Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into yelevin/analytics-health-and-audit

Author: yelevin

articles/active-directory-b2c/technical-overview.md

@@ -38,7 +38,7 @@ The primary resources you work with in an Azure AD B2C tenant are:
 An Azure AD B2C tenant is the first resource you need to create to get started with Azure AD B2C. Learn how to:
 
 * [Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md).
-* [Manage your Azure AD B2C tenant](tenant-management.md)
+* [Manage your Azure AD B2C tenant](tenant-management-manage-administrator.md)
 
 ## Accounts in Azure AD B2C
 

articles/active-directory-b2c/user-overview.md

@@ -21,7 +21,7 @@ In Azure Active Directory B2C (Azure AD B2C), there are several types of account
 The following types of accounts are available:
 
 - **Work account** - A work account can access resources in a tenant, and with an administrator role, can manage tenants.
-- **Guest account** - A guest account can only be a Microsoft account or an Azure AD user that can be used to share administration responsibilities such as [managing a tenant](tenant-management.md).
+- **Guest account** - A guest account can only be a Microsoft account or an Azure AD user that can be used to share administration responsibilities such as [managing a tenant](tenant-management-manage-administrator.md).
 - **Consumer account** - A consumer account is used by a user of the applications you've registered with Azure AD B2C. Consumer accounts can be created by:
   - The user going through a sign-up user flow in an Azure AD B2C application
   - Using Microsoft Graph API

articles/active-directory/authentication/concept-authentication-default-enablement.md

@@ -37,7 +37,7 @@ Number matching is a good example of protection for an authentication method tha
 As MFA fatigue attacks rise, number matching becomes more critical to sign-in security. As a result, Microsoft will change the default behavior for push notifications in Microsoft Authenticator. 
 
 >[!NOTE]
->Number matching will begin to be enabled for all users of Microsoft Authenticator starting February 27, 2023.
+>Number matching will begin to be enabled for all users of Microsoft Authenticator starting May 08, 2023.
 
 <!---Add link to Mayur Blog post here--->
 

articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md

@@ -72,9 +72,41 @@ Now we'll walk through each step:
 1. Azure AD completes the sign-in process by sending a primary refresh token back to indicate successful sign-in.
 1. If the user sign-in is successful, the user can access the application.
 
+## Certificate-based authentication is MFA capable
+
+Azure AD CBA is an MFA (Multi factor authentication) capable method, that is Azure AD CBA can be either Single (SF) or Multi-factor (MF) depending on the tenant configuration. Enabling CBA for a user indicates the user is potentially capable of MFA. This means a user may need additional configuration to proof up to register other authentication methods when the user is in scope for CBA. 
+
+This can happen when: 
+
+If CBA enabled user only has a Single Factor (SF) certificate
+	To unblock user:
+	1. Use Password + SF certificate.
+   1. Issue Temporary Access Pass (TAP)
+   1. Admin adds Phone Number to user account and allows Voice/SMS method for user.
+
+If CBA enabled user but has not yet been issued a certificate
+   To unblock user:
+   1. Issue Temporary Access Pass (TAP)
+   1. Admin adds Phone Number to user account and allows Voice/SMS method for user.
+
+If CBA enabled user cannot use MF cert (such as on mobile device without smart card support)
+   To unblock user: 
+   1. Issue Temporary Access Pass (TAP)
+   1. User Register another MFA method (when user can use MF cert)
+   1. Use Password + MF cert (when user can use MF cert)
+   1. Admin adds Phone Number to user account and allows Voice/SMS method for user
+
+
+
 ## MFA with Single-factor certificate-based authentication
 
-Azure AD CBA supports second factors to meet MFA requirements with single-factor certificates. Users can use either passwordless sign-in or FIDO2 security keys as second factors when the first factor is single-factor CBA. Users need to have another way to get MFA and register passwordless sign-in or FIDO2 in advance to signing in with Azure AD CBA.
+Azure AD CBA can be used as a second factor to meet MFA requirements with single-factor certificates. The supported combintaions are
+
+CBA (first factor) + passwordless phone sign-in (PSI as second factor)
+CBA (first factor) + FIDO2 security keys
+Password (first factor) + CBA (second factor) 
+
+Users need to have another way to get MFA and register passwordless sign-in or FIDO2 in advance to signing in with Azure AD CBA.
 
 >[!IMPORTANT]
 >A user will be considered MFA capable when a user is in scope for Certificate-based authentication auth method. This means user will not be able to use proof up as part of their authentication to registerd other available methods. More info on [Azure AD MFA](../authentication/concept-mfa-howitworks.md)

articles/active-directory/authentication/how-to-mfa-number-match.md

@@ -105,6 +105,7 @@ In addition:
   >[!IMPORTANT] 
   >MSCHAPv2 doesn't support OTP. If the NPS Server isn't configured to use PAP, user authorization will fail with events in the **AuthZOptCh** log of the NPS Extension server in Event Viewer:<br>
   >NPS Extension for Azure MFA: Challenge requested in Authentication Ext for User npstesting_ap. 
+  >You can configure the NPS Server to support PAP. If PAP is not an option, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to Approve/Deny push notifications.
 
