Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into vnet-old-review

Author: asudbring

.openpublishing.redirection.azure-monitor.json

@@ -45,6 +45,11 @@
             "redirect_url": "/azure/azure-monitor/app/app-insights-overview",
             "redirect_document_id": false
         },
+        {
+            "source_path_from_root": "/articles/azure-monitor/app/console.md",
+            "redirect_url": "/previous-versions/azure/azure-monitor/app/console",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/azure-monitor/app/resource-manager-web-app.md",
             "redirect_url": "/previous-versions/azure/azure-monitor/app/resource-manager-web-app",

articles/active-directory/authentication/media/how-to-authentication-methods-manage/authentication-methods-policy.png

@@ -21,6 +21,8 @@
         href: ../conditional-access/workload-identity.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
       - name: Conditional access evaluation for workload identities
         href: ../conditional-access/concept-continuous-access-evaluation-workload.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
+      - name: App health recommendations
+        href: ../reports-monitoring/howto-use-recommendations.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
 - name: How-to guides
   items:
   - name: Connect workloads without managing secrets
@@ -37,6 +39,14 @@
     href: ../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
   - name: Manage custom security attributes for an app
     href: ../manage-apps/custom-security-attributes-apps.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
+  - name: Check app health status and mitigate risk
+    items:
+      - name: Remove unused applications
+        href: ../reports-monitoring/recommendation-remove-unused-apps.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
+      - name: Remove unused credentials from apps
+        href: ../reports-monitoring/recommendation-remove-unused-credential-from-apps.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
+      - name: Renew expiring application credentials
+        href: ../reports-monitoring/recommendation-renew-expiring-application-credential.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
   - name: Reference
     items:
     - name: Federated identity credentials considerations and limitations

articles/active-directory/authentication/media/how-to-authentication-methods-manage/start-mfa-migration.png

@@ -22,4 +22,7 @@
     topicHref: /azure/active-directory/index
   - name: Active Directory
     tocHref: /azure/active-directory/manage-apps/
+    topicHref: /azure/active-directory/index
+  - name: Active Directory
+    tocHref: /azure/active-directory/reports-monitoring/
     topicHref: /azure/active-directory/index

articles/active-directory/workload-identities/TOC.yml

@@ -8,7 +8,7 @@ metadata:
   description: "Learn how to manage and help secure identities for digital workloads, such as apps and services."
   manager: celested
   ms.author: ryanwi
-  ms.date: 03/02/2023
+  ms.date: 03/22/2023
   ms.service: active-directory
   ms.subservice: workload-identities
   ms.topic: landing-page
@@ -27,13 +27,17 @@ landingContent:
           - text: Frequently asked questions about license plans
             url: workload-identities-faqs.md
   # Card
-  - title: Secure risky workload identities
+  - title: Check app health status and mitigate risk
     linkLists:
-      - linkListType: overview
+      - linkListType: how-to-guide
         links:
-          - text: Secure workload identities
-            url: ../identity-protection/concept-workload-identity-risk.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
-  # Card
+        - text: Remove unused applications
+          url: ../reports-monitoring/recommendation-remove-unused-apps.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
+        - text: Remove unused credentials from apps
+          url: ../reports-monitoring/recommendation-remove-unused-credential-from-apps.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
+        - text: Renew expiring application credentials
+          url: ../reports-monitoring/recommendation-renew-expiring-application-credential.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
+# Card
   - title: Connect workloads without managing secrets
     linkLists:
       - linkListType: overview
@@ -51,6 +55,13 @@ landingContent:
           - text: Configure a managed identity to trust an external identity provider
             url: workload-identity-federation-create-trust-user-assigned-managed-identity.md
   # Card
+  - title: Secure risky workload identities
+    linkLists:
+      - linkListType: overview
+        links:
+          - text: Secure workload identities
+            url: ../identity-protection/concept-workload-identity-risk.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json
+    # Card
   - title: Apply Conditional Access policies to service principals
     linkLists:
       - linkListType: how-to-guide

