Merge pull request #179275 from MicrosoftDocs/master

11/09 PM Publish

Author: huypub

.openpublishing.publish.config.json

@@ -429,12 +429,6 @@
       "branch": "main",
       "branch_mapping": {}
     },
-    {
-      "path_to_root": "azureml-examples-cli-preview",
-      "url": "https://github.com/azure/azureml-examples",
-      "branch": "cli-preview",
-      "branch_mapping": {}
-    },
     {
       "path_to_root": "terraform",
       "url": "https://github.com/Azure/terraform",

.openpublishing.redirection.json

@@ -31431,6 +31431,11 @@
       "redirect_url": "/azure/virtual-wan/scenario-route-between-vnets-firewall",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/virtual-wan/virtual-wan-site-to-site-packet-capture.md",
+      "redirect_url": "/azure/virtual-wan/packet-capture-site-to-site-powershell",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/virtual-wan/logs-metrics.md",
       "redirect_url": "/azure/virtual-wan/monitor-virtual-wan",
@@ -45741,6 +45746,11 @@
       "redirect_url": "/azure/communication-services/quickstarts/voice-video-calling/getting-started-with-calling",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/communication-services/concepts/call-logs-azure-monitor.md",
+      "redirect_url": "/azure/communication-services/concepts/analytics/call-logs-azure-monitor",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/virtual-desktop/teams-on-wvd.md",
       "redirect_url": "/azure/virtual-desktop/teams-on-avd",

articles/active-directory-b2c/microsoft-graph-operations.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
 ms.date: 10/08/2021
-ms.custom: project-no-code, ignite-fall-2021
+ms.custom: "project-no-code, ignite-fall-2021, b2c-support"
 ms.author: kengaderdus
 ms.subservice: B2C
 ---
@@ -29,6 +29,9 @@ Watch this video to learn about Azure AD B2C user migration using Microsoft Grap
 To use MS Graph API, and interact with resources in your Azure AD B2C tenant, you need an application registration that grants the permissions to do so. Follow the steps in the [Manage Azure AD B2C with Microsoft Graph](microsoft-graph-get-started.md) article to create an application registration that your management application can use. 
 
 ## User management
+> [!NOTE]
+> Azure AD B2C currently does not support advanced query capabilities on directory objects. This means that there is no support for `$count`, `$search` query parameters and Not (`not`), Not equals (`ne`), and Ends with (`endsWith`) operators in `$filter` query parameter. For more information, see [query parameters in Microsoft Graph](/graph/query-parameters) and [advanced query capabilities in Microsoft Graph](/graph/aad-advanced-queries).
+
 
 - [List users](/graph/api/user-list)
 - [Create a consumer user](/graph/api/user-post-users)

articles/active-directory-b2c/partner-bloksec.md

@@ -50,7 +50,7 @@ The following architecture diagram shows the implementation.
 
 ## Onboard to BlokSec
 
-Request a demo tenant with BlokSec by filling out [the form](https://bloksec.com/request-a-demo/). In the message field indicates that you would like to onboard with Azure AD B2C. Download and install the free BlokSec yuID mobile app from the app store. Once your demo tenant has been prepared, you'll receive an email. On your mobile device where the BlokSec application is installed, select the link to register your admin account with your yuID app.
+Request a demo tenant with BlokSec by filling out [the form](https://bloksec.com/). In the message field indicates that you would like to onboard with Azure AD B2C. Download and install the free BlokSec yuID mobile app from the app store. Once your demo tenant has been prepared, you'll receive an email. On your mobile device where the BlokSec application is installed, select the link to register your admin account with your yuID app.
 
 ::: zone pivot="b2c-user-flow"
 

articles/active-directory/conditional-access/concept-condition-filters-for-devices.md

