Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into provwork1

Author: billmath

.openpublishing.redirection.azure-monitor.json

@@ -25,6 +25,11 @@
             "redirect_url": "/azure/azure-monitor/change/change-analysis",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/java-in-process-agent-redirect.md",
+            "redirect_url": "/azure/azure-monitor/app/opentelemetry-enable",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-monitor/app/legacy-pricing.md",
             "redirect_url": "/azure/azure-monitor/best-practices-cost",

articles/active-directory-b2c/add-sign-up-and-sign-in-policy.md

@@ -3,14 +3,14 @@ title: Set up a sign-up and sign-in flow
 titleSuffix: Azure AD B2C
 description: Learn how to set up a sign-up and sign-in flow in Azure Active Directory B2C.
 services: active-directory-b2c
-author: kengaderdus
+author: garrodonnell
 manager: CelesteDG
 
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 10/21/2021
-ms.author: kengaderdus
+ms.date: 02/09/2023
+ms.author: godonnell
 ms.subservice: B2C
 ms.custom: "b2c-support"
 zone_pivot_groups: b2c-policy-type
@@ -37,7 +37,7 @@ Watch this video to learn how the user sign-up and sign-in policy works.
 
 ## Prerequisites
 
-If you haven't already done so, [register a web application in Azure Active Directory B2C](tutorial-register-applications.md).
+[!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)]
 
 ::: zone pivot="b2c-user-flow"
 

articles/active-directory/develop/tutorial-blazor-server.md

@@ -6,7 +6,7 @@ ms.author: henrymbugua
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: tutorial
-ms.date: 12/13/2022
+ms.date: 02/09/2023
 ms.custom: "engagement-fy23"
 ms.reviewer: janicericketts
 #Customer intent: As a developer, I want to add authentication to a Blazor app.
@@ -52,13 +52,7 @@ Finally, because the app calls a protected API (in this case Microsoft Graph), i
 
