Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into afdhttpssupport

Author: duongau

.openpublishing.publish.config.json

@@ -908,6 +908,7 @@
     ".openpublishing.redirection.azure-percept.json",
     ".openpublishing.redirection.azure-productivity.json",
     ".openpublishing.redirection.azure-australia.json",
+    ".openpublishing.redirection.iot-hub-device-update.json",
     "articles/azure-fluid-relay/.openpublishing.redirection.fluid-relay.json",
     "articles/azure-netapp-files/.openpublishing.redirection.azure-netapp-files.json",
     "articles/azure-relay/.openpublishing.redirection.relay.json",

.openpublishing.redirection.iot-hub-device-update.json

@@ -0,0 +1,9 @@
+{
+    "redirections": [
+        {
+            "source_path_from_root": "/articles/iot-hub-device-update/migration-pp-to-ppr.md",
+            "redirect_url": "/azure/iot-hub-device-update/migration-public-preview-refresh-to-ga",
+            "redirect_document_id": true
+        }
+      ]
+}

articles/active-directory-b2c/TOC.yml

@@ -249,9 +249,8 @@
             - name: Authentication options
               href: enable-authentication-in-node-web-app-with-api-options.md
           - name: Secure access to Web API (ASP.NET Core and Node.js)
-            displayName: REST API
-          - name: Enable authentication in your web API
             href: enable-authentication-web-api.md
+            displayName: REST API
           - name: Secure API Management API
             href: secure-api-management.md
             displayName: api, api management, migrate, b2clogin.com 

articles/active-directory-b2c/index.yml

@@ -87,7 +87,7 @@ productDirectory:
 
 ## BAND 3 - CONCEPTUAL CONTENT #############################################################################################################################
 conceptualContent:
-  title: Quickly access to Azure AD B2C documentation 
+  title: Quick access to Azure AD B2C documentation 
   summary: Get quick access to our guides and tutorials for your most common scenarios. 
   items:
     ## CARD 1 ######################

articles/active-directory/authentication/howto-mfa-app-passwords.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: how-to
-ms.date: 06/20/2022
+ms.date: 11/01/2022
 
 ms.author: justinha
 author: justinha
@@ -24,7 +24,7 @@ Modern authentication is supported for the Microsoft Office 2013 clients and lat
 This article shows you how to use app passwords for legacy applications that don't support multi-factor authentication prompts.
 
 >[!NOTE]
-> App passwords don't work with Conditional Access based multi-factor authentication policies and modern authentication.
+> App passwords don't work with Conditional Access based multi-factor authentication policies and modern authentication. App passwords only work with legacy authentication protocols such as IMAP and SMTP.
 
 ## Overview and considerations
 

articles/active-directory/develop/whats-new-docs.md

@@ -5,7 +5,7 @@ services: active-directory
 author: henrymbuguakiarie
 manager: CelesteDG
 
-ms.date: 09/03/2022
+ms.date: 11/01/2022
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: reference
@@ -18,6 +18,25 @@ ms.custom: has-adal-ref
 
 Welcome to what's new in the Microsoft identity platform documentation. This article lists new docs that have been added and those that have had significant updates in the last three months.
 
+## October 2022
+
+### Updated articles
+
+- [Access Azure AD protected resources from an app in Google Cloud](workload-identity-federation-create-trust-gcp.md)
+- [Configure an app to trust an external identity provider](workload-identity-federation-create-trust.md)
+- [Configure a user-assigned managed identity to trust an external identity provider (preview)](workload-identity-federation-create-trust-user-assigned-managed-identity.md)
+- [Configuration requirements and troubleshooting tips for Xamarin Android with MSAL.NET](msal-net-xamarin-android-considerations.md)
+- [Customize claims emitted in tokens for a specific app in a tenant](active-directory-claims-mapping.md)
+- [Desktop app that calls web APIs: Acquire a token using Device Code flow](scenario-desktop-acquire-token-device-code-flow.md)
+- [Desktop app that calls web APIs: Acquire a token using integrated Windows authentication](scenario-desktop-acquire-token-integrated-windows-authentication.md)
+- [Desktop app that calls web APIs: Acquire a token using Username and Password](scenario-desktop-acquire-token-username-password.md)
+- [Making your application multi-tenant](howto-convert-app-to-be-multi-tenant.md)
+- [Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow](v2-oauth2-on-behalf-of-flow.md)
+- [Prompt behavior with MSAL.js](msal-js-prompt-behavior.md)
+- [Quickstart: Register an application with the Microsoft identity platform](quickstart-register-app.md)
+- [Tutorial: Sign in users and call the Microsoft Graph API from a JavaScript single-page application](tutorial-v2-javascript-spa.md)
+- [Tutorial: Sign in users and call the Microsoft Graph API from a React single-page app (SPA) using auth code flow](tutorial-v2-react.md)
+
 ## September 2022
 
