Merge pull request #259519 from MicrosoftDocs/main

Publish to live, Monday 4 AM PST, 11/27

Author: ttorble

articles/active-directory-b2c/add-api-connector-token-enrichment.md

@@ -15,6 +15,7 @@ ms.author: godonnell
 ms.subservice: B2C
 zone_pivot_groups: b2c-policy-type
 ---
+
 # Enrich tokens with claims from external sources using API connectors
 [!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
 Azure Active Directory B2C (Azure AD B2C) enables identity developers to integrate an interaction with a RESTful API into their user flow using [API connectors](api-connectors-overview.md). It enables developers to dynamically retrieve data from external identity sources. At the end of this walkthrough, you'll be able to create an Azure AD B2C user flow that interacts with APIs to enrich tokens with information from external sources.
@@ -98,6 +99,7 @@ Additionally, these claims are typically sent in all requests for this step:
 
 > [!IMPORTANT]
 > If a claim does not have a value at the time the API endpoint is called, the claim will not be sent to the API. Your API should be designed to explicitly check and handle the case in which a claim is not in the request.
+
 ## Expected response types from the web API at this step
 When the web API receives an HTTP request from Microsoft Entra ID during a user flow, it can return a "continuation response."
 ### Continuation response
@@ -106,6 +108,7 @@ In a continuation response, the API can return additional claims. A claim return
 The claim value in the token will be that returned by the API, not the value in the directory. Some claim values cannot be overwritten by the API response. Claims that can be returned by the API correspond to the set found under **User attributes** with the exception of `email`.
 > [!NOTE]
 > The API is only invoked during an initial authentication. When using refresh tokens to silently get new access or ID tokens, the token will include the values evaluated during the initial authentication. 
+
 ## Example response
 ### Example of a continuation response
 ```http
@@ -132,6 +135,7 @@ You can also design the interaction as a validation technical profile. This is s
 ## Prerequisites
 - Complete the steps in [Get started with custom policies](tutorial-create-user-flows.md?pivots=b2c-custom-policy). You should have a working custom policy for sign-up and sign-in with local accounts.
 - Learn how to [Integrate REST API claims exchanges in your Azure AD B2C custom policy](api-connectors-overview.md).
+
 ## Prepare a REST API endpoint
 For this walkthrough, you should have a REST API that validates whether a user's Azure AD B2C objectId is registered in your back-end system. 
 If registered, the REST API returns the user account balance. Otherwise, the REST API registers the new account in the directory and returns the starting balance `50.00`.
@@ -155,6 +159,7 @@ A claim provides temporary storage of data during an Azure AD B2C policy executi
 1. Search for the [BuildingBlocks](buildingblocks.md) element. If the element doesn't exist, add it.
 1. Locate the [ClaimsSchema](claimsschema.md) element. If the element doesn't exist, add it.
 1. Add the following claims to the **ClaimsSchema** element.  
+
 ```xml
 <ClaimType Id="balance">
   <DisplayName>Your Balance</DisplayName>
@@ -205,6 +210,7 @@ After you deploy your REST API, set the metadata of the `REST-GetProfile` techni
 - **AuthenticationType**. Set the type of authentication being performed by the RESTful claims provider such as `Basic` or `ClientCertificate` 
 - **AllowInsecureAuthInProduction**. In a production environment, make sure to set this metadata to `false`.
 
+
 See the [RESTful technical profile metadata](restful-technical-profile.md#metadata) for more configurations.
 The comments above `AuthenticationType` and `AllowInsecureAuthInProduction` specify changes you should make when you move to a production environment. To learn how to secure your RESTful APIs for production, see [Secure your RESTful API](secure-rest-api.md).
 ## Add an orchestration step
@@ -231,6 +237,7 @@ The comments above `AuthenticationType` and `AllowInsecureAuthInProduction` spec
     <OrchestrationStep Order="8" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />
     ```
 1. Repeat the last two steps for the **ProfileEdit** and **PasswordReset** user journeys.
+
 ## Include a claim in the token 
 To return the `balance` claim back to the relying party application, add an output claim to the <em>`SocialAndLocalAccounts/`**`SignUpOrSignIn.xml`**</em> file. Adding an output claim will issue the claim into the token after a successful user journey, and will be sent to the application. Modify the technical profile element within the relying party section to add `balance` as an output claim.
 
