Commit 61abf12

Merge pull request #189086 from MicrosoftDocs/main
Merge Main to Live, 4 AM
2 parents fa034b3 + 73cc7d8 commit 61abf12

472 files changed

+4034
-2342
lines changed


articles/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md

Lines changed: 1 addition & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
1717
---
1818
# Enable passwordless security key sign-in to on-premises resources by using Azure AD
1919

20-
This document discusses how to enable passwordless authentication to on-premises resources for environments with both *Azure Active Directory (Azure AD)-joined* and *hybrid Azure AD-joined* Windows 10 devices. This passwordless authentication functionality provides seamless single sign-on (SSO) to on-premises resources when you use Microsoft-compatible security keys.
20+
This document discusses how to enable passwordless authentication to on-premises resources for environments with both *Azure Active Directory (Azure AD)-joined* and *hybrid Azure AD-joined* Windows 10 devices. This passwordless authentication functionality provides seamless single sign-on (SSO) to on-premises resources when you use Microsoft-compatible security keys, or with [Windows Hello for Business Cloud trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md)
2121

2222
## Use SSO to sign in to on-premises resources by using FIDO2 keys
2323

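Review bot: the added sentence on new line 20 ends without a period after the link, and the link target `/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md` keeps a `.md` extension on an absolute docs path, unlike the other absolute links in this commit (for example `/windows/wsl/install-win10`). Suggest dropping the extension and closing the sentence; the clause also reads more cleanly as "when you use Microsoft-compatible security keys or Windows Hello for Business cloud trust", which avoids the dangling "or with".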
@@ -44,11 +44,6 @@ You must also meet the following system requirements:
4444

4545
- Devices must be running Windows 10 version 2004 or later.
4646

47-
- You must be running [Azure AD Connect version 1.4.32.0 or later](../hybrid/how-to-connect-install-roadmap.md#install-azure-ad-connect).
48-
- For more information about the available Azure AD hybrid authentication options, see the following articles:
49-
- [Choose the right authentication method for your Azure AD hybrid identity solution](../hybrid/choose-ad-authn.md)
50-
- [Select which installation type to use for Azure AD Connect](../hybrid/how-to-connect-install-select-installation.md)
51-
5247
- Your Windows Server domain controllers must have patches installed for the following servers:
5348
- [Windows Server 2016](https://support.microsoft.com/help/4534307/windows-10-update-kb4534307)
5449
- [Windows Server 2019](https://support.microsoft.com/help/4534321/windows-10-update-kb4534321)
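Review bot: the deletion of old lines 47-51 removes the Azure AD Connect version 1.4.32.0 requirement and the two links to the hybrid authentication articles, but nothing added in this hunk or the previous one says whether that requirement no longer applies. The previous hunk adds Windows Hello for Business cloud trust as an alternative, so if the version requirement still holds for the security-key path it should stay, perhaps qualified as applying to FIDO2 keys; if it is obsolete, the commit message should say so. The remaining bullet "Your Windows Server domain controllers must have patches installed for the following servers" is unaffected by the removal.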

articles/active-directory/develop/active-directory-saml-claims-customization.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -121,7 +121,7 @@ You can use the following functions to transform claims.
121121
| Function | Description |
122122
|----------|-------------|
123123
| **ExtractMailPrefix()** | Removes the domain suffix from either the email address or the user principal name. This extracts only the first part of the user name being passed through (for example, "joe_smith" instead of [email protected]). |
124-
| **Join()** | Creates a new value by joining two attributes. Optionally, you can use a separator between the two attributes. |
124+
| **Join()** | Creates a new value by joining two attributes. Optionally, you can use a separator between the two attributes. For NameID claim transformation, the Join() function has specific behaviour when the transformation input has a domain part. It will remove the domain part from input before joining it with the separator and the selected parameter. For example, if the input of the transformation is ‘[email protected]’ and the separator is ‘@’ and the parameter is ‘fabrikam.com’, this will result in [email protected]. |
125125
| **ToLowercase()** | Converts the characters of the selected attribute into lowercase characters. |
126126
| **ToUppercase()** | Converts the characters of the selected attribute into uppercase characters. |
127127
| **Contains()** | Outputs an attribute or constant if the input matches the specified value. Otherwise, you can specify another output if there’s no match.<br/>For example, if you want to emit a claim where the value is the user’s email address if it contains the domain “@contoso.com”, otherwise you want to output the user principal name. To do this, you would configure the following values:<br/>*Parameter 1(input)*: user.email<br/>*Value*: "@contoso.com"<br/>Parameter 2 (output): user.email<br/>Parameter 3 (output if there's no match): user.userprincipalname |
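Review bot: the expanded Join() description on new line 124 uses the British spelling "behaviour" while the rest of the table uses American spelling (for example "lowercase" and "uppercase" in the following rows), and it wraps the example values in curly single quotes where the Contains() row uses straight double quotes ("@contoso.com"). Suggest "behavior", straight quotes, and "from the input" rather than "from input". Since the sentence describes the domain stripping as specific to NameID, consider stating explicitly whether Join() keeps the domain part for other claims, so readers do not expect the stripping elsewhere.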

articles/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ ms.subservice: msi
1212
ms.devlang:
1313
ms.topic: conceptual
1414
ms.custom: mvc
15-
ms.date: 01/11/2022
15+
ms.date: 02/17/2022
1616
ms.author: barclayn
1717
ms.collection: M365-identity-device-management
1818
---
@@ -39,7 +39,7 @@ The following diagram shows how managed service identities work with Azure virtu
3939
|------|----------------------------------|--------------------------------|
4040
| Creation | Created as part of an Azure resource (for example, an Azure virtual machine or Azure App Service). | Created as a stand-alone Azure resource. |
4141
| Life cycle | Shared life cycle with the Azure resource that the managed identity is created with. <br/> When the parent resource is deleted, the managed identity is deleted as well. | Independent life cycle. <br/> Must be explicitly deleted. |
42-
| Sharing across Azure resources | Cannot be shared. <br/> It can only be associated with a single Azure resource. | Can be shared. <br/> The same user-assigned managed identity can be associated with more than one Azure resource. |
42+
| Sharing across Azure resources | Can’t be shared. <br/> It can only be associated with a single Azure resource. | Can be shared. <br/> The same user-assigned managed identity can be associated with more than one Azure resource. |
4343
| Common use cases | Workloads that are contained within a single Azure resource. <br/> Workloads for which you need independent identities. <br/> For example, an application that runs on a single virtual machine | Workloads that run on multiple resources and which can share a single identity. <br/> Workloads that need pre-authorization to a secure resource as part of a provisioning flow. <br/> Workloads where resources are recycled frequently, but permissions should stay consistent. <br/> For example, a workload where multiple virtual machines need to access the same resource |
4444

4545
## System-assigned managed identity
@@ -48,7 +48,7 @@ The following diagram shows how managed service identities work with Azure virtu
4848

4949
2. Azure Resource Manager creates a service principal in Azure AD for the identity of the VM. The service principal is created in the Azure AD tenant that's trusted by the subscription.
5050

51-
3. Azure Resource Manager configures the identity on the VM by updating the Azure Instance Metadata Service identity endpoint with the service principal client ID and certificate.
51+
3. Azure Resource Manager updates the VM identity using the Azure Instance Metadata Service identity endpoint, providing the endpoint with the service principal client ID and certificate.
5252

5353
4. After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use Azure role-based access control (Azure RBAC) to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.
5454

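Review bot: the rewrite of step 3 on new line 51 reverses what is being updated. The old text had Azure Resource Manager configure the identity on the VM by updating the Instance Metadata Service identity endpoint with the client ID and certificate; the new text says it "updates the VM identity using the ... endpoint", which reads as if the endpoint is the tool and the identity is the thing modified. Suggest keeping the original direction, for example "Azure Resource Manager configures the identity on the VM by updating the Azure Instance Metadata Service identity endpoint with the service principal client ID and certificate."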
articles/active-directory/managed-identities-azure-resources/how-to-use-vm-token.md

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -103,6 +103,27 @@ Content-Type: application/json
103103
| `resource` | The resource the access token was requested for, which matches the `resource` query string parameter of the request. |
104104
| `token_type` | The type of token, which is a "Bearer" access token, which means the resource can give access to the bearer of this token. |
105105

106+
## Get a token using the Azure Identity client library
107+
108+
This is the reccomended method and library for using Azure Managed identities. All Azure SDKs are integrated with the Azure.Identity library that provides support for DefaultAzureCredential. This class makes it easy to use Managed Identities with Azure SDKs.[Learn more](https://docs.microsoft.com/dotnet/api/overview/azure/identity-readme)
109+
110+
1. Install the [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) package and other required [Azure SDK library packages](https://aka.ms/azsdk), such as [Azure.Security.KeyVault.Secrets](https://www.nuget.org/packages/Azure.Security.KeyVault.Secrets/).
111+
2. Use the sample code below. Note that you need not worry about getting tokens. You can directly use the Azure SDK clients. The code is for demonstrating how to get the token, if you need to.
112+
113+
```csharp
114+
using Azure.Core;
115+
using Azure.Identity;
116+
117+
string userAssignedClientId = "<your managed identity client Id>";
118+
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = userAssignedClientId });
119+
var accessToken = credential.GetToken(new TokenRequestContext(new[] { "https://vault.azure.net" }));
120+
// To print the token, you can convert it to string
121+
String accessTokenString = accessToken.Token.ToString();
122+
123+
//You can use the credential object directly with Key Vault client.
124+
var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), credential);
125+
```
126+
106127
## Get a token using the Microsoft.Azure.Services.AppAuthentication library for .NET
107128

108129
For .NET applications and functions, the simplest way to work with managed identities for Azure resources is through the Microsoft.Azure.Services.AppAuthentication package. This library will also allow you to test your code locally on your development machine, using your user account from Visual Studio, the [Azure CLI](/cli/azure), or Active Directory Integrated Authentication. For more on local development options with this library, see the [Microsoft.Azure.Services.AppAuthentication reference](/dotnet/api/overview/azure/service-to-service-authentication). This section shows you how to get started with the library in your code.
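Review bot: the new C# sample on lines 113-125 will not compile as shown, because `SecretClient` needs `using Azure.Security.KeyVault.Secrets;` (the package step 1 tells the reader to install) and `Uri` needs `System` unless the project uses implicit usings; neither appears in the block. Two smaller issues in the same block: `accessToken.Token` is already a string, so `String accessTokenString = accessToken.Token.ToString();` can be `string accessTokenString = accessToken.Token;` (and `accessTokenString` is never used), and the scope passed to `TokenRequestContext` is normally written with the `/.default` suffix, i.e. `"https://vault.azure.net/.default"`. The comment "To print the token, you can convert it to string" invites logging a bearer credential; since the paragraph itself says callers should use the SDK clients rather than raw tokens, suggest dropping the printing comment and the unused variable. In the prose on new line 108, "reccomended" should be "recommended", "Managed identities" and "Managed Identities" should match the lower-case "managed identities" used in the next section, a space is missing before "[Learn more]", and that link uses an absolute docs.microsoft.com URL while the neighboring section links with a site-relative path (`/dotnet/api/overview/azure/service-to-service-authentication`).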

articles/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage-sas.md

Lines changed: 25 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
---
22
title: 'Tutorial: Access Azure Storage using a SAS credential - Linux - Azure AD'
3-
description: A tutorial that shows you how to use a Linux VM system-assigned managed identity to access Azure Storage, using a SAS credential instead of a storage account access key.
3+
description: Tutorial showing how to use a Linux VM system-assigned managed identity to access Azure Storage using a SAS credential instead of a storage account access key.
44
services: active-directory
55
documentationcenter: ''
66
author: barclayn
@@ -12,7 +12,7 @@ ms.subservice: msi
1212
ms.topic: tutorial
1313
ms.tgt_pltfrm: na
1414
ms.workload: identity
15-
ms.date: 01/11/2022
15+
ms.date: 02/17/2022
1616
ms.author: barclayn
1717
ms.collection: M365-identity-device-management
1818
---
@@ -27,7 +27,7 @@ This tutorial shows you how to use a system-assigned managed identity for a Linu
2727
> [!NOTE]
2828
> The SAS key generated in this tutorial will not be restricted/bound to the VM.
2929
30-
A Service SAS provides the ability to grant limited access to objects in a storage account, for a limited time and a specific service (in our case, the blob service), without exposing an account access key. You can use a SAS credential as usual when doing storage operations, for example when using the Storage SDK. For this tutorial, we demonstrate uploading and downloading a blob using Azure Storage CLI. You will learn how to:
30+
A Service SAS grants limited access to objects in a storage account without exposing an account access key. Access can be granted for a limited time and a specific service. You can use a SAS credential as usual when doing storage operations, for example when using the Storage SDK. For this tutorial, we demonstrate uploading and downloading a blob using Azure Storage CLI. You'll learn how to:
3131

3232

3333
> [!div class="checklist"]
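Review bot: the rewrite on new line 30 drops "(in our case, the blob service)", so the sentence "Access can be granted for a limited time and a specific service" no longer tells the reader which service this tutorial's SAS is scoped to. Suggest keeping the parenthetical, for example "Access can be granted for a limited time and a specific service (in this tutorial, the blob service)". The note above it, that the SAS is not bound to the VM, is the key security caveat of the tutorial and should stay where it is: anyone holding the token string can use it until it expires, so it has to be handled like any other credential.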
@@ -42,31 +42,31 @@ A Service SAS provides the ability to grant limited access to objects in a stora
4242

4343
## Create a storage account
4444

45-
If you don't already have one, you will now create a storage account. You can also skip this step and grant your VM system-assigned managed identity access to the keys of an existing storage account.
45+
If you don't already have one, you'll now create a storage account. You can also skip this step and grant your VM system-assigned managed identity access to the keys of an existing storage account.
4646

47-
1. Click the **+/Create new service** button found on the upper left-hand corner of the Azure portal.
48-
2. Click **Storage**, then **Storage Account**, and a new "Create storage account" panel will display.
49-
3. Enter a **Name** for the storage account, which you will use later.
47+
1. Select the **+/Create new service** button found on the upper left-hand corner of the Azure portal.
48+
2. Select **Storage**, then **Storage Account**, and a new "Create storage account" panel will display.
49+
3. Enter a **Name** for the storage account, which you'll use later.
5050
4. **Deployment model** and **Account kind** should be set to "Resource Manager" and "General purpose", respectively.
5151
5. Ensure the **Subscription** and **Resource Group** match the ones you specified when you created your VM in the previous step.
52-
6. Click **Create**.
52+
6. Select **Create**.
5353

5454
![Create new storage account](./media/msi-tutorial-linux-vm-access-storage/msi-storage-create.png)
5555

5656
## Create a blob container in the storage account
5757

58-
Later we will upload and download a file to the new storage account. Because files require blob storage, we need to create a blob container in which to store the file.
58+
Later we'll upload and download a file to the new storage account. Because files require blob storage, we need to create a blob container in which to store the file.
5959

6060
1. Navigate back to your newly created storage account.
61-
2. Click the **Containers** link in the left panel, under "Blob service."
62-
3. Click **+ Container** on the top of the page, and a "New container" panel slides out.
63-
4. Give the container a name, select an access level, then click **OK**. The name you specified will be used later in the tutorial.
61+
2. Select the **Containers** link in the left panel, under "Blob service."
62+
3. Select **+ Container** on the top of the page, and a "New container" panel slides out.
63+
4. Give the container a name, select an access level, then select **OK**. The name you specified will be used later in the tutorial.
6464

6565
![Create storage container](./media/msi-tutorial-linux-vm-access-storage/create-blob-container.png)
6666

6767
## Grant your VM's system-assigned managed identity access to use a storage SAS
6868

69-
Azure Storage natively supports Azure AD authentication, so you can use your VM's system-assigned managed identity to retrieve a storage SAS from Resource Manager, then use the SAS to access storage. In this step, you grant your VM's system-assigned managed identity access to your storage account SAS. Grant access by assigning the [Storage Account Contributor](../../role-based-access-control/built-in-roles.md#storage-account-contributor) role to the managed-identity at the scope of the resource group that contains your storage account.
69+
Azure Storage natively supports Azure AD authentication, so you can use your VM's system-assigned managed identity to retrieve a storage SAS from Resource Manager, then use the SAS to access storage. In this step, you grant your VM's system-assigned managed identity access to your storage account SAS. Assign the [Storage Account Contributor](../../role-based-access-control/built-in-roles.md#storage-account-contributor) role to the managed-identity at the scope of the resource group that contains your storage account.
7070

7171
For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
7272

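Review bot: "managed-identity" on new line 69 is hyphenated while the same hunk writes "managed identity" everywhere else (new line 45 and the start of line 69 itself); suggest "managed identity". On the same line, the role assignment is "at the scope of the resource group that contains your storage account", which grants Storage Account Contributor on every storage account in that group through RBAC inheritance; for a tutorial that only needs one account, assigning the role at the storage account scope is the least-privilege choice and is worth stating, or at least the text should say why resource group scope is used.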
@@ -76,13 +76,18 @@ For detailed steps, see [Assign Azure roles using the Azure portal](../../role-b
7676

7777
## Get an access token using the VM's identity and use it to call Azure Resource Manager
7878

79-
For the remainder of the tutorial, we will work from the VM we created earlier.
79+
For the remainder of the tutorial, we'll work from the VM we created earlier.
8080

81-
To complete these steps, you will need an SSH client. If you are using Windows, you can use the SSH client in the [Windows Subsystem for Linux](/windows/wsl/install-win10). If you need assistance configuring your SSH client's keys, see [How to Use SSH keys with Windows on Azure](../../virtual-machines/linux/ssh-from-windows.md), or [How to create and use an SSH public and private key pair for Linux VMs in Azure](../../virtual-machines/linux/mac-create-ssh-keys.md).
81+
You need an SSH client to complete these steps. If you're using Windows, you can use the SSH client in the [Windows Subsystem for Linux](/windows/wsl/install-win10). If you need assistance configuring your SSH client's keys, see:
8282

83-
1. In the Azure portal, navigate to **Virtual Machines**, go to your Linux virtual machine, then from the **Overview** page click **Connect** at the top. Copy the string to connect to your VM.
83+
- [How to Use SSH keys with Windows on Azure](../../virtual-machines/linux/ssh-from-windows.md)
84+
- [How to create and use an SSH public and private key pair for Linux VMs in Azure](../../virtual-machines/linux/mac-create-ssh-keys.md).
85+
86+
Now that you have your SSH client continue to the steps below:
87+
88+
1. In the Azure portal, navigate to **Virtual Machines**, go to your Linux virtual machine, then from the **Overview** page select **Connect** at the top. Copy the string to connect to your VM.
8489
2. Connect to your VM using your SSH client.
85-
3. Next, you will be prompted to enter in your **Password** you added when creating the **Linux VM**. You should then be successfully signed in.
90+
3. Next, you'll be prompted to enter in your **Password** you added when creating the **Linux VM**. You should then be successfully signed in.
8691
4. Use CURL to get an access token for Azure Resource Manager.
8792

8893
The CURL request and response for the access token is below:
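Review bot: the new SSH bullets on lines 83-84 are punctuated inconsistently (the second ends with a period after the link, the first does not), and "Now that you have your SSH client continue to the steps below:" on line 86 needs a comma after "client". Step 3 on new line 90 still says "enter in your **Password**"; "enter your **Password**" reads better, and since the paragraph above points readers to configuring SSH keys, it would help to say that the password prompt applies only when the VM was created with password authentication.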
@@ -109,7 +114,7 @@ To complete these steps, you will need an SSH client. If you are using Windows,
109114

110115
Now use CURL to call Resource Manager using the access token we retrieved in the previous section, to create a storage SAS credential. Once we have the SAS credential, we can call storage upload/download operations.
111116

112-
For this request we'll use the follow HTTP request parameters to create the SAS credential:
117+
For this request, we'll use the following HTTP request parameters to create the SAS credential:
113118
114119
```JSON
115120
{
@@ -138,13 +143,13 @@ The CURL response returns the SAS credential:
138143
{"serviceSasToken":"sv=2015-04-05&sr=c&spr=https&st=2017-09-22T00%3A10%3A00Z&se=2017-09-22T02%3A00%3A00Z&sp=rcw&sig=QcVwljccgWcNMbe9roAJbD8J5oEkYoq%2F0cUPlgriBn0%3D"}
139144
```
140145
141-
Create a sample blob file to upload to your blob storage container. On a Linux VM, you can do this with the following command.
146+
On a Linux VM, create a sample blob file to upload to your blob storage container using the following command:
142147
143148
```bash
144149
echo "This is a test file." > test.txt
145150
```
146151
147-
Next, authenticate with the CLI `az storage` command using the SAS credential, and upload the file to the blob container. For this step, you will need to [install the latest Azure CLI](/cli/azure/install-azure-cli) on your VM, if you haven't already.
152+
Next, authenticate with the CLI `az storage` command using the SAS credential, and upload the file to the blob container. For this step, you'll need to [install the latest Azure CLI](/cli/azure/install-azure-cli) on your VM, if you haven't already.
148153
149154
```azurecli
150155
az storage blob upload --container-name

articles/aks/TOC.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -202,7 +202,7 @@
202202
items:
203203
- name: Node pool snapshot
204204
href: node-pool-snapshot.md
205-
- name: Use Dedicated Hosts with AKS
205+
- name: Use Dedicated Hosts with AKS (preview)
206206
href: use-azure-dedicated-hosts.md
207207
- name: Use multiple node pools
208208
href: use-multiple-node-pools.md
