Merge pull request #199727 from MicrosoftDocs/main

5/27 PM Publish

Author: huypub

articles/active-directory/develop/mobile-app-quickstart-portal-android.md

@@ -24,7 +24,7 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language
 > 
 > We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
 
-> [!div renderon="portal" class="sxs-lookup display-on-portal"]
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
 > # Quickstart: Sign in users and call the Microsoft Graph API from an Android app
 > 
 > In this quickstart, you download and run a code sample that demonstrates how an Android application can sign in users and get an access token to call the Microsoft Graph API. 
@@ -42,15 +42,17 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language
 > ### Step 1: Configure your application in the Azure portal
 > For the code sample in this quickstart to work, add a **Redirect URI** compatible with the Auth broker.
 > 
-> <button id="makechanges" class="nextstepaction" class="configure-app-button"> Make this change for me </button>
+> <button id="makechanges" class="nextstepaction configure-app-button"> Make these changes for me </button>
 > 
 > > [!div id="appconfigured" class="alert alert-info"]
 > > ![Already configured](media/quickstart-v2-android/green-check.png) Your application is configured with these attributes
 > 
 > ### Step 2: Download the project
 > 
 > Run the project using Android Studio.
-> <a href='https://github.com/Azure-Samples/ms-identity-android-java/archive/master.zip'><button id="downloadsample" class="download-sample-button">Download the code sample</button></a>
+> 
+> > [!div class="nextstepaction"]
+> > <button id="downloadsample" class="download-sample-button">Download the code sample</button>
 > 
 > 
 > ### Step 3: Your app is configured and ready to run
@@ -484,4 +486,4 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language
 > Move on to the Android tutorial in which you build an Android app that gets an access token from the Microsoft identity platform and uses it to call the Microsoft Graph API.
 > 
 > > [!div class="nextstepaction"]
-> > [Tutorial: Sign in users and call the Microsoft Graph from an Android application](tutorial-v2-android.md)
+> > [Tutorial: Sign in users and call the Microsoft Graph from an Android application](tutorial-v2-android.md)

articles/active-directory/develop/mobile-app-quickstart-portal-ios.md

@@ -26,7 +26,7 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language
 > 
 > We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
 
-> [!div renderon="portal" class="sxs-lookup display-on-portal"]
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
 > # Quickstart: Sign in users and call the Microsoft Graph API from an iOS or macOS app
 > 
 > In this quickstart, you download and run a code sample that demonstrates how a native iOS or macOS application can sign in users and get an access token to call the Microsoft Graph API.
@@ -47,16 +47,18 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language
 > #### Step 1: Configure your application
 > For the code sample in this quickstart to work, add a **Redirect URI** compatible with the Auth broker.
 > 
-> <button id="makechanges" class="nextstepaction" class="configure-app-button"> Make this change for me </button>
+> <button id="makechanges" class="nextstepaction configure-app-button"> Make these changes for me </button>
 > 
 > > [!div id="appconfigured" class="alert alert-info"]
 > > ![Already configured](media/quickstart-v2-ios/green-check.png) Your application is configured with these attributes
 > 
 > #### Step 2: Download the sample project
 > 
-> <a href='https://github.com/Azure-Samples/active-directory-ios-swift-native-v2/archive/master.zip'><button id="downloadsample" class="downloadsample_ios">Download the code sample for iOS</button></a>
-> 
-> <a href='https://github.com/Azure-Samples/active-directory-macOS-swift-native-v2/archive/master.zip'><button id="downloadsample" class="downloadsample_ios">Download the code sample for macOS</button></a>
+> > [!div class="nextstepaction"]
+> > <button id="downloadsample_ios" class="download-sample-button">Download the code sample for iOS</button>
+>
+> > [!div class="nextstepaction"]
+> > <button id="downloadsample_macos" class="download-sample-button">Download the code sample for macOS</button>
 > 
 > #### Step 3: Install dependencies
 > 
@@ -238,4 +240,4 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language
 > Move on to the step-by-step tutorial in which you build an iOS or macOS app that gets an access token from the Microsoft identity platform and uses it to call the Microsoft Graph API.
 > 
 > > [!div class="nextstepaction"]
-> > [Tutorial: Sign in users and call Microsoft Graph from an iOS or macOS app](tutorial-v2-ios.md)
+> > [Tutorial: Sign in users and call Microsoft Graph from an iOS or macOS app](tutorial-v2-ios.md)

articles/active-directory/develop/refresh-tokens.md

@@ -29,7 +29,10 @@ Before reading through this article, it's recommended that you go through the fo
 
