Merge pull request #219141 from MicrosoftDocs/main

11/21 AM Publish

Author: huypub

articles/active-directory/conditional-access/workload-identity.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: how-to
-ms.date: 03/25/2022
+ms.date: 11/21/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -56,7 +56,7 @@ Create a location based Conditional Access policy that applies to service princi
 
 ### Create a risk-based Conditional Access policy
 
-Create a location based Conditional Access policy that applies to service principals.
+Create a risk-based Conditional Access policy that applies to service principals.
 
 :::image type="content" source="media/workload-identity/conditional-access-workload-identity-risk-policy.png" alt-text="Creating a Conditional Access policy with a workload identity and risk as a condition." lightbox="media/workload-identity/conditional-access-workload-identity-risk-policy.png":::
 

articles/active-directory/develop/msal-logging-js.md

@@ -29,6 +29,8 @@ The loggerOptions object has the following properties:
 - `piiLoggingEnabled` (optional): if set to true, logs personal and organizational data. By default this is false so that your application doesn't log personal data. Personal data logs are never written to default outputs like Console, Logcat, or NSLog.
 
 ```javascript
+import msal from "@azure/msal-browser"
+
 const msalConfig = {
     auth: {
         clientId: "enter_client_id_here",
@@ -47,35 +49,30 @@ const msalConfig = {
     },
     system: {
         loggerOptions: {
-            loggerCallback: (level: LogLevel, message: string, containsPii: boolean): void => {
+            logLevel: msal.LogLevel.Verbose,
+            loggerCallback: (level, message, containsPii) => {
                 if (containsPii) {
                     return;
                 }
                 switch (level) {
-                    case LogLevel.Error:
+                    case msal.LogLevel.Error:
                         console.error(message);
                         return;
-                    case LogLevel.Info:
+                    case msal.LogLevel.Info:
                         console.info(message);
                         return;
-                    case LogLevel.Verbose:
+                    case msal.LogLevel.Verbose:
                         console.debug(message);
                         return;
-                    case LogLevel.Warning:
+                    case msal.LogLevel.Warning:
                         console.warn(message);
                         return;
                 }
             },
             piiLoggingEnabled: false
         },
-        windowHashTimeout: 60000,
-        iframeHashTimeout: 6000,
-        loadFrameTimeout: 0,
-        asyncPopups: false
-    };
-}
-
-const msalInstance = new PublicClientApplication(msalConfig);
+    },
+};
 ```
 
 ## Next steps

articles/active-directory/develop/msal-migration.md

@@ -29,6 +29,16 @@ If any of your applications use the Azure Active Directory Authentication Librar
 
 ## Why switch to MSAL?
 
+To understand 'Why MSAL?', it's important to first understand the differences between Microsoft identity platform (v2.0) and Azure Active Directory (v1.0) endpoints. The v1.0 endpoint is used by Azure AD Authentication Library (ADAL) while the v2.0 endpoint is used by Microsoft Authentication Library (MSAL). If you've developed apps against the v1.0 endpoint in the past, you're likely using ADAL. Since the v2.0 endpoint has changed significantly enough, the new library (MSAL) was built for the new endpoint entirely. 
+
+The following diagram shows the v2.0 vs v1.0 endpoint experience at a high level, including the app registration experience, SDKs, endpoints, and supported identities.
+
+![Diagram that shows the v1.0 versus the v2.0 architecture.](../azuread-dev/media/about-microsoft-identity-platform/about-microsoft-identity-platform.svg)
+
+MSAL leverages all the [benefits of Microsoft identity platform (v2.0) endpoint](../azuread-dev/azure-ad-endpoint-comparison.md).
+
+MSAL is designed to enable a secure solution without developers having to worry about the implementation details. it simplifies and manages acquiring, managing, caching, and refreshing tokens, and uses best practices for resilience. We recommend you use MSAL to [increase the resilience of authentication and authorization in client applications that you develop](../fundamentals/resilience-client-app.md?tabs=csharp#use-the-microsoft-authentication-library-msal).
+
 MSAL provides multiple benefits over ADAL, including the following features: 
 
 |Features|MSAL|ADAL|
@@ -46,6 +56,13 @@ MSAL provides multiple benefits over ADAL, including the following features:
 | Proactive token renewal |![Proactive token renewal - MSAL provides the feature][y]|![Proactive token renewal - ADAL doesn't provide the feature][n]|
 | Throttling |![Throttling - MSAL provides the feature][y]|![Throttling - ADAL doesn't provide the feature][n]|
 
