Merge pull request #222066 from MicrosoftDocs/main

12/20 PM Publish

Author: huypub

.openpublishing.publish.config.json

@@ -386,6 +386,12 @@
       "branch": "main",
       "branch_mapping": {}
     },
+    {
+      "path_to_root": "azureml-examples-mavaisma-r-azureml",
+      "url": "https://github.com/azure/azureml-examples",
+      "branch": "mavaisma-r-azureml",
+      "branch_mapping": {}
+    },
     {
       "path_to_root": "azureml-examples-v2samplesreorg",
       "url": "https://github.com/azure/azureml-examples",

articles/active-directory-b2c/TOC.yml

@@ -66,7 +66,7 @@
     - name: Authentication library
       href: ../active-directory/develop/msal-overview.md?bc=%2fazure%2factive-directory-b2c%2fbread%2ftoc.json&toc=%2fazure%2factive-directory-b2c%2fTOC.json
       displayName: MSAL, client library, Microsoft Authentication Library
-  - name: Azure AD B2C global identitiy framework
+  - name: Azure AD B2C global identity framework
     items:
       - name: Global identity solutions
         href: azure-ad-b2c-global-identity-solutions.md

articles/active-directory/saas-apps/servicenow-provisioning-tutorial.md

@@ -149,6 +149,8 @@ After you've configured provisioning, use the following resources to monitor you
 
 - Self-hosted ServiceNow instances aren't supported. 
 
+- When an update to the *active* attribute in ServiceNow is provisioned, the attribute *locked_out* is also updated accordingly, even if *locked_out* is not mapped in the Azure provisioning service.  
+
 ## Additional resources
 
 - [Managing user account provisioning for enterprise apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

articles/aks/TOC.yml

@@ -2,7 +2,7 @@
   href: ./index.yml
 - name: Overview
   items:
-    - name: About AKS
+    - name: What is AKS?
       href: intro-kubernetes.md
     - name: Quotas and regional limits
       href: quotas-skus-regions.md

articles/aks/intro-kubernetes.md

@@ -7,7 +7,7 @@ ms.date: 11/18/2022
 ms.custom: mvc, ignite-2022
 ---
 
-# Azure Kubernetes Service
+# What is Azure Kubernetes Service?
 
 Azure Kubernetes Service (AKS) simplifies deploying a managed Kubernetes cluster in Azure by offloading the operational overhead to Azure. As a hosted Kubernetes service, Azure handles critical tasks, like health monitoring and maintenance. When you create an AKS cluster, a control plane is automatically created and configured. This control plane is provided at no cost as a managed Azure resource abstracted from the user. You only pay for and manage the nodes attached to the AKS cluster.
 

articles/application-gateway/mutual-authentication-overview.md

@@ -69,11 +69,58 @@ For more information on how to extract trusted client CA certificate chains, see
 
 ## Server variables 
 
-With mutual authentication, there are additional server variables that you can use to pass information about the client certificate to the backend servers behind the Application Gateway. For more information about which server variables are available and how to use them, check out [server variables](./rewrite-http-headers-url.md#mutual-authentication-server-variables).
+With mutual TLS authentication, there are additional server variables that you can use to pass information about the client certificate to the backend servers behind the Application Gateway. For more information about which server variables are available and how to use them, check out [server variables](./rewrite-http-headers-url.md#mutual-authentication-server-variables).
 
