Merge pull request #219553 from MicrosoftDocs/main

Publish to live, Friday 4 AM PST, 11/25

Author: ttorble

articles/active-directory/develop/single-sign-on-macos-ios.md

@@ -1,5 +1,5 @@
 ---
-title: Configure SSO on macOS and iOS 
+title: Configure SSO on macOS and iOS
 description: Learn how to configure single sign on (SSO) on macOS and iOS.
 services: active-directory
 author: henrymbuguakiarie
@@ -9,35 +9,33 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 02/03/2020
+ms.date: 11/23/2022
 ms.author: henrymbugua
-ms.reviewer: 
-ms.custom: aaddev
+ms.reviewer:
+ms.custom: aaddev, engagement-fy23
 ---
 
 # Configure SSO on macOS and iOS
 
-The Microsoft Authentication Library (MSAL) for macOS and iOS supports Single Sign-on (SSO) between macOS/iOS apps and browsers. This article covers the following SSO scenarios:
+The Microsoft Authentication Library (MSAL) for macOS and iOS supports single sign-on (SSO) between macOS/iOS apps and browsers. This article covers the following SSO scenarios:
 
 - [Silent SSO between multiple apps](#silent-sso-between-apps)
 
-This type of SSO works between multiple apps distributed by the same Apple Developer. It provides silent SSO (that is, the user isn't prompted for credentials) by reading refresh tokens written by other apps from the keychain, and exchanging them for access tokens silently.  
+This type of SSO works between multiple apps distributed by the same Apple Developer. It provides silent SSO (that is, the user isn't prompted for credentials) by reading refresh tokens written by other apps from the keychain, and exchanging them for access tokens silently.
 
 - [SSO through Authentication broker](#sso-through-authentication-broker-on-ios)
 
-> [!IMPORTANT]
-> This flow is not available on macOS.
+The SSO through authentication broker isn't available on macOS.
 
-Microsoft provides apps, called brokers, that enable SSO between applications from different vendors as long as the mobile device is registered with Azure Active Directory (AAD). This type of SSO requires a broker application be installed on the user's device.
+Microsoft provides apps called brokers, that enable SSO between applications from different vendors as long as the mobile device is registered with Azure Active Directory (Azure AD). This type of SSO requires a broker application be installed on the user's device.
 
 - **SSO between MSAL and Safari**
 
 SSO is achieved through the [ASWebAuthenticationSession](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession?language=objc) class. It uses existing sign-in state from other apps and the Safari browser. It's not limited to apps distributed by the same Apple Developer, but it requires some user interaction.
 
 If you use the default web view in your app to sign in users, you'll get automatic SSO between MSAL-based applications and Safari. To learn more about the web views that MSAL supports, visit [Customize browsers and WebViews](customize-webviews.md).
 
-> [!IMPORTANT]
-> This type of SSO is currently not available on macOS. MSAL on macOS only supports WKWebView which doesn't have SSO support with Safari. 
+This type of SSO is currently not available on macOS. MSAL on macOS only supports WKWebView which doesn't have SSO support with Safari.
 
 - **Silent SSO between ADAL and MSAL macOS/iOS apps**
 
@@ -64,10 +62,9 @@ The way the Microsoft identity platform tells apps that use the same Application
 
 App1 Redirect URI: `msauth.com.contoso.mytestapp1://auth`  
 App2 Redirect URI: `msauth.com.contoso.mytestapp2://auth`  
-App3 Redirect URI: `msauth.com.contoso.mytestapp3://auth`  
+App3 Redirect URI: `msauth.com.contoso.mytestapp3://auth`
 
-> [!IMPORTANT]
-> The format of redirect URIs must be compatible with the format MSAL supports, which is documented in [MSAL Redirect URI format requirements](redirect-uris-ios.md#msal-redirect-uri-format-requirements).
+The format of redirect URIs must be compatible with the format MSAL supports, which is documented in [MSAL Redirect URI format requirements](redirect-uris-ios.md#msal-redirect-uri-format-requirements).
 
 ### Setup keychain sharing between applications
 
@@ -92,8 +89,9 @@ When you have the entitlements set up correctly, you'll see a `entitlements.plis
 #### Add a new keychain group
 
 Add a new keychain group to your project **Capabilities**. The keychain group should be:
-* `com.microsoft.adalcache` on iOS 
-* `com.microsoft.identity.universalstorage` on macOS.
+
+- `com.microsoft.adalcache` on iOS
+- `com.microsoft.identity.universalstorage` on macOS.
 
