Merge pull request #185875 from MicrosoftDocs/master

Merge master to live, 4 AM

Author: ttorble

.openpublishing.redirection.json

@@ -25258,6 +25258,11 @@
       "redirect_url": "/azure/spring-cloud/expose-apps-gateway",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/spring-cloud/tutorial-dump-jvm-options.md",
+      "redirect_url": "/azure/spring-cloud/how-to-dump-jvm-options",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/spring-cloud/how-to-provision-azure-spring-cloud-instance-terraform.md",
       "redirect_url": "/azure/spring-cloud/quickstart-deploy-infrastructure-vnet-terraform",

articles/active-directory/roles/delegate-by-task.md

@@ -152,7 +152,7 @@ You can further restrict permissions by assigning roles at smaller scopes or by
 > | Manage user settings | [Global Administrator](../roles/permissions-reference.md#global-administrator) |  |
 > | Read access review of a group or of an app | [Security Reader](../roles/permissions-reference.md#security-reader) | [Security Administrator](../roles/permissions-reference.md#security-administrator)<br/>[User Administrator](../roles/permissions-reference.md#user-administrator) |
 > | Read all configuration | [Default user role](../fundamentals/users-default-permissions.md) |  |
-> | Update enterprise application assignments | [Enterprise application owner](../fundamentals/users-default-permissions.md#object-ownership) | [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator)<br/>[Application Administrator](../roles/permissions-reference.md#application-administrator) |
+> | Update enterprise application assignments | [Enterprise application owner](../fundamentals/users-default-permissions.md#object-ownership) | [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator)<br/>[Application Administrator](../roles/permissions-reference.md#application-administrator)<br/>[User Administrator](../roles/permissions-reference.md#user-administrator) |
 > | Update enterprise application owners | [Enterprise application owner](../fundamentals/users-default-permissions.md#object-ownership) | [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator)<br/>[Application Administrator](../roles/permissions-reference.md#application-administrator) |
 > | Update enterprise application properties | [Enterprise application owner](../fundamentals/users-default-permissions.md#object-ownership) | [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator)<br/>[Application Administrator](../roles/permissions-reference.md#application-administrator) |
 > | Update enterprise application provisioning | [Enterprise application owner](../fundamentals/users-default-permissions.md#object-ownership) | [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator)<br/>[Application Administrator](../roles/permissions-reference.md#application-administrator) |

articles/aks/use-group-managed-service-accounts.md

@@ -1,12 +1,12 @@
 ---
-title: Enable Group Managed Service Accounts (GMSA) for you Windows Server nodes on your Azure Kubernetes Service (AKS) cluster (Preview)
-description: Learn how to enable Group Managed Service Accounts (GMSA) for you Windows Server nodes on your Azure Kubernetes Service (AKS) cluster for securing your pods.
+title: Enable Group Managed Service Accounts (GMSA) for your Windows Server nodes on your Azure Kubernetes Service (AKS) cluster (Preview)
+description: Learn how to enable Group Managed Service Accounts (GMSA) for your Windows Server nodes on your Azure Kubernetes Service (AKS) cluster for securing your pods.
 services: container-service
 ms.topic: article
 ms.date: 11/01/2021
 ---
 
-# Enable Group Managed Service Accounts (GMSA) for you Windows Server nodes on your Azure Kubernetes Service (AKS) cluster (Preview)
+# Enable Group Managed Service Accounts (GMSA) for your Windows Server nodes on your Azure Kubernetes Service (AKS) cluster (Preview)
 
 [Group Managed Service Accounts (GMSA)][gmsa-overview] is a managed domain account for multiple servers that provides automatic password management, simplified service principal name (SPN) management and the ability to delegate the management to other administrators. AKS provides the ability to enable GMSA on your Windows Server nodes, which allows containers running on Windows Server nodes to integrate with and be managed by GMSA.
 