@@ -118,7 +118,7 @@ The following device attributes can be used with the filter for devices conditio
 | mdmAppId | Equals, NotEquals, In, NotIn | A valid MDM application ID | (device.mdmAppId -in [“0000000a-0000-0000-c000-000000000000”] |
 | model | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | Any string | (device.model -notContains “Surface”) |
 | operatingSystem | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | A valid operating system (like Windows, iOS, or Android) | (device.operatingSystem -eq “Windows”) |
-| operatingSystemVersion | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | A valid operating system version (like 6.1 for Windows 7, 6.2 for Windows 8, or 10.0 for Windows 10) | (device.operatingSystemVersion -in [“10.0.18363”, “10.0.19041”, “10.0.19042”]) |
+| operatingSystemVersion | Equals, NotEquals, StartsWith, NotStartsWith, EndsWith, NotEndsWith, Contains, NotContains, In, NotIn | A valid operating system version (like 6.1 for Windows 7, 6.2 for Windows 8, or 10.0 for Windows 10 and Windows 11) | (device.operatingSystemVersion -in [“10.0.18363”, “10.0.19041”, “10.0.19042”, “10.0.22000”]) |
 | physicalIds | Contains, NotContains | As an example all Windows Autopilot devices store ZTDId (a unique value assigned to all imported Windows Autopilot devices) in device physicalIds property. | (device.devicePhysicalIDs -contains "[ZTDId]:value") |
 | profileType | Equals, NotEquals | A valid profile type set for a device. Supported values are: RegisteredDevice (default), SecureVM (used for Windows VMs in Azure enabled with Azure AD sign in.), Printer (used for printers), Shared (used for shared devices), IoT (used for IoT devices) | (device.profileType -notIn [“Printer”, “Shared”, “IoT”] |
 | systemLabels | Contains, NotContains | List of labels applied to the device by the system. Some of the supported values are: AzureResource (used for Windows VMs in Azure enabled with Azure AD sign in), M365Managed (used for devices managed using Microsoft Managed Desktop), MultiUser (used for shared devices) | (device.systemLabels -contains "M365Managed") |

articles/active-directory/develop/msal-net-initializing-client-applications.md

@@ -97,7 +97,7 @@ The modifiers you can set on a public client or confidential client application
 
 |Modifier | Description|
 |--------- | --------- |
-|`.WithAuthority()` 7 overrides | Sets the application default authority to an Azure AD authority, with the possibility of choosing the Azure Cloud, the audience, the tenant (tenant ID or domain name), or providing directly the authority URI.|
+|[`.WithAuthority()`](/dotnet/api/microsoft.identity.client.abstractapplicationbuilder-1.withauthority)  | Sets the application default authority to an Azure AD authority, with the possibility of choosing the Azure Cloud, the audience, the tenant (tenant ID or domain name), or providing directly the authority URI.|
 |`.WithAdfsAuthority(string)` | Sets the application default authority to be an ADFS authority.|
 |`.WithB2CAuthority(string)` | Sets the application default authority to be an Azure AD B2C authority.|
 |`.WithClientId(string)` | Overrides the client ID.|

articles/active-directory/devices/troubleshoot-hybrid-join-windows-current.md

@@ -33,6 +33,10 @@ This article assumes that you have [configured hybrid Azure AD-joined devices](h
 - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification)
 
 
+> [!NOTE] 
+> To troubleshoot the common device registration issues, use [Device Registration Troubleshooter Tool](https://aka.ms/DSRegTool).
+
+
 ## Troubleshoot join failures
 
 ### Step 1: Retrieve the join status

articles/active-directory/enterprise-users/groups-assign-sensitivity-labels.md

@@ -30,7 +30,7 @@ To apply published labels to groups, you must first enable the feature. These st
 1. Open a Windows PowerShell window on your computer. You can open it without elevated privileges.
 1. Run the following commands to prepare to run the cmdlets.
 
-    ```PowerShell
+    ```powershell
     Install-Module AzureADPreview
     Import-Module AzureADPreview
     Connect-AzureAD
@@ -39,8 +39,8 @@ To apply published labels to groups, you must first enable the feature. These st
     In the **Sign in to your account** page, enter your admin account and password to connect you to your service, and select **Sign in**.
 1. Fetch the current group settings for the Azure AD organization.
 
-    ```PowerShell
-    $setting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
+    ```powershell
+    $grpUnifiedSetting = (Get-AzureADDirectorySetting | where -Property DisplayName -Value "Group.Unified" -EQ)
     $template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b
     $setting = $template.CreateDirectorySetting()
     ```
@@ -50,20 +50,26 @@ To apply published labels to groups, you must first enable the feature. These st
 
 1. Next, display the current group settings.
 
-    ```PowerShell
+    ```powershell
     $Setting.Values
     ```
 
-1. Then enable the feature:
+1. Enable the feature:
 
-    ```PowerShell
+    ```powershell
     $Setting["EnableMIPLabels"] = "True"
     ```
+ 
+1. Check the new applied value:
 
