Merge pull request #187198 from MicrosoftDocs/master

2/2 AM Publish

Author: huypub

.openpublishing.redirection.json

@@ -2518,6 +2518,11 @@
       "redirect_url": "/azure/machine-learning/how-to-configure-auto-train#troubleshooting",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/machine-learning/how-to-compute-cluster-instance-os-upgrade.md",
+      "redirect_url": "/azure/machine-learning/concept-vulnerability-management",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/machine-learning/how-to-deploy-custom-docker-image.md",
       "redirect_url": "/azure/machine-learning/how-to-deploy-custom-container",
@@ -40772,6 +40777,16 @@
       "redirect_url": "/azure/aks/open-service-mesh-about",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/aks/open-service-mesh-deploy-new-application.md",
+      "redirect_url": "/azure/aks/open-service-mesh-about",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/aks/open-service-mesh-deploy-existing-application.md",
+      "redirect_url": "/azure/aks/open-service-mesh-about",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/azure-monitor/platform/alerts-metric-create-templates.md",
       "redirect_url": "/azure/azure-monitor/alerts/alerts-metric-create-templates",

articles/active-directory/develop/includes/remind-not-to-relay-token-nonaud.md

@@ -0,0 +1,25 @@
+---
+title: Don't send your middle-tier OBO token to any non-audience party
+description: Include file warning that access tokens acquired by the middle-tier shouldn't be sent to any party except that which is identified by the audience claim.
+services: active-directory
+author: iambmelt
+manager: CelesteDG
+
+ms.service: active-directory
+ms.subservice: develop
+ms.workload: identity
+ms.topic: include
+ms.date: 12/7/2021
+ms.author: brianmel
+ms.reviewer: brianmel
+ms.custom: aaddev
+---
+
+> [!WARNING]
+> **DO NOT** send access tokens that were issued to the middle tier to any other party. Access tokens issued to the middle tier are intended for use _only_ by that middle tier.
+>
+> Security risks of relaying access tokens from a middle-tier resource to a client (instead of the client getting the access tokens themselves) include:
+>
+> - Increased risk of token interception over compromised SSL/TLS channels.
+> - Inability to satisfy token binding and Conditional Access scenarios requiring claim step-up (for example, MFA, Sign-in Frequency).
+> - Incompatibility with admin-configured device-based policies (for example, MDM, location-based policies).

articles/active-directory/develop/publisher-verification-overview.md

@@ -23,8 +23,12 @@ Publisher verification helps admins and end users understand the authenticity of
 When an application is marked as publisher verified, it means that the publisher has verified their identity using a [Microsoft Partner Network](https://partner.microsoft.com/membership) account that has completed the [verification](/partner-center/verification-responses) process and has associated this MPN account with their application registration. 
 
 A blue "verified" badge appears on the Azure AD consent prompt and other screens:
+
 ![Consent prompt](./media/publisher-verification-overview/consent-prompt.png)
 
+> [!NOTE]
+> We recently changed the color of the "verified" badge from blue to gray. We will revert that change sometime in the last half of February 2022, so the "verified" badge will be blue.
+
 This feature is primarily for developers building multi-tenant apps that leverage [OAuth 2.0 and OpenID Connect](active-directory-v2-protocols.md) with the [Microsoft identity platform](v2-overview.md). These apps can sign users in using OpenID Connect, or they may use OAuth 2.0 to request access to data using APIs like [Microsoft Graph](https://developer.microsoft.com/graph/).
 
 ## Benefits

articles/active-directory/develop/sample-v2-code.md

@@ -83,7 +83,7 @@ The following samples show public client desktop applications that access the Mi
 > | Java | [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-java-desktop/) | MSAL Java | Integrated Windows authentication |
 > | Node.js | [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-desktop) | MSAL Node | Authorization code with PKCE |
 > | Powershell | [Call Microsoft Graph by signing in users using username/password](https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2) | MSAL.NET | Resource owner password credentials |
-> | Python | [Sign in users](https://github.com/Azure-Samples/ms-identity-python-desktop) | MSAL Python | Authorization code with PKCE |
+> | Python | [Sign in users](https://github.com/Azure-Samples/ms-identity-python-desktop) | MSAL Python | Resource owner password credentials |
 > | Universal Window Platform (UWP) | [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-xamarin-native-v2/tree/main/2-With-broker) | MSAL.NET | Web account manager |
 > | Windows Presentation Foundation (WPF) | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2.%20Web%20API%20now%20calls%20Microsoft%20Graph) | MSAL.NET | Authorization code with PKCE |
 > | XAML | &#8226; [Sign in users and call ASP.NET core web API](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/1.%20Desktop%20app%20calls%20Web%20API) <br/> &#8226; [Sign in users and call Microsoft Graph](https://github.com/azure-samples/active-directory-dotnet-desktop-msgraph-v2) | MSAL.NET | Authorization code with PKCE |