+## Additional Capabilities of MSAL over ADAL
+- Auth broker support – Device-based Conditional Access policy
+- Proof of possession tokens
+- Azure AD certificate-based authentication (CBA) on mobile
+- System browsers on mobile devices
+- Where ADAL had only authentication context class, MSAL exposes the notion of a collection of client apps (public client and confidential client).
+
 ## AD FS support in MSAL.NET
 
 You can use MSAL.NET, MSAL Java, and MSAL Python to get tokens from Active Directory Federation Services (AD FS) 2019 or later. Earlier versions of AD FS, including AD FS 2016, are unsupported by MSAL.
@@ -61,6 +78,15 @@ After identifying your apps that use ADAL, migrate them to MSAL depending on you
 
 [!INCLUDE [application type](includes/adal-msal-migration.md)]
 
+MSAL Supports a wide range of application types and scenarios. Please refer to [Microsoft Authentication Library support for several application types](reference-v2-libraries.md#single-page-application-spa).
+
+ADAL to MSAL Migration Guide for different platforms are available in the following link.
+- [Migrate to MSAL iOS and MacOS](migrate-objc-adal-msal.md)
+- [Migrate to MSAL Java](migrate-adal-msal-java.md)
+- [Migrate to MSAL .Net](msal-net-migration.md)
+- [Migrate to MSAL Node](msal-node-migration.md)
+- [Migrate to MSAL Python](migrate-python-adal-msal.md)   
+
 ## Migration help
 
 If you have questions about migrating your app from ADAL to MSAL, here are some options:
@@ -82,4 +108,4 @@ For more information about MSAL, including usage information and which libraries
  ![X indicating no.][n] | ![Green check mark.][y] | ![Green check mark.][y] | -- |
 -->
 [y]: media/common/yes.png
-[n]: media/common/no.png
+[n]: media/common/no.png

articles/active-directory/develop/tutorial-v2-javascript-spa.md

@@ -165,7 +165,7 @@ sampleApp/
 In the next steps, you'll create a new folder for the JavaScript SPA and set up the user interface (UI).
 
 > [!TIP]
-> When you set up an Azure Active Directory (Azure AD) account, you create a tenant. This is a digital representation of your organization. It's primarily associated with a domain, like Microsoft.com. If you want to learn how applications can work with multiple tenants, refer to the [application model](/articles/active-directory/develop/application-model.md).
+> When you set up an Azure Active Directory (Azure AD) account, you create a tenant. This is a digital representation of your organization. It's primarily associated with a domain, like Microsoft.com. If you want to learn how applications can work with multiple tenants, refer to the [application model](/azure/active-directory/develop/application-model).
 
 ## Create the SPA UI
 

articles/active-directory/develop/tutorial-v2-shared-device-mode.md

@@ -155,7 +155,7 @@ private void loadAccount()
       }
     }
     @Override
-    public void on AccountChanged(@Nullable IAccount priorAccount, @Nullable Iaccount currentAccount)
+    public void onAccountChanged(@Nullable IAccount priorAccount, @Nullable Iaccount currentAccount)
     {
       if (currentAccount == null)
       {

articles/aks/integrations.md

@@ -53,7 +53,7 @@ Both extensions and add-ons are supported ways to add functionality to your AKS
 
 ## GitHub Actions
 
-GitHub Actions helps you automate your software development workflows from within GitHub. For more details on using GitHub Actions with Azure, see [What is GitHub Actions for Azures][github-actions]. For an example of using GitHub Actions with an AKS cluster, see [Build, test, and deploy containers to Azure Kubernetes Service using GitHub Actions][github-actions-aks].
+GitHub Actions helps you automate your software development workflows from within GitHub. For more details on using GitHub Actions with Azure, see [What is GitHub Actions for Azure][github-actions]. For an example of using GitHub Actions with an AKS cluster, see [Build, test, and deploy containers to Azure Kubernetes Service using GitHub Actions][github-actions-aks].
 
