Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into anf-avs-ga-8nov2022

Author: b-ahibbard

.openpublishing.publish.config.json

@@ -164,6 +164,12 @@
       "branch": "dev",
       "branch_mapping": {}
     },
+    {
+      "path_to_root": "functions-quickstart-templates-v1",
+      "url": "https://github.com/Azure/azure-functions-templates",
+      "branch": "v1.x",
+      "branch_mapping": {}
+    },
     {
       "path_to_root": "azure-functions-samples-java",
       "url": "https://github.com/Azure-Samples/azure-functions-samples-java",

.openpublishing.redirection.json

@@ -798,6 +798,16 @@
             "redirect_url": "/troubleshoot/azure/azure-kubernetes/welcome-azure-kubernetes",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/aks/dapr-troubleshooting.md",
+            "redirect_url": "/troubleshoot/azure/azure-kubernetes/welcome-azure-kubernetes",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/aks/csi-secrets-store-troubleshooting.md",
+            "redirect_url": "/troubleshoot/azure/azure-kubernetes/welcome-azure-kubernetes",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/cdn/index.yml",
             "redirect_url": "/azure/frontdoor",

articles/active-directory-b2c/self-asserted-technical-profile.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 02/17/2022
+ms.date: 11/07/2022
 ms.author: kengaderdus
 ms.subservice: B2C
 ---
@@ -50,8 +50,6 @@ In a self-asserted technical profile, you can use the **InputClaims** and **Inpu
 
 ## Display claims
 
-The display claims feature is currently in **preview**.
-
 The **DisplayClaims** element contains a list of claims to be presented on the screen for collecting data from the user. To prepopulate the values of display claims, use the input claims that were previously described. The element may also contain a default value.
 
 The order of the claims in **DisplayClaims** specifies the order in which Azure AD B2C renders the claims on the screen. To force the user to provide a value for a specific claim, set the **Required** attribute of the **DisplayClaim** element to `true`.
@@ -133,7 +131,7 @@ Use output claims when:
 - **Claims are output by output claims transformation**.
 - **Setting a default value in an output claim** without collecting data from the user or returning the data from the validation technical profile. The `LocalAccountSignUpWithLogonEmail` self-asserted technical profile sets the **executed-SelfAsserted-Input** claim to `true`.
 - **A validation technical profile returns the output claims** - Your technical profile may call a validation technical profile that returns some claims. You may want to bubble up the claims and return them to the next orchestration steps in the user journey. For example, when signing in with a local account, the self-asserted technical profile named `SelfAsserted-LocalAccountSignin-Email` calls the validation technical profile named `login-NonInteractive`. This technical profile validates the user credentials and also returns the user profile. Such as 'userPrincipalName', 'displayName', 'givenName' and 'surName'.
-- **A display control returns the output claims** - Your technical profile may have a reference to a [display control](display-controls.md). The display control returns some claims, such as the verified email address. You may want to bubble up the claims and return them to the next orchestration steps in the user journey. The display control feature is currently in **preview**.
+- **A display control returns the output claims** - Your technical profile may have a reference to a [display control](display-controls.md). The display control returns some claims, such as the verified email address. You may want to bubble up the claims and return them to the next orchestration steps in the user journey. 
 
 The following example demonstrates the use of a self-asserted technical profile that uses both display claims and output claims.
 

articles/active-directory/app-provisioning/known-issues.md

@@ -95,6 +95,9 @@ If a user and their manager are both in scope for provisioning, the service prov
 
 The global reader role is unable to read the provisioning configuration. Please create a custom role with the `microsoft.directory/applications/synchronization/standard/read` permission in order to read the provisioning configuration from the Azure Portal. 
 
+#### Microsoft Azure Government Cloud
+Credentials, including the secret token, notification email, and SSO certificate notification emails together have a 1KB limit in the Microsoft Azure Government Cloud. 
+
 ## On-premises application provisioning
 The following information is a current list of known limitations with the Azure AD ECMA Connector Host and on-premises application provisioning.
 
@@ -139,4 +142,4 @@ The following attributes and objects aren't supported:
 The ECMA host does not support updating the password in the connectivity page of the wizard. Please create a new connector when changing the password. 
 
