Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/active-directory-b2c/add-api-connector-token-enrichment.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 08/29/2021
+ms.date: 11/09/2021
 ms.author: kengaderdus
 ms.subservice: B2C
 zone_pivot_groups: b2c-policy-type
@@ -248,7 +248,7 @@ After you deploy your REST API, set the metadata of the `REST-GetProfile` techni
 - **ServiceUrl**. Set the URL of the REST API endpoint.
 - **SendClaimsIn**. Specify how the input claims are sent to the RESTful claims provider.
 - **AuthenticationType**. Set the type of authentication being performed by the RESTful claims provider such as `Basic` or `ClientCertificate` 
-- **AllowInsecureAuthInProduction**. In a production environment, make sure to set this metadata to `false`
+- **AllowInsecureAuthInProduction**. In a production environment, make sure to set this metadata to `false`.
 
 See the [RESTful technical profile metadata](restful-technical-profile.md#metadata) for more configurations.
 

articles/active-directory-b2c/custom-email-mailjet.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 09/15/2021
+ms.date: 11/10/2021
 ms.author: kengaderdus
 ms.subservice: B2C
 zone_pivot_groups: b2c-policy-type
@@ -174,6 +174,8 @@ With a Mailjet account created and the Mailjet API key stored in an Azure AD B2C
 1. From the right-top select **Save & Publish**, and then **Yes, publish changes**
 1. Record the **Template ID** of template you created for use in a later step. You specify this ID when you [add the claims transformation](#add-the-claims-transformation).
 
+[!INCLUDE [active-directory-b2c-important-for-custom-email-provider](../../includes/active-directory-b2c-important-for-custom-email-provider.md)]
+
 ## Add Azure AD B2C claim types
 
 In your policy, add the following claim types to the `<ClaimsSchema>` element within `<BuildingBlocks>`.
@@ -397,7 +399,7 @@ As with the OTP technical profiles, add the following technical profiles to the
 
 ## Make a reference to the DisplayControl
 
-In the final step, add a reference to the DisplayControl you created. Replace your existing `LocalAccountSignUpWithLogonEmail` and `LocalAccountDiscoveryUsingEmailAddress` self-asserted technical profiles with the following. If you used an earlier version of Azure AD B2C policy. These technical profiles use `DisplayClaims` with a reference to the DisplayControl..
+In the final step, add a reference to the DisplayControl you created. Override your existing `LocalAccountSignUpWithLogonEmail` and `LocalAccountDiscoveryUsingEmailAddress` self-asserted technical profiles that are configured in the base policy with the following XML snippet. If you used an earlier version of Azure AD B2C policy, these technical profiles use `DisplayClaims` with a reference to the `DisplayControl`.
 
 For more information, see [Self-asserted technical profile](restful-technical-profile.md) and [DisplayControl](display-controls.md).
 
@@ -472,7 +474,7 @@ To localize the email, you must send localized strings to Mailjet, or your email
     <!--
     <BuildingBlocks> -->
       <Localization Enabled="true">
-        <SupportedLanguages DefaultLanguage="en" MergeBehavior="Append">
+        <SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll">
           <SupportedLanguage>en</SupportedLanguage>
           <SupportedLanguage>es</SupportedLanguage>
         </SupportedLanguages>
@@ -567,9 +569,7 @@ The Localization element allows you to support multiple locales or languages in
 
 ## Next steps
 
-You can find an example of a custom email verification policy on GitHub:
-
-- [Custom email verification - DisplayControls](https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-email-verifcation-displaycontrol)
+- You can find an example of a [Custom email verification - DisplayControls](https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-email-verifcation-displaycontrol/policy/Mailjet) custom policy on GitHub.
 - For information about using a custom REST API or any HTTP-based SMTP email provider, see [Define a RESTful technical profile in an Azure AD B2C custom policy](restful-technical-profile.md).
 
 ::: zone-end

articles/active-directory-b2c/custom-email-sendgrid.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 09/15/2021
+ms.date: 11/10/2021
 ms.author: kengaderdus
 ms.subservice: B2C
 zone_pivot_groups: b2c-policy-type
@@ -164,6 +164,9 @@ With a SendGrid account created and SendGrid API key stored in an Azure AD B2C p
 1. Return to the **Transactional Templates** page by selecting the back arrow.
 1. Record the **ID** of template you created for use in a later step. For example, `d-989077fbba9746e89f3f6411f596fb96`. You specify this ID when you [add the claims transformation](#add-the-claims-transformation).
 
