Merge pull request #226050 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: v-ccolin

.openpublishing.redirection.azure-monitor.json

@@ -5701,6 +5701,11 @@
             "source_path_from_root": "/articles/azure-monitor/autoscale/autoscale-resource-log-schema.md",
             "redirect_url": "/azure/azure-monitor/autoscale/autoscale-diagnostics",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/alerts/proactive-performance-diagnostics.md",
+            "redirect_url": "https://azure.microsoft.com/updates/public-preview-alerts-based-smart-detection-for-application-insights/",
+            "redirect_document_id": false
         }
     ]
 }

articles/active-directory-domain-services/TOC.yml

@@ -109,6 +109,8 @@
           href: use-azure-monitor-workbooks.md
         - name: Secure remote access to VMs
           href: secure-remote-vm-access.md
+        - name: Security baseline
+          href: /security/benchmark/azure/baselines/azure-active-directory-domain-services-security-baseline?toc=/azure/active-directory-domain-services/TOC.json          
     - name: Domain-join VMs
       items:
         - name: Windows Server VM from template

articles/advisor/toc.yml

@@ -67,7 +67,7 @@
 - name: Reference
   items:
   - name: Security baseline
-    href: /security/benchmark/azure/baselines/advisor-security-baseline?toc=/azure/advisor/toc.json
+    href: /security/benchmark/azure/baselines/azure-advisor-security-baseline?toc=/azure/advisor/toc.json
   - name: Defender for Cloud
     href: https://azure.microsoft.com/services/security-center/
   - name: SQL Database Advisor

articles/analysis-services/TOC.yml

@@ -48,6 +48,10 @@
     href: analysis-services-datasource.md
   - name: Network connectivity FAQ
     href: analysis-services-network-faq.yml
+  - name: Security
+    items:
+    - name: Security baseline
+      href: /security/benchmark/azure/baselines/azure-analysis-services-security-baseline?toc=/azure/analysis-services/TOC.json
 - name: How-to
   items:
   - name: Server

articles/azure-app-configuration/TOC.yml

@@ -160,7 +160,7 @@
         - name: Security controls by Azure Policy
           href: ./security-controls-policy.md
         - name: Security baseline
-          href: /security/benchmark/azure/baselines/app-config-security-baseline?toc=/azure/azure-app-configuration/TOC.json
+          href: /security/benchmark/azure/baselines/azure-app-configuration-security-baseline?toc=/azure/azure-app-configuration/TOC.json
 - name: How-to guides
   items:
     - name: Use labels for per-environment configuration

articles/azure-arc/kubernetes/toc.yml

@@ -70,6 +70,10 @@
             href: use-gitops-with-helm.md
           - name: At-scale deployment of Flux v1 configurations using Azure Policy
             href: use-azure-policy.md
+  - name: Security
+    items:
+    - name: Security baseline
+      href: /security/benchmark/azure/baselines/azure-arc-enabled-kubernetes-security-baseline?toc=/azure/azure-arc/kubernetes/toc.json
   - name: Frequently Asked Questions
     href: faq.md
 - name: How-to guides

articles/azure-arc/network-requirements-consolidated.md

@@ -1,7 +1,7 @@
 ---
 title: Azure Arc network requirements
 description: A consolidated list of network requirements for Azure Arc features and Azure Arc-enabled services. Lists endpoints, ports, and protocols.
-ms.date: 01/30/2023
+ms.date: 02/01/2023
 ms.topic: reference
 ---
 
@@ -13,7 +13,7 @@ This article lists the endpoints, ports, and protocols required for Azure Arc-en
 
 ## Azure Arc-enabled Kubernetes endpoints
 
-Connectivity to the Arc Kubernetes-based endpoints is required for all Kubernetes based Arc offerings, including:
+Connectivity to the Arc Kubernetes-based endpoints is required for all Kubernetes-based Arc offerings, including:
 
 - Azure Arc-enabled Kubernetes
 - Azure Arc-enabled App services
@@ -26,7 +26,7 @@ For an example, see [Quickstart: Connect an existing Kubernetes cluster to Azure
 
 ## Azure Arc-enabled data services
 
-This section describes additional requirements specific to Azure Arc-enabled data services, in addition to the Arc-enabled Kubernetes endpoints listed above.
+This section describes requirements specific to Azure Arc-enabled data services, in addition to the Arc-enabled Kubernetes endpoints listed above.
 
