Merge pull request #186053 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/azure-docs (branch master)

Author: huypub

articles/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md

@@ -53,6 +53,10 @@ You must also meet the following system requirements:
     - [Windows Server 2016](https://support.microsoft.com/help/4534307/windows-10-update-kb4534307)
     - [Windows Server 2019](https://support.microsoft.com/help/4534321/windows-10-update-kb4534321)
 
+- Have the credentials required to complete the steps in the scenario:
+    - An Active Directory user who is a member of the Domain Admins group for a domain and a member of the Enterprise Admins group for a forest. Referred to as **$domainCred**.
+    - An Azure Active Directory user who is a member of the Global Administrators role. Referred to as **$cloudCred**.
+ 
 ### Supported scenarios
 
 The scenario in this article supports SSO in both of the following instances:
@@ -108,10 +112,10 @@ Run the following steps in each domain and forest in your organization that cont
    $domain = "contoso.corp.com"
 
    # Enter an Azure Active Directory global administrator username and password.
-   $cloudCred = Get-Credential
+   $cloudCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group for a domain and a member of the Enterprise Admins group for a forest.'
 
    # Enter a domain administrator username and password.
-   $domainCred = Get-Credential
+   $domainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.'
 
    # Create the new Azure AD Kerberos Server object in Active Directory
    # and then publish it to Azure Active Directory.

articles/active-directory/develop/msal-net-client-assertions.md

@@ -71,36 +71,44 @@ jti | (a Guid) | The "jti" (JWT ID) claim provides a unique identifier for the J
 nbf | 1601519114 | The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. [RFC 7519, Section 4.1.5](https://tools.ietf.org/html/rfc7519#section-4.1.5).  Using the current time is appropriate. 
 sub | {ClientID} | The "sub" (subject) claim identifies the subject of the JWT, in this case also your application. Use the same value as `iss`. 
 
-Here is an example of how to craft these claims:
+If you use a certificate as a client secret, the certificate must be deployed safely. We recommend that you store the certificate in a secure spot supported by the platform, such as in the certificate store on Windows or by using Azure Key Vault.
+
+Here's an example of how to craft these claims:
 
 ```csharp
-private static IDictionary<string, string> GetClaims()
+using System.Collections.Generic;
+private static IDictionary<string, object> GetClaims(string tenantId, string clientId)
 {
-      //aud = https://login.microsoftonline.com/ + Tenant ID + /v2.0
-      string aud = $"https://login.microsoftonline.com/{tenantId}/v2.0";
-
-      string ConfidentialClientID = "00000000-0000-0000-0000-000000000000" //client id
-      const uint JwtToAadLifetimeInSeconds = 60 * 10; // Ten minutes
-      DateTime validFrom = DateTime.UtcNow;
-      var nbf = ConvertToTimeT(validFrom);
-      var exp = ConvertToTimeT(validFrom + TimeSpan.FromSeconds(JwtToAadLifetimeInSeconds));
-
-      return new Dictionary<string, string>()
-           {
-                { "aud", aud },
-                { "exp", exp.ToString() },
-                { "iss", ConfidentialClientID },
-                { "jti", Guid.NewGuid().ToString() },
-                { "nbf", nbf.ToString() },
-                { "sub", ConfidentialClientID }
-            };
+    //aud = https://login.microsoftonline.com/ + Tenant ID + /v2.0
+    string aud = $"https://login.microsoftonline.com/{tenantId}/v2.0";
+
+    string ConfidentialClientID = clientId; //client id 00000000-0000-0000-0000-000000000000
+    const uint JwtToAadLifetimeInSeconds = 60 * 10; // Ten minutes
+    DateTimeOffset validFrom = DateTimeOffset.UtcNow;
+    DateTimeOffset validUntil = validFrom.AddSeconds(JwtToAadLifetimeInSeconds);
+
+    return new Dictionary<string, object>()
+    {
+        { "aud", aud },
+        { "exp", validUntil.ToUnixTimeSeconds() },
+        { "iss", ConfidentialClientID },
+        { "jti", Guid.NewGuid().ToString() },
+        { "nbf", validFrom.ToUnixTimeSeconds() },
+        { "sub", ConfidentialClientID }
+    };
 }
 ```
 
