Commit b68ff98

Merge pull request #233991 from MicrosoftDocs/main
4/10/2023 PM Publish
2 parents c380b35 + d183bc5 commit b68ff98

97 files changed: +1695 -557 lines changed

articles/active-directory/app-provisioning/accidental-deletions.md

Lines changed: 3 additions & 3 deletions
@@ -8,7 +8,7 @@ ms.service: active-directory
88
ms.subservice: app-provisioning
99
ms.topic: how-to
1010
ms.workload: identity
11-
ms.date: 01/23/2023
11+
ms.date: 04/10/2023
1212
ms.author: kenwith
1313
ms.reviewer: arvinh
1414
zone_pivot_groups: app-provisioning-cross-tenant-synchronization
@@ -86,13 +86,13 @@ You can test the feature by triggering disable / deletion events by setting the
8686

8787
Let the provisioning job run (20 – 40 mins) and navigate back to the provisioning page. You'll see the provisioning job in quarantine and can choose to allow the deletions or review the provisioning logs to understand why the deletions occurred.
8888

89-
## Common de-provisioning scenarios to test
89+
## Common deprovisioning scenarios to test
9090
- Delete a user / put them into the recycle bin.
9191
- Block sign in for a user.
9292
- Unassign a user or group from the application (or configuration).
9393
- Remove a user from a group that's providing them access to the application (or configuration).
9494

95-
To learn more about de-provisioning scenarios, see [How Application Provisioning Works](how-provisioning-works.md#de-provisioning).
95+
To learn more about deprovisioning scenarios, see [How Application Provisioning Works](how-provisioning-works.md#deprovisioning).
9696

9797
## Frequently Asked Questions
9898

articles/active-directory/app-provisioning/how-provisioning-works.md

Lines changed: 9 additions & 10 deletions
@@ -8,7 +8,7 @@ ms.service: active-directory
88
ms.subservice: app-provisioning
99
ms.topic: conceptual
1010
ms.workload: identity
11-
ms.date: 04/04/2023
11+
ms.date: 04/10/2023
1212
ms.author: kenwith
1313
ms.reviewer: arvinh
1414
---
@@ -31,7 +31,7 @@ The **Azure AD Provisioning Service** provisions users to SaaS apps and other sy
3131

3232
## Provisioning using SCIM 2.0
3333

34-
The Azure AD provisioning service uses the [SCIM 2.0 protocol](https://techcommunity.microsoft.com/t5/Identity-Standards-Blog/bg-p/IdentityStandards) for automatic provisioning. The service connects to the SCIM endpoint for the application, and uses SCIM user object schema and REST APIs to automate the provisioning and de-provisioning of users and groups. A SCIM-based provisioning connector is provided for most applications in the Azure AD gallery. Developers use the SCIM 2.0 user management API in Azure AD to build endpoints for their apps that integrate with the provisioning service. For details, see [Build a SCIM endpoint and configure user provisioning](../app-provisioning/use-scim-to-provision-users-and-groups.md).
34+
The Azure AD provisioning service uses the [SCIM 2.0 protocol](https://techcommunity.microsoft.com/t5/Identity-Standards-Blog/bg-p/IdentityStandards) for automatic provisioning. The service connects to the SCIM endpoint for the application, and uses SCIM user object schema and REST APIs to automate the provisioning and deprovisioning of users and groups. A SCIM-based provisioning connector is provided for most applications in the Azure AD gallery. Developers use the SCIM 2.0 user management API in Azure AD to build endpoints for their apps that integrate with the provisioning service. For details, see [Build a SCIM endpoint and configure user provisioning](../app-provisioning/use-scim-to-provision-users-and-groups.md).
3535

3636
To request an automatic Azure AD provisioning connector for an app that doesn't currently have one, see [Azure Active Directory Application Request](../manage-apps/v2-howto-app-gallery-listing.md).
3737
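
Review bot: On line 34 the link text `[SCIM 2.0 protocol]` points at the Identity Standards blog index on techcommunity.microsoft.com, not at anything that describes SCIM 2.0. Since the line is being edited anyway, suggest retargeting it to a SCIM reference; the same paragraph already links use-scim-to-provision-users-and-groups.md.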

@@ -43,7 +43,7 @@ Credentials are required for Azure AD to connect to the application's user manag
4343

4444
When you enable user provisioning for a third-party SaaS application, the Azure portal controls its attribute values through attribute mappings. Mappings determine the user attributes that flow between Azure AD and the target application when user accounts are provisioned or updated.
4545

46-
There's a pre-configured set of attributes and attribute mappings between Azure AD user objects and each SaaS app’s user objects. Some apps manage other types of objects along with Users, such as Groups.
46+
There's a preconfigured set of attributes and attribute mappings between Azure AD user objects and each SaaS app’s user objects. Some apps manage other types of objects along with Users, such as Groups.
4747

4848
When setting up provisioning, it's important to review and configure the attribute mappings and workflows that define which user (or group) properties flow from Azure AD to the application. Review and configure the matching property (**Match objects using this attribute**) that is used to uniquely identify and match users/groups between the two systems.
4949

@@ -56,15 +56,15 @@ When you configure provisioning to a SaaS application, one of the types of attri
5656

5757
For outbound provisioning from Azure AD to a SaaS application, relying on [user or group assignments](../manage-apps/assign-user-or-group-access-portal.md) is the most common way to determine which users are in scope for provisioning. Because user assignments are also used for enabling single sign-on, the same method can be used for managing both access and provisioning. Assignment-based scoping doesn't apply to inbound provisioning scenarios such as Workday and Successfactors.
5858

59-
* **Groups.** With an Azure AD Premium license plan, you can use groups to assign access to a SaaS application. Then, when the provisioning scope is set to **Sync only assigned users and groups**, the Azure AD provisioning service provisions or de-provisions users based on whether they're members of a group that's assigned to the application. The group object itself isn't provisioned unless the application supports group objects. Ensure that groups assigned to your application have the property "SecurityEnabled" set to "True".
59+
* **Groups.** With an Azure AD Premium license plan, you can use groups to assign access to a SaaS application. Then, when the provisioning scope is set to **Sync only assigned users and groups**, the Azure AD provisioning service provisions or deprovisions users based on whether they're members of a group that's assigned to the application. The group object itself isn't provisioned unless the application supports group objects. Ensure that groups assigned to your application have the property "SecurityEnabled" set to "True".
6060

6161
* **Dynamic groups.** The Azure AD user provisioning service can read and provision users in [dynamic groups](../enterprise-users/groups-create-rule.md). Keep these caveats and recommendations in mind:
6262

6363
* Dynamic groups can impact the performance of end-to-end provisioning from Azure AD to SaaS applications.
6464

65-
* How fast a user in a dynamic group is provisioned or de-provisioned in a SaaS application depends on how fast the dynamic group can evaluate membership changes. For information about how to check the processing status of a dynamic group, see [Check processing status for a membership rule](../enterprise-users/groups-create-rule.md).
65+
* How fast a user in a dynamic group is provisioned or deprovisioned in a SaaS application depends on how fast the dynamic group can evaluate membership changes. For information about how to check the processing status of a dynamic group, see [Check processing status for a membership rule](../enterprise-users/groups-create-rule.md).
6666

67-
* When a user loses membership in the dynamic group, it's considered a de-provisioning event. Consider this scenario when creating rules for dynamic groups.
67+
* When a user loses membership in the dynamic group, it's considered a deprovisioning event. Consider this scenario when creating rules for dynamic groups.
6868

6969
* **Nested groups.** The Azure AD user provisioning service can't read or provision users in nested groups. The service can only read and provision users that are immediate members of an explicitly assigned group. This limitation of "group-based assignments to applications" also affects single sign-on (see [Using a group to manage access to SaaS applications](../enterprise-users/groups-saasapps.md)). Instead, directly assign or otherwise [scope in](define-conditional-rules-for-provisioning-user-accounts.md) the groups that contain the users who need to be provisioned.
7070
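
Review bot: The dynamic-group caveat on line 67 tells readers to "consider this scenario" without saying what the consequence is or how to guard against it: a membership rule change that drops users deprovisions them in the target app. Suggest linking to accidental-deletions.md, which this commit also edits, so rule authors know the provisioning job can be quarantined for review before the deletions go through.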

@@ -184,8 +184,8 @@ Performance depends on whether your provisioning job is running an initial provi
184184

185185
All operations run by the user provisioning service are recorded in the Azure AD [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context). The logs include all read and write operations made to the source and target systems, and the user data that was read or written during each operation. For information on how to read the provisioning logs in the Azure portal, see the [provisioning reporting guide](./check-status-user-account-provisioning.md).
186186

187-
## De-provisioning
188-
The Azure AD provisioning service keeps source and target systems in sync by de-provisioning accounts when user access is removed.
187+
## Deprovisioning
188+
The Azure AD provisioning service keeps source and target systems in sync by deprovisioning accounts when user access is removed.
189189

190190
The provisioning service supports both deleting and disabling (sometimes referred to as soft-deleting) users. The exact definition of disable and delete varies based on the target app's implementation, but generally a disable indicates that the user can't sign in. A delete indicates that the user has been removed completely from the application. For SCIM applications, a disable is a request to set the *active* property to false on a user.
191191
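
Review bot: Renaming the heading on line 187 from `## De-provisioning` to `## Deprovisioning` changes its anchor from `#de-provisioning` to `#deprovisioning`, so any inbound link to the old fragment stops resolving. This commit updates the one in accidental-deletions.md (line 95); suggest searching the rest of the repo for `how-provisioning-works.md#de-provisioning` before publishing, because a stale fragment fails quietly and drops the reader at the top of the article.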

@@ -201,8 +201,7 @@ Confirm the mapping for *active* for your application. If you're using an applic
201201
**Configure your application to delete a user**
202202

203203
The scenario triggers a disable or a delete:
204-
* A user is soft-deleted in Azure AD (sent to the recycle bin / AccountEnabled property set to false).
205-
30 days after a user is deleted in Azure AD, they're permanently deleted from the tenant. At this point, the provisioning service sends a DELETE request to permanently delete the user in the application. At any time during the 30-day window, you can [manually delete a user permanently](../fundamentals/active-directory-users-restore.md), which sends a delete request to the application.
204+
* A user is soft-deleted in Azure AD (sent to the recycle bin / AccountEnabled property set to false). Thirty days after a user is deleted in Azure AD, they're permanently deleted from the tenant. At this point, the provisioning service sends a DELETE request to permanently delete the user in the application. At any time during the 30-day window, you can [manually delete a user permanently](../fundamentals/active-directory-users-restore.md), which sends a delete request to the application.
206205
* A user is permanently deleted / removed from the recycle bin in Azure AD.
207206
* A user is unassigned from an app.
208207
* A user goes from in scope to out of scope (doesn't pass a scoping filter anymore).
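
Review bot: Folding the 30-day paragraph into the first bullet (new line 204) makes it read as though both parenthetical cases end in permanent deletion, but only a user sent to the recycle bin is purged after 30 days; an account with AccountEnabled set to false is not removed from the tenant on that timer. Suggest keeping the bullet to the two soft-delete triggers and moving the recycle-bin timeline to the following bullet ("A user is permanently deleted / removed from the recycle bin"), which describes the same DELETE request. Nit: the merged sentence mixes "Thirty days" and "30-day window".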

articles/active-directory/authentication/concept-authentication-methods-manage.md

Lines changed: 1 addition & 0 deletions
@@ -105,6 +105,7 @@ Tenants are set to either Pre-migration or Migration in Progress by default, dep
105105
106106
## Known issues and limitations
107107
- In recent updates we removed the ability to target individual users. Previously targeted users will remain in the policy but we recommend moving them to a targeted group.
108+
- Registration of FIDO2 security keys may fail for some users if the FIDO2 Authentication method policy is targeted for a group and the overall Authentication methods policy has more than 20 groups configured. We're working on increasing the policy size limit and in the mean time recommend limiting the number of group targets to no more than 20.
108109

109110
## Next steps
110111
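
Review bot: The known issue added on line 108 says registration "may fail for some users" without describing what the failure looks like, so an admin can't tell this policy-size limit apart from other FIDO2 registration problems. Suggest adding the symptom or error the user sees, and stating whether already-registered keys keep working once the policy exceeds 20 groups. Nit: "in the mean time" should be "in the meantime".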

articles/aks/dapr.md

Lines changed: 7 additions & 0 deletions
@@ -63,6 +63,7 @@ Global Azure cloud is supported with Arc support on the following regions:
6363
| ------ | ----------- | -------------------------- |
6464
| `australiaeast` | :heavy_check_mark: | :heavy_check_mark: |
6565
| `australiasoutheast` | :heavy_check_mark: | :x: |
66+
| `brazilsouth` | :heavy_check_mark: | :x: |
6667
| `canadacentral` | :heavy_check_mark: | :heavy_check_mark: |
6768
| `canadaeast` | :heavy_check_mark: | :heavy_check_mark: |
6869
| `centralindia` | :heavy_check_mark: | :heavy_check_mark: |
@@ -72,18 +73,24 @@ Global Azure cloud is supported with Arc support on the following regions:
7273
| `eastus2` | :heavy_check_mark: | :heavy_check_mark: |
7374
| `eastus2euap` | :x: | :heavy_check_mark: |
7475
| `francecentral` | :heavy_check_mark: | :heavy_check_mark: |
76+
| `francesouth` | :heavy_check_mark: | :x: |
7577
| `germanywestcentral` | :heavy_check_mark: | :heavy_check_mark: |
7678
| `japaneast` | :heavy_check_mark: | :heavy_check_mark: |
79+
| `japanwest` | :heavy_check_mark: | :x: |
7780
| `koreacentral` | :heavy_check_mark: | :heavy_check_mark: |
81+
| `koreasouth` | :heavy_check_mark: | :x: |
7882
| `northcentralus` | :heavy_check_mark: | :heavy_check_mark: |
7983
| `northeurope` | :heavy_check_mark: | :heavy_check_mark: |
8084
| `norwayeast` | :heavy_check_mark: | :x: |
8185
| `southafricanorth` | :heavy_check_mark: | :x: |
8286
| `southcentralus` | :heavy_check_mark: | :heavy_check_mark: |
8387
| `southeastasia` | :heavy_check_mark: | :heavy_check_mark: |
88+
| `southindia` | :heavy_check_mark: | :x: |
8489
| `swedencentral` | :heavy_check_mark: | :heavy_check_mark: |
8590
| `switzerlandnorth` | :heavy_check_mark: | :heavy_check_mark: |
91+
| `uaenorth` | :heavy_check_mark: | :x: |
8692
| `uksouth` | :heavy_check_mark: | :heavy_check_mark: |
93+
| `ukwest` | :heavy_check_mark: | :x: |
8794
| `westcentralus` | :heavy_check_mark: | :heavy_check_mark: |
8895
| `westeurope` | :heavy_check_mark: | :heavy_check_mark: |
8996
| `westus` | :heavy_check_mark: | :heavy_check_mark: |
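
Review bot: dapr.md gains seven region rows across these two hunks but its `ms.date` is not touched (all 7 additions are table rows), while the app-provisioning files in this same commit bump `ms.date` to 04/10/2023 for spelling-only edits. Suggest updating the date here as well so the freshness metadata reflects the new region list. The new rows do keep the table's alphabetical order.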

articles/api-management/api-management-howto-app-insights.md

Lines changed: 43 additions & 11 deletions
@@ -7,9 +7,10 @@ author: dlepow
77

88
ms.service: api-management
99
ms.tgt_pltfrm: na
10-
ms.topic: article
11-
ms.date: 10/27/2021
10+
ms.topic: how-to
11+
ms.date: 04/03/2023
1212
ms.author: danlep
13+
ms.custom: engagement-fy23
1314

1415
---
1516

@@ -55,9 +56,14 @@ To use Application Insights, [create an instance of the Application Insights ser
5556
5657
## Enable Application Insights logging for your API
5758

59+
Use the following steps to enable Application Insights logging for an API. You can also enable Application Insights logging for all APIs.
60+
5861
1. Navigate to your **Azure API Management service instance** in the **Azure portal**.
5962
1. Select **APIs** from the menu on the left.
6063
1. Click on your API, in this case **Demo Conference API**. If configured, select a version.
64+
65+
> [!TIP]
66+
> To enable logging for all APIs, select **All APIs**.
6167
1. Go to the **Settings** tab from the top bar.
6268
1. Scroll down to the **Diagnostics Logs** section.
6369
:::image type="content" source="media/api-management-howto-app-insights/apim-app-insights-api-1.png" alt-text="App Insights logger":::
@@ -66,8 +72,8 @@ To use Application Insights, [create an instance of the Application Insights ser
6672
1. Input **100** as **Sampling (%)** and select the **Always log errors** checkbox.
6773
1. Leave the rest of the settings as is. For details about the settings, see [Diagnostic logs settings reference](diagnostic-logs-reference.md).
6874

69-
> [!WARNING]
70-
> Overriding the default **Number of payload bytes to log** value **0** may significantly decrease the performance of your APIs.
75+
> [!WARNING]
76+
> Overriding the default **Number of payload bytes to log** value **0** may significantly decrease the performance of your APIs.
7177
7278
1. Select **Save**.
7379
1. Behind the scenes, a [Diagnostic](/rest/api/apimanagement/current-ga/diagnostic/create-or-update) entity named `applicationinsights` is created at the API level.
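
Review bot: The re-indented warning on lines 75-76 still covers only the performance cost of raising **Number of payload bytes to log** above **0**. A nonzero value also sends request and response body content to Application Insights, so the note should tell readers to consider what sensitive data those payloads carry and who has read access to the logs.
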
@@ -83,7 +89,7 @@ You can specify loggers on different levels:
8389
+ A logger for all APIs
8490

8591
Specifying *both*:
86-
- By default, the single API logger (more granular level) will override the one for all APIs.
92+
- By default, the single API logger (more granular level) overrides the one for all APIs.
8793
- If the loggers configured at the two levels are different, and you need both loggers to receive telemetry (multiplexing), please contact Microsoft Support.
8894

8995
## What data is added to Application Insights
@@ -97,15 +103,41 @@ Application Insights receives:
97103
| *Exception* | For every failed request: <ul><li>Failed because of a closed client connection</li><li>Triggered an *on-error* section of the API policies</li><li>Has a response HTTP status code matching 4xx or 5xx</li></ul> |
98104
| *Trace* | If you configure a [trace](trace-policy.md) policy. <br /> The `severity` setting in the `trace` policy must be equal to or greater than the `verbosity` setting in the Application Insights logging. |
99105

100-
### Emit custom metrics
101-
You can emit custom metrics by configuring the [`emit-metric`](emit-metric-policy.md) policy.
106+
> [!NOTE]
107+
> See [Application Insights limits](../azure-monitor/service-limits.md#application-insights) for information about the maximum size and number of metrics and events per Application Insights instance.
102108
103-
To make Application Insights pre-aggregated metrics available in API Management, you'll need to manually enable custom metrics in the service.
104-
1. Use the [`emit-metric`](emit-metric-policy.md) policy with the [Create or Update API](/rest/api/apimanagement/current-ga/api-diagnostic/create-or-update).
105-
1. Add `"metrics":true` to the payload, along with any other properties.
109+
## Emit custom metrics
110+
You can emit [custom metrics](../azure-monitor/essentials/metrics-custom-overview.md) to Application Insights from your API Management instance. API Management emits custom metrics using the [emit-metric](emit-metric-policy.md) policy.
106111

107112
> [!NOTE]
108-
> See [Application Insights limits](../azure-monitor/service-limits.md#application-insights) for information about the maximum size and number of metrics and events per Application Insights instance.
113+
> Custom metrics are a preview feature of Azure Monitor and subject to limitations.
114+
115+
To emit custom metrics, perform the following configuration steps.
116+
117+
1. Enable **Custom metrics (Preview)** with custom dimensions in your Application Insights instance.
118+
119+
1. Navigate to your Application Insights instance in the portal.
120+
1. In the left menu, select **Usage and estimated costs**.
121+
1. Select **Custom metrics (Preview)** > **With dimensions**.
122+
1. Select **OK**.
123+
124+
1. Add the `"metrics": true` property to the `applicationInsights` diagnostic entity that's configured in API Management. Currently you must add this property using the API Management [Diagnostic - Create or Update](/rest/api/apimanagement/current-ga/diagnostic/create-or-update) REST API. For example:
125+
126+
```http
127+
PUT https://management.azure.com/subscriptions/{SubscriptionId}/resourceGroups/{ResourceGroupName}/providers/Microsoft.ApiManagement/service/{APIManagementServiceName}/diagnostics/applicationinsights
128+
129+
{
130+
[...]
131+
{
132+
"properties": {
133+
"loggerId": "/subscriptions/{SubscriptionId}/resourceGroups/{ResourceGroupName}/providers/Microsoft.ApiManagement/service/{APIManagementServiceName}/loggers/{ApplicationInsightsLoggerName}",
134+
"metrics": true
135+
[...]
136+
}
137+
}
138+
```
139+
1. Ensure that the Application Insights logger is configured at the scope you intend to emit custom metrics (either all APIs, or a single API). For more information, see [Enable Application Insights logging for your API](#enable-application-insights-logging-for-your-api), earlier in this article.
140+
1. Configure the `emit-metric` policy at a scope where Application Insights logging is configured (either all APIs, or a single API) and is enabled for custom metrics. For policy details, see the [`emit-metric`](emit-metric-policy.md) policy reference.
109141
110142
## Performance implications and log sampling
111143
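
Review bot: The JSON body in the example on lines 129-137 opens three braces (`{` on 129, `{` on 131, `"properties": {` on 132) but closes only two, so it can't be used as shown; dropping the outer `{` and the first `[...]` on lines 129-130 would balance it. The prose on line 124 also names the entity `applicationInsights` while the URL on line 127 and the earlier "Behind the scenes" step use `applicationinsights`; suggest one casing throughout.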