 ![keychain example](media/single-sign-on-macos-ios/keychain-example.png)
 
@@ -109,7 +107,7 @@ Objective-C:
 NSError *error = nil;
 MSALPublicClientApplicationConfig *configuration = [[MSALPublicClientApplicationConfig alloc] initWithClientId:@"<my-client-id>"];
 configuration.cacheConfig.keychainSharingGroup = @"my.keychain.group";
-    
+
 MSALPublicClientApplication *application = [[MSALPublicClientApplication alloc] initWithConfiguration:configuration error:&error];
 ```
 
@@ -136,48 +134,48 @@ That's it! The Microsoft identity SDK will now share credentials across all your
 
 ## SSO through Authentication broker on iOS
 
-MSAL provides support for brokered authentication with Microsoft Authenticator. Microsoft Authenticator provides SSO for AAD registered devices, and also helps your application follow Conditional Access policies.
+MSAL provides support for brokered authentication with Microsoft Authenticator. Microsoft Authenticator provides SSO for Azure AD registered devices, and also helps your application follow Conditional Access policies.
 
 The following steps are how you enable SSO using an authentication broker for your app:
 
 1. Register a broker compatible Redirect URI format for the application in your app's Info.plist. The broker compatible Redirect URI format is `msauth.<app.bundle.id>://auth`. Replace `<app.bundle.id>`` with your application's bundle ID. For example:
 
-    ```xml
-    <key>CFBundleURLSchemes</key>
-    <array>
-        <string>msauth.<app.bundle.id></string>
-    </array>
-    ```
+   ```xml
+   <key>CFBundleURLSchemes</key>
+   <array>
+       <string>msauth.<app.bundle.id></string>
+   </array>
+   ```
 
 1. Add following schemes to your app's Info.plist under `LSApplicationQueriesSchemes`:
 
-    ```xml
-    <key>LSApplicationQueriesSchemes</key>
-    <array>
-         <string>msauthv2</string>
-         <string>msauthv3</string>
-    </array>
-    ```
+   ```xml
+   <key>LSApplicationQueriesSchemes</key>
+   <array>
+        <string>msauthv2</string>
+        <string>msauthv3</string>
+   </array>
+   ```
 
 1. Add the following to your `AppDelegate.m` file to handle callbacks:
 
-    Objective-C:
-    
-    ```objc
-    - (BOOL)application:(UIApplication *)app openURL:(NSURL *)url options:(NSDictionary<NSString *,id> *)options
-    {
-        return [MSALPublicClientApplication handleMSALResponse:url sourceApplication:options[UIApplicationOpenURLOptionsSourceApplicationKey]];
-    }
-    ```
-    
-    Swift:
-    
-    ```swift
-    func application(_ app: UIApplication, open url: URL, options: [UIApplication.OpenURLOptionsKey : Any] = [:]) -> Bool {
-        return MSALPublicClientApplication.handleMSALResponse(url, sourceApplication: options[UIApplication.OpenURLOptionsKey.sourceApplication] as? String)
-    }
-    ```
-    
+   Objective-C:
+
+   ```objc
+   - (BOOL)application:(UIApplication *)app openURL:(NSURL *)url options:(NSDictionary<NSString *,id> *)options
+   {
+       return [MSALPublicClientApplication handleMSALResponse:url sourceApplication:options[UIApplicationOpenURLOptionsSourceApplicationKey]];
+   }
+   ```
+
+   Swift:
+
+   ```swift
+   func application(_ app: UIApplication, open url: URL, options: [UIApplication.OpenURLOptionsKey : Any] = [:]) -> Bool {
+       return MSALPublicClientApplication.handleMSALResponse(url, sourceApplication: options[UIApplication.OpenURLOptionsKey.sourceApplication] as? String)
+   }
+   ```
+
 **If you are using Xcode 11**, you should place MSAL callback into the `SceneDelegate` file instead.
 If you support both UISceneDelegate and UIApplicationDelegate for compatibility with older iOS, MSAL callback would need to be placed into both files.
 
@@ -189,7 +187,7 @@ Objective-C:
      UIOpenURLContext *context = URLContexts.anyObject;
      NSURL *url = context.URL;
      NSString *sourceApplication = context.options.sourceApplication;
-     
+
      [MSALPublicClientApplication handleMSALResponse:url sourceApplication:sourceApplication];
  }
 ```
@@ -198,14 +196,14 @@ Swift:
 
 ```swift
 func scene(_ scene: UIScene, openURLContexts URLContexts: Set<UIOpenURLContext>) {
-        
+
         guard let urlContext = URLContexts.first else {
             return
         }
-        
+
         let url = urlContext.url
         let sourceApp = urlContext.options.sourceApplication
-        
+
         MSALPublicClientApplication.handleMSALResponse(url, sourceApplication: sourceApp)
     }
 ```

articles/backup/backup-azure-enhanced-soft-delete-about.md

@@ -3,7 +3,7 @@ title: Overview of enhanced soft delete for Azure Backup (preview)
 description: This article gives an overview of enhanced soft delete for Azure Backup.
 ms.topic: conceptual
 ms.custom: references_regions
-ms.date: 10/13/2022
+ms.date: 11/24/2022
 author: v-amallick
 ms.service: backup
 ms.author: v-amallick
@@ -55,7 +55,7 @@ The key benefits of enhanced soft delete are:
 