 ## Certificate Revocation
 
-Client certificate revocation with OCSP (Online Certificate Status Protocol) will be supported shortly. 
+When a client initiates a connection to an Application Gateway configured with mutual TLS authentication, not only can the certificate chain and issuer's distinguished name be validated, but revocation status of the client certificate can be checked with OCSP (Online Certificate Status Protocol). During validation, the certificate presented by the client will be looked up via the defined OCSP responder defined in its Authority Information Access (AIA) extension. In the event the client certificate has been revoked, the application gateway will respond to the client with an HTTP 400 status code and reason.  If the certificate is valid, the request will continue to be processed by application gateway and forwarded on to the defined backend pool.
+
+Client certificate revocation can be enabled via REST API, ARM, Bicep, or PowerShell.
+
+# [Azure PowerShell](#tab/powershell)
+To configure client revocation check on an existing Application Gateway via Azure PowerShell, the following commands can be referenced:
+```azurepowershell
+# Get Application Gateway configuration
+$AppGw = Get-AzApplicationGateway -Name "ApplicationGateway01" -ResourceGroupName "ResourceGroup01"
+
+# Create new SSL Profile
+$profile  = Get-AzApplicationGatewaySslProfile -Name "SslProfile01" -ApplicationGateway $AppGw
+
+# Verify Client Cert Issuer DN and enable Client Revocation Check
+Set-AzApplicationGatewayClientAuthConfiguration -SslProfile $profile -VerifyClientCertIssuerDN -VerifyClientRevocation OCSP
+
+# Update Application Gateway
+Set-AzApplicationGateway -ApplicationGateway $AppGw
+
+```
+
+A list of all Azure PowerShell references for Client Authentication Configuration on Application Gateway can be found here:
+- [Set-AzApplicationGatewayClientAuthConfiguration](/powershell/module/az.network/set-azapplicationgatewayclientauthconfiguration)
+- [New-AzApplicationGatewayClientAuthConfiguration](/powershell/module/az.network/new-azapplicationgatewayclientauthconfiguration)
+
+# [Azure CLI](#tab/cli)
+```azurecli
+# Update existing gateway's SSL Profile
+az network application-gateway update -n ApplicationGateway01 -g ResourceGroup01 --ssl-profiles [0].client-auth-configuration.verify-client-revocation=OCSP
+
+```
+
+A list of all Azure CLI references for client authentication configuration on Application Gateway can be found here:
+- [Azure CLI - Application Gateway](/cli/azure/network/application-gateway)
+
+# [Azure portal](#tab/portal)
+Azure portal support is currently not available.
+
+To verify OCSP revocation status has been evaluated, [access logs](./application-gateway-diagnostics.md#access-log) will contain a property called "sslClientVerify", with the status of the OCSP response.
+
+It is critical that the OCSP responder is highly available and network connectivity between Application Gateway and the responder is possible. In the event Application Gateway is unable to resolve the fully qualified domain name (FQDN) of the defined responder or network connectivity is blocked to/from the responder, certificate revocation status will fail and Application Gateway will return a 400 HTTP response to the requesting client.
+
+Note: OCSP checks are validated via local cache based on the nextUpdate time defined by a previous OCSP response. If the OCSP cache has not been populated from a previous request, the first response may fail. Upon retry of the client, the response should be found in the cache and the request will be processed as expected. 
+
+Limitations
+- Revocation check via CRL is not supported
+- Client revocation check was introduced in API version 2022-05-01
+- Azure portal support is not available
 
 ## Next steps
 

articles/azure-arc/kubernetes/move-regions.md

@@ -1,85 +1,72 @@
 ---
 title: "Move Arc-enabled Kubernetes clusters between regions"
-ms.date: 03/03/2021
+ms.date: 12/20/2022
 ms.topic: how-to
 ms.custom: subject-moving-resources
-author: anraghun
-ms.author: anraghun
-description: "Manually move your Azure Arc-enabled Kubernetes (or connected cluster resources) between regions."
-#Customer intent: As a Kubernetes cluster administrator, I want to move my Arc-enabled Kubernetes cluster to another Azure region.
+description: "Manually move your Azure Arc-enabled Kubernetes and connected cluster resources between regions."
 ---
 
 # Move Arc-enabled Kubernetes clusters across Azure regions
 
-This article describes how to move Arc-enabled Kubernetes clusters (or connected cluster resources) to a different Azure region. You might move your resources to another region for a number of reasons. For example, to take advantage of a new Azure region, to deploy features or services available in specific regions only, to meet internal policy and governance requirements, or in response to capacity planning requirements.
+In some circumstances, you may want to move your [Arc-enabled Kubernetes clusters](overview.md) to another region. For example, you might want to deploy features or services that are only available in specific regions, or you need to change regions due to internal policy and governance requirements or capacity planning considerations.
+
+This article describes how to move Arc-enabled Kubernetes clusters and any connected cluster resources to a different Azure region.
 