 ## Refresh token lifetime
 
-Refresh tokens have a longer lifetime than access tokens. The default lifetime for the tokens is 90 days and they replace themselves with a fresh token upon every use. As such, whenever a refresh token is used to acquire a new access token, a new refresh token is also issued. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials. 
+Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for [single page apps](reference-third-party-cookies-spas.md) and 90 days for all other scenarios. Refresh tokens replace themselves with a fresh token upon every use. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials. 
+
+>[!IMPORTANT]
+> Refresh tokens sent to a redirect URI registered as `spa` expire after 24 hours. Additional refresh tokens acquired using the initial refresh token carry over that expiration time, so apps must be prepared to rerun the authorization code flow using an interactive authentication to get a new refresh token every 24 hours. Users do not have to enter their credentials and usually don't even see any related user experience, just a reload of your application. The browser must visit the log-in page in a top-level frame to show the login session. This is due to [privacy features in browsers that block third party cookies](reference-third-party-cookies-spas.md).
 
 ## Refresh token expiration
 

articles/active-directory/privileged-identity-management/pim-resource-roles-configure-alerts.md

@@ -10,7 +10,7 @@ ms.topic: how-to
 ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: pim
-ms.date: 05/24/2022
+ms.date: 10/07/2021
 ms.author: curtand
 ms.reviewer: shaunliu
 ms.custom: pim
@@ -31,15 +31,11 @@ Select an alert to see a report that lists the users or roles that triggered the
 
 ## Alerts
 
-Alert | Severity | Trigger | Recommendation
---- | --- | --- | ---
-**Too many owners assigned to a resource** |Medium |Too many users have the owner role. |Review the users in the list and reassign some to less privileged roles.
-**Too many permanent owners assigned to a resource** |Medium |Too many users are permanently assigned to a role. |Review the users in the list and re-assign some to require activation for role use.
-**Duplicate role created** |Medium |Multiple roles have the same criteria. |Use only one of these roles.
-**Roles are being assigned outside of Privileged Identity Management (Preview)** | High | A role is managed directly through the Azure IAM resource blade or the Azure Resource Manager API | Review the users in the list and remove them from privileged roles assigned outside of Privilege Identity Management. 
-
-> [!Note]
-> During the public preview of the **Roles are being assigned outside of Privileged Identity Management (Preview)** alert, Microsoft supports only permissions that are assigned at the subscription level. 
+| Alert | Severity | Trigger | Recommendation |
+| --- | --- | --- | --- |
+| **Too many owners assigned to a resource** |Medium |Too many users have the owner role. |Review the users in the list and reassign some to less privileged roles. |
+| **Too many permanent owners assigned to a resource** |Medium |Too many users are permanently assigned to a role. |Review the users in the list and re-assign some to require activation for role use. |
+| **Duplicate role created** |Medium |Multiple roles have the same criteria. |Use only one of these roles. |
 
 ### Severity
 

articles/aks/howto-deploy-java-liberty-app-with-postgresql.md

@@ -81,7 +81,7 @@ The steps in this section guide you through creating an Azure Database for Postg
    Use the [az postgres server create](/cli/azure/postgres/server#az-postgres-server-create) command to create the DB server. The following example creates a DB server named *youruniquedbname*. Make sure *youruniqueacrname* is unique within Azure.
 
    > [!TIP]
-   > To help ensure a globally unique name, prepend a disambiguation string such as your intitials and the MMDD of today's date.
+   > To help ensure a globally unique name, prepend a disambiguation string such as your initials and the MMDD of today's date.
 
 
    ```bash
@@ -153,7 +153,7 @@ In directory *liberty/config*, the *server.xml* is used to configure the DB conn
 
 After the offer is successfully deployed, an AKS cluster will be generated automatically. The AKS cluster is configured to connect to the ACR. Before we get started with the application, we need to extract the namespace configured for the AKS.
 
