MicrosoftDocs
diff --git a/‎.openpublishing.redirection.azure-monitor.json
Lines changed: 5 additions & 0 deletions b/‎.openpublishing.redirection.azure-monitor.json
Lines changed: 5 additions & 0 deletions
diff --git a/‎articles/active-directory-b2c/add-sign-up-and-sign-in-policy.md
Lines changed: 4 additions & 4 deletions b/‎articles/active-directory-b2c/add-sign-up-and-sign-in-policy.md
Lines changed: 4 additions & 4 deletions
diff --git a/‎articles/active-directory/cloud-infrastructure-entitlement-management/onboard-aws.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/cloud-infrastructure-entitlement-management/onboard-aws.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/develop/tutorial-blazor-server.md
Lines changed: 3 additions & 9 deletions b/‎articles/active-directory/develop/tutorial-blazor-server.md
Lines changed: 3 additions & 9 deletions
diff --git a/‎articles/active-directory/fundamentals/service-accounts-standalone-managed.md
Lines changed: 46 additions & 48 deletions b/‎articles/active-directory/fundamentals/service-accounts-standalone-managed.md
Lines changed: 46 additions & 48 deletions
diff --git a/‎articles/aks/learn/quick-windows-container-deploy-powershell.md
Lines changed: 14 additions & 0 deletions b/‎articles/aks/learn/quick-windows-container-deploy-powershell.md
Lines changed: 14 additions & 0 deletions
diff --git a/‎articles/api-management/export-api-power-platform.md
Lines changed: 2 additions & 2 deletions b/‎articles/api-management/export-api-power-platform.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/app-service/environment/how-to-custom-domain-suffix.md
Lines changed: 4 additions & 2 deletions b/‎articles/app-service/environment/how-to-custom-domain-suffix.md
Lines changed: 4 additions & 2 deletions
@@ -25,6 +25,11 @@
             "redirect_url": "/azure/azure-monitor/change/change-analysis",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/java-in-process-agent-redirect.md",
+            "redirect_url": "/azure/azure-monitor/app/opentelemetry-enable",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-monitor/app/legacy-pricing.md",
             "redirect_url": "/azure/azure-monitor/best-practices-cost",
 
@@ -3,14 +3,14 @@ title: Set up a sign-up and sign-in flow
 titleSuffix: Azure AD B2C
 description: Learn how to set up a sign-up and sign-in flow in Azure Active Directory B2C.
 services: active-directory-b2c
-author: kengaderdus
+author: garrodonnell
 manager: CelesteDG
 
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 10/21/2021
-ms.author: kengaderdus
+ms.date: 02/09/2023
+ms.author: godonnell
 ms.subservice: B2C
 ms.custom: "b2c-support"
 zone_pivot_groups: b2c-policy-type
@@ -37,7 +37,7 @@ Watch this video to learn how the user sign-up and sign-in policy works.
 
 ## Prerequisites
 
-If you haven't already done so, [register a web application in Azure Active Directory B2C](tutorial-register-applications.md).
+[!INCLUDE [active-directory-b2c-customization-prerequisites](../../includes/active-directory-b2c-customization-prerequisites.md)]
 
 ::: zone pivot="b2c-user-flow"
 
 
@@ -17,7 +17,7 @@ ms.author: jfields
 This article describes how to onboard an Amazon Web Services (AWS) account on Permissions Management.
 
 > [!NOTE]
-> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).
+> A *global administrator* or *root user* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).
 
