
Commit 6765645

Merge branch 'main' into jira-microsoft
2 parents f143133 + ca3ad08 commit 6765645

881 files changed: +10944 / -5068 lines changed

Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
{
2+
"redirections": [
3+
{
4+
"source_path_from_root": "/articles/high-performance-compute/index.yml",
5+
"redirect_url": "/articles/high-performance-computing",
6+
"redirect_document_id": false
7+
}
8+
]
9+
}
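Review bot: the `redirect_url` on line 5 of this new file, `/articles/high-performance-computing`, uses an `/articles/...` prefix, whereas the existing entries in `.openpublishing.redirection.json` touched by this same commit use published URL paths under `/azure/...` (for example `/azure/aks/intro-kubernetes`). Confirm the target is the published URL rather than the repository source path; otherwise the redirect points at a route that does not exist on the site. The boolean `"redirect_document_id": false` here is the form the other entries should follow.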

.openpublishing.redirection.json

Lines changed: 5 additions & 0 deletions
@@ -29498,6 +29498,11 @@
2949829498
"source_path_from_root": "/articles/cloud-shell/example-terraform-bash.md",
2949929499
"redirect_url": "/azure/developer/terraform/quickstart-configure",
2950029500
"redirect_document_id": false
29501+
},
29502+
{
29503+
"source_path_from_root": "/articles/aks/managed-cluster-snapshot.md",
29504+
"redirect_url": "/azure/aks/intro-kubernetes",
29505+
"redirect_document_id": "false"
2950129506
}
2950229507
]
2950329508
}
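Review bot: `"redirect_document_id": "false"` on line 29505 is a string, while the preceding entry on line 29500 uses the boolean `false`. A consumer that tests the value as a boolean may treat the non-empty string as true and try to carry the document ID across to the redirect target. Use the bare `false` for consistency with the rest of the file.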

.whatsnew/.application-management.json

Lines changed: 1 addition & 1 deletion
@@ -17,7 +17,7 @@
1717
},
1818
"areas": [
1919
{
20-
"name": [ "."],
20+
"names": [ "."],
2121
"heading": "Azure Active Directory application management"
2222
}
2323
]
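Review bot: renaming the key from `name` to `names` on line 20 is a schema change for whatever consumes the `.whatsnew` configuration; confirm the consumer expects `names` and that the other `.whatsnew/*.json` files use the same key, since a key the tool does not recognise would silently drop the "Azure Active Directory application management" area from the what's-new output rather than fail loudly.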

articles/active-directory/app-provisioning/partner-driven-integrations.md

Lines changed: 1 addition & 1 deletion
@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
1717
The Azure Active Directory Provisioning service allows you to provision users and groups into both [SaaS](user-provisioning.md) and [on-premises](on-premises-scim-provisioning.md) applications. There are four integration paths:
1818

1919
**Option 1 - Azure AD Application Gallery:**
20-
Popular third party applications, such as Dropbox, Snowflake, and Workplace by Facebook, are made available for customers through the Azure AD application gallery. New applications can easily be onboarded to the gallery using the [application network portal](../azuread-dev/howto-app-gallery-listing.md).
20+
Popular third party applications, such as Dropbox, Snowflake, and Workplace by Facebook, are made available for customers through the Azure AD application gallery. New applications can easily be onboarded to the gallery using the [application network portal](../manage-apps/v2-howto-app-gallery-listing.md).
2121

2222
**Option 2 - Implement a SCIM compliant API for your application:**
2323
If your line-of-business application supports the [SCIM](https://aka.ms/scimoverview) standard, it can easily be integrated with the [Azure AD SCIM client](use-scim-to-provision-users-and-groups.md).
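Review bot: the link on line 20 now points at `../manage-apps/v2-howto-app-gallery-listing.md` instead of `../azuread-dev/howto-app-gallery-listing.md`; confirm that the old `azuread-dev` path has a redirection entry so that bookmarks and external links to it keep resolving after this change. Unrelated to the change but on the same line, `third party` used as an adjective should be hyphenated: `third-party applications`.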

articles/active-directory/app-proxy/application-proxy-secure-api-access.md

Lines changed: 1 addition & 1 deletion
@@ -134,7 +134,7 @@ You've now registered the AppProxyNativeAppSample app in Azure Active Directory.
134134
The last step is to configure the native app. The code snippet that's used in the following steps is based on [Add the Microsoft Authentication Library to your code (.NET C# sample)](application-proxy-configure-native-client-application.md#step-4-add-the-microsoft-authentication-library-to-your-code-net-c-sample). The code is customized for this example. The code must be added to the *Form1.cs* file in the NativeClient sample app where it will cause the [MSAL library](../develop/reference-v2-libraries.md) to acquire the token for requesting the API call and attach it as bearer to the header in the request.
135135

136136
> [!NOTE]
137-
> The sample app uses [Azure Active Directory Authentication Library (ADAL)](../azuread-dev/active-directory-authentication-libraries.md). Read how to [add MSAL to your project](../develop/tutorial-v2-windows-desktop.md#add-msal-to-your-project). Remember to [add the reference to MSAL](../develop/tutorial-v2-windows-desktop.md#add-the-code-to-initialize-msal) to the class and remove the ADAL reference.
137+
> The sample app uses Azure Active Directory Authentication Library (ADAL). Read how to [add MSAL to your project](../develop/tutorial-v2-windows-desktop.md#add-msal-to-your-project). Remember to [add the reference to MSAL](../develop/tutorial-v2-windows-desktop.md#add-the-code-to-initialize-msal) to the class and remove the ADAL reference.
138138
139139
To configure the native app code:
140140

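Review bot: line 137 drops the link to the ADAL article but keeps the statement that the sample app uses ADAL, while the same note tells readers to add MSAL and remove the ADAL reference. Consider rewording so the unlinked mention reads as "the sample still ships with ADAL, which you replace with MSAL in the steps below", so that the remaining text does not read as an endorsement of the library being removed. Keeping the two MSAL tutorial links is the right call.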
articles/active-directory/authentication/how-to-mfa-number-match.md

Lines changed: 2 additions & 2 deletions
@@ -4,7 +4,7 @@ description: Learn how to use number matching in MFA notifications
44
ms.service: active-directory
55
ms.subservice: authentication
66
ms.topic: conceptual
7-
ms.date: 11/04/2022
7+
ms.date: 11/11/2022
88
ms.author: justinha
99
author: mjsantani
1010
ms.collection: M365-identity-device-management
@@ -63,7 +63,7 @@ When a user goes through combined registration to set up the Authenticator app,
6363

6464
### AD FS adapter
6565

66-
The AD FS adapter supports number matching after installing an update. Earlier versions of Windows Server don't support number matching. On earlier versions, users will continue to see the **Approve**/**Deny** experience and won't see number matching until you upgrade.
66+
The AD FS adapter supports number matching after installing an update. Unpatched versions of Windows Server don't support number matching. Users will continue to see the **Approve**/**Deny** experience and won't see number matching unless these updates are applied.
6767

6868
| Version | Update |
6969
|---------|--------|
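Review bot: the reworded line 66 correctly attributes missing number matching to an unpatched adapter rather than to an older Windows Server version, which matches the Version/Update table that follows; however, "unless these updates are applied" has no antecedent in the sentence. Suggest "until the update listed in the following table is installed" so the reader is pointed at the table explicitly. It is also worth keeping the original's statement of the user-visible consequence in one clause: on unpatched servers, users keep the Approve/Deny prompt and never see the number to match.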

articles/active-directory/authentication/how-to-mfa-server-migration-utility.md

Lines changed: 2 additions & 8 deletions
@@ -6,7 +6,7 @@ services: multi-factor-authentication
66
ms.service: active-directory
77
ms.subservice: authentication
88
ms.topic: how-to
9-
ms.date: 10/10/2022
9+
ms.date: 11/14/2022
1010

1111
ms.author: justinha
1212
author: justinha
@@ -159,12 +159,6 @@ Depending on user activity, the data file can become outdated quickly. Any chang
159159
### Install MFA Server update
160160
Run the new installer on the Primary MFA Server. Before you upgrade a server, remove it from load balancing or traffic sharing with other MFA Servers. You don't need to uninstall your current MFA Server before running the installer. The installer performs an in-place upgrade using the current installation path (for example, C:\Program Files\Multi-Factor Authentication Server). If you're prompted to install a Microsoft Visual C++ 2015 Redistributable update package, accept the prompt. Both the x86 and x64 versions of the package are installed. It isn't required to install updates for User portal, Web SDK, or AD FS Adapter.
161161

162-
After the installation is complete, it can take several minutes for the datafile to be upgraded. During this time, the User portal may have issues connecting to the MFA Service. **Don't restart the MFA Service, or the MFA Server during this time.** This behavior is normal. Once the upgrade is complete, the primary server’s main service will again be functional.
163-
164-
You can check \Program Files\Multi-Factor Authentication Server\Logs\MultiFactorAuthSvc.log to see progress and make sure the upgrade is complete. **Completed performing tasks to upgrade from 23 to 24**.
165-
166-
If you have thousands of users, you might schedule the upgrade during a maintenance window and take the User portal offline during this time. To estimate how long the upgrade will take, plan on around 4 minutes per 10,000 users. You can minimize the time by cleaning up disabled or inactive users prior to the upgrade.
167-
168162
>[!NOTE]
169163
>After you run the installer on your primary server, secondary servers may begin to log **Unhandled SB** entries. This is due to schema changes made on the primary server that will not be recognized by secondary servers. These errors are expected. In environments with 10,000 users or more, the amount of log entries can increase significantly. To mitigate this issue, you can increase the file size of your MFA Server logs, or upgrade your secondary servers.
170164
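Review bot: lines 162-167 remove all of the post-install guidance: the several-minute datafile upgrade, the bolded instruction not to restart the MFA Service or MFA Server during it, the `MultiFactorAuthSvc.log` check for "Completed performing tasks to upgrade from 23 to 24", and the sizing estimate of about 4 minutes per 10,000 users. If the in-place upgrade still performs the datafile conversion, the "don't restart" warning is the one instruction that prevents an administrator from interrupting it; either keep that paragraph or state where the guidance has moved. The NOTE that survives (unhandled SB entries on secondary servers after the primary is upgraded) still presupposes the upgrade sequence that was just deleted.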
@@ -208,7 +202,7 @@ The settings option allows you to change the settings for the migration process:
208202
:::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/settings.png" alt-text="Screenshot of settings.":::
209203

210204
- Migrate – This setting allows you to specify which method(s) should be migrated for the selection of users
211-
- User Match – Allows you to specify a different attribute for matching users instead of the default UPN-matching
205+
- User Match – Allows you to specify a different on-premises Active Directory attribute for matching Azure AD UPN instead of the default match to userPrincipalName
212206
- Automatic synchronization – Starts a background service that will continually monitor any authentication method changes to users in the on-premises MFA Server, and write them to Azure AD at the specified time interval defined
213207

214208
The migration process can be an automatic process, or a manual process.
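Review bot: the new wording on line 205, "a different on-premises Active Directory attribute for matching Azure AD UPN instead of the default match to userPrincipalName", is hard to parse. Suggest "a different on-premises Active Directory attribute to match against the Azure AD UPN, instead of the default userPrincipalName". Spelling out that the match is between the on-premises attribute and the Azure AD UPN is useful, since a mis-chosen attribute would migrate a user's MFA methods onto the wrong cloud account.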

articles/active-directory/authentication/overview-authentication.md

Lines changed: 50 additions & 2 deletions
@@ -75,7 +75,7 @@ By default, Azure AD blocks weak passwords such as *Password1*. A global banned
7575

7676
To increase security, you can define custom password protection policies. These policies can use filters to block any variation of a password containing a name such as *Contoso* or a location like *London*, for example.
7777

78-
For hybrid security, you can integrate Azure AD password protection with an on-premises Active Directory environment. A component installed in the on-prem environment receives the global banned password list and custom password protection policies from Azure AD, and domain controllers use them to process password change events. This hybrid approach makes sure that no matter how or where a user changes their credentials, you enforce the use of strong passwords.
78+
For hybrid security, you can integrate Azure AD password protection with an on-premises Active Directory environment. A component installed in the on-premises environment receives the global banned password list and custom password protection policies from Azure AD, and domain controllers use them to process password change events. This hybrid approach makes sure that no matter how or where a user changes their credentials, you enforce the use of strong passwords.
7979

8080
## Passwordless authentication
8181

@@ -85,7 +85,55 @@ The end-goal for many environments is to remove the use of passwords as part of
8585

8686
When you sign in with a passwordless method, credentials are provided by using methods like biometrics with Windows Hello for Business, or a FIDO2 security key. These authentication methods can't be easily duplicated by an attacker.
8787

88-
Azure AD provides ways to natively authenticate using passwordless methods to simplify the sign-in experience for users and reduce the risk of attacks.
88+
Azure AD provides ways to natively authenticate using passwordless methods to simplify the sign-in experience for users and reduce the risk of attacks.
89+
90+
## Web browser cookies
91+
92+
When authenticating against Azure Active Directory through a web browser, multiple cookies are involved in the process. Some of the cookies are common on all requests, other cookies are specific to some particular scenarios, i.e., specific authentication flows and/or specific client-side conditions.
93+
94+
Persistent session tokens are stored as persistent cookies on the web browser's cookie jar, and non-persistent session tokens are stored as session cookies on the web browser and are destroyed when the browser session is closed.
95+
96+
| Cookie Name | Type | Comments |
97+
|--|--|--|
98+
| ESTSAUTH | Common | Contains user's session information to facilitate SSO. Transient. |
99+
| ESTSAUTHPERSISTENT | Common | Contains user's session information to facilitate SSO. Persistent. |
100+
| ESTSAUTHLIGHT | Common | Contains Session GUID Information. Lite session state cookie used exclusively by client-side JavaScript in order to facilitate OIDC sign-out. Security feature. |
101+
| SignInStateCookie | Common | Contains list of services accessed to facilitate sign-out. No user information. Security feature. |
102+
| CCState | Common | Contains session information state to be used between Azure AD and the [Azure AD Backup Authentication Service](/azure/active-directory/conditional-access/resilience-defaults). |
103+
| buid | Common | Tracks browser related information. Used for service telemetry and protection mechanisms. |
104+
| fpc | Common | Tracks browser related information. Used for tracking requests and throttling. |
105+
| esctx | Common | Session context cookie information. For CSRF protection. Binds a request to a specific browser instance so the request can't be replayed outside the browser. No user information. |
106+
| ch | Common | ProofOfPossessionCookie. Stores the Proof of Possession cookie hash to the user agent. |
107+
| ESTSSC | Common | Legacy cookie containing session count information no longer used. |
108+
| ESTSSSOTILES | Common | Tracks session sign-out. When present and not expired, with value "ESTSSSOTILES=1", it will interrupt SSO, for specific SSO authentication model, and will present tiles for user account selection. |
109+
| AADSSOTILES | Common | Tracks session sign-out. Similar to ESTSSSOTILES but for other specific SSO authentication model. |
110+
| ESTSUSERLIST | Common | Tracks Browser SSO user's list. |
111+
| SSOCOOKIEPULLED | Common | Prevents looping on specific scenarios. No user information. |
112+
| cltm | Common | For telemetry purposes. Tracks AppVersion, ClientFlight and Network type. |
113+
| brcap | Common | Client-side cookie (set by JavaScript) to validate client/web browser's touch capabilities. |
114+
| clrc | Common | Client-side cookie (set by JavaScript) to control local cached sessions on the client. |
115+
| CkTst | Common | Client-side cookie (set by JavaScript). No longer in active use. |
116+
| wlidperf | Common | Client-side cookie (set by JavaScript) that tracks local time for performance purposes. |
117+
| x-ms-gateway-slice | Common | Azure AD Gateway cookie used for tracking and load balance purposes. |
118+
| stsservicecookie | Common | Azure AD Gateway cookie also used for tracking purposes. |
119+
| x-ms-refreshtokencredential | Specific | Available when [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token) is in use. |
120+
| estsStateTransient | Specific | Applicable to new session information model only. Transient. |
121+
| estsStatePersistent | Specific | Same as estsStateTransient, but persistent. |
122+
| ESTSNCLOGIN | Specific | National Cloud Login related Cookie. |
123+
| UsGovTraffic | Specific | US Gov Cloud Traffic Cookie. |
124+
| ESTSWCTXFLOWTOKEN | Specific | Saves flowToken information when redirecting to ADFS. |
125+
| CcsNtv | Specific | To control when Azure AD Gateway will send requests to [Azure AD Backup Authentication Service](/azure/active-directory/conditional-access/resilience-defaults). Native flows. |
126+
| CcsWeb | Specific | To control when Azure AD Gateway will send requests to [Azure AD Backup Authentication Service](/azure/active-directory/conditional-access/resilience-defaults). Web flows. |
127+
| Ccs* | Specific | Cookies with prefix Ccs*, have the same purpose as the ones without prefix, but only apply when [Azure AD Backup Authentication Service](/azure/active-directory/conditional-access/resilience-defaults) is in use. |
128+
| threxp | Specific | Used for throttling control. |
129+
| rrc | Specific | Cookie used to identify a recent B2B invitation redemption. |
130+
| debug | Specific | Cookie used to track if user's browser session is enabled for DebugMode. |
131+
| MSFPC | Specific | This cookie is not specific to any ESTS flow, but is sometimes present. It applies to all Microsoft Sites (when accepted by users). Identifies unique web browsers visiting Microsoft sites. It's used for advertising, site analytics, and other operational purposes. |
132+
133+
> [!NOTE]
134+
> Cookies identified as client-side cookies are set locally on the client device by JavaScript, hence, will be marked with HttpOnly=false.
135+
>
136+
> Cookie definitions and respective names are subject to change at any moment in time according to Azure AD service requirements.
89137
90138
## Next steps
91139

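Review bot: the new "Web browser cookies" section (lines 90-136) states each cookie's purpose but the only attribute it mentions is `HttpOnly`, and only for the JavaScript-set cookies on line 134. For the session cookies in particular (`ESTSAUTH`, `ESTSAUTHPERSISTENT`, and the `esctx` CSRF-binding cookie), readers assessing session-theft and cross-site risk will want the `Secure`, `SameSite` and domain scope stated as well, or an explicit sentence that those attributes are not documented here. Wording: on line 92, "i.e., specific authentication flows" should be "for example, specific authentication flows", and "Some of the cookies are common on all requests, other cookies are specific" is a comma splice (use a semicolon or "while"). Line 134 should read "and are therefore set with HttpOnly=false" rather than "hence, will be marked with HttpOnly=false". On line 127, drop the comma in "Cookies with prefix Ccs*, have".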
articles/active-directory/cloud-infrastructure-entitlement-management/overview.md

Lines changed: 1 addition & 1 deletion
@@ -55,7 +55,7 @@ Customers can right-size permissions based on usage, grant new permissions on-de
5555

5656
### Monitor
5757

58-
Customers can detect anomalous activities with machine language-powered (ML-powered) alerts and generate detailed forensic reports.
58+
Customers can detect anomalous activities with machine learning-powered (ML-powered) alerts and generate detailed forensic reports.
5959

6060
- ML-powered anomaly detections.
6161
- Context-rich forensic reports around identities, actions, and resources to support rapid investigation and remediation.

articles/active-directory/cloud-infrastructure-entitlement-management/product-permission-analytics.md

Lines changed: 0 additions & 2 deletions
@@ -61,8 +61,6 @@ This article describes how you can create and view permission analytics triggers
6161

6262
- The **Status** column displays if the authorization system is online or offline
6363
- The **Controller** column displays if the controller is enabled or disabled.
64-
65-
1. On the **Configuration** tab, to update the **Time Interval**, select **90 Days**, **60 Days**, or **30 Days** from the **Time range** dropdown.
6664
1. Select **Save**.
6765

6866
## View permission analytics alert triggers
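Review bot: removing the "On the **Configuration** tab ... **Time range**" step on line 65 leaves line 66, "1. Select **Save**.", as a lone numbered step immediately after the bulleted **Status**/**Controller** descriptions, with nothing left in the visible text that the reader has changed and needs to save. Confirm that an earlier step in this procedure still makes an edit that requires saving; if not, the Save step should be removed together with the Configuration step.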
