Merge branch 'main' into 6-azure-purview-to-microsoft-purview

Author: whhender

articles/active-directory/conditional-access/concept-conditional-access-users-groups.md

@@ -74,7 +74,7 @@ By default the policy will provide an option to exclude the current user from th
 
 ![Warning, don't lock yourself out!](./media/concept-conditional-access-users-groups/conditional-access-users-and-groups-lockout-warning.png)
 
-If you do find yourself locked out[What to do if you are locked out of the Azure portal?](troubleshoot-conditional-access.md#what-to-do-if-youre-locked-out-of-the-azure-portal)
+If you do find yourself locked out, see [What to do if you are locked out of the Azure portal?](troubleshoot-conditional-access.md#what-to-do-if-youre-locked-out-of-the-azure-portal)
 
 ## Next steps
 

articles/active-directory/devices/howto-vm-sign-in-azure-ad-linux.md

@@ -56,6 +56,9 @@ It's not supported to use this extension on Azure Kubernetes Service (AKS) clust
 
 If you choose to install and use the CLI locally, you must be running the Azure CLI version 2.22.1 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).
 
+> [!NOTE]
+> This is functionality is also available for [Azure Arc-enabled servers](../../azure-arc/servers/ssh-arc-overview.md).
+
 ## Requirements for login with Azure AD using openSSH certificate-based authentication
 
 To enable Azure AD login using SSH certificate-based authentication for Linux VMs in Azure, ensure the following network, virtual machine, and client (ssh client) requirements are met.
@@ -365,8 +368,8 @@ For customers who are using previous version of Azure AD login for Linux that wa
    ```azurecli
    az vm extension delete -g MyResourceGroup --vm-name MyVm -n AADLoginForLinux
    ```
-> [!NOTE]
-> The extension uninstall can fail if there are any Azure AD users currently logged in on the VM. Make sure all users are logged off first.
+    > [!NOTE]
+    > The extension uninstall can fail if there are any Azure AD users currently logged in on the VM. Make sure all users are logged off first.
 
 1. Enable system-assigned managed identity on your VM.
 
@@ -448,7 +451,7 @@ Solution 1: Upgrade the Azure CLI client to version 2.21.0 or higher.
 
 After the user has successfully signed in using az login, connection to the VM using `az ssh vm -ip <addres>` or `az ssh vm --name <vm_name> -g <resource_group>` fails with *Connection closed by <ip_address> port 22*.
 
-Cause 1: The user isn’t assigned to the either the Virtual Machine Administrator/User Login Azure RBAC roles within the scope of this VM.
+Cause 1: The user isn’t assigned to either of the Virtual Machine Administrator/User Login Azure RBAC roles within the scope of this VM.
 
 Solution 1: Add the user to the either of the Virtual Machine Administrator/User Login Azure RBAC roles within the scope of this VM.
 

articles/active-directory/enterprise-users/domains-verify-custom-subdomain.md

@@ -25,11 +25,9 @@ After a root domain is added to Azure Active Directory (Azure AD), all subsequen
 
 In the Azure AD portal, when the parent domain is federated and the admin tries to verify a managed subdomain on the **Custom domain names** page, you'll get a 'Failed to add domain' error with the reason "One or more properties contains invalid values." If you try to add this subdomain from the Microsoft 365 admin center, you will receive a similar error. For more information about the error, see [A child domain doesn't inherit parent domain changes in Office 365, Azure, or Intune](/office365/troubleshoot/administration/child-domain-fails-inherit-parent-domain-changes).
 
-## How to verify a custom subdomain
-
 Because subdomains inherit the authentication type of the root domain by default, you must promote the subdomain to a root domain in Azure AD using the Microsoft Graph so you can set the authentication type to your desired type.
 
-### Add the subdomain and view its authentication type
+## Add the subdomain
 
 1. Use PowerShell to add the new subdomain, which has its root domain's default authentication type. The Azure AD and Microsoft 365 admin centers don't yet support this operation.
 
@@ -61,15 +59,15 @@ Because subdomains inherit the authentication type of the root domain by default
      },
    ```
 
-### Use Microsoft Graph API to make this a root domain
+## Change subdomain to a root domain
 
 Use the following command to promote the subdomain:
 
 ```http
 POST https://graph.microsoft.com/v1.0/domains/foo.contoso.com/promote
 ```
 
-#### Promote command error conditions
+### Promote command error conditions
 
 Scenario | Method | Code | Message
 -------- | ------ | ---- | -------

articles/active-directory/managed-identities-azure-resources/TOC.yml

@@ -125,6 +125,8 @@
       href: how-to-assign-app-role-managed-identity-cli.md
   - name: View managed identity activity
     href: how-to-view-managed-identity-activity.md
+  - name: Move a managed identity to a new region
+    href: how-to-managed-identity-regional-move.md
 
 - name: Reference
   items:

articles/active-directory/managed-identities-azure-resources/how-to-managed-identity-regional-move.md

