Merge pull request #217483 from MicrosoftDocs/main

11/07 PM Publish

Author: huypub

articles/active-directory/develop/TOC.yml

@@ -183,6 +183,8 @@
           href: app-resilience-continuous-access-evaluation.md
         - name: Claims challenges and requests
           href: claims-challenge.md
+        - name: Configure app instance property lock
+          href: howto-configure-app-instance-property-locks.md
     - name: Test
       items:
         - name: Build a test environment

articles/active-directory/develop/howto-configure-app-instance-property-locks.md

@@ -0,0 +1,54 @@
+---
+title: "How to configure app instance property lock in your applications"
+description: How to increase app security by configuring property modification locks for sensitive properties of the application.
+services: active-directory
+manager: saumadan
+ms.service: active-directory
+ms.subservice: develop
+ms.topic: conceptual
+ms.workload: identity
+ms.date: 11/03/2022
+author: madansr7
+ms.author: saumadan
+ms.reviewer:
+# Customer intent: As an application developer, I want to learn how to protect properties of my application instance of being modified.
+---
+# How to configure app instance property lock for your applications (Preview)
+
+Application instance lock is a feature in Azure Active Directory (Azure AD) that allows sensitive properties of a multi-tenant application object to be locked for modification after the application is provisioned in another tenant. 
+This feature provides application developers with the ability to lock certain properties if the application doesn't support scenarios that require configuring those properties.  
+
+
+## What are sensitive properties?
+
+The following property usage scenarios are considered as sensitive:
+
+- Credentials (`keyCredentials`, `passwordCredentials`) where usage type is `Sign`. This is a scenario where your application supports a SAML flow.
+- Credentials (`keyCredentials`, `passwordCredentials`) where usage type is `Verify`. In this scenario, your application supports an OIDC client credentials flow.
+- `TokenEncryptionKeyId` which specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD encrypts all the tokens it emits by using the key to which this property points. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user.
+
+## Configure an app instance lock
+
+To configure an app instance lock using the Azure portal:
+
+1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.
+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant that contains the app registration you want to configure. 
+1. Search for and select **Azure Active Directory**.
+1. Under **Manage**, select **App registrations**, and then select the application you want to configure.
+1. Select **Authentication**, and then select **Configure** under the *App instance property lock* section.
+
+   :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-overview.png" alt-text="Screenshot of an app registration's app instance lock in the Azure portal.":::
+
+2. In the **App instance property lock** pane, enter the settings for the lock. The table following the image describes each setting and their parameters.
+
+   :::image type="content" source="media/howto-configure-app-instance-property-locks/app-instance-lock-configure-properties.png" alt-text="Screenshot of an app registration's app instance property lock context pane in the Azure portal.":::
+
+   | Field                                    | Description                                                                                                                                                                                                                                                                                                       |
+   | ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+   | **Enable property lock**                 | Specifies if the property locks are enabled.    | 
+   | **All properties**                 | Locks all sensitive properties without needing to select each property scenario. |
+   | **Credentials used for verification**                                | Locks the ability to add or update credential properties (`keyCredentials`, `passwordCredentials`) where usage type is `verify`. | 
+   | **Credentials used for signing tokens**                                | Locks the ability to add or update credential properties (`keyCredentials`, `passwordCredentials`) where usage type is `sign`. | 
+   | **Token Encryption KeyId**                                | Locks the ability to change the `tokenEncryptionKeyId` property.  | 
+
+3. Select **Save** to save your changes.

articles/active-directory/develop/media/howto-configure-app-instance-property-locks/app-instance-lock-configure-overview.png

@@ -67,7 +67,7 @@ Use the following steps to create a pre-hire workflow that will generate a TAP a
 
      :::image type="content" source="media/tutorial-lifecycle-workflows/configure-scope.png" alt-text="Screenshot of selecting a configuration scope." lightbox="media/tutorial-lifecycle-workflows/configure-scope.png":::
 
-   8.  Next, you will configure the scope. The scope determines which users this workflow will run against.  In this case, it will be on all users in the Sales department.  On the configure scope screen, under **Rule** add the following settings and then select **Next: Review tasks**
+   8.  Next, you will configure the scope. The scope determines which users this workflow will run against.  In this case, it will be on all users in the Sales department.  On the configure scope screen, under **Rule** add the following settings and then select **Next: Review tasks**. For a full list of supported user properties, see: [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta#supported-user-properties-and-query-parameters)
 
        :::image type="content" source="media/tutorial-lifecycle-workflows/review-tasks.png" alt-text="Screenshot of selecting review tasks." lightbox="media/tutorial-lifecycle-workflows/review-tasks.png":::
 

articles/active-directory/develop/media/howto-configure-app-instance-property-locks/app-instance-lock-configure-properties.png