 ## Open source and third-party integrations
 

articles/automation/automation-hybrid-runbook-worker.md

@@ -3,7 +3,7 @@ title: Azure Automation Hybrid Runbook Worker overview
 description: Know about Hybrid Runbook Worker. How to install and run the  runbooks on machines in your local datacenter or cloud provider.
 services: automation
 ms.subservice: process-automation
-ms.date: 11/11/2021
+ms.date: 11/09/2022
 ms.topic: conceptual 
 ms.custom: devx-track-azurepowershell
 ---
@@ -21,21 +21,18 @@ Azure Automation provides native integration of the Hybrid Runbook Worker role t
 
 :::image type="content" source="./media/automation-hybrid-runbook-worker/hybrid-worker-group-platform-inline.png" alt-text="Screenshot of hybrid worker group showing platform field." lightbox="./media/automation-hybrid-runbook-worker/hybrid-worker-group-platform-expanded.png":::
 
-Here's a list of benefits available with the extension-based Hybrid Runbook Worker role:
-
-| Benefit | Description |
-|---|---|
-|Seamless onboarding| Removes dependency on a Log Analytics solution for onboarding Hybrid Runbook Workers, which is a multi-step process, is time consuming, and error-prone. |
-|Unified onboarding experience| Installation is managed using the same supported methods for Azure and non-Azure machines. |
-|Ease of Manageability| Native integration with ARM identity for Hybrid Runbook Worker and provides the flexibility for governance at scale through policies and templates. |
-|Azure AD-based authentication| Uses VM system assigned-identities provided by Azure AD. This centralizes control and management of identities and resource credentials.|
-
 For Hybrid Runbook Worker operations after installation, the process of executing runbooks on Hybrid Runbook Workers is the same. The purpose of the extension-based approach is to simplify the installation and management of the Hybrid Runbook Worker role and remove the complexity working with the agent-based version. The new extension-based installation doesn't affect the installation or management of an agent-based Hybrid Runbook Worker role. Both Hybrid Runbook Worker types can co-exist on the same machine.
 
 The extension-based Hybrid Runbook Worker only supports the user Hybrid Runbook Worker type, and doesn't include the system Hybrid Runbook Worker required for the Update Management feature.
 
->[!NOTE]
-> PowerShell support to install the extension-based Hybrid Runbook Worker is not supported at this time.
+## Benefits of extension-based User Hybrid Workers
+The extension-based approach greatly simplifies the installation and management of the User Hybrid Runbook Worker, removing the complexity of working with the agent-based approach. Here are some key benefits:
+- **Seamless onboarding** – The Agent-based approach for onboarding Hybrid Runbook worker is dependent on the Log Analytics agent, which is a multi-step, time-consuming, and error-prone process. The extension-based approach is no longer dependent on the Log Analytics agent. 
+- **Ease of Manageability** – It offers native integration with ARM identity for Hybrid Runbook Worker and provides the flexibility for governance at scale through policies and templates.
+- **Azure Active Directory based authentication** – It uses a VM system-assigned managed identities provided by Azure Active Directory. This centralizes control and management of identities and resource credentials.
+- **Unified experience** – It offers an identical experience for managing Azure and off-Azure Arc-enabled machines.
+- **Multiple onboarding channels** – You can choose to onboard and manage extension-based workers through the Azure portal, PowerShell cmdlets, Bicep, ARM templates, REST API and Azure CLI. You can also install the extension on an existing Azure VM or Arc-enabled server within the Azure portal experience of that machine through the Extensions blade.
+- **Default Automatic upgrade** – It offers Automatic upgrade of minor versions by default, significantly reducing the manageability of staying updated on the latest version. We recommend enabling Automatic upgrades to take advantage of any security or feature updates without the manual overhead. You can also opt out of automatic upgrades at any time. Any major version upgrades are currently not supported and should be managed manually.
 
 ## Runbook Worker types
 
@@ -75,6 +72,15 @@ A Hybrid Runbook Worker doesn't have many of the [Azure sandbox](automation-runb
 
 To control the distribution of runbooks on Hybrid Runbook Workers and when or how the jobs are triggered, you can register the hybrid worker against different Hybrid Runbook Worker groups within your Automation account. Target the jobs against the specific group or groups in order to support your execution arrangement.
 
