Merge branch 'MicrosoftDocs:main' into main

Author: mmacy

articles/active-directory/enterprise-users/groups-create-rule.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: enterprise-users
 ms.workload: identity
 ms.topic: how-to
-ms.date: 09/02/2021
+ms.date: 05/05/2022
 ms.author: curtand
 ms.reviewer: krbain
 ms.custom: it-pro
@@ -19,8 +19,7 @@ ms.collection: M365-identity-device-management
 
 # Create or update a dynamic group in Azure Active Directory
 
-In Azure Active Directory (Azure AD), you can use rules to determine group membership based on user or device properties. This article tells how to set up a rule for a dynamic group in the Azure portal.
-Dynamic membership is supported for security groups or Microsoft 365 Groups. When a group membership rule is applied, user and device attributes are evaluated for matches with the membership rule. When an attribute changes for a user or device, all dynamic group rules in the organization are processed for membership changes. Users and devices are added or removed if they meet the conditions for a group. Security groups can be used for either devices or users, but Microsoft 365 Groups can be only user groups. Using Dynamic groups requires Azure AD premium P1 license or Intune for Education license. See [Dynamic membership rules for groups](./groups-dynamic-membership.md) for more details. 
+In Azure Active Directory (Azure AD), you can use rules to determine group membership based on user or device properties. This article tells how to set up a rule for a dynamic group in the Azure portal. Dynamic membership is supported for security groups and Microsoft 365 Groups. When a group membership rule is applied, user and device attributes are evaluated for matches with the membership rule. When an attribute changes for a user or device, all dynamic group rules in the organization are processed for membership changes. Users and devices are added or removed if they meet the conditions for a group. Security groups can be used for either devices or users, but Microsoft 365 Groups can be only user groups. Using Dynamic groups requires Azure AD premium P1 license or Intune for Education license. See [Dynamic membership rules for groups](./groups-dynamic-membership.md) for more details. 
 
 ## Rule builder in the Azure portal
 
@@ -46,7 +45,7 @@ For examples of syntax, supported properties, operators, and values for a member
 1. Search for and select **Groups**.
 1. Select **All groups**, and select **New group**.
 
-   ![Select the command to add new group](./media/groups-create-rule/create-new-group-azure-active-directory.png)
+   ![Screenshot showing how to select the "add new group" action](./media/groups-create-rule/create-new-group-azure-active-directory.png)
 
 1. On the **Group** page, enter a name and description for the new group. Select a **Membership type** for either users or devices, and then select **Add dynamic query**. The rule builder supports up to five expressions. To add more than five expressions, you must use the text box.
 
@@ -67,7 +66,7 @@ If the rule you entered isn't valid, an explanation of why the rule couldn't be
 1. Select a group to open its profile.
 1. On the profile page for the group, select **Dynamic membership rules**. The rule builder supports up to five expressions. To add more than five expressions, you must use the text box.
 
-   ![Add membership rule for a dynamic group](./media/groups-create-rule/update-dynamic-group-rule.png)
+   ![Screenshot showing how to add a membership rule for a dynamic group](./media/groups-create-rule/update-dynamic-group-rule.png)
 
 1. To see the custom extension properties available for your membership rule:
    1. Select **Get custom extension properties**
@@ -80,29 +79,31 @@ When a new Microsoft 365 group is created, a welcome email notification is sent
 
 ## Check processing status for a rule
 
-You can see the membership processing status and the last updated date on the **Overview** page for the group.
+You can see the dynamic rule processing status and the last membership change date on the **Overview** page for the group.
 
-  ![display of dynamic group status](./media/groups-create-rule/group-status.png)
+  ![Diagram of dynamic group status](./media/groups-create-rule/group-status.png)
 
-The following status messages can be shown for **Membership processing** status:
+The following status messages can be shown for **Dynamic rule processing** status:
 
 - **Evaluating**:  The group change has been received and the updates are being evaluated.
 - **Processing**: Updates are being processed.
 - **Update complete**: Processing has completed and all applicable updates have been made.
 - **Processing error**:  Processing couldn't be completed because of an error evaluating the membership rule.
 - **Update paused**: Dynamic membership rule updates have been paused by the administrator. MembershipRuleProcessingState is set to “Paused”.
 
-The following status messages can be shown for **Membership last updated** status:
+The following status messages can be shown for **Last membership change** status:
 
 - <**Date and time**>: The last time the membership was updated.
 - **In Progress**: Updates are currently in progress.
 - **Unknown**: The last update time can't be retrieved. The group might be new.
 