 ## Next steps
-[How provisioning works](how-provisioning-works.md)
+[How provisioning works](how-provisioning-works.md)

articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md

@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: active-directory
 ms.workload: identity
 ms.topic: overview
-ms.date: 08/26/2022
+ms.date: 11/04/2022
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
@@ -93,7 +93,7 @@ You can define one or more matching attribute(s) and prioritize them based on th
 - The agent must communicate with both Azure and your application, so the placement of the agent affects the latency of those two connections. You can minimize the latency of the end-to-end traffic by optimizing each network connection. Each connection can be optimized by:
   - Reducing the distance between the two ends of the hop.
   - Choosing the right network to traverse. For example, traversing a private network rather than the public internet might be faster because of dedicated links.
-
+- The agent and ECMA Host rely on a certificate for communication. The self-signed certificate generated by the ECMA host should only be used for testing purposes. The self-signed certificate expires in two years by default and cannot be revoked. Microsoft recommends using a certificiate from a trusted CA for production use cases.  
 
 
 ## Provisioning agent questions

articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 10/17/2022
+ms.date: 11/04/2022
 ms.author: kenwith
 ms.reviewer: arvinh
 ---
@@ -1315,16 +1315,7 @@ Applications that support the SCIM profile described in this article can be conn
 
     The following screenshot shows the Azure AD application gallery:
 
-   ![Screenshot shows the Azure AD application gallery.](media/use-scim-to-provision-users-and-groups/scim-figure-2b-1.png)
-   
-
-   > [!NOTE]
-   > If you are using the old app gallery experience, follow the screen guide below.
-   
-   The following screenshot shows the Azure AD old app gallery experience:
-
-   ![Screenshot shows the Azure AD old app gallery experience](media/use-scim-to-provision-users-and-groups/scim-figure-2a.png)
-   
+   ![Screenshot shows the Azure AD application gallery.](media/use-scim-to-provision-users-and-groups/scim-figure-2b-1.png) 
 
 1. In the app management screen, select **Provisioning** in the left panel.
 1. In the **Provisioning Mode** menu, select **Automatic**.

articles/active-directory/authentication/how-to-mfa-number-match.md

@@ -4,7 +4,7 @@ description: Learn how to use number matching in MFA notifications
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 11/03/2022
+ms.date: 11/04/2022
 ms.author: justinha
 author: mjsantani
 ms.collection: M365-identity-device-management
@@ -17,7 +17,7 @@ This topic covers how to enable number matching in Microsoft Authenticator push
 
 >[!NOTE]
 >Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator that will begin to be enabled by default for all users starting February 27, 2023.<br> 
->We highly recommend enabling number matching in the near-term for improved sign-in security.
+>We highly recommend enabling number matching in the near term for improved sign-in security.
 
 ## Prerequisites
 
@@ -358,20 +358,40 @@ To enable number matching in the Azure AD portal, complete the following steps:
 
 ### When will my tenant see number matching if I don't use the Azure portal or Graph API to roll out the change?
 
-Number match will be enabled for all users of Microsoft Authenticator app after February 27, 2023. Relevant services will begin deploying these changes after February 27, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all your users, we highly recommend you use the Azure portal or Graph API to roll out number match for all Microsoft Authenticator users. 
+Number match will be enabled for all users of Microsoft Authenticator after February 27, 2023. Relevant services will begin deploying these changes after February 27, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all your users, we highly recommend you use the Azure portal or Graph API to roll out number match for all Microsoft Authenticator users. 
 
-### Can I opt out of number matching?
+### How should users be prepared for default number matching?
 
