Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into vnet-old-review

Author: asudbring

articles/active-directory/fundamentals/concept-fundamentals-security-defaults.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 09/13/2022
+ms.date: 03/23/2023
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -23,7 +23,7 @@ Microsoft is making security defaults available to everyone, because managing se
 
 Security defaults make it easier to help protect your organization from these identity-related attacks with preconfigured security settings:
 
-- [Requiring all users to register for Azure AD Multi-Factor Authentication](#require-all-users-to-register-for-azure-ad-multi-factor-authentication).
+- [Requiring all users to register for Azure AD Multifactor Authentication](#require-all-users-to-register-for-azure-ad-multifactor-authentication).
 - [Requiring administrators to do multifactor authentication](#require-administrators-to-do-multifactor-authentication).
 - [Requiring users to do multifactor authentication when necessary](#require-users-to-do-multifactor-authentication-when-necessary).
 - [Blocking legacy authentication protocols](#block-legacy-authentication-protocols).
@@ -49,16 +49,16 @@ To enable security defaults in your directory:
 1. Sign in to the [Azure portal](https://portal.azure.com) as a security administrator, Conditional Access administrator, or global administrator.
 1. Browse to **Azure Active Directory** > **Properties**.
 1. Select **Manage security defaults**.
-1. Set the **Enable security defaults** toggle to **Yes**.
+1. Set **Security defaults** to **Enabled **.
 1. Select **Save**.
 
 ![Screenshot of the Azure portal with the toggle to enable security defaults](./media/concept-fundamentals-security-defaults/security-defaults-azure-ad-portal.png)
 
 ## Enforced security policies
 
-### Require all users to register for Azure AD Multi-Factor Authentication
+### Require all users to register for Azure AD Multifactor Authentication
 
-All users in your tenant must register for multifactor authentication (MFA) in the form of the Azure AD Multi-Factor Authentication. Users have 14 days to register for Azure AD Multi-Factor Authentication by using the [Microsoft Authenticator app](../authentication/concept-authentication-authenticator-app.md) or any app supporting [OATH TOTP](../authentication/concept-authentication-oath-tokens.md). After the 14 days have passed, the user can't sign in until registration is completed. A user's 14-day period begins after their first successful interactive sign-in after enabling security defaults.
+All users in your tenant must register for multifactor authentication (MFA) in the form of the Azure AD Multifactor Authentication. Users have 14 days to register for Azure AD Multifactor Authentication by using the [Microsoft Authenticator app](../authentication/concept-authentication-authenticator-app.md) or any app supporting [OATH TOTP](../authentication/concept-authentication-oath-tokens.md). After the 14 days have passed, the user can't sign in until registration is completed. A user's 14-day period begins after their first successful interactive sign-in after enabling security defaults.
 
 ### Require administrators to do multifactor authentication
 
@@ -67,7 +67,7 @@ Administrators have increased access to your environment. Because of the power t
 > [!TIP]
 > We recommend having separate accounts for administration and standard productivity tasks to significantly reduce the number of times your admins are prompted for MFA.
 
-After registration with Azure AD Multi-Factor Authentication is finished, the following Azure AD administrator roles will be required to do extra authentication every time they sign in:
+After registration with Azure AD Multifactor Authentication is finished, the following Azure AD administrator roles will be required to do extra authentication every time they sign in:
 
 - Global administrator
 - Application administrator
@@ -140,7 +140,7 @@ This policy applies to all users who are accessing Azure Resource Manager servic
 
 ### Authentication methods
 
-Security defaults users are required to register for and use Azure AD Multi-Factor Authentication using the [Microsoft Authenticator app using notifications](../authentication/concept-authentication-authenticator-app.md). Users may use verification codes from the Microsoft Authenticator app but can only register using the notification option. Users can also use any third party application using [OATH TOTP](../authentication/concept-authentication-oath-tokens.md) to generate codes.
+Security defaults users are required to register for and use Azure AD Multifactor Authentication using the [Microsoft Authenticator app using notifications](../authentication/concept-authentication-authenticator-app.md). Users may use verification codes from the Microsoft Authenticator app but can only register using the notification option. Users can also use any third party application using [OATH TOTP](../authentication/concept-authentication-oath-tokens.md) to generate codes.
 
