Merge pull request #220495 from MicrosoftDocs/main

12/05 AM Publish

Author: huypub

articles/active-directory/conditional-access/concept-conditional-access-policy-common.md

@@ -1,12 +1,12 @@
 ---
-title: Common Conditional Access policies - Azure Active Directory
-description: Commonly used Conditional Access policies for organizations
+title: Conditional Access templates - Azure Active Directory
+description: Deploy commonly used Conditional Access policies with templates
 
 services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 08/22/2022
+ms.date: 11/29/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -15,57 +15,63 @@ ms.reviewer: calebb, lhuangnorth
 
 ms.collection: M365-identity-device-management
 ---
-# Common Conditional Access policies
+# Conditional Access templates (Preview)
 
-[Security defaults](../fundamentals/concept-fundamentals-security-defaults.md) are great for some but many organizations need more flexibility than they offer. Many organizations need to exclude specific accounts like their emergency access or break-glass administration accounts from Conditional Access policies. The policies referenced in this article can be customized based on organizational needs. Organizations can [use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)
-
-## Conditional Access templates (Preview)
-
-Conditional Access templates are designed to provide a convenient method to deploy new policies aligned with Microsoft recommendations. These templates are designed to provide maximum protection aligned with commonly used policies across various customer types and locations.
+Conditional Access templates provide a convenient method to deploy new policies aligned with Microsoft recommendations. These templates are designed to provide maximum protection aligned with commonly used policies across various customer types and locations.
 
 :::image type="content" source="media/concept-conditional-access-policy-common/conditional-access-policies-azure-ad-listing.png" alt-text="Conditional Access policies and templates in the Azure portal." lightbox="media/concept-conditional-access-policy-common/conditional-access-policies-azure-ad-listing.png":::
 
-The 14 policy templates are split into policies that would be assigned to user identities or devices. Find the templates in the **Azure portal** > **Azure Active Directory** > **Security** > **Conditional Access** > **Create new policy from template**.
+There are 14 Conditional Access policy templates, filtered by six different scenarios: 
 
-Organizations not comfortable allowing Microsoft to create these policies can create them manually by copying the settings from **View policy summary** or use the linked articles to create policies themselves. 
+- Secure foundation
+- Zero Trust
+- Remote work
+- Protect administrators
+- Emerging threats
+- All 
+
+Find the templates in the **Azure portal** > **Azure Active Directory** > **Security** > **Conditional Access** > **New policy from template (Preview)**. Select **Show more** to see all policy templates in each scenario.
 
 :::image type="content" source="media/concept-conditional-access-policy-common/create-policy-from-template-identity.png" alt-text="Create a Conditional Access policy from a preconfigured template in the Azure portal." lightbox="media/concept-conditional-access-policy-common/create-policy-from-template-identity.png":::
 
 > [!IMPORTANT]
-> Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to [exclude other accounts](../roles/security-emergency-access.md) open the policy and modify the excluded users and groups to include them. 
+> Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to [exclude other accounts](../roles/security-emergency-access.md), you will be able to modify the policy once they are created. Simply navigate to **Azure portal** > **Azure Active Directory** > **Security** > **Conditional Access** > **Policies**, select the policy to open the editor and modify the excluded users and groups to select accounts you want to exclude.
 > 
 > By default, each policy is created in [report-only mode](concept-conditional-access-report-only.md), we recommended organizations test and monitor usage, to ensure intended result, before turning each policy on.
 