 [!INCLUDE [network-requirements](data/includes/network-requirements.md)]
 
@@ -49,26 +49,33 @@ For examples, see [Connected Machine agent network requirements](servers/network
 
 ## Azure Arc resource bridge (preview)
 
-This section describes additional networking requirements specific to deploying Azure Arc resource bridge (preview) in your enterprise. These additional requirements also apply to Azure Arc-enabled VMware vSphere (preview) and Azure Arc-enabled System Center Virtual Machine Manager (preview).
+This section describes additional networking requirements specific to deploying Azure Arc resource bridge (preview) in your enterprise. These requirements also apply to Azure Arc-enabled VMware vSphere (preview) and Azure Arc-enabled System Center Virtual Machine Manager (preview).
 
 [!INCLUDE [network-requirements](resource-bridge/includes/network-requirements.md)]
 
 ## Azure Arc-enabled System Center Virtual Machine Manager (preview)
 
-Azure Arc-enabled System Center Virtual Machine Manager (SCVMM) requires the connectivity described below:
+Azure Arc-enabled System Center Virtual Machine Manager (SCVMM) also requires:
 
 | **Service** | **Port** | **URL** | **Direction** | **Notes**|
 | --- | --- | --- | --- | --- |
 | SCVMM management Server | 443 | URL of the SCVMM management server | Appliance VM IP and control plane endpoint need outbound connection. | Used by the SCVMM server to communicate with the Appliance VM and the control plane. |
 
-
 For more information, see [Overview of Arc-enabled System Center Virtual Machine Manager (preview)](system-center-virtual-machine-manager/overview.md).
+
 ## Azure Arc-enabled VMware vSphere (preview)
 
-Azure Arc-enabled VMware vSphere requires the connectivity described below:
+Azure Arc-enabled VMware vSphere also requires:
 
 | **Service** | **Port** | **URL** | **Direction** | **Notes**|
 | --- | --- | --- | --- | --- |
 | vCenter Server | 443 | URL of the vCenter server  | Appliance VM IP and control plane endpoint need outbound connection. | Used to by the vCenter server to communicate with the Appliance VM and the control plane.|
 
-For more information, see [Support matrix for Azure Arc-enabled VMware vSphere (preview)](vmware-vsphere/support-matrix-for-arc-enabled-vmware-vsphere.md).
+For more information, see [Support matrix for Azure Arc-enabled VMware vSphere (preview)](vmware-vsphere/support-matrix-for-arc-enabled-vmware-vsphere.md).
+
+## Additional endpoints
+
+Depending on your scenario, you may need connectivity to other URLs, such as those used by the Azure portal, management tools, or other Azure services. In particular, review these lists to ensure that you allow connectivity to any necessary endpoints:
+
+- [Azure portal URLs](../azure-portal/azure-portal-safelist-urls.md)
+- [Azure CLI endpoints for proxy bypass](/cli/azure/azure-cli-endpoints)

articles/azure-arc/servers/toc.yml

@@ -39,6 +39,8 @@
          href: security-overview.md
        - name: Private Link networking
          href: private-link-security.md
+       - name: Security baseline
+         href: /security/benchmark/azure/baselines/azure-arc-enabled-servers-security-baseline?toc=/azure/azure-arc/servers/toc.json
 - name: How-to guides
   items:
   - name: Deploy

articles/azure-government/documentation-government-overview-jps.md

@@ -6,7 +6,7 @@ ms.topic: article
 author: stevevi
 ms.author: stevevi
 recommendations: false
-ms.date: 10/30/2022
+ms.date: 02/01/2023
 ---
 
 # Azure for public safety and justice
@@ -95,6 +95,27 @@ Microsoft enables you to protect your data throughout its entire lifecycle: at r
 
 Technologies like [Intel Software Guard Extensions](https://software.intel.com/sgx) (Intel SGX), or [AMD Secure Encrypted Virtualization](https://www.amd.com/en/processors/amd-secure-encrypted-virtualization) (SEV-SNP) are recent CPU improvements supporting confidential computing implementations. These technologies are designed as virtualization extensions and provide feature sets including memory encryption and integrity, CPU-state confidentiality and integrity, and attestation. For more information, see [Azure confidential computing](../confidential-computing/index.yml) documentation.
 
