Commit 7f8d7ba

Merge pull request #287956 from MicrosoftDocs/main
10/07/2024 AM Publish
2 parents f842886 + 9c78322 commit 7f8d7ba

32 files changed

+234
-239
lines changed

articles/active-directory-b2c/best-practices.md

Lines changed: 4 additions & 4 deletions
@@ -5,11 +5,11 @@ description: Recommendations and best practices to consider when working with Az
55

66
author: kengaderdus
77
ms.author: kengaderdus
8-
manager: CelesteDG
8+
manager: mwongerapz
99
ms.service: active-directory
1010

1111
ms.topic: concept-article
12-
ms.date: 02/05/2024
12+
ms.date: 10/07/2024
1313
ms.subservice: B2C
1414

1515

@@ -68,7 +68,7 @@ Test and automate your Azure AD B2C implementation.
6868
| Functional and UI testing | Test the user flows end-to-end. Add synthetic tests every few minutes using Selenium, VS Web Test, etc. |
6969
| Pen-testing | Before going live with your solution, perform penetration testing exercises to verify all components are secure, including any third-party dependencies. Verify you've secured your APIs with access tokens and used the right authentication protocol for your application scenario. Learn more about [Penetration testing](../security/fundamentals/pen-testing.md) and the [Microsoft Cloud Unified Penetration Testing Rules of Engagement](https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1). |
7070
| A/B Testing | Flight your new features with a small, random set of users before rolling out to your entire population. With JavaScript enabled in Azure AD B2C, you can integrate with A/B testing tools like Optimizely, Clarity, and others. |
71-
| Load testing | Azure AD B2C can scale, but your application can scale only if all of its dependencies can scale. Load-test your APIs and CDN. Learn more about [Resilience through developer best practices](../active-directory/architecture/resilience-b2c-developer-best-practices.md).|
71+
| Load testing | Azure AD B2C can scale, but your application can scale only if all of its dependencies can scale. We recommend that you load-test your policy in production mode, that's set the `DeploymentMode` attribute in your custom policy file's `<TrustFrameworkPolicy>` element to `Production`. This setting ensures your performance during the test matches the production level performance. Load-test your APIs and CDN. Learn more about [Resilience through developer best practices](../active-directory/architecture/resilience-b2c-developer-best-practices.md).|
7272
| Throttling | Azure AD B2C throttles traffic if too many requests are sent from the same source in a short period of time. Use several traffic sources while load testing, and handle the `AADB2C90229` error code gracefully in your applications. |
7373
| Automation | Use continuous integration and delivery (CI/CD) pipelines to automate testing and deployments, for example, [Azure DevOps](deploy-custom-policies-devops.md). |
7474
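Review bot: In the added Load testing row, "load-test your policy in production mode, that's set the `DeploymentMode` attribute ..." does not parse; "that's" should be "that is," or the instruction should become its own sentence ("To do so, set the `DeploymentMode` attribute in your custom policy file's `<TrustFrameworkPolicy>` element to `Production`."). The following sentence, "This setting ensures your performance during the test matches the production level performance", reads better as "so that performance during the test matches production". The new text is also inserted ahead of "Load-test your APIs and CDN", which separates the statement about dependencies scaling from the advice that follows from it; consider placing the policy sentence after it.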

@@ -82,7 +82,7 @@ Manage your Azure AD B2C environment.
8282
| Use version control for your custom policies | Consider using GitHub, Azure Repos, or another cloud-based version control system for your Azure AD B2C custom policies. |
8383
| Use the Microsoft Graph API to automate the management of your B2C tenants | Microsoft Graph APIs:<br/>Manage [Identity Experience Framework](/graph/api/resources/trustframeworkpolicy?preserve-view=true&view=graph-rest-beta) (custom policies)<br/>[Keys](/graph/api/resources/trustframeworkkeyset?preserve-view=true&view=graph-rest-beta)<br/>[User Flows](/graph/api/resources/identityuserflow?preserve-view=true&view=graph-rest-beta) |
8484
| Integrate with Azure DevOps | A [CI/CD pipeline](deploy-custom-policies-devops.md) makes moving code between different environments easy and ensures production readiness always. |
85-
| Deploy custom policy | Azure AD B2C relies on caching to deliver performance to your end users. When you deploy a custom policy using whatever method, expect a delay of up to **30 minutes** for your users to see the changes. As a result of this behavior, consider the following practices when you deploy your custom policies: <br> - If you're deploying to a development environment, set the `DeploymentMode` attribute to `Development` in your custom policy file's `<TrustFrameworkPolicy>` element. <br> - Deploy your updated policy files to a production environment when traffic in your app is low. <br> - When you deploy to a production environment to update existing policy files, upload the updated files with new name(s), and then update your app reference to the new name(s). You can then remove the old policy files afterwards.<br> - You can set the `DeploymentMode` to `Development` in a production environment to bypass the caching behavior. However, we don't recommend this practice. If you [Collect Azure AD B2C logs with Application Insights](troubleshoot-with-application-insights.md), all claims sent to and from identity providers are collected, which is a security and performance risk. |
85+
| Deploy custom policy | Azure AD B2C relies on caching to deliver performance to your end users. When you deploy a custom policy using whatever method, expect a delay of up to **30 minutes** for your users to see the changes. As a result of this behavior, consider the following practices when you deploy your custom policies: <br> - If you're deploying to a development environment, set the `DeploymentMode` attribute in your custom policy file's `<TrustFrameworkPolicy>` element to `Production`. <br> - Deploy your updated policy files to a production environment when traffic in your app is low. <br> - When you deploy to a production environment to update existing policy files, upload the updated files with new name(s), and then update your app reference to the new name(s). You can then remove the old policy files afterwards.<br> - You can set the `DeploymentMode` to `Development` in a production environment to bypass the caching behavior. However, we don't recommend this practice. If you [Collect Azure AD B2C logs with Application Insights](troubleshoot-with-application-insights.md), all claims sent to and from identity providers are collected, which is a security and performance risk. |
8686
| Deploy app registration updates | When you modify your application registration in your Azure AD B2C tenant, such as updating the application's redirect URI, expect a delay of up to **2 hours (3600s)** for the changes to take effect in the production environment. We recommend that you modify your application registration in your production environment when traffic in your app is low.|
8787
| Integrate with Azure Monitor | [Audit log events](view-audit-logs.md) are only retained for seven days. [Integrate with Azure Monitor](azure-monitor.md) to retain the logs for long-term use, or integrate with third-party security information and event management (SIEM) tools to gain insights into your environment. |
8888
| Setup active alerting and monitoring | [Track user behavior](./analytics-with-application-insights.md) in Azure AD B2C using Application Insights. |
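Review bot: The first bullet of the Deploy custom policy row now tells readers who are deploying to a development environment to set `DeploymentMode` to `Production`, where the removed line said `Development`. That looks like an unintended value change made while rewording: the last bullet in the same row still describes `Development` as the mode that bypasses caching, so the two bullets no longer agree. If the change is intended, the bullet needs to say why a development environment should use `Production`; otherwise restore `Development`. Separately, the unchanged row below gives the delay as "2 hours (3600s)", and 3600 seconds is one hour, so one of the two figures is wrong.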

articles/application-gateway/for-containers/how-to-multiple-site-hosting-ingress-api.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -194,7 +194,7 @@ status:
194194
Now we're ready to send some traffic to our sample application, via the FQDN assigned to the frontend. Use the following command to get the FQDN.
195195
196196
```bash
197-
fqdn=$(kubectl get ingress ingress-01 -n test-infra -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'')
197+
fqdn=$(kubectl get ingress ingress-01 -n test-infra -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
198198
```
199199

200200
Next, specify the server name indicator using the curl command, `contoso.com` for the frontend FQDN should return a response from the backend-v1 service.

articles/communication-services/concepts/email/sdk-features.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -38,16 +38,16 @@ Azure Resource Manager for email communication resources is meant for email doma
3838

3939
## API throttling and timeouts
4040

41-
Your Azure account limits the number of email messages that you can send. For all developers, the limits are 30 mails sent per minute and 100 mails sent per hour.
41+
The Azure Communication Services email service is designed to support high throughput. The initial rate limits are intended to help customers onboard smoothly and avoid some of the issues that can occur when switching to a new email service.
4242

43-
This sandbox setup helps developers start building the application. Gradually, you can request to increase the sending volume as soon as the application is ready to go live. Submit a support request to increase your sending limit.
43+
To learn more about these limits and instructions for requesting an increase, see [Service limits for Azure Communication Services > Email](../../concepts/service-limits.md#email).
4444

4545
## Next steps
4646

47-
* [Create and manage an email communication resource in Azure Communication Services](../../quickstarts/email/create-email-communication-resource.md)
48-
* [Connect a verified email domain in Azure Communication Services](../../quickstarts/email/connect-email-communication-resource.md)
47+
* [Create and manage an email communication resource in Azure Communication Services](../../quickstarts/email/create-email-communication-resource.md).
48+
* [Connect a verified email domain in Azure Communication Services](../../quickstarts/email/connect-email-communication-resource.md).
4949

50-
The following topics might be interesting to you:
50+
## Related articles:
5151

5252
* Learn how to send emails with [custom verified domains](../../quickstarts/email/add-custom-verified-domains.md).
5353
* Learn how to send emails with [Azure-managed domains](../../quickstarts/email/add-azure-managed-domains.md).
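Review bot: The new heading "## Related articles:" ends with a colon, unlike "## Next steps" and "## API throttling and timeouts" in the same hunk; drop the colon. In the added link, `../../concepts/service-limits.md#email` climbs out of `concepts` and back into it; from `concepts/email/sdk-features.md` the shorter `../service-limits.md#email` points at the same file. The section is still titled "API throttling and timeouts", but after this change it states no limit values and says nothing about timeouts, so either retitle it or keep one sentence on what a caller sees when throttled.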

articles/communication-services/concepts/service-limits.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -100,6 +100,10 @@ For more information on the SMS SDK and service, see the [SMS SDK overview](./sm
100100

101101
You can send a limited number of email messages. If you exceed the following limits for your subscription, your requests are rejected. You can attempt these requests again, after the Retry-After time passes. Take action before reaching the limit by requesting to raise your sending volume limits if needed.
102102

103+
The Azure Communication Services email service is designed to support high throughput. However, the service imposes initial rate limits to help customers onboard smoothly and avoid some of the issues that can occur when switching to a new email service. We recommend gradually increasing your email volume using Azure Communication Services Email over a period of two to four weeks, while closely monitoring the delivery status of your emails. This gradual increase allows third-party email service providers to adapt to the change in IP for your domain's email traffic, thus protecting your sender reputation and maintaining the reliability of your email delivery.
104+
105+
We approve higher limits for customers based on use case requirements, domain reputation, traffic patterns, and failure rates. To request higher limits, follow the instructions at [Quota increase for email domains](./email/email-quota-increase.md). Note that higher quotas are only available for verified custom domains, not Azure-managed domains.
106+
103107
### Rate Limits
104108

105109
[Custom Domains](../quickstarts/email/add-custom-verified-domains.md)
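Review bot: The restriction in the last added sentence, "higher quotas are only available for verified custom domains, not Azure-managed domains", is the one thing a reader must know before filing a request, yet it sits at the end behind "Note that"; move it ahead of the link to the quota-increase instructions and drop "Note that". The first added paragraph also follows directly after the existing paragraph that already tells readers to request higher sending limits before reaching the limit, so the two overlap; consider merging them. "change in IP" should read "change in IP address".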
Lines changed: 75 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,75 @@
1+
---
2+
title: Best practices for using and administering Azure Modeling and Simulation Workbench
3+
description: Learn best practices and helpful guidance when working with Azure Modeling and Simulation Workbench.
4+
author: yousefi-msft
5+
ms.author: yousefi
6+
ms.service: modeling-simulation-workbench
7+
ms.topic: best-practice
8+
ms.date: 10/06/2024
9+
10+
#customer intent: As a user of Azure Modeling and Simulation Workbench, I want to learn best practices so that I can efficiently and effectively use and administer.
11+
12+
---
13+
14+
# Best practices for Azure Modeling and Simulation Workbench
15+
16+
The Azure Modeling and Simulation Workbench is a cloud-based collaboration platform that provides secure, isolated chambers to allow enterprises to work in the cloud. Modeling and Simulation Workbench provides a large selection of powerful, virtual machines (VM) and high-performance scalable storage and provides control and oversight to what users can export from the platform.
17+
18+
This best practices article provides both users and administrators guidance on how to get the most from the platform, control costs, and work effectively.
19+
20+
## Control costs with chamber idle mode
21+
22+
When a chamber won't be used in the immediate future, [place it into idle mode](./how-to-guide-chamber-idle.md). Idling a chamber significantly reduces costs. For more information, see the [pricing guide](https://azure.microsoft.com/pricing/details/modeling-and-simulation-workbench/#pricing). Idle mode doesn't delete your VMs or storage, but does terminate desktop sessions and chamber license servers.
23+
24+
## Review user allocation to chambers to control cost
25+
26+
Modeling and Simulation Workbench prices chamber access through 10-Pack user connectivity. If your user count increases beyond a multiple of 10, another user pack is added. Review your user allocations to ensure your costs are optimized. For more information, see the [pricing guide](https://azure.microsoft.com/pricing/details/modeling-and-simulation-workbench/#pricing).
27+
28+
## Use an Azure naming resource convention
29+
30+
Depending on complexity, workbenches can have many resources. Adopting a naming convention can help you effectively manage your deployment. The Azure Cloud Adoption Framework has a [naming convention](/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming) to help you get started.
31+
32+
## Key Vaults best practices
33+
34+
Modeling and Simulation Workbench uses [Key Vaults](/azure/key-vault/general/basic-concepts) to store authentication identifiers. See the [Azure Key Vault best practices guide](/azure/key-vault/general/best-practices) for other guidance on effectively using a Key Vault in Azure.
35+
36+
### Use separate Key Vault to broaden security perimeters
37+
38+
Use separate Key Vault for every workbench or assigned group of administrators to help keep your deployment secure. If user credentials or a perimeter is breached, a separate key vault for workbenches can reduce impact.
39+
40+
### Assign two or more Key Vault Secrets Officers
41+
42+
The role of **Secrets Officers** is assigned to the **Workbench Owner** who is tasked with creating and administering the workbench environment. Designating at least two secrets officers can reduce downtime if secrets need to be administered and one administrator isn't available. Consider using Azure Groups to assign this role.
43+
44+
## Use the right storage for the task
45+
46+
Modeling and Simulation Workbench offers several types and tiers for storage. For more information, see the [storage overview](./concept-storage.md).
47+
48+
* Don't save or perform critical work in home directories. Home directories are deleted anytime users are dropped from chambers. Additionally, if you delete users to manage user pack costs, those home directories are deleted. Home directories are intended for resource files or temporary work.
49+
* Chamber storage is the best place to store vital data and perform application workloads. Chamber storage is high-performance with two different performance tiers and scalable. You can learn how to manage chamber storage in [chamber storage how-to](./how-to-guide-manage-chamber-storage.md).
50+
* Don't place information that shouldn't be shared with other chambers in shared storage. Shared storage is visible to all users of the member chambers.
51+
* If you plan on idling the chamber and are looking to save cost, create a standard tier of chamber storage and move all files there.
52+
53+
## Using application registrations in Microsoft Entra and Modeling and Simulation Workbench
54+
55+
### Choose a meaningful management approach for application registrations
56+
57+
Application registrations can easily accumulate in an organization and be forgotten, becoming difficult to manage. Use a meaningful name for application registrations made for Modeling and Simulation Workbench to identify it later. Assign at least two or more owners or consider using an Azure Group to assign ownership.
58+
59+
### Manage application registration secrets
60+
61+
Use a reasonable expiration date for the application secret created. Refer to your organizations rules on application password lifetime.
62+
63+
### Reuse application registrations across related deployments
64+
65+
Application registrations are authentication brokers for the Modeling and Simulation Workbench. Identity and Access Management (IAM) at the chamber level is responsible for this access. You can use fewer application registrations where it makes sense to do so based on region, user base, project, or security boundaries.
66+
67+
### Delete redirect URIs when deleting connectors
68+
69+
Connectors generate two distinct redirect URIs when created. Anytime you're deleting or rebuilding a connector, delete the associated redirect URI from the application registration.
70+
71+
## Related content
72+
73+
* [Manage chamber storage in Azure Modeling and Simulation Workbench](how-to-guide-manage-chamber-storage.md)
74+
* [Manage users in Azure Modeling and Simulation Workbench](how-to-guide-manage-users.md)
75+
* [Manage chamber idle mode](how-to-guide-chamber-idle.md)
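Review bot: The heading "### Use separate Key Vault to broaden security perimeters" says the opposite of the paragraph under it, which is about reducing the impact of a breach by keeping each workbench's secrets in its own vault; a heading such as "Use a separate Key Vault per workbench to limit the impact of a breach" matches the text. Under "Delete redirect URIs when deleting connectors", the text says connectors generate two distinct redirect URIs and then asks for "the associated redirect URI" to be deleted; make that "both associated redirect URIs" so a stale one is not left on the application registration. Smaller points: "Refer to your organizations rules" needs an apostrophe, "Use an Azure naming resource convention" should be "resource naming convention", the `#customer intent` sentence ends at "use and administer." without an object, and "Use a reasonable expiration date" gives the reader nothing to act on beyond the pointer to organizational policy.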

articles/modeling-simulation-workbench/toc.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -81,6 +81,8 @@ items:
8181
href: ./resources-troubleshoot.md
8282
- name: Known issues
8383
href: ./troubleshoot-known-issues.md
84+
- name: Best practices
85+
href: ./best-practices.md
8486
- name: Business continuity and disaster recovery
8587
href: ./disaster-recovery.md
8688
- name: Get support

articles/modeling-simulation-workbench/troubleshoot-known-issues.md

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,26 @@ The Modeling and Simulation Workbench is a secure, cloud-based platform for coll
1717

1818
This Known Issues guide provides troubleshooting and advisory information for resolving or acknowledging issues to be addressed. Where applicable, workaround or mitigation steps are provided.
1919

20+
## Cadence dependencies
21+
22+
When a Chamber Admin is attempting installation of some recent releases of Cadence tools, some users report missing dependencies on Modeling and Simulation Workbench. To fix this issue, install missing dependencies.
23+
24+
### Troubleshooting steps
25+
26+
During installation, the Cadence dependency checker `checkSysConf` reports that the following packages are missing from Modeling and Simulation Workbench VMs. Some of those packages are installed, but fail the dependency check due to other dependencies.
27+
28+
* `xterm`
29+
* `motif`
30+
* `libXp`
31+
* `apr`
32+
* `apr-util`
33+
34+
A Chamber Admin can install these packages with the following command in a terminal:
35+
36+
```bash
37+
sudo yum install motif apr apr-util xterm
38+
```
39+
2040
## EDA license upload failures on server name
2141

2242
When uploading Electronic Design Automation (EDA) license files with server names that contain a dash ("-") symbol, the chamber license file server fails to process the file. For some license files, the `SERVER` line server name isn't being parsed correctly. The parser fails to tokenize this line in order to reformat for the chamber license server environment.
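Review bot: The package list names `libXp` as missing, but the install command, `sudo yum install motif apr apr-util xterm`, leaves it out, so a reader who follows the step would still have `libXp` unresolved; add `libXp` to the command or state why it is excluded. In the opening paragraph, "When a Chamber Admin is attempting installation ..., some users report" mixes two subjects; "Chamber Admins installing some recent releases of Cadence tools report missing dependencies" is clearer. The sentence "Some of those packages are installed, but fail the dependency check due to other dependencies" does not say which packages or which other dependencies are meant.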
