Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into WI56094-countinuous-export

Author: ElazarK

articles/active-directory/external-identities/media/self-service-sign-up-add-api-connector/api-connector-config.png

@@ -5,7 +5,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: article
-ms.date: 07/13/2021
+ms.date: 01/16/2023
 
 ms.author: mimart
 author: msmimart
@@ -30,13 +30,13 @@ To use an [API connector](api-connectors-overview.md), you first create the API
 3. In the left menu, select **External Identities**.
 4. Select **All API connectors**, and then select **New API connector**.
 
-    :::image type="content" source="media/self-service-sign-up-add-api-connector/api-connector-new.png" alt-text="Providing the basic configuration like target URL and display name for an API connector during the creation experience.":::
+    :::image type="content" source="media/self-service-sign-up-add-api-connector/api-connector-new.png" alt-text="Screenshot of adding a new API connector to External Identities.":::
 
 5. Provide a display name for the call. For example, **Check approval status**.
 6. Provide the **Endpoint URL** for the API call.
 7. Choose the **Authentication type** and configure the authentication information for calling your API. Learn how to [Secure your API Connector](self-service-sign-up-secure-api-connector.md).
 
-    :::image type="content" source="media/self-service-sign-up-add-api-connector/api-connector-config.png" alt-text="Providing authentication configuration for an API connector during the creation experience.":::
+    :::image type="content" source="media/self-service-sign-up-add-api-connector/api-connector-config.png" alt-text="Screenshot of configuring an API connector.":::
 
 8. Select **Save**.
 
@@ -129,7 +129,7 @@ Content-type: application/json
 }
 ```
 
-The exact claims sent to the API depends on which information is provided by the identity provider. 'email' is always sent.
+The exact claims sent to the API depend on which information is provided by the identity provider. 'email' is always sent.
 
 ### Expected response types from the web API at this step
 
@@ -187,7 +187,7 @@ Content-type: application/json
  "ui_locales":"en-US"
 }
 ```
-The exact claims sent to the API depends on which information is collected from the user or is provided by the identity provider.
+The exact claims sent to the API depend on which information is collected from the user or is provided by the identity provider.
 
 ### Expected response types from the web API at this step
 
@@ -212,7 +212,7 @@ A blocking response exits the user flow. It can be purposely issued by the API t
 See an example of a [blocking response](#example-of-a-blocking-response).
 
 ### Validation-error response
- When the API responds with a validation-error response, the user flow stays on the attribute collection page and a `userMessage` is displayed to the user. The user can then edit and resubmit the form. This type of response can be used for input validation.
+ When the API responds with a validation-error response, the user flow stays on the attribute collection page, and a `userMessage` is displayed to the user. The user can then edit and resubmit the form. This type of response can be used for input validation.
 
 See an example of a [validation-error response](#example-of-a-validation-error-response).
 
@@ -237,7 +237,7 @@ Content-type: application/json
 | version                                            | String            | Yes      | The version of your API.                                                                                                                                                                                                                                                                |
 | action                                             | String            | Yes      | Value must be `Continue`.                                                                                                                                                                                                                                                              |
 | \<builtInUserAttribute>                            | \<attribute-type> | No       | Values can be stored in the directory if they selected as a **Claim to receive** in the API connector configuration and **User attributes** for a user flow. Values can be returned in the token if selected as an **Application claim**.                                              |
-| \<extension\_{extensions-app-id}\_CustomAttribute> | \<attribute-type> | No       | The claim does not need to contain `_<extensions-app-id>_`, it is *optional*. Returned values can overwrite values collected from a user.  |
+| \<extension\_{extensions-app-id}\_CustomAttribute> | \<attribute-type> | No       | The claim doesn't need to contain `_<extensions-app-id>_`, it's *optional*. Returned values can overwrite values collected from a user.  |
 
