Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

.openpublishing.redirection.json

@@ -54933,6 +54933,11 @@
       "redirect_url": "/azure/azure-monitor/containers/container-insights-log-query",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/azure-monitor/logs/quick-create-workspace-cli.md",
+      "redirect_url": "/azure/azure-monitor/logs/resource-manager-workspace",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/load-balancer/tutorial-load-balancer-standard-manage-portal.md",
       "redirect_url": "/azure/load-balancer/quickstart-load-balancer-standard-public-portal",

articles/active-directory/authentication/howto-mfa-nps-extension.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 08/17/2021
+ms.date: 08/20/2021
 
 ms.author: justinha
 author: justinha
@@ -29,7 +29,9 @@ When you use the NPS extension for Azure AD Multi-Factor Authentication, the aut
 1. **NAS/VPN Server** receives requests from VPN clients and converts them into RADIUS requests to NPS servers.
 2. **NPS Server** connects to Active Directory Domain Services (AD DS) to perform the primary authentication for the RADIUS requests and, upon success, passes the request to any installed extensions.  
 3. **NPS Extension** triggers a request to Azure AD Multi-Factor Authentication for the secondary authentication. Once the extension receives the response, and if the MFA challenge succeeds, it completes the authentication request by providing the NPS server with security tokens that include an MFA claim, issued by Azure STS.
-4. **Azure AD MFA** communicates with Azure Active Directory (Azure AD) to retrieve the user's details and performs the secondary authentication using a verification method configured to the user.
+   >[!NOTE]
+   >Users must have access to their default authentication method to complete the MFA requirement. They cannot choose an alternative method. Their default authentication method will be used even if it's been disabled in the tenant authentication methods and MFA policies.
+1. **Azure AD MFA** communicates with Azure Active Directory (Azure AD) to retrieve the user's details and performs the secondary authentication using a verification method configured to the user.
 
 The following diagram illustrates this high-level authentication request flow:
 

articles/active-directory/cloud-sync/how-to-gmsa-cmdlets.md

@@ -68,7 +68,7 @@ The following prerequisites are required to use these cmdlets.
 |PasswordWriteBack|See [PasswordWriteBack](../../active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-password-writeback) permissions for Azure AD Connect|
 |HybridExchangePermissions|See [HybridExchangePermissions](../../active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-exchange-hybrid-deployment) permissions for Azure AD Connect|
 |ExchangeMailPublicFolderPermissions| See [ExchangeMailPublicFolderPermissions](../../active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-exchange-mail-public-folders) permissions for Azure AD Connect|
-|CloudHR| Applies 'Full control' on 'Descendant User objects' and 'Create/delete User objects' on 'This object and all descendant objects'|
+|CloudHR| Applies 'Create/delete User objects' on 'This object and all descendant objects'|
 |All|adds all the above permissions.|
 
 You can use AADCloudSyncPermissions in one of two ways:

articles/active-directory/cloud-sync/how-to-prerequisites.md

@@ -28,9 +28,9 @@ You need the following to use Azure AD Connect cloud sync:
 A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management,the ability to delegate the management to other administrators, and also extends this functionality over multiple servers.  Azure AD Connect Cloud Sync supports and uses a gMSA for running the agent.  You will be prompted for administrative credentials during setup, in order to create this account.  The account will appear as (domain\provAgentgMSA$).  For more information on a gMSA, see [Group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) 
 
 ### Prerequisites for gMSA:
-1.	The Active Directory schema in the gMSA domain's forest needs to be updated to Windows Server 2016.
+1.	The Active Directory schema in the gMSA domain's forest needs to be updated to Windows Server 2012 or later.
 2.	[PowerShell RSAT modules](/windows-server/remote/remote-server-administration-tools) on a domain controller
-3.	At least one domain controller in the domain must be running Windows Server 2016.
+3.	At least one domain controller in the domain must be running Windows Server 2012 or later.
 4.	A domain joined server where the agent is being installed needs to be either Windows Server 2016 or later.
 
 ### Custom gMSA account
@@ -129,6 +129,9 @@ When using OU scoping filter
 - You can only sync up to 59 separate OUs for a given configuration. 
 - Nested OUs are supported (that is, you **can** sync an OU that has 130 nested OUs, but you **cannot** sync 60 separate OUs in the same configuration). 
 
