Commit 6745599

Merge branch 'MicrosoftDocs:main' into patch-3
2 parents 0834ad2 + 0bac163 commit 6745599

9 files changed

+131
-37
lines changed

articles/active-directory/develop/configure-token-lifetimes.md

Lines changed: 9 additions & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -9,29 +9,30 @@ ms.service: active-directory
99
ms.subservice: develop
1010
ms.workload: identity
1111
ms.topic: how-to
12-
ms.date: 04/08/2021
12+
ms.date: 10/17/2022
1313
ms.author: ryanwi
14-
ms.custom: aaddev, contperf-fy21q1
14+
ms.custom: identityplatformtop40, contperf-fy21q2, engagement-fy23
1515
ms.reviewer: ludwignick, jlu, annaba
1616
---
1717
# Configure token lifetime policies (preview)
18-
You can specify the lifetime of an access, SAML, or ID token issued by Microsoft identity platform. You can set token lifetimes for all apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal in your organization. For more info, read [configurable token lifetimes](active-directory-configurable-token-lifetimes.md).
1918

20-
In this section, we walk through a common policy scenario that can help you impose new rules for token lifetime. In the example, you learn how to create a policy that requires users to authenticate more frequently in your web app.
19+
In the following steps, you'll implement a common policy scenario that imposes new rules for token lifetime. It's possible to specify the lifetime of an access, SAML, or ID token issued by the Microsoft identity platform. This can be set for all apps in your organization or for a specific service principal. They can also be set for multi-organizations (multi-tenant application).
20+
21+
For more information, see [configurable token lifetimes](active-directory-configurable-token-lifetimes.md).
2122

2223
## Get started
2324

2425
To get started, download the latest [Azure AD PowerShell Module Public Preview release](https://www.powershellgallery.com/packages/AzureADPreview).
2526

26-
Next, run the `Connect` command to sign in to your Azure AD admin account. Run this command each time you start a new session.
27+
Next, run the `Connect-AzureAD` command to sign in to your Azure Active Directory (Azure AD) admin account. Run this command each time you start a new session.
2728

2829
```powershell
2930
Connect-AzureAD -Confirm
3031
```
3132

3233
## Create a policy for web sign-in
3334

34-
In this example, you create a policy that requires users to authenticate more frequently in your web app. This policy sets the lifetime of the access/ID tokens to the service principal of your web app.
35+
In the following steps, you'll create a policy that requires users to authenticate more frequently in your web app. This policy sets the lifetime of the access/ID tokens to the service principal of your web app.
3536

3637
1. Create a token lifetime policy.
3738

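Review bot: The rewritten intro at new line 19 loses its subject between sentences: "This can be set for all apps in your organization or for a specific service principal" is followed by "They can also be set for multi-organizations (multi-tenant application)", and neither pronoun has a clear referent after a sentence about "the lifetime" of three token types. The removed line 18 gave the three scopes in one list ("for all apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal"), which was easier to follow; suggest keeping that list and changing only the lead-in. The heading still reads "(preview)" while ms.date moves to 10/17/2022, so please confirm the preview label is still intended.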
@@ -73,7 +74,7 @@ To see all policies that have been created in your organization, run the [Get-Az
7374
Get-AzureADPolicy -All $true
7475
```
7576

76-
To see which apps and service principals are linked to a specific policy you identified run the following [Get-AzureADPolicyAppliedObject](/powershell/module/azuread/get-azureadpolicyappliedobject?view=azureadps-2.0-preview&preserve-view=true) cmdlet by replacing **1a37dad8-5da7-4cc8-87c7-efbc0326cf20** with any of your policy IDs. Then you can decide whether to configure Conditional Access sign-in frequency or remain with the Azure AD defaults.
77+
To see which apps and service principals are linked to a specific policy that you identified, run the following [`Get-AzureADPolicyAppliedObject`](/powershell/module/azuread/get-azureadpolicyappliedobject?view=azureadps-2.0-preview&preserve-view=true) cmdlet by replacing `1a37dad8-5da7-4cc8-87c7-efbc0326cf20` with any of your policy IDs. Then you can decide whether to configure Conditional Access sign-in frequency or remain with the Azure AD defaults.
7778

7879
```powershell
7980
Get-AzureADPolicyAppliedObject -id 1a37dad8-5da7-4cc8-87c7-efbc0326cf20
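Review bot: New line 77 keeps a literal GUID, `1a37dad8-5da7-4cc8-87c7-efbc0326cf20`, in both the sentence and the sample command, so the two have to be kept in sync by hand and the value reads like a real policy ID rather than something to substitute. Suggest a placeholder such as `<policy-object-id>` in both places, with the sentence telling the reader to take the value from the `Get-AzureADPolicy -All $true` output shown just above. "run the following ... cmdlet by replacing" would also read better as "run the following ... cmdlet, replacing".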
@@ -82,7 +83,7 @@ Get-AzureADPolicyAppliedObject -id 1a37dad8-5da7-4cc8-87c7-efbc0326cf20
8283
If your tenant has policies which define custom values for the refresh and session token configuration properties, Microsoft recommends you update those policies to values that reflect the defaults described above. If no changes are made, Azure AD will automatically honor the default values.
8384

8485
### Troubleshooting
85-
Some users have reported a `Get-AzureADPolicy : The term 'Get-AzureADPolicy' is not recognized` error after running the `Get-AzureADPolicy` cmdlet. As a workaround, run the following to uninstall/re-install the AzureAD module and then install the AzureADPreview module:
86+
Some users have reported a `Get-AzureADPolicy : The term 'Get-AzureADPolicy' is not recognized` error after running the `Get-AzureADPolicy` cmdlet. As a workaround, run the following to uninstall/re-install the AzureAD module, and then install the AzureADPreview module:
8687

8788
```powershell
8889
# Uninstall the AzureAD Module

articles/azure-arc/system-center-virtual-machine-manager/quickstart-connect-system-center-virtual-machine-manager-to-arc.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,9 @@ This QuickStart shows you how to connect your SCVMM management server to Azure A
1616

1717
## Prerequisites
1818

19+
>[!Note]
20+
>If VMM server is running on Windows Server 2016 machine, ensure that [Open SSH package](https://github.com/PowerShell/Win32-OpenSSH/releases) is installed.
21+
1922
| **Requirement** | **Details** |
2023
| --- | --- |
2124
| **Azure** | An Azure subscription <br/><br/> A resource group in the above subscription where you have the *Owner/Contributor* role. |
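Review bot: The note added at new lines 19-20 links to the Win32-OpenSSH releases page without saying which component or minimum version to install, or why the VMM server needs it, which leaves an administrator to pick a binary for a management server unaided. Suggest naming the required component and a minimum version, and giving the reason in one clause. Wording: the product name is "OpenSSH" (one word), and the sentence is missing articles ("If the VMM server is running on a Windows Server 2016 machine").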

articles/data-factory/TOC.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -288,14 +288,14 @@ items:
288288
- name: Supported functions
289289
href: wrangling-functions.md
290290
displayName: power
291+
- name: Change Data Capture
292+
href: concepts-change-data-capture.md
291293
- name: Roles and permissions
292294
href: concepts-roles-permissions.md
293295
- name: Naming rules
294296
href: naming-rules.md
295297
- name: Data redundancy
296298
href: concepts-data-redundancy.md
297-
- name: Change Data Capture
298-
href: concepts-change-data-capture.md
299299
- name: SAP knowledge center
300300
items:
301301
- name: Overview

articles/data-factory/concepts-change-data-capture.md

Lines changed: 57 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ ms.service: data-factory
99
ms.subservice: data-movement
1010
ms.custom: synapse
1111
ms.topic: conceptual
12-
ms.date: 10/14/2022
12+
ms.date: 10/18/2022
1313
---
1414

1515
# Change data capture in Azure Data Factory and Azure Synapse Analytics
@@ -22,30 +22,68 @@ To learn more, see [Azure Data Factory overview](introduction.md) or [Azure Syna
2222

2323
## Overview
2424

25-
When you perform data integration and ETL processes in the cloud, your jobs can perform much better and be more effective when you only read the source data that has changed since the last time the pipeline ran, rather than always querying an entire dataset on each run. Executing pipelines that only read the latest changed data is available in many of ADF's source connectors by simply enabling a checkbox property inside the source transformation. Support for full-fidelity CDC, which includes row markers for inserts, upserts, deletes, and updates, as well as rules for resetting the ADF-managed checkpoint are available in several ADF connectors. To easily capture changes and deltas, ADF supports patterns and templates for managing incremental pipelines with user-controlled checkpoints as well, which you'll find in the table below.
25+
When you perform data integration and ETL processes in the cloud, your jobs can perform much better and be more effective when you only read the source data that has changed since the last time the pipeline ran, rather than always querying an entire dataset on each run. ADF provides multiple different ways for you to easily get delta data only from the last run.
2626

27-
## CDC Connector support
27+
### Native change data capture in mapping data flow
2828

29-
| Connector | Full CDC | Incremental CDC | Incremental pipeline pattern |
30-
| :-------------------- | :--------------------------- | :--------------------------------- | :--------------------------- |
31-
| [ADLS Gen1](load-azure-data-lake-store.md) | &nbsp; || &nbsp; |
32-
| [ADLS Gen2](load-azure-data-lake-storage-gen2.md) | &nbsp; || &nbsp; |
33-
| [Azure Blob Storage](connector-azure-blob-storage.md) | &nbsp; || &nbsp; |
34-
| [Azure Cosmos DB (SQL API)](connector-azure-cosmos-db.md) ||| &nbsp; |
35-
| [Azure Database for MySQL](connector-azure-database-for-mysql.md) | &nbsp; || &nbsp; |
36-
| [Azure Database for PostgreSQL](connector-azure-database-for-postgresql.md) | &nbsp; || &nbsp; |
37-
| [Azure SQL Database](connector-azure-sql-database.md) ||| [](tutorial-incremental-copy-portal.md) |
38-
| [Azure SQL Managed Instance](connector-azure-sql-managed-instance.md) ||| [](tutorial-incremental-copy-change-data-capture-feature-portal.md) |
39-
| [Azure SQL Server](connector-sql-server.md) ||| [](tutorial-incremental-copy-multiple-tables-portal.md) |
40-
| [Common data model](format-common-data-model.md) | &nbsp; || &nbsp; |
41-
| [SAP CDC](connector-sap-change-data-capture.md) ||||
29+
The changed data including inserted, updated and deleted rows can be automatically detected and extracted by ADF mapping data flow from the source databases. No timestamp or ID columns are required to identify the changes since it uses the native change data capture technology in the databases. By simply chaining a source transform and a sink transform reference to a database dataset in a mapping data flow, you will see the changes happened on the source database to be automatically applied to the target database, so that you can easily synchronize data between two tables. You can also add any transformations in between for any business logic to process the delta data.
4230

31+
**Supported connectors**
32+
- [SAP CDC](connector-sap-change-data-capture.md)
33+
- [Azure SQL Database](connector-azure-sql-database.md)
34+
- [Azure SQL Server](connector-sql-server.md)
35+
- [Azure SQL Managed Instance](connector-azure-sql-managed-instance.md)
36+
- [Azure Cosmos DB (SQL API)](connector-azure-cosmos-db.md)
4337

44-
ADF makes it super-simple to enable and use CDC. Many of the connectors listed above will enable a checkbox similar to the one shown below from the data flow source transformation.
38+
### Auto incremental extraction in mapping data flow
4539

46-
:::image type="content" source="media/data-flow/cdc.png" alt-text="Change data capture":::
40+
The newly updated rows or updated files can be automatically detected and extracted by ADF mapping data flow from the source stores. When you want to get delta data from the databases, the incremental column is required to identify the changes. When you want to load new files or updated files only from a storage store, ADF mapping data flow just works through files’ last modify time.
41+
42+
**Supported connectors**
43+
- [Azure Blob Storage](connector-azure-blob-storage.md)
44+
- [ADLS Gen2](load-azure-data-lake-storage-gen2.md)
45+
- [ADLS Gen1](load-azure-data-lake-store.md)
46+
- [Azure SQL Database](connector-azure-sql-database.md)
47+
- [Azure SQL Server](connector-sql-server.md)
48+
- [Azure SQL Managed Instance](connector-azure-sql-managed-instance.md)
49+
- [Azure Database for MySQL](connector-azure-database-for-mysql.md)
50+
- [Azure Database for PostgreSQL](connector-azure-database-for-postgresql.md)
51+
- [Common data model](format-common-data-model.md)
52+
53+
### Customer managed delta data extraction in pipeline
54+
55+
You can always build your own delta data extraction pipeline for all ADF supported data stores including using lookup activity to get the watermark value stored in an external control table, copy activity or mapping data flow activity to query the delta data against timestamp or ID column, and SP activity to write the new watermark value back to your external control table for the next run. When you want to load new files only from a storage store, you can either delete files every time after they have been moved to the destination successfully, or leverage the time partitioned folder or file names or last modified time to identify the new files.
56+
57+
58+
## Best Practices
59+
60+
**Change data capture from databases:**
61+
62+
- Native change data capture is always recommended as the simplest way for you to get change data. It also brings much less burden on your source database when ADF extracts the change data for further processing.
63+
- If your database stores are not part of the ADF connector list with native change data capture support, we recommend you to check the auto incremental extraction option where you only need to input incremental column to capture the changes. ADF will take care of the rest including creating a dynamic query for delta loading and managing the checkpoint for each activity run.
64+
- Customer managed delta data extraction in pipeline covers all the ADF supported databases and give you the flexibility to control everything by yourself.
65+
66+
**Change files capture from file based storages:**
67+
68+
- When you want to load data from Azure Blob Storage, Azure Data Lake Storage Gen2 or Azure Data Lake Storage Gen1, mapping data flow provides you the opportunity to get new or updated files only by simple one click. It is the simplest and recommended way for you to achieve delta load from these file based storages in mapping data flow.
69+
- You can get more [best practices](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/best-practices-of-how-to-use-adf-copy-activity-to-copy-new-files/ba-p/1532484).
70+
71+
72+
## Checkpoint
73+
74+
When you enable native change data capture or auto incremental extraction options in ADF mapping data flow, ADF helps you to manage the checkpoint to make sure each activity run will automatically only read the source data that has changed since the last time the pipeline run. By default, the checkpoint is coupled with your pipeline and activity name. If you change your pipeline name or activity name, the checkpoint will be reset, which leads you to start from beginning or get changes from now in the next run. If you do want to change the pipeline name or activity name but still keep the checkpoint to get changed data from the last run automatically, please use your own [Checkpoint key](control-flow-execute-data-flow-activity.md#checkpoint-key) in data flow activity to achieve that.
75+
76+
When you debug the pipeline, this feature works the same. The checkpoint will be reset when you refresh your browser during the debug run. After you are satisfied with the pipeline result from debug run, you can go ahead to publish and trigger the pipeline. At the moment when you first time trigger your published pipeline, it automatically restarts from the beginning or gets changes from now on.
77+
78+
In the monitoring section, you always have the chance to rerun a pipeline. When you are doing so, the changed data is always captured from the previous checkpoint of your selected pipeline run.
79+
80+
## Tutorials
81+
82+
The followings are the tutorials to start the change data capture in Azure Data Factory and Azure Synapse Analytics.
83+
84+
- [SAP CDC tutorial in ADF](sap-change-data-capture-introduction-architecture.md#sap-cdc-capabilities)
85+
- [Incrementally copy data from a source data store to a destination data store tutorials](tutorial-incremental-copy-overview.md)
4786

48-
The "Full CDC" and "Incremental CDC" features are available in both ADF and Synapse data flows and pipelines. In each of those options, ADF manages the checkpoint automatically for you. You can turn on the change data capture feature in the data flow source and you can also reset the checkpoint in the data flow activity. To reset the checkpoint for your CDC pipeline, go into the data flow activity in your pipeline and override the checkpoint key. Connectors in ADF that support "full CDC" also provide automatic tagging of rows as update, insert, delete.
4987

5088
## Next steps
5189

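Review bot: The new Checkpoint section (new lines 72-78) says that renaming the pipeline or activity resets the checkpoint, "which leads you to start from beginning or get changes from now in the next run", and says the same of the first triggered run of a published pipeline, without stating which of the two outcomes applies to which option. One outcome re-reads everything and the other skips whatever changed before the reset, so readers need to know which to expect; suggest stating the behaviour separately for native change data capture and for auto incremental extraction. The hunk also removes the connector table and with it the per-connector tutorial links (for example tutorial-incremental-copy-portal.md); the new Tutorials list links only the overview page. Smaller points: "The followings are the tutorials" should be "The following tutorials", "files' last modify time" should be "last modified time", and "give you the flexibility" needs "gives".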
articles/defender-for-cloud/TOC.yml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -517,7 +517,9 @@
517517
- name: Defender for Servers integration with Microsoft Defender for Endpoint
518518
href: episode-sixteen.md
519519
- name: Defender for Servers integration with Microsoft Entra
520-
href: episode-seventeen.md
520+
href: episode-seventeen.md
521+
- name: Defender for Azure Cosmos DB
522+
href: episode-eighteen.md
521523
- name: Manage user data
522524
href: privacy.md
523525
- name: Microsoft Defender for IoT documentation

articles/defender-for-cloud/concept-cloud-security-posture-management.md

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@ Defender for Cloud continually assesses your resources, subscriptions, and organ
2121

2222
## Defender CSPM plan options
2323

24-
The Defender CSPM plan comes with two options, foundational CSPM capabilities and Defender Cloud Security Posture Management (CSPM). When you deploy Defender for Cloud to your subscription and resources, you'll automatically gain the basic coverages offered by the CSPM plan. To gain access to the other capabilities provided by Defender CSPM, you'll need to [enable the Defender Cloud Security Posture Management (CSPM) plan](enable-enhanced-security.md) to your subscription and resources.
24+
The Defender CSPM plan comes with two options, foundational CSPM capabilities and Defender Cloud Security Posture Management (CSPM). When you deploy Defender for Cloud to your subscription and resources, you'll automatically gain the basic coverage offered by the CSPM plan. To gain access to the other capabilities provided by Defender CSPM, you'll need to [enable the Defender Cloud Security Posture Management (CSPM) plan](enable-enhanced-security.md) on your subscription and resources.
2525

2626
The following table summarizes what's included in each plan and their cloud availability.
2727

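Review bot: Line 24 names the two options as "foundational CSPM capabilities" and "Defender Cloud Security Posture Management (CSPM)", but the next sentence refers to "the basic coverage offered by the CSPM plan", which matches neither name. Suggest reusing "foundational CSPM capabilities" there so it is clear which option is enabled automatically. The first sentence would also read better with a colon after "two options".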
@@ -60,11 +60,14 @@ Learn more about [Cloud Security Explorer](concept-attack-path.md#what-is-cloud-
6060

6161
## Attack Path Analysis
6262

63-
Attack Path Analysis is a graph-based algorithm that scans the Cloud Security Graph. The scans expose exploitable paths that attackers may use to breach your environment to reach your high-impact assets. Attack Path Analysis exposes those attack paths and suggests recommendations as to how best remediate the issues that will break the attack path and prevent successful breach.
63+
Attack Path Analysis is a graph-based algorithm that scans the Cloud Security Graph. The scans:
6464

65-
By taking your environment's contextual information into account such as, internet exposure, permissions, lateral movement, and more. Attack Path Analysis identifies issues that may lead to a breach on your environment, and helps you to remediate the highest risk ones first.
65+
- expose exploitable paths that attackers may use to breach your environment and reach your high-impact assets
66+
- provide recommendations for ways to prevent successful breaches
6667

67-
Learn more about [Attack Path Analysis](concept-attack-path.md#what-is-attack-path-analysis)
68+
By taking your environment's contextual information into account such as, internet exposure, permissions, lateral movement, and more, this analysis identifies issues that may lead to a breach on your environment, and helps you to remediate the highest risk ones first.
69+
70+
Learn more about [Attack Path Analysis](concept-attack-path.md#what-is-attack-path-analysis).
6871

6972
## Agentless scanning for machines
7073

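Review bot: New line 68 still opens with "By taking your environment's contextual information into account such as, internet exposure, ...": the comma sits after "such as" instead of before it, and "and more, this analysis" makes the list hard to parse. Suggest "By taking into account your environment's contextual information, such as internet exposure, permissions, and lateral movement, this analysis identifies ...". The rewrite also drops the statement from the removed line 63 that the recommendations remediate the issues that break the attack path; the new bullet "provide recommendations for ways to prevent successful breaches" is vaguer, so consider carrying that wording into it.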