articles/active-directory/workload-identities/breadcrumb/toc.yml

@@ -66,6 +66,14 @@ DBUSER=<db-user-name>
 DBPASS=<db-password>
 ```
 
+Create a SECRET_KEY value for your app by running the following command at a terminal prompt: `python -c 'import secrets; print(secrets.token_hex())'`.
+
+Set the returned value as the value of `SECRET_KEY` in the .env file.
+
+```
+SECRET_KEY=<secret-key>
+```
+
 Create a virtual environment for the app:
 
 [!INCLUDE [Virtual environment setup](<./includes/quickstart-python/virtual-environment-setup.md>)]
@@ -128,7 +136,7 @@ Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps
         1. *Region* &rarr; Any Azure region near you.
         1. *Name* &rarr; **msdocs-python-postgres-XYZ** where *XYZ* is any three random characters. This name must be unique across Azure.
         1. *Runtime stack* &rarr; **Python 3.10**.
-        1. *Database* &rarr;  **PostgreSQL - Flexible Server** is selected by default as the database engine. The server name and database name is also set by default to appropriate values.
+        1. *Database* &rarr;  **PostgreSQL - Flexible Server** is selected by default as the database engine. The server name and database name are also set by default to appropriate values.
         1. *Hosting plan* &rarr; **Basic**. When you're ready, you can [scale up](manage-scale-up.md) to a production pricing tier later.
         1. Select **Review + create**.
         1. After validation completes, select **Create**.
@@ -154,7 +162,7 @@ Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps
 
 ## 2. Verify connection settings
 
-The creation wizard generated the connectivity variables for you already as [app settings](configure-common.md#configure-app-settings).
+The creation wizard generated the connectivity variables for you already as [app settings](configure-common.md#configure-app-settings). App settings are one way to keep connection secrets out of your code repository. When you're ready to move your secrets to a more secure location, here's an [article on storing in Azure Key Vault](../key-vault/certificates/quick-create-python.md).
 
 :::row:::
     :::column span="2":::
@@ -167,14 +175,35 @@ The creation wizard generated the connectivity variables for you already as [app
 :::row:::
     :::column span="2":::
         **Step 2.** In the **Application settings** tab of the **Configuration** page, verify that `AZURE_POSTGRESQL_CONNECTIONSTRING` is present. That will be injected into the runtime environment as an environment variable.
-        App settings are one way to keep connection secrets out of your code repository. 
-        When you're ready to move your secrets to a more secure location,
-        here's an [article on storing in Azure Key Vault](../key-vault/certificates/quick-create-python.md).
     :::column-end:::
     :::column:::
         :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-get-connection-string-2.png" alt-text="A screenshot showing how to see the autogenerated connection string." lightbox="./media/tutorial-python-postgresql-app/azure-portal-get-connection-string-2.png":::
     :::column-end:::
 :::row-end:::
+:::row:::
+    :::column span="2":::
+        **Step 3.** In a terminal or command prompt, run the following Python script to generate a unique secret: `python -c 'import secrets; print(secrets.token_hex())'`. Copy the output value to use in the next step.
+    :::column-end:::
+    :::column:::
+    :::column-end:::
+:::row-end:::
+:::row:::
+    :::column span="2":::
+        **Step 4.** In the **Application settings** tab of the **Configuration** page, select **New application setting**. Name the setting `SECRET_KEY`. Paste the value from the previous value. Select **OK**.
+    :::column-end:::
+    :::column:::
+        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-app-service-app-setting.png" alt-text="A screenshot showing how to set the SECRET_KEY app setting in the Azure portal." lightbox="./media/tutorial-python-postgresql-app/azure-portal-app-service-app-setting.png":::
+    :::column-end:::
+:::row-end:::
+:::row:::
+    :::column span="2":::
+        **Step 5.** Select **Save**.
+    :::column-end:::
+    :::column:::
+        :::image type="content" source="./media/tutorial-python-postgresql-app/azure-portal-app-service-app-setting-save.png" alt-text="A screenshot showing how to save the SECRET_KEY app setting in the Azure portal." lightbox="./media/tutorial-python-postgresql-app/azure-portal-app-service-app-setting-save.png":::
+    :::column-end:::
+:::row-end:::
+
 
 Having issues? Check the [Troubleshooting guide](configure-language-python.md#troubleshooting).
 
@@ -552,7 +581,7 @@ The `azd up` command cloned the sample app project template to your machine. The
 
 * **Source code**: The code and assets for a Flask or Django web app that can be used for local development or deployed to Azure.
 * **Bicep files**: Infrastructure as code (IaC) files that are used by `azd` to create the necessary resources in Azure.
-* **Configuration files**: Essential configuration files such as `azure.yaml` that are used by `azd` to provision, deploy and wire resources together to produce a fully-fledged application.
+* **Configuration files**: Essential configuration files such as `azure.yaml` that are used by `azd` to provision, deploy and wire resources together to produce a fully fledged application.
 
 ### 2. Provisioned the Azure resources
 
@@ -563,7 +592,7 @@ The `azd up` command created all of the resources for the sample application in
 * **Azure App Service plan**: An App Service plan was created to host App Service instances. App Service plans define what compute resources are available for one or more web apps.
 * **Azure App Service**: An App Service instance was created in the new App Service plan to host and run the deployed application. In this case a Linux instance was created and configured to run Python apps. Additional configurations were also applied to the app service, such as setting the Postgres connection string and secret keys. 
 * **Azure Database for PostgresSQL**: A Postgres database and server were created for the app hosted on App Service to connect to. The required admin user, network and connection settings were also configured.
-* **Azure Application Insights**: Application insights was setup and configured for the app hosted on the App Service. This service enables detailed telemetry and monitoring for your application.
+* **Azure Application Insights**: Application insights was set up and configured for the app hosted on the App Service. This service enables detailed telemetry and monitoring for your application.
 
 You can inspect the Bicep files in the [`infra`](https://github.com/Azure-Samples/msdocs-flask-postgresql-sample-app/tree/main/infra) folder of the project to understand how each of these resources were provisioned in more detail. The `resources.bicep` file defines most of the different services created in Azure. For example, the App Service plan and App Service web app instance were created and connected using the following Bicep code: