Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

.openpublishing.redirection.json

@@ -25215,7 +25215,7 @@
     },
     {
       "source_path_from_root": "/articles/azure-sql/managed-instance/azure-app-sync-network-configuration.md",
-      "redirect_url": "/azure/azure-sql/managed-instance/index.yml",
+      "redirect_url": "/azure/azure-sql/managed-instance/",
       "redirect_document_id": false
     },    
     {

articles/active-directory-b2c/partner-bindid.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 07/26/2021
+ms.date: 03/16/2022
 
 ms.author: justinha
 author: justinha
@@ -48,7 +48,7 @@ [email protected],1234567,2234567abcdef2234567abcdef,60,Contoso,HardwareKey
 ```  
 
 > [!NOTE]
-> Make sure you include the header row in your CSV file. If a UPN has a single quote, escape it with another single quote. For example, if the UPN is my’[email protected], change it to my’’[email protected] when uploading the file.
+> Make sure you include the header row in your CSV file. 
 
 Once properly formatted as a CSV file, a Global Administrator can then sign in to the Azure portal, navigate to **Azure Active Directory > Security > MFA > OATH tokens**, and upload the resulting CSV file.
 

articles/active-directory/authentication/concept-authentication-oath-tokens.md

@@ -104,28 +104,10 @@ Run the [IdFix tool](/office365/enterprise/prepare-directory-attributes-for-sync
 
 2. The PowerShell execution policy on the local server must be set to Undefined or RemoteSigned.
 
-3. If there's a firewall between your servers and Azure AD, configure the following items:
-    - Ensure that agents can make *outbound* requests to Azure AD over the following ports:
-
-      | Port number | How it's used |
-      | --- | --- |
-      | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate.  |
-      | **443** | Handles all outbound communication with the service. |
-      | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure AD portal. |
-
-    - If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
-    - If your firewall or proxy allows you to specify safe suffixes, add connections to \*.msappproxy.net and \*.servicebus.windows.net. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
-   - If you are installing against the **US government** cloud, and your firewall or proxy allows you to specify safe suffixes, add connections to:
-       - *.microsoftonline.us
-       - *.microsoft.us
-       - *.msappproxy.us 
-       - *.windowsazure.us
-    
-    - Your agents need access to login.windows.net and login.microsoftonline.com for initial registration. Open your firewall for those URLs as well.
-    - For certificate validation, unblock the following URLs: mscrl.microsoft.com:80, crl.microsoft.com:80, ocsp.msocsp.com:80, and www\.microsoft.com:80. These URLs are used for certificate validation with other Microsoft products, so you might already have these URLs unblocked.
-
-    >[!NOTE]
-    > Installing the cloud provisioning agent on Windows Server Core is not supported.
+3. If there's a firewall between your servers and Azure AD, configure see [Firewall and proxy requirements](#firewall-and-proxy-requirements) below.  
+
+>[!NOTE]
+> Installing the cloud provisioning agent on Windows Server Core is not supported.
 
 ### Additional requirements
 
@@ -150,6 +132,47 @@ To enable TLS 1.2, follow these steps.
     ```
 
 1. Restart the server.
+
+## Firewall and Proxy requirements
+If there's a firewall between your servers and Azure AD, configure the following items:
+
+- Ensure that agents can make *outbound* requests to Azure AD over the following ports:
+
+   | Port number | How it's used |
+   | --- | --- |
+   | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate.  |
+   | **443** | Handles all outbound communication with the service. |
+   | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure AD portal. |
+ 
+- If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
+- If your firewall or proxy allows you to specify safe suffixes, add connections: 
+
+#### [Public Cloud](#tab/public-cloud)
+
+
+  |URL |How it's used|
+  |-----|-----|
+  |&#42;.msappproxy.net</br>&#42;.servicebus.windows.net|The agent uses these URLs to communicate with the Azure AD cloud service. |
+  |&#42;.microsoftonline.com</br>&#42;.microsoft.com</br>&#42;.msappproxy.com</br>&#42;.windowsazure.com|The agent uses these URLs to communicate with the Azure AD cloud service. |
+   |`mscrl.microsoft.com:80` </br>`crl.microsoft.com:80` </br>`ocsp.msocsp.com:80` </br>`www.microsoft.com:80`| The agent uses these URLs to verify certificates.|
+   |login.windows.net</br>|The agent uses these URLs during the registration process.
+
+
+
+#### [U.S. Government Cloud](#tab/us-government-cloud)
+
+ |URL |How it's used|
+ |-----|-----|
+ |&#42;.msappproxy.us</br>&#42;.servicebus.usgovcloudapi.net|The agent uses these URLs to communicate with the Azure AD cloud service. |
+ |`mscrl.microsoft.us:80` </br>`crl.microsoft.us:80` </br>`ocsp.msocsp.us:80` </br>`www.microsoft.us:80`| The agent uses these URLs to verify certificates.|
+ |login.windows.us </br>secure.aadcdn.microsoftonline-p.com </br>&#42;.microsoftonline.us </br>&#42;.microsoftonline-p.us </br>&#42;.msauth.net </br>&#42;.msauthimages.net </br>&#42;.msecnd.net</br>&#42;.msftauth.net </br>&#42;.msftauthimages.net</br>&#42;.phonefactor.net </br>enterpriseregistration.windows.net</br>management.azure.com </br>policykeyservice.dc.ad.msft.net</br>ctldl.windowsupdate.us:80| The agent uses these URLs during the registration process.
+
+
+
+
+- If you are unable to add connections, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
+
+---
 ## NTLM requirement
 
 You should not enable NTLM on the Windows Server that is running the Azure AD Connect Provisioning Agent and if it is enabled you should make sure you disable it. 

articles/active-directory/cloud-sync/how-to-prerequisites.md

@@ -24,10 +24,16 @@ The OBO flow only works for user principals at this time. A service principal ca
 
 This article describes how to program directly against the protocol in your application. When possible, we recommend you use the supported Microsoft Authentication Libraries (MSAL) instead to [acquire tokens and call secured web APIs](authentication-flows-app-scenarios.md#scenarios-and-supported-authentication-flows).  Also take a look at the [sample apps that use MSAL](sample-v2-code.md).
 
-As of May 2018, some implicit-flow derived `id_token` can't be used for OBO flow. Single-page apps (SPAs) should pass an **access** token to a middle-tier confidential client to perform OBO flows instead. For more info about which clients can perform OBO calls, see [limitations](#client-limitations).
-
 [!INCLUDE [try-in-postman-link](includes/try-in-postman-link.md)]
 
+## Client limitations
+
+As of May 2018, some implicit-flow derived `id_token` can't be used for OBO flow. Single-page apps (SPAs) should pass an **access** token to a middle-tier confidential client to perform OBO flows instead.
+
+If a client uses the implicit flow to get an id_token, and that client also has wildcards in a reply URL, the id_token can't be used for an OBO flow.  However, access tokens acquired through the implicit grant flow can still be redeemed by a confidential client even if the initiating client has a wildcard reply URL registered.
+
+Additionally, applications with custom signing keys cannot be used as middle-tier API's in the OBO flow (this includes enterprise applications configured for single sign-on). This will result in an error because tokens signed with a key controlled by the client cannot be safely accepted.
+
 ## Protocol diagram
 
 Assume that the user has been authenticated on an application using the [OAuth 2.0 authorization code grant flow](v2-oauth2-auth-code-flow.md) or another login flow. At this point, the application has an access token *for API A* (token A) with the user's claims and consent to access the middle-tier web API (API A). Now, API A needs to make an authenticated request to the downstream web API (API B).
@@ -262,10 +268,6 @@ A tenant admin can guarantee that applications have permission to call their req
 
 In some scenarios, you may only have a single pairing of middle-tier and front-end client. In this scenario, you may find it easier to make this a single application, negating the need for a middle-tier application altogether. To authenticate between the front-end and the web API, you can use cookies, an id_token, or an access token requested for the application itself. Then, request consent from this single application to the back-end resource.
 
-## Client limitations
-
-If a client uses the implicit flow to get an id_token, and that client also has wildcards in a reply URL, the id_token can't be used for an OBO flow.  However, access tokens acquired through the implicit grant flow can still be redeemed by a confidential client even if the initiating client has a wildcard reply URL registered.
-
 ## Next steps
 
 Learn more about the OAuth 2.0 protocol and another way to perform service to service auth using client credentials.

articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md

@@ -30,8 +30,13 @@ The following information describes implementation of Pass-through Authenticatio
 
 Before you deploy the Pass-through Authentication agent, verify whether a firewall exists between your servers and Azure AD. If your firewall or proxy allows Domain Name System (DNS) blocked or safe programs, add the following connections.
 
-> [!NOTE]
-> The following guidance also applies to installing the [Azure AD Application Proxy connector](../app-proxy/what-is-application-proxy.md) for Azure Government environments.
+> [!IMPORTANT]
+> The following guidance applies only to the following:
+> - the pass-through authentication agent
+> - [Azure AD Application Proxy connector](../app-proxy/what-is-application-proxy.md) 
+>
+> For information on URLS for the Azure Active Directory Connect Provisioning Agent see the [installation pre-requisites](../cloud-sync/how-to-prerequisites.md)  for cloud sync.
+
 
 |URL |How it's used|
 |-----|-----|

articles/active-directory/hybrid/reference-connect-government-cloud.md

@@ -130,6 +130,8 @@
       href: workbook-conditional-access-gap-analyzer.md
     - name: Cross-tenant access activity 
       href: workbook-cross-tenant-access-activity.md
+    - name: Sign-ins using legacy authentication  
+      href: workbook-legacy authentication.md
     - name: Risk analysis
       href: workbook-risk-analysis.md
     - name: Sensitive Operations Report 

articles/active-directory/reports-monitoring/media/workbook-legacy-authentication/filter-options.png

@@ -0,0 +1,109 @@
+---
+
+title: Sign-ins using legacy authentication workbook in Azure AD | Microsoft Docs
+description: Learn how to use the sign-ins using legacy authentication workbook.