 > [!WARNING]
 > Do not disable methods for your organization if you are using security defaults. Disabling methods may lead to locking yourself out of your tenant. Leave all **Methods available to users** enabled in the [MFA service settings portal](../authentication/howto-mfa-getstarted.md#choose-authentication-methods-for-mfa).
@@ -182,7 +182,7 @@ Any [B2B guest](../external-identities/what-is-b2b.md) users or [B2B direct conn
 
 ### Disabled MFA status
 
-If your organization is a previous user of per-user based Azure AD Multi-Factor Authentication, don't be alarmed to not see users in an **Enabled** or **Enforced** status if you look at the Multi-Factor Auth status page. **Disabled** is the appropriate status for users who are using security defaults or Conditional Access based Azure AD Multi-Factor Authentication.
+If your organization is a previous user of per-user based Azure AD Multifactor Authentication, don't be alarmed to not see users in an **Enabled** or **Enforced** status if you look at the Multi-Factor Auth status page. **Disabled** is the appropriate status for users who are using security defaults or Conditional Access based Azure AD Multifactor Authentication.
 
 ### Conditional Access
 
@@ -208,7 +208,7 @@ To disable security defaults in your directory:
 1. Sign in to the [Azure portal](https://portal.azure.com) as a security administrator, Conditional Access administrator, or global administrator.
 1. Browse to **Azure Active Directory** > **Properties**.
 1. Select **Manage security defaults**.
-1. Set the **Enable security defaults** toggle to **No**.
+1. Set **Security defaults** to **Disabled (not recommended)**.
 1. Select **Save**.
 
 ## Next steps

articles/active-directory/fundamentals/media/concept-fundamentals-security-defaults/security-defaults-azure-ad-portal.png

@@ -2,7 +2,7 @@
 title: Abort an Azure Kubernetes Service (AKS) long running operation (preview)
 description: Learn how to terminate a long running operation on an Azure Kubernetes Service cluster at the node pool or cluster level.
 ms.topic: article
-ms.date: 11/23/2022
+ms.date: 3/23/2023
 
 ---
 
@@ -68,6 +68,8 @@ In the response, an HTTP status code of 204 is returned.
 
 The provisioning state on the managed cluster or agent pool should be **Canceled**. Use the REST API [Get Managed Clusters](/rest/api/aks/managed-clusters/get) or [Get Agent Pools](/rest/api/aks/agent-pools/get) to verify the operation. The provisioning state should update to **Canceled** within a few seconds of the abort request being accepted. Operation status of last running operation ID on the managed cluster/agent pool, which can be retrieved by performing a GET operation against the Managed Cluster or agent pool, should show a status of **Canceling**.
 
+When you terminate an operation, it doesn't roll back to the previous state and it stops at whatever step in the operation was in-process. Once complete, the cluster provisioning state shows a **Canceled** state. If the operation happens to be a cluster upgrade, during a cancel operation it stops where it is.
+
 ## Next steps
 
 Learn more about [Container insights](../azure-monitor/containers/container-insights-overview.md) to understand how it helps you monitor the performance and health of your Kubernetes cluster and container workloads.

articles/active-directory/fundamentals/media/concept-fundamentals-security-defaults/security-defaults-conditional-access.png

@@ -3,7 +3,7 @@ title: Deploy and configure an Azure Kubernetes Service (AKS) cluster with workl
 description: In this Azure Kubernetes Service (AKS) article, you deploy an Azure Kubernetes Service cluster and configure it with an Azure AD workload identity (preview).
 ms.topic: article
 ms.custom: devx-track-azurecli
-ms.date: 01/11/2023
+ms.date: 03/14/2023
 ---
 
