Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into patricka-supported-platforms

Author: PatAltimore

articles/active-directory-b2c/partner-akamai-secure-hybrid-access.md

@@ -40,7 +40,7 @@ To get started, you'll need:
 
 - An application that uses headers for authentication. In this sample, we'll use an application that displays headers [docker header-demo-app](https://hub.docker.com/r/mistermik/header-demo-app).
 
-- **OR** an OpenID Connect (OIDC) application. In this sample, we'll use an [ASP.NET MVC web app](https://learn.microsoft.com/azure/active-directory/develop/tutorial-v2-asp-webapp) that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform.
+- **OR** an OpenID Connect (OIDC) application. In this sample, we'll use an [ASP.NET MVC web app](../active-directory/develop/tutorial-v2-asp-webapp.md) that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform.
 
 ## Scenario description
 
@@ -111,9 +111,9 @@ Akamai Enterprise Application Access supports SAML federation with cloud IdPs li
 
 2. Create a signing certificate for Azure AD B2C to sign the SAML response sent to Akamai Enterprise Application Access:
 
-   a. [**Obtain a certificate**](https://learn.microsoft.com/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy#obtain-a-certificate). If you don't already have a certificate, you can use a self-signed certificate.
+   a. [**Obtain a certificate**](saml-service-provider.md?tabs=windows&pivots=b2c-custom-policy#obtain-a-certificate). If you don't already have a certificate, you can use a self-signed certificate.
 
-   b. [**Upload the certificate**](https://learn.microsoft.com/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy#upload-the-certificate) in your Azure AD B2C tenant. Take note of the name as it will be needed in the `TechnicalProfile` mentioned in the next steps.
+   b. [**Upload the certificate**](./saml-service-provider.md?tabs=windows&pivots=b2c-custom-policy#upload-the-certificate) in your Azure AD B2C tenant. Take note of the name as it will be needed in the `TechnicalProfile` mentioned in the next steps.
 
 3. Enable your policy to connect with a SAML application.
 
@@ -398,7 +398,7 @@ Once the Application is deployed in a private environment and a connector is cap
 
 #### Option 2: OpenID Connect
 
-In this sample, we'll use a [ASP.NET MVC web app](https://learn.microsoft.com/azure/active-directory/develop/tutorial-v2-asp-webapp) that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform.
+In this sample, we'll use a [ASP.NET MVC web app](../active-directory/develop/tutorial-v2-asp-webapp.md) that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform.
 
 1. Configure the OIDC to SAML bridging in the **AZURE AD B2C SAML IdP** created with the previous steps.
 
@@ -422,7 +422,7 @@ In this sample, we'll use a [ASP.NET MVC web app](https://learn.microsoft.com/az
 
    [ ![Screenshot shows the akamai oidc app claim settings.](./media/partner-akamai-secure-hybrid-access/akamai-oidc-claims-settings.png)](./media/partner-akamai-secure-hybrid-access/akamai-oidc-claims-settings.png#lightbox)
 
-7. Replace startup class with the following code in the [ASP.NET MVC web app](https://learn.microsoft.com/azure/active-directory/develop/tutorial-v2-asp-webapp).
+7. Replace startup class with the following code in the [ASP.NET MVC web app](../active-directory/develop/tutorial-v2-asp-webapp.md).
 
    These few changes configure the Authorization code flow grant, the authorization code will be redeemed for tokens at the token endpoint for the application, and it introduces the Metadata Address to set the discovery endpoint for obtaining metadata from Akamai.
 
@@ -496,7 +496,7 @@ In this sample, we'll use a [ASP.NET MVC web app](https://learn.microsoft.com/az
 
 8. In the `web.config` file add the Metadata address, replace clientId, clientsecret, authority, redirectUri and PostLogoutRedirectUri with the values from the Akamai application in `appSettings`.
 