-- Identities
-   - [Require multi-factor authentication for admins](howto-conditional-access-policy-admin-mfa.md)\*
-   - [Securing security info registration](howto-conditional-access-policy-registration.md)
-   - [Block legacy authentication](howto-conditional-access-policy-block-legacy.md)\*
-   - [Require multi-factor authentication for all users](howto-conditional-access-policy-all-users-mfa.md)\*
-   - [Require multi-factor authentication for guest access](howto-policy-guest-mfa.md)
-   - [Require multi-factor authentication for Azure management](howto-conditional-access-policy-azure-management.md)\*
-   - [Require multi-factor authentication for risky sign-in](howto-conditional-access-policy-risk.md) **Requires Azure AD Premium P2**
-   - [Require password change for high-risk users](howto-conditional-access-policy-risk-user.md) **Requires Azure AD Premium P2**
-- Devices
-   - [Require compliant or hybrid Azure AD joined device or multifactor authentication for all users](howto-conditional-access-policy-compliant-device.md)
-   - [Block access for unknown or unsupported device platform](howto-policy-unknown-unsupported-device.md)
-   - [No persistent browser session](howto-policy-persistent-browser-session.md)
-   - [Require approved client apps or app protection](howto-policy-approved-app-or-app-protection.md)
-   - [Require compliant or Hybrid Azure AD joined device for administrators](howto-conditional-access-policy-compliant-device-admin.md)
-   - [Use application enforced restrictions for unmanaged devices](howto-policy-app-enforced-restriction.md)
+Organizations can select individual policy templates and:
 
-> \* These four policies when configured together, provide similar functionality enabled by [security defaults](../fundamentals/concept-fundamentals-security-defaults.md).
+- View a summary of the policy settings.
+- Edit, to customize based on organizational needs.
+- Export the JSON definition for use in programmatic workflows.
+   - These JSON definitions can be edited and then imported on the main Conditional Access policies page using the **Import policy file** option.
 
-### Other policies
+## Conditional Access template policies
+
+- [Block legacy authentication](howto-conditional-access-policy-block-legacy.md)\*
+- [Require multifactor authentication for admins](howto-conditional-access-policy-admin-mfa.md)\*
+- [Require multifactor authentication for all users](howto-conditional-access-policy-all-users-mfa.md)\*
+- [Require multifactor authentication for Azure management](howto-conditional-access-policy-azure-management.md)\*
+
+> \* These four policies when configured together, provide similar functionality enabled by [security defaults](../fundamentals/concept-fundamentals-security-defaults.md).
 
-* [Block access by location](howto-conditional-access-policy-location.md)
-* [Block access except specific apps](howto-conditional-access-policy-block-access.md)
+- [Block access for unknown or unsupported device platform](howto-policy-unknown-unsupported-device.md)
+- [No persistent browser session](howto-policy-persistent-browser-session.md)
+- [Require approved client apps or app protection](howto-policy-approved-app-or-app-protection.md)
+- [Require compliant or hybrid Azure AD joined device or multifactor authentication for all users](howto-conditional-access-policy-compliant-device.md)
+- [Require compliant or Hybrid Azure AD joined device for administrators](howto-conditional-access-policy-compliant-device-admin.md)
+- [Require multi-factor authentication for risky sign-in](howto-conditional-access-policy-risk.md) **Requires Azure AD Premium P2**
+- [Require multifactor authentication for guest access](howto-policy-guest-mfa.md)
+- [Require password change for high-risk users](howto-conditional-access-policy-risk-user.md) **Requires Azure AD Premium P2**
+- [Securing security info registration](howto-conditional-access-policy-registration.md)
+- [Use application enforced restrictions for unmanaged devices](howto-policy-app-enforced-restriction.md)
 
-## Emergency access accounts
+## Other common policies
 
-More information about emergency access accounts and why they're important can be found in the following articles: 
+- [Block access by location](howto-conditional-access-policy-location.md)
+- [Block access except specific apps](howto-conditional-access-policy-block-access.md)
 
-* [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md)
-* [Create a resilient access control management strategy with Azure Active Directory](../authentication/concept-resilient-controls.md)
+[!INCLUDE [active-directory-policy-exclusions](../../../includes/active-directory-policy-exclude-user.md)]
 
 ## Next steps
 

articles/active-directory/conditional-access/concept-conditional-access-users-groups.md

@@ -97,7 +97,7 @@ If you do find yourself locked out, see [What to do if you're locked out of the
 
 Conditional Access policies that target external users may interfere with service provider access, for example granular delegated admin privileges [Introduction to granular delegated admin privileges (GDAP)](/partner-center/gdap-introduction). For policies that are intended to target service provider tenants, use the **Service provider user** external user type available in the **Guest or external users** selection options.
 
