Syncing with main. Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into work-macos-sep23

Author: Heidilohr

.openpublishing.publish.config.json

@@ -1189,11 +1189,14 @@
   "articles/data-catalog/.openpublishing.redirection.data-catalog.json",
   "articles/data-factory/.openpublishing.redirection.data-factory.json",
   "articles/data-lake-analytics/.openpublishing.redirection.data-lake-analytics.json",
+  "articles/deployment-environments/.openpublishing.redirection.deployment-environments.json",
+  "articles/dev-box/.openpublishing.redirection.dev-box.json",
   "articles/digital-twins/.openpublishing.redirection.digital-twins.json",
   "articles/event-grid/.openpublishing.redirection.event-grid.json",
   "articles/event-hubs/.openpublishing.redirection.event-hubs.json",
   "articles/hdinsight/.openpublishing.redirection.hdinsight.json",
   "articles/healthcare-apis/.openpublishing.redirection.healthcare-apis.json",
+  "articles/internet-peering/.openpublishing.redirection.internet-peering.json",
   "articles/iot-accelerators/.openpublishing.redirection.iot-accelerators.json",
   "articles/iot-central/.openpublishing.redirection.iot-central.json",
   "articles/iot-develop/.openpublishing.redirection.iot-develop.json",
@@ -1208,9 +1211,12 @@
   "articles/mariadb/.openpublishing.redirection.mariadb.json",
   "articles/marketplace/.openpublishing.redirection.marketplace.json",
   "articles/mysql/.openpublishing.redirection.mysql.json",
+  "articles/network-watcher/.openpublishing.redirection.network-watcher.json",
   "articles/object-anchors/.openpublishing.redirection.object-anchors.json",
+  "articles/peering-service/.openpublishing.redirection.peering-service.json",
   "articles/postgresql/.openpublishing.redirection.postgresql.json",
   "articles/purview/.openpublishing.redirection.purview.json",
+  "articles/route-server/.openpublishing.redirection.route-server.json",
   "articles/sap/.openpublishing.redirection.sap.json",
   "articles/service-bus-messaging/.openpublishing.redirection.service-bus-messaging.json",
   "articles/spatial-anchors/.openpublishing.redirection.spatial-anchors.json",
@@ -1220,9 +1226,6 @@
   "articles/stream-analytics/.openpublishing.redirection.stream-analytics.json",
   "articles/synapse-analytics/.openpublishing.redirection.synapse-analytics.json",
   "articles/virtual-machine-scale-sets/.openpublishing.redirection.virtual-machine-scale-sets.json",
-  "articles/virtual-machines/.openpublishing.redirection.virtual-machines.json",
-  "articles/dev-box/.openpublishing.redirection.dev-box.json",
-  "articles/deployment-environments/.openpublishing.redirection.deployment-environments.json",
-  "articles/network-watcher/.openpublishing.redirection.network-watcher.json"
+  "articles/virtual-machines/.openpublishing.redirection.virtual-machines.json"
 ]
 }

.openpublishing.redirection.active-directory.json

@@ -5460,6 +5460,11 @@
       "redirect_url": "/azure/active-directory/fundamentals/concept-fundamentals-security-defaults",
       "redirect_document_id": true
     },
+    {
+      "source_path_from_root": "/articles/active-directory/reports-monitoring/reference-azure-ad-sla-performance.md",
+      "redirect_url": "/azure/active-directory/reports-monitoring/reference-sla-performance",
+      "redirect_document_id": true
+    },
     {
       "source_path_from_root": "/articles/active-directory/reports-monitoring/quickstart-filter-audit-log.md",
       "redirect_url": "/azure/active-directory/reports-monitoring/howto-customize-filter-logs",

.openpublishing.redirection.json

@@ -20,16 +20,6 @@
             "redirect_URL": "tutorial-assess-webapps",
             "redirect_document_id": false
         },
-        {
-            "source_path": "articles/route-server/tutorial-protect-route-server.md",
-            "redirect_URL": "/azure/route-server/tutorial-protect-route-server-ddos",
-            "redirect_document_id": false
-        },
-        {
-            "source_path": "articles/route-server/routing-preference.md",
-            "redirect_url": "/azure/route-server/overview",
-            "redirect_document_id": false
-        },
         {
             "source_path": "articles/cloud-services-extended-support/deploy-visual-studio.md",
             "redirect_url": "/visualstudio/azure/cloud-services-extended-support?context=%2Fazure%2Fcloud-services-extended-support%2Fcontext%2Fcontext",
@@ -24553,22 +24543,22 @@
         },
         {
             "source_path_from_root": "/articles/active-directory/develop/single-page-app-tutorial-01-register-app.md",
-            "redirect_url": "/azure/active-directory/develop/tutorial-single-page-app-react-register-app.md",
+            "redirect_url": "/azure/active-directory/develop/tutorial-single-page-app-react-register-app",
             "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/active-directory/develop/single-page-app-tutorial-02-prepare-spa.md",
-            "redirect_url": "/azure/active-directory/develop/tutorial-single-page-app-react-prepare-spa.md",
+            "redirect_url": "/azure/active-directory/develop/tutorial-single-page-app-react-prepare-spa",
             "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/active-directory/develop/single-page-app-tutorial-03-sign-in-users.md",
-            "redirect_url": "/azure/active-directory/develop/tutorial-single-page-app-react-sign-in-users.md",
+            "redirect_url": "/azure/active-directory/develop/tutorial-single-page-app-react-sign-in-users",
             "redirect_document_id": false
         },
         {
             "source_path_from_root": "/articles/active-directory/develop/single-page-app-tutorial-04-call-api.md",
-            "redirect_url": "/azure/active-directory/develop/tutorial-single-page-app-react-call-api.md",
+            "redirect_url": "/azure/active-directory/develop/tutorial-single-page-app-react-call-api",
             "redirect_document_id": false
         }
     ]

