Merge pull request #186611 from MicrosoftDocs/master

Merge Master to Live, 4 AM

Author: PMEds28

.openpublishing.redirection.json

@@ -45236,7 +45236,11 @@
       "source_path_from_root": "/articles/azure-monitor/agents/azure-monitor-agent-install.md",
       "redirect_url": "/azure/azure-monitor/agents/azure-monitor-agent-manage",
       "redirect_document_id": true
+    },
+    {
+    "source_path_from_root": "/articles/azure/virtual-desktop/azure-advisor.md",
+    "redirect_url": "/azure/advisor/advisor-overview",
+    "redirect_document_id": false
     }
-
   ]
 }

articles/active-directory/develop/workload-identities-overview.md

@@ -1,11 +1,9 @@
 ---
 title: Workload identities 
 titleSuffix: Microsoft identity platform
-description: 
-services: active-directory
+description: Understand the concepts and supported scenarios for using workload identity in Azure Active Directory.
 author: rwike77
 manager: CelesteDG
-
 ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
@@ -50,4 +48,4 @@ Here are some ways you can use workload identities:
 
 ## Next steps
 
-Learn how to [secure access of workload identities](../conditional-access/workload-identity.md) with adaptive policies.
+Learn how to [secure access of workload identities](../conditional-access/workload-identity.md) with adaptive policies.

articles/active-directory/manage-apps/f5-big-ip-kerberos-easy-button.md

@@ -29,13 +29,13 @@ To learn about all of the benefits, see the article on [F5 BIG-IP and Azure AD i
 
 ## Scenario description
 
-For this scenario, you will configure a critical line of business (LOB) application for **Kerberos authentication**, also known as **Integrated Windows Authentication (IWA)**.
+For this scenario, we have an application using **Kerberos authentication**, also known as **Integrated Windows Authentication (IWA)**, to gate access to protected content.
 
-Ideally, Azure AD should manage the application, but being legacy, it does not support any form of modern authentication protocols. Modernization would take considerable effort, introducing inevitable costs, and risk of potential downtime.
+Being legacy, the application lacks modern protocols to support a direct integration with Azure AD. Modernizing the app would be ideal, but is costly, requires careful planning, and introduces risk of potential impact.
 
-Instead, a BIG-IP Virtual Edition (VE) deployed between the public internet and the internal Azure VNet application is connected and will be used to gate inbound access to the application, along with Azure AD for its extensive choice of authentication and authorization capabilities.
+One option would be to consider using [Azure AD Application Proxy](/azure/active-directory/app-proxy/application-proxy), as it provides the protocol transitioning required to bridge the legacy application to the modern identity control plane. Or for our scenario, we'll achieve this using F5's BIG-IP Application Delivery Controller (ADC).
 
-Having a BIG-IP in front of the application enables us to overlay the service with Azure AD pre-authentication and header-based SSO. It significantly improves the overall security posture of the application, and allows the business to continue operating at pace, without interruption.
+Having a BIG-IP in front of the application enables us to overlay the service with Azure AD pre-authentication and header-based SSO, significantly improving the overall security posture of the application for remote and local access.
 
 ## Scenario architecture
 
@@ -47,7 +47,7 @@ The SHA solution for this scenario is made up of the following:
 
 **KDC:** Key Distribution Center (KDC) role on a Domain Controller (DC), issuing Kerberos tickets.
 
-**BIG-IP:** Reverse proxy functionality enables publishing backend applications. The APM then overlays published applications with SAML Service Provider (SP) and SSO functionality.
+**BIG-IP:** Reverse proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP before performing header-based SSO to the PeopleSoft service.
 
 SHA for this scenario supports both SP and IdP initiated flows. The following image illustrates the SP initiated flow.
 
@@ -179,7 +179,7 @@ These are general and service account properties. Consider this section to be th
 
 Some of these are global settings so can be re-used for publishing more applications, further reducing deployment time and effort.
 
-1. Enter **Configuration Name.** A unique name that enables an admin to easily distinguish between Easy Button configurations for published applications
+1. Provide a unique **Configuration Name** that enables admins to easily distinguish between Easy Button configurations
 
 2. Enable **Single Sign-On (SSO) & HTTP Headers**
 
@@ -249,7 +249,7 @@ As our AD infrastructure is based on a .com domain suffix used both, internally
 
 #### Additional User Attributes
 
-In the **Additional User Attributes tab**, you can enable session augmentation required by various distributed systems such as Oracle, SAP, and other JAVA based implementations requiring attributes stored in other directories. Attributes fetched from an LDAP source can then be injected as additional SSO headers to further control access based on roles, Partner IDs, etc.![Graphical user interface, text, application, email
+The **Additional User Attributes** tab can support a variety of distributed systems requiring attributes stored in other directories, for session augmentation. Attributes fetched from an LDAP source can then be injected as additional SSO headers to further control access based on roles, Partner IDs, etc.
 
 ![Screenshot for additional user attributes](./media/f5-big-ip-kerberos-easy-button/additional-user-attributes.png)
 
@@ -260,17 +260,17 @@ In the **Additional User Attributes tab**, you can enable session augmentation r
 
 You can further protect the published application with policies returned from your Azure AD tenant. These policies are enforced after the first-factor authentication has been completed and uses signals from conditions like device platform, location, user or group membership, or application to determine access.
 
-The **Available Policies** list, by default, displays a list of policies that target selected apps.
+The **Available Policies** by default, lists all CA policies defined without user based actions.
 
-The **Selected Policies** list, by default, displays all policies targeting All cloud apps. These policies cannot be deselected or moved to the Available Policies list. They are included by default but can be excluded if necessary.
+The **Selected Policies**, by default, displays all policies targeting All cloud apps. These policies cannot be deselected or moved to the Available Policies list.
 
 To select a policy to be applied to the application being published:
 
 1. Select the desired policy in the **Available Policies** list
 
 2. Select the right arrow and move it to the **Selected Policies** list
 
-   Selected policies should either have an **Include** or **Exclude** option checked. If both options are checked, the selected policy is not enforced. **Exclude** all policies while testing. You can go back and enable them later.
+   Selected policies should either have an **Include** or **Exclude** option checked. If both options are checked, the selected policy is not enforced. Excluding all policies may ease testing, you can go back and enable them later.
 
   ![Screenshot for CA policies](./media/f5-big-ip-kerberos-easy-button/conditional-access-policy.png)
 
@@ -293,7 +293,7 @@ A virtual server is a BIG-IP data plane object represented by a virtual IP addre
 
 ### Pool Properties
 
-The **Application Pool tab** details the services behind a BIG-IP that are represented as a pool, containing one or more application servers.
+The **Application Pool tab** details the services behind a BIG-IP, represented as a pool containing one or more application servers.
 
 1. Choose from **Select a Pool.** Create a new pool or select an existing one
 
@@ -420,7 +420,7 @@ For more information, see [Kerberos Constrained Delegation across domains](/prev
 
 ## Next steps
 
-From a browser, **connect** to the application’s external URL or select the **application’s icon** in the [Microsoft MyApps portal](https://myapps.microsoft.com/). After authenticating against Azure AD, you’ll be redirected to the BIG-IP virtual server for the application and automatically signed in through SSO.
+From a browser, **connect** to the application’s external URL or select the **application’s icon** in the [Microsoft MyApps portal](https://myapps.microsoft.com/). After authenticating to Azure AD, you’ll be redirected to the BIG-IP virtual server for the application and automatically signed in through SSO.
 
 ![Screenshot for App views](./media/f5-big-ip-kerberos-easy-button/app-view.png)
 

articles/app-service/configure-ssl-certificate.md

@@ -58,17 +58,27 @@ To secure a custom domain in a TLS binding, the certificate has additional requi
 > [!NOTE]
 > Before creating a free managed certificate, make sure you have [fulfilled the prerequisites](#prerequisites) for your app.
 
-The free App Service managed certificate is a turn-key solution for securing your custom DNS name in App Service. It's a TLS/SSL server certificate that's fully managed by App Service and renewed continuously and automatically in six-month increments, 45 days before expiration. You create the certificate and bind it to a custom domain, and let App Service do the rest.
+The free App Service managed certificate is a turn-key solution for securing your custom DNS name in App Service. It's a TLS/SSL server certificate that's fully managed by App Service and renewed continuously and automatically in six-month increments, 45 days before expiration, as long as the prerequisites set-up remain the same without any action required from you. All the associated bindings will be updated with the renewed certificate. You create the certificate and bind it to a custom domain, and let App Service do the rest.
 