-1. Then save the changes and apply the settings:
+    ```powershell
+    $Setting.Values
+    ```
+    
+1. Save the changes and apply the settings:
 
-    ```PowerShell
-    New-AzureADDirectorySetting -DirectorySetting $setting
+    ```powershell
+    Set-AzureADDirectorySetting -Id grpUnifiedSetting.Id -DirectorySetting $setting
     ```
 
 You will also need to synchronize your sensitivity labels to Azure AD. For instructions, see [How to enable sensitivity labels for containers and synchronize labels](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites#how-to-enable-sensitivity-labels-for-containers-and-synchronize-labels).

articles/active-directory/hybrid/how-to-connect-install-prerequisites.md

@@ -67,6 +67,7 @@ To read more about securing your Active Directory environment, see [Best practic
     - The servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later. Windows remote management must be enabled on these servers for remote installation. 
     - You must configure TLS/SSL certificates. For more information, see [Managing SSL/TLS protocols and cipher suites for AD FS](/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs) and [Managing SSL certificates in AD FS](/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap).
     - You must configure name resolution. 
+- It is not supported to break and analyze traffic between Azure AD Connect and Azure AD. Doing so may disrupt the service.
 - If your global administrators have MFA enabled, the URL https://secure.aadcdn.microsoftonline-p.com *must* be in the trusted sites list. You're prompted to add this site to the trusted sites list when you're prompted for an MFA challenge and it hasn't been added before. You can use Internet Explorer to add it to your trusted sites.
 - If you plan to use Azure AD Connect Health for syncing, ensure that the prerequisites for Azure AD Connect Health are also met. For more information, see [Azure AD Connect Health agent installation](how-to-connect-health-agent-install.md).
 

articles/active-directory/manage-apps/f5-big-ip-forms-advanced.md

@@ -1,5 +1,5 @@
 ---
-title: Azure Active Directory integration with F5 BIG-IP for forms based authentication Single Sign-on 
+title: F5 BIG-IP APM and Azure AD SSO to forms based authentication applications
 description: Learn how to integrate F5's BIG-IP Access Policy Manager (APM) and Azure Active Directory for secure hybrid access to forms-based applications.
 author: gargi-sinha
 ms.service: active-directory
@@ -35,9 +35,13 @@ Instead, a BIG-IP Virtual Edition (VE) deployed between the internet and the int
 
 Having a BIG-IP in front of the application enables us to overlay the service with Azure AD pre-authentication and forms-based SSO, significantly improving the overall security posture of the application, allowing the business to continue operating at pace, without interruption.
 
+User credentials cached by the BIG-IP APM are then available for SSO against other forms based-authentication applications.
+
+## Scenario Architecture
+
 The secure hybrid access solution for this scenario is made up of the following:
 
-**Application**: Backend service to be protected by Azure AD and BIG-IP secure hybrid access. This particular application validates user credentials against an open source, but this could be any directory including Active Directory, LDS, etc.
+**Application**: Backend service to be protected by Azure AD and BIG-IP secure hybrid access. This particular application validates user credentials against Active Directory (AD), but this could be any directory including LDS (AD Lightweight Directory Services), open source, etc.
 
 **Azure AD**: The SAML Identity Provider (IdP), responsible for
 verification of user credentials, Conditional Access (CA), and SSO to the BIG-IP APM.
@@ -51,13 +55,13 @@ performing forms-based SSO to the backend application.
 | Steps | Description|
 |:-------|:----------|
 | 1. | User connects to application's SAML SP endpoint (BIG-IP APM).|
-|2. | APM access policy redirects user to SAML IdP (Azure AD) for pre-authentication.|
-| 3. | SAML IdP authenticates user and applies any enforced CA policies.|
-| 4. | Azure AD redirects user back to SAML SP with issued token and claims. |
-| 5. | APM prompts for application password and stores in cache. |
-| 6. |  BIG-IP request to application receives login form.|
-| 7. | APM scripting responds filling in username and password before submitting form.|
-| 8. | Application payload is served by webserver and sent to the client. Optionally, APM detects successful logon by examining response headers, looking for cookie or redirect URI. |
+| 2. | APM access policy redirects user to SAML IdP (Azure AD) for pre-authentication.|
+| 3. | Azure AD authenticates user and applies any enforced Conditional Access policies.|
+| 4. | User is redirected back to SAML SP with issued token and claims. |
+| 5. | BIG-IP prompts user for application password and stores in cache. |
+| 6. | BIG-IP sends request to application and receives a login form.|
+| 7. | APM scripting auto responds filling in username and password before submitting form.|
+| 8. | Application payload is served by webserver and sent to the client. Optionally, APM detects successful logon by examining response headers, looking for cookie or redirect URI.|
 