-Here is how to craft a signed client assertion:
+Here's how to craft a signed client assertion:
 
 ```csharp
-string Encode(byte[] arg)
+using System.Collections.Generic;
+using System.Security.Cryptography.X509Certificates;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
+...
+static string Base64UrlEncode(byte[] arg)
 {
     char Base64PadCharacter = '=';
     char Base64Character62 = '+';
@@ -116,30 +124,28 @@ string Encode(byte[] arg)
     return s;
 }
 
-string GetSignedClientAssertion()
+static string GetSignedClientAssertion(X509Certificate2 certificate, string tenantId, string clientId)
 {
-    //Signing with SHA-256
-    string rsaSha256Signature = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
-     X509Certificate2 certificate = new X509Certificate2("Certificate.pfx", "Password", X509KeyStorageFlags.EphemeralKeySet);
-
-    //Create RSACryptoServiceProvider
-    var x509Key = new X509AsymmetricSecurityKey(certificate);
-    var privateKeyXmlParams = certificate.PrivateKey.ToXmlString(true);
-    var rsa = new RSACryptoServiceProvider();
-    rsa.FromXmlString(privateKeyXmlParams);
+    // Get the RSA with the private key, used for signing.
+    var rsa = certificate.GetRSAPrivateKey();
 
     //alg represents the desired signing algorithm, which is SHA-256 in this case
-    //kid represents the certificate thumbprint
+    //x5t represents the certificate thumbprint base64 url encoded
     var header = new Dictionary<string, string>()
-         {
-              { "alg", "RS256"},
-              { "kid", Encode(certificate.GetCertHash()) }
-         };
+    {
+        { "alg", "RS256"},
+        { "typ", "JWT" },
+        { "x5t", Base64UrlEncode(certificate.GetCertHash()) }
+    };
 
     //Please see the previous code snippet on how to craft claims for the GetClaims() method
-    string token = Encode(Encoding.UTF8.GetBytes(JObject.FromObject(header).ToString())) + "." + Encode(Encoding.UTF8.GetBytes(JObject.FromObject(GetClaims()).ToString()));
+    var claims = GetClaims(tenantId, clientId);
 
-    string signature = Encode(rsa.SignData(Encoding.UTF8.GetBytes(token), new SHA256Cng()));
+    var headerBytes = JsonSerializer.SerializeToUtf8Bytes(header);
+    var claimsBytes = JsonSerializer.SerializeToUtf8Bytes(claims);
+    string token = Base64UrlEncode(headerBytes) + "." + Base64UrlEncode(claimsBytes);
+
+    string signature = Base64UrlEncode(rsa.SignData(Encoding.UTF8.GetBytes(token), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
     string signedClientAssertion = string.Concat(token, ".", signature);
     return signedClientAssertion;
 }
@@ -150,10 +156,8 @@ string GetSignedClientAssertion()
 You also have the option of using [Microsoft.IdentityModel.JsonWebTokens](https://www.nuget.org/packages/Microsoft.IdentityModel.JsonWebTokens/) to create the assertion for you. The code will be a more elegant as shown in the example below:
 
 ```csharp
-        string GetSignedClientAssertion()
+        string GetSignedClientAssertionAlt(X509Certificate2 certificate)
         {
-            var cert = new X509Certificate2("Certificate.pfx", "Password", X509KeyStorageFlags.EphemeralKeySet);
-
             //aud = https://login.microsoftonline.com/ + Tenant ID + /v2.0
             string aud = $"https://login.microsoftonline.com/{tenantID}/v2.0";
 
