Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into linux-fixes-1

Author: asudbring

articles/active-directory/governance/entitlement-management-logic-apps-integration.md

@@ -70,7 +70,7 @@ These triggers to Logic Apps are controlled in a tab within access package polic
 1. The **Extension Configuration** tab allows you to decide if your extension has “launch and continue” or “launch and wait” behavior. With “Launch and continue” the linked policy action on the access package, such as a request, triggers the Logic App attached to the custom extension. After the Logic App is triggered, the entitlement management process associated with the access package will continue. For “Launch and wait”, we'll pause the associated access package action until after the Logic App linked to the extension completes its task, and a resume action is sent by the admin to continue the process. If no response is sent back in the wait time period defined, this process would be considered a failure. This process is further described below in its own section [Configuring custom extensions that pause entitlement management processes](entitlement-management-logic-apps-integration.md#configuring-custom-extensions-that-pause-entitlement-management-processes). 
 
 
-1. In the **Details** tab, choose whether you’d like to use an existing Logic App. Selecting Yes in the field “Create new logic app” (default) creates a new blank Logic App that is already linked to this custom extension. Regardless, you need to provide: 
+1. In the **Details** tab, choose whether you’d like to use an existing consumption plan Logic App. Selecting Yes in the field “Create new logic app” (default) creates a new blank consumption plan Logic App that is already linked to this custom extension. Regardless, you need to provide: 
 
     1. An Azure subscription.
 
@@ -161,7 +161,7 @@ A new update to the custom extensions feature is the ability to pause the access
 
 This pause process allows admins to have control of workflows they’d like to run before continuing with access lifecycle tasks in entitlement management. The only exception to this is if a timeout occurs. Launch and wait processes require a timeout of up to 14 days noted in minutes, hours, or days. If a resume response isn't sent back to entitlement management by the time the “timeout” period elapses, the entitlement management request workflow process pauses. 
 
-The admin is responsible for configuring an automated process that is able to send the API **resume request** payload back to entitlement management, once the Logic App workflow has completed. To send back the resume request payload, follow the instructions here in the graph API documents. See information here on the [resume request](/graph/api/accesspackageassignmentrequest-resume)
+The admin is responsible for configuring an automated process that is able to send the API **resume request** payload back to entitlement management, once the Logic App workflow has completed. To send back the resume request payload, follow the instructions here in the graph API documents. See information here on the [resume request](/graph/api/accesspackageassignmentrequest-resume).
 
 Specifically, when an access package policy has been enabled to call out a custom extension and the request processing is waiting for the callback from the customer, the customer can initiate a resume action. It's performed on an [accessPackageAssignmentRequest](/graph/api/resources/accesspackageassignmentrequest) object whose **requestStatus** is in a **WaitingForCallback** state. 
 
@@ -171,12 +171,25 @@ The resume request can be sent back for the following stages:
 microsoft.graph.accessPackageCustomExtensionStage.assignmentRequestCreated 
 microsoft.graph.accessPackageCustomExtensionStage.assignmentRequestApproved 
 microsoft.graph.accessPackageCustomExtensionStage.assignmentRequestGranted 
-Microsoft.graph.accessPackageCustomExtensionStage.assignmentRequestRemoved
+microsoft.graph.accessPackageCustomExtensionStage.assignmentRequestRemoved
 ``
 
 The following flow diagram shows the entitlement management callout to Logic Apps workflow:
-:::image type="content" source="media/entitlement-management-logic-apps/extensibility-diagram-flow.png" alt-text="A screenshot of the extensibility user diagram." lightbox="media/entitlement-management-logic-apps/extensibility-diagram-flow.png":::
+:::image type="content" source="media/entitlement-management-logic-apps/extensibility-diagram-flow.png" alt-text="A diagram of the entitlement management call to the logic apps workflow." lightbox="media/entitlement-management-logic-apps/extensibility-diagram-flow.png":::
 