articles/active-directory/app-provisioning/skip-out-of-scope-deletions.md

@@ -59,10 +59,10 @@ Copy the Response into a text file. It looks like the JSON text shown, with valu
 Here's the JSON block to add to the mapping. 
 
 ```json
-        {
-            "key": "SkipOutOfScopeDeletions",
-            "value": "True"
-        }
+{
+  "key": "SkipOutOfScopeDeletions",
+  "value": "True"
+}
 ```
 
 ## Step 4: Update the secrets endpoint with the SkipOutOfScopeDeletions flag

articles/active-directory/authentication/concept-authentication-strengths.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 09/14/2023
+ms.date: 09/27/2023
 
 ms.author: justinha
 author: justinha
@@ -232,7 +232,7 @@ An authentication strength Conditional Access policy works together with [MFA tr
 
 - **Authentication methods that aren't currently supported by authentication strength** - The **Email one-time pass (Guest)** authentication method isn't included in the available combinations.
 
-- **Windows Hello for Business** – If the user signed in with Windows Hello for Business as their primary authentication method, it can be used to satisfy an authentication strength requirement that includes Windows Hello for Business. But if the user signed in with another method like password as their primary authenticating method, and the authentication strength requires Windows Hello for Business, they get prompted to sign in with Windows Hello for Business. 
+- **Windows Hello for Business** – If the user signed in with Windows Hello for Business as their primary authentication method, it can be used to satisfy an authentication strength requirement that includes Windows Hello for Business. However, if the user signed in with another method like password as their primary authenticating method, and the authentication strength requires Windows Hello for Business, they aren't prompted to sign in with Windows Hello for Business. The user needs to restart the session, choose **Sign-in options**, and select a method required by the authentication strength.
 
 
 ## Known isssues

articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 09/25/2023
+ms.date: 09/27/2023
 
 
 ms.author: justinha
@@ -49,15 +49,21 @@ Now we'll walk through each step:
 
    :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-alt.png" alt-text="Screenshot of the Sign-in if FIDO2 is also enabled.":::
 
-1. Once the user selects certificate-based authentication, the client is redirected to the certauth endpoint, which is [https://certauth.login.microsoftonline.com](https://certauth.login.microsoftonline.com) or [`https://t<tenant id>.certauth.login.microsoftonline.com`](`https://t<tenant id>.certauth.login.microsoftonline.com`) for Azure Global. For [Azure Government](../../azure-government/compare-azure-government-global-azure.md#guidance-for-developers), the certauth endpoint is [https://certauth.login.microsoftonline.us](https://certauth.login.microsoftonline.us).  
+1. Once the user selects certificate-based authentication, the client is redirected to the certauth endpoint, which is [https://certauth.login.microsoftonline.com](https://certauth.login.microsoftonline.com) for Azure Global. For [Azure Government](../../azure-government/compare-azure-government-global-azure.md#guidance-for-developers), the certauth endpoint is [https://certauth.login.microsoftonline.us](https://certauth.login.microsoftonline.us).  
 
-   The endpoint performs TLS mutual authentication, and requests the client certificate as part of the TLS handshake. You'll see an entry for this request in the Sign-ins log.
+However, with the issue hints feature enabled (coming soon), the new certauth endpoint will change to `https://t{tenantid}.certauth.login.microsoftonline.com`.
+
+The endpoint performs TLS mutual authentication, and requests the client certificate as part of the TLS handshake. You'll see an entry for this request in the Sign-ins log.
 
-   :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png" alt-text="Screenshot of the Sign-ins log in Microsoft Entra ID." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png":::
-   
    >[!NOTE]
-   >The network administrator should allow access to the User sign-in page and certauth endpoint *.certauth.login.microsoftonline.com for the customer’s cloud environment. Disable TLS inspection on the certauth endpoint to make sure the client certificate request succeeds as part of the TLS handshake.
+   >The network administrator should allow access to the User sign-in page and certauth endpoint `*.certauth.login.microsoftonline.com` for the customer's cloud environment. Disable TLS inspection on the certauth endpoint to make sure the client certificate request succeeds as part of the TLS handshake.
+
+   Customers should make sure their TLS inspection disablement also work for the new url with issuer hints. Our recommendation is not to hardcode the url with tenantId as for B2B users the tenantId might change. Use a regular expression to allow both the old and new URL to work for TLS inspection disablement. For example, use `*.certauth.login.microsoftonline.com` or `*certauth.login.microsoftonline.com`for Azure Global tenants, and `*.certauth.login.microsoftonline.us` or `*certauth.login.microsoftonline.us` for Azure Government tenants, depending on the proxy used.
 