-Yes, currently you can disable number matching. We highly recommend that you enable number matching for all users in your tenant to protect yourself from MFA fatigue attacks. Microsoft will enable number matching for all tenants by Feb 27, 2023. After protection is enabled by default, users can't opt out of number matching in Microsoft Authenticator push notifications. 
+Here are differences in sign-in scenarios that Microsoft Authenticator users will see after number matching is enabled by default:
+
+- Authentication flows will require users to do number match when using Microsoft Authenticator. If their version of Microsoft Authenticator doesn’t support number match, their authentication will fail.
+- Self-service password reset (SSPR) and combined registration will also require number match when using Microsoft Authenticator. 
+- AD FS adapter will require number matching on [supported versions of Windows Server](#ad-fs-adapter). On earlier versions, users will continue to see the **Approve**/**Deny** experience and won’t see number matching until you upgrade. 
+- NPS extension versions beginning 1.2.2131.2 will require users to do number matching. Because the NPS extension can’t show a number, the user will be asked to enter a One-Time Passcode (OTP). The user must have an OTP authentication method such as Microsoft Authenticator or software OATH tokens registered to see this behavior. If the user doesn’t have an OTP method registered, they’ll continue to get the **Approve**/**Deny** experience.  
+ 
+  To create a registry key that overrides this behavior and prompts users with **Approve**/**Deny**: 
+
+  1. On the NPS Server, open the Registry Editor.
+  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
+  1. Set the following Key Value Pair:
+     Key: OVERRIDE_NUMBER_MATCHING_WITH_OTP
+     Value = FALSE
+  1. Restart the NPS Service. 
 
-### What about my Apple Watch?
+- Apple Watch will remain unsupported for number matching. We recommend you uninstall the Microsoft Authenticator Apple Watch app because you have to approve notifications on your phone.
 
-Apple Watch will remain unsupported for number matching. We recommend you uninstall the Microsoft Authenticator Apple Watch app because you have to approve notifications on your phone. 
+### Can I opt out of number matching?
+
+Yes, currently you can disable number matching. We highly recommend that you enable number matching for all users in your tenant to protect yourself from MFA fatigue attacks. Microsoft will enable number matching for all tenants by Feb 27, 2023. After protection is enabled by default, users can't opt out of number matching in Microsoft Authenticator push notifications. 
 
 ### What happens if a user runs an older version of Microsoft Authenticator?
 
 If a user is running an older version of Microsoft Authenticator that doesn't support number matching, authentication won't work if number matching is enabled. Users need to upgrade to the latest version of Microsoft Authenticator to use it for sign-in.  
 
+### Why is my user prompted to tap on one out of three numbers instead of entering the number in their Microsoft Authenticator app?
+
+Older versions of Microsoft Authenticator prompt users to tap and select a number instead of entering the number in their Microsoft Authenticator app. These authentications won't fail, but we highly recommend that users update to the latest version of the app to be able to enter the number. 
+
 
 ## Next steps
 

articles/active-directory/authentication/howto-authentication-passwordless-deployment.md

@@ -39,16 +39,16 @@ The [Azure portal](https://portal.azure.com/) now has a passwordless methods wiz
 
 Microsoft's passwordless authentication methods enable many scenarios. Consider your organizational needs, prerequisites, and the capabilities of each authentication method to select your passwordless authentication strategy. 
 
-The following table lists the passwordless authentication methods by device types. Our recommendations are in **bold**.
+The following table lists the passwordless authentication methods by device types. Our recommendations are in ***bold italics***.
 
 | Device types| Passwordless authentication method |
 | - | - |
-| Dedicated non-windows devices| <li> **Microsoft Authenticator** <li> Security keys |
-| Dedicated Windows 10 computers (version 1703 and later)| <li> **Windows Hello for Business** <li> Security keys |
-| Dedicated Windows 10 computers (before version 1703)| <li> **Windows Hello for Business** <li> Microsoft Authenticator app |
-| Shared devices: tablets, and mobile devices| <li> **Microsoft Authenticator** <li> One-time password sign-in |
-| Kiosks (Legacy)| **Microsoft Authenticator** |
-| Kiosks and shared computers ‎(Windows 10)| <li> **Security keys** <li> Microsoft Authenticator app |
+| Dedicated non-windows devices| <li> ***Microsoft Authenticator*** <li> Security keys |
+| Dedicated Windows 10 computers (version 1703 and later)| <li> ***Windows Hello for Business*** <li> Security keys |
+| Dedicated Windows 10 computers (before version 1703)| <li> ***Windows Hello for Business*** <li> Microsoft Authenticator app |
+| Shared devices: tablets, and mobile devices| <li> ***Microsoft Authenticator*** <li> One-time password sign-in |
+| Kiosks (Legacy)| ***Microsoft Authenticator*** |
+| Kiosks and shared computers ‎(Windows 10)| <li> ***Security keys*** <li> Microsoft Authenticator app |
 