+### Password Hash Sync
+- Using password hash sync with InetOrgPerson is not supported.
+
 
 ## Next steps 
 

articles/active-directory/develop/migrate-android-adal-msal.md

@@ -250,7 +250,7 @@ In MSAL, there's a hierarchy of exceptions, and each has its own set of associat
 | If you're catching these errors in ADAL...  | ...catch these MSAL exceptions:                                                         |
 |--------------------------------------------------|---------------------------------------------------------------------|
 | *No equivalent ADALError* | `MsalArgumentException`                          |
-| <ul><li>`ADALError.ANDROIDKEYSTORE_FAILED`<li>`ADALError.AUTH_FAILED_USER_MISMATCH`<li>`ADALError.DECRYPTION_FAILED`<li>`ADALError.DEVELOPER_AUTHORITY_CAN_NOT_BE_VALIDED`<li>`ADALError.EVELOPER_AUTHORITY_IS_NOT_VALID_INSTANCE`<li>`ADALError.DEVELOPER_AUTHORITY_IS_NOT_VALID_URL`<li>`ADALError.DEVICE_CONNECTION_IS_NOT_AVAILABLE`<li>`ADALError.DEVICE_NO_SUCH_ALGORITHM`<li>`ADALError.ENCODING_IS_NOT_SUPPORTED`<li>`ADALError.ENCRYPTION_ERROR`<li>`ADALError.IO_EXCEPTION`<li>`ADALError.JSON_PARSE_ERROR`<li>`ADALError.NO_NETWORK_CONNECTION_POWER_OPTIMIZATION`<li>`ADALError.SOCKET_TIMEOUT_EXCEPTION`</ul> | `MsalClientException`                            |
+| <ul><li>`ADALError.ANDROIDKEYSTORE_FAILED`<li>`ADALError.AUTH_FAILED_USER_MISMATCH`<li>`ADALError.DECRYPTION_FAILED`<li>`ADALError.DEVELOPER_AUTHORITY_CAN_NOT_BE_VALIDED`<li>`ADALError.DEVELOPER_AUTHORITY_IS_NOT_VALID_INSTANCE`<li>`ADALError.DEVELOPER_AUTHORITY_IS_NOT_VALID_URL`<li>`ADALError.DEVICE_CONNECTION_IS_NOT_AVAILABLE`<li>`ADALError.DEVICE_NO_SUCH_ALGORITHM`<li>`ADALError.ENCODING_IS_NOT_SUPPORTED`<li>`ADALError.ENCRYPTION_ERROR`<li>`ADALError.IO_EXCEPTION`<li>`ADALError.JSON_PARSE_ERROR`<li>`ADALError.NO_NETWORK_CONNECTION_POWER_OPTIMIZATION`<li>`ADALError.SOCKET_TIMEOUT_EXCEPTION`</ul> | `MsalClientException`                            |
 | *No equivalent ADALError* | `MsalDeclinedScopeException`                     |
 | <ul><li>`ADALError.APP_PACKAGE_NAME_NOT_FOUND`<li>`ADALError.BROKER_APP_VERIFICATION_FAILED`<li>`ADALError.PACKAGE_NAME_NOT_FOUND`</ul> | `MsalException`                                  |
 | *No equivalent ADALError* | `MsalIntuneAppProtectionPolicyRequiredException` |

articles/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md

@@ -32,7 +32,7 @@ The following table provides a summary of the permissions required on AD objects
 | Feature | Permissions |
 | --- | --- |
 | ms-DS-ConsistencyGuid feature |Read and Write permissions to the ms-DS-ConsistencyGuid attribute documented in [Design Concepts - Using ms-DS-ConsistencyGuid as sourceAnchor](plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor). | 
-| Password hash sync |<li>Replicate Directory Changes</li>  <li>Replicate Directory Changes All |
+| Password hash sync |<li>Replicate Directory Changes - required for basic read only</li>  <li>Replicate Directory Changes All |
 | Exchange hybrid deployment |Read and Write permissions to the attributes documented in [Exchange hybrid writeback](reference-connect-sync-attributes-synchronized.md#exchange-hybrid-writeback) for users, groups, and contacts. |
 | Exchange Mail Public Folder |Read permissions to the attributes documented in [Exchange Mail Public Folder](reference-connect-sync-attributes-synchronized.md#exchange-mail-public-folder) for public folders. | 
 | Password writeback |Read and Write permissions to the attributes documented in [Getting started with password management](../authentication/tutorial-enable-sspr-writeback.md) for users. |
@@ -142,6 +142,7 @@ This cmdlet will set the following permissions:
 |Allow |AD DS Connector Account |Read all properties |Descendant Group objects| 
 |Allow |AD DS Connector Account |Read all properties |Descendant User objects| 
 |Allow |AD DS Connector Account |Read all properties |Descendant Contact objects| 
+|Allow|AD DS Connector Account|Replicating Directory Changes|This object only (Domain root)|
 