 # Deploy and configure workload identity (preview) on an Azure Kubernetes Service (AKS) cluster
@@ -66,7 +66,7 @@ Create an AKS cluster using the [az aks create][az-aks-create] command with the
 ```azurecli-interactive
 az group create --name myResourceGroup --location eastus
 
-az aks create -g myResourceGroup -n myAKSCluster --node-count 1 --enable-oidc-issuer --enable-workload-identity --generate-ssh-keys
+az aks create -g myResourceGroup -n myAKSCluster --enable-oidc-issuer --enable-workload-identity
 ```
 
 After a few minutes, the command completes and returns JSON-formatted information about the cluster.
@@ -80,38 +80,18 @@ To get the OIDC Issuer URL and save it to an environmental variable, run the fol
 export AKS_OIDC_ISSUER="$(az aks show -n myAKSCluster -g myResourceGroup --query "oidcIssuerProfile.issuerUrl" -otsv)"
 ```
 
-## Create a managed identity and grant permissions to access Azure Key Vault
+## Create a managed identity
 
-This step is necessary if you need to access secrets, keys, and certificates that are mounted in Azure Key Vault from a pod. Perform the following steps to configure access with a managed identity. These steps assume you have an Azure Key Vault already created and configured in your subscription. If you don't have one, see [Create an Azure Key Vault using the Azure CLI][create-key-vault-azure-cli].
-
-Before proceeding, you need the following information:
-
-* Name of the Key Vault
-* Resource group holding the Key Vault
+Use the Azure CLI [az account set][az-account-set] command to set a specific subscription to be the current active subscription. Then use the [az identity create][az-identity-create] command to create a managed identity.
 
-You can retrieve this information using the Azure CLI command: [az keyvault list][az-keyvault-list].
-
-1. Use the Azure CLI [az account set][az-account-set] command to set a specific subscription to be the current active subscription. Then use the [az identity create][az-identity-create] command to create a managed identity.
-
-    ```azurecli
-    export SUBSCRIPTION_ID="$(az account show --query id --output tsv)"
-    export USER_ASSIGNED_IDENTITY_NAME="myIdentity"
-    export RG_NAME="myResourceGroup"
-    export LOCATION="eastus"
-
-    az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RG_NAME}" --location "${LOCATION}" --subscription "${SUBSCRIPTION_ID}"
-    ```
-
-2. Set an access policy for the managed identity to access secrets in your Key Vault by running the following commands:
-
-    ```azurecli
-    export RG_NAME="myResourceGroup"
-    export USER_ASSIGNED_IDENTITY_NAME="myIdentity"
-    export KEYVAULT_NAME="myKeyVault"
-    export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RG_NAME}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"
+```azurecli
+export SUBSCRIPTION_ID="$(az account show --query id --output tsv)"
+export USER_ASSIGNED_IDENTITY_NAME="myIdentity"
+export RG_NAME="myResourceGroup"
+export LOCATION="eastus"
 
-    az keyvault set-policy --name "${KEYVAULT_NAME}" --secret-permissions get --spn "${USER_ASSIGNED_CLIENT_ID}"
-    ```
+az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RG_NAME}" --location "${LOCATION}" --subscription "${SUBSCRIPTION_ID}"
+```
 
 ## Create Kubernetes service account
 
@@ -166,6 +146,28 @@ az identity federated-credential create --name myfederatedIdentity --identity-na
 kubectl apply -f <your application>
 ```
 
+## Optional - Grant permissions to access Azure Key Vault
+
+This step is necessary if you need to access secrets, keys, and certificates that are mounted in Azure Key Vault from a pod. Perform the following steps to configure access with a managed identity. These steps assume you have an Azure Key Vault already created and configured in your subscription. If you don't have one, see [Create an Azure Key Vault using the Azure CLI][create-key-vault-azure-cli].
+
+Before proceeding, you need the following information:
+
+* Name of the Key Vault
+* Resource group holding the Key Vault
+
+You can retrieve this information using the Azure CLI command: [az keyvault list][az-keyvault-list].
+
+1. Set an access policy for the managed identity to access secrets in your Key Vault by running the following commands:
+
+    ```azurecli
+    export RG_NAME="myResourceGroup"
+    export USER_ASSIGNED_IDENTITY_NAME="myIdentity"
+    export KEYVAULT_NAME="myKeyVault"
+    export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RG_NAME}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"
+
+    az keyvault set-policy --name "${KEYVAULT_NAME}" --secret-permissions get --spn "${USER_ASSIGNED_CLIENT_ID}"
+    ```
+
 ## Disable workload identity
 
