Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into pauljewell-upload-download

Author: pauljewellmsft

articles/active-directory/roles/protected-actions-add.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: roles
 ms.workload: identity
 ms.topic: how-to
-ms.date: 04/10/2022
+ms.date: 04/21/2023
 ---
 
 # Add, test, or remove protected actions in Azure AD (preview)
@@ -45,14 +45,18 @@ Protected actions use a Conditional Access authentication context, so you must c
 
 1. Create a new policy and select your authentication context.
 
-    For more information, see [Conditional Access: Cloud apps, actions, and authentication context](../conditional-access/concept-conditional-access-cloud-apps.md).
+    For more information, see [Conditional Access: Cloud apps, actions, and authentication context](../conditional-access/concept-conditional-access-cloud-apps.md#authentication-context).
 
     :::image type="content" source="media/protected-actions-add/policy-authentication-context.png" alt-text="Screenshot of New policy page to create a new policy with an authentication context." lightbox="media/protected-actions-add/policy-authentication-context.png":::
 
 ## Add protected actions
 
 To add protection actions, assign a Conditional Access policy to one or more permissions using a Conditional Access authentication context.
 
+1. Select **Azure Active Directory** > **Protect & secure** > **Conditional Access** > **Policies**.
+
+1. Make sure the state of the Conditional Access policy that you plan to use with your protected action is set to **On** and not **Off** or **Report-only**.
+
 1. Select **Azure Active Directory** > **Roles & admins** > **Protected actions (Preview)**.
 
     :::image type="content" source="media/protected-actions-add/protected-actions-start.png" alt-text="Screenshot of Add protected actions page in Roles and administrators." lightbox="media/protected-actions-add/protected-actions-start.png":::
@@ -173,6 +177,22 @@ The user has previously satisfied policy. For example, the completed multifactor
 
 Check the [Azure AD sign-in events](../conditional-access/troubleshoot-conditional-access.md) to troubleshoot. The sign-in events will include details about the session, including if the user has already completed multifactor authentication. When troubleshooting with the sign-in logs, it's also helpful to check the policy details page, to confirm an authentication context was requested.  
 
+### Symptom - Policy is never satisfied
+
+When you attempt to perform the requirements for the Conditional Access policy, the policy is never satisfied and you keep getting requested to reauthenticate.
+
+**Cause**
+
+The Conditional Access policy wasn't created or the policy state is **Off** or **Report-only**.
+
+**Solution**
+
+Create the Conditional Access policy if it doesn't exist or and set the state to **On**.
+
+If you aren't able to access the Conditional Access page because of the protected action and repeated requests to reauthenticate, use the following link to open the Conditional Access page.
+
+- [https://aka.ms/MSALProtectedActions](https://aka.ms/MSALProtectedActions)
+
 ### Symptom - No access to add protected actions
 
 When signed in you don't have permissions to add or remove protected actions.

articles/active-directory/roles/protected-actions-overview.md

@@ -57,7 +57,7 @@ Here's the initial set of permissions:
 
 ## How do protected actions compare with Privileged Identity Management role activation?
 
-[Privileged Identity Management role activation](../privileged-identity-management/pim-how-to-change-default-settings.md) can also be assigned Conditional Access policies. This capability allows for policy enforcement only when a user activates a role, providing the most comprehensive protection. Protected actions are enforced only when a user takes an action that requires permissions with Conditional Access policy assigned to it. Protected actions allows for high impact permissions to be protected, independent of a user role. Privileged Identity Management role activation and protected actions can be used together, for the strongest coverage.
+[Privileged Identity Management role activation](../privileged-identity-management/pim-how-to-change-default-settings.md) can also be assigned Conditional Access policies. This capability allows for policy enforcement only when a user activates a role, providing the most comprehensive protection. Protected actions are enforced only when a user takes an action that requires permissions with Conditional Access policy assigned to it. Protected actions allow for high impact permissions to be protected, independent of a user role. Privileged Identity Management role activation and protected actions can be used together for stronger coverage.
 
