Commit 679405b

Merge branch 'MicrosoftDocs:main' into release-orbital-pubpreview
2 parents 431b0b1 + 4e62c8b commit 679405b

154 files changed, +987 -374 lines changed

.openpublishing.redirection.json

Lines changed: 5 additions & 0 deletions
@@ -623,6 +623,11 @@
623623
"redirect_url": "/azure/azure-arc/kubernetes/",
624624
"redirect_document_id": false
625625
},
626+
{
627+
"source_path": "articles/azure-arc/kubernetes/conceptual-agent-architecture.md",
628+
"redirect_url": "/azure/azure-arc/kubernetes/conceptual-agent-overview",
629+
"redirect_document_id": false
630+
},
626631
{
627632
"source_path": "articles/cognitive-services/whats-new-docs.md",
628633
"redirect_url": "/azure/cognitive-services/what-are-cognitive-services",

articles/active-directory-b2c/partner-eid-me.md

Lines changed: 2 additions & 2 deletions
@@ -101,7 +101,7 @@ To configure your tenant application as a Relying Party in eID-Me the following
101101
| Name | Azure AD B2C/your desired application name |
102102
| Domain | name.onmicrosoft.com |
103103
| Redirect URIs | https://jwt.ms |
104-
| Redirect URLs | https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp<br>For Example: `https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp`<br>If you use a custom domain, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp.<br> Replace your-domain-name with your custom domain, and your-tenant-name with the name of your tenant. |
104+
| Redirect URLs | `https://your-B2C-tenant-name.b2clogin.com/your-B2C-tenant-name.onmicrosoft.com/oauth2/authresp`<br>For Example: `https://fabrikam.b2clogin.com/fabrikam.onmicrosoft.com/oauth2/authresp`<br>If you use a custom domain, enter https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp.<br> Replace your-domain-name with your custom domain, and your-tenant-name with the name of your tenant. |
105105
| URL for application home page | Will be displayed to the end user |
106106
| URL for application privacy policy | Will be displayed to the end user |
107107
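Review bot: In the changed Redirect URLs row, only the first URL template was wrapped in backticks; the custom-domain form later in the same cell, https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp, is still bare, so the cell now formats the same kind of placeholder URL two different ways. Wrap the custom-domain template in backticks as well so that no placeholder URL in this row is rendered as a live link.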

@@ -300,7 +300,7 @@ There are additional identity claims that eID-Me supports and can be added.
300300

301301
1. Open the `TrustFrameworksExtension.xml`
302302

303-
2. Find the `BuildingBlocks` element. This is where additional identity claims that eID-Me supports can be added. Full lists of supported eID-Me identity claims with descriptions are mentioned at [http://www.oid-info.com/get/1.3.6.1.4.1.50715](http://www.oid-info.com/get/1.3.6.1.4.1.50715) with the OIDC identifiers used here [https://eid-me.bluink.ca/.well-known/openid-configuration](https://eid-me.bluink.ca/.well-known/openid-configuration).
303+
2. Find the `BuildingBlocks` element. This is where additional identity claims that eID-Me supports can be added. Full lists of supported eID-Me identity claims with descriptions are mentioned at `http://www.oid-info.com/get/1.3.6.1.4.1.50715` with the OIDC identifiers used here [https://eid-me.bluink.ca/.well-known/openid-configuration](https://eid-me.bluink.ca/.well-known/openid-configuration).
304304

305305
```xml
306306
<BuildingBlocks>
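Review bot: In step 2, the OID registry reference is now code-formatted text while the OIDC discovery URL right after it in the same sentence remains a live link, and the registry URL still uses plain http://. If the link was removed on purpose, treat both references the same way; otherwise keep it as a link (using https if the site serves it). While touching the sentence, "are mentioned at" would read better as "are listed at".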

articles/active-directory/authentication/concept-fido2-hardware-vendor.md

Lines changed: 0 additions & 2 deletions
@@ -29,8 +29,6 @@ You can become a Microsoft-compatible FIDO2 security key vendor through the foll
2929
- Receive an overview of the device from the vendor
3030
- Microsoft will share our test scripts with you. Our engineering team will be able to answer questions if you have any specific needs.
3131
- You will complete and send all passed results to Microsoft Engineering team
32-
- Once Microsoft confirms, you will send multiple hardware/solution samples of each device to Microsoft Engineering team
33-
- Upon receipt Microsoft Engineering team will conduct test script verification and user experience flow
3432
4. Upon successful passing of all tests by Microsoft Engineering team, Microsoft will confirm vendor's device is listed in [the FIDO MDS](https://fidoalliance.org/metadata/).
3533
5. Microsoft will add your FIDO2 Security Key on Azure AD backend and to our list of approved FIDO2 vendors.
3634
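Review bot: With the two sub-steps about sending hardware samples and Microsoft's own test script verification removed, step 4 still reads "Upon successful passing of all tests by Microsoft Engineering team", which no longer matches step 3, where the vendor runs the shared test scripts and sends the passed results to Microsoft. Reword step 4 to say whose results are being accepted, so readers can tell whether approval now rests on vendor-submitted results rather than on Microsoft testing physical samples.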

articles/active-directory/authentication/howto-mfa-nps-extension.md

Lines changed: 2 additions & 0 deletions
@@ -271,13 +271,15 @@ For customers that use the Azure Government or Azure China 21Vianet clouds, the
271271
| Registry key | Value |
272272
|--------------------|-----------------------------------|
273273
| AZURE_MFA_HOSTNAME | strongauthenticationservice.auth.microsoft.us |
274+
| AZURE_MFA_RESOURCE_HOSTNAME | adnotifications.windowsazure.us |
274275
| STS_URL | https://login.microsoftonline.us/ |
275276

276277
1. For Azure China 21Vianet customers, set the following key values:
277278

278279
| Registry key | Value |
279280
|--------------------|-----------------------------------|
280281
| AZURE_MFA_HOSTNAME | strongauthenticationservice.auth.microsoft.cn |
282+
| AZURE_MFA_RESOURCE_HOSTNAME | adnotifications.windowsazure.cn |
281283
| STS_URL | https://login.chinacloudapi.cn/ |
282284

283285
1. Repeat the previous two steps to set the registry key values for each NPS server.
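Review bot: The new AZURE_MFA_RESOURCE_HOSTNAME rows are added to both sovereign-cloud tables with no accompanying text, so an NPS server that was configured from the earlier two-row tables would have AZURE_MFA_HOSTNAME and STS_URL set and nothing for the new key. Add a sentence above the tables stating that all three values must be set on every NPS server, so existing Azure Government and Azure China 21Vianet deployments know to revisit the registry. The header separator row could also be widened so the longer key name stays aligned in the source.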

articles/active-directory/saas-apps/f5-big-ip-oracle-jd-edwards-easy-button.md

Lines changed: 1 addition & 1 deletion
@@ -351,4 +351,4 @@ If you don’t see a BIG-IP error page, then the issue is probably more related
351351

352352
2. The **View Variables** link in this location may also help root cause SSO issues, particularly if the BIG-IP APM fails to obtain the right attributes from Azure AD or another source
353353

354-
See [BIG-IP APM variable assign examples](https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference](https://techdocs.f5.com/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.
354+
See [BIG-IP APM variable assign examples](https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference](https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.

articles/active-directory/saas-apps/servicenow-tutorial.md

Lines changed: 12 additions & 16 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: saas-app-tutorial
1010
ms.workload: identity
1111
ms.topic: tutorial
12-
ms.date: 07/21/2021
12+
ms.date: 04/06/2022
1313
ms.author: jeedes
1414
---
1515

@@ -29,11 +29,11 @@ To get started, you need the following items:
2929

3030
* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
3131
* A ServiceNow single sign-on (SSO) enabled subscription.
32-
* For ServiceNow, an instance or tenant of ServiceNow supports Calgary, Kingston, London, Madrid, New York, Orlando and Paris versions or later.
32+
* For ServiceNow, an instance or tenant of ServiceNow supports Calgary, Kingston, London, Madrid, New York, Orlando, Paris and San Diego versions or later.
3333
* For ServiceNow Express, an instance of ServiceNow Express, Helsinki version or later.
3434
* The ServiceNow tenant must have the [Multiple Provider Single Sign On Plugin](https://old.wiki/index.php/Multiple_Provider_Single_Sign-On#gsc.tab=0) enabled.
3535
* For automatic configuration, enable the multi-provider plugin for ServiceNow.
36-
* To install the ServiceNow Classic (Mobile) application, go to the appropriate store, and search for the ServiceNow Classic application. Then download it.
36+
* To install the ServiceNow Agent (Mobile) application, go to the appropriate store, and search for the ServiceNow Agent application. Then download it.
3737

3838
> [!NOTE]
3939
> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
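Review bot: The updated version bullet goes from Paris straight to San Diego, skipping the Quebec and Rome releases that sit between them, and the trailing "or later" already covers every release after the first name in the list. Either list the releases without gaps or shorten the bullet to the earliest supported release followed by "or later", which also removes the need to edit this line at each new ServiceNow release.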
@@ -46,7 +46,7 @@ In this tutorial, you configure and test Azure AD SSO in a test environment.
4646

4747
* ServiceNow supports [Automated user provisioning](servicenow-provisioning-tutorial.md).
4848

49-
* You can configure the ServiceNow Classic (Mobile) application with Azure AD for enabling SSO. It supports both Android and iOS users. In this tutorial, you configure and test Azure AD SSO in a test environment.
49+
* You can configure the ServiceNow Agent (Mobile) application with Azure AD for enabling SSO. It supports both Android and iOS users. In this tutorial, you configure and test Azure AD SSO in a test environment.
5050

5151
## Add ServiceNow from the gallery
5252

@@ -73,7 +73,7 @@ To configure and test Azure AD SSO with ServiceNow, perform the following steps:
7373
1. [Create a ServiceNow test user](#create-servicenow-test-user) to have a counterpart of B.Simon in ServiceNow, linked to the Azure AD representation of the user.
7474
1. [Configure ServiceNow Express SSO](#configure-servicenow-express-sso) to configure the single sign-on settings on the application side.
7575
3. [Test SSO](#test-sso) to verify whether the configuration works.
76-
4. [Test SSO for ServiceNow Classic (Mobile)](#test-sso-for-servicenow-classic-mobile) to verify whether the configuration works.
76+
4. [Test SSO for ServiceNow Agent (Mobile)](#test-sso-for-servicenow-agent-mobile) to verify whether the configuration works.
7777

7878
## Configure Azure AD SSO
7979
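Review bot: Step 4's fragment changes from #test-sso-for-servicenow-classic-mobile to #test-sso-for-servicenow-agent-mobile, which follows the renamed heading, but any link elsewhere that targets the old fragment will no longer resolve to the section. Search the repository for the old fragment before merging. The numbering in this list is also mixed (1., 1., 3., 4.); use one style throughout.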

@@ -460,29 +460,25 @@ The objective of this section is to create a user called B.Simon in ServiceNow.
460460

461461
When you select the ServiceNow tile in the Access Panel, you should be automatically signed in to the ServiceNow for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
462462

463-
## Test SSO for ServiceNow Classic (Mobile)
463+
## Test SSO for ServiceNow Agent (Mobile)
464464

465-
1. Open your **ServiceNow Classic (Mobile)** application, and perform the following steps:
465+
1. Open your **ServiceNow Agent (Mobile)** application, and perform the following steps:
466466

467-
a. Select the plus sign in the lower-right corner.
467+
b. Enter your ServiceNow instance address, nickname and select **Save and Login**.
468468

469-
![Screenshot of ServiceNow Classic application, with plus sign highlighted](./media/servicenow-tutorial/test-03.png)
470-
471-
b. Enter your ServiceNow instance name, and select **Continue**.
472-
473-
![Screenshot of Add Instance page, with Continue highlighted](./media/servicenow-tutorial/test-04.png)
469+
![Screenshot of Add Instance page, with Continue highlighted](./media/servicenow-tutorial/mobile-instance.png)
474470

475471
c. On the **Log in** page, perform the following steps:
476472

477-
![Screenshot of Log in page, with Use external login highlighted](./media/servicenow-tutorial/test-01.png)
473+
![Screenshot of Log in page, with Use external login highlighted](./media/servicenow-tutorial/mobile-login.png)
478474

479475
* Enter **Username**, like [email protected].
480476

481-
* Select **USE EXTERNAL LOGIN**. You're redirected to the Azure AD page for sign-in.
477+
* Select **Use external login**. You're redirected to the Azure AD page for sign-in.
482478

483479
* Enter your credentials. If there is any third-party authentication, or any other security feature enabled, the user must respond accordingly. The application **Home page** appears.
484480

485-
![Screenshot of the application home page](./media/servicenow-tutorial/test-02.png)
481+
![Screenshot of the application home page](./media/servicenow-tutorial/mobile-landing-page.png)
486482

487483
## Next Steps
488484
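Review bot: Removing sub-step a. leaves the procedure under step 1 starting at "b." and continuing with "c.", so the sub-steps should be relettered to a. and b. The alt text on the new mobile-instance.png image still says "Screenshot of Add Instance page, with Continue highlighted" although the step now ends with **Save and Login**; update the alt text to describe the new screenshot.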

articles/app-service/app-service-best-practices.md

Lines changed: 11 additions & 0 deletions
@@ -21,6 +21,13 @@ When Azure resources composing a solution such as a web app and a database are l
2121

2222
Colocation in the same region is best for Azure resources composing a solution such as a web app and a database or storage account used to hold content or data. When creating resources, make sure they are in the same Azure region unless you have specific business or design reason for them not to be. You can move an App Service app to the same region as your database by using the [App Service cloning feature](app-service-web-app-cloning.md) currently available for Premium App Service Plan apps.
2323

24+
## <a name ="certificatepinning"></a>Certificate Pinning
25+
Applications should never have a hard dependency or pin to the default \*.azurewebsites.net TLS certificate because the \*.azurewebsites.net TLS certificate could be rotated anytime given the nature of App Service as a Platform as a Service (PaaS). Certificate pinning is a practice where an application only allows a specific list of acceptable Certificate Authorities (CAs), public keys, thumbprints, or any part of the certificate hierarchy. In the event that the service rotates the App Service default wildcard TLS certificate, certificate pinned applications will break and disrupt the connectivity for applications that are hardcoded to a specific set of certificate attributes. The periodicity with which the \*.azurewebsites.net TLS certificate is rotated is also not guaranteed since the rotation frequency can change at any time.
26+
27+
Note that applications which rely on certificate pinning should also not have a hard dependency on an App Service Managed Certificate. App Service Managed Certificates could be rotated anytime, leading to similar problems for applications that rely on stable certificate properties. It is best practice to provide a custom TLS certificate for applications that rely on certificate pinning.
28+
29+
If an application needs to rely on certificate pinning behavior, it is recommended to add a custom domain to a web app and provide a custom TLS certificate for the domain which can then be relied on for certificate pinning.
30+
2431
## <a name="memoryresources"></a>When apps consume more memory than expected
2532
When you notice an app consumes more memory than expected as indicated via monitoring or service recommendations, consider the [App Service Auto-Healing feature](https://azure.microsoft.com/blog/auto-healing-windows-azure-web-sites). One of the options for the Auto-Healing feature is taking custom actions based on a memory threshold. Actions span the spectrum from email notifications to investigation via memory dump to on-the-spot mitigation by recycling the worker process. Auto-healing can be configured via web.config and via a friendly user interface as described at in this blog post for the [App Service Support Site Extension](https://azure.microsoft.com/blog/additional-updates-to-support-site-extension-for-azure-app-service-web-apps).
2633
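Review bot: The new Certificate Pinning section recommends a custom TLS certificate as the thing to pin on, but does not say that a custom certificate is also renewed or replaced, so a client pinned to its thumbprint breaks at renewal just as it would with the \*.azurewebsites.net certificate; the difference is only that the owner controls the timing. Add a sentence on planning pin updates ahead of renewal. The second and third added paragraphs also repeat the same recommendation and could be merged, and `<a name ="certificatepinning">` has a stray space before `=` that the other anchors in the file (`<a name="memoryresources">`) do not.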

@@ -61,6 +68,10 @@ When backup failures happen, review most recent results to understand which type
6168
## <a name="nodejs"></a>When new Node.js apps are deployed to Azure App Service
6269
Azure App Service default configuration for Node.js apps is intended to best suit the needs of most common apps. If configuration for your Node.js app would benefit from personalized tuning to improve performance or optimize resource usage for CPU/memory/network resources, see [Best practices and troubleshooting guide for Node applications on Azure App Service](app-service-web-nodejs-best-practices-and-troubleshoot-guide.md). This article describes the iisnode settings you may need to configure for your Node.js app, describes the various scenarios or issues that your app may be facing, and shows how to address these issues.
6370

71+
## <a name=""></a>When Internet of Things (IoT) devices are connected to apps on App Service
72+
There are a few scenarios where you can improve your environment when running Internet of Things (IoT) devices that are connected to App Service. One very common practice with IoT devices is "certificate pinning". To avoid any unforseen downtime due to changes in the service's managed certificates, you should never pin certificates to the default \*.azurewebsites.net certificate nor to an App Service Managed Certificate. If your system needs to rely on certificate pinning behavior, it is recommended to add a custom domain to a web app and provide a custom TLS certificate for the domain which can then be relied on for certificate pinning. You can refer to the [certificate pinning](#certificatepinning) section of this article for more information.
73+
74+
To increase resiliency in your environment, you should not rely on a single endpoint for all your devices. You should at least host your web apps in two different regions to avoid a single point of failure and be ready to failover traffic. On App Service, you can add identical custom domain to different web apps as long as these web apps are hosted in different regions. This ensures that if you need to pin certificates, you can also pin on the custom TLS certificate that you provided. Another option would be to use a load balancer in front of the web apps, such as Azure Front Door or Traffic Manager, to ensure high availabilty for your web apps. You can refer to [Quickstart: Create a Front Door for a highly available global web application](../frontdoor/quickstart-create-front-door.md) or [Controlling Azure App Service traffic with Azure Traffic Manager](./web-sites-traffic-manager.md) for more information.
6475

6576
## Next Steps
6677
For more information on best practices, visit [App Service Diagnostics](./overview-diagnostics.md) to find out actionable best practices specific to your resource.
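Review bot: The new IoT heading carries `<a name=""></a>`, an empty anchor name that cannot be linked to and differs from the named anchors on the other headings (`<a name="nodejs">`); give it a name or drop the tag. Two typos in the added paragraphs: "unforseen" should be "unforeseen" and "availabilty" should be "availability". In the second paragraph, "add identical custom domain to different web apps" needs an article ("the same custom domain").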