 ## Create the app using the .NET CLI
 
-Run the following command to download the templates for `Microsoft.Identity.Web`, which we'll make use of in this tutorial.
-
-```dotnetcli
-dotnet new --install Microsoft.Identity.Web.ProjectTemplates
-```
-
-Then, run the following command to create the application. Replace the placeholders in the command with the proper information from your app's overview page and execute the command in a command shell. The output location specified with the `-o|--output` option creates a project folder if it doesn't exist and becomes part of the app's name.
+To create the application, run the following command. Replace the placeholders in the command with the proper information from your app's overview page and execute the command in a command shell. The output location specified with the `-o|--output` option creates a project folder if it doesn't exist and becomes part of the app's name.
 
 ```dotnetcli
 dotnet new blazorserver --auth SingleOrg --calls-graph -o {APP NAME} --client-id "{CLIENT ID}" --tenant-id "{TENANT ID}" --domain "{DOMAIN}" -f net7.0
@@ -208,5 +202,5 @@ After granting consent, navigate to the "Fetch data" page to read some email.
 
 Learn about calling building web apps that sign in users in our multi-part scenario series:
 
-> [!div class="nextstepaction"] 
+> [!div class="nextstepaction"]
 > [Scenario: Web app that signs in users](scenario-web-app-sign-user-overview.md)

articles/active-directory/fundamentals/service-accounts-standalone-managed.md

@@ -1,14 +1,14 @@
 ---
-title: Secure standalone managed service accounts | Azure Active Directory
-description: A guide to securing standalone managed service accounts.
+title: Secure standalone managed service accounts
+description: Learn when to use, how to assess, and to secure standalone managed service accounts (sMSAs)
 services: active-directory
-author: janicericketts
+author: jricketts
 manager: martinco
 ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 08/20/2022
+ms.date: 02/08/2023
 ms.author: jricketts
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"
@@ -17,78 +17,75 @@ ms.collection: M365-identity-device-management
 
 # Secure standalone managed service accounts
 
-Standalone managed service accounts (sMSAs) are managed domain accounts that you use to help secure one or more services that run on a server. They can't be reused across multiple servers. sMSAs provide automatic password management, simplified service principal name (SPN) management, and the ability to delegate management to other administrators. 
+Standalone managed service accounts (sMSAs) are managed domain accounts that help secure services running on a server. They can't be reused across multiple servers. sMSAs have automatic password management, simplified service principal name (SPN) management, and delegated management to administrators. 
 
-In Active Directory, sMSAs are tied to a specific server that runs a service. You can find these accounts listed in the Active Directory Users and Computers snap-in of the Microsoft Management Console.
+In Active Directory (AD), sMSAs are tied to a server that runs a service. You can find accounts in the Active Directory Users and Computers snap-in in Microsoft Management Console.
 
-![Screenshot of the Active Directory users and computers snap-in showing the managed service accounts OU.](./media/securing-service-accounts/secure-standalone-msa-image-1.png)
+   ![Screenshot of a service name and type under Active Directory Users and Computers.](./media/securing-service-accounts/secure-standalone-msa-image-1.png)
 
-Managed service accounts were introduced with Windows Server 2008 R2 Active Directory Schema, and they require at least Windows Server 2008 R2​. 
+> [!NOTE]
+> Managed service accounts were introduced in Windows Server 2008 R2 Active Directory Schema, and they require Windows Server 2008 R2, or a later version. 
 
-## Benefits of using sMSAs
+## sMSA benefits
 
-sMSAs offer greater security than user accounts that are used as service accounts. At the same time, to help reduce administrative overhead, they:
+sMSAs have greater security than user accounts used as service accounts. They help reduce administrative overhead:
 
-* **Set strong passwords**: sMSAs use 240-byte, randomly generated complex passwords. The complexity and length of sMSA passwords minimizes the likelihood of a service getting compromised by brute force or dictionary attacks.
+* Set strong passwords - sMSAs use 240 byte, randomly generated complex passwords
+  * The complexity minimizes the likelihood of compromise by brute force or dictionary attacks
+* Cycle passwords regularly - Windows changes the sMSA password every 30 days. 
+  * Service and domain administrators don’t need to schedule password changes or manage the associated downtime
+* Simplify SPN management - SPNs are updated if the domain functional level is Windows Server 2008 R2. The SPN is updated when you:
+  * Rename the host computer account
+  * Change the host computer domain name server (DNS) name
+  * Use PowerShell to add or remove other sam-accountname or dns-hostname parameters
+  * See, [Set-ADServiceAccount](/powershell/module/activedirectory/set-adserviceaccount)
 
-* **Cycle passwords regularly**: Windows automatically changes the sMSA password every 30 days. Service and domain administrators don’t need to schedule password changes or manage the associated downtime.
+## Using sMSAs
 
-* **Simplify SPN management**: Service principal names are automatically updated if the domain functional level is Windows Server 2008 R2. For instance, the service principal name is automatically updated when you:
-   * Rename the host computer account.  
-   * Change the domain name server (DNS) name of the host computer.  
