Merge branch 'MicrosoftDocs:main' into main

Author: gmndrg

.openpublishing.redirection.azure-monitor.json

@@ -216,6 +216,11 @@
             "redirect_url": "/azure/azure-monitor/visualize/workbooks-overview",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/visualize/workbooks-sample-links.md",
+            "redirect_url": "/azure/azure-monitor/visualize/workbooks-samples",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-monitor/visualize/view-designer-conversion-access.md",
             "redirect_url": "/azure/azure-monitor/visualize/workbooks-overview",

articles/active-directory/enterprise-users/licensing-service-plan-reference.md

@@ -101,7 +101,7 @@ For information about Conditional Access and Teams, see [Overview of security an
 
 Currently, B2B direct connect enables the Teams Connect shared channels feature. B2B direct connect users can access an external organization's Teams shared channel without having to switch tenants or sign in with a different account. The B2B direct connect user’s access is determined by the shared channel’s policies.
 
-In the resource organization, the Teams shared channel owner can search within Teams for users from an external organization and add them to the shared channel. After they're added, the B2B direct connect users can access the shared channel from within their home instance of Teams, where they collaborate using features such as chat, calls, file-sharing, and app-sharing.  For details, see [Overview of teams and channels in Microsoft Teams](/microsoftteams/teams-channels-overview).For details about the resources, files, and applications, that are available to the B2B direct connect user via the Teams shared channel, refer to [Chat, teams, channels, & apps in Microsoft Teams](/microsoftteams/deploy-chat-teams-channels-microsoft-teams-landing-page).
+In the resource organization, the Teams shared channel owner can search within Teams for users from an external organization and add them to the shared channel. After they're added, the B2B direct connect users can access the shared channel from within their home instance of Teams, where they collaborate using features such as chat, calls, file-sharing, and app-sharing.  For details, see [Overview of teams and channels in Microsoft Teams](/microsoftteams/teams-channels-overview). For details about the resources, files, and applications, that are available to the B2B direct connect user via the Teams shared channel, refer to [Chat, teams, channels, & apps in Microsoft Teams](/microsoftteams/deploy-chat-teams-channels-microsoft-teams-landing-page).
 
 ## B2B direct connect vs. B2B collaboration
 

articles/active-directory/external-identities/b2b-direct-connect-overview.md

@@ -81,7 +81,7 @@ When a user clicks the **Accept invitation** link in an [invitation email](invit
 
 ![Screenshot showing the redemption flow diagram](media/redemption-experience/invitation-redemption-flow.png)
 
-**If the user’s User Principal Name (UPN) matches with both an existing Azure AD and personal MSA account, the user will be prompted to choose which account they want to redeem with.*
+**If the user’s User Principal Name (UPN) matches with both an existing Azure AD and personal MSA account, the user will be prompted to choose which account they want to redeem with. If Email OTP is enabled, existing unmanaged "viral" Azure AD accounts will be ignored (See step #9).*
 
 1. Azure AD performs user-based discovery to determine if the user exists in an [existing Azure AD tenant](./what-is-b2b.md#easily-invite-guest-users-from-the-azure-ad-portal).
 
@@ -137,4 +137,4 @@ If you see an error that requires admin consent while accessing an application,
 - [Add Azure Active Directory B2B collaboration users in the Azure portal](add-users-administrator.md)
 - [How do information workers add B2B collaboration users to Azure Active Directory?](add-users-information-worker.md)
 - [Add Azure Active Directory B2B collaboration users by using PowerShell](customize-invitation-api.md#powershell)
-- [Leave an organization as a guest user](leave-the-organization.md)
+- [Leave an organization as a guest user](leave-the-organization.md)

articles/active-directory/external-identities/redemption-experience.md

@@ -52,7 +52,18 @@ It's recommended that you follow the [swing migration](how-to-upgrade-previous-v
 >[!NOTE]  
 > If you are using an older build of group writeback in Azure AD Connect, the M365 groups being written back as universal distribution groups, will continue to be written back.  The new version of group writeback is backwards compatible.   
 