 If an error occurs while processing the membership rule for a specific group, an alert is shown on the top of the **Overview page** for the group. If no pending dynamic membership updates can be processed for all the groups within the organization for more than 24 hours, an alert is shown on the top of **All groups**.
 
-![processing error message alerts](./media/groups-create-rule/processing-error.png)
+![Screenshot showing how to process error message alerts](./media/groups-create-rule/processing-error.png)
 
-These articles provide additional information on groups in Azure Active Directory.
+## Next steps
+
+The following articles provide additional information on how to use groups in Azure Active Directory.
 
 - [See existing groups](../fundamentals/active-directory-groups-view-azure-portal.md)
 - [Create a new group and adding members](../fundamentals/active-directory-groups-create-azure-portal.md)

articles/active-directory/enterprise-users/media/groups-create-rule/group-status.png

@@ -7,7 +7,7 @@ metadata:
   ms.service: active-directory
   ms.subservice: B2B
   ms.topic: faq
-  ms.date: 03/31/2022
+  ms.date: 05/06/2022
   ms.author: mimart
   author: msmimart
   manager: celestedg
@@ -56,10 +56,9 @@ sections:
           The inviting organization performs multifactor authentication. The inviting organization must make sure that the organization has enough licenses for their B2B users who are using multifactor authentication.
 
       - question: |
-          What if a partner organization already has multifactor authentication set up? Can we trust their multifactor authentication, and not use our own multifactor authentication?
+          What if a partner organization already has multifactor authentication set up? Can we trust their multifactor authentication?
         answer: |
-          This feature is currently not supported. If access to your organization's resources requires multifactor authentication, the partner organization will need to register for multifactor authentication in your (the inviting) organization.
-
+          [Cross-tenant access settings](cross-tenant-access-overview.md) (preview) let you trust multifactor authentication and device claims ([compliant claims and hybrid Azure AD joined claims](../conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Azure AD organizations.
       - question: |
           How can I use delayed invitations?
         answer: |

articles/active-directory/external-identities/faq.yml

@@ -77,6 +77,9 @@ All of the tasks that you do on resources using the Azure Resource Manager must
 
 Before calling the APIs that generate the backup and restore, you need to get a token. The following example uses the [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory) NuGet package to retrieve the token.
 