+## Multi-factor authentication (MFA)
+
+The CJIS Security Policy v5.9.2 revised multi-factor authentication (MFA) requirements for CJI protection. MFA requires the use of two or more different factors defined as follows:
+
+- Something you know, for example, username/password or personal identification number (PIN)
+- Something you have, for example, a hard token such as a cryptographic key stored on or a one-time password (OTP) transmitted to a specialized hardware device
+- Something you are, for example, biometric information
+
+According to the CJIS Security Policy, identification and authentication of organizational users requires MFA to privileged and non-privileged accounts as part of CJI access control requirements. MFA is required at Authenticator Assurance Level 2 (AAL2), as described in the National Institute of Standards and Technology (NIST) [SP 800-63](https://pages.nist.gov/800-63-3/sp800-63-3.html) *Digital Identity Guidelines*. Authenticators and verifiers operated at AAL2 shall be validated to meet the requirements of FIPS 140 Level 1.
+
+The [Microsoft Authenticator app](../active-directory/authentication/concept-authentication-authenticator-app.md) provides an extra level of security to your Azure Active Directory (Azure AD) account. It's available on mobile phones running Android and iOS. With the Microsoft Authenticator app, you can provide secondary verification for MFA scenarios to meet your CJIS Security Policy MFA requirements. As mentioned previously, CJIS Security Policy requires that solutions for hard tokens use cryptographic modules validated at FIPS 140 Level 1. The Microsoft Authenticator app meets FIPS 140 Level 1 validation requirements for all Azure AD authentications, as explained in [Authentication methods in Azure Active Directory - Microsoft Authenticator app](../active-directory/authentication/concept-authentication-authenticator-app.md#fips-140-compliant-for-azure-ad-authentication). FIPS 140 compliance for Microsoft Authenticator is currently in place for iOS and in progress for Android.
+
+Moreover, Azure can help you meet and **exceed** your CJIS Security Policy MFA requirements by supporting the highest Authenticator Assurance Level 3 (AAL3). According to [NIST SP 800-63B Section 4.3](https://pages.nist.gov/800-63-3/sp800-63b.html#sec4), multi-factor **authenticators** used at AAL3 shall rely on hardware cryptographic modules validated at FIPS 140 Level 2 overall with at least FIPS 140 Level 3 for physical security, which exceeds the CJIS Security Policy MFA requirements. **Verifiers** at AAL3 shall be validated at FIPS 140 Level 1 or higher.
+
+Azure Active Directory (Azure AD) supports both authenticator and verifier NIST SP 800-63B AAL3 requirements:
+
+- **Authenticator requirements:** FIDO2 security keys, smartcards, and Windows Hello for Business can help you meet AAL3 requirements, including the underlying FIPS 140 validation requirements. Azure AD support for NIST SP 800-63B AAL3 **exceeds** the CJIS Security Policy MFA requirements.
+- **Verifier requirements:** Azure AD uses the [Windows FIPS 140 Level 1](/windows/security/threat-protection/fips-140-validation) overall validated cryptographic module for all its authentication related cryptographic operations. It is therefore a FIPS 140 compliant verifier.
+
+For more information, see [Azure NIST SP 800-63 documentation](/azure/compliance/offerings/offering-nist-800-63).
+
 ## Restrictions on insider access
 
 Insider threat is characterized as potential for providing back-door connections and cloud service provider (CSP) privileged administrator access to your systems and data. For more information on how Microsoft restricts insider access to your data, see [Restrictions on insider access](./documentation-government-plan-security.md#restrictions-on-insider-access).