Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into rolyon-aadroles-roles-organizational-messages-writer

Author: rolyon

articles/active-directory/authentication/howto-authentication-temporary-access-pass.md

@@ -142,10 +142,15 @@ Users managing their security information at [https://aka.ms/mysecurityinfo](htt
 ![Screenshot of how users can manage a Temporary Access Pass in My Security Info.](./media/how-to-authentication-temporary-access-pass/tap-my-security-info.png)
 
 ### Windows device setup
-Users with a Temporary Access Pass can navigate the setup process on Windows 10 and 11 to perform device join operations and configure Windows Hello For Business. Temporary Access Pass usage for setting up Windows Hello for Business varies based on the devices joined state: 
-- During Azure AD Join setup, users can authenticate with a TAP (no password required) and setup Windows Hello for Business.
-- On already Azure AD Joined devices, users must first authenticate with another method such as a password, smartcard or FIDO2 key, before using TAP to set up Windows Hello for Business. 
-- On Hybrid Azure AD Joined devices, users must first authenticate with another method such as a password, smartcard or FIDO2 key, before using TAP to set up Windows Hello for Business. 
+Users with a Temporary Access Pass can navigate the setup process on Windows 10 and 11 to perform device join operations and configure Windows Hello for Business. Temporary Access Pass usage for setting up Windows Hello for Business varies based on the devices joined state. 
+
+For Azure AD Joined devices: 
+- During the Azure AD Join setup process, users can authenticate with a TAP (no password required) to join the device and register Windows Hello for Business.
+- On already joined devices, users must first authenticate with another method such as a password, smartcard or FIDO2 key, before using TAP to set up Windows Hello for Business. 
+- If the [Web sign-in](https://learn.microsoft.com/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) feature on Windows is also enabled, the user can use TAP to sign into the device. This is intended only for completing initial device setup, or recovery when the user does not know or have a password. 
+
+For Hybrid Azure AD Joined devices: 
+- Users must first authenticate with another method such as a password, smartcard or FIDO2 key, before using TAP to set up Windows Hello for Business. 
 
 ![Screenshot of how to enter Temporary Access Pass when setting up Windows 10.](./media/how-to-authentication-temporary-access-pass/windows-10-tap.png)
 