 ## Steps to use protected actions
 
@@ -67,7 +67,7 @@ Here's the initial set of permissions:
 
 1. **Configure Conditional Access policy**
 
-    Configure a Conditional Access authentication context and an associated Conditional Access policy. Protected actions use an authentication context, which allows policy enforcement for fine-grain resources in a service, like Azure AD permissions. A good policy to start with is to require passwordless MFA and exclude an emergency account. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#authentication-context)
+    Configure a Conditional Access authentication context and an associated Conditional Access policy. Protected actions use an authentication context, which allows policy enforcement for fine-grain resources in a service, like Azure AD permissions. A good policy to start with is to require passwordless MFA and exclude an emergency account. [Learn more](./protected-actions-add.md#configure-conditional-access-policy)
 
 1. **Add protected actions**
 

articles/active-directory/verifiable-credentials/TOC.yml

@@ -88,6 +88,8 @@
   items:
   - name: Remote onboarding
     href: remote-onboarding-new-employees-id-verification.md
+  - name: LinkedIn employment verification
+    href: linkedin-employment-verification.md
 - name: Reference
   expanded: true
   items:

articles/active-directory/verifiable-credentials/linkedin-employment-verification.md

@@ -0,0 +1,87 @@
+---
+title: LinkedIn employment verification
+description: A design pattern describing how to configure employment verification using LinkedIn
+services: decentralized-identity
+author: barclayn
+manager: amycolannino
+ms.service: decentralized-identity
+ms.subservice: verifiable-credentials
+ms.topic: conceptual
+ms.date: 04/21/2023
+ms.author: barclayn
+---
+
+# LinkedIn employment verification
+
+If your organization wants its employees get verified on LinkedIn, you need to follow these few steps:
+
+1. Setup your Microsoft Entra Verified ID service by following these [instructions](verifiable-credentials-configure-tenant.md).
+1. [Create](how-to-use-quickstart-verifiedemployee.md#create-a-verified-employee-credential) a Verified ID Employee credential.
+1. Configure the LinkedIn company page  with your organization DID (decentralized identity) and URL of the custom Webapp.
+1. Once you deploy the updated LinkedIn mobile app your employees can get verified.
+
+>[!NOTE]
+> Review LinkedIn's documentation for information on [verifications on LinkedIn profiles.](https://www.linkedin.com/help/linkedin/answer/a1359065).
+
+## Deploying custom Webapp
+
+Deploying this custom webapp from [GitHub](https://github.com/Azure-Samples/VerifiedEmployeeIssuance) allows an administrator to have control over who can get verified and change which information is shared with LinkedIn.
+There are two reasons to deploy the custom webapp for LinkedIn Employment verification.
+
+1. You need control over who can get verified on LinkedIn. The webapp allows you to use user assignments to grant access.
+1. You want more control over the issuance of the Verified Employee ID. By default, the Employee Verified ID contains a few claims:
+
+   - ```firstname```
+   - ```lastname```
+   - ```displayname```
+   - ```jobtitle```
+   - ```upn```
+   - ```email```
+   - ```photo```
+
+>[!NOTE]
+>The web app can be modified to remove claims, for example, you may choose to remove the photo claim.
+
+Installation instructions for the Webapp can be found in the [GitHub repository](https://github.com/Azure-Samples/VerifiedEmployeeIssuance/blob/main/ReadmeFiles/Deployment.md)
+
+## Architecture overview
+
+Once the administrator configures the company page on LinkedIn, employees can get verified. Below are the high-level steps for LinkedIn integration:
+
+1. User starts the LinkedIn mobile app. 
+1. The mobile app retrieves information from the LinkedIn backend and checks if the company is enabled for employment verification and it retrieves a URL to the custom Webapp.
+1. If the company is enabled, the user can tap on the verify employment link, and the user is sent to the Webapp in a web view.
+1. The user needs to provide their corporate credentials to sign in.
+1. The Webapp retrieves the user profile from Microsoft Graph including, ```firstname```, ```lastname```, ```displayname```, ```jobtitle```, ```upn```, ```email``` and ```photo``` and call the Microsoft Entra Verified ID service with the profile information.
+1. The Microsoft Entra Verified ID service creates a verifiable credentials issuance request and returns the URL of that specific request.
+1. The Webapp redirects back to the LinkedIn app with this specific URL.
+1. LinkedIn app wallet communicates with the Microsoft Entra Verified ID services to get the Verified Employment VC issued in their wallet, which is part of the LinkedIn mobile app.
+1. The LinkedIn app then verifies the received verifiable credential.
+1. If the verification is completed, they change the status to ‘verified’ in their backend system and is visible to other users of LinkedIn.
+ 
+The diagram below shows the dataflow of the entire solution.
+
+   ![Diagram showing a high-level flow.](media/linkedin-employment-verification/linkedin-employee-verification.png)
+
+
+## Frequently asked questions
+
+### Can I use Microsoft Authenticator to store my Employee Verified ID and use it to get verified on LinkedIn?
+
+Currently the solution works through the embedded webview. In the future LinkedIn allows us to use Microsoft authenticator or any compatible custom wallet to verify employment. The myaccount page will also be updated to allow issuance of the verified employee ID to Microsoft Authenticator.
+
+### How do users sign-in?
+
+The Webapp is protected using Microsoft Entra Azure Active directory. Users sign-in according to the administrator's policy, either with passwordless, regular username and password, with or without MFA, etc. This is proof a user is allowed to get issued a verified employee ID.
+
+### What happens when an employee leaves the organization?
+
+Nothing by default. You can choose the revoke the Verified Employee ID but currently LinkedIn isn't checking for that status.
+
+### What happens when my Verified Employee ID expires?
+
+LinkedIn asks you again to get verified, if you don’t, the verified checkmark is removed from your profile.
+
+### Can former employees use this feature to get verified?
+
+Currently this option only verifies current employment.