-   You can find these values in the previous step 5 in the  OpenID tab for the HTTP Akamai Application, where you created `Discovery URL=MetadataAddress`. `redirectUri` is the local address for the Akamai connector to resolve to the local OIDC application. `Authority` is the authorization_endpoint you can find from your `.well-known/openid-configuration` [document](https://learn.microsoft.com/azure/active-directory/develop/v2-protocols-oidc).
+   You can find these values in the previous step 5 in the  OpenID tab for the HTTP Akamai Application, where you created `Discovery URL=MetadataAddress`. `redirectUri` is the local address for the Akamai connector to resolve to the local OIDC application. `Authority` is the authorization_endpoint you can find from your `.well-known/openid-configuration` [document](../active-directory/develop/v2-protocols-oidc.md).
 
    Discovery URL: `https://fabrikam.login.go.akamai-access.com/.well-known/openid-configuration`
 
@@ -532,8 +532,8 @@ In this sample, we'll use a [ASP.NET MVC web app](https://learn.microsoft.com/az
 
 - [Akamai Enterprise Application Access getting started documentation](https://techdocs.akamai.com/eaa/docs/welcome-guide)
 
-- [Custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-overview)
+- [Custom policies in Azure AD B2C](custom-policy-overview.md)
 
-- [Get started with custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-get-started?tabs=applications)
+- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)
 
-- [Register a SAML application in Azure AD B2C](https://learn.microsoft.com/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy)
+- [Register a SAML application in Azure AD B2C](saml-service-provider.md?tabs=windows&pivots=b2c-custom-policy)

articles/active-directory/manage-apps/assign-app-owners.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: app-mgmt
 ms.topic: how-to
-ms.date: 12/02/2021
+ms.date: 12/05/2022
 ms.author: saibandaru
 #Customer intent: As an Azure AD administrator, I want to assign owners to enterprise applications.
 

articles/active-directory/manage-apps/overview-assign-app-owners.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: app-mgmt
 ms.topic: conceptual
-ms.date: 02/11/2022
+ms.date: 12/05/2022
 ms.author: saibandaru
 
 #Customer intent: As an Azure AD administrator, I want to learn about enterprise application ownership.
@@ -32,7 +32,11 @@ If you have an ownerless application in your tenant, you can access the audit lo
 
 You may also see other users who have scoped permissions on the application by navigating to “Roles and Administrators” tab. Once you find the right person to own the application, a user with a highly privileged administrative role in the organization can assign the new owner for the application. See [Assign enterprise application owners](assign-app-owners.md).
 
-As a best practice, we recommend proactive monitoring applications in your environment to ensure there are at least two owners, where possible, to avoid the situation of ownerless apps. Additionally, you should utilize the serviceManagementReference property on the application object to reference the team contact information from your enterprise Service or Asset Management Database. The serviceManagementReference property ensures you have team contact even if an individual leaves the organization. 
+As a best practice, we recommend proactive monitoring applications in your environment to ensure there are at least two owners, where possible, to avoid the situation of ownerless apps. Additionally, you should utilize the serviceManagementReference property on the application object to reference the team contact information from your enterprise Service or Asset Management Database. The serviceManagementReference property ensures you have team contact even if an individual leaves the organization.
+
+**How can I find enterprise applications that are ownerless or at risk of being ownerless in my organization?**
+
+To learn how to identify ownerless enterprise apps or those with only one owner using Microsoft Graph API, see [List ownerless applications](/graph/tutorial-applications-basics.md#manage-application-ownership).
 
 **How do you add yourself as an owner of an enterprise application?**
 

articles/aks/azure-ad-rbac.md

@@ -4,7 +4,7 @@ titleSuffix: Azure Kubernetes Service
 description: Learn how to use Azure Active Directory group membership to restrict access to cluster resources using Kubernetes role-based access control (Kubernetes RBAC) in Azure Kubernetes Service (AKS)
 services: container-service
 ms.topic: article
-ms.date: 03/17/2021
+ms.date: 12/07/2022
 
 ---
 
@@ -18,7 +18,34 @@ This article shows you how to control access using Kubernetes RBAC in an AKS clu
 
 This article assumes that you have an existing AKS cluster enabled with Azure AD integration. If you need an AKS cluster, see [Integrate Azure Active Directory with AKS][azure-ad-aks-cli].
 
