Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into msid-content-health-auth-ado-1976187

OwenRichards1 · OwenRichards1 · commit 63a5a241fd80 · 2022-08-30T15:17:18.000+01:00
diff --git a/articles/app-service/security-controls-policy.md b/articles/app-service/security-controls-policy.md
@@ -1,7 +1,7 @@
 ---
 title: Azure Policy Regulatory Compliance controls for Azure App Service
 description: Lists Azure Policy Regulatory Compliance controls available for Azure App Service. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources.
-ms.date: 08/17/2022
+ms.date: 08/29/2022
 ms.topic: sample
 ms.service: app-service
 ms.custom: subject-policy-compliancecontrols
@@ -21,6 +21,19 @@ compliant with the specific standard.
 
 ## Release notes
 
+### August 2022
+- **App Service apps should only be accessible over HTTPS**
+  - Update scope of policy to remove slots
+    - Creation of "App Service app slots should only be accessible over HTTPS" to monitor slots
+  - Add "Deny" effect
+  - Creation of "Configure App Service apps to only be accessible over HTTPS" for enforcement of policy
+- **App Service app slots should only be accessible over HTTPS**
+  - New policy created
+- **Configure App Service apps to only be accessible over HTTPS**
+  - New policy created
+- **Configure App Service app slots to only be accessible over HTTPS**
+  - New policy created
+
 ### July 2022
 
 - Deprecation of the following policies:
diff --git a/articles/cosmos-db/sql/how-to-use-stored-procedures-triggers-udfs.md b/articles/cosmos-db/sql/how-to-use-stored-procedures-triggers-udfs.md
@@ -358,9 +358,9 @@ const container = client.database("myDatabase").container("myContainer");
 const triggerId = "trgPreValidateToDoItemTimestamp";
 await container.items.create({
     category: "Personal",
-    name : "Groceries",
-    description : "Pick up strawberries",
-    isComplete : false
+    name: "Groceries",
+    description: "Pick up strawberries",
+    isComplete: false
 }, {preTriggerInclude: [triggerId]});
 ```
 
diff --git a/articles/defender-for-cloud/defender-for-servers-introduction.md b/articles/defender-for-cloud/defender-for-servers-introduction.md
@@ -27,7 +27,7 @@ Defender for Servers provides two plans you can choose from:
     - **Licensing**: Charges Defender for Endpoint licenses per hour instead of per seat, lowering costs by protecting virtual machines only when they are in use.
 - **Plan 2**
     - **Plan 1**: Includes everything in Defender for Servers Plan 1.
-    - **Additional features**: All other enhanced Defender for Servers security capabilities for Windows and Linux machines running in Azure, AWS, GCP, and on-premises.
+    - **Additional features**: All other enhanced Defender for Servers security features.
 
 ## Plan features
 
diff --git a/articles/defender-for-cloud/integration-defender-for-endpoint.md b/articles/defender-for-cloud/integration-defender-for-endpoint.md
@@ -231,7 +231,7 @@ You can also enable the MDE unified solution at scale through the supplied REST
 
 This is an example request body for the PUT request to enable the MDE unified solution:
 
-URI: `https://management.microsoft.com/subscriptions/<subscriptionId>/providers/Microsoft.Security/settings&api-version=2022-05-01-preview`
+URI: `https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.Security/settings&api-version=2022-05-01-preview`
 
 ```json
 {
diff --git a/articles/defender-for-cloud/multi-factor-authentication-enforcement.md b/articles/defender-for-cloud/multi-factor-authentication-enforcement.md
@@ -61,7 +61,7 @@ To see which accounts don't have MFA enabled, use the following Azure Resource G
     ```kusto
     securityresources
      | where type == "microsoft.security/assessments"
-     | where properties.displayName == "MFA should be enabled on accounts with owner permissions on your subscription"
+     | where properties.displayName == "MFA should be enabled on accounts with owner permissions on subscriptions"
      | where properties.status.code == "Unhealthy"
     ```
 
diff --git a/articles/firewall/protect-azure-virtual-desktop.md b/articles/firewall/protect-azure-virtual-desktop.md
@@ -15,63 +15,84 @@ Azure Virtual Desktop is a desktop and app virtualization service that runs on A
 
