Merge pull request #189551 from MicrosoftDocs/main

2/23 PM Publish

Author: huypub

.openpublishing.publish.config.json

@@ -884,6 +884,7 @@
     "articles/azure-video-analyzer/.openpublishing.redirection.azure-video-analyzer.json",
     "articles/virtual-machines/.openpublishing.redirection.virtual-machines.json",
     "articles/virtual-machine-scale-sets/.openpublishing.redirection.virtual-machine-scale-sets.json",
-    "articles/mysql/.openpublishing.redirection.mysql.json"
+    "articles/mysql/.openpublishing.redirection.mysql.json",
+    "articles/container-apps/.openpublishing.redirection.container-apps.json"
   ]
 }

CONTRIBUTING.md

@@ -2,7 +2,7 @@
 
 Thank you for taking the time to contribute to the Microsoft Azure documentation.
 
-This guide covers some general topics related to contribution and refers to the [contributors guide](/contribute) for more detailed explanations when required.
+This guide covers some general topics related to contribution and refers to the [contributors guide](https://docs.microsoft.com/contribute) for more detailed explanations when required.
 
 ## Code of Conduct
 
@@ -25,4 +25,4 @@ Follow the guidance for [Quick edits to existing documents](/contribute/#quick-e
 
 ### Pull Request
 
-Review the guidance for [Pull Requests](/contribute/how-to-write-workflows-major#pull-request-processing) in our contributors guide.
+Review the guidance for [Pull Requests](/contribute/how-to-write-workflows-major#pull-request-processing) in our contributors guide.

articles/active-directory/authentication/how-to-authentication-find-coverage-gaps.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 11/03/2021
+ms.date: 02/22/2022
 
 ms.author: justinha
 author: inbarckMS 
@@ -17,15 +17,15 @@ ms.collection: M365-identity-device-management
 ---
 # Find and address gaps in strong authentication coverage for your administrators
 
-Requiring multi-factor authentication (MFA) for the administrators in your tenant is one of the first steps you can take to increase the security of your tenant. In this article, we'll cover how to make sure all of your administrators are covered by multi-factor authentication.
+Requiring multifactor authentication (MFA) for the administrators in your tenant is one of the first steps you can take to increase the security of your tenant. In this article, we'll cover how to make sure all of your administrators are covered by multifactor authentication.
 
 ## Detect current usage for Azure AD Built-in administrator roles
 
 The [Azure AD Secure Score](../fundamentals/identity-secure-score.md) provides a score for **Require MFA for administrative roles** in your tenant. This improvement action tracks the MFA usage of Global administrator, Security administrator, Exchange administrator, and SharePoint administrator. 
 
 There are different ways to check if your admins are covered by an MFA policy. 
 
-- To troubleshoot sign-in for a specific administrator, you can use the sign-in logs. The sign-in logs let you filter **Authentication requirement** for specific users. Any sign-in where **Authentication requirement** is **Single-factor authentication** means there was no multi-factor authentication policy that was required for the sign-in.
+- To troubleshoot sign-in for a specific administrator, you can use the sign-in logs. The sign-in logs let you filter **Authentication requirement** for specific users. Any sign-in where **Authentication requirement** is **Single-factor authentication** means there was no multifactor authentication policy that was required for the sign-in.
 
   ![Screenshot of the sign-in log.](./media/how-to-authentication-find-coverage-gaps/auth-requirement.png)
 
@@ -35,23 +35,23 @@ There are different ways to check if your admins are covered by an MFA policy.
 
 - To choose which policy to enable based on your user licenses, we have a new MFA enablement wizard to help you [compare MFA policies](concept-mfa-licensing.md#compare-multi-factor-authentication-policies) and see which steps are right for your organization. The wizard shows administrators who were protected by MFA in the last 30 days.
 
-  ![Screenshot of the Multi-factor authentication enablement wizard.](./media/how-to-authentication-find-coverage-gaps/wizard.png)
+  ![Screenshot of the multifactor authentication enablement wizard.](./media/how-to-authentication-find-coverage-gaps/wizard.png)
 
-- To programmatically create a report listing all users with Admins roles in your tenant and their strong authentication status, you can run a [PowerShell script](https://github.com/microsoft/AzureADToolkit/blob/main/src/Find-AADToolkitUnprotectedUsersWithAdminRoles.ps1). This script enumerates all permanent and eligible built-in and custom role assignments as well as groups with roles assigned, and finds users that are either not registered for MFA or not signing in with MFA by evaluating their authentication methods and their sign-in activity.
+- You can run [this script](https://github.com/microsoft/AzureADToolkit/blob/main/src/Find-AADToolkitUnprotectedUsersWithAdminRoles.ps1) to programmatically generate a report of all users with directory role assignments who have signed in with or without MFA in the last 30 days. This script will enumerate all active built-in and custom role assignments, all eligible built-in and custom role assignments, and groups with roles assigned.
 
