Merge branch 'MicrosoftDocs:main' into main

Author: meenasaravanan02

.openpublishing.publish.config.json

@@ -884,6 +884,7 @@
     "articles/azure-video-analyzer/.openpublishing.redirection.azure-video-analyzer.json",
     "articles/virtual-machines/.openpublishing.redirection.virtual-machines.json",
     "articles/virtual-machine-scale-sets/.openpublishing.redirection.virtual-machine-scale-sets.json",
-    "articles/mysql/.openpublishing.redirection.mysql.json"
+    "articles/mysql/.openpublishing.redirection.mysql.json",
+    "articles/container-apps/.openpublishing.redirection.container-apps.json"
   ]
 }

CONTRIBUTING.md

@@ -2,7 +2,7 @@
 
 Thank you for taking the time to contribute to the Microsoft Azure documentation.
 
-This guide covers some general topics related to contribution and refers to the [contributors guide](/contribute) for more detailed explanations when required.
+This guide covers some general topics related to contribution and refers to the [contributors guide](https://docs.microsoft.com/contribute) for more detailed explanations when required.
 
 ## Code of Conduct
 
@@ -25,4 +25,4 @@ Follow the guidance for [Quick edits to existing documents](/contribute/#quick-e
 
 ### Pull Request
 
-Review the guidance for [Pull Requests](/contribute/how-to-write-workflows-major#pull-request-processing) in our contributors guide.
+Review the guidance for [Pull Requests](/contribute/how-to-write-workflows-major#pull-request-processing) in our contributors guide.

articles/active-directory-b2c/azure-monitor.md

@@ -11,7 +11,7 @@ ms.workload: identity
 ms.topic: how-to
 ms.author: kengaderdus
 ms.subservice: B2C
-ms.date: 02/09/2022
+ms.date: 02/23/2022
 ---
 
 # Monitor Azure AD B2C with Azure Monitor
@@ -147,7 +147,9 @@ After you've deployed the template and waited a few minutes for the resource pro
 1. Sign in to the [Azure portal](https://portal.azure.com) with your **Azure AD B2C** administrative account. This account must be a member of the security group you specified in the [Delegate resource management](#3-delegate-resource-management) step.
 1. Select the **Directories + subscriptions** icon in the portal toolbar.
 1. On the **Portal settings | Directories + subscriptions** page, in the **Directory name** list,  find your Azure AD directory that contains the Azure subscription and the _azure-ad-b2c-monitor_ resource group you created, and then select **Switch**.
-1. Verify that you've selected the correct directory and subscription.
+1. Verify that you've selected the correct directory and your Azure subscription is listed and selected in the **Default subscription filter**.
+
+   ![Screenshot of the default subscription filter](./media/azure-monitor/default-subscription-filter.png)
 
 ## 5. Configure diagnostic settings
 
@@ -178,6 +180,10 @@ To configure monitoring settings for Azure AD B2C activity logs:
 1. Check the box for each destination to send the logs. Select **Configure** to specify their settings **as described in the following table**.
 1. Select **Send to Log Analytics**, and then select the **Name of workspace** you created earlier (`AzureAdB2C`).
 1. Select **AuditLogs** and **SignInLogs**.
+
+   > [!NOTE]
+   > Only the **AuditLogs** and **SignInLogs** diagnostic settings are currently supported for Azure AD B2C tenants.
+
 1. Select **Save**.
 
 > [!NOTE]

articles/active-directory-b2c/media/azure-monitor/default-subscription-filter.png

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 11/03/2021
+ms.date: 02/22/2022
 
 ms.author: justinha
 author: inbarckMS 
@@ -17,15 +17,15 @@ ms.collection: M365-identity-device-management
 ---
 # Find and address gaps in strong authentication coverage for your administrators
 
-Requiring multi-factor authentication (MFA) for the administrators in your tenant is one of the first steps you can take to increase the security of your tenant. In this article, we'll cover how to make sure all of your administrators are covered by multi-factor authentication.
+Requiring multifactor authentication (MFA) for the administrators in your tenant is one of the first steps you can take to increase the security of your tenant. In this article, we'll cover how to make sure all of your administrators are covered by multifactor authentication.
 
