Merge branch 'master' into dbradish_MayMsCustomFix

Author: dbradish-microsoft

.openpublishing.redirection.json

@@ -5240,6 +5240,11 @@
       "redirect_url": "/azure/architecture/vdc/networking-virtual-datacenter",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/automation/how-to/remove-desired-state-configuration-package.md",
+      "redirect_url": "/azure/automation/state-configuration/remove-node-and-configuration-package",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/automation/automation-watchers-tutorial.md",
       "redirect_url": "/azure/automation/automation-scenario-using-watcher-task",
@@ -13515,6 +13520,11 @@
       "redirect_url": "/azure/azure-toolkit-for-intelliJ",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/azure-vmware/reset-vsphere-credentials.md",
+      "redirect_url": "/azure/azure-vmware/rotate-cloudadmin-credentials",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/azure-vmware/set-up-backup-server-for-azure-vmware-solution.md",
       "redirect_url": "/azure/backup/backup-azure-microsoft-azure-backup",
@@ -64850,6 +64860,11 @@
       "redirect_url": "/azure/azure-monitor/alerts/tutorial-response",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/azure-monitor/alerts/tutorial-response.md",
+      "redirect_url": "/azure/azure-monitor/alerts/alerts-log",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/azure-monitor/samples/cli-samples.md",
       "redirect_url": "/azure/azure-monitor//cli-samples",

articles/active-directory-b2c/add-password-reset-policy.md

@@ -9,7 +9,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 03/22/2021
+ms.date: 05/11/2021
 ms.custom: project-no-code
 ms.author: mimart
 ms.subservice: B2C
@@ -57,10 +57,10 @@ To enable self-service password reset for the sign-up or sign-in user flow:
 1. Select **User flows**.
 1. Select a sign-up or sign-in user flow (of type **Recommended**) that you want to customize.
 1. Under **Settings** in the left menu, select **Properties**.
-1. Under **Password complexity**, select **Self-service password reset**.
+1. Under **Password configuration**, select **Self-service password reset**.
 1. Select **Save**.
 1. Under **Customize** in the left menu, select **Page layouts**.
-1. In the **Page Layout Version**, choose **2.1.2 - Current** or above.
+1. In the **Page Layout Version**, choose **2.1.3** or above.
 1. Select **Save**.
 
 ::: zone-end

articles/active-directory-b2c/azure-monitor.md

@@ -255,7 +255,7 @@ The workbook will display reports in the form of a dashboard.
 
 ## Create alerts
 
-Alerts are created by alert rules in Azure Monitor and can automatically run saved queries or custom log searches at regular intervals. You can create alerts based on specific performance metrics or when certain events are created, absence of an event, or a number of events are created within a particular time window. For example, alerts can be used to notify you when average number of sign-in exceeds a certain threshold. For more information, see [Create alerts](../azure-monitor/alerts/tutorial-response.md).
+Alerts are created by alert rules in Azure Monitor and can automatically run saved queries or custom log searches at regular intervals. You can create alerts based on specific performance metrics or when certain events are created, absence of an event, or a number of events are created within a particular time window. For example, alerts can be used to notify you when average number of sign-in exceeds a certain threshold. For more information, see [Create alerts](../azure-monitor/alerts/alerts-log.md).
 
 
 Use the following instructions to create a new Azure Alert, which will send an [email notification](../azure-monitor/alerts/action-groups.md#configure-notifications) whenever there is a 25% drop in the **Total Requests** compare to previous period. Alert will run every 5 minutes and look for the drop within last 24 hours windows. The alerts are created using Kusto query language.

articles/active-directory/app-provisioning/application-provisioning-log-analytics.md

@@ -91,7 +91,7 @@ AADProvisioningLogs
 
 Azure Monitor lets you configure custom alerts so that you can get notified about key events related to Provisioning. For example, you might want to receive an alert on spikes in failures. Or perhaps spikes in disables or deletes. Another example of where you might want to be alerted is a lack of any provisioning, which indicates something is wrong.
 
-To learn more about alerts, see [Respond to events with Azure Monitor Alerts](../../azure-monitor/alerts/tutorial-response.md).
+To learn more about alerts, see [Azure Monitor Log Alerts](../../azure-monitor/alerts/alerts-log.md).
 