 
 ## Prerequisites 

articles/active-directory/authentication/howto-mfa-getstarted.md

@@ -4,10 +4,10 @@ description: Learn about deployment considerations and strategy for successful i
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 06/01/2022
-ms.author: mtillman
-author: mtillman
-manager: martinco
+ms.date: 11/04/2022
+ms.author: justinha
+author: justinha
+manager: amycolannino
 ms.reviewer: michmcla
 ms.collection: M365-identity-device-management
 ---
@@ -246,7 +246,7 @@ You can monitor authentication method registration and usage across your organiz
 
 The Azure AD sign-in reports include authentication details for events when a user is prompted for MFA, and if any Conditional Access policies were in use. You can also use PowerShell for reporting on users registered for Azure AD Multi-Factor Authentication. 
 
-NPS extension and AD FS logs can be viewed from **Security** > **MFA** > **Activity report**. Inclusion of this activity in the [Sign-in logs](../reports-monitoring/concept-sign-ins.md) is currently in Preview.
+NPS extension and AD FS logs for cloud MFA activity are now included in the [Sign-in logs](../reports-monitoring/concept-sign-ins.md), and no longer published to **Security** > **MFA** > **Activity report**.
 
 For more information, and additional Azure AD Multi-Factor Authentication reports, see [Review Azure AD Multi-Factor Authentication events](howto-mfa-reporting.md#view-the-azure-ad-sign-ins-report).
 

articles/active-directory/develop/active-directory-saml-protocol-reference.md

@@ -9,9 +9,9 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 10/27/2021
+ms.date: 11/4/2022
 ms.author: kenwith
-ms.custom: aaddev
+ms.custom: aaddev, engagement-fy23
 ms.reviewer: paulgarn
 ---
 
@@ -23,14 +23,17 @@ The SAML protocol requires the identity provider (Microsoft identity platform) a
 
 When an application is registered with Azure AD, the app developer registers federation-related information with Azure AD. This information includes the **Redirect URI** and **Metadata URI** of the application.
 
-The Microsoft identity platform uses the cloud service's **Metadata URI** to retrieve the signing key and the logout URI. In the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>, you can open the app in **Azure Active Directory -> App registrations**, and then in **Manage -> Authentication**, you can update the Logout URL. This way the Microsoft identity platform can send the response to the correct URL.
+The Microsoft identity platform uses the cloud service's **Metadata URI** to retrieve the signing key and the logout URI. This way the Microsoft identity platform can send the response to the correct URL. In the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>; 
 
-Azure AD exposes tenant-specific and common (tenant-independent) SSO and single sign-out endpoints. These URLs represent addressable locations--they're not just identifiers--so you can go to the endpoint to read the metadata.
+- Open the app in **Azure Active Directory** and select **App registrations**
+- Under **Manage**, select **Authentication**. From there you can update the Logout URL. 
 
-- The tenant-specific endpoint is located at `https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml`. The _\<TenantDomainName>_ placeholder represents a registered domain name or TenantID GUID of an Azure AD tenant. For example, the federation metadata of the contoso.com tenant is at: https://login.microsoftonline.com/contoso.com/FederationMetadata/2007-06/FederationMetadata.xml
+Azure AD exposes tenant-specific and common (tenant-independent) SSO and single sign-out endpoints. These URLs represent addressable locations, and aren't only identifiers. You can then go to the endpoint to read the metadata.
+
+- The tenant-specific endpoint is located at `https://login.microsoftonline.com/<TenantDomainName>/FederationMetadata/2007-06/FederationMetadata.xml`. The *\<TenantDomainName>* placeholder represents a registered domain name or TenantID GUID of an Azure AD tenant. For example, the federation metadata of the `contoso.com` tenant is at: https://login.microsoftonline.com/contoso.com/FederationMetadata/2007-06/FederationMetadata.xml
 
 - The tenant-independent endpoint is located at
-  `https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml`. In this endpoint address, **common** appears instead of a tenant domain name or ID.
+  `https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml`. In this endpoint address, *common* appears instead of a tenant domain name or ID.
 
 ## Next steps