 
 ### Configure MS-DS-Consistency-Guid Permissions 

articles/active-directory/hybrid/how-to-connect-fed-group-claims.md

@@ -9,7 +9,7 @@ ms.subservice: hybrid
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 02/27/2019
+ms.date: 08/31/2021
 ms.author: billmath
 author: billmath
 ---
@@ -26,6 +26,7 @@ Azure Active Directory can provide a users group membership information in token
 >
 > - Support for use of sAMAccountName and security identifier (SID) attributes synced from on-premises is designed to enable moving existing applications from AD FS and other identity providers. Groups managed in Azure AD do not contain the attributes necessary to emit these claims.
 > - In larger organizations the number of groups a user is a member of may exceed the limit that Azure Active Directory will add to a token. 150 groups for a SAML token, and 200 for a JWT. This can lead to unpredictable results. If your users have large numbers of group memberships, we recommend using the option to restrict the groups emitted in claims to the relevant groups for the application.
+> - Group claims have a 5-group limit if the token is issued through the implicit flow. Tokens requested via the implicit flow will only have a "hasgroups":true claim if the user is in more than 5 groups.
 > - For new application development, or in cases where the application can be configured for it, and where nested group support isn't required, we recommend that in-app authorization is based on application roles rather than groups.  This limits the amount of information that needs to go into the token, is more secure, and separates user assignment from app configuration.
 
 ## Group claims for applications migrating from AD FS and other identity providers

articles/active-directory/privileged-identity-management/pim-email-notifications.md

@@ -1,5 +1,5 @@
 ---
-title: Email notifications in PIM - Azure Active Directory | Microsoft Docs
+title: Email notifications in Privileged Identity Management (PIM) - Azure Active Directory | Microsoft Docs
 description: Describes email notifications in Azure AD Privileged Identity Management (PIM).
 services: active-directory
 documentationcenter: ''
@@ -11,7 +11,7 @@ ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
 ms.subservice: pim
-ms.date: 06/30/2021
+ms.date: 08/24/2021
 ms.author: curtand
 ms.reviewer: hanki
 ms.custom: pim
@@ -33,6 +33,21 @@ These emails include a **PIM** prefix in the subject line. Here's an example:
 
 - PIM: Alain Charon was permanently assigned the Backup Reader role
 
+## Email timing for activation approvals
+
+When users activate their role and the role setting requires approval, approvers will receive two emails for each approval:
+
+- Request to approve or deny the user's activation request (sent by the request approval engine)
+- The user's request is approved (sent by the request approval engine)
+
+Also, Global Administrators and Privileged Role Administrators receive an email for each approval:
+
+- The user's role is activated (sent by Privileged Identity Management)
+
+The first two emails sent by the request approval engine can be delayed. Currently, 90% of emails take three to ten minutes, but for 1% customers it can be much longer, up to fifteen minutes.
+
+If an approval request is approved in the Azure portal before the first email is sent, the first email will no longer be triggered and other approvers won't be notified by email of the approval request. It might appear as if the they didn't get an email but it's the expected behavior.
+
 ## Notifications for Azure AD roles
 
 Privileged Identity Management sends emails when the following events occur for Azure AD roles:
@@ -41,7 +56,7 @@ Privileged Identity Management sends emails when the following events occur for
 - When a privileged role activation request is completed
 - When Azure AD Privileged Identity Management is enabled
 
-Who receives these emails for Azure AD roles depends on your role, the event, and the notifications setting:
+Who receives these emails for Azure AD roles depends on your role, the event, and the notifications setting.
 
 | User | Role activation is pending approval | Role activation request is completed | PIM is enabled |
 | --- | --- | --- | --- |
@@ -72,22 +87,7 @@ The email includes:
 
 The **Overview of your top roles** section lists the top five roles in your organization based on total number of permanent and eligible administrators for each role. The **Take action** link opens [Discovery & Insights](pim-security-wizard.md) where you can convert permanent administrators to eligible administrators in batches.
 
