Merge branch 'MicrosoftDocs:main' into CIAM-rename

Author: cilwerner

articles/active-directory/governance/index.yml

@@ -30,8 +30,10 @@ landingContent:
             url: https://www.youtube.com/watch?v=bFfowdpApu4&list=PLQXpv_NQsPIBg3op2xONM9KgwlayFDue6
       - linkListType: reference
         links:
+          - text: Microsoft Entra ID Governance licensing fundamentals
+            url: licensing-fundamentals.md
           - text: Identity Governance dashboard (Preview)
-            url: governance-dashboard.md      
+            url: governance-dashboard.md            
 
   # Card
   - title: Govern the lifecycle of access to groups, apps, and sites

articles/defender-for-cloud/adaptive-application-controls.md

@@ -4,7 +4,7 @@ description: This document helps you use adaptive application control in Microso
 author: dcurwin
 ms.author: dacurwin
 ms.topic: how-to
-ms.date: 06/14/2023
+ms.date: 08/09/2023
 
 ---
 # Use adaptive application controls to reduce your machines' attack surfaces
@@ -114,14 +114,16 @@ To edit the rules for a group of machines:
 
       ![Add a custom rule.](./media/adaptive-application/adaptive-application-add-custom-rule.png)
 
-   1. If you're defining a known safe path, change the **Rule type** to 'Path' and enter a single path. You can include wildcards in the path.
-
+   1. If you're defining a known safe path, change the **Rule type** to 'Path' and enter a single path. You can include wildcards in the path. The following screens show some examples of how to use wildcards.
+   
+       :::image type="content" source="media/adaptive-application/wildcard-examples.png" alt-text="Screenshot that shows examples of using wildcards." lightbox="media/adaptive-application/wildcard-examples.png":::
+   
       > [!TIP]
       > Some scenarios for which wildcards in a path might be useful:
       >
       > - Using a wildcard at the end of a path to allow all executables within this folder and sub-folders.
       > - Using a wildcard in the middle of a path to enable a known executable name with a changing folder name (for example, personal user folders containing a known executable, automatically generated folder names, etc).
-  
+
    1. Define the allowed users and protected file types.
 
    1. When you've finished defining the rule, select **Add**.

articles/defender-for-cloud/media/adaptive-application/wildcard-examples.png

@@ -1,24 +1,24 @@
 ---
-title: Manage secrets with agentless secret scanning
+title: Manage secrets with agentless secret scanning (preview)
 description: Learn how to scan your servers for secrets with Defender for Server's agentless secret scanning.
 ms.topic: overview
-ms.date: 07/18/2023
+ms.date: 08/15/2023
 ---
 
-# Manage secrets with agentless secret scanning
+# Manage secrets with agentless secret scanning (preview)
 
 Attackers can move laterally across networks, find sensitive data, and exploit vulnerabilities to damage critical information systems by accessing internet-facing workloads and exploiting exposed credentials and secrets.
 
 Defender for Cloud's agentless secret scanning for Virtual Machines (VM) locates plaintext secrets that exist in your environment. If secrets are detected, Defender for Cloud can assist your security team to prioritize and take actionable remediation steps to minimize the risk of lateral movement, all without affecting your machine's performance.
 
 By using agentless secret scanning, you can proactively discover the following types of secrets across your environments:
 
-- **Insecure SSH private keys** - supports RSA algorithm for PuTTy files, PKCS#8 and PKCS#1 standards
-- **Plaintext Azure SQL connection strings** - supports SQL PAAS
-- **Plaintext Azure storage account connection strings**
-- **Plaintext Azure storage account SAS tokens**
-- **Plaintext AWS access keys**
-- **Plaintext AWS RDS SQL connection string** -supports SQL PAAS
+- **Insecure SSH private keys (Azure, AWS, GCP)** - supports RSA algorithm for PuTTy files, PKCS#8 and PKCS#1 standards
+- **Plaintext Azure SQL connection strings (Azure, AWS)** - supports SQL PAAS
+- **Plaintext Azure storage account connection strings (Azure, AWS)**
+- **Plaintext Azure storage account SAS tokens (Azure, AWS)**
+- **Plaintext AWS access keys (Azure, AWS)**
+- **Plaintext AWS RDS SQL connection string (Azure, AWS)** -supports SQL PAAS
 
 In addition to detecting SSH private keys, the agentless scanner verifies whether they can be used to move laterally in the network. Keys that we didn't successfully verify are categorized as **unverified** in the **Recommendation** pane.
 
@@ -68,6 +68,12 @@ Agentless secret scanning for AWS instances supports the following attack path s
 
 - `Vulnerable EC2 instance has insecure secrets that are used to authenticate to an AWS RDS server`.
 
+### GCP instances supported attack path scenarios
+
+Agentless secret scanning for GCP VM instances supports the following attack path scenarios:
+
+- `Exposed Vulnerable GCP VM instance has an insecure SSH private key that is used to authenticate to a GCP VM instance`.
+
 **To investigate secrets with Attack path**:
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
@@ -88,6 +94,8 @@ If a secret is found on your resource, that resource triggers an affiliated reco
 
 - **AWS resources**: `EC2 instances should have secret findings resolved`
 
+- **GCP resources**: `VM instances should have secret findings resolved`
+
 **To remediate secrets from the recommendations page**:
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
@@ -101,6 +109,7 @@ If a secret is found on your resource, that resource triggers an affiliated reco
     - **Azure resources**: `Machines should have secrets findings resolved`
 
     - **AWS resources**: `EC2 instances should have secret findings resolved`
+    - **GCP resources**: `VM instances should have secret findings resolved`
 
         :::image type="content" source="media/secret-scanning/recommendation-findings.png" alt-text="Screenshot that shows either of the two results under the Remediate vulnerabilities security control." lightbox="media/secret-scanning/recommendation-findings.png":::
 