-   * Add or remove other sam-accountname or dns-hostname parameters by using [PowerShell](/powershell/module/activedirectory/set-adserviceaccount).
-
-## When to use sMSAs
-
-sMSAs can simplify management and security tasks. Use sMSAs when you have one or more services deployed to a single server and you can't use a group managed service account (gMSA). 
+Use sMSAs to simplify management and security tasks. sMSAs are useful when services are deployed to a server and you can't use a group managed service account (gMSA). 
 
 > [!NOTE] 
-> Although you can use sMSAs for more than one service, we recommend that each service have its own identity for auditing purposes. 
+> You can use sMSAs for more than one service, but it's recommended that each service has an identity for auditing. 
 
-If the creator of the software can’t tell you whether it can use an MSA, you must test your application. To do so, create a test environment and ensure that it can access all required resources. For more information, see [Create and install an sMSA](/archive/blogs/askds/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting).
+If the software creator can’t tell you if the application uses an MSA, test the application. Create a test environment and ensure it accesses required resources. 
 
-### Assess the security posture of sMSAs
+Learn more: [Managed Service Accounts: Understanding, Implementing, Best Practices, and Troubleshooting](/archive/blogs/askds/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting)
 
-sMSAs are inherently more secure than standard user accounts, which require ongoing password management. However, it's important to consider sMSAs’ scope of access as part of their overall security posture.
+### Assess sMSA security posture
 
-To see how to mitigate potential security issues posed by sMSAs, refer to the following table:
+Consider the sMSA scope of access as part of the security posture. To mitigate potential security issues, see the following table:
 
 | Security issue| Mitigation |
 | - | - |
-| sMSA is a member of privileged groups. | <li>Remove the sMSA from elevated privileged groups, such as Domain Admins.<li>Use the *least privileged* model, and grant the sMSA only the rights and permissions it requires to run its services.<li>If you're unsure of the required permissions, consult the service creator. |
-| sMSA has read/write access to sensitive resources. | <li>Audit access to sensitive resources.<li>Archive audit logs to a Security Information and Event Management (SIEM) program, such as Azure Log Analytics or Microsoft Sentinel, for analysis.<li>Remediate resource permissions if an undesirable level of access is detected. |
-| By default, the sMSA password rollover frequency is 30 days. | You can use group policy to tune the duration, depending on enterprise security requirements. To set the password expiration duration, use the following path:<br>*Computer Configuration\Policies\Windows Settings\Security Settings\Security Options*. For domain member, use **Maximum machine account password age**. |
-| | |
-
+| sMSA is a member of privileged groups | - Remove the sMSA from elevated privileged groups, such as Domain Admins</br> - Use the least-privileged model </br> - Grant the sMSA rights and permissions to run its services</br> - If you're unsure about permissions, consult the service creator|
+| sMSA has read/write access to sensitive resources | - Audit access to sensitive resources</br> - Archive audit logs to a security information and event management (SIEM) program, such as Azure Log Analytics or Microsoft Sentinel </br> - Remediate resource permissions if an undesirable access is detected |
+| By default, the sMSA password rollover frequency is 30 days | Use group policy to tune the duration, depending on enterprise security requirements. To set the password expiration duration, go to:<br>Computer Configuration>Policies>Windows Settings>Security Settings>Security Options. For domain member, use **Maximum machine account password age**. |
 
-
-### Challenges with sMSAs
-
-The challenges associated with sMSAs are as follows:
+### sMSA challenges
+  
+Use the following table to associate challenges with mitigations.
 
 | Challenge| Mitigation |
 | - | - |
-| sMSAs can be used on a single server only. | Use a gMSA if you need to use the account across servers. |
-| sMSAs can't be used across domains. | Use a gMSA if you need to use the account across domains. |
-| Not all applications support sMSAs. | Use a gMSA if possible. Otherwise, use a standard user account or a computer account, as recommended by the application creator. |
-| | |
-
+| sMSAs are on a single server | Use a gMSA to use the account across servers |
+| sMSAs can't be used across domains | Use a gMSA to use the account across domains |
+| Not all applications support sMSAs| Use a gMSA, if possible. Otherwise, use a standard user account or a computer account, as recommended by the creator|
 
 ## Find sMSAs
 
-On any domain controller, run DSA.msc, and then expand the managed service accounts container to view all sMSAs. 
+On a domain controller, run DSA.msc, and then expand the managed service accounts container to view all sMSAs. 
 
 To return all sMSAs and gMSAs in the Active Directory domain, run the following PowerShell command: 
 
 `Get-ADServiceAccount -Filter *`
 
-To return only sMSAs in the Active Directory domain, run the following command:
+To return sMSAs in the Active Directory domain, run the following command:
 
 `Get-ADServiceAccount -Filter * | where { $_.objectClass -eq "msDS-ManagedServiceAccount" }`
 
 ## Manage sMSAs
 
-To manage your sMSAs, you can use the following Active Directory PowerShell cmdlets:
+To manage your sMSAs, you can use the following AD PowerShell cmdlets:
 