@@ -389,4 +389,4 @@ After running `kubectl get pods --watch` and waiting several minutes, if your po
 [az-provider-register]: /cli/azure/provider#az_provider_register
 [gmsa-getting-started]: /windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts
 [gmsa-overview]: /windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
-[rdp]: rdp.md
+[rdp]: rdp.md

articles/app-service/configure-language-nodejs.md

@@ -4,7 +4,7 @@ description: Learn how to configure a Node.js app in the native Windows instance
 ms.custom: devx-track-js, devx-track-azurecli
 ms.devlang: javascript
 ms.topic: article
-ms.date: 04/23/2021
+ms.date: 01/21/2022
 zone_pivot_groups: app-service-platform-windows-linux
 
 ---
@@ -56,10 +56,13 @@ az webapp list-runtimes --linux | grep NODE
 To set your app to a [supported Node.js version](#show-nodejs-version), run the following command in the [Cloud Shell](https://shell.azure.com) to set `WEBSITE_NODE_DEFAULT_VERSION` to a supported version:
 
 ```azurecli-interactive
-az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_NODE_DEFAULT_VERSION="10.15"
+az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_NODE_DEFAULT_VERSION="~16"
 ```
 
-This setting specifies the Node.js version to use, both at runtime and during automated package restore during App Service build automation. This setting only recognizes major minor versions, the _LTS_ moniker is not supported.
+> [!NOTE] 
+> This example uses the recommended "tilde syntax" to target the latest available version of Node.js 16 runtime on App Service.
+> 
+>Since the runtime is regularly patched and updated by the platform it's not recommended to target a specific minor version/patch as these are not guaranteed to be available due to potential security risks.
 
 > [!NOTE]
 > You should set the Node.js version in your project's `package.json`. The deployment engine runs in a separate process that contains all the supported Node.js versions.
@@ -71,7 +74,7 @@ This setting specifies the Node.js version to use, both at runtime and during au
 To set your app to a [supported Node.js version](#show-nodejs-version), run the following command in the [Cloud Shell](https://shell.azure.com):
 
 ```azurecli-interactive
-az webapp config set --resource-group <resource-group-name> --name <app-name> --linux-fx-version "NODE|10.14"
+az webapp config set --resource-group <resource-group-name> --name <app-name> --linux-fx-version "NODE|14-lts"
 ```
 
 This setting specifies the Node.js version to use, both at runtime and during automated package restore in Kudu.

articles/app-service/media/scenario-secure-app-access-microsoft-graph/enterprise-apps-all-applications.png

@@ -4,7 +4,7 @@ description: Learn about the OS functionality in Azure App Service on Windows. F
 
 ms.assetid: 39d5514f-0139-453a-b52e-4a1c06d8d914
 ms.topic: article
-ms.date: 09/09/2021
+ms.date: 01/21/2022
 ms.custom: seodec18
 
 ---
@@ -29,7 +29,8 @@ Because App Service supports a seamless scaling experience between different tie
 ## Development frameworks
 App Service pricing tiers control the amount of compute resources (CPU, disk storage, memory, and network egress) available to apps. However, the breadth of framework functionality available to apps remains the same regardless of the scaling tiers.
 
-App Service supports a variety of development frameworks, including ASP.NET, classic ASP, Node.js, PHP, and Python - all of which run as extensions within IIS. In order to simplify and normalize security configuration, App Service apps typically run the various development frameworks with their default settings. One approach to configuring apps could have been to customize the API surface area and functionality for each individual development framework. App Service instead takes a more generic approach by enabling a common baseline of operating system functionality regardless of an app's development framework.
+App Service supports a variety of development frameworks, including ASP.NET, classic ASP, Node.js, PHP, and Python.
+In order to simplify and normalize security configuration, App Service apps typically run the various development frameworks with their default settings. The frameworks and runtime components provided by the platform are updated regularly to satisfy security and compliance requirements, for this reason we do not guarantee specific minor/patch versions and recommend customers target major version as needed.
 
 The following sections summarize the general kinds of operating system functionality available to App Service apps.
 

articles/app-service/operating-system-functionality.md

@@ -2,7 +2,7 @@
 title: OS and runtime patching cadence
 description: Learn how Azure App Service updates the OS and runtimes, what runtimes and patch level your apps has, and how you can get update announcements.
 ms.topic: article
-ms.date: 02/02/2018
+ms.date: 01/21/2021
 ms.custom: seodec18, devx-track-azurecli
 
 ---
@@ -52,10 +52,13 @@ When a new major or minor version is added, it is installed side by side with th
 ```azurecli-interactive
 az webapp config set --net-framework-version v4.7 --resource-group <groupname> --name <appname>
 az webapp config set --php-version 7.0 --resource-group <groupname> --name <appname>
-az webapp config appsettings set --settings WEBSITE_NODE_DEFAULT_VERSION=8.9.3 --resource-group <groupname> --name <appname>
+az webapp config appsettings set --settings WEBSITE_NODE_DEFAULT_VERSION=~14 --resource-group <groupname> --name <appname>
 az webapp config set --python-version 3.8 --resource-group <groupname> --name <appname>
 az webapp config set --java-version 1.8 --java-container Tomcat --java-container-version 9.0 --resource-group <groupname> --name <appname>
 ```
+> [!NOTE] 
+> This example uses the recommended "tilde syntax" to target the latest available version of Node.js 16 runtime on Windows App Service.
+> 
 