 ## Detect current usage for Azure AD Built-in administrator roles
 
 The [Azure AD Secure Score](../fundamentals/identity-secure-score.md) provides a score for **Require MFA for administrative roles** in your tenant. This improvement action tracks the MFA usage of Global administrator, Security administrator, Exchange administrator, and SharePoint administrator. 
 
 There are different ways to check if your admins are covered by an MFA policy. 
 
-- To troubleshoot sign-in for a specific administrator, you can use the sign-in logs. The sign-in logs let you filter **Authentication requirement** for specific users. Any sign-in where **Authentication requirement** is **Single-factor authentication** means there was no multi-factor authentication policy that was required for the sign-in.
+- To troubleshoot sign-in for a specific administrator, you can use the sign-in logs. The sign-in logs let you filter **Authentication requirement** for specific users. Any sign-in where **Authentication requirement** is **Single-factor authentication** means there was no multifactor authentication policy that was required for the sign-in.
 
   ![Screenshot of the sign-in log.](./media/how-to-authentication-find-coverage-gaps/auth-requirement.png)
 
@@ -35,23 +35,23 @@ There are different ways to check if your admins are covered by an MFA policy.
 
 - To choose which policy to enable based on your user licenses, we have a new MFA enablement wizard to help you [compare MFA policies](concept-mfa-licensing.md#compare-multi-factor-authentication-policies) and see which steps are right for your organization. The wizard shows administrators who were protected by MFA in the last 30 days.
 
-  ![Screenshot of the Multi-factor authentication enablement wizard.](./media/how-to-authentication-find-coverage-gaps/wizard.png)
+  ![Screenshot of the multifactor authentication enablement wizard.](./media/how-to-authentication-find-coverage-gaps/wizard.png)
 
-- To programmatically create a report listing all users with Admins roles in your tenant and their strong authentication status, you can run a [PowerShell script](https://github.com/microsoft/AzureADToolkit/blob/main/src/Find-AADToolkitUnprotectedUsersWithAdminRoles.ps1). This script enumerates all permanent and eligible built-in and custom role assignments as well as groups with roles assigned, and finds users that are either not registered for MFA or not signing in with MFA by evaluating their authentication methods and their sign-in activity.
+- You can run [this script](https://github.com/microsoft/AzureADToolkit/blob/main/src/Find-AADToolkitUnprotectedUsersWithAdminRoles.ps1) to programmatically generate a report of all users with directory role assignments who have signed in with or without MFA in the last 30 days. This script will enumerate all active built-in and custom role assignments, all eligible built-in and custom role assignments, and groups with roles assigned.
 
-## Enforce multi-factor authentication on your administrators
+## Enforce multifactor authentication on your administrators
 
-Based on gaps you found, require administrators to use multi-factor authentication in one of the following ways:
+If you find administrators who aren't protected by multifactor authentication, you can protect them in one of the following ways:
 
 - If your administrators are licensed for Azure AD Premium, you can [create a Conditional Access policy](tutorial-enable-azure-mfa.md) to enforce MFA for administrators. You can also update this policy to require MFA from users who are in custom roles.  
 
 - Run the [MFA enablement wizard](https://aka.ms/MFASetupGuide) to choose your MFA policy.
 
-- If you assign custom or built-in admin roles in [Privileged Identity Management](../privileged-identity-management/pim-configure.md), require multi-factor authentication upon role activation.
+- If you assign custom or built-in admin roles in [Privileged Identity Management](../privileged-identity-management/pim-configure.md), require multifactor authentication upon role activation.
 