 ### Example of a blocking response
 
@@ -248,7 +248,7 @@ Content-type: application/json
 {
     "version": "1.0.0",
     "action": "ShowBlockPage",
-    "userMessage": "There was a problem with your request. You are not able to sign up at this time.",
+    "userMessage": "There was an error with your request. Please try again or contact support.",
 }
 
 ```
@@ -305,7 +305,7 @@ Ensure that:
 * Your API implements an authentication method outlined in [secure your API Connector](self-service-sign-up-secure-api-connector.md).
 * Your API responds as quickly as possible to ensure a fluid user experience.
     * Azure AD will wait for a maximum of *20 seconds* to receive a response. If none is received, it will make *one more attempt (retry)* at calling your API.
-    * If using a serverless function or scalable web service, use a hosting plan that keeps the API "awake" or "warm" in production. For Azure Functions, it's recommended to use at minimum the [Premium plan](../../azure-functions/functions-scale.md)
+    * If using a serverless function or scalable web service, use a hosting plan that keeps the API "awake" or "warm" in production. For Azure Functions, it's recommended to use at minimum the [Premium plan](../../azure-functions/functions-scale.md#overview-of-plans)
 * Ensure high availability of your API.
 * Monitor and optimize performance of downstream APIs, databases, or other dependencies of your API.
 * Your endpoints must comply with the Azure AD TLS and cipher security requirements. For more information, see [TLS and cipher suite requirements](../../active-directory-b2c/https-cipher-tls-requirements.md). 

articles/active-directory/external-identities/media/self-service-sign-up-add-api-connector/api-connector-new.png

@@ -4,7 +4,7 @@ description: Learn how Azure App Service helps you host your RESTful APIs with C
 ms.assetid: a820e400-06af-4852-8627-12b3db4a8e70
 ms.devlang: csharp
 ms.topic: tutorial
-ms.date: 04/28/2020
+ms.date: 01/31/2023
 ms.custom: "devx-track-csharp, mvc, devcenter, seo-javascript-september2019, seo-javascript-october2019, seodec18, devx-track-azurecli"
 ---
 
@@ -158,7 +158,7 @@ Next, you enable the built-in CORS support in App Service for your API.
 
     ![CORS error in browser client](./media/app-service-web-tutorial-rest-api/azure-app-service-cors-error.png)
 
-    Because of the domain mismatch between the browser app (`http://localhost:5000`) and remote resource (`http://<app_name>.azurewebsites.net`), and the fact that your API in App Service is not sending the `Access-Control-Allow-Origin` header, your browser has prevented cross-domain content from loading in your browser app.
+    The domain mismatch between the browser app (`http://localhost:5000`) and remote resource (`http://<app_name>.azurewebsites.net`) is recognized by your browser as a cross-origin resource request. Also, the fact that your REST API the App Service app is not sending the `Access-Control-Allow-Origin` header, the browser has prevented cross-domain content from loading.
 
     In production, your browser app would have a public URL instead of the localhost URL, but the way to enable CORS to a localhost URL is the same as a public URL.
 
@@ -170,13 +170,7 @@ In the Cloud Shell, enable CORS to your client's URL by using the [`az webapp co
 az webapp cors add --resource-group myResourceGroup --name <app-name> --allowed-origins 'http://localhost:5000'
 ```
 
-You can set more than one client URL in `properties.cors.allowedOrigins` (`"['URL1','URL2',...]"`). You can also enable all client URLs with `"['*']"`.
-
-> [!NOTE]
-> If your app requires credentials such as cookies or authentication tokens to be sent, the browser may require the `ACCESS-CONTROL-ALLOW-CREDENTIALS` header on the response. To enable this in App Service, set `properties.cors.supportCredentials` to `true` in your CORS config. This cannot be enabled when `allowedOrigins` includes `'*'`.
-
-> [!NOTE]
-> Specifying `AllowAnyOrigin` and `AllowCredentials` is an insecure configuration and can result in cross-site request forgery. The CORS service returns an invalid CORS response when an app is configured with both methods.
+You can add multiple allowed origins by running the command multiple times or by adding a comma-separate list in `--allowed-origins`. To allow all origins, use `--allowed-origins '*'`.
 
 ### Test CORS again
 
@@ -186,7 +180,13 @@ Refresh the browser app at `http://localhost:5000`. The error message in the **C
 
 Congratulations, you're running an API in Azure App Service with CORS support.
 