 ## Prerequisites
 
-- Ensure that Azure Arc-enabled Kubernetes resource (Microsoft.Kubernetes/connectedClusters) is supported in the target region.
-- Ensure that Azure Arc-enabled Kubernetes configuration (Microsoft.KubernetesConfiguration/SourceControlConfigurations, Microsoft.KubernetesConfiguration/Extensions, Microsoft.KubernetesConfiguration/FluxConfigurations) resources are supported in the target region. 
-- Ensure that the Arc-enabled services you've deployed on top are supported in the target region.
-- Ensure you have network access to the api server of your underlying Kubernetes cluster.
+- Ensure that Azure Arc-enabled Kubernetes resources (`Microsoft.Kubernetes/connectedClusters`) are [supported in the target region](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=azure-arc).
+- Ensure that any Azure Arc-enabled Kubernetes configuration resources (`Microsoft.KubernetesConfiguration/SourceControlConfigurations`, `Microsoft.KubernetesConfiguration/Extensions`, `Microsoft.KubernetesConfiguration/FluxConfigurations`) are supported in the target region.
+- Ensure that the Arc-enabled services you've deployed on top of the cluster are supported in the target region.
+- Ensure you have network access to the API server of your underlying Kubernetes cluster.
 
 ## Prepare
 
-Before you begin, it's important to understand what moving these resources mean.
-
-### Kubernetes configurations
-
-Source control configurations, Flux configurations and extensions are child resources to the connected cluster resource. In order to move these resources, you'll first need to move the parent connected cluster resource.
+Before you begin, it's important to understand what moving these resources involves.
 
-### Connected cluster 
+The `connectedClusters` resource is the Azure Resource Manager representation of a Kubernetes cluster outside of Azure (such as on-premises, another cloud, or edge). The underlying infrastructure lies in your environment, and Azure Arc provides a representation of the cluster on Azure by installing agents on the cluster.
 
-The connectedClusters resource is the ARM representation of your Kubernetes clusters outside of Azure (on-premises, another cloud, edge...). The underlying infrastructure lies in your environment and Arc provides a first-class representation of the cluster on Azure, by installing agents on your cluster.
+Moving a connected cluster to a new region means deleting the ARM resource in the source region, cleaning up the agents on your cluster, and then connecting your cluster again in the target region.
 
-When it comes to "moving" your Arc connected cluster, it means deleting the ARM resource in the source region, cleaning up the agents on your cluster and re-onboarding your cluster again in the target region.
+Source control configurations, [Flux configurations](conceptual-gitops-flux2.md) and [extensions](conceptual-extensions.md) within the cluster are child resources of the connected cluster resource. To move these resources, you'll need to save details about the resources, then move the parent `connectedClusters` resource. After that, you can recreate the child resources in the target cluster resource.
 
 ## Move
 
-### Kubernetes configurations
+1. Do a LIST to get all configuration resources in the source cluster (the cluster to be moved) and save the response body:
 
-1. Do a LIST of all configuration resources in the source cluster (the cluster to be moved) and save the response body to be used as the request body when re-creating these resources.
-    - [Microsoft.KubernetesConfiguration/SourceControlConfigurations](/cli/azure/k8s-configuration?view=azure-cli-latest&preserve-view=true#az-k8sconfiguration-list)
-    - [Microsoft.KubernetesConfiguration/Extensions](/cli/azure/k8s-extension?view=azure-cli-latest&preserve-view=true#az-k8s-extension-list)
-    - [Microsoft.KubernetesConfiguration/FluxConfigurations](/cli/azure/k8s-configuration/flux?view=azure-cli-latest&preserve-view=true#az-k8s-configuration-flux-list)
-    > [!NOTE]
-    > LIST/GET of configuration resources **do not** return `ConfigurationProtectedSettings`.
-    > For such cases, the only option is to save the original request body and reuse them while creating the resources in the new region.
-2. [Delete](./move-regions.md#kubernetes-configurations-3) the above configuration resources.
-2. Ensure the Arc connected cluster is up and running in the new region. This is the target cluster.
-3. Re-create each of the configuration resources obtained in the LIST command from the source cluster on the target cluster.
+   - [Microsoft.KubernetesConfiguration/SourceControlConfigurations](/cli/azure/k8s-configuration?view=azure-cli-latest&preserve-view=true#az-k8sconfiguration-list)
+   - [Microsoft.KubernetesConfiguration/Extensions](/cli/azure/k8s-extension?view=azure-cli-latest&preserve-view=true#az-k8s-extension-list)
+   - [Microsoft.KubernetesConfiguration/FluxConfigurations](/cli/azure/k8s-configuration/flux?view=azure-cli-latest&preserve-view=true#az-k8s-configuration-flux-list)
 
-### Connected cluster
+   > [!NOTE]
+   > LIST/GET of configuration resources **do not** return `ConfigurationProtectedSettings`. For such cases, the only option is to save the original request body and reuse them while creating the resources in the new region.
 