 If your organization uses Remote Desktop Gateway and the user is registered for OTP code along with Microsoft Authenticator push notifications, the user won't be able to meet the Azure AD MFA challenge and Remote Desktop Gateway sign-in will fail. In this case, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to **Approve**/**Deny** push notifications with Microsoft Authenticator.
 

articles/active-directory/develop/scenario-desktop-acquire-token-device-code-flow.md

@@ -68,7 +68,7 @@ static async Task<AuthenticationResult> GetATokenForGraph()
     }
     catch (MsalUiRequiredException ex)
     {
-        // No token found in the cache or AAD insists that a form interactive auth is required (e.g. the tenant admin turned on MFA)
+        // No token found in the cache or Azure AD insists that a form interactive auth is required (e.g. the tenant admin turned on MFA)
         // If you want to provide a more complex user experience, check out ex.Classification
 
         return await AcquireByDeviceCodeAsync(pca);
@@ -253,7 +253,7 @@ if accounts:
     result = app.acquire_token_silent(config["scope"], account=chosen)
 
 if not result:
-    logging.info("No suitable token exists in cache. Let's get a new one from AAD.")
+    logging.info("No suitable token exists in cache. Let's get a new one from Azure AD.")
 
     flow = app.initiate_device_flow(scopes=config["scope"])
     if "user_code" not in flow:

articles/active-directory/governance/understanding-lifecycle-workflows.md

@@ -33,10 +33,10 @@ For delegated scenarios, the admin needs one of the following [Azure AD roles](/
 - Global reader
 - Lifecycle workflows administrator
 
-## Restrictions
+## Limits
 
 
-|Column1  |Limit  |
+|Category  |Limit  |
 |---------|---------|
 |Number of Workflows     |   50 per tenant      |
 |Number of Tasks     |  25 per workflow       |

articles/api-management/how-to-self-hosted-gateway-on-kubernetes-in-production.md

@@ -186,7 +186,7 @@ Request throttling in a self-hosted gateway can be enabled by using the API Mana
 ## Security
 The self-hosted gateway is able to run as non-root in Kubernetes allowing customers to run the gateway securely.
 
-Here's an example of the security context for the self-hosted gateway:
+Here's an example of the security context for the self-hosted gateway container:
 ```yml
 securityContext:
   allowPrivilegeEscalation: false

articles/azure-arc/system-center-virtual-machine-manager/quickstart-connect-system-center-virtual-machine-manager-to-arc.md

@@ -6,7 +6,7 @@ ms.author: jsuri
 ms.topic: quickstart
 ms.services: azure-arc
 ms.subservice: azure-arc-scvmm
-ms.date: 02/01/2023
+ms.date: 02/17/2023
 ms.custom: references_regions
 ---
 
@@ -19,12 +19,13 @@ This QuickStart shows you how to connect your SCVMM management server to Azure A
 ## Prerequisites
 
 >[!Note]
->If VMM server is running on Windows Server 2016 machine, ensure that [Open SSH package](https://github.com/PowerShell/Win32-OpenSSH/releases) is installed. 
+>- If VMM server is running on Windows Server 2016 machine, ensure that [Open SSH package](https://github.com/PowerShell/Win32-OpenSSH/releases) is installed. 
+>- If you deploy an older version of appliance (version lesser than 0.2.25), Arc operation fails with the error *Appliance cluster is not deployed with AAD authentication*. To fix this issue, download the latest version of the onboarding script and deploy the resource bridge again.
 
 | **Requirement** | **Details** |
 | --- | --- |
 | **Azure** | An Azure subscription  <br/><br/> A resource group in the above subscription where you have the *Owner/Contributor* role. |
-| **SCVMM** | You need an SCVMM management server running version 2016 or later.<br/><br/> A private cloud that has at least one cluster with minimum free capacity of 16 GB of RAM, 4 vCPUs with 100 GB of free disk space. <br/><br/> A VM network with internet access, directly or through proxy. Appliance VM will be deployed using this VM network.<br/><br/> For dynamic IP allocation to appliance VM, DHCP server is required. For static IP allocation, VMM static IP pool is required. |
+| **SCVMM** | You need an SCVMM management server running version 2016 or later.<br/><br/> A private cloud with minimum free capacity of 16 GB of RAM, 4 vCPUs with 100 GB of free disk space. <br/><br/> A VM network with internet access, directly or through proxy. Appliance VM will be deployed using this VM network.<br/><br/> For dynamic IP allocation to appliance VM, DHCP server is required. For static IP allocation, VMM static IP pool is required. |
 | **SCVMM accounts** | An SCVMM admin account that can perform all administrative actions on all objects that VMM manages. <br/><br/> The user should be part of local administrator account in the SCVMM server. <br/><br/>This will be used for the ongoing operation of Azure Arc-enabled SCVMM as well as the deployment of the Arc Resource bridge VM. |
 | **Workstation** | The workstation will be used to run the helper script.<br/><br/> A Windows/Linux machine that can access both your SCVMM management server and internet, directly or through proxy.<br/><br/> The helper script can be run directly from the VMM server machine as well.<br/><br/> To avoid network latency issues, we recommend executing the helper script directly in the VMM server machine.<br/><br/> Note that when you execute the script from a Linux machine, the deployment takes a bit longer and you may experience performance issues. |
 

articles/azure-monitor/essentials/prometheus-metrics-enable.md

@@ -295,7 +295,7 @@ Deploy the template with the parameter file using any valid method for deploying
 
 ## Verify Deployment
 
-Run the following command to which verify that the daemon set was deployed properly:
+Run the following command to verify that the daemon set was deployed properly:
 
 ```
 kubectl get ds ama-metrics-node --namespace=kube-system