@@ -172,7 +176,7 @@ You also have the option of using [Microsoft.IdentityModel.JsonWebTokens](https:
             var securityTokenDescriptor = new SecurityTokenDescriptor
             {
                 Claims = claims,
-                SigningCredentials = new X509SigningCredentials(cert)
+                SigningCredentials = new X509SigningCredentials(certificate)
             };
 
             var handler = new JsonWebTokenHandler();
@@ -183,7 +187,10 @@ You also have the option of using [Microsoft.IdentityModel.JsonWebTokens](https:
 Once you have your signed client assertion, you can use it with the MSAL apis as shown below.
 
 ```csharp
-            string signedClientAssertion = GetSignedClientAssertion();
+            X509Certificate2 certificate = ReadCertificate(config.CertificateName);
+            string signedClientAssertion = GetSignedClientAssertion(certificate, tenantId, ConfidentialClientID)
+            // OR
+            //string signedClientAssertion = GetSignedClientAssertionAlt(certificate);
 
             var confidentialApp = ConfidentialClientApplicationBuilder
                 .Create(ConfidentialClientID)

articles/active-directory/fundamentals/security-operations-privileged-accounts.md

@@ -198,7 +198,7 @@ You can monitor privileged account changes by using Azure AD Audit logs and Azur
 
 | What to monitor| Risk level| Where| Filter/subfilter| Notes |
 | - | - | - | - | - |
-| Added to eligible privileged role| High| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = ​<br>-and-<br>Activity type = Add member to role completed (eligible)<br>-and-<br>Status = Success or failure​<br>-and-<br>Modified properties = Role.DisplayName| Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml) |
+| Added to eligible privileged role| High| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role management​<br>-and-<br>Activity type = Add member to role completed (eligible)<br>-and-<br>Status = Success or failure​<br>-and-<br>Modified properties = Role.DisplayName| Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml) |
 | Roles assigned out of PIM| High| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role management​<br>-and-<br>Activity type = Add member to role (permanent)<br>-and-<br>Status = Success or failure<br>-and-<br>Modified properties = Role.DisplayName| These roles should be closely monitored and alerted. Users shouldn't be assigned roles outside of PIM where possible.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivlegedRoleAssignedOutsidePIM.yaml) |
 | Elevations| Medium| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role management<br>-and-<br>Activity type = Add member to role completed (PIM activation)<br>-and-<br>Status = Success or failure <br>-and-<br>Modified properties = Role.DisplayName| After a privileged account is elevated, it can now make changes that could affect the security of your tenant. All elevations should be logged and, if happening outside of the standard pattern for that user, should be alerted and investigated if not planned. |
 | Approvals and deny elevation| Low| Azure AD Audit Logs| Service = Access Review<br>-and-<br>Category = UserManagement<br>-and-<br>Activity type = Request approved or denied<br>-and-<br>Initiated actor = UPN| Monitor all elevations because it could give a clear indication of the timeline for an attack.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PIMElevationRequestRejected.yaml) |

articles/active-directory/saas-apps/pendo-tutorial.md

@@ -70,8 +70,8 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
 
 1. On the **Set-up single sign-on with SAML** page, perform the following steps:
 
-    a. In the **Identifier** text box, type a URL using the following pattern:
-    `https://sso.connect.pingidentity.com/<CUSTOM_GUID>`
+    a. In the **Identifier** text box, enter `PingConnect`. (If this identifier is already used by another application, contact the [Pendo support team](mailto:[email protected]).)
+    
 
     b. In the **Relay State** text box, type a URL using the following pattern:
     `https://pingone.com/1.0/<CUSTOM_GUID>`

articles/automation/overview.md

@@ -99,7 +99,7 @@ Azure Automation supports management throughout the lifecycle of your infrastruc
 * **Dev/test automation scenarios** - Start and start resources, scale resources, etc.
 * **Governance related automation** - Automatically apply or update tags, locks, etc.
 * **Azure Site Recovery** - orchestrate pre/post scripts defined in a Site Recovery DR workflow.
-* **Windows Virtual Desktop** - orchestrate scaling of VMs or start/stop VMs based on utilization.
+* **Azure Virtual Desktop** - orchestrate scaling of VMs or start/stop VMs based on utilization.
 