-## Workload identities (Preview)
+## Workload identities 
 
 A workload identity is an identity that allows an application or service principal access to resources, sometimes in the context of a user. Conditional Access policies can be applied to single tenant service principals that have been registered in your tenant. Third party SaaS and multi-tenanted apps are out of scope. Managed identities aren't covered by policy.
 

articles/active-directory/conditional-access/media/concept-conditional-access-policy-common/conditional-access-policies-azure-ad-listing.png

@@ -141,6 +141,8 @@
       href: how-to-connect-post-installation.md
     - name: Uninstall Azure AD Connect
       href: how-to-connect-uninstall.md
+    - name: Using a deprecated version
+      href: deprecated-azure-ad-connect.md
   - name: Plan and design
     items:
     - name: Design concepts

articles/active-directory/conditional-access/media/concept-conditional-access-policy-common/create-policy-from-template-identity.png

@@ -0,0 +1,41 @@
+---
+title: 'Using a deprecated version of Azure AD Connect'
+description: This article describes what to do if you find that you're running a deprecated version.
+services: active-directory
+author: billmath
+manager: amycolannino
+ms.service: active-directory
+ms.workload: identity
+ms.topic: how-to
+ms.date: 12/05/2022
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+
+
+
+# Using a deprecated version of Azure AD Connect
+
+You may have received a notification email that says that your [Azure AD Connect version is deprecated](whatis-azure-ad-connect-v2.md) and no longer supported.  Or, you may have read a portal recommendation about upgrading your Azure AD Connect version. What is next?
+
+Using a deprecated and unsupported version of Azure AD Connect isn't recommended and not supported. Deprecated and unsupported versions of Azure AD Connect may **unexpectedly stop working**.  In these instances, you may need to install the latest version of Azure AD Connect as your only remedy to restore your sync process. 
+
+We regularly update Azure AD Connect with [newer versions](reference-connect-version-history.md). The new versions have bug fixes, performance improvements, new functionality, and security fixes, so it's important to stay up to date.
+
+## How to replace your deprecated version
+
+
+If you're still using a deprecated and unsupported version of Azure AD Connect, here's what you should do:
+
+ 1.	Verify which version you should install. Most customers no longer need Azure AD Connect and can now use [Azure AD Cloud Sync](../cloud-sync/what-is-cloud-sync.md). Cloud sync is the next generation of sync tools to provision users and groups from AD into Azure AD. It features a lightweight agent and is fully managed from the cloud – and it upgrades to newer versions automatically, so you never have to worry about upgrading again! 
+
+ 2.	If you're not yet eligible for Azure AD Cloud Sync, please follow this [link to download](https://www.microsoft.com/download/details.aspx?id=47594) and install the latest version of Azure AD Connect. In most cases, upgrading to the latest version will only take a few moments. For more information, see [Upgrading Azure AD Connect from a previous version.](how-to-upgrade-previous-version.md).
+
+
+## Next steps
+
+- [What is Azure AD Connect V2?](whatis-azure-ad-connect-v2.md)
+- [Azure AD Cloud Sync](../cloud-sync/what-is-cloud-sync.md)
+- [Azure AD Connect version history](reference-connect-version-history.md)

articles/active-directory/hybrid/TOC.yml

@@ -129,7 +129,7 @@ If you already have risk policies enabled in Identity Protection, we highly reco
 