-## Email timing for activation approvals
-
-When users activate their role and the role setting requires approval, approvers will receive two emails for each approval:
-
-- Request to approve or deny the user's activation request (sent by the request approval engine)
-- The user's request is approved (sent by the request approval engine)
-
-Also, Global Administrators and Privileged Role Administrators receive an email for each approval:
-
-- The user's role is activated (sent by Privileged Identity Management)
-
-The first two emails sent by the request approval engine can be delayed. Currently, 90% of emails take three to ten minutes, but for 1% customers it can be much longer, up to fifteen minutes.
-
-If an approval request is approved in the Azure portal before the first email is sent, the first email will no longer be triggered and other approvers won't be notified by email of the approval request. It might appear as if the they didn't get an email but it's the expected behavior.
-
-## PIM emails for Azure resource roles
+## Notifications for Azure resource roles
 
 Privileged Identity Management sends emails to Owners and User Access Administrators when the following events occur for Azure resource roles:
 
@@ -109,6 +109,25 @@ The following shows an example email that is sent when a user is assigned an Azu
 
 ![New Privileged Identity Management email for Azure resource roles](./media/pim-email-notifications/email-resources-new.png)
 
+## Notifications for Privileged Access groups
+
+Privileged Identity Management sends emails to Owners only when the following events occur for Privileged Access group assignments:
+
+- When an Owner or Member role assignment is pending approval
+- When an Owner or Member role is assigned
+- When an Owner or Member role is soon to expire
+- When an Owner or Member role is eligible to extend
+- When an Owner or Member role is being renewed by an end user
+- When an Owner or Member role activation request is completed
+
+Privileged Identity Management sends emails to end users when the following events occur for Privileged Access group role assignments:
+
+- When an Owner or Member role is assigned to the user
+- When a user's an Owner or Member role is expired
+- When a user's an Owner or Member role is extended
+- When a user's an Owner or Member role activation request is completed
+
+
 ## Next steps
 
 - [Configure Azure AD role settings in Privileged Identity Management](pim-how-to-change-default-settings.md)

articles/advisor/resource-graph-samples.md

@@ -1,7 +1,7 @@
 ---
 title: Azure Resource Graph sample queries for Azure Advisor
 description: Sample Azure Resource Graph queries for Azure Advisor showing use of resource types and tables to access Azure Advisor related resources and properties.
-ms.date: 08/27/2021
+ms.date: 08/31/2021
 ms.topic: sample
 ms.custom: subject-resourcegraph-sample
 ---

articles/api-management/api-management-howto-developer-portal-customize.md

@@ -6,7 +6,7 @@ author: mikebudzynski
 
 ms.service: api-management
 ms.topic: tutorial
-ms.date: 11/16/2020
+ms.date: 08/31/2021
 ms.author: apimpm
 ---
 
@@ -118,15 +118,49 @@ Before you make your portal available to the visitors, you should personalize th
 
 ### Home page
 
-The default **Home** page is filled with placeholder content. You can either remove entire sections containing this content or keep the structure and adjust the elements one by one. Replace the generated text and images with your own and make sure the links point to desired locations.
+The default **Home** page is filled with placeholder content. You can either remove entire sections containing this content or keep the structure and adjust the elements one by one. Replace the generated text and images with your own and make sure the links point to desired locations. You can edit the structure and content of the home page by:
+* Dragging and dropping page elements to the desired placement on the site.
+* Selecting text and heading elements to edit and format content. 
+* Verifying your buttons point to the right locations.
 
 ### Layouts
 
 Replace the automatically generated logo in the navigation bar with your own image.
 
+1. In the developer portal, select the default **Contoso** logo in the top left of the navigation bar. 
+1. Select the **Edit** icon. 
+1. Under the **Main** section, select **Source**.
+1. In the **Media** pop-up, either select:
+    * An image already uploaded in your library, or
+    * **Upload file** to upload a new image file to use, or
+    * Select **None** to forego using a logo.
+1. The logo updates in real-time.
+1. Select outside the pop-up windows to exit the media library.
+1. Click **Save**.
+
 ### Styling
 
-Although you don't need to adjust any styles, you may consider adjusting particular elements. For example, change the primary color to match your brand's color.
+Although you don't need to adjust any styles, you may consider adjusting particular elements. For example, change the primary color to match your brand's color. You can do this in two ways:
+
+#### Overall site style
+
+1. In the developer portal, select the **Styles** icon from the left tool bar.
+1. Under the **Colors** section, select the color style item you want to edit.
+1. Click the **Edit** icon for that style item.
+1. Select the color from the color-picker, or enter the hex color code.
+1. Add and name another color item by clicking **Add color**.  
+1. Click **Save**.
+
+#### Container style
+
+1. On the main page of the developer portal, select the container background.
+1. Click the **Edit** icon.
+1. In the pop-up, set:
+    * The background to clear, an image, a specific color, or a gradient.
+    * The container size, margin, and padding.
+    * Container position and height.
+1. Select outside the pop-up windows to exit the container settings.
+1. Click **Save**.
 
 ### Customization example