@@ -258,13 +265,14 @@ Repeat this step for the **ProfileEdit.xml**, and **PasswordReset.xml** user jou
 Save the files you changed: *TrustFrameworkBase.xml*, and *TrustFrameworkExtensions.xml*, *SignUpOrSignin.xml*, *ProfileEdit.xml*, and *PasswordReset.xml*. 
 ## Test the custom policy
 1. Sign in to the [Azure portal](https://portal.azure.com).
-1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
+1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Microsoft Entra tenant from the **Directories + subscriptions** menu.
 1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **App registrations**.
 1. Select **Identity Experience Framework**.
 1. Select **Upload Custom Policy**, and then upload the policy files that you changed: *TrustFrameworkBase.xml*, and *TrustFrameworkExtensions.xml*, *SignUpOrSignin.xml*, *ProfileEdit.xml*, and *PasswordReset.xml*. 
 1. Select the sign-up or sign-in policy that you uploaded, and click the **Run now** button.
 1. You should be able to sign up using an email address or a Facebook account.
 1. The token sent back to your application includes the `balance` claim.
+
 ```json
 {
   "typ": "JWT",
@@ -324,21 +332,25 @@ In general, it's helpful to use the logging tools enabled by your web API servic
 * A 401 or 403 HTTP status code typically indicates there's an issue with your authentication. Double-check your API's authentication layer and the corresponding configuration in the API connector.
 * Use more aggressive levels of logging (for example "trace" or "debug") in development if needed.
 * Monitor your API for long response times. 
+
 Additionally, Azure AD B2C logs metadata about the API transactions that happen during user authentications via a user flow. To find these:
 1. Go to **Azure AD B2C**
 1. Under **Activities**, select **Audit logs**.
 1. Filter the list view: For **Date**, select the time interval you want, and for **Activity**, select **An API was called as part of a user flow**.
 1. Inspect individual logs. Each row represents an API connector attempting to be called during a user flow. If an API call fails and a retry occurs, it's still represented as a single row. The `numberOfAttempts` indicates the number of times your API was called. This value can be `1`or `2`. Other information about the API call is detailed in the logs.
    ![Screenshot of an example audit log with API connector transaction.](media/add-api-connector-token-enrichment/example-anonymized-audit-log.png)
+
 ::: zone-end
 ## Next steps
 ::: zone pivot="b2c-user-flow"
 - Get started with our [samples](api-connector-samples.md#api-connector-rest-api-samples).
 - [Secure your API Connector](secure-rest-api.md)
+
 ::: zone-end
 ::: zone pivot="b2c-custom-policy"
 To learn how to secure your APIs, see the following articles:
 - [Walkthrough: Integrate REST API claims exchanges in your Azure AD B2C user journey as an orchestration step](add-api-connector-token-enrichment.md)
 - [Secure your RESTful API](secure-rest-api.md)
 - [Reference: RESTful technical profile](restful-technical-profile.md)
+
 ::: zone-end

articles/azure-app-configuration/quickstart-azure-kubernetes-service.md

@@ -289,10 +289,11 @@ Add following key-values to the App Configuration store and leave **Label** and
               mountPath: /app
           volumes:
           - name: config-volume 
-            configMap: configmap-created-by-appconfig-provider 
-            items:
-            - key: mysettings.json
-              path: mysettings.json
+            configMap: 
+              name: configmap-created-by-appconfig-provider
+              items:
+              - key: mysettings.json
+                path: mysettings.json
     ```
 
 3. Run the following command to deploy the changes. Replace the namespace if you are using your existing AKS application.

articles/azure-arc/system-center-virtual-machine-manager/overview.md

@@ -1,7 +1,7 @@
 ---
 title:  Overview of the Azure Connected System Center Virtual Machine Manager 
 description: This article provides a detailed overview of the Azure Arc-enabled System Center Virtual Machine Manager.
-ms.date: 11/15/2023