articles/active-directory/fundamentals/10-secure-local-guest.md

@@ -0,0 +1,87 @@
+---
+title: Convert local guests into Azure AD B2B guest accounts
+description: Learn how to convert local guests into Azure AD B2B guest accounts 
+services: active-directory 
+author: gargi-sinha
+ms.author: gasinh
+manager: martinco
+ms.date: 11/03/2022
+ms.topic: how-to
+ms.service: active-directory
+ms.subservice: enterprise-users
+ms.workload: identity
+ms.custom: it-pro
+ms.collection: M365-identity-device-management
+---
+
+# Convert local guests into Azure Active Directory B2B guest accounts
+
+Azure Active Directory (Azure AD B2B) allows external users to collaborate using their own identities. However, it isn't uncommon for organizations to issue local usernames and passwords to external users. This approach isn't recommended as the bring-your-own-identity (BYOI) capabilities provided
+by Azure AD B2B to provide better security, lower cost, and reduce
+complexity when compared to local account creation. Learn more
+[here.](https://learn.microsoft.com/azure/active-directory/fundamentals/secure-external-access-resources)
+
+If your organization currently issues local credentials that external users have to manage and would like to migrate to using Azure AD B2B instead, this document provides a guide to make the transition as seamlessly as possible.
+
+## Identify external-facing applications
+
+Before migrating local accounts to Azure AD B2B, admins should understand what applications and workloads these external users need to access. For example, if external users need access to an application that is hosted on-premises, admins will need to validate that the application is integrated with Azure AD and that a provisioning process is implemented to provision the user from Azure AD to the application.
+The existence and use of on-premises applications could be a reason why local accounts are created in the first place. Learn more about
+[provisioning B2B guests to on-premises
+applications.](https://learn.microsoft.com/azure/active-directory/external-identities/hybrid-cloud-to-on-premises)
+
+All external-facing applications should have single-sign on (SSO) and provisioning integrated with Azure AD for the best end user experience.
+
+## Identify local guest accounts
+
+Admins will need to identify which accounts should be migrated to Azure AD B2B. External identities in Active Directory should be easily identifiable, which can be done with an attribute-value pair. For example, making ExtensionAttribute15 = `External` for all external users. If these users are being provisioned via Azure AD Connect or Cloud Sync, admins can optionally configure these synced external users
+to have the `UserType` attributes set to `Guest`. If these users are being
+provisioned as cloud-only accounts, admins can directly modify the
+users' attributes. What is most important is being able to identify the
+users who you want to convert to B2B.
+
+## Map local guest accounts to external identities
+
+Once you've identified which external user accounts you want to
+convert to Azure AD B2B, you need to identify the BYOI identities or external emails for each user. For example, admins will need to identify that the local account ([email protected]) is a user whose home identity/email address is [email protected]. How to identify the home identities is up to the organization, but some examples include:
+
+- Asking the external user's sponsor to provide the information.
+
+- Asking the external user to provide the information.
+
+- Referring to an internal database if this information is already known and stored by the organization.
+
+Once the mapping of each external local account to the BYOI identity is done, admins will need to add the external identity/email to the user.mail attribute on each local account.
+
+## End user communications
+
+External users should be notified that the migration will be taking place and when it will happen. Ensure you communicate the expectation that external users will stop using their existing password and post-migration will authenticate with their own home/corporate credentials going forward. Communications can include email campaigns, posters, and announcements.
+
+## Migrate local guest accounts to Azure AD B2B
+
+Once the local accounts have their user.mail attributes populated with the external identity/email that they're mapped to, admins can [convert the local accounts to Azure AD B2B by inviting the local account.](https://learn.microsoft.com/azure/active-directory/external-identities/invite-internal-users)
+This can be done in the UX or programmatically via PowerShell or the Microsoft Graph API. Once complete, the users will no longer
+authenticate with their local password, but will instead authenticate with their home identity/email that was populated in the user.mail attribute. You've successfully migrated to Azure AD B2B.
+
+## Post-migration considerations
+
+If local accounts for external users were being synced from on-premises, admins should take steps to reduce their on-premises footprint and use cloud-native B2B guest accounts moving forward. Some possible actions can include:
+
+- Transition existing local accounts for external users to Azure AD B2B and stop creating local accounts. Post-migration, admins should invite external users natively in Azure AD.
+
+- Randomize the passwords of existing local accounts for external users to ensure they can't authenticate locally to on-premises resources. This will increase security by ensuring that authentication and user lifecycle is tied to the external user's home identity.
+
+## Next steps
+
+See the following articles on securing external access to resources. We recommend you take the actions in the listed order.
+
+1. [Determine your desired security posture for external access](1-secure-access-posture.md)
+1. [Discover your current state](2-secure-access-current-state.md)
+1. [Create a governance plan](3-secure-access-plan.md)
+1. [Use groups for security](4-secure-access-groups.md)
+1. [Transition to Azure AD B2B](5-secure-access-b2b.md)
+1. [Secure access with Entitlement Management](6-secure-access-entitlement-managment.md)
+1. [Secure access with Conditional Access policies](7-secure-access-conditional-access.md) 
+1. [Secure access with Sensitivity labels](8-secure-access-sensitivity-labels.md)
+1. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)
+1. [Secure local guest accounts](10-secure-local-guest.md) (You’re here)

articles/active-directory/fundamentals/secure-external-access-resources.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 09/13/2022
+ms.date: 11/03/2022
 ms.author: gasinh
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"
@@ -89,3 +89,5 @@ See the following articles on securing external access to resources. We recommen
 8. [Secure access with Sensitivity labels](8-secure-access-sensitivity-labels.md)
 
 9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)
+
+10. [Secure local guest accounts](10-secure-local-guest.md)

articles/active-directory/fundamentals/toc.yml

@@ -318,6 +318,8 @@ items:
         href: 8-secure-access-sensitivity-labels.md
       - name: 9 Secure access to Teams, SharePoint, and OneDrive
         href: 9-secure-access-teams-sharepoint.md
+      - name: 10 Secure local guest accounts
+        href: 10-secure-local-guest.md
     - name: Secure service accounts
       items:
       - name: Introduction to Azure service accounts

articles/advisor/advisor-how-to-performance-resize-high-usage-vm-recommendations.md