 ## Supported regions
 
-Enhanced soft delete is currently available in the following regions: West Central US, Australia East, and North Europe.
+Enhanced soft delete is currently available in the following regions: East US, West US, West US 2, West Central US, Japan East, , Brazil South, Australia East, and North Europe.
 
 ## Supported scenarios
 

articles/data-factory/TOC.yml

@@ -1199,6 +1199,9 @@ items:
       - name: Dynamics 365, Dataverse (Common Data Service), and Dynamics CRM
         href: connector-troubleshoot-dynamics-dataverse.md
         displayName: troubleshooting
+      - name: File System
+        href: connector-troubleshoot-file-system.md
+        displayName: troubleshooting        
       - name: FTP, SFTP, and HTTP
         href: connector-troubleshoot-ftp-sftp-http.md
         displayName: troubleshooting

articles/data-factory/connector-file-system.md

@@ -7,7 +7,7 @@ ms.service: data-factory
 ms.subservice: data-movement
 ms.custom: synapse
 ms.topic: conceptual
-ms.date: 12/13/2021
+ms.date: 11/10/2022
 ms.author: jianleishen
 ---
 
@@ -34,13 +34,10 @@ This file system connector is supported for the following capabilities:
 
 Specifically, this file system connector supports:
 
-- Copying files from/to local machine or network file share. To use a Linux file share, install [Samba](https://www.samba.org/) on your Linux server.
+- Copying files from/to network file share. To use a Linux file share, install [Samba](https://www.samba.org/) on your Linux server.
 - Copying files using **Windows** authentication.
 - Copying files as-is or parsing/generating files with the [supported file formats and compression codecs](supported-file-formats-and-compression-codecs.md).
 
-> [!NOTE]
-> Mapped network drive is not supported when loading data from a network file share. Use the actual path instead e.g. ` \\server\share`.
-
 ## Prerequisites
 
 [!INCLUDE [data-factory-v2-integration-runtime-requirements](includes/data-factory-v2-integration-runtime-requirements.md)]
@@ -91,12 +88,15 @@ The following properties are supported for file system linked service:
 
 | Scenario | "host" in linked service definition | "folderPath" in dataset definition |
 |:--- |:--- |:--- |
-| Local folder on Integration Runtime machine: <br/><br/>Examples: D:\\\* or D:\folder\subfolder\\* |In JSON: `D:\\`<br/>On UI: `D:\` |In JSON: `.\\` or `folder\\subfolder`<br>On UI: `.\` or `folder\subfolder` |
 | Remote shared folder: <br/><br/>Examples: \\\\myserver\\share\\\* or \\\\myserver\\share\\folder\\subfolder\\* |In JSON: `\\\\myserver\\share`<br/>On UI: `\\myserver\share` |In JSON: `.\\` or `folder\\subfolder`<br/>On UI: `.\` or `folder\subfolder` |
 
 >[!NOTE]
 >When authoring via UI, you don't need to input double backslash (`\\`) to escape like you do via JSON, specify single backslash.
 