 ## Prerequisites
 
@@ -91,11 +95,8 @@ Prior BIG-IP experience is not necessary, but you'll need:
 
 ## Deployment modes
 
-Several methods exist for configuring a BIG-IP for this scenario,
-including several wizard-based options or an advanced configuration.
-
-This tutorial covers the advanced approach, which provides a more
-flexible approach at implementing secure hybrid access by manually creating all BIG-IP configuration objects. You would also use this approach for scenarios not covered by the Guided Configuration.
+Several methods exist for configuring a BIG-IP for this scenario. This tutorial covers the advanced approach, which provides a more
+flexible approach at implementing secure hybrid access by manually creating all BIG-IP configuration objects. You would use this approach for scenarios not covered by the template based Guided Configuration.
 
 >[!NOTE]
 >All example strings or values referenced throughout this article should be replaced with those for your actual environment.
@@ -365,11 +366,11 @@ A virtual server is a BIG-IP data plane object represented by a virtual IP addre
 
 ## Session management
 
-A BIG-IPs session management setting are used to define the conditions under which user sessions are terminated or allowed to continue, limits for users and IP addresses, and error pages. You can create your own policy by heading to **Access Policy** > **Access Profiles** and selecting your application from the list.
+A BIG-IPs session management settings are used to define the conditions under which user sessions are terminated or allowed to continue, limits for users and IP addresses, and error pages. You can create your own policy by heading to **Access Policy** > **Access Profiles** and selecting your application from the list.
 
-With regard to SLO functionality, having defined a Single Log-out URI in Azure AD will ensure an IdP initiated sign-out from the MyApps portal also terminates the session between the client and the BIG-IP APM.
+With regard to SLO functionality, having defined a Single Log-Out URI in Azure AD will ensure an IdP initiated sign-out from the MyApps portal also terminates the session between the client and the BIG-IP APM.
 
-Having imported the application's federation metadata.xml then provides the APM with the Azure AD SAML log-out endpoint for SP initiated sign-outs. But for this to be truly effective, the APM needs to know exactly when a user signs-out.
+Having imported the application's federation metadata.xml then provides the APM with the Azure AD SAML SLO endpoint for SP initiated sign-outs. But for this to be truly effective, the APM needs to know exactly when a user signs-out.
 
 Consider a scenario where a BIG-IP web portal isn't used, the user has no way of instructing the APM to sign out. Even if the user signs-out of the application itself, the BIG-IP is technically oblivious to this, so the application session could easily be reinstated through SSO. For this reason SP initiated sign-out needs careful consideration to ensure sessions are securely terminated when no longer required.
 
@@ -388,16 +389,12 @@ For increased security, organizations using this pattern could also consider blo
 
 ## Next steps
 
-From a browser, connect to the application's external URL or select the application's icon in the MyApps portal. After authenticating to Azure AD, you'll be redirected to the BIG-IP virtual server for the application and prompted for a password.
-
->[!Note]
->The APM pre-fills the username with the UPN from Azure AD.
+From a browser, connect to the application's external URL or select the application's icon in the MyApps portal. After authenticating to Azure AD, you’ll be redirected to the BIG-IP endpoint for the application and prompted for a password. Note how the APM pre-fills the username with the UPN from Azure AD. The username pre-populated by the APM is read only to ensure session consistency between Azure AD and backend application. This field could be hidden from view with additional configuration, if necessary.
 
 ![Sceenshot shows secured sso](./media/f5-big-ip-forms-advanced/secured-sso.png)
 
 Once submitted, the user should be automatically signed into the
-application and the password cached for reuse against any other
-applications published using the FBA SSO access profile.
+application.
 
 ![Sceenshot shows welcome message](./media/f5-big-ip-forms-advanced/welcome-message.png)