@@ -0,0 +1,68 @@
+---
+author: madewithsmiles
+ms.author: ngdiarra
+title: Improve the performance of highly used VMs using Azure Advisor
+description: Use Azure Advisor to improve the performance of your Azure virtual machines with consistent high utilization.
+ms.topic: article
+ms.date: 10/27/2022
+---
+
+# Improve the performance of highly used VMs using Azure Advisor
+
+Azure Advisor helps you improve the speed and responsiveness of your business-critical applications. You can get performance recommendations from the **Performance** tab on the Advisor dashboard.
+
+1. Sign in to the [**Azure portal**](https://portal.azure.com).
+
+1. Search for and select [**Advisor**](https://aka.ms/azureadvisordashboard) from any page.
+
+1. On the **Advisor** dashboard, select the **Performance** tab.
+
+## Optimize virtual machine (VM) performance by right-sizing highly utilized instances 
+
+You can improve the quality of your workload and prevent many performance-related issues (i.e., throttling, high latency) by regularly assessing your [performance efficiency](/azure/architecture/framework/scalability/overview). Performance efficiency is defined by the [Azure Well-Architected Framework](/azure/architecture/framework/) as the ability of your workload to adapt to changes in load. Performance efficiency is one of the five pillars of architectural excellence on Azure.  
+
+Unless by design, we recommend keeping your application's usage well below your virtual machine's size limits, so it can better operate and easily accommodate changes.
+
+Advisor aggregates various metrics over a minimum of 7 days, identifies virtual machines with consistent high utilization across those metrics, and finds better sizes (SKUs) for improved performance. Finally, Advisor examines capacity signals in Azure to frequently refresh the recommended SKUs, ensuring that they are available for deployment in the region.
+
+### Resize SKU recommendations
+
+Advisor recommends resizing virtual machines when use is consistently high (above predefined thresholds) given the running virtual machine's size limits.
+
+-	The recommendation algorithm evaluates **CPU**, **Memory**, **VM Cached IOPS Consumed Percentage**, and **VM Uncached Bandwidth Consumed Percentage** usage metrics
+- The observation period is the past 7 days from the day of the recommendation
+- Metrics are sampled every 30 seconds, aggregated to 1 minute and then further aggregated to 30 minutes (taking the average of 1-minute average values while aggregating to 30 minutes)
+- A SKU upgrade for virtual machines is decided given the following criteria: 
+  - For each metric, we create a new feature from the P50 (median) of its 30-mins averages aggregated over the observation period. Therefore, a virtual machine is identified as a candidate for a resize if:
+    * _Both_ `CPU` and `Memory` features are >= *90%* of the current SKU's limits
+    * Otherwise, _either_ 
+        * The `VM Cached IOPS` feature is >= to *95%* of the current SKU's limits, and the current SKU's max local disk IOPS is >= to its network disk IOPS. _or_
+        * the `VM Uncached Bandwidth` feature is >= *95%* of the current SKU's limits, and the current SKU's max network disk throttle limits are >= to its local disk throttle units  
+- We ensure the following:
+  - The current workload utilization will be better on the new SKU's given that it has higher limits and better performance guarantees
+  - The new SKU has the same Accelerated Networking and Premium Storage capabilities 
+  - The new SKU is supported and ready for deployment in the same region as the running virtual machine
+
+
+In some cases, recommendations can't be adopted or might not be applicable, such as some of these common scenarios (there may be other cases):
+- The virtual machine is short-lived
+- The current virtual machine has already been provisioned to accommodate upcoming traffic
+- Specific testing being done using the current SKU, even if not utilized efficiently
+- There's a need to keep the virtual machine as-is
+
+In such cases, simply use the Dismiss/Postpone options associated with the recommendation. 
+
+We're constantly working on improving these recommendations. Feel free to share feedback on [Advisor Forum](https://aka.ms/advisorfeedback).
+
+## Next steps
+
+To learn more about Advisor recommendations and best practices, see:
+* [Get started with Advisor](advisor-get-started.md)
+* [Introduction to Advisor](advisor-overview.md)
+* [Advisor score](azure-advisor-score.md)
+* [Advisor performance recommendations](advisor-reference-performance-recommendations.md)
+* [Advisor cost recommendations (full list)](advisor-reference-cost-recommendations.md)
+* [Advisor reliability recommendations](advisor-reference-reliability-recommendations.md)
+* [Advisor security recommendations](advisor-security-recommendations.md)
+* [Advisor operational excellence recommendations](advisor-reference-operational-excellence-recommendations.md)
+* [The Microsoft Azure Well-Architected Framework](/azure/architecture/framework/)