 ## How can I query OS and runtime update status on my instances?  
 

articles/app-service/overview-patch-os-runtime.md

@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: app-service-web
 ms.topic: tutorial
 ms.workload: identity
-ms.date: 11/02/2021
+ms.date: 01/21/2022
 ms.author: ryanwi
 ms.reviewer: stsoneff
 ms.devlang: csharp, javascript
@@ -105,9 +105,9 @@ az rest --method post --uri $uri --body $body --headers "Content-Type=applicatio
 
 After executing the script, you can verify in the [Azure portal](https://portal.azure.com) that the requested API permissions are assigned to the managed identity.
 
-Go to **Azure Active Directory**, and then select **Enterprise applications**. This pane displays all the service principals in your tenant. In **All Applications**, select the service principal for the managed identity. 
+Go to **Azure Active Directory**, and then select **Enterprise applications**. This pane displays all the service principals in your tenant. In **Managed Identities**, select the service principal for the managed identity.
 
-If you're following this tutorial, there are two service principals with the same display name (SecureWebApp2020094113531, for example). The service principal that has a **Homepage URL** represents the web app in your tenant. The service principal without the **Homepage URL** represents the system-assigned managed identity for your web app. The **Object ID** value for the managed identity matches the object ID of the managed identity that you previously created.
+If you're following this tutorial, there are two service principals with the same display name (SecureWebApp2020094113531, for example). The service principal that has a **Homepage URL** represents the web app in your tenant. The service principal that appears in **Managed Identities** should *not* have a **Homepage URL** listed and the **Object ID** should match the object ID value of the managed identity in the [previous step](#enable-managed-identity-on-app).
 
 Select the service principal for the managed identity.
 
@@ -121,7 +121,7 @@ In **Overview**, select **Permissions**, and you'll see the added permissions fo
 
 # [C#](#tab/programming-language-csharp)
 
-The [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) class is used to get a token credential for your code to authorize requests to Microsoft Graph. Create an instance of the [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) class, which uses the managed identity to fetch tokens and attach them to the service client. The following code example gets the authenticated token credential and uses it to create a service client object, which gets the users in the group.
+The [ChainedTokenCredential](/dotnet/api/azure.identity.chainedtokencredential), [ManagedIdentityCredential](/dotnet/api/azure.identity.managedidentitycredential), and [EnvironmentCredential](/dotnet/api/azure.identity.environmentcredential) classes are used to get a token credential for your code to authorize requests to Microsoft Graph. Create an instance of the [ChainedTokenCredential](/dotnet/api/azure.identity.chainedtokencredential) class, which uses the managed identity in the App Service environment or the development environment variables to fetch tokens and attach them to the service client. The following code example gets the authenticated token credential and uses it to create a service client object, which gets the users in the group.
 
 To see this code as part of a sample application, see the [sample on GitHub](https://github.com/Azure-Samples/ms-identity-easyauth-dotnet-storage-graphapi/tree/main/3-WebApp-graphapi-managed-identity).
 
@@ -165,8 +165,12 @@ public IList<MSGraphUser> Users { get; set; }
 
 public async Task OnGetAsync()
 {
-    // Create the Microsoft Graph service client with a DefaultAzureCredential class, which gets an access token by using the available Managed Identity.
-    var credential = new DefaultAzureCredential();
+    // Create the Graph service client with a ChainedTokenCredential which gets an access
+    // token using the available Managed Identity or environment variables if running
+    // in development.
+    var credential = new ChainedTokenCredential(
+        new ManagedIdentityCredential(),
+        new EnvironmentCredential());
     var token = credential.GetToken(
         new Azure.Core.TokenRequestContext(
             new[] { "https://graph.microsoft.com/.default" }));

articles/app-service/scenario-secure-app-access-microsoft-graph-as-app.md

@@ -57,7 +57,7 @@ You can increase or remove quotas from your app by upgrading your App Service pl
 ## Understand metrics
 
 > [!NOTE]
-> **File System Usage** is a new metric being rolled out globally, no data is expected unless your app is hosted in an App Service Environment.
+> **File System Usage** is now available globally for apps hosted in multi-tenants and App Service Environment.
 > 
 
 > [!IMPORTANT]