Commit ce4d792

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into rolyon-aadroles-protected-actions-preview
2 parents 32446aa + fa61096 commit ce4d792

28 files changed: +549 -369 lines changed

articles/active-directory/conditional-access/howto-continuous-access-evaluation-troubleshoot.md

Lines changed: 10 additions & 14 deletions
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: conditional-access
88
ms.topic: troubleshooting
9-
ms.date: 01/05/2023
9+
ms.date: 04/03/2023
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
@@ -21,21 +21,21 @@ Administrators can monitor and troubleshoot sign in events where [continuous acc
2121

2222
## Continuous access evaluation sign-in reporting
2323

24-
Administrators will have the opportunity to monitor user sign-ins where CAE is applied. This pane can be located by via the following instructions:
24+
Administrators can monitor user sign-ins where continuous access evaluation (CAE) is applied. This information is found in the Azure AD sign-in logs:
2525

2626
1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.
27-
1. Browse to **Azure Active Directory** > **Sign-ins**.
27+
1. Browse to **Azure Active Directory** > **Sign-in logs**.
2828
1. Apply the **Is CAE Token** filter.
2929

30-
[ ![Add a filter to the Sign-ins log to see where CAE is being applied or not](./media/howto-continuous-access-evaluation-troubleshoot/azure-ad-sign-ins-log-apply-filter.png) ](./media/howto-continuous-access-evaluation-troubleshoot/azure-ad-sign-ins-log-apply-filter.png#lightbox)
30+
[ ![Screenshot showing how to add a filter to the Sign-ins log to see where CAE is being applied or not.](./media/howto-continuous-access-evaluation-troubleshoot/sign-ins-log-apply-filter.png) ](./media/howto-continuous-access-evaluation-troubleshoot/sign-ins-log-apply-filter.png#lightbox)
3131

32-
From here, admins will be presented with information about their user’s sign-in events. Select any sign-in to see details about the session, like which Conditional Access policies were applied and is CAE enabled.
32+
From here, admins are presented with information about their user’s sign-in events. Select any sign-in to see details about the session, like which Conditional Access policies applied and if CAE enabled.
3333

34-
There are multiple sign-in requests for each authentication. Some will be shown on the interactive tab, while others will be shown on the non-interactive tab. CAE will only be displayed as true for one of the requests, and it can be on the interactive tab or non-interactive tab. Admins need to check both tabs to confirm whether the user's authentication is CAE enabled or not.
34+
There are multiple sign-in requests for each authentication. Some are on the interactive tab, while others are on the non-interactive tab. CAE is only marked true for one of the requests, it can be on the interactive tab or non-interactive tab. Admins must check both tabs to confirm whether the user's authentication is CAE enabled or not.
3535

3636
### Searching for specific sign-in attempts
3737

38-
Sign in logs contain information on Success as well as failure events. Use filters to narrow your search. For example, if a user signed in to Teams, use the Application filter and set it to Teams. Admins may need to check the sign-ins from both interactive and non-interactive tabs to locate the specific sign-in. To further narrow the search, admins may apply multiple filters.
38+
Sign in logs contain information on success and failure events. Use filters to narrow your search. For example, if a user signed in to Teams, use the Application filter and set it to Teams. Admins may need to check the sign-ins from both interactive and non-interactive tabs to locate the specific sign-in. To further narrow the search, admins may apply multiple filters.
3939

4040
## Continuous access evaluation workbooks
4141

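Review bot: Two of the rewritten sentences in this hunk are ungrammatical. New line 32 ends with "and if CAE enabled", which drops the verb; "and whether CAE is enabled" reads correctly. New line 34 joins two independent clauses with a comma ("CAE is only marked true for one of the requests, it can be on the interactive tab or non-interactive tab"); split it into two sentences or restore "and it can be". New line 38 also keeps "Sign in logs" while new line 24 in the same hunk writes "sign-in logs", so the hyphenation should be made consistent.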
@@ -49,33 +49,29 @@ Log Analytics integration must be completed before workbooks are displayed. For
4949
1. Browse to **Azure Active Directory** > **Workbooks**.
5050
1. Under **Public Templates**, search for **Continuous access evaluation insights**.
5151

52-
[ ![Find the CAE insights workbook in the gallery to continue monitoring](./media/howto-continuous-access-evaluation-troubleshoot/azure-ad-workbooks-continuous-access-evaluation.png) ](./media/howto-continuous-access-evaluation-troubleshoot/azure-ad-workbooks-continuous-access-evaluation.png#lightbox)
53-
5452
The **Continuous access evaluation insights** workbook contains the following table:
5553

5654
### Potential IP address mismatch between Azure AD and resource provider
5755

58-
![Workbook table 1 showing potential IP address mismatches](./media/howto-continuous-access-evaluation-troubleshoot/continuous-access-evaluation-insights-workbook-table-1.png)
59-
6056
The potential IP address mismatch between Azure AD & resource provider table allows admins to investigate sessions where the IP address detected by Azure AD doesn't match with the IP address detected by the resource provider.
6157

6258
This workbook table sheds light on these scenarios by displaying the respective IP addresses and whether a CAE token was issued during the session.
6359

64-
#### Continuous access evaluation insights per sign-in
60+
### Continuous access evaluation insights per sign-in
6561

6662
The continuous access evaluation insights per sign-in page in the workbook connects multiple requests from the sign-in logs and displays a single request where a CAE token was issued.
6763

6864
This workbook can come in handy, for example, when: A user opens Outlook on their desktop and attempts to access resources inside of Exchange Online. This sign-in action may map to multiple interactive and non-interactive sign-in requests in the logs making issues hard to diagnose.
6965

70-
#### IP address configuration
66+
## IP address configuration
7167

7268
Your identity provider and resource providers may see different IP addresses. This mismatch may happen because of the following examples:
7369

7470
- Your network implements split tunneling.
7571
- Your resource provider is using an IPv6 address and Azure AD is using an IPv4 address.
7672
- Because of network configurations, Azure AD sees one IP address from the client and your resource provider sees a different IP address from the client.
7773

78-
If this scenario exists in your environment, to avoid infinite loops, Azure AD will issue a one-hour CAE token and won't enforce client location change during that one-hour period. Even in this case, security is improved compared to traditional one-hour tokens since we're still evaluating the other events besides client location change events.
74+
If this scenario exists in your environment, to avoid infinite loops, Azure AD issues a one-hour CAE token and doesn't enforce client location change during that one-hour period. Even in this case, security is improved compared to traditional one-hour tokens since we're still evaluating the other events besides client location change events.
7975

8076
Admins can view records filtered by time range and application. Admins can compare the number of mismatched IPs detected with the total number of sign-ins during a specified time period.
8177

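Review bot: Promoting "IP address configuration" to `##` at new line 66 moves it out of the "Continuous access evaluation workbooks" section, yet its closing paragraph at new line 76 ("Admins can view records filtered by time range and application...") still reads as a description of the workbook view. Either keep the heading at `###` under the workbooks section or move that paragraph up next to the IP address mismatch table text. New line 52 also still says the workbook "contains the following table:" although two `###` subsections now follow it, and with both screenshots removed the mismatch table has no illustration; if the images are dropped on purpose, a short text description of what the table shows would cover the gap.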
articles/aks/supported-kubernetes-versions.md

Lines changed: 1 addition & 1 deletion
@@ -59,7 +59,7 @@ For the past release history, see [Kubernetes history](https://en.wikipedia.org/
5959
6060
With AKS, you can create a cluster without specifying the exact patch version. When you create a cluster without designating a patch, the cluster will run the minor version's latest GA patch. For example, if you create a cluster with **`1.21`**, your cluster will run **`1.21.7`**, which is the latest GA patch version of *1.21*.
6161

62-
When you upgrade by alias minor version, only a higher minor version is supported. For example, upgrading from `1.14.x` to `1.14` won't trigger an upgrade to the latest GA `1.14` patch, but upgrading to `1.15` will trigger an upgrade to the latest GA `1.15` patch.
62+
When you upgrade by alias minor version, only a higher minor version is supported. For example, upgrading from `1.14.x` to `1.14` won't trigger an upgrade to the latest GA `1.14` patch, but upgrading to `1.15` will trigger an upgrade to the latest GA `1.15` patch. If you wish to upgrade your patch version in the same minor version, please use [auto-upgrade](https://learn.microsoft.com/azure/aks/auto-upgrade-cluster#using-cluster-auto-upgrade).
6363

6464
To see what patch you're on, run the `az aks show --resource-group myResourceGroup --name myAKSCluster` command. The `currentKubernetesVersion` property shows the whole Kubernetes version.
6565

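Review bot: The link added at new line 62 uses an absolute URL (https://learn.microsoft.com/azure/aks/auto-upgrade-cluster#using-cluster-auto-upgrade) for an article under the same /azure/aks/ path as this file, while the other article-to-article links visible in this commit are relative (for example `enable-cors-power-platform.md`); a relative link would be consistent. The wording "If you wish to ... please use" is also more formal than the surrounding text; "To upgrade the patch version within the same minor version, use auto-upgrade" is tighter. Because the preceding sentence says that upgrading from `1.14.x` to `1.14` does nothing, it would help to state whether auto-upgrade is the only route to a newer patch or just the recommended one.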
articles/api-management/TOC.yml

Lines changed: 3 additions & 1 deletion
@@ -364,8 +364,10 @@
364364
items:
365365
- name: Export API as custom connector
366366
href: export-api-power-platform.md
367-
- name: Enable CORS to test custom connector
367+
displayName: Power Platform
368+
- name: Enable CORS for custom connector
368369
href: enable-cors-power-platform.md
370+
displayName: Power Platform
369371
- name: Monitor APIs
370372
items:
371373
- name: Get API analytics

articles/api-management/enable-cors-power-platform.md

Lines changed: 4 additions & 4 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: Enable CORS policies to test Azure API Management custom connector
3-
description: How to enable CORS policies in Azure API Management and Power Platform to test a custom connector from Power Platform applications.
2+
title: Enable CORS policies for Azure API Management custom connector
3+
description: How to enable CORS policies in Azure API Management and Power Platform to test and use a custom connector from Power Platform applications.
44
services: api-management
55
author: dlepow
66

@@ -10,10 +10,10 @@ ms.date: 03/24/2023
1010
ms.author: danlep
1111

1212
---
13-
# Enable CORS policies to test custom connector from Power Platform
13+
# Enable CORS policies for API Management custom connector
1414
Cross-origin resource sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. Customers can add a [CORS policy](cors-policy.md) to their web APIs in Azure API Management, which adds cross-origin resource sharing support to an operation or an API to allow cross-domain calls from browser-based clients.
1515

16-
If you've exported an API from API Management as a [custom connector](export-api-power-platform.md) in the Power Platform and want to use the Power Apps or Power Automate test console to call the API, you need to configure your API to explicitly enable cross-origin requests from Power Platform applications. This article shows you how to configure the following two necessary policy settings:
16+
If you've exported an API from API Management as a [custom connector](export-api-power-platform.md) in the Power Platform and want to use browser-based clients including Power Apps or Power Automate to call the API, you need to configure your API to explicitly enable cross-origin requests from Power Platform applications. This article shows you how to configure the following two necessary policy settings:
1717

1818
* Add a CORS policy to your API
1919

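Review bot: The new H1 at line 13 ("Enable CORS policies for API Management custom connector") does not match the `title` set at line 2 in the previous hunk ("Enable CORS policies for Azure API Management custom connector"), and the TOC entry and the cross-reference in export-api-power-platform.md use two further variants ("Enable CORS for custom connector" and "Enable CORS policies for custom connector"). Pick one wording and use it in all four places. At line 16, "browser-based clients including Power Apps or Power Automate" widens the article from the test console to general use, so it is worth keeping the rest of the sentence explicit that the cross-origin allowance is for requests from Power Platform applications and not a general opening of the API to other origins.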
articles/api-management/export-api-power-platform.md

Lines changed: 1 addition & 1 deletion
@@ -50,7 +50,7 @@ You can manage your custom connector in your Power Apps or Power Platform enviro
5050
1. Select the pencil (Edit) icon to edit and test the custom connector.
5151

5252
> [!IMPORTANT]
53-
> To call the API from the Power Apps test console, you need to configure a CORS policy in your API Management instance and create a policy in the custom connector to set an Origin header in HTTP requests. For more information, see [Enable CORS policies to test custom connector from Power Platform](enable-cors-power-platform.md).
53+
> To call the API from the Power Apps test console, you need to configure a CORS policy in your API Management instance and create a policy in the custom connector to set an Origin header in HTTP requests. For more information, see [Enable CORS policies for custom connector](enable-cors-power-platform.md).
5454
>
5555
5656
## Update a custom connector
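Review bot: The IMPORTANT note at line 53 still opens with "To call the API from the Power Apps test console", but the article it links to was rescoped in this same commit to cover use as well as testing (its description now reads "test and use a custom connector"). Only the link text was changed here; update the sentence so it also covers calls from Power Apps and Power Automate outside the test console, otherwise readers will assume the CORS policy and Origin header are needed only while testing.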