+
+[!INCLUDE [active-directory-b2c-important-for-custom-email-provider](../../includes/active-directory-b2c-important-for-custom-email-provider.md)]
+
 ## Add Azure AD B2C claim types
 
 In your policy, add the following claim types to the `<ClaimsSchema>` element within `<BuildingBlocks>`.
@@ -384,7 +387,7 @@ As with the OTP technical profiles, add the following technical profiles to the
 
 ## Make a reference to the DisplayControl
 
-In the final step, add a reference to the DisplayControl you created. Replace your existing `LocalAccountSignUpWithLogonEmail` and `LocalAccountDiscoveryUsingEmailAddress` self-asserted technical profiles with the following. If you used an earlier version of Azure AD B2C policy. These technical profiles use `DisplayClaims` with a reference to the DisplayControl.
+In the final step, add a reference to the DisplayControl you created. Override your existing `LocalAccountSignUpWithLogonEmail` and `LocalAccountDiscoveryUsingEmailAddress` self-asserted technical profiles that are configured in the base policy with the following XML snippet. If you used an earlier version of Azure AD B2C policy, these technical profiles use `DisplayClaims` with a reference to the `DisplayControl`.
 
 For more information, see [Self-asserted technical profile](restful-technical-profile.md) and [DisplayControl](display-controls.md).
 
@@ -455,7 +458,7 @@ To localize the email, you must send localized strings to SendGrid, or your emai
     <!--
     <BuildingBlocks> -->
       <Localization Enabled="true">
-        <SupportedLanguages DefaultLanguage="en" MergeBehavior="Append">
+        <SupportedLanguages DefaultLanguage="en" MergeBehavior="ReplaceAll">
           <SupportedLanguage>en</SupportedLanguage>
           <SupportedLanguage>es</SupportedLanguage>
         </SupportedLanguages>
@@ -552,9 +555,7 @@ The Localization element allows you to support multiple locales or languages in
 
 ## Next steps
 
-You can find an example of a custom email verification policy on GitHub:
-
-- [Custom email verification - DisplayControls](https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-email-verifcation-displaycontrol)
+- You can find an example of [Custom email verification - DisplayControls custom policy](https://github.com/azure-ad-b2c/samples/tree/master/policies/custom-email-verifcation-displaycontrol/policy/SendGrid) on GitHub.
 - For information about using a custom REST API or any HTTP-based SMTP email provider, see [Define a RESTful technical profile in an Azure AD B2C custom policy](restful-technical-profile.md).
 
 ::: zone-end

articles/active-directory-b2c/saml-service-provider.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 10/05/2021
+ms.date: 11/12/2021
 ms.author: kengaderdus
 ms.subservice: B2C
 ms.custom: fasttrack-edit

articles/active-directory/conditional-access/concept-continuous-access-evaluation.md

@@ -73,7 +73,7 @@ This process enables the scenario where users lose access to organizational file
 
 | | OneDrive web | OneDrive Win32 | OneDrive iOS | OneDrive Android | OneDrive Mac |
 | :--- | :---: | :---: | :---: | :---: | :---: |
-| **SharePoint Online** | Supported | Supported | Supported | Supported | Supported |
+| **SharePoint Online** | Supported | Not Supported | Supported | Supported | Not Supported |
 
 | | Teams web | Teams Win32 | Teams iOS | Teams Android | Teams Mac |
 | :--- | :---: | :---: | :---: | :---: | :---: |

articles/active-directory/devices/azuread-joined-devices-frx.md

@@ -11,7 +11,7 @@ ms.date: 06/28/2019
 ms.author: joflore
 author: MicrosoftGuyJFlo
 manager: karenhoran
-ms.reviewer: jairoc
+ms.reviewer: ravenn
 
 #Customer intent: As a user, I want to join my corporate device during a first-run so that I can access my corporate resources 
 
@@ -21,7 +21,7 @@ ms.collection: M365-identity-device-management
 
 With device management in Azure Active Directory (Azure AD), you can ensure that your users are accessing your resources from devices that meet your standards for security and compliance. For more information, see the [introduction to device management in Azure Active Directory](overview.md).
 
-With Windows 10, You can join a new device to Azure AD during the first-run experience (FRX).  
+With Windows 10, You can join a new device to Azure AD during the first-run out-of-box experience (OOBE).  
 This enables you to distribute shrink-wrapped devices to your employees or students.
 