 ### Migrating to Conditional Access
 
-1.	**Create an equivalent** [user risk-based](#user-risk-policy-in-conditional-access) and [sign-in risk-based ](#sign-in-risk-policy-in-conditional-access) policy in Conditional Access in report-only mode. You can create a policy with the steps above or using [Conditional Access templates](../conditional-access/concept-conditional-access-policy-common.md#common-conditional-access-policies) based on Microsoft's recommendations and your organizational requirements.
+1.	**Create an equivalent** [user risk-based](#user-risk-policy-in-conditional-access) and [sign-in risk-based ](#sign-in-risk-policy-in-conditional-access) policy in Conditional Access in report-only mode. You can create a policy with the steps above or using [Conditional Access templates](../conditional-access/concept-conditional-access-policy-common.md) based on Microsoft's recommendations and your organizational requirements.
     1. Ensure that the new Conditional Access risk policy works as expected by testing it in [report-only mode](../conditional-access/howto-conditional-access-insights-reporting.md).
 1.	**Enable** the new Conditional Access risk policy. You can choose to have both policies running side-by-side to confirm the new policies are working as expected before turning off the Identity Protection risk policies.
     1. Browse back to **Azure Active Directory** > **Security** > **Conditional Access**. 

articles/active-directory/hybrid/deprecated-azure-ad-connect.md

@@ -243,6 +243,41 @@ az aks nodepool add --cluster-name $clusterName -g $resourceGroup  -n newnodepoo
   --pod-subnet-id /subscriptions/$subscription/resourceGroups/$resourceGroup/providers/Microsoft.Network/virtualNetworks/$vnet/subnets/pod2subnet \
   --no-wait 
 ```
+## Monitor IP subnet usage 
+
+Azure CNI provides the capability to monitor IP subnet usage. To enable IP subnet usage monitoring, follow the steps below:
+
+### Get the YAML file
+1.	Download or grep the file named container-azm-ms-agentconfig.yaml from [github][github].
+2.	Find azure_subnet_ip_usage in integrations. Set `enabled` to `true`. 
+3.	Save the file.
+
+### Get the AKS credentials
+
+Set the variables for subscription, resource group and cluster. Consider the following as examples:
+
+```azurepowershell
+
+    $s="subscriptionId"
+
+    $rg="resourceGroup"
+
+    $c="ClusterName"
+
+    az account set -s $s
+
+    az aks get-credentials -n $c -g $rg
+
+```
+
+### Apply the config
+
+1.	Open terminal in the folder the downloaded container-azm-ms-agentconfig.yaml file is saved.
+2.	First, apply the config using the command: `kubectl apply -f container-azm-ms-agentconfig.yaml`
+3.	This will restart the pod and after 5-10 minutes, the metrics will be visible.
+4.	To view the metrics on the cluster, go to Workbooks on the cluster page in the Azure portal, and find the workbook named "Subnet IP Usage". Your view will look similar to the following:
+
+  :::image type="content" source="media/Azure-cni/ip-subnet-usage.png" alt-text="A diagram of the Azure portal's workbook blade is shown, and metrics for an AKS cluster's subnet IP usage are displayed.":::    
 
 ## Frequently asked questions
 
@@ -311,7 +346,7 @@ Learn more about networking in AKS in the following articles:
 [portal]: https://portal.azure.com
 [cni-networking]: https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md
 [kubenet]: concepts-network.md#kubenet-basic-networking
-
+[github]: https://raw.githubusercontent.com/microsoft/Docker-Provider/ci_prod/kubernetes/container-azm-ms-agentconfig.yaml
 
 <!-- LINKS - Internal -->
 [az-aks-create]: /cli/azure/aks#az_aks_create

articles/active-directory/identity-protection/howto-identity-protection-configure-risk-policies.md

@@ -164,7 +164,7 @@ jobs:
           manifests: |
              azure-vote-all-in-one-redis.yaml
           images: '${{ secrets.registry }}.azurecr.io/${{ secrets.repository }}/azure-vote-front:${{ github.sha }}'
-          pull: false 
+          pull-images: false 
 ```
 
 > [!IMPORTANT]