 [ ![Azure Virtual Desktop architecture](media/protect-windows-virtual-desktop/windows-virtual-desktop-architecture-diagram.png) ](media/protect-windows-virtual-desktop/windows-virtual-desktop-architecture-diagram.png#lightbox)
 
-Follow the guidelines in this article to provide additional protection for your Azure Virtual Desktop host pool using Azure Firewall.
+Follow the guidelines in this article to provide extra protection for your Azure Virtual Desktop host pool using Azure Firewall.
 
 ## Prerequisites
 
  - A deployed Azure Virtual Desktop environment and host pool.
- - An Azure Firewall deployed with at least one Firewall Manager Policy
+ - An Azure Firewall deployed with at least one Firewall Manager Policy.
+ - DNS and DNS Proxy enabled in the Firewall Policy to use [FQDN in Network Rules](../firewall/fqdn-filtering-network-rules.md).
 
-   For more information, see [Tutorial: Create a host pool by using the Azure portal](../virtual-desktop/create-host-pools-azure-marketplace.md)
+For more information, see [Tutorial: Create a host pool by using the Azure portal](../virtual-desktop/create-host-pools-azure-marketplace.md)
 
 To learn more about Azure Virtual Desktop environments see [Azure Virtual Desktop environment](../virtual-desktop/environment-setup.md).
 
 ## Host pool outbound access to Azure Virtual Desktop
 
 The Azure virtual machines you create for Azure Virtual Desktop must have access to several Fully Qualified Domain Names (FQDNs) to function properly. Azure Firewall provides an Azure Virtual Desktop FQDN Tag to simplify this configuration. Use the following steps to allow outbound Azure Virtual Desktop platform traffic:
 
-You will need to create an Azure Firewall Policy and create Rule Collections for Network Rules and Applications Rules. Give the Rule Collection a priority and an allow or deny action.
+You'll need to create an Azure Firewall Policy and create Rule Collections for Network Rules and Applications Rules. Give the Rule Collection a priority and an allow or deny action.
+In order to identify a specific AVD Host Pool as "Source" in the tables below, [IP Group](../firewall/ip-groups.md) can be created to represent it. 
 
 ### Create network rules
 
-| Name      | Source type | Source                    | Protocol | Destination ports | Destination type | Destination                       |
-| --------- | ----------- | ------------------------- | -------- | ----------------- | ---------------- | --------------------------------- |
-| Rule Name | IP Address  | VNet or Subnet IP Address | TCP      | 80                | IP Address       | 169.254.169.254, 168.63.129.16    |
-| Rule Name | IP Address  | VNet or Subnet IP Address | TCP      | 443               | Service Tag      | AzureCloud, WindowsVirtualDesktop, AzureFrontDoor.Frontend |
-| Rule Name | IP Address  | VNet or Subnet IP Address | TCP, UDP | 53                | IP Address       | *                                 |
-|Rule name  | IP Address  | VNet or Subnet IP Address | TCP      | 1688              | IP address       | 20.118.99.224, 40.83.235.53 (azkms.core.windows.net)|
-|Rule name  | IP Address  | VNet or Subnet IP Address | TCP      | 1688              | IP address       | 23.102.135.246 (kms.core.windows.net)|
+Based on the Azure Virtual Desktop (AVD) [reference article](../virtual-desktop/safe-url-list.md), these are the ***mandatory*** rules to allow outbound access to the control plane and core dependent services: 
+
+| Name      | Source type          | Source                                | Protocol | Destination ports | Destination type | Destination                       |
+| --------- | -------------------- | ------------------------------------- | -------- | ----------------- | ---------------- | --------------------------------- |
+| Rule Name | IP Address or Group  | IP Group or VNet or Subnet IP Address | TCP      | 80                | IP Address       | 169.254.169.254, 168.63.129.16    |
+| Rule Name | IP Address or Group  | IP Group or VNet or Subnet IP Address | TCP      | 443               | Service Tag      | WindowsVirtualDesktop, AzureFrontDoor.Frontend, AzureMonitor |
+| Rule Name | IP Address or Group  | IP Group or VNet or Subnet IP Address | TCP, UDP | 53                | IP Address       | *                                 |
+| Rule name | IP Address or Group  | IP Group or VNet or Subnet IP Address | TCP      | 1688              | IP address       | 20.118.99.224, 40.83.235.53 (azkms.core.windows.net) |
+| Rule name | IP Address or Group  | IP Group or VNet or Subnet IP Address | TCP      | 1688              | IP address       | 23.102.135.246 (kms.core.windows.net) |
+| Rule name | IP Address or Group  | IP Group or VNet or Subnet IP Address | TCP      | 443               | FQDN             | mrsglobalsteus2prod.blob.core.windows.net |
+| Rule name | IP Address or Group  | IP Group or VNet or Subnet IP Address | TCP      | 443               | FQDN             | wvdportalstorageblob.blob.core.windows.net |
+| Rule name | IP Address or Group  | IP Group or VNet or Subnet IP Address | TCP      | 80                | FQDN             | oneocsp.microsoft.com |
+| Rule name | IP Address or Group  | IP Group or VNet or Subnet IP Address | TCP      | 80                | FQDN             | www.microsoft.com |
 