 ## Use Passwordless and phishing resistant authentication methods for your administrators
 
-After your admins are enforced for multi-factor authentication and have been using it for a while, it is time to raise the bar on strong authentication and use Passwordless and phishing resistant authentication method: 
+After your admins are enforced for multifactor authentication and have been using it for a while, it is time to raise the bar on strong authentication and use Passwordless and phishing resistant authentication method: 
 
 - [Phone Sign-in (with Microsoft Authenticator)](concept-authentication-authenticator-app.md)
 - [FIDO2](concept-authentication-passwordless.md#fido2-security-keys)

articles/active-directory/authentication/how-to-authentication-find-coverage-gaps.md

@@ -4,7 +4,7 @@ description: Learn how to use number matching in MFA notifications
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 11/17/2021
+ms.date: 02/23/2022
 ms.author: justinha
 author: mjsantani
 ms.collection: M365-identity-device-management
@@ -37,6 +37,9 @@ Number matching is available for the following scenarios. When enabled, all scen
 - [AD FS adapter](howto-mfaserver-adfs-windows-server.md)
 - [NPS extension](howto-mfa-nps-extension.md)
 
+>[!NOTE]
+>For passwordless users, enabling number matching has no impact because it's already part of the passwordless experience. 
+
 ### Multifactor authentication
 
 When a user responds to an MFA push notification using Microsoft Authenticator, they will be presented with a number. They need to type that number into the app to complete the approval. 
@@ -240,10 +243,6 @@ To enable number matching in the Azure AD portal, complete the following steps:
    ![Screenshot of enabling number match.](media/howto-authentication-passwordless-phone/enable-number-matching.png)
 
 
-## Known issues
-
-- Number matching for admin roles during SSPR is pending and unavailable for a couple days.
-
 ## Next steps
 
 [Authentication methods in Azure Active Directory - Microsoft Authenticator app](concept-authentication-authenticator-app.md)

articles/active-directory/authentication/how-to-mfa-number-match.md

@@ -28,7 +28,7 @@ CloudKnox is a cloud infrastructure entitlement management (CIEM) solution that
 
 ## What are the prerequisites to use CloudKnox?
 
-CloudKnox supports data collection from AWS, GCP, and/or Microsoft Azure. For data collection and analysis, customers are required to have an Azure Active Directory (Azure AD) account to use CloudKnox, however, an Azure subscription or Azure AD P1 or P2 license aren't required to use CloudKnox for AWS or GCP.
+CloudKnox supports data collection from AWS, GCP, and/or Microsoft Azure. For data collection and analysis, customers are required to have an Azure Active Directory (Azure AD) account to use CloudKnox.
 
 ## Can a customer use CloudKnox if they have other identities with access to their IaaS platform that aren’t yet in Azure AD (for example, if part of their business has Okta or AWS Identity & Access Management (IAM))?
 

articles/active-directory/cloud-infrastructure-entitlement-management/cloudknox-faqs.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: how-to
-ms.date: 01/10/2022
+ms.date: 02/23/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -19,31 +19,25 @@ ms.collection: M365-identity-device-management
 
 Previously, Conditional Access policies applied only to users when they access apps and services like SharePoint online or the Azure portal. This preview adds support for Conditional Access policies applied to service principals owned by the organization. We call this capability  Conditional Access for workload identities. 
 
-A workload identity is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as:
+A [workload identity](../develop/workload-identities-overview.md) is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as they:
 
-- They usually have no formal lifecycle process.
+- Can’t perform multi-factor authentication.
+- Often have no formal lifecycle process.
 - Need to store their credentials or secrets somewhere.
-- Applications may use multiple identities. 
- 
-These differences make workload identities difficult to manage, puts them at higher risk for leaks, and reduces the potential for securing access.
+
+These differences make workload identities harder to manage and put them at higher risk for compromise.
 
 > [!IMPORTANT]
 > In public preview, you can scope Conditional Access policies to service principals in Azure AD with an Azure Active Directory Premium P2 edition active in your tenant. After general availability, additional licenses might be required.
 
 > [!NOTE]
 > Policy can be applied to single tenant service principals that have been registered in your tenant. Third party SaaS and multi-tenanted apps are out of scope. Managed identities are not covered by policy. 
 
-This preview enables blocking service principals from outside of trusted IP ranges, such as a corporate network public IP ranges. 
+This preview enables blocking service principals from outside of trusted public IP ranges, or based on risk detected by Azure AD Identity Protection.
 