-## Enable group writeback using Azure AD Connect
+## Enable group writeback
+Enabling group writeback's new features is a two step process.  One step is done via Azure AD Connect.  This step enables the original group writeback features.  The second one is done using PowerShell and enables the new writeback features once the original features are enabled.  To enable group writeback complete the steps in the table below
+
+Steps|Description|
+|-----|-----|
+|[Enable group writeback using Azure AD Connect](#enable-group-writeback-using-azure-ad-connect)|Enables group writeback with the original features included in Azure AD Connect.  That is, it will writeback M365 groups as distribution groups. This option is **only** available if you have Exchange present in your on-premises Active Directory.|
+|[Enabling group writeback using PowerShell](#enable-group-writeback-using-powershell)|Enables the new group writeback features outlined in this article.
+
+>[!NOTE]
+>You must enable group writeback via Azure AD Connect before enabling group writeback via PowerShell to receive the new features outlined in this article.  You must do both and in the correct order.
+
+### Enable group writeback using Azure AD Connect
 
 To enable group writeback, use the following steps:
 
@@ -86,7 +97,7 @@ To enable group writeback, use the following steps:
 
 For more information on configuring the Microsoft 365 groups, see [Configure Microsoft 365 Groups with on-premises Exchange hybrid](/exchange/hybrid-deployment/set-up-microsoft-365-groups#enable-group-writeback-in-azure-ad-connect).
 
-## Enabling group writeback using PowerShell
+### Enable group writeback using PowerShell
 
 To enable group writeback via PowerShell:
 

articles/active-directory/hybrid/how-to-connect-group-writeback-v2.md

@@ -23,7 +23,7 @@ ms.custom: devx-track-azurepowershell
 Managed identities for Azure resources provide Azure services with an identity in Azure Active Directory. They work without needing credentials in your code. Azure services use this identity to authenticate to services that support Azure AD authentication. Application roles provide a form of role-based access control, and allow a service to implement authorization rules.
 
 > [!NOTE]
-> The tokens which your application receives are cached by the underlying infrastructure, which means that any changes to the managed identity's roles can take significant time to take effect. For more information, see [Limitation of using managed identities for authorization](managed-identity-best-practice-recommendations.md#limitation-of-using-managed-identities-for-authorization).
+> The tokens that your application receives are cached by the underlying infrastructure, which means that any changes to the managed identity's roles can take significant time to take effect. For more information, see [Limitation of using managed identities for authorization](managed-identity-best-practice-recommendations.md#limitation-of-using-managed-identities-for-authorization).
 
 In this article, you learn how to assign a managed identity to an application role exposed by another application using Azure AD PowerShell.
 
@@ -33,40 +33,50 @@ In this article, you learn how to assign a managed identity to an application ro
 - If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before continuing.
 - To run the example scripts, you have two options:
     - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top-right corner of code blocks.
-    - Run scripts locally by installing the latest version of [the Az PowerShell module](/powershell/azure/install-az-ps) and the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started).
+    - Run scripts locally by installing the latest version of [the Az PowerShell module](/powershell/azure/install-az-ps). You can also use the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started).
 
 ## Assign a managed identity access to another application's app role
 
 1. Enable managed identity on an Azure resource, [such as an Azure VM](qs-configure-powershell-windows-vm.md).
 
 1. Find the object ID of the managed identity's service principal.
 
-   **For a system-assigned managed identity**, you can find the object ID on the Azure portal on the resource's **Identity** page. You can also use the following PowerShell script to find the object ID. You'll need the resource ID of the resource you created in step 1, which is available in the Azure portal on the resource's **Properties** page.
+    **For a system-assigned managed identity**, you can find the object ID on the Azure portal on the resource's **Identity** page. You can also use the following PowerShell script to find the object ID. You'll need the resource ID of the resource you created in step 1, which is available in the Azure portal on the resource's **Properties** page.
 
-    ```powershell
-    $resourceIdWithManagedIdentity = '/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.Compute/virtualMachines/{my virtual machine name}'
-    (Get-AzResource -ResourceId $resourceIdWithManagedIdentity).Identity.PrincipalId
-    ```
+     ```powershell
+     $resourceIdWithManagedIdentity = '/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.Compute/virtualMachines/{my virtual machine name}'
+     (Get-AzResource -ResourceId $resourceIdWithManagedIdentity).Identity.PrincipalId
+     ```
 