articles/advisor/advisor-reference-performance-recommendations.md

@@ -247,6 +247,12 @@ Ultra disk is available in the same region as your database workload. Ultra disk
 
 Learn more about [Virtual machine - AzureStorageVmUltraDisk (Take advantage of Ultra Disk low latency for your log disks and improve your database workload performance.)](../virtual-machines/disks-enable-ultra-ssd.md?tabs=azure-portal).
 
+### Upgrade the size of your virtual machines close to resource exhaustion
+
+We analyzed data for the past 7 days and identified virtual machines (VMs) with high utilization across different metrics (i.e., CPU, Memory, and VM IO). Those VMs may experience performance issues since they are nearing/at their SKU's limits. Consider upgrading their SKU to improve performance.
+
+Learn more about [Virtual machine - Improve the performance of highly used VMs using Azure Advisor](https://aka.ms/aa_resizehighusagevmrec_learnmore)
+
 ## Kubernetes
 
 ### Unsupported Kubernetes version is detected

articles/advisor/toc.yml

@@ -46,6 +46,8 @@
     href: advisor-cost-recommendations.md
   - name: Improve security
     href: advisor-security-recommendations.md
+  - name: Improve the performance of highly used VMs
+    href: advisor-how-to-performance-resize-high-usage-vm-recommendations.md
   - name: Use tags to filter recommendations and score
     href: advisor-tag-filtering.md
   - name: Configure recommendations

articles/aks/private-clusters.md

@@ -151,7 +151,7 @@ As mentioned, virtual network peering is one way to access your private cluster.
 
 2. The private DNS zone is linked only to the VNet that the cluster nodes are attached to (3). This means that the private endpoint can only be resolved by hosts in that linked VNet. In scenarios where no custom DNS is configured on the VNet (default), this works without issue as hosts point at 168.63.129.16 for DNS that can resolve records in the private DNS zone because of the link.
 
-3. In scenarios where the VNet containing your cluster has custom DNS settings (4), cluster deployment fails unless the private DNS zone is linked to the VNet that contains the custom DNS resolvers (5). This link can be created manually after the private zone is created during cluster provisioning or via automation upon detection of creation of the zone using event-based deployment mechanisms (for example, Azure Event Grid and Azure Functions).
+3. In scenarios where the VNet containing your cluster has custom DNS settings (4), cluster deployment fails unless the private DNS zone is linked to the VNet that contains the custom DNS resolvers (5). This link can be created manually after the private zone is created during cluster provisioning or via automation upon detection of creation of the zone using event-based deployment mechanisms (for example, Azure Event Grid and Azure Functions). To avoid cluster failure during initial deployment, the cluster can be deployed with the private DNS zone resource ID. This only works with resource type Microsoft.ContainerService/managedCluster and API version 2022-07-01. Using an older version with an ARM template or Bicep resource definition is not supported.
 
 > [!NOTE]
 > Conditional Forwarding doesn't support subdomains.
@@ -257,4 +257,4 @@ Once the A record is created, link the private DNS zone to the virtual network t
 [container-registry-private-link]: ../container-registry/container-registry-private-link.md
 [virtual-networks-name-resolution]: ../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server
 [virtual-networks-168.63.129.16]: ../virtual-network/what-is-ip-address-168-63-129-16.md
-[use-custom-domains]: coredns-custom.md#use-custom-domains
+[use-custom-domains]: coredns-custom.md#use-custom-domains