 To disable the Azure AD workload identity on the AKS cluster where it's been enabled and configured, you can run the following command:

articles/aks/manage-abort-operations.md

@@ -1,14 +1,14 @@
 ---
-title: Modernize your Azure Kubernetes Service (AKS) application to use workload identity (preview)
+title: Migrate your Azure Kubernetes Service (AKS) pod to use workload identity (preview)
 description: In this Azure Kubernetes Service (AKS) article, you learn how to configure your Azure Kubernetes Service pod to authenticate with workload identity.
 ms.topic: article
 ms.custom: devx-track-azurecli
-ms.date: 02/08/2023
+ms.date: 03/14/2023
 ---
 
-# Modernize application authentication with workload identity (preview)
+# Migrate from pod managed-identity to workload identity (preview)
 
-This article focuses on pod-managed identity migration to Azure Active Directory (Azure AD) workload identity (preview) for your Azure Kubernetes Service (AKS) cluster. It also provides guidance depending on the version of the [Azure Identity][azure-identity-supported-versions] client library used by your container-based application.
+This article focuses on migrating from a pod-managed identity to Azure Active Directory (Azure AD) workload identity (preview) for your Azure Kubernetes Service (AKS) cluster. It also provides guidance depending on the version of the [Azure Identity][azure-identity-supported-versions] client library used by your container-based application.
 
 [!INCLUDE [preview features callout](./includes/preview/preview-callout.md)]
 
@@ -30,10 +30,10 @@ For either scenario, you need to have the federated trust set up before you upda
 
 If your cluster is already using the latest version of the Azure Identity SDK, perform the following steps to complete the authentication configuration:
 
-- Deploy workload identity in parallel to where the trust is setup. You can restart your application deployment to begin using the workload identity, where it injects the OIDC annotations into the application automatically.
+- Deploy workload identity in parallel with pod-managed identity. You can restart your application deployment to begin using the workload identity, where it injects the OIDC annotations into the application automatically.
 - After verifying the application is able to authenticate successfully, you can [remove the pod-managed identity](#remove-pod-managed-identity) annotations from your application and then remove the pod-managed identity add-on.
 
-## Migrate from older version
+### Migrate from older version
 
 If your cluster isn't using the latest version of the Azure Identity SDK, you have two options:
 
@@ -65,7 +65,7 @@ If you don't have a managed identity created and assigned to your pod, perform t
     export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "resourceGroupName" --name "userAssignedIdentityName" --query 'clientId' -otsv)"
     ```
 
-2. Grant the managed identity the permissions required to access the resources in Azure it requires.
+2. Grant the managed identity the permissions required to access the resources in Azure it requires. For information on how to do this, see [Assign a managed identity access to a resource][assign-rbac-managed-identity].
 
 3. To get the OIDC Issuer URL and save it to an environmental variable, run the following command. Replace the default values for the cluster name and the resource group name.
 
@@ -208,6 +208,7 @@ This article showed you how to set up your pod to authenticate using a workload
 [azure-identity-libraries]: ../active-directory/develop/reference-v2-libraries.md
 [openid-connect-overview]: ../active-directory/develop/v2-protocols-oidc.md
 [install-azure-cli]: /cli/azure/install-azure-cli
+[assign-rbac-managed-identity]: ../active-directory/managed-identities-azure-resources/howto-assign-access-cli.md
 
 <!-- EXTERNAL LINKS -->
 [kubectl-describe]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe

articles/aks/workload-identity-deploy-cluster.md

@@ -2,7 +2,7 @@
 title: Use an Azure AD workload identities (preview) on Azure Kubernetes Service (AKS)
 description: Learn about Azure Active Directory workload identity (preview) for Azure Kubernetes Service (AKS) and how to migrate your application to authenticate using this identity.  
 ms.topic: article
-ms.date: 01/06/2023
+ms.date: 03/14/2023
 
 ---