+The diagram flow diagram shows:
+
+1. The user creates a custom endpoint able to receive the call from the Identity Service
+1. The identity service makes a test call to confirm the endpoint can be called by the Identity Service
+1. The User calls Graph API to request to add a user to an access package
+1. The Identity Service is added to the queue triggering the backend workflow
+1. Entitlement Management Service request processing calls the logic app with the request payload
+1. Workflow expects the accepted code
+1. The Entitlement Management Service waits for the blocking custom action to resume
+1. The customer system calls the request resume API to the identity service to resume processing the request
+1. The identity service adds the  resume request message to the Entitlement Management Service queue resuming the backend workflow
+1. The Entitlement Management Service is resumed from the blocked state
+
 An example of a resume request payload is:
 
 ``` http

articles/active-directory/governance/media/entitlement-management-logic-apps/extensibility-diagram-flow.png

@@ -14,9 +14,9 @@
     - name: Getting started
       items:
         - name: Well-architected considerations
-          href: /azure/architecture/framework/services/compute/azure-kubernetes-service/azure-kubernetes-service?bc=/azure/aks/breadcrumb/toc.json&toc=/azure/aks/toc.json?WT.mc_id=AKSDOCSTOC
+          href: /azure/architecture/framework/services/compute/azure-kubernetes-service/azure-kubernetes-service?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
         - name: Plan your implementation
-          href: /azure/architecture/reference-architectures/containers/aks-start-here?bc=/azure/aks/breadcrumb/toc.json&toc=/azure/aks/toc.json?WT.mc_id=AKSDOCSTOC
+          href: /azure/architecture/reference-architectures/containers/aks-start-here?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
         - name: Optimize costs
           href: best-practices-cost.md
 - name: Quickstarts
@@ -86,7 +86,7 @@
         - name: Vulnerability management
           href: concepts-vulnerability-management.md
         - name: Security Baseline
-          href: /security/benchmark/azure/baselines/aks-security-baseline?context=/azure/aks/context/aks-context
+          href: /security/benchmark/azure/baselines/aks-security-baseline?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
         - name: Container Security
           href: concepts-security.md
         - name: Security controls by Azure Policy
@@ -127,7 +127,7 @@
         - name: Overview
           href: best-practices.md
         - name: Baseline architecture for an AKS cluster
-          href: /azure/architecture/reference-architectures/containers/aks/secure-baseline-aks
+          href: /azure/architecture/reference-architectures/containers/aks/secure-baseline-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
           maintainContext: True
         - name: Security
           items:
@@ -164,22 +164,22 @@
         - name: Plan and execute a migration
           href: aks-migration.md
         - name: Spring Boot
-          href: /azure/developer/java/migration/migrate-spring-boot-to-azure-kubernetes-service
+          href: /azure/developer/java/migration/migrate-spring-boot-to-azure-kubernetes-service?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
           maintainContext: false
         - name: Tomcat
-          href: /azure/developer/java/migration/migrate-tomcat-to-containers-on-azure-kubernetes-service
+          href: /azure/developer/java/migration/migrate-tomcat-to-containers-on-azure-kubernetes-service?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
           maintainContext: false
         - name: Wildfly
-          href: /azure/developer/java/migration/migrate-wildfly-to-wildfly-on-azure-kubernetes-service
+          href: /azure/developer/java/migration/migrate-wildfly-to-wildfly-on-azure-kubernetes-service?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
           maintainContext: false
         - name: WebLogic
-          href: /azure/developer/java/migration/migrate-weblogic-to-wildfly-on-azure-kubernetes-service
+          href: /azure/developer/java/migration/migrate-weblogic-to-wildfly-on-azure-kubernetes-service?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
           maintainContext: false
         - name: WebSphere
-          href: /azure/developer/java/migration/migrate-websphere-to-wildfly-on-azure-kubernetes-service
+          href: /azure/developer/java/migration/migrate-websphere-to-wildfly-on-azure-kubernetes-service?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
           maintainContext: false
         - name: JBoss EAP
-          href: /azure/developer/java/migration/migrate-jboss-eap-to-wildfly-on-azure-kubernetes-service
+          href: /azure/developer/java/migration/migrate-jboss-eap-to-wildfly-on-azure-kubernetes-service?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
           maintainContext: false
         - name: Java web app containerization and migration
           href: ../migrate/tutorial-app-containerization-java-kubernetes.md
@@ -341,7 +341,7 @@
             - name: Use Azure Policy
               href: use-azure-policy.md
             - name: Control deployments with Azure Policy
-              href: ../governance/policy/concepts/policy-for-kubernetes.md?toc=/azure/aks/toc.json
+              href: ../governance/policy/concepts/policy-for-kubernetes.md?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