 > [!NOTE]
 > Some deployments might not need DNS rules. For example, Azure Active Directory Domain controllers forward DNS queries to Azure DNS at 168.63.129.16.
 
+Azure Virtual Desktop (AVD) official documentation reports the following Network rules as **optional** depending on the usage and scenario: 
+
+| Name      | Source type          | Source                                | Protocol | Destination ports | Destination type | Destination                       |
+| ----------| -------------------- | ------------------------------------- | -------- | ----------------- | ---------------- | --------------------------------- |
+| Rule Name | IP Address or Group  | IP Group or VNet or Subnet IP Address | UDP      | 123               | FQDN             | time.windows.com |
+| Rule Name | IP Address or Group  | IP Group or VNet or Subnet IP Address | TCP      | 443               | FQDN             | login.microsoftonline.com |
+| Rule Name | IP Address or Group  | IP Group or VNet or Subnet IP Address | TCP      | 443               | FQDN             | login.windows.net |
+| Rule Name | IP Address or Group  | IP Group or VNet or Subnet IP Address | TCP      | 443               | FQDN             | www.msftconnecttest.com |
+
+
 ### Create application rules
 
-| Name      | Source type | Source                    | Protocol   | Destination type | Destination                                                                                 |
-| --------- | ----------- | ------------------------- | ---------- | ---------------- | ------------------------------------------------------------------------------------------- |
-| Rule Name | IP Address  | VNet or Subnet IP Address | Https:443  | FQDN Tag         | WindowsVirtualDesktop, WindowsUpdate, Windows Diagnostics, MicrosoftActiveProtectionService |
+Azure Virtual Desktop (AVD) official documentation reports the following Application rules as **optional** depending on the usage and scenario: 
+
+| Name      | Source type          | Source                    | Protocol   | Destination type | Destination                                                                                 |
+| --------- | -------------------- | --------------------------| ---------- | ---------------- | ------------------------------------------------------------------------------------------- |
+| Rule Name | IP Address or Group  | VNet or Subnet IP Address | Https:443  | FQDN Tag         | WindowsUpdate, Windows Diagnostics, MicrosoftActiveProtectionService |
+| Rule Name | IP Address or Group  | VNet or Subnet IP Address | Https:443  | FQDN             | *.events.data.microsoft.com |
+| Rule Name | IP Address or Group  | VNet or Subnet IP Address | Https:443  | FQDN             | *.sfx.ms |
+| Rule Name | IP Address or Group  | VNet or Subnet IP Address | Https:443  | FQDN             | *.digicert.com |
+| Rule Name | IP Address or Group  | VNet or Subnet IP Address | Https:443  | FQDN             | *.azure-dns.com, *.azure-dns.net |
 
 > [!IMPORTANT]
 > We recommend that you don't use TLS inspection with Azure Virtual Desktop. For more information, see the [proxy server guidelines](../virtual-desktop/proxy-server-support.md#dont-use-ssl-termination-on-the-proxy-server).
 