-## Enforce multi-factor authentication on your administrators
+## Enforce multifactor authentication on your administrators
 
-Based on gaps you found, require administrators to use multi-factor authentication in one of the following ways:
+If you find administrators who aren't protected by multifactor authentication, you can protect them in one of the following ways:
 
 - If your administrators are licensed for Azure AD Premium, you can [create a Conditional Access policy](tutorial-enable-azure-mfa.md) to enforce MFA for administrators. You can also update this policy to require MFA from users who are in custom roles.  
 
 - Run the [MFA enablement wizard](https://aka.ms/MFASetupGuide) to choose your MFA policy.
 
-- If you assign custom or built-in admin roles in [Privileged Identity Management](../privileged-identity-management/pim-configure.md), require multi-factor authentication upon role activation.
+- If you assign custom or built-in admin roles in [Privileged Identity Management](../privileged-identity-management/pim-configure.md), require multifactor authentication upon role activation.
 
 ## Use Passwordless and phishing resistant authentication methods for your administrators
 
-After your admins are enforced for multi-factor authentication and have been using it for a while, it is time to raise the bar on strong authentication and use Passwordless and phishing resistant authentication method: 
+After your admins are enforced for multifactor authentication and have been using it for a while, it is time to raise the bar on strong authentication and use Passwordless and phishing resistant authentication method: 
 
 - [Phone Sign-in (with Microsoft Authenticator)](concept-authentication-authenticator-app.md)
 - [FIDO2](concept-authentication-passwordless.md#fido2-security-keys)

articles/active-directory/authentication/how-to-mfa-number-match.md

@@ -4,7 +4,7 @@ description: Learn how to use number matching in MFA notifications
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 11/17/2021
+ms.date: 02/23/2022
 ms.author: justinha
 author: mjsantani
 ms.collection: M365-identity-device-management
@@ -37,6 +37,9 @@ Number matching is available for the following scenarios. When enabled, all scen
 - [AD FS adapter](howto-mfaserver-adfs-windows-server.md)
 - [NPS extension](howto-mfa-nps-extension.md)
 
+>[!NOTE]
+>For passwordless users, enabling number matching has no impact because it's already part of the passwordless experience. 
+
 ### Multifactor authentication
 
 When a user responds to an MFA push notification using Microsoft Authenticator, they will be presented with a number. They need to type that number into the app to complete the approval. 
@@ -240,10 +243,6 @@ To enable number matching in the Azure AD portal, complete the following steps:
    ![Screenshot of enabling number match.](media/howto-authentication-passwordless-phone/enable-number-matching.png)
 
 
-## Known issues
-
-- Number matching for admin roles during SSPR is pending and unavailable for a couple days.
-
 ## Next steps
 
 [Authentication methods in Azure Active Directory - Microsoft Authenticator app](concept-authentication-authenticator-app.md)

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

@@ -299,11 +299,11 @@ This Exit code translates to `DSREG_AUTOJOIN_DISC_FAILED` because the extension
 
 1. Verify the required endpoints are accessible from the VM using PowerShell:
 
-   - `curl https://login.microsoftonline.com/ -D -`
-   - `curl https://login.microsoftonline.com/<TenantID>/ -D -`
-   - `curl https://enterpriseregistration.windows.net/ -D -`
-   - `curl https://device.login.microsoftonline.com/ -D -`
-   - `curl https://pas.windows.net/ -D -`
+   - `curl https://login.microsoftonline.com// -D`
+   - `curl https://login.microsoftonline.com/<TenantID>// -D`
+   - `curl https://enterpriseregistration.windows.net// -D`
+   - `curl https://device.login.microsoftonline.com// -D`
+   - `curl https://pas.windows.net// -D`
 
    > [!NOTE]
    > Replace `<TenantID>` with the Azure AD Tenant ID that is associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name to get the directory / tenant ID, or select **Azure Active Directory > Properties > Directory ID** in the Azure portal.<br/>`enterpriseregistration.windows.net` and `pas.windows.net` should return 404 Not Found, which is expected behavior.

articles/active-directory/devices/media/device-management-azure-portal/all-devices-azure-portal.png

@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: overview
-ms.date: 02/07/2022
+ms.date: 02/23/2022
 ms.author: mimart
 author: msmimart
 manager: celestedg
@@ -53,9 +53,9 @@ Learn more about [B2B collaboration in Azure AD](what-is-b2b.md).
 