-1. Run following command to print the current deployment file, using the `appDeploymentTemplateYamlEncoded` you saved above. The output contains all the variables we need.
+1. Run the following command to print the current deployment file, using the `appDeploymentTemplateYamlEncoded` you saved above. The output contains all the variables we need.
 
    ```bash
    echo <appDeploymentTemplateYamlEncoded> | base64 -d

articles/aks/web-app-routing.md

@@ -23,15 +23,16 @@ The Web Application Routing solution makes it easy to access applications that a
 The add-on deploys four components: an [nginx ingress controller][nginx], [Secrets Store CSI Driver][csi-driver], [Open Service Mesh (OSM)][osm], and [External-DNS][external-dns] controller.
 
 - **Nginx ingress Controller**: The ingress controller exposed to the internet.
-- **External-dns**: Watches for Kubernetes Ingress resources and creates DNS A records in the cluster-specific DNS zone.
+- **External-DNS controller**: Watches for Kubernetes Ingress resources and creates DNS A records in the cluster-specific DNS zone.
 - **CSI driver**: Connector used to communicate with keyvault to retrieve SSL certificates for ingress controller.
 - **OSM**: A lightweight, extensible, cloud native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
-- **External-DNS controller**: Watches for Kubernetes Ingress resources and creates DNS A records in the cluster-specific DNS zone.
 
 ## Prerequisites
 
 - An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).
 - [Azure CLI installed](/cli/azure/install-azure-cli).
+- An Azure Key Vault containing any application certificates.
+- A DNS solution.
 
 ### Install the `aks-preview` Azure CLI extension
 
@@ -66,8 +67,6 @@ You can also enable Web Application Routing on an existing AKS cluster using the
 az aks enable-addons --resource-group myResourceGroup --name myAKSCluster --addons web_application_routing 
 ```
 
-After the cluster is deployed or updated, use the [az aks show][az-aks-show] command to retrieve the DNS zone name.
-
 ## Connect to your AKS cluster
 
 To connect to the Kubernetes cluster from your local computer, you use [kubectl][kubectl], the Kubernetes command-line client.
@@ -78,10 +77,10 @@ If you use the Azure Cloud Shell, `kubectl` is already installed. You can also i
 az aks install-cli
 ```
 
-To configure `kubectl` to connect to your Kubernetes cluster, use the [az aks get-credentials][az-aks-get-credentials] command. The following example gets credentials for the AKS cluster named *MyAKSCluster* in the *MyResourceGroup*:
+To configure `kubectl` to connect to your Kubernetes cluster, use the [az aks get-credentials][az-aks-get-credentials] command. The following example gets credentials for the AKS cluster named *myAKSCluster* in *myResourceGroup*:
 
 ```azurecli
-az aks get-credentials --resource-group MyResourceGroup --name MyAKSCluster
+az aks get-credentials --resource-group myResourceGroup --name myAKSCluster
 ```
 
 ## Create the application namespace
@@ -110,6 +109,12 @@ Copy the identity's object ID:
 
 ### Grant access to Azure Key Vault
 
+Obtain the vault URI for your Azure Key Vault:
+
+```azurecli
+az keyvault show --resource-group myResourceGroup --name myapp-contoso
+```
+
 Grant `GET` permissions for Web Application Routing to retrieve certificates from Azure Key Vault:
 
 ```azurecli
@@ -128,7 +133,7 @@ annotations:
 
 These annotations in the service manifest would direct Web Application Routing to create an ingress servicing `myapp.contoso.com` connected to the keyvault `myapp-contoso`.
 
-Create a file named **samples-web-app-routing.yaml** and copy in the following YAML. On line 29-31, update `<MY_HOSTNAME>` and `<MY_KEYVAULT_URI>` with the DNS zone name collected in the previous step of this article.
+Create a file named **samples-web-app-routing.yaml** and copy in the following YAML. On line 29-31, update `<MY_HOSTNAME>` with your DNS host name and `<MY_KEYVAULT_URI>` with the vault URI collected in the previous step of this article.
 