+## Azure Firewall Policy Sample 
+All the mandatory and optional rules mentioned above can be easily deployed a single Azure Firewall Policy using the template published at [this link](https://github.com/Azure/RDS-Templates/tree/master/AzureFirewallPolicyForAVD). 
+Before deploying into production, it's highly recommended to review all the Network and Application rules defined, ensure alignment with Azure Virtual Desktop official documentation and security requirements. 
+
 ## Host pool outbound access to the Internet
 
-Depending on your organization needs, you might want to enable secure outbound internet access for your end users. If the list of allowed destinations is well-defined (for example, for [Microsoft 365 access](/microsoft-365/enterprise/microsoft-365-ip-web-service)), you can use Azure Firewall application and network rules to configure the required access. This routes end-user traffic directly to the internet for best performance. If you need to allow network connectivity for Windows 365 or Intune, see [Network requirments for Windows 365](/windows-365/requirements-network#allow-network-connectivity) and [Network endpoints for Intune](/mem/intune/fundamentals/intune-endpoints).
+Depending on your organization needs, you might want to enable secure outbound internet access for your end users. If the list of allowed destinations is well-defined (for example, for [Microsoft 365 access](/microsoft-365/enterprise/microsoft-365-ip-web-service)), you can use Azure Firewall application and network rules to configure the required access. This routes end-user traffic directly to the internet for best performance. If you need to allow network connectivity for Windows 365 or Intune, see [Network requirements for Windows 365](/windows-365/requirements-network#allow-network-connectivity) and [Network endpoints for Intune](/mem/intune/fundamentals/intune-endpoints).
 
 If you want to filter outbound user internet traffic by using an existing on-premises secure web gateway, you can configure web browsers or other applications running on the Azure Virtual Desktop host pool with an explicit proxy configuration. For example, see [How to use Microsoft Edge command-line options to configure proxy settings](/deployedge/edge-learnmore-cmdline-options-proxy-settings). These proxy settings only influence your end-user internet access, allowing the Azure Virtual Desktop platform outbound traffic directly via Azure Firewall.
 
 ## Control user access to the web
 
 Admins can allow or deny user access to different website categories. Add a rule to your Application Collection from your specific IP address to web categories you want to allow or deny. Review all the [web categories](web-categories.md).
 
-## Additional considerations
-
-You might need to configure additional firewall rules, depending on your requirements:
-
-- NTP server access
-
-  By default, virtual machines running Windows connect to `time.windows.com` over UDP port 123 for time synchronization. Create a network rule to allow this access, or for a time server that you use in your environment.
-
 ## Next steps
 
 - Learn more about Azure Virtual Desktop: [What is Azure Virtual Desktop?](../virtual-desktop/overview.md)
+
diff --git a/articles/hdinsight/hadoop/apache-hadoop-use-mapreduce-ssh.md b/articles/hdinsight/hadoop/apache-hadoop-use-mapreduce-ssh.md
@@ -4,7 +4,7 @@ description: Learn how to use SSH to run MapReduce jobs using Apache Hadoop on H
 ms.service: hdinsight
 ms.topic: how-to
 ms.custom: hdinsightactive
-ms.date: 01/10/2020
+ms.date: 08/30/2022
 ---
 
 # Use MapReduce with Apache Hadoop on HDInsight with SSH
diff --git a/articles/hdinsight/hbase/hbase-troubleshoot-unassigned-regions.md b/articles/hdinsight/hbase/hbase-troubleshoot-unassigned-regions.md
@@ -3,7 +3,7 @@ title: Issues with region servers in Azure HDInsight
 description: Issues with region servers in Azure HDInsight
 ms.service: hdinsight
 ms.topic: troubleshooting
-ms.date: 06/30/2020
+ms.date: 08/30/2022
 ---
 