-1. [Delete](./move-regions.md#connected-cluster-3) the previous Arc deployment from the underlying Kubernetes cluster.
-2. With network access to the underlying Kubernetes cluster, run [this command](./quickstart-connect-cluster.md?tabs=azure-cli#connect-an-existing-kubernetes-cluster) to create the Arc connected cluster in the new region.
-> [!NOTE]
-> The above command creates the cluster by default in the same location as its resource group.
-> Use the `--location` parameter to explicitly provide the target region value.
+1. [Delete](./move-regions.md#clean-up-source-resources) the previous Arc deployment from the underlying Kubernetes cluster.
+1. With network access to the underlying Kubernetes cluster, run [this command](./quickstart-connect-cluster.md?tabs=azure-cli#connect-an-existing-kubernetes-cluster) to connect that cluster in the new region.
 
-## Verify
+   > [!NOTE]
+   > The above command creates the cluster by default in the same location as its resource group. Use the `--location` parameter to explicitly provide the target region value.
+
+1. [Verify](#verify) that the Arc connected cluster is successfully running in the new region. This is the target cluster.
+1. Using the response body you saved, recreate each of the configuration resources obtained in the LIST command from the source cluster on the target cluster.
 
-### Kubernetes configurations
+If you don't need to move the cluster, but want to move configuration resources to an Arc-enabled Kubernetes cluster in a different region, do the following:
 
-Do a LIST of all configuration resources in the target cluster. This should match the LIST response from the source cluster.
+1. Do a LIST to get all configuration resources in the source cluster as noted above, and save the response body.
+1. Delete the resources from the source cluster.
+1. In the target cluster, recreate each of the configuration resources obtained in the LIST command from the source cluster.
 
-### Connected cluster
+## Verify
 
 1. Run `az connectedk8s show -n <connected-cluster-name> -g <resource-group>` and ensure the `connectivityStatus` value is `Connected`.
-2. Run [this command](./quickstart-connect-cluster.md?tabs=azure-cli#view-azure-arc-agents-for-kubernetes) to verify all Arc agents are successfully deployed on the underlying cluster.
+1. Run [this command](./quickstart-connect-cluster.md?tabs=azure-cli#view-azure-arc-agents-for-kubernetes) to verify all Arc agents are successfully deployed on the underlying cluster.
+1. Do a LIST of all configuration resources in the target cluster. This should match the original LIST response from the source cluster.
 
 ## Clean up source resources
 
-### Kubernetes configurations
+With network access to the underlying Kubernetes cluster, run [this command](./quickstart-connect-cluster.md?tabs=azure-cli#clean-up-resources) to delete the Arc connected cluster. This command deletes the Azure Arc-enabled Kubernetes cluster resource, any associated configuration resources, and any agents running on the cluster.
+
+If you need to delete individual configuration resources in the source cluster without deleting the cluster resource, you can delete these resources individually:
 
-Delete each of the configuration resources returned in the LIST command in the source cluster:
 - [Microsoft.KubernetesConfiguration/SourceControlConfigurations](/cli/azure/k8s-configuration?view=azure-cli-latest&preserve-view=true#az-k8s-configuration-delete)
 - [Microsoft.KubernetesConfiguration/Extensions](/cli/azure/k8s-extension?view=azure-cli-latest&preserve-view=true#az-k8s-extension-delete)
 - [Microsoft.KubernetesConfiguration/FluxConfigurations](/cli/azure/k8s-configuration/flux?view=azure-cli-latest&preserve-view=true#az-k8s-configuration-flux-delete)
-
-> [!NOTE]
-> This step may be skipped if the parent Arc connected cluster is also being deleted. Doing so would automatically remove the configuration resources on top.
-
-### Connected cluster
-
-With network access to the underlying Kubernetes cluster, run [this command](./quickstart-connect-cluster.md?tabs=azure-cli#clean-up-resources) to delete the Arc connected cluster. This command will clean up the Arc footprint on the underlying cluster as well as on ARM.