-    **For a user-assigned managed identity**, you can find the managed identity's object ID on the Azure portal on the resource's **Overview** page. You can also use the following PowerShell script to find the object ID. You'll need the resource ID of the user-assigned managed identity.
+     **For a user-assigned managed identity**, you can find the managed identity's object ID on the Azure portal on the resource's **Overview** page. You can also use the following PowerShell script to find the object ID. You'll need the resource ID of the user-assigned managed identity.
 
-    ```powershell
-    $userManagedIdentityResourceId = '/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{my managed identity name}'
-    (Get-AzResource -ResourceId $userManagedIdentityResourceId).Properties.PrincipalId
-    ```
+     ```powershell
+     $userManagedIdentityResourceId = '/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{my managed identity name}'
+     (Get-AzResource -ResourceId $userManagedIdentityResourceId).Properties.PrincipalId
+     ```
 
 1. Create a new application registration to represent the service that your managed identity will send a request to. If the API or service that exposes the app role grant to the managed identity already has a service principal in your Azure AD tenant, skip this step. For example, if you want to grant the managed identity access to the Microsoft Graph API, you can skip this step.
 
 1. Find the object ID of the service application's service principal. You can find this using the Azure portal. Go to Azure Active Directory and open the **Enterprise applications** page, then find the application and look for the **Object ID**. You can also find the service principal's object ID by its display name using the following PowerShell script:
 
+    # [Azure PowerShell](#tab/azurepowershell)
+
+    ```powershell
+    $serverServicePrincipalObjectId = (Get-AzureADServicePrincipal -Filter "DisplayName eq '$applicationName'").ObjectId
+    ```
+
+    # [Microsoft Graph](#tab/microsoftgraph)
+
     ```powershell
     $serverServicePrincipalObjectId = (Get-MgServicePrincipal -Filter "DisplayName eq '$applicationName'").Id
     ```
 
+    ---
+
     > [!NOTE]
     > Display names for applications are not unique, so you should verify that you obtain the correct application's service principal.
 
-1. Add an [app role](../develop/howto-add-app-roles-in-azure-ad-apps.md) to the application you created in step 3. You can create the role using the Azure portal or using Microsoft Graph. For example, you could add an app role like this:
+1. Add an [app role](../develop/howto-add-app-roles-in-azure-ad-apps.md) to the application you created in step 3. You can create the role using the Azure portal or by using Microsoft Graph. For example, you could add an app role like this:
 
     ```json
     {
@@ -88,6 +98,18 @@ In this article, you learn how to assign a managed identity to an application ro
    
    Execute the following PowerShell command to add the role assignment:
 
+    # [Azure PowerShell](#tab/azurepowershell)
+
+    ```powershell
+    New-AzureADServiceAppRoleAssignment `
+        -ObjectId $managedIdentityObjectId `
+        -Id $appRoleId `
+        -PrincipalId $managedIdentityObjectId `
+        -ResourceId $serverServicePrincipalObjectId
+    ```
+
+    # [Microsoft Graph](#tab/microsoftgraph)
+
     ```powershell
     New-MgServicePrincipalAppRoleAssignment `
         -ServicePrincipalId $managedIdentityObjectId `
@@ -96,10 +118,51 @@ In this article, you learn how to assign a managed identity to an application ro
         -AppRoleId $appRoleId
     ```
 
+    ---
+
 ## Complete script
 
 This example script shows how to assign an Azure web app's managed identity to an app role.
 