 # Issues with region servers in Azure HDInsight
diff --git a/articles/hdinsight/hdinsight-config-for-vscode.md b/articles/hdinsight/hdinsight-config-for-vscode.md
@@ -3,7 +3,7 @@ title: Azure HDInsight configuration settings reference
 description: Introduce the configuration of Azure HDInsight extension.
 ms.service: hdinsight
 ms.topic: how-to
-ms.date: 04/07/2021
+ms.date: 08/30/2022
 ms.custom: devx-track-python
 ---
 
@@ -77,4 +77,4 @@ For general information about working with settings in VS Code, refer to [User a
 ## Next steps
 
 - For information about Azure HDInsight for VSCode, see [Spark & Hive for Visual Studio Code Tools](/sql/big-data-cluster/spark-hive-tools-vscode).
-- For a video that demonstrates using Spark & Hive for Visual Studio Code, see [Spark & Hive for Visual Studio Code](https://go.microsoft.com/fwlink/?linkid=858706).
+- For a video that demonstrates using Spark & Hive for Visual Studio Code, see [Spark & Hive for Visual Studio Code](https://go.microsoft.com/fwlink/?linkid=858706).
diff --git a/articles/hdinsight/hdinsight-sdk-dotnet-samples.md b/articles/hdinsight/hdinsight-sdk-dotnet-samples.md
@@ -3,7 +3,7 @@ title: 'Azure HDInsight: .NET samples'
 description: Find C# .NET examples on GitHub for common tasks using the HDInsight SDK for .NET.
 ms.service: hdinsight
 ms.topic: sample
-ms.date: 12/06/2019
+ms.date: 08/30/2022
 ---
 
 # Azure HDInsight: .NET samples
diff --git a/articles/hdinsight/network-virtual-appliance.md b/articles/hdinsight/network-virtual-appliance.md
@@ -3,7 +3,7 @@ title: Configure network virtual appliance in Azure HDInsight
 description: Learn how to configure a number of additional features for your network virtual appliance in Azure HDInsight.
 ms.service: hdinsight
 ms.topic: how-to
-ms.date: 06/30/2020
+ms.date: 08/30/2022
 ---
 
 # Configure network virtual appliance in Azure HDInsight
diff --git a/articles/site-recovery/vmware-azure-architecture.md b/articles/site-recovery/vmware-azure-architecture.md
@@ -31,7 +31,7 @@ The following table and graphic provide a high-level view of the components used
 For Site Recovery to work as expected, you need to modify outbound network connectivity to allow your environment to replicate.
 
 > [!NOTE]
-> Site Recovery doesn't support using an authentication proxy to control network connectivity.
+> Site Recovery of VMware/Physical machines using Classic architecture doesn't support using an authentication proxy to control network connectivity. The same is supported when using the [modernized architecutre](vmware-azure-architecture-preview.md).
 
 ### Outbound connectivity for URLs
 
diff --git a/articles/site-recovery/vmware-azure-set-up-replication-tutorial-preview.md b/articles/site-recovery/vmware-azure-set-up-replication-tutorial-preview.md
diff --git a/articles/site-recovery/vmware-azure-troubleshoot-push-install.md b/articles/site-recovery/vmware-azure-troubleshoot-push-install.md
diff --git a/articles/virtual-desktop/safe-url-list.md b/articles/virtual-desktop/safe-url-list.md
diff --git a/articles/virtual-desktop/windows-11-language-packs.md b/articles/virtual-desktop/windows-11-language-packs.md

Original file line number	Diff line number	Diff line change
`@@ -231,7 +231,7 @@ You can also enable the MDE unified solution at scale through the supplied REST`
`231`	`231`
`232`	`232`	`This is an example request body for the PUT request to enable the MDE unified solution:`
`233`	`233`
`234`		-URI: `https://management.microsoft.com/subscriptions/<subscriptionId>/providers/Microsoft.Security/settings&api-version=2022-05-01-preview`
	`234`	+URI: `https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.Security/settings&api-version=2022-05-01-preview`
`235`	`235`
`236`	`236`	```json
`237`	`237`	`{`