+> [!IMPORTANT]
+> The [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory) NuGet package and Azure AD Authentication Library (ADAL) have been deprecated. No new features have been added since June 30, 2020.   We strongly encourage you to upgrade, see the [migration guide](/azure/active-directory/develop/msal-migration) for more details. 
+
 ```csharp
 using Microsoft.IdentityModel.Clients.ActiveDirectory;
 using System;

articles/api-management/api-management-howto-disaster-recovery-backup-restore.md

@@ -42,6 +42,16 @@
       href: application-lifecycle-management.md
     - name: Microservices
       href: microservices.md
+    - name: Networking
+      items: 
+      - name: Architecture overview
+        href: networking.md
+      - name: Deploy with an external environment
+        href: vnet-custom.md
+      - name: Deploy with an internal environment
+        href: vnet-custom-internal.md
+      - name: Firewall integration
+        href: firewall-integration.md
     - name: Observability
       href: observability.md
     - name: Health probes

articles/container-apps/TOC.yml

@@ -25,7 +25,7 @@ The following resources are free during each calendar month, per subscription:
 This article describes how to calculate the cost of running your container app. For pricing details in your account's currency, see [Azure Container Apps Pricing](https://azure.microsoft.com/pricing/details/container-apps/).
 
 > [!NOTE]
-> If you use Container Apps with [your own virtual network](vnet-custom.md#managed-resources) or your apps utilize other Azure resources, additional charges may apply.
+> If you use Container Apps with [your own virtual network](networking.md#managed-resources) or your apps utilize other Azure resources, additional charges may apply.
 
 ## Resource consumption charges
 

articles/container-apps/billing.md

@@ -0,0 +1,67 @@
+---
+title: Securing a custom VNET in Azure Container Apps Preview
+description: Firewall settings to secure a custom VNET in Azure Container Apps Preview
+services: container-apps
+author: JennyLawrance
+ms.service: container-apps
+ms.topic:  reference
+ms.date: 4/15/2022
+ms.author: jennylaw
+---
+
+# Securing a custom VNET in Azure Container Apps
+
+Firewall settings Network Security Groups (NSGs) needed to configure virtual networks closely resemble the settings required by Kubernetes.
+
+Some outbound dependencies of Azure Kubernetes Service (AKS) clusters rely exclusively on fully qualified domain names (FQDN), therefore securing an AKS cluster purely with NSGs isn't possible. Refer to [Control egress traffic for cluster nodes in Azure Kubernetes Service](/azure/aks/limit-egress-traffic) for details.
+
+* You can lock down a network via NSGs with more restrictive rules than the default NSG rules.
+* To fully secure a cluster, use a combination of NSGs and a firewall.
+
+## NSG allow rules
+
+The following tables describe how to configure a collection of NSG allow rules.
+
+### Inbound
+
+| Protocol | Port | ServiceTag | Description |
+|--|--|--|--|
+| Any | \* | Control plane subnet address space | Allow communication between IPs in the control plane subnet. This address is passed to as a parameter when you create an environment. For example, `10.0.0.0/21`. |
+| Any | \* | App subnet address space | Allow communication between nodes in the app subnet. This address is passed as a parameter when you create an environment. For example, `10.0.8.0/21`. |
+
+### Outbound with ServiceTags
+
+| Protocol | Port | ServiceTag | Description
+|--|--|--|--|
+| UDP | `1194` | `AzureCloud.<REGION>` | Required for internal AKS secure connection between underlying nodes and control plane. Replace `<REGION>` with the region where your container app is deployed. |
+| TCP | `9000` | `AzureCloud.<REGION>` | Required for internal AKS secure connection between underlying nodes and control plane. Replace `<REGION>` with the region where your container app is deployed. |
+| TCP | `443` | `AzureMonitor` | Allows outbound calls to Azure Monitor. |
+
+### Outbound with wild card IP rules
+
+As the following rules require allowing all IPs, use a Firewall solution to lock down to specific FQDNs.
+
+| Protocol | Port | IP | Description |
+|--|--|--|--|
+| TCP | `443` | \* | Allow all outbound on port `443` provides a way to allow all FQDN based outbound dependencies that don't have a static IP. |
+| UDP | `123` | \* | NTP server. If using firewall, allowlist `ntp.ubuntu.com:123`. |
+| Any | \* | Control plane subnet address space | Allow communication between IPs in the control plane subnet. This address is passed as a parameter when you create an environment. For example, `10.0.0.0/21`. |
+| Any | \* | App subnet address space | Allow communication between nodes in the App subnet. This address is passed as a parameter when you create an environment. For example, `10.0.8.0/21`. |
+
+## Firewall configuration
+
+### Outbound FQDN dependencies
+
+| FQDN | Protocol | Port | Description |
+|--|--|--|--|
+| `*.hcp.<REGION>.azmk8s.io` | HTTPS | `443` | Required for internal AKS secure connection between nodes and control plane. |
+| `mcr.microsoft.com` | HTTPS | `443` | Required to access images in Microsoft Container Registry (MCR). This registry contains first-party images and charts (for example, coreDNS). These images are required for the correct creation and functioning of the cluster, including scale and upgrade operations. |
+| `*.data.mcr.microsoft.com` | HTTPS | `443` | Required for MCR storage backed by the Azure content delivery network (CDN). |
+| `management.azure.com` | HTTPS | `443` | Required for Kubernetes operations against the Azure API. |
+| `login.microsoftonline.com` | HTTPS | `443` | Required for Azure Active Directory authentication. |
+| `packages.microsoft.com` | HTTPS | `443` | This address is the Microsoft packages repository used for cached apt-get operations. Example packages include Moby, PowerShell, and Azure CLI. |
+| `acs-mirror.azureedge.net` | HTTPS | `443` | This address is for the repository required to download and install required binaries like `kubenet` and Azure Container Networking Interface. |
+| `dc.services.visualstudio.com` | HTTPS | `443` | This endpoint is used for metrics and monitoring using Azure Monitor. |
+| `*.ods.opinsights.azure.com` | HTTPS | `443` | This endpoint is used by Azure Monitor for ingesting log analytics data. |
+| `*.oms.opinsights.azure.com` | HTTPS | `443` | This endpoint is used by `omsagent`, which is used to authenticate the log analytics service. |
+| `*.monitoring.azure.com` | HTTPS | `443` | This endpoint is used to send metrics data to Azure Monitor. |