articles/active-directory/verifiable-credentials/media/linkedin-employment-verification/linkedin-employee-verification.png

@@ -87,17 +87,19 @@ The following table compares features available in the managed gateway versus th
 | API | Managed (Dedicated)  | Managed (Consumption) | Self-hosted  |
 | --- | ----- | ----- | ---------- |
 | [OpenAPI specification](import-api-from-oas.md) |  ✔️ | ✔️ | ✔️ |
-| [WSDL specification)](import-soap-api.md) |  ✔️ | ✔️ | ✔️ |
+| [WSDL specification](import-soap-api.md) |  ✔️ | ✔️ | ✔️ |
 | WADL specification |  ✔️ | ✔️ | ✔️ |
 | [Logic App](import-logic-app-as-api.md) |  ✔️ | ✔️ | ✔️ |
 | [App Service](import-app-service-as-api.md) |  ✔️ | ✔️ | ✔️ |
 | [Function App](import-function-app-as-api.md) |  ✔️ | ✔️ | ✔️ |
 | [Container App](import-container-app-with-oas.md) |  ✔️ | ✔️ | ✔️ |
 | [Service Fabric](../service-fabric/service-fabric-api-management-overview.md) |  Developer, Premium |  ❌ | ❌ |
 | [Pass-through GraphQL](graphql-apis-overview.md) |  ✔️ | ✔️ | ❌ |
-| [Synthetic GraphQL](graphql-apis-overview.md)|  ✔️ |  ✔️ | ❌ |
+| [Synthetic GraphQL](graphql-apis-overview.md)|  ✔️ |  ✔️<sup>1</sup> | ❌ |
 | [Pass-through WebSocket](websocket-api.md) |  ✔️ |  ❌ | ✔️ |
 
+<sup>1</sup> Synthetic GraphQL subscriptions (preview) aren't supported in the Consumption tier.
+
 ### Policies
 
 Managed and self-hosted gateways support all available [policies](api-management-policies.md) in policy definitions with the following exceptions.

articles/api-management/api-management-gateways-overview.md

@@ -25,7 +25,7 @@ API Management helps you import, manage, protect, test, publish, and monitor Gra
 
 * GraphQL APIs are supported in all API Management service tiers
 * Pass-through and synthetic GraphQL APIs currently aren't supported in a self-hosted gateway
-* GraphQL subscription support in synthetic GraphQL APIs is currently in preview
+* Support for GraphQL subscriptions in synthetic GraphQL APIs is currently in preview and isn't available in the Consumption tier
 
 ## What is GraphQL?
 

articles/api-management/graphql-apis-overview.md

@@ -350,7 +350,9 @@
     href: https://azure.microsoft.com/develop/iot/
   - name: Azure Roadmap
     href: https://azure.microsoft.com/roadmap/?category=iot
-  - name: Azure IoT Tools for Visual Studio Code
+  - name: Azure IoT Edge for Visual Studio Code
+    href: https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-edge
+  - name: Azure IoT Hub extension for Visual Studio Code
     href: https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit
   - name: Azure IoT Explorer tool
     href: https://github.com/Azure/azure-iot-explorer

articles/iot-edge/TOC.yml

@@ -7,7 +7,7 @@ author: HeidiSteen
 ms.author: heidist
 ms.service: cognitive-search
 ms.topic: conceptual
-ms.date: 01/31/2023
+ms.date: 04/21/2023
 ---
 