+# [Azure PowerShell](#tab/azurepowershell)
+
+```powershell
+# Install the module. This step requires you to be an administrator on your machine.
+# Install-Module AzureAD
+
+# Your tenant ID (in the Azure portal, under Azure Active Directory > Overview).
+$tenantID = '<tenant-id>'
+
+# The name of your web app, which has a managed identity that should be assigned to the server app's app role.
+$webAppName = '<web-app-name>'
+$resourceGroupName = '<resource-group-name-containing-web-app>'
+
+# The name of the server app that exposes the app role.
+$serverApplicationName = '<server-application-name>' # For example, MyApi
+
+# The name of the app role that the managed identity should be assigned to.
+$appRoleName = '<app-role-name>' # For example, MyApi.Read.All
+
+# Look up the web app's managed identity's object ID.
+$managedIdentityObjectId = (Get-AzWebApp -ResourceGroupName $resourceGroupName -Name $webAppName).identity.principalid
+
+Connect-AzureAD -TenantId $tenantID
+
+# Look up the details about the server app's service principal and app role.
+$serverServicePrincipal = (Get-AzureADServicePrincipal -Filter "DisplayName eq '$serverApplicationName'")
+$serverServicePrincipalObjectId = $serverServicePrincipal.Id
+$appRoleId = ($serverServicePrincipal.AppRoles | Where-Object {$_.Value -eq $appRoleName }).Id
+
+# Assign the managed identity access to the app role.
+New-AzureADServiceAppRoleAssignment `
+    -ObjectId $managedIdentityObjectId `
+    -Id $appRoleId `
+    -PrincipalId $managedIdentityObjectId `
+    -ResourceId $serverServicePrincipalObjectId
+```
+
+# [Microsoft Graph](#tab/microsoftgraph)
+
 ```powershell
 # Install the module.
 # Install-Module Microsoft.Graph -Scope CurrentUser
@@ -135,6 +198,8 @@ New-MgServicePrincipalAppRoleAssignment `
     -AppRoleId $appRoleId
 ```
 
+---
+
 ## Next steps
 
 - [Managed identity for Azure resources overview](overview.md)

articles/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell.md

@@ -1,7 +1,7 @@
 ---
 title: Azure Policy Regulatory Compliance controls for Azure Kubernetes Service (AKS)
 description: Lists Azure Policy Regulatory Compliance controls available for Azure Kubernetes Service (AKS). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources.
-ms.date: 06/16/2022
+ms.date: 07/06/2022
 ms.topic: sample
 ms.service: container-service
 ms.custom: subject-policy-compliancecontrols

articles/aks/security-controls-policy.md

@@ -186,7 +186,7 @@ If `identity-type=jwt` is configured, a JWT token is required to be validated. T
 | authorization-id | The authorization resource identifier. | Yes |   |
 | context-variable-name | The name of the context variable to receive the [`Authorization` object](#authorization-object). | Yes |   |
 | identity-type | Type of identity to be checked against the authorization access policy. <br> - `managed`: managed identity of the API Management service. <br> - `jwt`: JWT bearer token specified in the `identity` attribute. | No | managed |
-| identity | An Azure AD JWT bearer token to be checked against the authorization permissions. Ignored for `identity-type` other than `jwt`. <br><br>Expected claims: <br> - audience: https://azure-api.net/authorization-manager <br> - `oid`: Permission object ID <br> - `tid`: Permission tenant ID | No |   |
+| identity | An Azure AD JWT bearer token to be checked against the authorization permissions. Ignored for `identity-type` other than `jwt`. <br><br>Expected claims: <br> - audience: `https://azure-api.net/authorization-manager` <br> - `oid`: Permission object ID <br> - `tid`: Permission tenant ID | No |   |
 | ignore-error | Boolean. If acquiring the authorization context results in an error (for example, the authorization resource is not found or is in an error state): <br> - `true`: the context variable is assigned a value of null. <br> - `false`: return `500` | No | false |
 
 ### Authorization object