-You need the Azure CLI version 2.0.61 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
+Kubernetes RBAC is enabled by default during AKS cluster creation. If Kubernetes RBAC wasn't enabled when you originally deployed your cluster, you'll need to delete and recreate your cluster.
+
+Consider the following basic requirements before continuing:
+
+- The Azure CLI version 2.0.61 or later is installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
+- If using Terraform, install [Terraform][terraform-on-azure] version 2.99.0 or later.
+
+To verify if Kubernetes RBAC is enabled, you can check from Azure portal or Azure CLI.
+
+#### [Azure portal](#tab/portal)
+
+From your browser, sign in to the [Azure portal](https://portal.azure.com).
+
+Navigate to Kubernetes services, and from the left-hand pane select **Cluster configuration**. On the page, under the section **Authentication and Authorization**, verify the option **Local accounts with Kubernetes RBAC** is shown.
+
+:::image type="content" source="./media/azure-ad-rbac/rbac-portal.png" alt-text="Example of Authentication and Authorization page in Azure portal." lightbox="./media/azure-ad-rbac/rbac-portal.png":::
+
+#### [Azure CLI](#tab/azure-cli)
+
+To verify RBAC is enabled, you can use the `az aks show` command.
+
+```azuecli
+az aks show --resource-group myResourceGroup --name myAKSCluster` 
+```
+
+The output will show that the value for `enableRbac` is `true`.
+
+---
 
 ## Create demo groups in Azure AD
 
@@ -280,7 +307,7 @@ kubectl apply -f rolebinding-sre-namespace.yaml
 
 Now, let's test the expected permissions work when you create and manage resources in an AKS cluster. In these examples, you schedule and view pods in the user's assigned namespace. Then, you try to schedule and view pods outside of the assigned namespace.
 
-First, reset the *kubeconfig* context using the [az aks get-credentials][az-aks-get-credentials] command. In a previous section, you set the context using the cluster admin credentials. The admin user bypasses Azure AD sign in prompts. Without the `--admin` parameter, the user context is applied that requires all requests to be authenticated using Azure AD.
+First, reset the *kubeconfig* context using the [az aks get-credentials][az-aks-get-credentials] command. In a previous section, you set the context using the cluster admin credentials. The admin user bypasses Azure AD sign-in prompts. Without the `--admin` parameter, the user context is applied that requires all requests to be authenticated using Azure AD.
 
 ```azurecli-interactive
 az aks get-credentials --resource-group myResourceGroup --name myAKSCluster --overwrite-existing
@@ -292,7 +319,7 @@ Schedule a basic NGINX pod using the [kubectl run][kubectl-run] command in the *
 kubectl run nginx-dev --image=mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine --namespace dev
 ```
 
-As the sign in prompt, enter the credentials for your own `[email protected]` account created at the start of the article. Once you are successfully signed in, the account token is cached for future `kubectl` commands. The NGINX is successfully schedule, as shown in the following example output:
+As the sign-in prompt, enter the credentials for your own `[email protected]` account created at the start of the article. Once you are successfully signed in, the account token is cached for future `kubectl` commands. The NGINX is successfully schedule, as shown in the following example output:
 
 ```console
 $ kubectl run nginx-dev --image=mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine --namespace dev
@@ -435,3 +462,4 @@ For best practices on identity and resource control, see [Best practices for aut
 [az-ad-group-show]: /cli/azure/ad/group#az_ad_group_show
 [rbac-authorization]: concepts-identity.md#kubernetes-rbac
 [operator-best-practices-identity]: operator-best-practices-identity.md
+[terraform-on-azure]: /azure/developer/terraform/overview