-## App Service CORS vs. your CORS
+## Frequently asked questions
+
+- [App Service CORS vs. your CORS](#app-service-cors-vs-your-cors)
+- [How do I set allowed origins to a wildcard subdomain?](#how-do-i-set-allowed-origins-to-a-wildcard-subdomain)
+- [How do I enable the ACCESS-CONTROL-ALLOW-CREDENTIALS header on the response?](#how-do-i-enable-the-access-control-allow-credentials-header-on-the-response)
+
+#### App Service CORS vs. your CORS
 
 You can use your own CORS utilities instead of App Service CORS for more flexibility. For example, you may want to specify different allowed origins for different routes or methods. Since App Service CORS lets you specify one set of accepted origins for all API routes and methods, you would want to use your own CORS code. See how ASP.NET Core does it at [Enabling Cross-Origin Requests (CORS)](/aspnet/core/security/cors).
 
@@ -197,6 +197,26 @@ The built-in App Service CORS feature does not have options to allow only specif
 >
 >
 
+#### How do I set allowed origins to a wildcard subdomain?
+
+A wildcard subdomain like `*.contoso.com` is more restrictive than the wildcard origin `*`. However, the app's CORS management page in the Azure portal doesn't let you set a wildcard subdomain as an allowed origin. However, you can do it using the Azure CLI, like so:
+
+```azurecli-interactive
+az webapp cors add --resource-group <group-name> --name <app-name> --allowed-origins 'https://*.contoso.com'
+```
+
+#### How do I enable the ACCESS-CONTROL-ALLOW-CREDENTIALS header on the response?
+
+If your app requires credentials such as cookies or authentication tokens to be sent, the browser may require the `ACCESS-CONTROL-ALLOW-CREDENTIALS` header on the response. To enable this in App Service, set `properties.cors.supportCredentials` to `true`.
+
+```azurecli-interactive
+az resource update --name web --resource-group <group-name> \
+  --namespace Microsoft.Web --resource-type config \
+  --parent sites/<app-name> --set properties.cors.supportCredentials=true
+```
+
+This operation is not allowed when allowed origins include the wildcard origin `'*'`. Specifying `AllowAnyOrigin` and `AllowCredentials` is an insecure configuration and can result in cross-site request forgery. To allow credentials, try replacing the wildcard origin with [wildcard subdomains](#how-do-i-set-allowed-origins-to-a-wildcard-subdomain). 
+
 [!INCLUDE [cli-samples-clean-up](../../includes/cli-samples-clean-up.md)]
 
 <a name="next"></a>

articles/active-directory/external-identities/self-service-sign-up-add-api-connector.md

@@ -520,7 +520,7 @@ Structured logging (attaching custom dimensions to your logs) can be accomplishe
     <dependency>
       <groupId>com.microsoft.azure</groupId>
       <artifactId>applicationinsights-core</artifactId>
-      <version>3.4.7</version>
+      <version>3.4.8</version>
     </dependency>
     ```
 