               maintainContext: true
         - name: Node security
           items:
@@ -598,7 +598,7 @@
         - name: Kubernetes Event-driven Autoscaler (KEDA) integrations
           href: keda-integrations.md
         - name: Troubleshoot Kubernetes Event-driven Autoscaler (KEDA)
-          href: /troubleshoot/azure/azure-kubernetes/troubleshoot-kubernetes-event-driven-autoscaling-add-on?context=/azure/aks/context/aks-context
+          href: /troubleshoot/azure/azure-kubernetes/troubleshoot-kubernetes-event-driven-autoscaling-add-on?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
     - name: Use cluster extensions
       href: cluster-extensions.md
     - name: DevOps
@@ -607,7 +607,7 @@
           href: /azure/developer/ansible/aks-configure-clusters
           maintainContext: true
         - name: Jenkins continuous deployment
-          href: /azure/developer/jenkins/deploy-from-github-to-aks
+          href: /azure/developer/jenkins/deploy-from-github-to-aks?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
         - name: Azure DevOps Project
           href: ../devops-project/azure-devops-project-aks.md
           maintainContext: true

articles/aks/TOC.yml

@@ -91,6 +91,9 @@
       - name: Observability
         href: observability.md
         displayName: monitoring
+      - name: Compute platform
+        href: compute-infrastructure.md
+        displayName: stv1, stv2
       - name: DevOps and CI/CD
         href: devops-api-development-templates.md  
       - name: APIs
@@ -152,6 +155,8 @@
             - name: Recover a deleted instance
               displayName: soft delete
               href: soft-delete.md
+            - name: Migrate to stv2 platform
+              href: migrate-stv1-to-stv2.md
             - name: Configure networking
               items:
                 - name: Connect to a virtual network

articles/api-management/TOC.yml

@@ -6,7 +6,7 @@ description: Learn how to enable user sign-in to the API Management developer po
 author: dlepow
 ms.service: api-management
 ms.topic: article
-ms.date: 03/17/2023
+ms.date: 04/18/2023
 ms.author: danlep
 ms.custom: engagement-fy23
 ---
@@ -152,26 +152,11 @@ Now that you've enabled access for users in an Azure AD tenant, you can:
 * Add Azure AD groups into API Management. 
 * Control product visibility using Azure AD groups.
 
-Follow these steps to grant:
-* `User.Read` **delegated** permission for Microsoft Graph API. 
-* `Directory.ReadAll` **application** permission for Microsoft Graph API. 
-
-1. Update the first 3 lines of the following Azure CLI script to match your environment and run it.
-
-   ```azurecli
-   $subId = "Your Azure subscription ID" # Example: "1fb8fadf-03a3-4253-8993-65391f432d3a"
-   $tenantId = "Your Azure AD Tenant or Organization ID" # Example: 0e054eb4-e5d0-43b8-ba1e-d7b5156f6da8"
-   $appObjectID = "Application Object ID that has been registered in AAD" # Example: "2215b54a-df84-453f-b4db-ae079c0d2619"
-   #Login and Set the Subscription
-   az login
-   az account set --subscription $subId
-   #Assign the following permission: Microsoft Graph Delegated Permission: User.Read, Microsoft Graph Application Permission: Directory.ReadAll
-   az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/$($tenantId)/applications/$($appObjectID)" --body "{'requiredResourceAccess':[{'resourceAccess': [{'id': 'e1fe6dd8-ba31-4d61-89e7-88639da4683d','type': 'Scope'},{'id': '7ab1d382-f21e-4acd-a863-ba3e13f7da61','type': 'Role'}],'resourceAppId': '00000003-0000-0000-c000-000000000000'}]}"
-   ```
-
-1. Sign out and sign back in to the Azure portal.
 1. Navigate to the App Registration page for the application you registered in [the previous section](#enable-user-sign-in-using-azure-ad---portal). 
-1. Select **API Permissions**. You should see the permissions granted by the Azure CLI script in step 1. 
+1. Select **API Permissions**. 
+1. Add the following minimum **application** permissions for Microsoft Graph API:
+    * `User.Read.All` application permission – so API Management can read the user’s group membership to perform group synchronization at the time the user logs in. 
+    * `Group.Read.All` application permission – so API Management can read the Azure AD groups when an administrator tries to add the group to API Management using the **Groups** blade in the portal. 
 1. Select **Grant admin consent for {tenantname}** so that you grant access for all users in this directory. 
 
 Now you can add external Azure AD groups from the **Groups** tab of your API Management instance.

articles/api-management/api-management-howto-aad.md

@@ -6,7 +6,7 @@ documentationcenter: ''
 author: dlepow
 ms.service: api-management
 ms.topic: reference
-ms.date: 08/26/2022
+ms.date: 01/10/2023
 ms.author: danlep
 ---
 
@@ -40,7 +40,7 @@ After 31 August 2024, any instance hosted on the `stv1` platform won't be suppor
 
 **Migrate all your existing instances hosted on the `stv1` compute platform to the `stv2` compute platform by 31 August 2024.**  
 
-If you have existing instances hosted on the `stv1` platform, you can follow our [migration guide](../compute-infrastructure.md#how-do-i-migrate-to-the-stv2-platform) which provides all the details to ensure a successful migration. 
+If you have existing instances hosted on the `stv1` platform, you can follow our [migration guide](../migrate-stv1-to-stv2.md) which provides all the details to ensure a successful migration. 
 
 ## Help and support