+## Common Scenarios for User Hybrid Runbook Workers
+
+- To execute Azure Automation runbooks for in-guest VM management directly on an existing Azure virtual machine (VM) and off-Azure server registered as Azure Arc-enabled server or Azure Arc-enabled VMware VM (preview). Azure Arc-enabled servers can be Windows and Linux physical servers and virtual machines hosted outside of Azure, on your corporate network, or other cloud providers. 
+- To overcome the Azure Automation sandbox limitation - the common scenarios include executing long-running operations beyond three-hour limit for cloud jobs, performing resource-intensive automation operations, interacting with local services running on-premises or in hybrid environment, run scripts that require elevated permissions.
+- To overcome organization restrictions to keep data in Azure for governance and security reasons - as you cannot execute Automation jobs on the cloud, you can run it on an on-premises machine that is onboarded as a User Hybrid Runbook Worker.
+- To automate operations on multiple —Off-Azure resources running on-premises or multicloud environments. You can onboard one of those machines as a User Hybrid Runbook Worker and target automation on the remaining machines in the local environment.
+- To access other services privately from the Azure Virtual Network (VNet) without opening an outbound internet connection, you can execute runbooks on a Hybrid Worker connected to the Azure VNet.
+
+
 ## Hybrid Runbook Worker installation
 
 The process to install a user Hybrid Runbook Worker depends on the operating system. The table below defines the deployment types.

articles/automation/automation-linux-hrw-install.md

@@ -17,12 +17,11 @@ The Linux Hybrid Runbook Worker executes runbooks as a special user that can be
 After you successfully deploy a runbook worker, review [Run runbooks on a Hybrid Runbook Worker](automation-hrw-run-runbooks.md) to learn how to configure your runbooks to automate processes in your on-premises datacenter or other cloud environment.
 
 > [!NOTE]
-> A hybrid worker can co-exist with both platforms: **Agent based (V1)** and **Extension based (V2)**. If you install Extension based (V2) on a hybrid worker already running Agent based (V1), then you would see two entries of the Hybrid Runbook Worker in the group. One with Platform Extension based (V2) and the other Agent based (V1). [**Learn more**](./extension-based-hybrid-runbook-worker-install.md#install-extension-based-v2-on-existing-agent-based-v1-hybrid-worker).
-
+> A hybrid worker can co-exist with both platforms: **Agent based (V1)** and **Extension based (V2)**. If you install Extension based (V2) on a hybrid worker already running Agent based (V1), then you would see two entries of the Hybrid Runbook Worker in the group. One with Platform Extension based (V2) and the other Agent based (V1). [**Learn more**](./extension-based-hybrid-runbook-worker-install.md#migrate-an-existing-agent-based-to-extension-based-hybrid-workers).
 
 ## Prerequisites
 
-Before you start, make sure that you have the following.
+Before you start, make sure that you've the following.
 
 ### A Log Analytics workspace
 
@@ -162,7 +161,7 @@ To install and configure a Linux Hybrid Runbook Worker, perform the following st
 
       - Using Azure Policy.
 
-        Using this approach, you use the Azure Policy [Deploy Log Analytics agent to Linux or Windows Azure Arc machines](../governance/policy/samples/built-in-policies.md#monitoring) built-in policy definition to audit if the Arc-enabled server has the Log Analytics agent installed. If the agent isn't installed, it automatically deploys it using a remediation task. If you plan to monitor the machines with Azure Monitor for VMs, instead use the [Enable Azure Monitor for VMs](../governance/policy/samples/built-in-initiatives.md#monitoring) initiative to install and configure the Log Analytics agent.
+        Using this approach, you use the Azure Policy [Deploy Log Analytics agent to Linux or Microsoft Azure Arc machines](../governance/policy/samples/built-in-policies.md#monitoring) built-in policy definition to audit if the Arc-enabled server has the Log Analytics agent installed. If the agent isn't installed, it automatically deploys it using a remediation task. If you plan to monitor the machines with Azure Monitor for VMs, instead use the [Enable Azure Monitor for VMs](../governance/policy/samples/built-in-initiatives.md#monitoring) initiative to install and configure the Log Analytics agent.
 
       We recommend installing the Log Analytics agent for Windows or Linux using Azure Policy.