 `Get-ADServiceAccount`
 `Install-ADServiceAccount`
@@ -100,16 +97,17 @@ To manage your sMSAs, you can use the following Active Directory PowerShell cmdl
 
 ## Move to sMSAs
 
-If an application service supports sMSAs but not gMSAs, and you're currently using a user account or computer account for the security context, [Create and install an sMSA](/archive/blogs/askds/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting) on the server. 
+If an application service supports sMSAs, but not gMSAs, and you're using a user account or computer account for the security context, see</br>
+[Managed Service Accounts: Understanding, Implementing, Best Practices, and Troubleshooting](/archive/blogs/askds/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting).
 
-Ideally, you would move resources to Azure and use Azure Managed Identities or service principals.
+If possible, move resources to Azure and use Azure managed identities, or service principals.
 
 ## Next steps
 
-To learn more about securing service accounts, see the following articles:
+To learn more about securing service accounts, see:
 
-* [Introduction to on-premises service accounts](service-accounts-on-premises.md)  
+* [Securing on-premises service accounts](service-accounts-on-premises.md)  
 * [Secure group managed service accounts](service-accounts-group-managed.md)  
-* [Secure computer accounts](service-accounts-computer.md)  
-* [Secure user accounts](service-accounts-user-on-premises.md)  
+* [Secure on-premises computer accounts with AD](service-accounts-computer.md)  
+* [Secure user-based service accounts in AD](service-accounts-user-on-premises.md)  
 * [Govern on-premises service accounts](service-accounts-govern-on-premises.md)

articles/app-service/networking/private-endpoint.md

@@ -4,7 +4,7 @@ description: Connect privately to an App Service apps using Azure private endpoi
 author: madsd
 ms.assetid: 2dceac28-1ba6-4904-a15d-9e91d5ee162c
 ms.topic: article
-ms.date: 01/30/2023
+ms.date: 02/09/2023
 ms.author: madsd
 ---
 
@@ -27,7 +27,7 @@ A private endpoint is a special network interface (NIC) for your App Service app
 When you create a private endpoint for your app, it provides secure connectivity between clients on your private network and your app. The private endpoint is assigned an IP Address from the IP address range of your virtual network.
 The connection between the private endpoint and the app uses a secure [Private Link](../../private-link/private-link-overview.md). Private endpoint is only used for incoming traffic to your app. Outgoing traffic won't use this private endpoint. You can inject outgoing traffic to your network in a different subnet through the [virtual network integration feature](../overview-vnet-integration.md).
 
-Each slot of an app is configured separately. You can plug up to 100 private endpoints per slot. You can't share a private endpoint between slots.
+Each slot of an app is configured separately. You can plug up to 100 private endpoints per slot. You can't share a private endpoint between slots. The sub-resource name of a slot will be `sites-<slot-name>`.
 
 The subnet where you plug the private endpoint can have other resources in it, you don't need a dedicated empty subnet.
 You can also deploy the private endpoint in a different region than your app. 

articles/azure-monitor/app/java-in-process-agent-redirect.md

@@ -611,21 +611,17 @@ items:
         href: app/monitor-functions.md
       - name: Azure Kubernetes Service
         href: app/kubernetes-codeless.md
-      - name: Any environment
+      - name: ASP.NET on-premises
         items:
-        - name: ASP.NET
-          items:
-            - name: Overview
-              displayName: IIS monitoring, on premises monitoring, on prem
-              href: app/status-monitor-v2-overview.md
-            - name: Getting started
-              href: app/status-monitor-v2-get-started.md
-            - name: Detailed instructions
-              href: app/status-monitor-v2-detailed-instructions.md
-            - name: API reference
-              href: app/status-monitor-v2-api-reference.md
-        - name: Java (OpenTelemetry redirect)
-          href: app/java-in-process-agent-redirect.md
+          - name: Overview
+            displayName: IIS monitoring, on premises monitoring, on prem
+            href: app/status-monitor-v2-overview.md
+          - name: Getting started
+            href: app/status-monitor-v2-get-started.md
+          - name: Detailed instructions
+            href: app/status-monitor-v2-detailed-instructions.md
+          - name: API reference
+            href: app/status-monitor-v2-api-reference.md
     - name: Application Insights SDKs
       items:
       - name: .NET

articles/azure-monitor/toc.yml

@@ -3,7 +3,7 @@ title: DHCP and DNS in Azure VMware Solution description
 description: Azure VMware Solution DHCP and DNS description.
 ms.topic: include
 ms.service: azure-vmware
-ms.date: 05/28/2021
+ms.date: 2/9/2023
 author: suzizuber
 ms.author: v-szuber
 ---
@@ -13,3 +13,6 @@ ms.author: v-szuber
 Applications and workloads running in a private cloud environment require name resolution and DHCP services for lookup and IP address assignments. A proper DHCP and DNS infrastructure are required to provide these services. You can configure a virtual machine to provide these services in your private cloud environment.  
 
 Use the DHCP service built-in to NSX or use a local DHCP server in the private cloud instead of routing broadcast DHCP traffic over the WAN back to on-premises.
+
+> [!IMPORTANT]
+> If you advertise a default route to the Azure VMware Solution, then you must allow the DNS forwarder to reach the configured DNS servers and they must support public name resolution.