@@ -50,7 +50,7 @@ Use the following steps to create a scheduled leaver workflow that will configur
  7. Next, you will configure the basic information about the workflow.  This information includes when the workflow will trigger, known as **Days from event**.  So in this case, the workflow will trigger seven days after the employee's leave date.  On the post-offboarding of an employee screen, add the following settings and then select **Next: Configure Scope**. 
    :::image type="content" source="media/tutorial-lifecycle-workflows/leaver-basics.png" alt-text="Screenshot of leaver template basics information for a workflow." lightbox="media/tutorial-lifecycle-workflows/leaver-basics.png":::
 
- 8. Next, you will configure the scope. The scope determines which users this workflow will run against.  In this case, it will be on all users in the Marketing department.  On the configure scope screen, under **Rule** add the following and then select **Next: Review tasks**.
+ 8. Next, you will configure the scope. The scope determines which users this workflow will run against.  In this case, it will be on all users in the Marketing department.  On the configure scope screen, under **Rule** add the following and then select **Next: Review tasks**. For a full list of supported user properties, see: [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta#supported-user-properties-and-query-parameters)
    :::image type="content" source="media/tutorial-lifecycle-workflows/leaver-scope.png" alt-text="Screenshot of reviewing scope details for a leaver workflow." lightbox="media/tutorial-lifecycle-workflows/leaver-scope.png":::
 
  9. On the following page, you may inspect the tasks if desired but no additional configuration is needed. Select **Next: Select users** when you are finished.

articles/active-directory/governance/tutorial-onboard-custom-workflow-portal.md

@@ -55,7 +55,7 @@ The SLA attainment is truncated at three places after the decimal. Numbers are n
 | July      | 99.999% | 99.999% |
 | August    | 99.999% | 99.999% |
 | September | 99.999% | 99.998% |
-| October   | 99.999% |         |
+| October   | 99.999% | 99.999% |
 | November  | 99.998% |         |
 | December  | 99.978% |         |
 

articles/active-directory/governance/tutorial-scheduled-leaver-portal.md

@@ -91,11 +91,21 @@ sections:
         answer: |
           Azure AD may redact part of an IP address in the sign-in logs to protect user privacy when a user may not belong to the tenant viewing the logs. This action happens in two cases: first, during cross tenant sign ins, such as when a CSP technician signs into a tenant that CSP manages. Second, when our service wasn't able to determine the user's identity with sufficient confidence to be sure the user belongs to the tenant viewing the logs.
 
+      - question: |
+          I selected the **Load More** button in the Azure portal sign-in logs, but no more results appeared. Why is that happening?
+        answer: |
+          This is a known issue with a fix on the way from Azure AD engineering, where if during a 24h period in the results of your query has no sign-ins, no sign-ins will appear when you click **Load More**. If your tenant is impacted by this issue, select the **Load More** button multiple times. You can also work around this issue by increasing the scope of your query so that each 24h period in your response has sign-ins.
+
       - question: |
           I see "PII Removed" in the Device Details of a user in my sign-in logs. Why is that happening?
         answer: |
           Azure AD redacts Personally Identifiable Information (PII) generated by devices that do not belong to your tenant to ensure customer data does not spread beyond tenant boundaries without user and data owner consent.
 
+      - question: |
+          I clicked the Load More button in the Azure portal Sign-in logs blade, but no more results appeared. Why is that happening?
+        answer: |
+          This is a known issue with a fix on the way from Azure AD engineering where if a 24h period in the results of your query has no sign-ins, no sign-ins will appear when you click Load More. If your tenant is impacted by this issue, you can load more results by clicking the Load More button multiple times. You can also work around this issue by increasing the scope of your query so that each 24h period in your response has sign-ins.
+
       - question: |
           I see duplicate sign-in entries / multiple sign-in events per requestID. Why is that happening?
         answer: |

articles/active-directory/reports-monitoring/reference-azure-ad-sla-performance.md

@@ -10,9 +10,10 @@ ms.custom: fasttrack-edit
 # Network concepts for applications in Azure Kubernetes Service (AKS)
 
 In a container-based, microservices approach to application development, application components work together to process their tasks. Kubernetes provides various resources enabling this cooperation:
-* You can connect to and expose applications internally or externally. 
-* You can build highly available applications by load balancing your applications. 
-* For your more complex applications, you can configure ingress traffic for SSL/TLS termination or routing of multiple components. 
+
+* You can connect to and expose applications internally or externally.
+* You can build highly available applications by load balancing your applications.
+* For your more complex applications, you can configure ingress traffic for SSL/TLS termination or routing of multiple components.
 * For security reasons, you can restrict the flow of network traffic into or between pods and nodes.
 
 This article introduces the core concepts that provide networking to your applications in AKS:
@@ -27,9 +28,11 @@ This article introduces the core concepts that provide networking to your applic
 To allow access to your applications or between application components, Kubernetes provides an abstraction layer to virtual networking. Kubernetes nodes connect to a virtual network, providing inbound and outbound connectivity for pods. The *kube-proxy* component runs on each node to provide these network features.
 
