Merge pull request #178697 from MicrosoftDocs/master

Merge master to live, 4 AM

Author: v-ccolin

.openpublishing.publish.config.json

@@ -45,6 +45,12 @@
       "branch": "master",
       "branch_mapping": {}
     },
+    {
+      "path_to_root": "azure_arc_sample",
+      "url": "https://github.com/microsoft/azure_arc",
+      "branch": "main",
+      "branch_mapping": {}
+    },
     {
       "path_to_root": "resourcemanager-templates",
       "url": "https://github.com/Azure/azure-docs-json-samples",

.openpublishing.redirection.json

@@ -164,6 +164,8 @@
       href: howto-password-ban-bad-on-premises-agent-versions.md
   - name: Nudge Microsoft Authenticator setup (Preview)
     href: how-to-nudge-authenticator-app.md
+  - name: Use Microsoft managed settings 
+    href: how-to-mfa-microsoft-managed.md
   - name: Use a Temporary Access Pass (Preview)
     href: howto-authentication-temporary-access-pass.md
   - name: Use SMS-based authentication

articles/active-directory/authentication/TOC.yml

@@ -0,0 +1,35 @@
+---
+title: Use Microsoft managed settings for the Authentication Methods Policy - Azure Active Directory
+description: Learn how to use Microsoft managed settings for Microsoft Authenticator
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: authentication
+ms.topic: conceptual
+ms.date: 11/03/2021
+
+ms.author: justinha
+author: mjsantani
+manager: daveba
+
+ms.collection: M365-identity-device-management
+
+# Customer intent: As an identity administrator, I want to encourage users to use the Microsoft Authenticator app in Azure AD to improve and secure user sign-in events.
+---
+# How to use Microsoft managed settings - Authentication Methods Policy
+
+In addition to configuring Authentication Methods Policy settings to be either **Enabled** or **Disabled**, IT admins can configure some settings to be **Microsoft managed**. A setting that is configured as **Microsoft managed** allows Azure AD to enable or disable the setting. 
+
+## Settings that can be Microsoft managed
+
+The following table lists settings that can be set to Microsoft managed and whether it is enabled or disabled. 
+
+| Setting         | Configuration |
+|-----------------|---------------|
+| [Registration campaign](how-to-nudge-authenticator-app.md)  | Disabled      |
+| Number match        | Disabled      |
+| Additional context  | Disabled      |
+
+## Next steps
+
+[Authentication methods in Azure Active Directory - Microsoft Authenticator app](concept-authentication-authenticator-app.md)

articles/active-directory/authentication/how-to-mfa-microsoft-managed.md

@@ -169,6 +169,9 @@ More information about continuous access evaluation as a session control can be
 
 With the latest CAE setting under Conditional Access, strict enforcement is a new feature that allows for enhanced security based on two factors: IP address variation and client capability. This functionality can be enabled while customizing CAE options for a given policy. By turning on strict enforcement, CAE will revoke access upon detecting any instances of either [IP address variation](#ip-address-variation) or a lack of CAE [client capability](#client-capabilities).
 
+> [!NOTE] 
+> You should only enable strict enforcement after you ensure that all the client applications support CAE and you have included all your IP addresses seen by Azure AD and the resource providers, like Exchange online and Azure Resource Mananger, in your location policy under Conditional Access. Otherwise, you could be blocked.
+
 ## Limitations
 
 ### Group membership and Policy update effective time

articles/active-directory/conditional-access/concept-continuous-access-evaluation.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 09/21/2021
+ms.date: 11/03/2021
 ms.author: negoe
 ms.reviewer: marsma, negoe,celested
 ms.custom: aaddev,references_regions
@@ -24,9 +24,9 @@ Including the global Azure cloud, Azure Active Directory (Azure AD) is deplo
 
 - Azure Government
 - Azure China 21Vianet
-- Azure Germany ([Closing on October 29, 2021](https://www.microsoft.com/cloud-platform/germany-cloud-regions)). Learn more about [Azure Germany migration](#azure-germany-microsoft-cloud-deutschland).
+- Azure Germany ([Closed on October 29, 2021](https://www.microsoft.com/cloud-platform/germany-cloud-regions)). Learn more about [Azure Germany migration](#azure-germany-microsoft-cloud-deutschland).
 