@@ -0,0 +1,53 @@
+---
+title: Move managed identities to another region - Azure AD
+description: Steps involved in getting a managed identity recreated in another region
+services: active-directory
+documentationcenter: 
+author: barclayn
+manager: karenhoran
+editor: 
+
+ms.service: active-directory
+ms.subservice: msi
+ms.topic: how-to
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.date: 04/13/2022
+ms.author: barclayn
+ms.custom: subject-moving-resources
+
+---
+
+# Move managed identity for Azure resources across regions
+
+There are situations in which you'd want to move your existing user-assigned managed identities from one region to another. For example, you may need to move a solution that uses user-assigned managed identities to another region. You may also want to move an existing identity to another region as part of disaster recovery planning, and testing.
+
+Moving User-assigned managed identities across Azure regions is not supported.  You can however, recreate a user-assigned managed identity in the target region.
+
+## Prerequisites
+
+- Permissions to list permissions granted to existing user-assigned managed identity.
+- Permissions to grant a new user-assigned managed identity the required permissions.
+- Permissions to assign a new user-assigned identity to the Azure resources.
+- Permissions to edit Group membership, if your user-assigned managed identity is a member of one or more groups.
+
+## Prepare and move
+
+1. Copy user-assigned managed identity assigned permissions. You can list [Azure role assignments](../../role-based-access-control/role-assignments-list-powershell.md) but that may not be enough depending on how permissions were granted to the user-assigned managed identity. You should confirm that your solution doesn't depend on permissions granted using a service specific option.
+1. Create a [new user-assigned managed identity](how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-powershell#create-a-user-assigned-managed-identity-2) at the target region.
+1. Grant the managed identity the same permissions as the original identity that it's replacing, including Group membership. You can review [Assign Azure roles to a managed identity](../../role-based-access-control/role-assignments-portal-managed-identity.md), and [Group membership](../../active-directory/fundamentals/active-directory-groups-view-azure-portal.md).
+1. Specify the new identity in the properties of the resource instance that uses the newly created user assigned managed identity.
+
+## Verify
+
+After reconfiguring your service to use your new managed identities in the target region, you need to confirm that all operations have been restored.
+
+## Clean up
+
+Once that you confirm your service is back online, you can proceed to delete any resources in the source region that you no longer use.
+
+## Next steps
+
+In this tutorial, you took the steps needed to recreate a user-assigned managed identity in a new region.
+
+- [Manage user-assigned managed identities](how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-powershell#delete-a-user-assigned-managed-identity-2)

articles/active-directory/managed-identities-azure-resources/managed-identities-status.md

@@ -57,7 +57,7 @@ The following Azure services support managed identities for Azure resources:
 | Azure Media services            | [Managed identities](/azure/media-services/latest/concept-managed-identities) |
 | Azure Monitor                   | [Azure Monitor customer-managed key](../../azure-monitor/logs/customer-managed-keys.md?tabs=portal)                                                                                              |
 | Azure Policy                    | [Remediate non-compliant resources with Azure Policy](../../governance/policy/how-to/remediate-resources.md)      |
-| Azure Purview                   | [Credentials for source authentication in Azure Purview](../../purview/manage-credentials.md)                                                                                                                          |
+| Microsoft Purview                   | [Credentials for source authentication in Microsoft Purview](../../purview/manage-credentials.md)                                                                                                                          |
 | Azure Resource Mover            | [Move resources across regions (from resource group)](../../resource-mover/move-region-within-resource-group.md)
 | Azure Site Recovery             | [Replicate machines with private endpoints](../../site-recovery/azure-to-azure-how-to-enable-replication-private-endpoints.md#enable-the-managed-identity-for-the-vault)                                  |
 | Azure Search                    | [Set up an indexer connection to a data source using a managed identity](../../search/search-howto-managed-identities-data-sources.md)                                                                                            |

articles/api-management/api-management-api-import-restrictions.md

@@ -15,23 +15,27 @@ ms.author: danlep
 # API import restrictions and known issues
 
 When importing an API, you might encounter some restrictions or need to identify and rectify issues before you can successfully import. In this article, you'll learn:
+
 * API Management's behavior during OpenAPI import. 
 * OpenAPI import limitations and how OpenAPI export works.
 * Requirements and limitations for WSDL and WADL import.
 
 ## API Management during OpenAPI import
 
 During OpenAPI import, API Management:
+
 * Checks specifically for query string parameters marked as required.
 * Converts the query string parameters to template parameters. 
 
 If you prefer a different behavior, you can either: 
+
 * Manually change via form-based editor, or 
 * Remove the "required" attribute from the OpenAPI definition, thus not converting them to template parameters.
 
 ## <a name="open-api"> </a>OpenAPI/Swagger import limitations
 
 If you receive errors while importing your OpenAPI document, make sure you've validated it beforehand by either:
+
 * Using the designer in the Azure portal (Design > Front End > OpenAPI Specification Editor), or 
 * With a third-party tool, such as <a href="https://editor.swagger.io">Swagger Editor</a>.
 