articles/app-service/app-service-web-tutorial-rest-api.md

@@ -45,7 +45,7 @@ To enable Application Insights Java programmatically, you must add the following
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>applicationinsights-runtime-attach</artifactId>
-    <version>3.4.3</version>
+    <version>3.4.8</version>
 </dependency>
 ```
 

articles/azure-monitor/app/java-in-process-agent.md

@@ -30,6 +30,8 @@ You can access archived data by [running a search job](search-jobs.md) or [resto
 > [!NOTE]
 > The archive period can only be set at the table level, not at the workspace level.
 
+When you shorten an existing retention policy, it takes 30 days for Azure Monitor to remove data, to prevent data loss in error configuration, and let you revert it. You can [purge data](#purge-retained-data) immediately when required. 
+
 ## Configure the default workspace retention policy
 
 You can set the workspace default retention policy in the Azure portal to 30, 31, 60, 90, 120, 180, 270, 365, 550, and 730 days. You can set a different policy for specific tables by [configuring the retention and archive policy at the table level](#set-retention-and-archive-policy-by-table). If you're on the *free* tier, you'll need to upgrade to the paid tier to change the data retention period.
@@ -215,8 +217,6 @@ Get-AzOperationalInsightsTable -ResourceGroupName ContosoRG -WorkspaceName Conto
 
 ## Purge retained data
 
-When you shorten an existing retention policy, it takes several days for Azure Monitor to remove data that you no longer want to keep.
-
 If you set the data retention policy to 30 days, you can purge older data immediately by using the `immediatePurgeDataOn30Days` parameter in Azure Resource Manager. The purge functionality is useful when you need to remove personal data immediately. The immediate purge functionality isn't available through the Azure portal.
 
 Workspaces with a 30-day retention policy might keep data for 31 days if you don't set the `immediatePurgeDataOn30Days` parameter.

articles/azure-monitor/app/java-spring-boot.md

@@ -43,7 +43,7 @@ Log Analytics workspace data export continuously exports data that's sent to you
 - Currently, data export isn't supported in China.
 
 ## Data completeness
-Data export is optimized for moving large data volumes to your destinations. In certain retry conditions, it can include a fraction of duplicated records. The export operation might fail when ingress limits are reached. For more information, see [Create or update a data export rule](#create-or-update-a-data-export-rule). In such a case, a retry continues for up to 30 minutes. If the destination is still unavailable, data will be discarded until the destination becomes available.
+Data export is optimized for moving large data volumes to your destinations. The export operation might fail when destinations ingress limits are reached, and a retry continues for up to 12 hours. For more information, see [Create or update a data export rule](#create-or-update-a-data-export-rule) for limits and recommended alerts. If the destination is still unavailable, data is discarded. In certain retry conditions, retry can cause a fraction of duplicated records.
 
 ## Pricing model
 Data export charges are based on the volume of data exported measured in bytes. The size of data exported by Log Analytics Data Export is the number of bytes in the exported JSON-formatted data. Data volume is measured in GB (10^9 bytes).

articles/azure-monitor/logs/data-retention-archive.md

@@ -4,7 +4,7 @@ description: Learn how to configure continuous export of security alerts and rec
 author: bmansheim
 ms.author: benmansheim
 ms.topic: how-to
-ms.date: 11/30/2022
+ms.date: 01/19/2023
 ---
 # Continuously export Microsoft Defender for Cloud data
 
@@ -182,6 +182,46 @@ To export data to an Azure Event hub or Log Analytics workspace in a different t
 
 You can also configure export to another tenant through the REST API. For more information, see the automations [REST API](/rest/api/defenderforcloud/automations/create-or-update?tabs=HTTP).
 
+## Continuously export to an Event Hub behind a firewall
+
+You can enable continuous export as a trusted service, so that you can send data to an Event Hub that has an Azure Firewall enabled. 
+
+**To grant access to continuous export as a trusted service**: 
+
+1. Sign in to the [Azure portal](https://portal.azure.com). 
+
+1. Navigate to **Microsoft Defender for Cloud** > **Environmental settings**.
+
+1. Select the relevant resource.
+
+1. Select **Continuous export**.
+
+1. Select **Export as a trusted service**.
+
+    :::image type="content" source="media/continuous-export/export-as-trusted.png" alt-text="Screenshot that shows where the checkbox is located to select export as trusted service.":::
+
+You'll now need to add the relevant role assignment on the destination Event Hub.
+
+**To add the relevant role assignment on the destination Event Hub**:
+
+1. Navigate to the selected Event Hub. 
+    
+1. Select **Access Control** > **Add role assignment** 
+    
+    :::image type="content" source="media/continuous-export/add-role-assignment.png" alt-text="Screenshot that shows where the add role assignment button is found." lightbox="media/continuous-export/add-role-assignment.png":::
+    
+1. Select **Azure Event Hubs Data Sender**.
+    
+1. Select the **Members** tab.
+    
+1. Select **+ Select members**. 
+    
+1. Search for and select **Windows Azure Security Resource Provider**.
+
+    :::image type="content" source="media/continuous-export/windows-security-resource.png" alt-text="Screenshot that shows you where to enter and search for Windows Azure Security Resource Provider." lightbox="media/continuous-export/windows-security-resource.png":::
+
+1. Select **Review + assign**.
+
 ##  View exported alerts and recommendations in Azure Monitor
 
 You might also choose to view exported Security Alerts and/or recommendations in [Azure Monitor](../azure-monitor/alerts/alerts-overview.md).