-Each cloud _instance_, the individual national clouds and the global Azure cloud, is a separate environment with its own endpoints. Cloud-specific endpoints include OAuth 2.0 access token and OpenID Connect ID token request endpoints, and URLs for app management and deployment, like the Azure portal.
+The individual national clouds and the global Azure cloud are cloud _instances_. Each cloud instance is separate from the others and has its own environment and _endpoints_. Cloud-specific endpoints include OAuth 2.0 access token and OpenID Connect ID token request endpoints, and URLs for app management and deployment, like the Azure portal.
 
 As you develop your apps, use the endpoints for the cloud instance where you'll deploy the application.
 
@@ -42,6 +42,18 @@ The following table lists the base URLs for the Azure AD endpoints used to regis
 | Azure portal China operated by 21Vianet | `https://portal.azure.cn`  |
 | Azure portal (global service)           | `https://portal.azure.com` |
 
+## Application endpoints
+
+You can find the authentication endpoints for your application in the Azure portal.
+
+1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
+1. Select **Azure Active Directory**.
+1. Under **Manage**, select **App registrations**, and then select **Endpoints** in the top menu.
+
+   The **Endpoints** page is displayed showing the authentication endpoints for the application registered in your Azure AD tenant.
+
+   Use the endpoint that matches the authentication protocol you're using in conjunction with the **Application (client) ID** to craft the authentication request specific to your application.
+
 ## Azure AD authentication endpoints
 
 All the national clouds authenticate users separately in each environment and have separate authentication endpoints.
@@ -63,17 +75,15 @@ For single-tenant applications, replace "common" in the previous URLs with your
 
 ## Azure Germany (Microsoft Cloud Deutschland)
 
-> [!WARNING]
-> Azure Germany (Microsoft Cloud Deutschland) will be [closed on October 29, 2021](https://www.microsoft.com/cloud-platform/germany-cloud-regions). Services and applications you choose _not_ to migrate to a region in global Azure before that date will become inaccessible.
-
 If you haven't migrated your application from Azure Germany, follow [Azure Active Directory information for the migration from Azure Germany](/microsoft-365/enterprise/ms-cloud-germany-transition-azure-ad) to get started.
 
 ## Microsoft Graph API
 
 To learn how to call the Microsoft Graph APIs in a national cloud environment, go to [Microsoft Graph in national cloud deployments](/graph/deployments).
 
-> [!IMPORTANT]
-> Certain services and features that are in specific regions of the global service might not be available in all of the national clouds. To find out what services are available, go to [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-iowa,usgov-texas,usgov-virginia,china-non-regional,china-east,china-east-2,china-north,china-north-2,germany-non-regional,germany-central,germany-northeast).
+Some services and features in the global Azure cloud might be unavailable in other cloud instances like the national clouds.
+
+To find out which services and features are available in a given cloud instance, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-iowa,usgov-texas,usgov-virginia,china-non-regional,china-east,china-east-2,china-north,china-north-2,germany-non-regional,germany-central,germany-northeast).
 
 To learn how to build an application by using the Microsoft identity platform, follow the [Single-page application (SPA) using auth code flow tutorial](tutorial-v2-angular-auth-code.md). Specifically, this app will sign in a user and get an access token to call the Microsoft Graph API.
 