@@ -52,10 +56,10 @@ If you receive errors while importing your OpenAPI document, make sure you've va
 **Supported versions**
 
 API Management only supports:
+
 * OpenAPI version 2.
 * OpenAPI version 3.0.x (up to version 3.0.3).
-
-OpenAPI version 3.1 is currently not supported in API Management.
+* OpenAPI version 3.1 (import only)
 
 **Size limitations**
 
@@ -65,6 +69,7 @@ OpenAPI version 3.1 is currently not supported in API Management.
 | **Size limit doesn't apply** | When an OpenAPI document is provided via a URL to a location accessible from your API Management service. |
 
 #### Supported extensions
+
 The only supported extensions are:
 
 | Extension | Description |
@@ -73,40 +78,62 @@ The only supported extensions are:
 | **`x-servers`** | A backport of the [OpenAPI 3 `servers` object](https://swagger.io/docs/specification/api-host-and-base-path/) for OpenAPI 2. |
 
 #### Unsupported extensions
+
 | Extension | Description |
 | ----------- | ----------- |
 | **`Recursion`** | API Management doesn't support definitions defined recursively.<br />For example, schemas referring to themselves. |
 | **`Server` object** | Not supported on the API operation level. |
 | **`Produces` keyword** | Describes MIME types returned by an API. <br />Not supported. |
 
 #### Custom extensions
-- Are ignored on import.
-- Aren't saved or preserved for export.
+
+* Are ignored on import.
+* Aren't saved or preserved for export.
 
 #### Unsupported definitions 
+
 Inline schema definitions for API operations aren't supported. Schema definitions:
-- Are defined in the API scope.
-- Can be referenced in API operations request or response scopes.
+
+* Are defined in the API scope.
+* Can be referenced in API operations request or response scopes.
 
 #### Ignored definitions
+
 Security definitions are ignored.
 
+#### Definition restrictions
+
+<!-- Ref: 1851786 Query parameter handling -->
+When importing query parameters, only the default array serialization method (`style: form`, `explode: true`) is supported.  For more details on query parameters in OpenAPI specifications, refer to [the serialization specification](https://swagger.io/docs/specification/serialization/).
+
+<!-- Ref: 1795433 Parameter limitations -->
+Parameters [defined in cookies](https://swagger.io/docs/specification/describing-parameters/#cookie-parameters) are not supported.  You can still use policy to decode and validate the contents of cookies.  
+
 ### <a name="open-api-v2"> </a>OpenAPI version 2
 
 OpenAPI version 2 support is limited to JSON format only.
 
-### <a name="open-api-v3"> </a>OpenAPI version 3.0.x
+<!-- Ref: 1795433 Parameter limitations -->
+["Form" type parameters](https://swagger.io/specification/v2/#parameter-object) are not supported.  You can still use policy to decode and validate `application/x-www-form-urlencoded` and `application/form-data` payloads.
+
+### <a name="open-api-v3"> </a>OpenAPI version 3.x
 
-The latest supported OpenAPI version 3.0 is 3.0.3.
+API Management supports the following specification versions:
+
+* [OpenAPI 3.0.3](https://swagger.io/specification/)
+* [OpenAPI 3.1.0](https://spec.openapis.org/oas/v3.1.0) (import only)
 
 #### HTTPS URLs
-- If multiple `servers` are specified, API Management will use the first HTTPS URL it finds. 
-- If there aren't any HTTPS URLs, the server URL will be empty.
+
+* If multiple `servers` are specified, API Management will use the first HTTPS URL it finds. 
+* If there aren't any HTTPS URLs, the server URL will be empty.
 
 #### Supported
+
 - `example`
 
 #### Unsupported
+
 The following fields are included in [OpenAPI version 3.0.x](https://swagger.io/specification/), but are not supported:
 
 | Object | Field |
@@ -122,6 +149,7 @@ The following fields are included in [OpenAPI version 3.0.x](https://swagger.io/
 ### <a name="open-import-export-general"> </a>General
 
 API definitions exported from an API Management service are:
+
 * Primarily intended for external applications that need to call the API hosted in API Management service. 
 * Not intended to be imported into the same or different API Management service. 
 

articles/api-management/api-management-using-with-internal-vnet.md

@@ -66,7 +66,7 @@ After successful deployment, you should see your API Management service's **priv
  
 ### Enable connectivity using a Resource Manager template (`stv2` platform)
 
-* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-internal-vnet-publicip) (API version 2021-01-01-preview )
+* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-internal-vnet-publicip) (API version 2021-08-01 )
 
      [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.apimanagement%2Fapi-management-create-with-internal-vnet-publicip%2Fazuredeploy.json)
 

articles/api-management/api-management-using-with-vnet.md

@@ -53,7 +53,7 @@ It can take 15 to 45 minutes to update the API Management instance. The Develope
 
 ### Enable connectivity using a Resource Manager template (`stv2` compute platform)
 
-* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-external-vnet-publicip) (API version 2021-01-01-preview)
+* Azure Resource Manager [template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.apimanagement/api-management-create-with-external-vnet-publicip) (API version 2021-08-01)
 
      [![Deploy to Azure](../media/template-deployments/deploy-to-azure.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.apimanagement%2Fapi-management-create-with-external-vnet-publicip%2Fazuredeploy.json)