Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/active-directory/develop/app-resilience-continuous-access-evaluation.md

@@ -104,11 +104,20 @@ You can test your application by signing in a user to the application then using
 When these conditions are met, the app can extract the claims challenge from the API response header as follows: 
 
 ```javascript
-const authenticateHeader = response.headers.get('www-authenticate');
-const claimsChallenge = parseChallenges(authenticateHeader).claims;
-
-// ...
+try {
+  const response = await fetch(apiEndpoint, options);
+
+  if (response.status === 401 && response.headers.get('www-authenticate')) {
+    const authenticateHeader = response.headers.get('www-authenticate');
+    const claimsChallenge = parseChallenges(authenticateHeader).claims;
+    
+    // use the claims challenge to acquire a new access token...
+  }
+} catch(error) {
+  // ...
+}
 
+// helper function to parse the www-authenticate header
 function parseChallenges(header) {
     const schemeSeparator = header.indexOf(' ');
     const challenges = header.substring(schemeSeparator + 1).split(',');
@@ -126,24 +135,20 @@ function parseChallenges(header) {
 Your app would then use the claims challenge to acquire a new access token for the resource.
 
 ```javascript
+const tokenRequest = {
+    claims: window.atob(claimsChallenge), // decode the base64 string
+    scopes: ['User.Read']
+    account: msalInstance.getActiveAccount();
+};
+
 let tokenResponse;
 
 try {
-    tokenResponse = await msalInstance.acquireTokenSilent({
-        claims: window.atob(claimsChallenge), // decode the base64 string
-        scopes: scopes,  // e.g ['User.Read', 'Contacts.Read']
-        account: account, // current active account
-    });
-
+    tokenResponse = await msalInstance.acquireTokenSilent(tokenRequest);
 } catch (error) {
      if (error instanceof InteractionRequiredAuthError) {
-        tokenResponse = await msalInstance.acquireTokenPopup({
-            claims: window.atob(claimsChallenge), // decode the base64 string
-            scopes: scopes, // e.g ['User.Read', 'Contacts.Read']
-            account: account, // current active account
-        });
+        tokenResponse = await msalInstance.acquireTokenPopup(tokenRequest);
     }
-
 }
 ```
 
@@ -154,8 +159,7 @@ const msalConfig = {
     auth: {
         clientId: 'Enter_the_Application_Id_Here', 
         clientCapabilities: ["CP1"]
-        // the remaining settings
-        // ... 
+        // remaining settings...
     }
 }
 

articles/active-directory/develop/claims-challenge.md

@@ -103,7 +103,7 @@ _clientApp = PublicClientApplicationBuilder.Create(App.ClientId)
  .WithDefaultRedirectUri()
  .WithAuthority(authority)
  .WithClientCapabilities(new [] {"cp1"})
- .Build();*
+ .Build();
 ```
 
 Those using Microsoft.Identity.Web can add the following code to the configuration file:
@@ -112,22 +112,21 @@ Those using Microsoft.Identity.Web can add the following code to the configurati
 {
   "AzureAd": {
     "Instance": "https://login.microsoftonline.com/",
-    // the remaining settings
-    // ... 
-    "ClientCapabilities": [ "cp1" ]
+    "ClientId": 'Enter_the_Application_Id_Here' 
+    "ClientCapabilities": [ "cp1" ],
+    // remaining settings...
 },
 ```
 #### [JavaScript](#tab/JavaScript)
 
-Those using MSAL.js can add `clientCapabilities` property to the configuration object.
+Those using MSAL.js or MSAL Node can add `clientCapabilities` property to the configuration object. Note: this option is available to both public and confidential cient applications.
 
 ```javascript
 const msalConfig = {
     auth: {
         clientId: 'Enter_the_Application_Id_Here', 
         clientCapabilities: ["CP1"]
-        // the remaining settings
-        // ... 
+        // remaining settings...
     }
 }
 
@@ -222,14 +221,15 @@ else
 
 ### [JavaScript](#tab/JavaScript)
 
+The following snippet illustrates a custom Express.js middleware:
+
 ```javascript
 const checkIsClientCapableOfClaimsChallenge = (req, res, next) => {
     // req.authInfo contains the decoded access token payload
     if (req.authInfo['xms_cc'] && req.authInfo['xms_cc'].includes('CP1')) {
           // Return formatted claims challenge as this client understands this
-          
     } else {
-            return res.status(403).json({ error: 'Client is not capable' });
+          return res.status(403).json({ error: 'Client is not capable' });
     }
 }
 

articles/active-directory/develop/mark-app-as-publisher-verified.md

@@ -31,7 +31,6 @@ If you are already enrolled in the Microsoft Partner Network (MPN) and have met
 
 For more details on specific benefits, requirements, and frequently asked questions see the [overview](publisher-verification-overview.md).
 
-
 ## Mark your app as publisher verified
 Make sure you have met the [pre-requisites](publisher-verification-overview.md#requirements), then follow these steps to mark your app(s) as Publisher Verified.  
 

articles/active-directory/managed-identities-azure-resources/how-to-use-vm-token.md

@@ -76,7 +76,7 @@ GET 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-0
 | `Metadata` | An HTTP request header field required by managed identities. This information is used as a mitigation against server side request forgery (SSRF) attacks. This value must be set to "true", in all lower case. |
 | `object_id` | (Optional) A query string parameter, indicating the object_id of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities.|
 | `client_id` | (Optional) A query string parameter, indicating the client_id of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities.|
-| `mi_res_id` | (Optional) A query string parameter, indicating the mi_res_id (Azure Resource ID) of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities. |
+| `msi_res_id` | (Optional) A query string parameter, indicating the msi_res_id (Azure Resource ID) of the managed identity you would like the token for. Required, if your VM has multiple user-assigned managed identities. |
 
 Sample response:
 

articles/aks/TOC.yml

@@ -186,6 +186,8 @@
           href: custom-node-configuration.md
         - name: Integrate ACR with an AKS cluster
           href: cluster-container-registry-integration.md
+        - name: Use Vertical Pod Autoscaler (preview)
+          href: vertical-pod-autoscaler.md
         - name: Scale an AKS cluster
           href: scale-cluster.md
         - name: Stop/Deallocate nodes with Scale-down Mode

articles/aks/operator-best-practices-cluster-security.md

@@ -73,10 +73,8 @@ spec:
 ```
 
 > [!NOTE]
-> We recommend you review [Azure AD workload identity][workload-identity-overview] (preview).
-> This authentication method replaces pod-managed identity (preview), which integrates with the
-> Kubernetes native capabilities to federate with any external identity providers on behalf of the
-> application.
+> Alternatively you can use [Pod Identity](./use-azure-ad-pod-identity.md) though this is in Public Preview.  It has a pod (NMI) that runs as a DaemonSet on each node in the AKS cluster. NMI intercepts security token requests to the Azure Instance Metadata Service on each node, redirect them to itself and validates if the pod has access to the identity it's requesting a token for and fetch the token from the Azure AD tenant on behalf of the application.
+>
 
 ## Secure container access to resources
 

articles/aks/supported-kubernetes-versions.md

@@ -192,7 +192,7 @@ For the past release history, see [Kubernetes](https://en.wikipedia.org/wiki/Kub
 | 1.22  | Aug-04-21 | Sept 2021   | Dec 2021  | 1.25 GA |
 | 1.23  | Dec 2021 | Jan 2022   | Apr 2022  | 1.26 GA |
 | 1.24 | Apr-22-22 | May 2022 | Jul 2022 | 1.27 GA
-| 1.25 | Aug 2022 | Sept 2022 | Nov 2022 | 1.28 GA
+| 1.25 | Aug 2022 | Oct 2022 | Nov 2022 | 1.28 GA
 
 ## FAQ