 ## Implementation
 
-### Step 1: Set up a sample application
-
-If you already have a test application that makes use of a service principal, you can skip this step.
-
-Set up a sample application that, demonstrates how a job or a Windows service can run with an application identity, instead of a user's identity. Follow the instructions in the article [Quickstart: Get a token and call the Microsoft Graph API by using a console app's identity](../develop/quickstart-v2-netcore-daemon.md) to create this application.
-
-### Step 2: Create a Conditional Access policy
+### Create a location-based Conditional Access policy
 
 Create a location based Conditional Access policy that applies to service principals.
 
@@ -60,6 +54,52 @@ Create a location based Conditional Access policy that applies to service princi
 1. Your policy can be saved in **Report-only** mode, allowing administrators to estimate the effects, or policy is enforced by turning policy **On**.
 1. Select **Create** to complete your policy.
 
+### Create a risk-based Conditional Access policy
+
+Use this sample JSON for a risk-based policy using the [Microsoft Graph beta endpoint](/graph/api/resources/conditionalaccesspolicy?view=graph-rest-1.0&preserve-view=true). 
+
+> [!NOTE]
+> Report-only mode doesn't report account risk on a risky workload identity.
+
+```json
+{
+"displayName": "Name",
+"state": "enabled OR disabled",
+"conditions": {
+"applications": {
+"includeApplications": [
+"All"
+],
+"excludeApplications": [],
+"includeUserActions": [],
+"includeAuthenticationContextClassReferences": [],
+"applicationFilter": null
+},
+"userRiskLevels": [],
+"signInRiskLevels": [],
+"clientApplications": {
+"includeServicePrincipals": [
+"ServicePrincipalsInMyTenant"
+],
+"excludeServicePrincipals": []
+},
+"servicePrincipalRiskLevels": [
+"low",
+"medium",
+"high"
+]
+},
+"grantControls": {
+"operator": "and",
+"builtInControls": [
+"block"
+],
+"customAuthenticationFactors": [],
+"termsOfUse": []
+}
+}
+```
+
 ## Roll back
 
 If you wish to roll back this feature, you can delete or disable any created policies.
@@ -77,14 +117,14 @@ Failure reason when Service Principal is blocked by Conditional Access: “Acces
 
 ### Finding the objectID
 
-You can get the objectID of the service principal from Azure AD Enterprise Applications. The Object ID in Azure AD App registrations cannot be used. This identifier is the Object ID of the app registration, not of the service principal.
+You can get the objectID of the service principal from Azure AD Enterprise Applications. The Object ID in Azure AD App registrations can’t be used. This identifier is the Object ID of the app registration, not of the service principal.
 
 1. Browse to the **Azure portal** > **Azure Active Directory** > **Enterprise Applications**, find the application you registered.
 1. From the **Overview** tab, copy the **Object ID** of the application. This identifier is the unique to the service principal, used by Conditional Access policy to find the calling app.
 
 ### Microsoft Graph
 
-Sample JSON for configuration using the Microsoft Graph beta endpoint.
+Sample JSON for location-based configuration using the Microsoft Graph beta endpoint.
 
 ```json
 {

articles/active-directory/conditional-access/workload-identity.md

@@ -34,7 +34,7 @@ To compute the assertion, you can use one of the many JWT libraries in the langu
 | --- | --- |
 | `alg` | Should be **RS256** |
 | `typ` | Should be **JWT** |
-| `x5t` | The X.509 certificate hash's (also known as the cert's SHA-1 *thumbprint*) Hex representation encoded as a Base64url string value. For example, given an X.509 certificate hash of `84E05C1D98BCE3A5421D225B140B36E86A3D5534` (Hex), the `x5t` claim would be `hOBcHZi846VCHSJbFAs26Go9VTQ=` (Base64url). |
+| `x5t` | Base64url-encoded SHA-1 thumbprint of the X.509 certificate thumbprint. For example, given an X.509 certificate hash of `84E05C1D98BCE3A5421D225B140B36E86A3D5534` (Hex), the `x5t` claim would be `hOBcHZi846VCHSJbFAs26Go9VTQ=` (Base64url). |
 
 ### Claims (payload)