 # Incremental enrichment and caching in Azure Cognitive Search
@@ -80,23 +80,19 @@ If you know that a change to the skill is indeed superficial, you should overrid
 Setting this parameter ensures that only updates to the skillset definition are committed and the change isn't evaluated for effects on the existing cache. Use a preview API version, 2020-06-30-Preview or later.
 
 ```http
-PUT https://[servicename].search.windows.net/skillsets/[skillset name]?api-version=2020-06-30-Preview
-    {
-        "disableCacheReprocessingChangeDetection" : true
-    }
+PUT https://[servicename].search.windows.net/skillsets/[skillset name]?api-version=2020-06-30-Preview&disableCacheReprocessingChangeDetection
+  
 ```
 
 <a name="Bypass-data-source-check"></a>
 
 ### Bypass data source validation checks
 
-Most changes to a data source definition will invalidate the cache. However, for scenarios where you know that a change should not invalidate the cache - such as changing a connection string or rotating the key on the storage account - append the "ignoreResetRequirement" parameter on the data source update. Setting this parameter to true allows the commit to go through, without triggering a reset condition that would result in all objects being rebuilt and populated from scratch.
+Most changes to a data source definition will invalidate the cache. However, for scenarios where you know that a change should not invalidate the cache - such as changing a connection string or rotating the key on the storage account - append the "ignoreResetRequirement" parameter on the [data source update](/rest/api/searchservice/update-data-source). Setting this parameter to true allows the commit to go through, without triggering a reset condition that would result in all objects being rebuilt and populated from scratch.
 
 ```http
-PUT https://[search service].search.windows.net/datasources/[data source name]?api-version=2020-06-30-Preview
-    {
-        "ignoreResetRequirement" : true
-    }
+PUT https://[search service].search.windows.net/datasources/[data source name]?api-version=2020-06-30-Preview&ignoreResetRequirement
+ 
 ```
 
 <a name="Force-skillset-evaluation"></a>
@@ -181,9 +177,13 @@ REST API version `2020-06-30-Preview` or later provides incremental enrichment t
 
 + [Update Data Source](/rest/api/searchservice/update-data-source), when called with a preview API version, provides a new parameter named "ignoreResetRequirement", which should be set to true when your update action should not invalidate the cache. Use "ignoreResetRequirement" sparingly as it could lead to unintended inconsistency in your data that will not be detected easily.
 
+## Limitations
+
+If you are using [SharePoint indexer (Preview](search-howto-index-sharepoint-online.md), it is not recommended that the Incremental enrichment feature is used. There are conditions that may rise when indexing with this preview feature that would require to reset the indexer and invalidate the cache.
+
 ## Next steps
 
 Incremental enrichment is a powerful feature that extends change tracking to skillsets and AI enrichment. Incremental enrichment enables reuse of existing processed content as you iterate over skillset design. As a next step, enable caching on your indexers.
 
 > [!div class="nextstepaction"]
-> [Enable caching for incremental enrichment](search-howto-incremental-index.md)
+> [Enable caching for incremental enrichment](search-howto-incremental-index.md)

articles/search/cognitive-search-incremental-indexing-conceptual.md

@@ -92,7 +92,7 @@ Install the Linux agent on sperate Linux instance.
 
 2. Configure the logs to be collected
 
-Follow the configuration steps below to get Vectra Stream metadata into Microsoft Sentinel. The Log Analytics agent is leveraged to send custom JSON into Azure Monitor, enabling the storage of the metadata into a custom table. For more information, refer to the [Azure Monitor Documentation](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-json).
+Follow the configuration steps below to get Vectra Stream metadata into Microsoft Sentinel. The Log Analytics agent is leveraged to send custom JSON into Azure Monitor, enabling the storage of the metadata into a custom table. For more information, refer to the [Azure Monitor Documentation](/azure/azure-monitor/agents/data-sources-json).
 1. Download config file for the log analytics agent: VectraStream.conf (located in the Connector folder within the Vectra solution: https://aka.ms/sentinel-aivectrastream-conf).
 2. Login to the server where you have installed Azure Log Analytics agent.
 3. Copy VectraStream.conf to the /etc/opt/microsoft/omsagent/**workspace_id**/conf/omsagent.d/ folder.