+services: active-directory
+documentationcenter: ''
+author: MarkusVi
+manager: karenho
+editor: ''
+
+ms.service: active-directory
+ms.topic: reference
+ms.workload: identity
+ms.subservice: report-monitor
+ms.date: 03/16/2022
+ms.author: markvi
+ms.reviewer: besiler 
+
+ms.collection: M365-identity-device-management
+---
+
+# Sign-ins using legacy authentication workbook
+
+Have you ever wondered how you can determine whether it is safe to turn off legacy authentication in your tenant? The sign-ins using legacy authentication workbook helps you to answer this question.
+
+This article gives you an overview of this workbook.
+
+
+## Description
+
+![Workbook category](./media/workbook-risk-analysis/workbook-category.png)
+
+Azure AD supports several of the most widely used authentication and authorization protocols including legacy authentication. Legacy authentication refers to basic authentication, which was once a widely used industry-standard method for passing user name and password information through a client to an identity provider.
+
+Examples of applications that commonly or only use legacy authentication are:
+
+- Microsoft Office 2013 or older.
+
+- Apps using legacy auth with mail protocols like POP, IMAP, and SMTP AUTH.
+
+
+Single-factor authentication (for example, username and password) doesn’t provide the required level of protection for today’s computing environments. Passwords are bad as they are easy to guess and humans are bad at choosing good passwords. 
+
+
+Unfortunately, legacy authentication:
+
+- Does not support multi-factor authentication (MFA) or other strong authentication methods.
+
+- Makes it impossible for your organization to move to passwordless authentication. 
+
+To improve the security of your Azure AD tenant and experience of your users, you should disable legacy authentication. However, important user experiences in your tenant might depend on legacy authentication. Before shutting off legacy authentication, you may want to find those cases so you can migrate them to more secure authentication. 
+
+The sign-ins using legacy authentication workbook lets you see all legacy authentication sign-ins in your environment so you can find and migrate critical workflows to more secure authentication methods before you shut off legacy authentication.
+
+ 
+ 
+
+## Sections
+
+With this workbook, you can distinguish between interactive and non-interactive sign-ins. This workbook highlights which legacy authentication protocols are used throughout your tenant. 
+
+The data collection consists of three steps:
+
+1. Select a legacy authentication protocol, and then select an application to filter by users accessing that application.
+
+2. Select a user to see all their legacy authentication sign-ins to the selected app.
+
+3. View all legacy authentication sign-ins for the user to understand how legacy authentication is being used.
+
+
+
+ 
+
+
+## Filters
+
+
+This workbook supports multiple filters:
+
+
+- Time range (up to 90 days)
+
+- User principal name
+
+- Application
+
+- Status of the sign-in (success or failure)
+
+
+![Filter options](./media/workbook-legacy-authentication/filter-options.png)
+
+
+## Best practices
+
+
+- **[Enable risky sign-in policies](../identity-protection/concept-identity-protection-policies.md)** - To prompt for multi-factor authentication (MFA) on medium risk or above. Enabling the policy reduces the proportion of active real-time risk detections by allowing legitimate users to self-remediate the risk detections with MFA.
+
+- **[Enable a risky user policy](../identity-protection/howto-identity-protection-configure-risk-policies.md#user-risk-with-conditional-access)** - To enable users to securely remediate their accounts when they are high risk. Enabling the policy reduces the number of active at-risk users in your organization by returning the user’s credentials to a safe state.
+
+
+
+
+
+## Next steps
+
+- To learn more about identity protection, see [What is identity protection](../identity-protection/overview-identity-protection.md). 
+
+- For more information about Azure AD workbooks, see [How to use Azure AD workbooks](howto-use-azure-monitor-workbooks.md).
+

articles/active-directory/reports-monitoring/toc.yml

@@ -30,7 +30,7 @@ You can build and run modern, portable, microservices-based applications, using
 
 As an open platform, Kubernetes allows you to build your applications with your preferred programming language, OS, libraries, or messaging bus. Existing continuous integration and continuous delivery (CI/CD) tools can integrate with Kubernetes to schedule and deploy releases.
 
-AKS provides a managed Kubernetes service that reduces the complexity of deployment and core management tasks, like upgrade coordination. The Azure platform manages the AKS control plane, and you only pay for the AKS nodes that run your applications. AKS is built on top of the open-source Azure Kubernetes Service Engine: [aks-engine][aks-engine].
+AKS provides a managed Kubernetes service that reduces the complexity of deployment and core management tasks, like upgrade coordination. The Azure platform manages the AKS control plane, and you only pay for the AKS nodes that run your applications.
 
 ## Kubernetes cluster architecture
 
@@ -296,7 +296,6 @@ This article covers some of the core Kubernetes components and how they apply to
 - [Kubernetes / AKS scale][aks-concepts-scale]
 
 <!-- EXTERNAL LINKS -->
-[aks-engine]: https://github.com/Azure/aks-engine
 [cluster-api-provider-azure]: https://github.com/kubernetes-sigs/cluster-api-provider-azure
 [kubernetes-pods]: https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/
 [kubernetes-pod-lifecycle]: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/