 If you have either Windows 10 Professional or Windows 10 Enterprise installed on a device, the experience defaults to the setup process for company-owned devices.
@@ -47,16 +47,16 @@ In addition, if your tenant is federated, your Identity provider MUST support WS
 1. When you turn on your new device and start the setup process, you should see the  **Getting Ready** message. Follow the prompts to set up your device.
 1. Start by customizing your region and language. Then accept the Microsoft Software License Terms.
 
-    ![Customize for your region](./media/azuread-joined-devices-frx/01.png)
+    <!--![Customize for your region](./media/azuread-joined-devices-frx/01.png)-->
 
 1. Select the network you want to use for connecting to the Internet.
 1. Click **This device belongs to my organization**. 
 
-    ![Who owns this PC screen](./media/azuread-joined-devices-frx/02.png)
+    <!--![Who owns this PC screen](./media/azuread-joined-devices-frx/02.png)-->
 
 1. Enter the credentials that were provided to you by your organization, and then click **Sign in**.
 
-    ![Sign-in screen](./media/azuread-joined-devices-frx/03.png)
+    <!--![Sign-in screen](./media/azuread-joined-devices-frx/03.png)-->
 
 1. Your device locates a matching tenant in Azure AD. If you are in a federated domain, you are redirected to your on-premises Secure Token Service (STS) server, for example, Active Directory Federation Services (AD FS).
 1. If you are a user in a non-federated domain, enter your credentials directly on the Azure AD-hosted page. 

articles/active-directory/managed-identities-azure-resources/TOC.yml

@@ -121,6 +121,8 @@
     items:
     - name: PowerShell
       href: how-to-assign-app-role-managed-identity-powershell.md
+    - name: CLI
+      href: how-to-assign-app-role-managed-identity-cli.md
   - name: View managed identity activity
     href: how-to-view-managed-identity-activity.md
 