articles/active-directory/develop/scenario-daemon-app-configuration.md

@@ -81,7 +81,12 @@ Configuration parameters for the [Node.js daemon sample](https://github.com/Azur
 # Credentials
 TENANT_ID=Enter_the_Tenant_Info_Here
 CLIENT_ID=Enter_the_Application_Id_Here
+
+// You provide either a ClientSecret or a CertificateConfiguration, or a ClientAssertion. These settings are exclusive
 CLIENT_SECRET=Enter_the_Client_Secret_Here
+CERTIFICATE_THUMBPRINT=Enter_the_certificate_thumbprint_Here
+CERTIFICATE_PRIVATE_KEY=Enter_the_certificate_private_key_Here
+CLIENT_ASSERTION=Enter_the_Assertion_String_Here
 
 # Endpoints
 // the Azure AD endpoint is the authority endpoint for token issuance
@@ -267,6 +272,7 @@ app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
     .WithAuthority(new Uri(config.Authority))
     .Build();
 ```
+
 # [Java](#tab/java)
 
 In MSAL Java, there are two builders to instantiate the confidential client application with certificates:
@@ -302,7 +308,24 @@ ConfidentialClientApplication cca =
 
 # [Node.js](#tab/nodejs)
 
-The sample application does not implement initialization with certificates at the moment.
+```JavaScript
+
+const config = {
+    auth: {
+        clientId: process.env.CLIENT_ID,
+        authority: process.env.AAD_ENDPOINT + process.env.TENANT_ID,
+        clientCertificate: {
+            thumbprint:  process.env.CERTIFICATE_THUMBPRINT, // a 40-digit hexadecimal string
+            privateKey:  process.env.CERTIFICATE_PRIVATE_KEY,
+        }
+    }
+};
+
+// Create an MSAL application object
+const cca = new msal.ConfidentialClientApplication(config);
+```
+
+For details, see [Use certificate credentials with MSAL Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/certificate-credentials.md).
 
 # [Python](#tab/python)
 
@@ -371,7 +394,18 @@ ConfidentialClientApplication cca =
 
 # [Node.js](#tab/nodejs)
 
-The sample application does not implement initialization with assertions at the moment.
+```JavaScript
+const clientConfig = {
+    auth: {
+        clientId: process.env.CLIENT_ID,
+        authority: process.env.AAD_ENDPOINT + process.env.TENANT_ID,
+        clientAssertion:  process.env.CLIENT_ASSERTION
+    }
+};
+const cca = new msal.ConfidentialClientApplication(clientConfig);
+```
+
+For details, see [Initialize the ConfidentialClientApplication object](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/initialize-confidential-client-application.md).
 
 # [Python](#tab/python)
 

articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md

@@ -52,6 +52,8 @@ To request an access token, make an HTTP POST to the tenant-specific Microsoft i
 https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
 ```
 
+[!INCLUDE [remind-not-to-relay-token-nonaud](includes/remind-not-to-relay-token-nonaud.md)]
+
 There are two cases depending on whether the client application chooses to be secured by a shared secret or a certificate.
 
 ### First case: Access token request with a shared secret

articles/active-directory/hybrid/how-to-connect-health-adfs-risky-ip-workbook.md

@@ -24,7 +24,7 @@ ms.collection:
 
 AD FS customers may expose password authentication endpoints to the internet to provide authentication services for end users to access SaaS applications such as Microsoft 365. In this case, it is possible for a bad actor to attempt logins against your AD FS system to guess an end user’s password and get access to application resources. AD FS provides the extranet account lockout functionality to prevent these types of attacks since AD FS in Windows Server 2012 R2. If you are on a lower version, we strongly recommend that you upgrade your AD FS system to Windows Server 2016. <br />
 