+   Without this change, certificate-based authentication will fail when you enable Issuer Hints feature.
+
+   :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png" alt-text="Screenshot of the Sign-ins log in Microsoft Entra ID." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png":::
+   
    Click the log entry to bring up **Activity Details** and click **Authentication Details**. You'll see an entry for the X.509 certificate.
 
    :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/entry.png" alt-text="Screenshot of the entry for X.509 certificate.":::

articles/active-directory/authentication/howto-mfa-userdevicesettings.md

@@ -92,9 +92,7 @@ If you're assigned the *Authentication Administrator* role, you can require user
 1. Browse to **Identity** > **Users** > **All users**. 
 1. Choose the user you wish to perform an action on and select **Authentication methods**. At the top of the window, then choose one of the following options for the user:
    - **Reset Password** resets the user's password and assigns a temporary password that must be changed on the next sign-in.
-   - **Require Re-register MFA** makes it so that when the user signs in next time, they're requested to set up a new MFA authentication method.
-      > [!NOTE]
-      > The user's currently registered authentication methods aren't deleted when an admin requires re-registration for MFA. After a user re-registers for MFA, we recommend they review their security info and delete any previously registered authentication methods that are no longer usable.
+   - **Require Re-register MFA** deactivates the user's hardware OATH tokens and deletes the following authentication methods from this user: phone numbers, Microsoft Authenticator apps and software OATH tokens. If needed, the user is requested to set up a new MFA authentication method the next time they sign in.
    - **Revoke MFA Sessions** clears the user's remembered MFA sessions and requires them to perform MFA the next time it's required by the policy on the device.
 
     :::image type="content" source="media/howto-mfa-userdevicesettings/manage-authentication-methods-in-azure.png" alt-text="Manage authentication methods from the Microsoft Entra admin center":::
@@ -119,3 +117,4 @@ To delete a user's app passwords, complete the following steps:
 This article showed you how to configure individual user settings. To configure overall Microsoft Entra multifactor authentication service settings, see [Configure Microsoft Entra multifactor authentication settings](howto-mfa-mfasettings.md).
 
 If your users need help, see the [User guide for Microsoft Entra multifactor authentication](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc).
+

articles/active-directory/authentication/troubleshoot-authentication-strengths.md

@@ -6,12 +6,12 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 06/02/2023
+ms.date: 09/27/2023
 
 ms.author: justinha
 author: justinha
 manager: amycolannino
-ms.reviewer: michmcla, inbarckms
+ms.reviewer: inbarckms
 
 ms.collection: M365-identity-device-management
 ---
@@ -38,7 +38,7 @@ To verify if a method can be used:
    1. As needed, check if the tenant is enabled for any method required for the authentication strength. Click **Security** > **Multifactor Authentication** > **Additional cloud-based multifactor authentication settings**. 
 1. Check which authentication methods are registered for the user in the Authentication methods policy. Click **Users and groups** > _username_ > **Authentication methods**. 
 
-If the user is registered for an enabled method that meets the authentication strength, they might need to use another method that isn't available after primary authentication, such as Windows Hello for Business or certificate-based authentication. For more information, see [How each authentication method works](concept-authentication-methods.md#how-each-authentication-method-works). The user needs to restart the session, choose **Sign-in options** , and select a method required by the authentication strength.
+If the user is registered for an enabled method that meets the authentication strength, they might need to use another method that isn't available after primary authentication, such as Windows Hello for Business. For more information, see [How each authentication method works](concept-authentication-methods.md#how-each-authentication-method-works). The user needs to restart the session, choose **Sign-in options** , and select a method required by the authentication strength.
 
 :::image type="content" border="true" source="./media/troubleshoot-authentication-strengths/choose-another-method.png" alt-text="Screenshot of how to choose another sign-in method.":::
 

articles/active-directory/develop/test-throttle-service-limits.md

@@ -55,7 +55,7 @@ The following table lists Microsoft Entra throttling limits to consider when run
 | Limit type | Resource unit quota | Write quota |
 |-------------------|----------------|----------------|
 | application+tenant pair | S: 3500, M:5000, L:8000 per 10 seconds | 3000 per 2 minutes and 30 seconds |
-| application | 150,000 per 20 seconds | 70,000 per 5 minutes |
+| application | 150,000 per 20 seconds | 35,000 per 5 minutes |
 | tenant | Not Applicable | 18,000 per 5 minutes |
 
 The application + tenant pair limit varies based on the number of users in the tenant requests are run against. The tenant sizes are defined as follows: S - under 50 users, M - between 50 and 500 users, and L - above 500 users.