Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into nat-avail-diagrams

Author: asudbring

articles/active-directory/enterprise-users/licensing-service-plan-reference.md

@@ -55,6 +55,7 @@ We detect risk on workload identities across sign-in behavior and offline indica
 | Leaked Credentials | Offline | This risk detection indicates that the account's valid credentials have been leaked. This leak can occur when someone checks in the credentials in public code artifact on GitHub, or when the credentials are leaked through a data breach. <br><br> When the Microsoft leaked credentials service acquires credentials from GitHub, the dark web, paste sites, or other sources, they're checked against current valid credentials in Azure AD to find valid matches. |
 | Malicious application | Offline | This detection indicates that Microsoft has disabled an application for violating our terms of service. We recommend [conducting an investigation](https://go.microsoft.com/fwlink/?linkid=2208429) of the application.| 
 | Suspicious application | Offline | This detection indicates that Microsoft has identified an application that may be violating our terms of service, but has not disabled it. We recommend [conducting an investigation](https://go.microsoft.com/fwlink/?linkid=2208429) of the application.| 
+| Anomalous service principal activity | Offline | This risk detection indicates that suspicious patterns of activity have been identified for an authenticated service principal. The post-authentication behavior of service principals is assessed for anomalies. This behavior is based on actions occurring for the account, along with any sign-in risk detected. |
 
 ## Identify risky workload identities
 

articles/active-directory/identity-protection/concept-workload-identity-risk.md

@@ -5,9 +5,9 @@ services: firewall
 author: vhorne
 ms.service: firewall
 ms.topic: tutorial
-ms.date: 10/18/2022
+ms.date: 10/28/2022
 ms.author: victorh
-ms.custom: mvc
+ms.custom: template-tutorial, mvc, engagement-fy23
 #Customer intent: As an administrator new to this service, I want to control outbound network access from resources located in an Azure subnet.
 ---
 

articles/firewall/tutorial-firewall-deploy-portal-policy.md

@@ -7,8 +7,9 @@ ms.service: frontdoor
 ms.topic: tutorial
 ms.tgt_pltfrm: na
 ms.workload: infrastructure-services
-ms.date: 10/12/2022
+ms.date: 10/28/2022
 ms.author: duau
+ms.custom: template-tutorial, engagement-fy23
 # Customer intent: As an IT admin, I want to learn about Front Door and how to configure a security header via Rules Engine. 
 ---
 

articles/frontdoor/front-door-security-headers.md

@@ -6,12 +6,12 @@ documentationcenter: na
 author: duongau
 ms.author: duau
 manager: KumudD
-ms.date: 10/12/2022
+ms.date: 10/28/2022
 ms.topic: quickstart
 ms.service: frontdoor
 ms.workload: infrastructure-services
 ms.tgt_pltfrm: na
-ms.custom: mode-ui
+ms.custom: template-tutorial, mode-ui, engagement-fy23
 #Customer intent: As an IT admin, I want to direct user traffic to ensure high availability of web applications.
 ---
 

articles/frontdoor/quickstart-create-front-door.md

@@ -6,8 +6,8 @@ author: mbender-ms
 ms.author: mbender
 ms.service: load-balancer
 ms.topic: tutorial
-ms.date: 10/18/2022
-ms.custom: template-tutorial
+ms.date: 10/28/2022
+ms.custom: template-tutorial, engagement-fy23
 ---
 
 # Tutorial: Create a single virtual machine inbound NAT rule using the Azure portal

articles/load-balancer/tutorial-load-balancer-port-forwarding-portal.md

@@ -7,9 +7,9 @@ tags: azure-resource-manager
 ms.service: network-watcher
 ms.topic: tutorial
 ms.workload: infrastructure-services
-ms.date: 10/17/2022
+ms.date: 10/28/2022
 ms.author: damendo
-ms.custom: mvc
+ms.custom: template-tutorial, mvc, engagement-fy23
 # Customer intent: I need to monitor communication between a VM and another VM. If the communication fails, I need to know why, so that I can resolve the problem. 
 ---
 

articles/network-watcher/connection-monitor.md

@@ -5,9 +5,9 @@ services: network-watcher
 author: damendo
 ms.service: network-watcher
 ms.topic: tutorial
-ms.date: 10/17/2022
+ms.date: 10/28/2022
 ms.author: damendo
-ms.custom: mvc
+ms.custom: template-tutorial, mvc, engagement-fy23
 # Customer intent: I need to log the network traffic to and from a VM so I can analyze it for anomalies.
 ---
 

articles/network-watcher/network-watcher-nsg-flow-logging-portal.md

@@ -7,11 +7,11 @@ author: jimmart-dev
 
 ms.service: storage
 ms.topic: how-to
-ms.date: 03/01/2022
+ms.date: 10/28/2022
 ms.author: jammart
 ms.reviewer: fryu
 ms.subservice: blobs
-ms.custom: devx-track-azurepowershell, devx-track-azurecli 
+ms.custom: devx-track-azurepowershell, devx-track-azurecli, engagement-fy23
 ms.devlang: azurecli
 ---
 

articles/storage/blobs/anonymous-read-access-configure.md

@@ -7,22 +7,25 @@ author: jimmart-dev
 
 ms.service: storage
 ms.topic: how-to
-ms.date: 12/09/2020
+ms.date: 10/28/2022
 ms.author: jammart
 ms.reviewer: fryu
 ms.subservice: blobs
-ms.custom: devx-track-azurepowershell
+ms.custom: devx-track-azurepowershell, engagement-fy23
 ---
 
 # Prevent anonymous public read access to containers and blobs
 
+This article describes how to use a DRAG (Detection-Remediation-Audit-Governance) framework to continuously manage public access for your storage accounts.
+
 Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data, but may also present a security risk. It's important to manage anonymous access judiciously and to understand how to evaluate anonymous access to your data. Operational complexity, human error, or malicious attack against data that is publicly accessible can result in costly data breaches. Microsoft recommends that you enable anonymous access only when necessary for your application scenario.
 
 By default, public access to your blob data is always prohibited. However, the default configuration for a storage account permits a user with appropriate permissions to configure public access to containers and blobs in a storage account. For enhanced security, you can disallow all public access to storage account, regardless of the public access setting for an individual container. Disallowing public access to the storage account prevents a user from enabling public access for a container in the account. Microsoft recommends that you disallow public access to a storage account unless your scenario requires it. Disallowing public access helps to prevent data breaches caused by undesired anonymous access.
 
 When you disallow public blob access for the storage account, Azure Storage rejects all anonymous requests to that account. After public access is disallowed for an account, containers in that account cannot be subsequently configured for public access. Any containers that have already been configured for public access will no longer accept anonymous requests. For more information, see [Configure anonymous public read access for containers and blobs](anonymous-read-access-configure.md).
 
-This article describes how to use a DRAG (Detection-Remediation-Audit-Governance) framework to continuously manage public access for your storage accounts.
+> [!WARNING]
+> When a container is configured for public access, any client can read data in that container. Public access presents a potential security risk, so if your scenario does not require it, Microsoft recommends that you disallow it for the storage account.
 
 ## Detect anonymous requests from client applications