 Azure AD B2C is a Customer Identity and Access Management (CIAM) solution that lets you build user journeys for consumer- and customer-facing apps. If you're a business or individual developer creating customer-facing apps, you can scale to millions of consumers, customers, or citizens by using Azure AD B2C. Developers can use Azure AD B2C as the full-featured CIAM system for their applications.
 
-With Azure AD B2C, customers can sign in with an identity they've already established (like Facebook or Gmail). With Azure AD B2C, you can completely customize and control how customers sign up, sign in, and manage their profiles when using your applications. For more information, see the Azure AD B2C documentation.
+With Azure AD B2C, customers can sign in with an identity they've already established (like Facebook or Gmail). You can completely customize and control how customers sign up, sign in, and manage their profiles when using your applications. 
 
-Learn more about [Azure AD B2C](../../active-directory-b2c/index.yml).
+Although Azure AD B2C is built on the same technology as Azure AD, it's a separate service with some feature differences. For more information about how an Azure AD B2C tenant differs from an Azure AD tenant, see [Supported Azure AD features](../../active-directory-b2c/supported-azure-ad-features.md) in the [Azure AD B2C documentation](../../active-directory-b2c/index.yml).
 
 ## Comparing External Identities feature sets
 

articles/active-directory/external-identities/external-identities-overview.md

@@ -120,7 +120,7 @@ To ensure interoperability of your credentials, it's recommended that you work c
         {
           "mapping": {
             "first_name": {
-              "claim": "$.vc.credentialSubject.firstName",
+              "claim": "$.vc.credentialSubject.firstName"
             },
             "last_name": {
               "claim": "$.vc.credentialSubject.lastName",
@@ -143,7 +143,7 @@ To ensure interoperability of your credentials, it's recommended that you work c
     "vc": {
       "type": [
         "ProofOfNinjaNinja"
-      ],
+      ]
     }
   }
   ```

articles/active-directory/verifiable-credentials/credential-design.md

@@ -62,6 +62,7 @@ The following limitations apply when you integrate Azure Dedicated Host with Azu
 
 * An existing agent pool can't be converted from non-ADH to ADH or ADH to non-ADH.
 * It is not supported to update agent pool from host group A to host group B.
+* Fault domain count can only be 1.
 
 ## Add a Dedicated Host Group to an AKS cluster
 
@@ -80,7 +81,7 @@ Not all host SKUs are available in all regions, and availability zones. You can
 az vm list-skus -l eastus2  -r hostGroups/hosts  -o table
 ```
 
-## Add Dedicated Hosts to the Host Group
+## Create a Host Group
 
 Now create a dedicated host in the host group. In addition to a name for the host, you are required to provide the SKU for the host. Host SKU captures the supported VM series as well as the hardware generation for your dedicated host.
 
@@ -95,7 +96,40 @@ az vm host group create \
 --name myHostGroup \
 -g myDHResourceGroup \
 -z 1\
---platform-fault-domain-count 2
+--platform-fault-domain-count 1
+```
+
+## Create a Dedicated Host
+
+Now create a dedicated host in the host group. In addition to a name for the host, you are required to provide the SKU for the host. Host SKU captures the supported VM series as well as the hardware generation for your dedicated host.
+
+If you set a fault domain count for your host group, you will need to specify the fault domain for your host.
+
+```azurecli-interactive
+az vm host create \
+--host-group myHostGroup \
+--name myHost \
+--sku DSv3-Type1 \
+--platform-fault-domain 1 \
+-g myDHResourceGroup
+```
+
+## Use a user-assigned Identity
+
+> [!IMPORTANT]
+> A user-assigned Identity with "contributor" role on the Resource Group of the Host Group is required.
+>
+
+First, create a Managed Identity
+
+```azurecli-interactive
+az identity create -g <Resource Group> -n <Managed Identity name>
+```
+
+Assign Managed Identity
+
+```azurecli-interactive
+az role assignment create --assignee <id> --role "Storage Account Key Operator Service Role" --scope <Resource id>
 ```
 
 ## Create an AKS cluster using the Host Group