribute the files. If you specified **https://contoso.com** as your domain, the URLs for each of the files would look as shown below:
+1. Create a website that you can use to distribute the files. If you specified **https://contoso.com** as your domain, the URLs for each of the files would look as shown below:
     - `https://contoso.com/.well-known/did.json`
     - `https://contoso.com/.well-known/did-configuration.json`
 
@@ -167,4 +167,4 @@ Once that you have successfully completed the verification steps, you are ready
 ## Next steps
 
 - [Learn how to issue Microsoft Entra Verified ID credentials from a web application](verifiable-credentials-configure-issuer.md).
-- [Learn how to verify Microsoft Entra Verified ID credentials](verifiable-credentials-configure-verifier.md).
+- [Learn how to verify Microsoft Entra Verified ID credentials](verifiable-credentials-configure-verifier.md).

articles/aks/TOC.yml

@@ -260,8 +260,6 @@
             - name: Scan images in your CI/CD Workflow
               href: ../defender-for-cloud/defender-for-container-registries-cicd.md
               maintainContext: True
-        - name: Remove vulnerable images with ImageCleaner (preview)
-          href: image-cleaner.md
         - name: Registry security
           items:
             - name: Scanning images in ACR registries
@@ -273,6 +271,8 @@
               href: kubernetes-service-principal.md
             - name: Use managed identities
               href: use-managed-identity.md
+            - name: Remove vulnerable images with ImageCleaner (preview)
+              href: image-cleaner.md
             - name: Limit access to cluster configuration file
               href: control-kubeconfig-access.md
             - name: Define API server authorized IP ranges

articles/aks/image-cleaner.md

@@ -5,7 +5,7 @@ ms.author: nickoman
 author: nickomang
 services: container-service
 ms.topic: article
-ms.date: 08/26/2022
+ms.date: 09/09/2022
 ---
 
 # Use ImageCleaner to clean up stale images on your Azure Kubernetes Service cluster (preview)
@@ -17,7 +17,7 @@ It's common to use pipelines to build and deploy images on Azure Kubernetes Serv
 ## Prerequisites
 
 * An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).
-* [Azure CLI][azure-cli-install] or [Azure PowerShell][azure-powershell-install] and the `aks-preview` CLI extension installed.
+* [Azure CLI][azure-cli-install] or [Azure PowerShell][azure-powershell-install] and the `aks-preview` 0.5.96 or later CLI extension installed.
 * The `EnableImageCleanerPreview` feature flag registered on your subscription:
 
 ### [Azure CLI](#tab/azure-cli)
@@ -164,4 +164,4 @@ The deletion logs are stored in the `image-cleaner-kind-worker` pods. You can ch
 [register-azresourceprovider]: /powershell/module/az.resources/register-azresourceprovider
 
 [arm-vms]: https://azure.microsoft.com/blog/azure-virtual-machines-with-ampere-altra-arm-based-processors-generally-available/
-[trivy]: https://github.com/aquasecurity/trivy
+[trivy]: https://github.com/aquasecurity/trivy

articles/api-management/TOC.yml

@@ -76,6 +76,8 @@
               href: ./security-controls-policy.md
             - name: Security baseline
               href: /security/benchmark/azure/baselines/api-management-security-baseline?toc=/azure/api-management/&bc=/azure/api-management/breadcrumb/toc.json
+            - name: Authentication and authorization
+              href: authentication-authorization-overview.md
       - name: Observability
         href: observability.md
       - name: DevOps and CI/CD