Merge pull request #226088 from MicrosoftDocs/main

2/02 AM Publish

Author: huypub

.openpublishing.redirection.json

@@ -13444,16 +13444,6 @@
             "redirect_url": "/azure/logic-apps/logic-apps-exception-handling",
             "redirect_document_id": false
         },
-        {
-            "source_path_from_root": "/articles/machine-learning/tutorial-power-bi-automated-model.md",
-            "redirect_url": "/azure/machine-learning/tutorial-power-bi-custom-model",
-            "redirect_document_id": false
-        },
-        {
-            "source_path_from_root": "/articles/machine-learning/tutorial-power-bi-designer-model.md",
-            "redirect_url": "/azure/machine-learning/tutorial-power-bi-custom-model",
-            "redirect_document_id": false
-        },
         {
             "source_path_from_root": "/articles/event-grid/cli-samples.md",
             "redirect_url": "/azure/event-grid/scripts/event-grid-cli-subscribe-custom-topic",

articles/active-directory/authentication/certificate-based-authentication-faq.yml

@@ -120,9 +120,10 @@ sections:
           The browser caches the certificate after the certificate picker appears. If the user retries, the cached certificate is used automatically. The user should close the browser, and reopen a new session to try CBA again.          
 
       - question: |
-          Why can't single-factor certificates be used to complete MFA?
+          How can I use single-factor certificates to complete MFA?
         answer: |
-          There's no support for a second factor when the first factor is a single-factor certificate. We're working to add support for second factors.
+          We have support for single factor CBA to get MFA. CBA SF + PSI (passwordless phone sign in) and CBA SF + FIDO2 are the two supported combinations to get MFA using single factor certificates.
+          [MFA with single factor certificates](../authentication/concept-certificate-based-authentication-technical-deep-dive.md#single-factor-certificate-based-authentication) 
           
       - question: |
           Will the changes to the Authentication methods policy take effect immediately?

articles/active-directory/authentication/concept-authentication-phone-options.md

@@ -30,7 +30,7 @@ To work properly, phone numbers must be in the format *+CountryCode PhoneNumber*
 > [!NOTE]
 > There needs to be a space between the country/region code and the phone number.
 >
-> Password reset doesn't support phone extensions. Even in the *+1 4251234567X12345* format, extensions are removed before the call is placed.
+> Password reset and Azure AD Multi-Factor Authentication don't support phone extensions. Even in the *+1 4251234567X12345* format, extensions are removed before the call is placed.
 
 ## Mobile phone verification
 

articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md

@@ -72,7 +72,7 @@ Now we'll walk through each step:
 1. Azure AD completes the sign-in process by sending a primary refresh token back to indicate successful sign-in.
 1. If the user sign-in is successful, the user can access the application.
 
-## Single-factor certificate-based authentication
+## MFA with Single-factor certificate-based authentication
 
 Azure AD CBA supports second factors to meet MFA requirements with single-factor certificates. Users can use either passwordless sign-in or FIDO2 security keys as second factors when the first factor is single-factor CBA. Users need to register passwordless sign-in or FIDO2 in advance to signing in with Azure AD CBA.
 

articles/active-directory/cloud-sync/how-to-prerequisites.md

@@ -26,7 +26,7 @@ You need the following to use Azure AD Connect cloud sync:
 - On-premises firewall configurations.
 
 ## Group Managed Service Accounts
-A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management,the ability to delegate the management to other administrators, and also extends this functionality over multiple servers.  Azure AD Connect Cloud Sync supports and uses a gMSA for running the agent.  You will be prompted for administrative credentials during setup, in order to create this account.  The account will appear as (domain\provAgentgMSA$).  For more information on a gMSA, see [Group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) 
+A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, the ability to delegate the management to other administrators, and also extends this functionality over multiple servers.  Azure AD Connect Cloud Sync supports and uses a gMSA for running the agent.  You will be prompted for administrative credentials during setup, in order to create this account.  The account will appear as (domain\provAgentgMSA$).  For more information on a gMSA, see [group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) 
 
 ### Prerequisites for gMSA:
 1.	The Active Directory schema in the gMSA domain's forest needs to be updated to Windows Server 2012 or later.
@@ -48,46 +48,9 @@ If you are creating a custom gMSA account, you need to ensure that the account h
 |Allow |gMSA Account |Read all properties |Descendant Contact objects| 
 |Allow |gMSA Account |Create/delete User objects|This object and all descendant objects| 
 
-For steps on how to upgrade an existing agent to use a gMSA account see [Group Managed Service Accounts](how-to-install.md#group-managed-service-accounts).
-
-#### Create gMSA account with PowerShell
-You can use the following PowerShell script to create a custom gMSA account.  Then you can use the [cloud sync gMSA cmdlets](how-to-gmsa-cmdlets.md) to apply more granular permissions.
-
-```powershell
-# Filename:    1_SetupgMSA.ps1
-# Description: Creates and installs a custom gMSA account for use with Azure AD Connect cloud sync.
-#
-# DISCLAIMER:
-# Copyright (c) Microsoft Corporation. All rights reserved. This 
-# script is made available to you without any express, implied or 
-# statutory warranty, not even the implied warranty of 
-# merchantability or fitness for a particular purpose, or the 
-# warranty of title or non-infringement. The entire risk of the 
-# use or the results from the use of this script remains with you.
-#
-#
-#
-#
-# Declare variables
-$Name = 'provAPP1gMSA'
-$Description = "Azure AD Cloud Sync service account for APP1 server"
-$Server = "APP1.contoso.com"
-$Principal = Get-ADGroup 'Domain Computers'
-
-# Create service account in Active Directory
-New-ADServiceAccount -Name $Name `
--Description $Description `
--DNSHostName $Server `
--ManagedPasswordIntervalInDays 30 `
--PrincipalsAllowedToRetrieveManagedPassword $Principal `
--Enabled $True `
--PassThru
-
-# Install the new service account on Azure AD Cloud Sync server
-Install-ADServiceAccount -Identity $Name
-```
-
-For additional information on the cmdlets above, see [Getting Started with Group Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)?redirectedfrom=MSDN).
+For steps on how to upgrade an existing agent to use a gMSA account see [group Managed Service Accounts](how-to-install.md#group-managed-service-accounts).
+
+For more information on how to prepare your Active Directory for group Managed Service Account, see [group Managed Service Accounts Overview](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).
 
 ### In the Azure Active Directory admin center
 
@@ -104,7 +67,7 @@ Run the [IdFix tool](/office365/enterprise/prepare-directory-attributes-for-sync
 
 2. The PowerShell execution policy on the local server must be set to Undefined or RemoteSigned.
 
-3. If there's a firewall between your servers and Azure AD, configure see [Firewall and proxy requirements](#firewall-and-proxy-requirements) below.  
+3. If there's a firewall between your servers and Azure AD, see [Firewall and proxy requirements](#firewall-and-proxy-requirements) below.  
 
 >[!NOTE]
 > Installing the cloud provisioning agent on Windows Server Core is not supported.

articles/active-directory/multi-tenant-organizations/cross-tenant-synchronization-overview.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: multi-tenant-organizations
 ms.topic: overview
-ms.date: 01/23/2023
+ms.date: 02/02/2023
 ms.author: rolyon
 ms.custom: it-pro
 
@@ -121,7 +121,9 @@ For anyone that has used Azure AD to [provision identities into a SaaS applicati
 
 ## License requirements
 
-Using this feature requires Azure AD Premium P1 licenses. Each user who is synchronized with cross-tenant synchronization must have a P1 license in their home/source tenant. To find the right license for your requirements, see [Compare generally available features of Azure AD](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
+In the source tenant: Using this feature requires Azure AD Premium P1 licenses. Each user who is synchronized with cross-tenant synchronization must have a P1 license in their home/source tenant. To find the right license for your requirements, see [Compare generally available features of Azure AD](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
+
+In the target tenant: Cross-tenant sync relies on the Azure AD External Identities billing model. To understand the external identities licensing model, see [MAU billing model for Azure AD External Identities](../external-identities/external-identities-pricing.md)
 
 ## Frequently asked questions
 

articles/app-service/deploy-staging-slots.md

@@ -62,7 +62,7 @@ The app must be running in the **Standard**, **Premium**, or **Isolated** tier i
 
 6. Select the app URL on the slot's resource page. The deployment slot has its own host name and is also a live app. To limit public access to the deployment slot, see [Azure App Service IP restrictions](app-service-ip-restrictions.md).
 
-The new deployment slot has no content, even if you clone the settings from a different slot. For example, you can [publish to this slot with Git](./deploy-local-git.md). You can deploy to the slot from a different repository branch or a different repository.
+The new deployment slot has no content, even if you clone the settings from a different slot. For example, you can [publish to this slot with Git](./deploy-local-git.md). You can deploy to the slot from a different repository branch or a different repository.  Get publish profile [from Azure App Service](/visualstudio/azure/how-to-get-publish-profile-from-azure-app-service) can provide required information to deploy to the slot.  The profile can be imported by Visual Studio to deploy contents to the slot.
 
 The slot's URL will be of the format `http://sitename-slotname.azurewebsites.net`. To keep the URL length within necessary DNS limits, the site name will be truncated at 40 characters, the slot name will be truncated at 19 characters, and an additional 4 random characters will be appended to ensure the resulting domain name is unique. 
 