 Depending on your requirements, one or more of the following Azure services integrate with or compliment Azure Automation to help fullfil them:
 
@@ -125,4 +125,4 @@ You can review the prices associated with Azure Automation on the [pricing](http
 ## Next steps
 
 > [!div class="nextstepaction"]
-> [Create an Automation account](./quickstarts/create-account-portal.md)
+> [Create an Automation account](./quickstarts/create-account-portal.md)

articles/azure-percept/azure-percept-devkit-container-release-notes.md

@@ -17,7 +17,7 @@ To download the container updates, go to [Azure Percept Studio](https://ms.porta
 ## December (2112) Release
 
 - Removed lines in the image frames using automatic image capture in Azure Percept Studio. This issue was introduced in the 2108 module release.  
-- Security fixes for docker services running as root in azureeyemodule, azureearspeechclientmodule, and webstreammodule. 
+- Security fixes for docker services running as root in azureeyemodule (mcr.microsoft.com/azureedgedevices/azureeyemodule:2112-1), azureearspeechclientmodule, and webstreammodule. 
 
 ## August (2108) Release
 

articles/azure-sql/database/features-comparison.md

@@ -148,7 +148,7 @@ The Azure platform provides a number of PaaS capabilities that are added as an a
 | [SQL Server Reporting Services (SSRS)](/sql/reporting-services/create-deploy-and-manage-mobile-and-paginated-reports) | No - [see Power BI](/power-bi/) | No - use [Power BI paginated reports](/power-bi/paginated-reports/paginated-reports-report-builder-power-bi) instead or host SSRS on an Azure VM. While SQL Managed Instance cannot run SSRS as a service, it can host [SSRS catalog databases](/sql/reporting-services/install-windows/ssrs-report-server-create-a-report-server-database#database-server-version-requirements) for a reporting server installed on Azure Virtual Machine, using SQL Server authentication. |
 | [Query Performance Insights (QPI)](query-performance-insight-use.md) | Yes | No. Use built-in reports in SQL Server Management Studio and Azure Data Studio. |
 | [VNet](../../virtual-network/virtual-networks-overview.md) | Partial, it enables restricted access using [VNet Endpoints](vnet-service-endpoint-rule-overview.md) | Yes, SQL Managed Instance is injected in customer's VNet. See [subnet](../managed-instance/transact-sql-tsql-differences-sql-server.md#subnet) and [VNet](../managed-instance/transact-sql-tsql-differences-sql-server.md#vnet) |
-| VNet Service endpoint | [Yes](vnet-service-endpoint-rule-overview.md) | No |
+| VNet Service endpoint | [Yes](vnet-service-endpoint-rule-overview.md) | Yes |
 | VNet Global peering | Yes, using [Private IP and service endpoints](vnet-service-endpoint-rule-overview.md) | Yes, using [Virtual network peering](https://techcommunity.microsoft.com/t5/azure-sql/new-feature-global-vnet-peering-support-for-azure-sql-managed/ba-p/1746913). |
 | [Private connectivity](../../private-link/private-link-overview.md) | Yes, using [Private Link](../../private-link/private-endpoint-overview.md) | Yes, using VNet. | 
 

articles/frontdoor/front-door-routing-architecture.md

@@ -20,7 +20,7 @@ When Azure Front Door receives your client requests, it will do one of two thing
 
 Traffic routed to the Azure Front Door environments uses [Anycast](https://en.wikipedia.org/wiki/Anycast) for both DNS (Domain Name System) and HTTP (Hypertext Transfer Protocol) traffic, which allows for user requests to reach the closest environment in the fewest network hops. This architecture offers better round-trip times for end users by maximizing the benefits of Split TCP. Front Door organizes its environments into primary and fallback "rings". The outer ring has environments that are closer to users, offering lower latencies.  The inner ring has environments that can handle the failover for the outer ring environment in case any issues happen. The outer ring is the preferred target for all traffic and the inner ring is to handle traffic overflow from the outer ring. Each frontend host or domain served by Front Door gets assigned a primary VIP (Virtual Internet Protocol addresses), which gets announced by environments in both the inner and outer ring. A fallback VIP is only announced by environments in the inner ring. 
 
-This architecture ensures that requests from your end users always reach the closest Front Door environment. Even if the preferred Front Door environment is unhealthy all traffic automatically moves to the next closest environment.
+This architecture ensures that requests from your end users always reach the closest Front Door environment. If the preferred Front Door environment is unhealthy, all traffic automatically moves to the next closest environment.
 
 ## <a name = "splittcp"></a>Connecting to Front Door environment (Split TCP)