@@ -85,4 +95,4 @@ National cloud documentation:
 
 - [Azure Government](../../azure-government/index.yml)
 - [Azure China 21Vianet](/azure/china/)
-- [Azure Germany (Closing on October 29, 2021)](../../germany/index.yml)
+- [Azure Germany (Closed on October 29, 2021)](../../germany/index.yml)

articles/active-directory/develop/authentication-national-cloud.md

@@ -97,8 +97,6 @@
       - name: Compute platform
         href: compute-infrastructure.md
 
-
-
 - name: How-to guides
   items:
       - name: Define APIs
@@ -115,9 +113,11 @@
               href: websocket-api.md
             - name: Import a GraphQL API
               href: graphql-api.md
-            - name: Import a Web App
+            - name: Import an App Service web API
               href: import-app-service-as-api.md
-            - name: Import a Function App
+            - name: Import a Container App web API
+              href: import-container-app-with-oas.md
+            - name: Import a Function App web API
               href: import-function-app-as-api.md
             - name: Import a Logic App
               href: import-logic-app-as-api.md

articles/api-management/TOC.yml

@@ -0,0 +1,137 @@
+---
+title: Import Azure Container App to Azure API Management  | Microsoft Docs
+description: This article shows you how to use Azure API Management to import a web API hosted in Azure Container Apps.
+services: api-management
+documentationcenter: ''
+author: adrianhall
+
+ms.service: api-management
+ms.topic: article
+ms.date: 11/03/2021
+ms.author: adhal
+
+---
+# Import an Azure Container App as an API
+
+This article shows how to import an Azure Container App to Azure API Management and test the imported API using the Azure portal.  In this article, you learn how to:
+
+> [!div class="checklist"]
+> * Import a Container App that exposes a Web API
+> * Test the API in the Azure portal
+
+> [!NOTE]
+> Azure Container Apps are currently in preview.
+
+## Expose Container App with API Management
+
+[Azure Container Apps](../container-apps/overview.md) allows you to deploy containerized apps without managing complex infrastructure. API developers can write code using their preferred programming language or framework, build microservices with full support for Distributed Application Runtime (Dapr), and scale based on HTTP traffic or other events.
+
+API Management is the recommended environment to expose a Container App hosted web API, for several reasons:
+
+* Decouple managing and securing the front end exposed to API consumers from managing and monitoring the backend web API
+* Manage web APIs hosted as Container Apps in the same environment as your other APIs
+* Apply [policies](api-management-policies.md) to change API behavior, such as call rate limiting
+* Direct API consumers to API Management's customizable [developer portal](api-management-howto-developer-portal.md) to discover and learn about your APIs, request access, and try them
+
+For more information, see [About API Management](api-management-key-concepts.md).
+
+## OpenAPI specification versus wildcard operations
+
+API Management supports import of Container Apps that provide an OpenAPI specification (Swagger definition). However, an OpenAPI specification isn't required. We recommend providing an OpenAPI specification.  API Management can import individual operations, allowing you to validate, manage, secure, and update configurations for each operation separately.
+
+If the Container App exposes an OpenAPI specification, API Management creates API operations that map directly to the definition. API Management will look in several locations for an OpenAPI Specification
+
+* The Container App configuration.
+* `/openapi.json`
+* `/openapi.yml`
+* `/swagger/v1/swagger.json`
+
+If an OpenAPI specification isn't provided, API Management generates [wildcard operations](add-api-manually.md#add-and-test-a-wildcard-operation) for the common HTTP verbs (GET, PUT, and so on). You can still take advantage of the same API Management features, but operations aren't defined at the same level of detail.
+
+In either case, you can [edit](edit-api.md) or [add](add-api-manually.md) operations to the API after import.
+ 
+### Example
+
+Your backend Container App might support two GET operations:
+
+*  `https://myappservice.azurewebsites.net/customer/{id}`
+*  `https://myappservice.azurewebsites.net/customers`
+
+You import the Container App to your API Management service at a path such as `https://contosoapi.azure-api.net/store`. The following table shows the operations that are imported to API Management, either with or without an OpenAPI specification: 
+
+| Type |Imported operations  |Sample requests |
+|---------|---------|---------|
+|OpenAPI specification    | `GET  /customer/{id}`<br/><br/> `GET  /customers`         |  `GET https://contosoapi.azure-api.net/store/customer/1`<br/><br/>`GET https://contosoapi.azure-api.net/store/customers`       |