@@ -283,7 +283,7 @@ By default, new slots are given a routing rule of `0%`, shown in grey. When you
 
 ## Delete a slot
 
-Search for and select your app. Select **Deployment slots** > *\<slot to delete>* > **Overview**. The app type is shown as **App Service (Slot)** to remind you that you're viewing a deployment slot. Select **Delete** on the command bar.  
+Search for and select your app. Select **Deployment slots** > *\<slot to delete>* > **Overview**. The app type is shown as **App Service (Slot)** to remind you that you're viewing a deployment slot. Before deleting a slot, make sure to stop the slot and set the traffic in the slot to zero.  Select **Delete** on the command bar.  
 
 ![Delete a deployment slot](./media/web-sites-staged-publishing/DeleteStagingSiteButton.png)
 

articles/app-service/language-support-policy.md

@@ -0,0 +1,52 @@
+---
+title: Language Support Policy
+description: App Service language runtime support policies 
+author: jeffmartinez
+
+ms.topic: article
+ms.date: 01/23/2023
+ms.author: jefmarti
+ms.custom: seodec18
+
+---
+# App Service language runtime support policy
+
+This document describes the App Service language runtime support policy for updating existing stacks and retiring process for upcoming end-of-life stacks.  This policy is to clarify existing practices and doesn't represent a change to customer commitments.    
+
+## Updates to existing stacks
+App Service will update existing stacks after they become available from each community.  App Service will update major versions of stacks but can't guarantee any specific patch versions.  Patch versions are controlled by the platform, and it is not possible for App Service to pin a specific patch version.  For example, Python 3.10 will be updated by App Service, but a specific Python 3.10.x version won't be guaranteed.  If you need a specific patch version, use a [custom container](quickstart-custom-container.md).  
+
+## Retirements
+App Service follows community support timelines for the lifecycle of the runtime.  Once community support for a given language reaches end-of-life, your applications will continue to run unchanged.  However, App Service cannot provide security patches or related customer support for that runtime version past its end-of-life date.  If your application has any issues past the end-of-life date for that version, you should move up to a supported version to receive the latest security patches and features.  
+
+> [!IMPORTANT]
+> You're encouraged to upgrade the language version of your affected apps to a supported version. If you're running apps using an unsupported language version, you'll be required to upgrade before receiving support for your app.
+>
+
+## Notifications
+End-of-life dates for runtime versions are determined independently by their respective stacks and are outside the control of App Service.  App Service will send reminder notifications to subscription owners for upcoming end-of-life runtime versions 12 months prior to the end-of-life date.
+
+Those who receive notifications include account administrators, service administrators, and co-administrators.  Contributors, readers, or other roles won't directly receive notifications, unless they opt-in to receive notification emails, using [Service Health Alerts](/service-health/alerts-activity-log-service-notifications-portal.md).  
+
+## Language runtime version support timelines
+To learn more about specific language support policy timelines, visit the following resources:
+
+- [ASP.NET](https://aka.ms/aspnetrelease)
+- [.NET](https://aka.ms/dotnetrelease)
+- [Node](https://aka.ms/noderelease)
+- [Java](https://aka.ms/javarelease)
+- [Python](https://aka.ms/pythonrelease)
+- [PHP](https://aka.ms/phprelease)
+- [Go](https://aka.ms/gorelease)
+
+
+
+## Configure language versions
+To learn more about how to update your App Service application language versions, see the following resources:
+
+- [.NET](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/dot_net_core.md#how-to-update-your-app-to-target-a-different-version-of-net-or-net-core)
+- [Node](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/node_support.md#node-on-linux-app-service)
+- [Java](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/java_support.md#java-on-app-service)
+- [Python](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/python_support.md#how-to-update-your-app-to-target-a-different-version-of-python)
+- [PHP](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/php_support.md#how-to-update-your-app-to-target-a-different-version-of-php)    
+

articles/app-service/toc.yml

@@ -470,6 +470,8 @@
       href: ../azure-resource-manager/management/azure-subscription-service-limits.md#app-service-limits
     - name: Service Updates
       href: https://azure.microsoft.com/updates/?product=app-service
+    - name: Language support policy
+      href: language-support-policy.md
     - name: Kudu service
       href: resources-kudu.md
     - name: Best practices

articles/azure-arc/data/faq.yml

@@ -20,9 +20,10 @@ sections:
       - question: Is there a cost to enable Microsoft Defender via Policy?
         answer: No. Azure Arc server is an Azure resource. There is no cost to use Azure Policy with Azure resources. For details, see [Azure Pricing policy](https://azure.microsoft.com/pricing/details/azure-policy/).
 
-      - question: Can we customize ir modify policies?   
+      - question: Can we customize or modify policies?   
         answer: |
          Yes, you can copy policies that we provide in Azure and customize them. The only policy we provide at this time is the at-scale onboarding one.
+         
   - name: Reporting
     questions:
       - question: Can we get a roll-up report that indicates how many instances fall into the high priority category instead of one machine at a time?