@@ -130,9 +139,9 @@ The [cloud security explorer](concept-attack-path.md#what-is-cloud-security-expl
 
 1. Select one of the following templates:
 
-    - **VM with plaintext secret that can authenticate to another VM** - Returns all Azure VMs or AWS EC2 instances with plaintext secret that can access other VMs or EC2s.
-    - **VM with plaintext secret that can authenticate to a storage account** - Returns all Azure VMs or AWS EC2 instances with plaintext secret that can access storage accounts.
-    - **VM with plaintext secret that can authenticate to a SQL database** - Returns all Azure VMs or AWS EC2 instances with plaintext secret that can access SQL databases.
+    - **VM with plaintext secret that can authenticate to another VM** - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access other VMs or EC2s.
+    - **VM with plaintext secret that can authenticate to a storage account** - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access storage accounts.
+    - **VM with plaintext secret that can authenticate to a SQL database** - Returns all Azure VMs, AWS EC2 instances, or GCP VM instances with plaintext secret that can access SQL databases.
 
 If you don't want to use any of the available templates, you can also [build your own query](how-to-manage-cloud-security-explorer.md) on the cloud security explorer.
 

articles/defender-for-cloud/secret-scanning.md

@@ -6,8 +6,8 @@ author: halkazwini
 ms.author: halkazwini
 ms.service: network-watcher
 ms.topic: how-to
-ms.date: 07/25/2023
-ms.custom: template-how-to, devx-track-azurepowershell, devx-track-azurecli, engagement-fy23
+ms.date: 08/15/2023
+ms.custom: devx-track-azurepowershell, devx-track-azurecli
 ---
 
 # Diagnose network security rules
@@ -817,11 +817,11 @@ Use [az group delete](/cli/azure/group#az-group-delete) to remove the resource g
 
 ```azurecli-interactive
 # Delete the resource group and all the resources it contains. 
-az group delete --name myResourceGroup --yes --no-wait
+az group delete --name 'myResourceGroup' --yes --no-wait
 ```
 
 ---
 
 ## Next steps
 - To learn about other Network Watcher tools, see [Azure Network Watcher overview](network-watcher-monitoring-overview.md).
-- To learn how to troubleshoot virtual machine routing problems, see [Diagnose a virtual machine network routing problem](diagnose-vm-network-routing-problem.md).
+- To learn how to troubleshoot virtual machine routing problems, see [Diagnose a virtual machine network routing problem](diagnose-vm-network-routing-problem.md).

articles/network-watcher/diagnose-network-security-rules.md

@@ -30,7 +30,7 @@ The following regions currently support availability zones:
 |---|---|---|---|---|
 | Brazil South | France Central | Qatar Central | South Africa North | Australia East |
 | Canada Central | Italy North* | UAE North | | Central India |
-| Central US |  Germany West Central | | | Japan East |
+| Central US |  Germany West Central | Israel Central* | | Japan East |
 | East US | Norway East | | | Korea Central |
 | East US 2 | North Europe  | | | Southeast Asia |
 | South Central US | UK South | | | East Asia |

articles/reliability/availability-zones-service-support.md

@@ -10,7 +10,7 @@
 ---
 
 
-This section contains recommendations for achieving resiliency and availability for your Azure Virtual Machines.  All recommendations fall into one of two categories:
+This section contains recommendations for achieving resiliency and availability.  Each recommendation falls into one of two categories:
 
 - **Health items** cover areas such as configuration items and the proper function of the major components that make up your Azure Workload, such as Azure Resource configuration settings, dependencies on other services, and so on.
 

articles/reliability/includes/reliability-recommendations-include.md

@@ -11,7 +11,7 @@ ms.author: cherylmc
 ---
 # How to configure BGP for Azure VPN Gateway
 
-This article helps you enable BGP on cross-premises site-to-site (S2S) VPN connections and VNet-to-VNet connections using the Azure portal. This article helps you enable BGP on cross-premises site-to-site (S2S) VPN connections and VNet-to-VNet connections using Azure PowerShell. You can also create this configuration using the [Azure portal](bgp-howto.md) or [PowerShell](vpn-gateway-bgp-resource-manager-ps.md) steps.
+This article helps you enable BGP on cross-premises site-to-site (S2S) VPN connections and VNet-to-VNet connections using the Azure portal. You can also create this configuration using the [Azure CLI](bgp-how-to-cli.md) or [PowerShell](vpn-gateway-bgp-resource-manager-ps.md) steps.
 
 BGP is the standard routing protocol commonly used in the Internet to exchange routing and reachability information between two or more networks. BGP enables the VPN gateways and your on-premises VPN devices, called BGP peers or neighbors, to exchange "routes" that will inform both gateways on the availability and reachability for those prefixes to go through the gateways or routers involved. BGP can also enable transit routing among multiple networks by propagating routes a BGP gateway learns from one BGP peer to all other BGP peers.
 
@@ -155,15 +155,15 @@ In this step, you create a new connection that has BGP enabled. If you already h
 #### To create a connection
 
 1. To create a new connection, go to your virtual network gateway **Connections** page.
-1. Click **+Add** to open the **Add a connection page**.
+1. Select **+Add** to open the **Add a connection page**.
 1. Fill in the necessary values.
 1. Select **Enable BGP** to enable BGP on this connection.
-1. Click **OK** to save changes.
+1. Select **OK** to save changes.
 
 #### To update an existing connection
 
 1. Go to your virtual network gateway **Connections** page.
-1. Click the connection you want to modify.
+1. Select the connection you want to modify.
 1. Go to the **Configuration** page for the connection.
 1. Change the **BGP** setting to **Enabled**.
 1. **Save** your changes.