-Additionally, it is possible for a single IP address to attempt multiple logins against multiple users. In these cases, the number of attempts per user may be under the threshold for account lockout protection in AD FS. Azure AD Connect Health now provides the “Risky IP report” that detects this condition and notifies administrators when this occurs. The following are the key benefits for this report: 
+Additionally, it is possible for a single IP address to attempt multiple logins against multiple users. In these cases, the number of attempts per user may be under the threshold for account lockout protection in AD FS. Azure AD Connect Health now provides the “Risky IP report” that detects this condition and notifies administrators. The following are the key benefits for this report: 
 - Detection of IP addresses that exceed a threshold of failed password-based logins
 - Supports failed logins due to bad password or due to extranet lockout state
 - Supports enabling alerts through Azure Alerts
@@ -41,7 +41,7 @@ Additionally, it is possible for a single IP address to attempt multiple logins
 
 
 ## What is in the report?
-The Risky IP report workbook is powered from data in the ADFSSignInLogs stream and has pre-existing queries to be able to quickly visualize and analyze risky IPs. The parameters can be configured and customized for threshold counts. The workbook is also configurable based on queries, and each query can be updated and modified based on the organization’s needs.
+The Risky IP report workbook is powered from data in the ADFSSignInLogs stream and can quickly visualize and analyze risky IPs. The parameters can be configured and customized for threshold counts. The workbook is also configurable based on queries, and each query can be updated and modified based on the organization’s needs.
 
 The risky IP workbook analyzes data from ADFSSignInLogs to help you detect password spray or password brute force attacks. The workbook has two parts. The first part "Risky IP Analysis" identifies risky IP addresses based on designated error thresholds and detection window length. The second part provides the sign-in details and error counts for selected IPs.
 
@@ -66,6 +66,14 @@ Each item in the Risky IP report table shows aggregated information about failed
 
 Filter the report by IP address or user name to see an expanded view of sign-ins details for each risky IP event.
 
+## Accessing the workbook
+
+To access the workbook:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+2. Navigate to **Azure Active Directory** > **Monitoring** > **Workbooks**. 
+3. Select the Risky IP report workbook. 
+
 ## Load balancer IP addresses in the list
 Load balancer aggregate failed sign-in activities and hit the alert threshold. If you are seeing load balancer IP addresses, it is highly likely that your external load balancer is not sending the client IP address when it passes the request to the Web Application Proxy server. Please configure your load balancer correctly to pass forward client IP address. 
 

articles/active-directory/saas-apps/cornerstone-ondemand-provisioning-tutorial.md

@@ -18,6 +18,7 @@ ms.author: jeedes
 This tutorial demonstrates the steps to perform in Cornerstone OnDemand and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and deprovision users or groups to Cornerstone OnDemand.
 
 > [!NOTE]
+> This Conerstone OnDemand automatic provisioning service is deprecated and support will end soon.
 > This tutorial describes a connector that's built on top of the Azure AD user provisioning service. For information on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to software-as-a-service (SaaS) applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
 
 ## Prerequisites

articles/active-directory/saas-apps/kronos-workforce-dimensions-tutorial.md

@@ -1,5 +1,5 @@
 ---
-title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Kronos Workforce Dimensions | Microsoft Docs'
+title: 'Tutorial: Azure AD SSO integration with Kronos Workforce Dimensions'
 description: Learn how to configure single sign-on between Azure Active Directory and Kronos Workforce Dimensions.
 services: active-directory
 author: jeevansd
@@ -9,12 +9,12 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 07/19/2021
+ms.date: 01/27/2021
 ms.author: jeedes
 
 ---
 
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Kronos Workforce Dimensions
+# Tutorial: Azure AD SSO integration with Kronos Workforce Dimensions
 
 In this tutorial, you'll learn how to integrate Kronos Workforce Dimensions with Azure Active Directory (Azure AD). When you integrate Kronos Workforce Dimensions with Azure AD, you can:
 
@@ -29,6 +29,9 @@ To get started, you need the following items:
 * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
 * Kronos Workforce Dimensions single sign-on (SSO) enabled subscription.
 
+> [!NOTE]
+> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
+
 ## Scenario description
 
 In this tutorial, you configure and test Azure AD SSO in a test environment.
@@ -132,4 +135,4 @@ In this section, you test your Azure AD single sign-on configuration with follow
 
 ## Next steps
 
-Once you configure Kronos Workforce Dimensions you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
+Once you configure Kronos Workforce Dimensions you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).