 ## Explanation
 
 
@@ -6,7 +6,7 @@ ms.author: henrymbugua
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: tutorial
-ms.date: 12/13/2022
+ms.date: 02/09/2023
 ms.custom: "engagement-fy23"
 ms.reviewer: janicericketts
 #Customer intent: As a developer, I want to add authentication to a Blazor app.
@@ -52,13 +52,7 @@ Finally, because the app calls a protected API (in this case Microsoft Graph), i
 
 ## Create the app using the .NET CLI
 
-Run the following command to download the templates for `Microsoft.Identity.Web`, which we'll make use of in this tutorial.
-
-```dotnetcli
-dotnet new --install Microsoft.Identity.Web.ProjectTemplates
-```
-
-Then, run the following command to create the application. Replace the placeholders in the command with the proper information from your app's overview page and execute the command in a command shell. The output location specified with the `-o|--output` option creates a project folder if it doesn't exist and becomes part of the app's name.
+To create the application, run the following command. Replace the placeholders in the command with the proper information from your app's overview page and execute the command in a command shell. The output location specified with the `-o|--output` option creates a project folder if it doesn't exist and becomes part of the app's name.
 
 ```dotnetcli
 dotnet new blazorserver --auth SingleOrg --calls-graph -o {APP NAME} --client-id "{CLIENT ID}" --tenant-id "{TENANT ID}" --domain "{DOMAIN}" -f net7.0
@@ -208,5 +202,5 @@ After granting consent, navigate to the "Fetch data" page to read some email.
 
 Learn about calling building web apps that sign in users in our multi-part scenario series:
 
-> [!div class="nextstepaction"] 
+> [!div class="nextstepaction"]
 > [Scenario: Web app that signs in users](scenario-web-app-sign-user-overview.md)
@@ -1,14 +1,14 @@
 ---
-title: Secure standalone managed service accounts | Azure Active Directory
-description: A guide to securing standalone managed service accounts.
+title: Secure standalone managed service accounts
+description: Learn when to use, how to assess, and to secure standalone managed service accounts (sMSAs)
 services: active-directory
-author: janicericketts
+author: jricketts
 manager: martinco
 ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 08/20/2022
+ms.date: 02/08/2023
 ms.author: jricketts
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"
@@ -17,78 +17,75 @@ ms.collection: M365-identity-device-management
 
 # Secure standalone managed service accounts
 
-Standalone managed service accounts (sMSAs) are managed domain accounts that you use to help secure one or more services that run on a server. They can't be reused across multiple servers. sMSAs provide automatic password management, simplified service principal name (SPN) management, and the ability to delegate management to other administrators. 
+Standalone managed service accounts (sMSAs) are managed domain accounts that help secure services running on a server. They can't be reused across multiple servers. sMSAs have automatic password management, simplified service principal name (SPN) management, and delegated management to administrators. 
 
-In Active Directory, sMSAs are tied to a specific server that runs a service. You can find these accounts listed in the Active Directory Users and Computers snap-in of the Microsoft Management Console.
+In Active Directory (AD), sMSAs are tied to a server that runs a service. You can find accounts in the Active Directory Users and Computers snap-in in Microsoft Management Console.
 
-![Screenshot of the Active Directory users and computers snap-in showing the managed service accounts OU.](./media/securing-service-accounts/secure-standalone-msa-image-1.png)
+   ![Screenshot of a service name and type under Active Directory Users and Computers.](./media/securing-service-accounts/secure-standalone-msa-image-1.png)
 
-Managed service accounts were introduced with Windows Server 2008 R2 Active Directory Schema, and they require at least Windows Server 2008 R2. 
+> [!NOTE]
+> Managed service accounts were introduced in Windows Server 2008 R2 Active Directory Schema, and they require Windows Server 2008 R2, or a later version. 
 
-## Benefits of using sMSAs
+## sMSA benefits
 
-sMSAs offer greater security than user accounts that are used as service accounts. At the same time, to help reduce administrative overhead, they:
+sMSAs have greater security than user accounts used as service accounts. They help reduce administrative overhead:
 
-* **Set strong passwords**: sMSAs use 240-byte, randomly generated complex passwords. The complexity and length of sMSA passwords minimizes the likelihood of a service getting compromised by brute force or dictionary attacks.
+* Set strong passwords - sMSAs use 240 byte, randomly generated complex passwords
+  * The complexity minimizes the likelihood of compromise by brute force or dictionary attacks
+* Cycle passwords regularly - Windows changes the sMSA password every 30 days. 
+  * Service and domain administrators don’t need to schedule password changes or manage the associated downtime
+* Simplify SPN management - SPNs are updated if the domain functional level is Windows Server 2008 R2. The SPN is updated when you:
+  * Rename the host computer account
+  * Change the host computer domain name server (DNS) name
+  * Use PowerShell to add or remove other sam-accountname or dns-hostname parameters
+  * See, [Set-ADServiceAccount](/powershell/module/activedirectory/set-adserviceaccount)
 
-* **Cycle passwords regularly**: Windows automatically changes the sMSA password every 30 days. Service and domain administrators don’t need to schedule password changes or manage the associated downtime.
+## Using sMSAs
 
-* **Simplify SPN management**: Service principal names are automatically updated if the domain functional level is Windows Server 2008 R2. For instance, the service principal name is automatically updated when you:
-   * Rename the host computer account.  
-   * Change the domain name server (DNS) name of the host computer.  
-   * Add or remove other sam-accountname or dns-hostname parameters by using [PowerShell](/powershell/module/activedirectory/set-adserviceaccount).
-
-## When to use sMSAs
-
-sMSAs can simplify management and security tasks. Use sMSAs when you have one or more services deployed to a single server and you can't use a group managed service account (gMSA). 
+Use sMSAs to simplify management and security tasks. sMSAs are useful when services are deployed to a server and you can't use a group managed service account (gMSA). 
 
 > [!NOTE] 
-> Although you can use sMSAs for more than one service, we recommend that each service have its own identity for auditing purposes. 
+> You can use sMSAs for more than one service, but it's recommended that each service has an identity for auditing. 
 
-If the creator of the software can’t tell you whether it can use an MSA, you must test your application. To do so, create a test environment and ensure that it can access all required resources. For more information, see [Create and install an sMSA](/archive/blogs/askds/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting).
+If the software creator can’t tell you if the application uses an MSA, test the application. Create a test environment and ensure it accesses required resources. 
 
-### Assess the security posture of sMSAs
+Learn more: [Managed Service Accounts: Understanding, Implementing, Best Practices, and Troubleshooting](/archive/blogs/askds/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting)
 
-sMSAs are inherently more secure than standard user accounts, which require ongoing password management. However, it's important to consider sMSAs’ scope of access as part of their overall security posture.
+### Assess sMSA security posture
 
-To see how to mitigate potential security issues posed by sMSAs, refer to the following table:
+Consider the sMSA scope of access as part of the security posture. To mitigate potential security issues, see the following table:
 
 | Security issue| Mitigation |
 | - | - |
-| sMSA is a member of privileged groups. | <li>Remove the sMSA from elevated privileged groups, such as Domain Admins.<li>Use the *least privileged* model, and grant the sMSA only the rights and permissions it requires to run its services.<li>If you're unsure of the required permissions, consult the service creator. |
-| sMSA has read/write access to sensitive resources. | <li>Audit access to sensitive resources.<li>Archive audit logs to a Security Information and Event Management (SIEM) program, such as Azure Log Analytics or Microsoft Sentinel, for analysis.<li>Remediate resource permissions if an undesirable level of access is detected. |