articles/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-cli.md

@@ -0,0 +1,109 @@
+---
+title: Assign a managed identity to an application role using Azure CLI - Azure AD
+description: Step-by-step instructions for assigning a managed identity access to another application's role, using Azure CLI.
+services: active-directory
+documentationcenter: 
+author: christoc
+manager:
+editor: 
+
+ms.service: active-directory
+ms.subservice: msi
+ms.devlang: na
+ms.topic: how-to
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.date: 11/03/2021
+ms.author: christoc
+ms.collection: M365-identity-device-management 
+ms.custom: devx-track-azurepowershell
+---
+
+# Assign a managed identity access to an application role using Azure CLI
+
+Managed identities for Azure resources provide Azure services with an identity in Azure Active Directory. They work without needing credentials in your code. Azure services use this identity to authenticate to services that support Azure AD authentication. Application roles provide a form of role-based access control, and allow a service to implement authorization rules.
+
+In this article, you learn how to assign a managed identity to an application role exposed by another application using Azure CLI.
+
+## Prerequisites
+
+- If you're unfamiliar with managed identities for Azure resources, check out the [overview section](overview.md). **Be sure to review the [difference between a system-assigned and user-assigned managed identity](overview.md#managed-identity-types)**.
+
+[!INCLUDE [azure-cli-prepare-your-environment-no-header.md](../../../includes/azure-cli-prepare-your-environment-no-header.md)]
+
+## Assign a managed identity access to another application's app role
+
+1. Enable managed identity on an Azure resource, [such as an Azure VM](qs-configure-cli-windows-vm.md).
+
+1. Find the object ID of the managed identity's service principal.
+
+   **For a system-assigned managed identity**, you can find the object ID on the Azure portal on the resource's **Identity** page. You can also use the following script to find the object ID. You'll need the resource ID of the resource you created in step 1, which is available in the Azure portal on the resource's **Properties** page.
+
+    ```azurecli
+    resourceIdWithManagedIdentity="/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.Compute/virtualMachines/{my virtual machine name}"
+    
+    oidForMI=$(az resource show --ids $resourceIdWithManagedIdentity --query "identity.principalId" -o tsv | tr -d '[:space:]')
+    echo "object id for managed identity is: $oidForMI"
+    ```
+
+    **For a user-assigned managed identity**, you can find the managed identity's object ID on the Azure portal on the resource's **Overview** page. You can also use the following script to find the object ID. You'll need the resource ID of the user-assigned managed identity.
+
+    ```azurecli
+    userManagedIdentityResourceId="/subscriptions/{my subscription ID}/resourceGroups/{my resource group name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{my managed identity name}"
+    
+    oidForMI=$(az resource show --id $userManagedIdentityResourceId --query "properties.principalId" -o tsv | tr -d '[:space:]')
+    echo "object id for managed identity is: $oidForMI"
+    ```
+
+1. Create a new application registration to represent the service that your managed identity will send a request to. If the API or service that exposes the app role grant to the managed identity already has a service principal in your Azure AD tenant, skip this step.
+
+1. Find the object ID of the service application's service principal. You can find this using the Azure portal. Go to Azure Active Directory and open the **Enterprise applications** page, then find the application and look for the **Object ID**. You can also find the service principal's object ID by its display name using the following script:
+
+    ```azurecli
+    appName="{name for your application}"
+    serverSPOID=$(az ad sp list --filter "displayName eq 'My App'" --query '[0].objectId' -o tsv | tr -d '[:space:]')
+    echo "object id for server service principal is: $serverSPOID"
+    ```
+
+    > [!NOTE]
+    > Display names for applications are not unique, so you should verify that you obtain the correct application's service principal.
+
+    Alternatively you can find the Object ID by the unique Application ID for your application registration:
+
+    ```azurecli
+    appID="{application id for your application}"
+    serverSPOID=$(az ad sp list --filter "appId eq '$appID'" --query '[0].objectId' -o tsv | tr -d '[:space:]')
+    echo "object id for server service principal is: $serverSPOID"
+    ```
+
+1. Add an [app role](../develop/howto-add-app-roles-in-azure-ad-apps.md) to the application you created in step 3. You can create the role using the Azure portal or using Microsoft Graph. For example, you could add an app role like this:
+
+    ```json
+    {
+        "allowedMemberTypes": [
+            "Application"
+        ],
+        "displayName": "Read data from MyApi",
+        "id": "0566419e-bb95-4d9d-a4f8-ed9a0f147fa6",
+        "isEnabled": true,
+        "description": "Allow the application to read data as itself.",
+        "value": "MyApi.Read.All"
+    }
+    ```
+
+1. Assign the app role to the managed identity. You'll need the following information to assign the app role:
+    * `managedIdentityObjectId`: the object ID of the managed identity's service principal, which you found in step 2.
+    * `serverServicePrincipalObjectId`: the object ID of the server application's service principal, which you found in step 4.
+    * `appRoleId`: the ID of the app role exposed by the server app, which you generated in step 5 - in the example, the app role ID is `0566419e-bb95-4d9d-a4f8-ed9a0f147fa6`.
+   
+   Execute the following script to add the role assignment.  Note that this functionality is not directly exposed on the Azure CLI and that a REST command is used here instead:
+
+    ```azurecli
+    roleguid="0566419e-bb95-4d9d-a4f8-ed9a0f147fa6"
+    az rest -m POST -u https://graph.microsoft.com/beta/servicePrincipals/$oidForMI/appRoleAssignments -b "{\"principalId\": \"$oidForMI\", \"resourceId\": \"$serverSPOID\",\"appRoleId\": \"$roleguid\"}"
+    ```
+
+## Next steps
+
+- [Managed identity for Azure resources overview](overview.md)
+- To enable managed identity on an Azure VM, see [Configure managed identities for Azure resources on an Azure VM using PowerShell](qs-configure-cli-windows-vm.md).

articles/aks/azure-files-volume.md

@@ -60,7 +60,7 @@ Make a note of the storage account name and key shown at the end of the script o
 
 Kubernetes needs credentials to access the file share created in the previous step. These credentials are stored in a [Kubernetes secret][kubernetes-secret], which is referenced when you create a Kubernetes pod.
 
-Use the `kubectl create secret` command to create the secret. The following example creates a shared named *azure-secret* and populates the *azurestorageaccountname* and *azurestorageaccountkey* from the previous step. To use an existing Azure storage account, provide the account name and key.
+Use the `kubectl create secret` command to create the secret. The following example creates a secret named *azure-secret* and populates the *azurestorageaccountname* and *azurestorageaccountkey* from the previous step. To use an existing Azure storage account, provide the account name and key.
 
 ```console
 kubectl create secret generic azure-secret --from-literal=azurestorageaccountname=$AKS_PERS_STORAGE_ACCOUNT_NAME --from-literal=azurestorageaccountkey=$STORAGE_KEY