+>[!NOTE]
+>Copying files from local machine is not supported under Azure Integration Runtime.<br>
+>Refer to the command line from [here](create-self-hosted-integration-runtime.md#set-up-an-existing-self-hosted-ir-via-local-powershell) to enable the access to the local machine under Self-hosted integration runtime. By default, it's disabled.
+
 **Example:**
 
 ```json

articles/data-factory/connector-troubleshoot-file-system.md

@@ -0,0 +1,39 @@
+---
+title: Troubleshoot the file system connector
+titleSuffix: Azure Data Factory & Azure Synapse
+description: Learn how to troubleshoot issues with the file system connector in Azure Data Factory and Azure Synapse Analytics. 
+author: jianleishen
+ms.service: data-factory
+ms.subservice: data-movement
+ms.topic: troubleshooting
+ms.date: 11/23/2022
+ms.author: jianleishen
+ms.custom: has-adal-ref, synapse
+---
+
+# Troubleshoot the file system connector in Azure Data Factory and Azure Synapse
+
+[!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
+
+This article provides suggestions to troubleshoot common problems with the file system connector in Azure Data Factory and Azure Synapse.
+
+## Error code: AccessToOnPremFileSystemDenied
+
+- **Message**: `Access to '%path;' is not allowed.`
+
+- **Cause**: Copying files from local machine is not supported under Azure Integration Runtime. For Self-hosted Integration Runtime (versions >= 5.22.8297.1) , Azure Data Factory is introducing a new security control to allow or disallow local SHIR file system access through the connector.  By default, it's disabled.
+
+- **Recommendation**: Using command line from [Set up an existing self-hosted IR via local PowerShell](create-self-hosted-integration-runtime.md#set-up-an-existing-self-hosted-ir-via-local-powershell) , you could allow or disallow local SHIR file system access.
+
+
+## Next steps
+
+For more troubleshooting help, try these resources:
+
+- [Connector troubleshooting guide](connector-troubleshoot-guide.md)
+- [Data Factory blog](https://azure.microsoft.com/blog/tag/azure-data-factory/)
+- [Data Factory feature requests](/answers/topics/azure-data-factory.html)
+- [Azure videos](https://azure.microsoft.com/resources/videos/index/?sort=newest&services=data-factory)
+- [Microsoft Q&A page](/answers/topics/azure-data-factory.html)
+- [Stack Overflow forum for Data Factory](https://stackoverflow.com/questions/tagged/azure-data-factory)
+- [Twitter information about Data Factory](https://twitter.com/hashtag/DataFactory)

articles/data-factory/create-self-hosted-integration-runtime.md

@@ -199,6 +199,8 @@ Here are details of the application's actions and arguments:
 |`-ssa`,<br/>`-SwitchServiceAccount`|"`<domain\user>`" ["`<password>`"]|Set DIAHostService to run as a new account. Use the empty password "" for system accounts and virtual accounts.|
 |`-elma`,<br/>`-EnableLocalMachineAccess`|| Enable local machine access (localhost, private IP) on the current self-hosted IR node. In self-hosted IR High Availability scenario, the action needs to be invoked on every self-hosted IR node.|
 |`-dlma`,<br/>`-DisableLocalMachineAccess`|| Disable local machine access (localhost, private IP) on the current self-hosted IR node. In self-hosted IR High Availability scenario, the action needs to be invoked on every self-hosted IR node.|
+|`-DisableLocalFolderPathValidation`|| Disable security validation to enable access to file system of the local machine.|
+|`-EnableLocalFolderPathValidation`||  Enable security validation to disable access to file system of the local machine. |
 
 ## Install and register a self-hosted IR from Microsoft Download Center
 

articles/data-factory/media/connector-file-system/configure-file-system-linked-service.png

@@ -30,7 +30,7 @@ This article shows how to create a Rule Set and your first set of rules using th
     > [!NOTE]
     > * To delete a condition or action from a rule, use the trash can on the right-hand side of the specific condition or action.
     > * To create a rule that applies to all incoming traffic, do not specify any conditions.
-    > * To stop evaluating remaining rules if a specific rule is met, check **Stop evaluating remaining rule**. If this option is checked then all remaining rules in the Rule Set will not be executed regardless if the matching conditions were met.
+    > * To stop evaluating remaining rules if a specific rule is met, check **Stop evaluating remaining rule**. If this option is checked then all remaining rules in that Rule Set as well as all the remaining Rule Sets associated with the route will not be executed regardless of the matching conditions being met.
     > * All paths in Rules Engine are case sensitive.
     > * Header names should adhere to [RFC 7230](https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6).
 

articles/frontdoor/standard-premium/how-to-configure-rule-set.md

@@ -108,13 +108,10 @@ Here is an example of configuring pglogical at the provider database server and
    \C myDB
    CREATE EXTENSION pglogical;
    ```
-2. If the replication user is other than the server administration user (who created the server), make sure that you assign `azure_pg_admin` and `replication` privileges to the user. Alternatively, you can grant the administrator user to the replication user. See [pglogical documentation](https://github.com/2ndQuadrant/pglogical#limitations-and-restrictions) for details.
+2. If the replication user is other than the server administration user (who created the server), make sure that you grant membership in a role `azure_pg_admin` to the user and assign REPLICATION and LOGIN attributes to the user. See [pglogical documentation](https://github.com/2ndQuadrant/pglogical#limitations-and-restrictions) for details.
    ```SQL
-   GRANT azure_pg_admin, replication to myUser;
-   ```
-   or
-   ```SQL
-   GRANT myAdminUser to myUser;
+   GRANT azure_pg_admin to myUser;
+   ALTER ROLE myUser REPLICATION LOGIN;
    ```
 2. At the **provider** (source/publisher) database server, create the provider node.
    ```SQL