 ```yaml
 apiVersion: apps/v1
@@ -175,19 +180,17 @@ Use the [kubectl apply][kubectl-apply] command to create the resources.
 kubectl apply -f samples-web-app-routing.yaml -n hello-web-app-routing
 ```
 
-The following example shows the created resources:
+The following example output shows the created resources:
 
 ```bash
-$ kubectl apply -f samples-web-app-routing.yaml -n hello-web-app-routing
-
 deployment.apps/aks-helloworld created
 service/aks-helloworld created
 ```
 
 ## Verify the managed ingress was created
 
 ```bash
-$ kubectl get ingress -n hello-web-app-routing -n hello-web-app-routing
+$ kubectl get ingress -n hello-web-app-routing
 ```
 
 Open a web browser to *<MY_HOSTNAME>*, for example *myapp.contoso.com* and verify you see the demo application. The application may take a few minutes to appear.
@@ -208,8 +211,6 @@ az aks disable-addons --addons web_application_routing  --name myAKSCluster --re
 
 When the Web Application Routing add-on is disabled, some Kubernetes resources may remain in the cluster. These resources include *configMaps* and *secrets*, and are created in the *app-routing-system* namespace. To maintain a clean cluster, you may want to remove these resources.
 
-Look for *addon-web-application-routing* resources using the following [kubectl get][kubectl-get] commands:
-
 ## Clean up
 
 Remove the associated Kubernetes objects created in this article using `kubectl delete`.
@@ -249,4 +250,4 @@ service "aks-helloworld" deleted
 [kubectl-delete]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#delete
 [kubectl-logs]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#logs
 [ingress]: https://kubernetes.io/docs/concepts/services-networking/ingress/
-[ingress-resource]: https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource
+[ingress-resource]: https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource

articles/availability-zones/az-overview.md

@@ -4,7 +4,7 @@ description: Learn about regions and availability zones and how they work to hel
 author: awysza
 ms.service: azure
 ms.topic: conceptual
-ms.date: 03/30/2022
+ms.date: 05/30/2022
 ms.author: rarco
 ms.reviewer: cynthn
 ms.custom: references_regions

articles/availability-zones/az-region.md

@@ -4,7 +4,7 @@ description: Learn what services are supported by availability zones and underst
 author: awysza
 ms.service: azure
 ms.topic: conceptual
-ms.date: 03/25/2022
+ms.date: 05/30/2022
 ms.author: rarco
 ms.reviewer: cynthn
 ms.custom: references_regions

articles/availability-zones/includes/availability-zone-regions-include.md

@@ -4,7 +4,7 @@
  author: awysza
  ms.service: azure
  ms.topic: include
- ms.date: 05/18/2022
+ ms.date: 05/30/2022
  ms.author: rarco
  ms.custom: include file
 ---
@@ -20,7 +20,5 @@ Azure provides the most extensive global footprint of any cloud provider and is
 | East US 2 | UK South | | Southeast Asia |
 | South Central US | West Europe | | East Asia |
 | US Gov Virginia | Sweden Central | | China North 3 |
-| West US 2 | Switzerland North* | | |
+| West US 2 | Switzerland North | | |
 | West US 3 | | | |
-
-\* To learn more about Availability Zones and available services support in these regions, contact your Microsoft sales or customer representative. For the upcoming regions that will support Availability Zones, see [Azure geographies](https://azure.microsoft.com/global-infrastructure/geographies/).

articles/azure-arc/data/active-directory-introduction.md

@@ -12,8 +12,11 @@ ms.topic: how-to
 ---
 
 # Azure Arc-enabled SQL Managed Instance with Active Directory authentication 
+
 Azure Arc-enabled data services support Active Directory (AD) for Identity and Access Management (IAM). The Arc-enabled SQL Managed Instance uses an existing on-premises Active Directory (AD) domain for authentication. 
 
+[!INCLUDE [azure-arc-data-preview](../../../includes/azure-arc-data-preview.md)]
+
 This article describes how to enable Azure Arc-enabled SQL Managed Instance with Active Directory (AD) Authentication. The article demonstrates two possible AD integration modes: 
 -  Customer-managed keytab (CMK) 
 -  System-managed keytab (SMK)