+|Wildcard     | `GET  /*`         | `GET https://contosoapi.azure-api.net/store/customer/1`<br/><br/>`GET https://contosoapi.azure-api.net/store/customers`  |
+
+The wildcard operation allows the same requests to the backend service as the operations in the OpenAPI specification. However, the OpenAPI-specified operations can be managed separately in API Management. 
+
+## Prerequisites
+
++ Complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md).
++ Make sure there's a Container App that exposes a Web API in your subscription. For more information, see [Container Apps documentation](../container-apps/index.yml).
+
+[!INCLUDE [api-management-navigate-to-instance.md](../../includes/api-management-navigate-to-instance.md)]
+
+## <a name="create-api"> </a>Import and publish a backend API 
+
+1. Navigate to your API Management service in the Azure portal and select **APIs** from the menu.
+2. Select **Container App** from the list.
+
+    :::image type="content" source="media/import-container-app-with-oas/add-api.png" alt-text="Create from Container App":::
+
+3. Select **Browse** to see the list of Container Apps in your subscription.
+4. Select a Container App. If an OpenAPI definition is associated with the selected Container App, API Management fetches it and imports it. If an OpenAPI definition isn't found, API Management exposes the API by generating wildcard operations for common HTTP verbs.
+1. Add an API URL suffix. The suffix is a name that identifies this specific API in this API Management instance. It has to be unique in this API Management instance.
+2. Publish the API by associating the API with a product. In this case, the "*Unlimited*" product is used. If you want the API to be published and be available to developers, add it to a product.
+
+    > [!NOTE]
+    > Products are associations of one or more APIs. You can include many APIs and offer them to developers through the developer portal. Developers must first subscribe to a product to get access to the API. When they subscribe, they get a subscription key that is good for any API in that product. If you created the API Management instance, you're an administrator and subscribed to every product by default.
+    >
+    > Each API Management instance comes with two sample products when createdgg:
+    > * **Starter**
+    > * **Unlimited**
+
+3. Enter other API settings. You can set the values during creation or configure them later by going to the **Settings** tab. The settings are explained in the [Import and publish your first API](import-and-publish.md#import-and-publish-a-backend-api) tutorial.
+4. Select **Create**.
+
+    :::image type="content" source="media/import-container-app-with-oas/import-container-app.png" alt-text="Create API from Container App":::
+
+## Test the new API in the Azure portal
+
+Operations can be called directly from the Azure portal, which provides a convenient way to view and test the operations of an API. You can also test the API in the [developer portal](api-management-howto-developer-portal.md) or using your own REST client tools.
+
+1. Select the API you created in the previous step.
+1. Select the **Test** tab.
+1. Select an operation.
+
+    The page displays fields for query parameters and fields for the headers. One of the headers is `Ocp-Apim-Subscription-Key`, for the subscription key of the product that is associated with this API. If you created the API Management instance, you are an administrator already, so the key is filled in automatically.
+
+1. Press **Send**.
+
+    When the test is successful, the backend responds with **200 OK** and some data.
+
+### Test wildcard operation in the portal
+
+When wildcard operations are generated, the operations might not map directly to the backend API. For example, a wildcard GET operation imported in API Management uses the path `/` by default. However, your backend API might support a GET operation at the following path:
+
+`/api/TodoItems`
+
+You can test the path `/api/TodoItems` as follows.
+
+1. Select the API you created, and select the operation.
+1. Select the **Test** tab.
+1. In **Template parameters**, update the value next to the wildcard (*) name. For example, enter `api/TodoItems`. This value gets appended to the path `/` for the wildcard operation.
+
+    :::image type="content" source="media/import-container-app-with-oas/test-wildcard-operation.png" alt-text="Test wildcard operation":::
+
+1. Select **Send**.
+
+[!INCLUDE [api-management-navigate-to-instance.md](../../includes/api-management-append-apis.md)]
+
+[!INCLUDE [api-management-define-api-topics.md](../../includes/api-management-define-api-topics.md)]
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Transform and protect a published API](transform-api.md)