 The free certificate comes with the following limitations:
 
 - Does not support wildcard certificates.
 - Does not support usage as a client certificate by certificate thumbprint (removal of certificate thumbprint is planned).
+- Does not support private DNS.
 - Is not exportable.
-- Is not supported on App Service not publicly accessible.
 - Is not supported on App Service Environment (ASE).
+- Only supports alphanumeric characters, dashes (-), and periods (.).
+
+# [Apex domain](#tab/apex)
+- Must have an A record pointing to your web app's IP address.
 - Is not supported with root domains that are integrated with Traffic Manager.
-- If a certificate is for a CNAME-mapped domain, the CNAME must be mapped directly to `<app-name>.azurewebsites.net`.
+- All the above must be met for successful certificate issuances and renewals
+
+# [Subdomain](#tab/subdomain)
+- Must have CNAME mapped _directly_ to <app-name>.azurewebsites.net; using services that proxy the CNAME value will block certificate issuance and renewal
+- All the above must be met for successful certificate issuance and renewals
+
+-----
 
 > [!NOTE]
 > The free certificate is issued by DigiCert. For some domains, you must explicitly allow DigiCert as a certificate issuer by creating a [CAA domain record](https://wikipedia.org/wiki/DNS_Certification_Authority_Authorization) with the value: `0 issue digicert.com`.

articles/azure-cache-for-redis/cache-managed-identity.md

@@ -93,7 +93,7 @@ To use managed identity, you must have a premium-tier cache.
 
    :::image type="content" source="media/cache-managed-identity/identity-add.png" alt-text="User assigned identity status is on":::
 
-1. A sidebar pops up to allow you to select any available user-assigned identity to your subscription. Choose an identity and select **Add**. For more information on user assigned managed identities, see [manage user-assigned identity](/azure/active-directory/managed-identities-azure-resources/manage-user-assigned-managed-identities.md).
+1. A sidebar pops up to allow you to select any available user-assigned identity to your subscription. Choose an identity and select **Add**. For more information on user assigned managed identities, see [manage user-assigned identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).
    >[!Note]
    >You need to [create a user assigned identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp) in advance of this step.
    >

articles/azure-monitor/app/usage-overview.md

@@ -130,14 +130,16 @@ To do this, [set up a telemetry initializer](./api-filtering-sampling.md#addmodi
     // Telemetry initializer class
     public class MyTelemetryInitializer : ITelemetryInitializer
     {
+        // In this example, to differentiate versions, we use the value specified in the AssemblyInfo.cs
+        // for ASP.NET apps, or in your project file (.csproj) for the ASP.NET Core apps. Make sure that
+        // you set a different assembly version when you deploy your application for A/B testing.
+        static readonly string _version = 
+            System.Reflection.Assembly.GetExecutingAssembly().GetName().Version.ToString();
+            
         public void Initialize(ITelemetry item)
-            {
-                var itemProperties = item as ISupportProperties;
-                if (itemProperties != null && !itemProperties.Properties.ContainsKey("AppVersion"))
-                {
-                    itemProperties.Properties["AppVersion"] = "v2.1";
-                }
-            }
+        {
+            item.Context.Component.Version = _version;
+        }
     }
 ```
 
@@ -149,7 +151,7 @@ In the web app initializer such as Global.asax.cs:
     {
         // ...
         TelemetryConfiguration.Active.TelemetryInitializers
-         .Add(new MyTelemetryInitializer());
+            .Add(new MyTelemetryInitializer());
     }
 ```
 
@@ -161,16 +163,14 @@ In the web app initializer such as Global.asax.cs:
 For [ASP.NET Core](asp-net-core.md#adding-telemetryinitializers) applications, adding a new `TelemetryInitializer` is done by adding it to the Dependency Injection container, as shown below. This is done in `ConfigureServices` method of your `Startup.cs` class.
 
 ```csharp
- using Microsoft.ApplicationInsights.Extensibility;
- using CustomInitializer.Telemetry;
- public void ConfigureServices(IServiceCollection services)
+using Microsoft.ApplicationInsights.Extensibility;
+
+public void ConfigureServices(IServiceCollection services)
 {
     services.AddSingleton<ITelemetryInitializer, MyTelemetryInitializer>();
 }
 ```
 
-All new TelemetryClients automatically add the property value you specify. Individual telemetry events can override the default values.
-
 ## Next steps
    - [Users, Sessions, Events](usage-segmentation.md)
    - [Funnels](usage-funnels.md)