-| By default, the sMSA password rollover frequency is 30 days. | You can use group policy to tune the duration, depending on enterprise security requirements. To set the password expiration duration, use the following path:<br>*Computer Configuration\Policies\Windows Settings\Security Settings\Security Options*. For domain member, use **Maximum machine account password age**. |
-| | |
-
+| sMSA is a member of privileged groups | - Remove the sMSA from elevated privileged groups, such as Domain Admins</br> - Use the least-privileged model </br> - Grant the sMSA rights and permissions to run its services</br> - If you're unsure about permissions, consult the service creator|
+| sMSA has read/write access to sensitive resources | - Audit access to sensitive resources</br> - Archive audit logs to a security information and event management (SIEM) program, such as Azure Log Analytics or Microsoft Sentinel </br> - Remediate resource permissions if an undesirable access is detected |
+| By default, the sMSA password rollover frequency is 30 days | Use group policy to tune the duration, depending on enterprise security requirements. To set the password expiration duration, go to:<br>Computer Configuration>Policies>Windows Settings>Security Settings>Security Options. For domain member, use **Maximum machine account password age**. |
 
-
-### Challenges with sMSAs
-
-The challenges associated with sMSAs are as follows:
+### sMSA challenges
+  
+Use the following table to associate challenges with mitigations.
 
 | Challenge| Mitigation |
 | - | - |
-| sMSAs can be used on a single server only. | Use a gMSA if you need to use the account across servers. |
-| sMSAs can't be used across domains. | Use a gMSA if you need to use the account across domains. |
-| Not all applications support sMSAs. | Use a gMSA if possible. Otherwise, use a standard user account or a computer account, as recommended by the application creator. |
-| | |
-
+| sMSAs are on a single server | Use a gMSA to use the account across servers |
+| sMSAs can't be used across domains | Use a gMSA to use the account across domains |
+| Not all applications support sMSAs| Use a gMSA, if possible. Otherwise, use a standard user account or a computer account, as recommended by the creator|
 
 ## Find sMSAs
 
-On any domain controller, run DSA.msc, and then expand the managed service accounts container to view all sMSAs. 
+On a domain controller, run DSA.msc, and then expand the managed service accounts container to view all sMSAs. 
 
 To return all sMSAs and gMSAs in the Active Directory domain, run the following PowerShell command: 
 
 `Get-ADServiceAccount -Filter *`
 
-To return only sMSAs in the Active Directory domain, run the following command:
+To return sMSAs in the Active Directory domain, run the following command:
 
 `Get-ADServiceAccount -Filter * | where { $_.objectClass -eq "msDS-ManagedServiceAccount" }`
 
 ## Manage sMSAs
 
-To manage your sMSAs, you can use the following Active Directory PowerShell cmdlets:
+To manage your sMSAs, you can use the following AD PowerShell cmdlets:
 
 `Get-ADServiceAccount`
 `Install-ADServiceAccount`
@@ -100,16 +97,17 @@ To manage your sMSAs, you can use the following Active Directory PowerShell cmdl
 
 ## Move to sMSAs
 
-If an application service supports sMSAs but not gMSAs, and you're currently using a user account or computer account for the security context, [Create and install an sMSA](/archive/blogs/askds/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting) on the server. 
+If an application service supports sMSAs, but not gMSAs, and you're using a user account or computer account for the security context, see</br>
+[Managed Service Accounts: Understanding, Implementing, Best Practices, and Troubleshooting](/archive/blogs/askds/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting).
 
-Ideally, you would move resources to Azure and use Azure Managed Identities or service principals.
+If possible, move resources to Azure and use Azure managed identities, or service principals.
 
 ## Next steps
 
-To learn more about securing service accounts, see the following articles:
+To learn more about securing service accounts, see:
 
-* [Introduction to on-premises service accounts](service-accounts-on-premises.md)  
+* [Securing on-premises service accounts](service-accounts-on-premises.md)  
 * [Secure group managed service accounts](service-accounts-group-managed.md)  
-* [Secure computer accounts](service-accounts-computer.md)  
-* [Secure user accounts](service-accounts-user-on-premises.md)  
+* [Secure on-premises computer accounts with AD](service-accounts-computer.md)  