 Alert when there's a spike in failures. Replace the jobID with the jobID for your application.
 

articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md

@@ -8,10 +8,9 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 04/28/2021
+ms.date: 05/10/2021
 ms.author: kenwith
 ms.reviewer: arvinh
-ms.custom: contperf-fy21q2
 ---
 # Tutorial: Develop and plan provisioning for a SCIM endpoint
 
@@ -78,7 +77,7 @@ To design your schema, follow these steps:
 |lastName|name.familyName|surName|
 |workMail|emails[type eq “work”].value|Mail|
 |manager|manager|manager|
-|tag|urn:ietf:params:scim:schemas:extension:2.0:CustomExtension:tag|extensionAttribute1|
+|tag|urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:tag|extensionAttribute1|
 |status|active|isSoftDeleted (computed value not stored on user)|
 
 **Example list of required attributes**
@@ -98,7 +97,7 @@ To design your schema, follow these steps:
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
      "Manager": "123456"
    },
-     "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:CustomAttribute:User": {
+     "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User": {
      "tag": "701984",
    },
    "meta": {

articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md

@@ -35,6 +35,8 @@ Administrators can assign a Conditional Access policy to the following cloud app
 - [Office 365](#office-365)
 - Azure Analysis Services
 - Azure DevOps
+- Azure Event Hubs
+- Azure Service Bus
 - [Azure SQL Database and Azure Synapse Analytics](../../azure-sql/database/conditional-access-configure.md)
 - Dynamics CRM Online
 - Microsoft Application Insights Analytics

articles/active-directory/develop/howto-configure-publisher-domain.md

@@ -82,14 +82,16 @@ If your app isn't registered in a tenant, you'll only see the option to verify a
 
 1. Click the **Verify and save domain** button.
 
+You're not required to maintain the resources that are used for verification after a domain has been verified. When the verification is finished, you can remove the hosted file.
+
 ### To select a verified domain
 
-- If your tenant has verified domains, select one of the domains from the **Select a verified domain** dropdown.
+If your tenant has verified domains, select one of the domains from the **Select a verified domain** dropdown.
 
->[!Note]
-> The expected 'Content-Type' header that should be returned is `application/json`. You may get an error as mentioned below if you use anything else like `application/json; charset=utf-8` 
+> [!NOTE]
+> The expected `Content-Type` header that should be returned is `application/json`. You may get an error as mentioned below if you use anything else, like `application/json; charset=utf-8`:
 > 
->``` "Verification of publisher domain failed. Error getting JSON file from https:///.well-known/microsoft-identity-association. The server returned an unexpected content type header value. " ```
+> `Verification of publisher domain failed. Error getting JSON file from https:///.well-known/microsoft-identity-association. The server returned an unexpected content type header value.`
 >
 
 ## Implications on the app consent prompt

articles/active-directory/devices/howto-vm-sign-in-azure-ad-linux.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: devices
 ms.topic: how-to
-ms.date: 05/07/2021
+ms.date: 05/10/2021
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -50,8 +50,9 @@ The following Linux distributions are currently supported during the preview of
 The following Azure regions are currently supported during the preview of this feature:
 
 - Azure Global
-- Azure Government
-- Azure China
+
+> [!Note]
+> The preview of this feature will be supported in Azure Government and Azure China by June of 2021.
  
 It's not supported to use this extension on Azure Kubernetes Service (AKS) clusters. For more information, see [Support policies for AKS](../../aks/support-policies.md).
 
@@ -67,24 +68,24 @@ VM network configuration must permit outbound access to the following endpoints
 
 For Azure Global
 
-- https://packages.microsoft.com – For package installation and upgrades.
-- http://169.254.169.254 – Azure Instance Metadata Service endpoint.
-- https://login.microsoftonline.com – For PAM (pluggable authentication modules) based authentication flows.
-- https://pas.windows.net – For Azure RBAC flows.
+- `https://packages.microsoft.com` – For package installation and upgrades.
+- `http://169.254.169.254` – Azure Instance Metadata Service endpoint.
+- `https://login.microsoftonline.com` – For PAM (pluggable authentication modules) based authentication flows.
+- `https://pas.windows.net` – For Azure RBAC flows.
 
 For Azure Government
 
-- https://packages.microsoft.com – For package installation and upgrades.
-- http://169.254.169.254 – Azure Instance Metadata Service endpoint.
-- https://login.microsoftonline.us – For PAM (pluggable authentication modules) based authentication flows.
-- https://pasff.usgovcloudapi.net – For Azure RBAC flows.
+- `https://packages.microsoft.com` – For package installation and upgrades.
+- `http://169.254.169.254` – Azure Instance Metadata Service endpoint.
+- `https://login.microsoftonline.us` – For PAM (pluggable authentication modules) based authentication flows.
+- `https://pasff.usgovcloudapi.net` – For Azure RBAC flows.
 
 For Azure China
 
-- https://packages.microsoft.com – For package installation and upgrades.
-- http://169.254.169.254 – Azure Instance Metadata Service endpoint.
-- https://login.chinacloudapi.cn – For PAM (pluggable authentication modules) based authentication flows.
-- https://pas.chinacloudapi.cn – For Azure RBAC flows.
+- `https://packages.microsoft.com` – For package installation and upgrades.
+- `http://169.254.169.254` – Azure Instance Metadata Service endpoint.
+- `https://login.chinacloudapi.cn` – For PAM (pluggable authentication modules) based authentication flows.
+- `https://pas.chinacloudapi.cn` – For Azure RBAC flows.
 
 ### Virtual machine
 
@@ -366,6 +367,9 @@ For customers who are using previous version of Azure AD login for Linux that wa
                 --resource-group myResourceGroup \
                 --vm-name myVM
       ```
+## Using Azure Policy to ensure standards and assess compliance
+
+Use Azure policy to ensure Azure AD login is enabled for your new and existing Linux virtual machines and assess compliance of your environment at scale on your Azure policy compliance dashboard. With this capability, you can use many levels of enforcement: you can flag new and existing Linux VMs within your environment that do not have Azure AD login enabled. You can also use Azure policy to deploy the Azure AD extension on new Linux VMs that do not have Azure AD login enabled, as well as remediate existing Linux VMs to the same standard. In addition to these capabilities, you can also use policy to detect and flag Linux VMs that have non-approved local accounts created on their machines. To learn more, review [Azure policy](https://www.aka.ms/AzurePolicy).
 
 ## Troubleshoot sign-in issues
 
@@ -430,10 +434,6 @@ Solution 2: Perform these actions:
 
 Virtual machine scale set VM connections may fail if the virtual machine scale set instances are running an old model. Upgrading virtual machine scale set instances to the latest model may resolve issues, especially if an upgrade has not been done since the Azure AD Login extension was installed. Upgrading an instance applies a standard virtual machine scale set configuration to the individual instance.
 
-### Other limitations
-
-Users that inherit access rights through nested groups or role assignments aren't currently supported. The user or group must be directly assigned the required role assignments. For example, the use of management groups or nested group role assignments won't grant the correct permissions to allow the user to sign in.
-
 ## Preview feedback
 
 Share your feedback about this preview feature or report issues using it on the [Azure AD feedback forum](https://feedback.azure.com/forums/169401-azure-active-directory?category_id=166032).

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: devices
 ms.topic: how-to
-ms.date: 07/20/2020
+ms.date: 05/10/2021
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -27,7 +27,7 @@ There are many security benefits of using Azure AD based authentication to login
 - With Conditional Access, configure policies to require multi-factor authentication and other signals such as low user and sign in risk before you can RDP to Windows VMs. 
 - Use Azure deploy and audit policies to require Azure AD login for Windows VMs and to flag use of no approved local account on the VMs.
 - Login to Windows VMs with Azure Active Directory also works for customers that use Federation Services.
-- Automate and scale Azure AD join with MDM auto enrollment with Intune of Azure Windows VMs that are part for your VDI deployments. MDM enrollment does not apply to Windows Server 2019 VM depolyments
+- Automate and scale Azure AD join with MDM auto enrollment with Intune of Azure Windows VMs that are part for your VDI deployments. Auto MDM enrollment requires Azure AD P1 license. Windows Server 2019 VMs do not support MDM enrollment.
 
 
 > [!NOTE]
@@ -58,24 +58,24 @@ This feature is now available in the following Azure clouds:
 To enable Azure AD authentication for your Windows VMs in Azure, you need to ensure your VMs network configuration permits outbound access to the following endpoints over TCP port 443:
 
 For Azure Global
-- https://enterpriseregistration.windows.net For device registration.
-- http://169.254.169.254 For Azure Instance Metadata Service endpoint.
-- https://login.microsoftonline.com For authentication flows.
-- https://pas.windows.net For Azure RBAC flows.
+- `https://enterpriseregistration.windows.net` - For device registration.
+- `http://169.254.169.254` - Azure Instance Metadata Service endpoint.
+- `https://login.microsoftonline.com` - For authentication flows.
+- `https://pas.windows.net` - For Azure RBAC flows.
 
 
 For Azure Government
-- https://enterpriseregistration.microsoftonline.us For device registration.
-- http://169.254.169.254 For Azure Instance Metadata Service.
-- https://login.microsoftonline.us For authentication flows.
-- https://pasff.usgovcloudapi.net For Azure RBAC flows.
+- `https://enterpriseregistration.microsoftonline.us` - For device registration.
+- `http://169.254.169.254` - Azure Instance Metadata Service.
+- `https://login.microsoftonline.us` - For authentication flows.
+- `https://pasff.usgovcloudapi.net` - For Azure RBAC flows.
 
 
 For Azure China
-- https://enterpriseregistration.partner.microsoftonline.cn For device registration.
-- http://169.254.169.254 Azure Instance Metadata Service endpoint.
-- https://login.chinacloudapi.cn For authentication flows.
-- https://pas.chinacloudapi.cn For Azure RBAC flows.
+- `https://enterpriseregistration.partner.microsoftonline.cn` - For device registration.
+- `http://169.254.169.254` - Azure Instance Metadata Service endpoint.
+- `https://login.chinacloudapi.cn` - For authentication flows.
+- `https://pas.chinacloudapi.cn` - For Azure RBAC flows.
 
 
 ## Enabling Azure AD login in for Windows VM in Azure
@@ -239,6 +239,10 @@ You are now signed in to the Windows Server 2019 Azure virtual machine with the
 > [!NOTE]
 > You can save the .RDP file locally on your computer to launch future remote desktop connections to your virtual machine instead of having to navigate to virtual machine overview page in the Azure portal and using the connect option.
 
+## Using Azure Policy to ensure standards and assess compliance
+
+Use Azure policy to ensure Azure AD login is enabled for your new and existing Windows virtual machines and assess compliance of your environment at scale on your Azure policy compliance dashboard. With this capability, you can use many levels of enforcement: you can flag new and existing Windows VMs within your environment that do not have Azure AD login enabled. You can also use Azure policy to deploy the Azure AD extension on new Windows VMs that do not have Azure AD login enabled, as well as remediate existing Windows VMs to the same standard. In addition to these capabilities, you can also use policy to detect and flag Windows VMs that have non-approved local accounts created on their machines. To learn more, review [Azure policy](https://www.aka.ms/AzurePolicy).
+
 ## Troubleshoot
 
 ### Troubleshoot deployment issues

articles/active-directory/external-identities/external-identities-pricing.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: conceptual
-ms.date: 09/21/2020
+ms.date: 05/05/2021
 
 ms.author: mimart
 author: msmimart
@@ -35,8 +35,8 @@ To take advantage of MAU billing, your Azure AD tenant must be linked to an Azur
 ## About monthly active users (MAU) billing
 
 In your Azure AD tenant, guest user collaboration usage is billed based on the count of unique guest users with authentication activity within a calendar month. This model replaces the 1:5 ratio billing model, which allowed up to five guest users for each Azure AD Premium license in your tenant. When your tenant is linked to a subscription and you use External Identities features to collaborate with guest users, you'll be automatically billed using the MAU-based billing model.
-  
-The pricing tier that applies to your guest users is based on the highest pricing tier assigned to your Azure AD tenant. For example, if the highest pricing tier in your tenant is Azure AD Premium P1, the Premium P1 pricing tier also applies to your guest users. If the highest pricing is Azure AD Free, you'll be asked to upgrade to a premium pricing tier when you try to use premium features for guest users.
+
+The pricing tier that applies to your guest users is based on the highest pricing tier assigned to your Azure AD tenant. For more information, see [Azure Active Directory External Identities Pricing](https://azure.microsoft.com/en-us/pricing/details/active-directory/external-identities/).
 
 ## Link your Azure AD tenant to a subscription