 In Kubernetes:
-* *Services* logically group pods to allow for direct access on a specific port via an IP address or DNS name. 
-* You can distribute traffic using a *load balancer*. 
-* More complex routing of application traffic can also be achieved with *Ingress Controllers*. 
+
+* *Services* logically group pods to allow for direct access on a specific port via an IP address or DNS name.
+* You can distribute traffic using a *load balancer*.
+* More complex routing of application traffic can also be achieved with *Ingress Controllers*.
+* You can *control outbound (egress) traffic* for cluster nodes.
 * Security and filtering of the network traffic for pods is possible with Kubernetes *network policies*.
 
 The Azure platform also simplifies virtual networking for AKS clusters. When you create a Kubernetes load balancer, you also create and configure the underlying Azure load balancer resource. As you open network ports to pods, the corresponding Azure network security group rules are configured. For HTTP application routing, Azure can also configure *external DNS* as new ingress routes are configured.
@@ -158,6 +161,7 @@ The LoadBalancer only works at layer 4. At layer 4, the Service is unaware of th
 ![Diagram showing Ingress traffic flow in an AKS cluster][aks-ingress]
 
 ### Create an ingress resource
+
 In AKS, you can create an Ingress resource using NGINX, a similar tool, or the AKS HTTP application routing feature. When you enable HTTP application routing for an AKS cluster, the Azure platform creates the Ingress controller and an *External-DNS* controller. As new Ingress resources are created in Kubernetes, the required DNS A records are created in a cluster-specific DNS zone. 
 
 For more information, see [Deploy HTTP application routing][aks-http-routing].
@@ -180,11 +184,17 @@ Configure your ingress controller to preserve the client source IP on requests t
 
 If you're using client source IP preservation on your ingress controller, you can't use TLS pass-through. Client source IP preservation and TLS pass-through can be used with other services, such as the *LoadBalancer* type.
 
+## Control outbound (egress) traffic
+
+AKS clusters are deployed on a virtual network and have outbound dependencies on services outside of that virtual network. These outbound dependencies are almost entirely defined with fully qualified domain names (FQDNs). By default, AKS clusters have unrestricted outbound (egress) internet access. This allows the nodes and services you run to access external resources as needed. If desired, you can restrict outbound traffic.
+
+For more information, see [Control egress traffic for cluster nodes in AKS][limit-egress].
+
 ## Network security groups
 
 A network security group filters traffic for VMs like the AKS nodes. As you create Services, such as a LoadBalancer, the Azure platform automatically configures any necessary network security group rules. 
 
-You don't need to manually configure network security group rules to filter traffic for pods in an AKS cluster. Simply define any required ports and forwarding as part of your Kubernetes Service manifests. Let the Azure platform create or update the appropriate rules. 
+You don't need to manually configure network security group rules to filter traffic for pods in an AKS cluster. Simply define any required ports and forwarding as part of your Kubernetes Service manifests. Let the Azure platform create or update the appropriate rules.
 
 You can also use network policies to automatically apply traffic filter rules to pods.
 
@@ -237,3 +247,4 @@ For more information on core Kubernetes and AKS concepts, see the following arti
 [use-network-policies]: use-network-policies.md
 [operator-best-practices-network]: operator-best-practices-network.md
 [support-policies]: support-policies.md
+[limit-egress]: limit-egress-traffic.md

articles/active-directory/reports-monitoring/reports-faq.yml

@@ -93,8 +93,10 @@ To modify email settings:
     * **Administrator email** - the email address to receive all system notifications and other configured notifications
     * **Organization name** - the name of your organization for use in the developer portal and notifications 
     * **Originating email address** - The value of the `From` header for notifications from the API Management instance. API Management sends notifications on behalf of this originating address.
-
-        :::image type="content" source="media/api-management-howto-configure-notifications/configure-email-settings.png" alt-text="Screenshot of API Management email settings in the portal":::
+    > [!NOTE]
+    > When you change the Originating email address, some recipients may not receive the auto-generated emails from API Management or emails may get sent to the Junk/Spam folder. This happens because the email no longer passes SPF Authentication after you change the Originating email address domain. To ensure successful SPF Authentication and delivery of email, create the following TXT record in the DNS database of the domain specified in the email address. For instance, if the email address is `[email protected]`, you will need to contact the administrator of contoso.com to add the following TXT record: **"v=spf1 include:spf.protection.outlook.com include:_spf-ssg-a.microsoft.com -all"** 
+    
+      :::image type="content" source="media/api-management-howto-configure-notifications/configure-email-settings.png" alt-text="Screenshot of API Management email settings in the portal":::
 1. Select **Save**.
 
 ## Next steps