Commit b1a5e86

Merge pull request #274359 from MicrosoftDocs/main
Publish to live, Monday 4 AM PST, 5/6
2 parents 9a291bc + 7108033 commit b1a5e86

60 files changed

+1047
-365
lines changed

articles/active-directory-b2c/add-captcha.md

Lines changed: 5 additions & 5 deletions
@@ -5,7 +5,7 @@ author: kengaderdus
55
manager: mwongerapk
66
ms.service: active-directory
77
ms.topic: how-to
8-
ms.date: 03/01/2024
8+
ms.date: 05/03/2024
99
ms.custom: project-no-code
1010
ms.author: kengaderdus
1111
ms.subservice: B2C
@@ -234,9 +234,9 @@ For the various page layouts, use the following page layout versions:
234234

235235
|Page layout |Page layout version range |
236236
|---------|---------|
237-
| Selfasserted | >=2.1.29 |
238-
| Unifiedssp | >=2.1.17 |
239-
| Multifactor | >=1.2.15 |
237+
| Selfasserted | >=2.1.30 |
238+
| Unifiedssp | >=2.1.18 |
239+
| Multifactor | >=1.2.16 |
240240

241241
**Example:**
242242
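Review bot: the minimum versions at lines 237-239 each move up one patch level, but the **Example:** that follows at line 241 is outside this hunk. Confirm that any page layout versions it shows meet the new minimums (>=2.1.30, >=2.1.18, >=1.2.16); otherwise a reader who copies the example ends up below the range the table now states.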

@@ -331,4 +331,4 @@ Use the steps in [Test the custom policy](tutorial-create-user-flows.md?pivots=b
331331
## Next steps
332332

333333
- Learn how to [Define a CAPTCHA technical profile](captcha-technical-profile.md).
334-
- Learn how to [Configure CAPTCHA display control](display-control-captcha.md).
334+
- Learn how to [Configure CAPTCHA display control](display-control-captcha.md).

articles/app-service/overview-authentication-authorization.md

Lines changed: 1 addition & 1 deletion
@@ -114,7 +114,7 @@ For client browsers, App Service can automatically direct all unauthenticated us
114114
115115
In the [Azure portal](https://portal.azure.com), you can configure App Service with a number of behaviors when incoming request is not authenticated. The following headings describe the options.
116116

117-
**Restric access**
117+
**Restrict access**
118118

119119
- **Allow unauthenticated requests** This option defers authorization of unauthenticated traffic to your application code. For authenticated requests, App Service also passes along authentication information in the HTTP headers.
120120
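Review bot: the typo fix at line 117 is fine, but the context sentence two lines above it, at line 115, still reads "when incoming request is not authenticated" with the article missing. Since this hunk is a copy edit of the same section, change it to "when an incoming request is not authenticated" in the same pass.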

articles/defender-for-cloud/TOC.yml

Lines changed: 13 additions & 0 deletions
@@ -211,6 +211,9 @@
211211
href: concept-easm.md
212212
- name: Critical assets protection
213213
href: critical-assets-protection.md
214+
- name: Permissions management
215+
displayName: permissions, management, role-based access control, RBAC, azure, azure ad, active directory
216+
href: permissions-management.md
214217
- name: Agentless machine scanning
215218
href: concept-agentless-data-collection.md
216219
- name: Secrets protection
@@ -319,6 +322,9 @@
319322
- name: Integrate security solutions
320323
displayName: security, solutions, integrate, integrated, data sources
321324
href: partner-integration.md
325+
- name: Enable permissions management
326+
displayName: permissions, management, role-based access control, RBAC, azure, azure ad, active directory
327+
href: enable-permissions-management.md
322328
- name: AI security posture
323329
items:
324330
- name: Discover generative AI workloads
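Review bot: the displayName added at line 326 for "Enable permissions management" is identical to the one added at line 215 for "Permissions management", so a search on those keywords returns both entries with nothing to tell the how-to from the concept page. Add distinguishing keywords such as enable or onboard to line 326.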
@@ -525,6 +531,10 @@
525531
href: defender-partner-applications.md
526532
- name: Onboard 42Crunch (preview)
527533
href: onboarding-guide-42crunch.md
534+
- name: Onboard StackHawk (preview)
535+
href: onboarding-guide-stackhawk.md
536+
- name: Onboard Bright Security (preview)
537+
href: onboarding-guide-bright.md
528538
- name: Defender for Servers
529539
displayName: hybrid, arc, Defender for Servers
530540
items:
@@ -704,6 +714,9 @@
704714
- name: Kubernetes data plane hardening
705715
displayName: k8s, containers, aks
706716
href: kubernetes-workload-protections.md
717+
- name: Vulnerability assessment for Azure powered by Qualys (Deprecated)
718+
displayName: ACR, registry, images, qualys
719+
href: defender-for-containers-vulnerability-assessment-azure.md
707720
- name: Defender for Kubernetes (deprecated)
708721
displayName: clusters, k8s, aks
709722
href: defender-for-kubernetes-introduction.md
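Review bot: the new entry at line 717 ends in "(Deprecated)" with a capital D, while the adjacent existing entry at line 720 uses "Defender for Kubernetes (deprecated)". Use the lowercase form so the two deprecated items read consistently in the TOC.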

articles/defender-for-cloud/defender-for-storage-malware-scan.md

Lines changed: 3 additions & 1 deletion
@@ -64,8 +64,10 @@ You can [enable and configure Malware Scanning at scale](tutorial-enable-storage
6464

6565
#### On-upload triggers
6666

67-
When a blob is uploaded to a protected storage account - a malware scan is triggered. All upload methods trigger the scan. Modifying a blob is an upload operation and therefore the modified content is scanned after the update.
67+
Malware scans are triggered in a protected storage account by any operation that results in a `BlobCreated` event, as specified in the [Azure Blob Storage as an Event Grid source](/azure/event-grid/event-schema-blob-storage?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=cloud-event-schema) page. These operations include the initial uploading of new blobs, overwriting existing blobs, and finalizing changes to blobs through specific operations. Finalizing operations might involve `PutBlockList`, which assembles block blobs from multiple blocks, or `FlushWithClose`, which commits data appended to a blob in Azure Data Lake Storage Gen2.
6868

69+
> [!NOTE]
70+
> Incremental operations such as `AppendFile` in Azure Data Lake Storage Gen2 and `PutBlock` in Azure BlockBlob, which allow data to be added without immediate finalization, do not trigger a malware scan on their own. A malware scan is initiated only when these additions are officially committed: `FlushWithClose` commits and finalizes `AppendFile` operations, triggering a scan, and `PutBlockList` commits blocks in BlockBlob, initiating a scan. Understanding this distinction is critical for managing scanning costs effectively, as each commit can lead to a new scan and potentially increase expenses due to multiple scans of incrementally updated data.
6971
#### Scan regions and data retention
7072

7173
The malware scanning service that uses Microsoft Defender Antivirus technologies reads the blob. Malware Scanning scans the content "in-memory" and deletes scanned files immediately after scanning. The content isn't retained. The scanning occurs within the same region of the storage account. In some cases, when a file is suspicious, and more data is required, Malware Scanning might share file metadata outside the scanning region, including metadata classified as customer data (for example, SHA-256 hash), with Microsoft Defender for Endpoint.
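Review bot: the note added at lines 69-70 runs straight into the "#### Scan regions and data retention" heading at line 71 with no blank line between them. Add an empty line after the note so the blockquote is clearly terminated before the heading. The note also says "Azure BlockBlob" and "BlockBlob" where the paragraph at line 67 says "block blobs"; use one term for both.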

articles/defender-for-cloud/defender-partner-applications.md

Lines changed: 8 additions & 6 deletions
@@ -10,11 +10,11 @@ ms.date: 11/15/2023
1010

1111
# Partner applications in Microsoft Defender for Cloud for API security testing (preview)
1212

13-
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines).
13+
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including source code repositories & CI/CD pipelines).
1414

1515
## Overview
1616

17-
The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud. This support enables full lifecycle API security, and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production.
17+
The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from partner solutions with Microsoft Defender for Cloud. This support enables full lifecycle API security, and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production.
1818

1919
The security scan results from partner applications are now available within Defender for Cloud, ensuring that central security teams have visibility into the health of APIs within the Defender for Cloud recommendation experience. These security teams can now take governance steps that are natively available through Defender for Cloud recommendations, and extensibility to export scan results from the Azure Resource Graph into management tools of their choice.
2020
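Review bot: the hunk header still shows "ms.date: 11/15/2023" and no hunk in this file touches it, although the article's scope changes here (new partners, different supported source code systems). Bump ms.date as the add-captcha.md change in this commit does. At line 13, replace the ampersand in "source code repositories & CI/CD pipelines" with "and".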

@@ -29,13 +29,15 @@ This feature requires a GitHub connector in Defender for Cloud. See [how to onbo
2929
| Release state | Preview <br> The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.|
3030
| Required/preferred environmental requirements | APIs within source code repository, including API specification files such as OpenAPI, Swagger. |
3131
| Clouds | Available in commercial clouds. Not available in national/sovereign clouds (Azure Government, Microsoft Azure operated by 21Vianet). |
32-
| Source code management systems | GitHub-supported versions: GitHub Free, Pro, Team, and GitHub Enterprise Cloud. This also requires a license for GitHub Advanced Security (GHAS). |
32+
| Source code management systems | [GitHub Enterprise Cloud](https://docs.github.com/enterprise-cloud@latest/admin/overview/about-github-enterprise-cloud). This also requires a license for GitHub Advanced Security (GHAS). <br> <br > [Azure DevOps Services](https://azure.microsoft.com/products/devops/) |
3333

3434
## Supported applications
3535

36-
| Logo | Partner name | Description | Enablement Guide |
37-
|----------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|
38-
| :::image type="content" source="media/defender-partner-applications/42crunch-logo.png" alt-text="42Crunch logo."::: | [42Crunch](https://aka.ms/APISecurityTestingPartnershipIgnite2023) | Developers can proactively test and harden APIs within their CI/CD pipelines through static and dynamic testing of APIs against the top OWASP API risks and OpenAPI specification best practices. | [42Crunch onboarding guide](onboarding-guide-42crunch.md) |
36+
| Partner name | Description | Enablement Guide |
37+
|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|
38+
| [42Crunch](https://aka.ms/APISecurityTestingPartnershipIgnite2023) | Developers can proactively test and harden APIs within their CI/CD pipelines through static and dynamic testing of APIs against the top OWASP API risks and OpenAPI specification best practices. | [42Crunch onboarding guide](onboarding-guide-42crunch.md) |
39+
| [StackHawk](https://aka.ms/APISecurityTestingPRStackHawk) | StackHawk is the only modern DAST and API security testing tool that runs in CI/CD, enabling developers to quickly find and fix security issues before they hit production. | [StackHawk onboarding guide](https://aka.ms/APISecurityTestingOnboardingGuideStackHawk) |
40+
| [Bright Security](https://aka.ms/APISecurityTestingPRBrightSecurity) | Bright Security’s dev-centric DAST platform empowers both developers and AppSec professionals with enterprise grade security testing capabilities for web applications, APIs, and GenAI and LLM applications. Bright knows how to deliver the right tests, at the right time in the SDLC, in developers and AppSec tools and stacks of choice with minimal false positives and alert fatigue. | [Bright Security onboarding guide](https://aka.ms/APISecurityTestingOnboardingGuideBrightSecurity) |
3941

4042
## Next steps
4143
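Review bot: in the new rows at lines 39-40 the onboarding guides link to aka.ms short URLs, while the 42Crunch row at line 38 uses the relative link onboarding-guide-42crunch.md and the TOC.yml change in this commit adds onboarding-guide-stackhawk.md and onboarding-guide-bright.md. Link those files relatively so the targets are checked with the rest of the docs set. At line 32, "<br >" has a stray space, and with GitHub Enterprise Cloud and Azure DevOps Services now sharing the cell it is unclear whether the GHAS license sentence applies to both. The descriptions at lines 39-40 also carry vendor claims such as "the only modern DAST" that this page does not substantiate; a neutral description in the style of the 42Crunch row would fit better.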