+ms.date: 11/27/2023
 ms.topic: conceptual
 ms.services: azure-arc
 ms.subservice: azure-arc-scvmm
@@ -22,9 +22,9 @@ Arc-enabled System Center VMM allows you to:
 
 - Perform various VM lifecycle operations such as start, stop, pause, and delete VMs on SCVMM managed VMs directly from Azure.
 - Empower developers and application teams to self-serve VM operations on demand using [Azure role-based access control (RBAC)](https://learn.microsoft.com/azure/role-based-access-control/overview).
-- Browse your VMM resources (VMs, templates, VM networks, and storage) in Azure, providing you a single pane view for your infrastructure across both environments.
+- Browse your VMM resources (VMs, templates, VM networks, and storage) in Azure, providing you with a single pane view for your infrastructure across both environments.
 - Discover and onboard existing SCVMM managed VMs to Azure.
-- Install the Arc-connected machine agents at scale on SCVMM VMs to [govern, protect, configure, and monitor them](https://learn.microsoft.com/azure/azure-arc/servers/overview#supported-cloud-operations).
+- Install the Arc-connected machine agents at scale on SCVMM VMs to [govern, protect, configure, and monitor them](../servers/overview.md#supported-cloud-operations).
 
 ## Onboard resources to Azure management at scale
 
@@ -47,7 +47,7 @@ The following image shows the architecture for the Arc-enabled SCVMM:
 - Azure Arc-enabled servers interact on the guest operating system level, with no awareness of the underlying infrastructure fabric and the virtualization platform that they're running on. Since Arc-enabled servers also support bare-metal machines, there might, in fact, not even be a host hypervisor in some cases.
 - Azure Arc-enabled SCVMM is a superset of Arc-enabled servers that extends management capabilities beyond the guest operating system to the VM itself. This provides lifecycle management and CRUD (Create, Read, Update, and Delete) operations on an SCVMM VM. These lifecycle management capabilities are exposed in the Azure portal and look and feel just like a regular Azure VM. Azure Arc-enabled SCVMM also provides guest operating system management, in fact, it uses the same components as Azure Arc-enabled servers.
 
-You have the flexibility to start with either option, or incorporate the other one later without any disruption. With both options, you will enjoy the same consistent experience.
+You have the flexibility to start with either option, or incorporate the other one later without any disruption. With both options, you'll enjoy the same consistent experience.
 
 ### Supported scenarios
 
@@ -57,20 +57,21 @@ The following scenarios are supported in Azure Arc-enabled SCVMM:
 - Administrators can use the Azure portal to browse SCVMM inventory and register SCVMM cloud, virtual machines, VM networks, and VM templates into Azure.
 - Administrators can provide app teams/developers fine-grained permissions on those SCVMM resources through Azure RBAC.
 - App teams can use Azure interfaces (portal, CLI, or REST API) to manage the lifecycle of on-premises VMs they use for deploying their applications (CRUD, Start/Stop/Restart).
-- Administrators can install Arc agents on SCVMM VMs at-scale and install corresponding extensions to leverage Azure management services like Microsoft Defender for Cloud, Azure Update Manager, Azure Monitor, etc.  
+- Administrators can install Arc agents on SCVMM VMs at-scale and install corresponding extensions to use Azure management services like Microsoft Defender for Cloud, Azure Update Manager, Azure Monitor, etc.  
 
 ### Supported VMM versions
 
-Azure Arc-enabled SCVMM works with VMM 2019 and 2022 versions and supports SCVMM management servers with a maximum of 15000 VMs.
+Azure Arc-enabled SCVMM works with VMM 2019 and 2022 versions and supports SCVMM management servers with a maximum of 15,000 VMs.
 
 ### Supported regions
 
 Azure Arc-enabled SCVMM is currently supported in the following regions:
 
 - East US
-- East US2
-- West US2
-- West US3
+- East US 2
+- West US 2
+- West US 3
+- Central US
 - South Central US
 - UK South
 - North Europe