+* [Secure user-based service accounts in AD](service-accounts-user-on-premises.md)  
 * [Govern on-premises service accounts](service-accounts-govern-on-premises.md)
@@ -125,6 +125,20 @@ creating a node pool to run Windows Server containers, the default value for `-V
 [restricted VM sizes][restricted-vm-sizes]. The minimum recommended size is **Standard_D2s_v3**. The
 previous command also uses the default subnet in the default vnet created when running `New-AzAksCluster`.
 
+## Add a Windows Server 2019 or Windows Server 2022 node pool
+
+AKS supports Windows Server 2019 and 2022 node pools. For Kubernetes version 1.25.0 and higher, Windows Server 2022 is the default operating system. For earlier Kubernetes versions, Windows Server 2019 is the default OS. To use Windows Server 2019, you need to specify the following parameters:
+- **osType** set the value to `Windows`
+- **osSKU** set the value to `Windows2019`
+
+> [!NOTE]
+> OsSKU requires PowerShell Az module version "9.2.0" or higher.
+> Windows Server 2022 requires Kubernetes version "1.23.0" or higher.
+
+```azurepowershell-interactive
+New-AzAksNodePool -ResourceGroupName myResourceGroup -ClusterName myAKSCluster -VmSetType VirtualMachineScaleSets -OsType Windows -OsSKU Windows2019 Windows -Name npwin
+```
+
 ## Connect to the cluster
 
 To manage a Kubernetes cluster, you use [kubectl][kubectl], the Kubernetes command-line client. If
 
@@ -37,7 +37,7 @@ This article walks through the steps in the Azure portal to create a custom Powe
 
     :::image type="content" source="media/export-api-power-platform/create-custom-connector.png" alt-text="Create custom connector to API in API Management":::
 
-Once the connector is created, navigate to your [Power Apps](https://make.powerapps.com) or [Power Automate](https://flow.microsoft.com) environment. You will see the API listed under **Data > Custom Connectors**.
+Once the connector is created, navigate to your [Power Apps](https://make.powerapps.com) or [Power Automate](https://make.powerautomate.com) environment. You will see the API listed under **Data > Custom Connectors**.
 
 :::image type="content" source="media/export-api-power-platform/custom-connector-power-app.png" alt-text="Custom connector in Power Platform":::
 
@@ -49,7 +49,7 @@ You can manage your custom connector in your Power Apps or Power Platform enviro
 1. Select the pencil (Edit) icon to edit and test the custom connector. 
 
 > [!NOTE]
-> To call the API from the Power Apps test console, you need to add the `https://flow.microsoft.com` URL as an origin to the [CORS policy](cors-policy.md) in your API Management instance.
+> To call the API from the Power Apps test console, you need to add the `https://make.powerautomate.com` URL as an origin to the [CORS policy](cors-policy.md) in your API Management instance.
 
 ## Update a custom connector
 
 
@@ -3,7 +3,7 @@ title: Configure custom domain suffix for App Service Environment
 description: Configure a custom domain suffix for the Azure App Service Environment.
 author: seligj95
 ms.topic: tutorial
-ms.date: 09/01/2022
+ms.date: 02/09/2023
 ms.author: jordanselig
 zone_pivot_groups: app-service-environment-portal-arm
 ---
@@ -61,7 +61,9 @@ The certificate for custom domain suffix must be stored in an Azure Key Vault. A
 
 :::image type="content" source="./media/custom-domain-suffix/key-vault-networking.png" alt-text="Screenshot of a sample networking page for key vault to allow custom domain suffix feature.":::
 
-Your certificate must be a wildcard certificate for the selected custom domain name. For example, *internal-contoso.com* would need a certificate covering **.internal-contoso.com*. If the certificate used custom domain suffix contains a Subject Alternate Name (SAN) entry for scm, for example **.scm.internal-contoso.com*, the scm site will also available using the custom domain suffix.
+Your certificate must be a wildcard certificate for the selected custom domain name. For example, *internal-contoso.com* would need a certificate covering **.internal-contoso.com*. If the certificate used by the custom domain suffix contains a Subject Alternate Name (SAN) entry for scm, for example **.scm.internal-contoso.com*, the scm site will also available using the custom domain suffix.
+
+If you rotate your certificate in Azure Key Vault, the App Service Environment will pick up the change within 24 hours.
 
 ::: zone pivot="experience-azp"