 ### New articles
@@ -47,20 +66,3 @@ Welcome to what's new in the Microsoft identity platform documentation. This art
 - [Protected web API: Code configuration](scenario-protected-web-api-app-configuration.md)
 - [Provide optional claims to your app](active-directory-optional-claims.md)
 - [Using directory extension attributes in claims](active-directory-schema-extensions.md)
-
-## July 2022
-
-### New articles
-
-- [Configure SAML app multi-instancing for an application in Azure Active Directory](reference-app-multi-instancing.md)
-
-### Updated articles
-
-- [Application and service principal objects in Azure Active Directory](app-objects-and-service-principals.md)
-- [Application configuration options](msal-client-application-configuration.md)
-- [A web API that calls web APIs: Code configuration](scenario-web-api-call-api-app-configuration.md)
-- [Claims mapping policy type](reference-claims-mapping-policy-type.md)
-- [Customize claims issued in the SAML token for enterprise applications](active-directory-saml-claims-customization.md)
-- [Microsoft identity platform access tokens](access-tokens.md)
-- [Single-page application: Sign-in and Sign-out](scenario-spa-sign-in.md)
-- [Tutorial: Add sign-in to Microsoft to an ASP.NET web app](tutorial-v2-asp-webapp.md)

articles/active-directory/external-identities/whats-new-docs.md

@@ -15,6 +15,25 @@ manager: CelesteDG
 
 Welcome to what's new in Azure Active Directory External Identities documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the External Identities service, see [What's new in Azure Active Directory](../fundamentals/whats-new.md).
 
+## October 2022
+
+### Updated articles
+
+- [Tutorial: Bulk invite Azure AD B2B collaboration users](tutorial-bulk-invite.md)
+- [Quickstart: Add a guest user and send an invitation](b2b-quickstart-add-guest-users-portal.md)
+- [Define custom attributes for user flows](user-flow-add-custom-attributes.md)
+- [Create dynamic groups in Azure Active Directory B2B collaboration](use-dynamic-groups.md)
+- [Properties of an Azure Active Directory B2B collaboration user](user-properties.md)
+- [Authentication and Conditional Access for External Identities](authentication-conditional-access.md)
+- [Leave an organization as an external user](leave-the-organization.md)
+- [Azure Active Directory External Identities: What's new](whats-new-docs.md)
+- [Federation with SAML/WS-Fed identity providers for guest users](direct-federation.md)
+- [Example: Configure SAML/WS-Fed based identity provider federation with AD FS](direct-federation-adfs.md)
+- [The elements of the B2B collaboration invitation email - Azure Active Directory](invitation-email-elements.md)
+- [Configure Microsoft cloud settings for B2B collaboration (Preview)](cross-cloud-settings.md)
+- [Add Microsoft account (MSA) as an identity provider for External Identities](microsoft-account.md)
+- [How users in your organization can invite guest users to an app](add-users-information-worker.md)
+
 ## September 2022
 
 ### Updated articles
@@ -51,15 +70,3 @@ Welcome to what's new in Azure Active Directory External Identities documentatio
 - [Overview: Cross-tenant access with Azure AD External Identities](cross-tenant-access-overview.md)
 - [Configure cross-tenant access settings for B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md)
 - [Azure Active Directory External Identities: What's new](whats-new-docs.md)
-
-## July 2022
-
-### Updated articles
-
-- [Configure cross-tenant access settings for B2B collaboration](cross-tenant-access-settings-b2b-collaboration.md)
-- [Configure cross-tenant access settings for B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md)
-- [Add Google as an identity provider for B2B guest users](google-federation.md)
-- [Azure Active Directory External Identities: What's new](whats-new-docs.md)
-- [Overview: Cross-tenant access with Azure AD External Identities](cross-tenant-access-overview.md)
-- [B2B direct connect overview](b2b-direct-connect-overview.md)
-- [Azure Active Directory B2B collaboration invitation redemption](redemption-experience.md)

articles/app-service/configure-vnet-integration-routing.md

@@ -1,6 +1,6 @@
 ---
-title: Configure virtual network integration with application routing.
-description: This how-to article walks you through configuring app routing on a regional virtual network integration.
+title: Configure virtual network integration with application and configuration routing.
+description: This how-to article walks you through configuring routing on a regional virtual network integration.
 author: madsd
 ms.author: madsd
 ms.topic: how-to
@@ -9,13 +9,17 @@ ms.date: 10/20/2021
 
 # Manage Azure App Service virtual network integration routing
 
-When you configure application routing, you can either route all traffic or only private traffic (also known as [RFC1918](https://datatracker.ietf.org/doc/html/rfc1918#section-3) traffic) into your Azure virtual network (VNet). This article describes how to configure application routing.
+Through application routing or configuration routing options, you can configure what traffic will be sent through the virtual network integration. See the [overview section](./overview-vnet-integration.md#routes) for more details.
 
 ## Prerequisites
 
-Your app is already integrated using the regional VNet integration feature.
+Your app is already integrated using the regional virtual network integration feature.
 
-## Configure in the Azure portal
+## Configure application routing
+
+Application routing defines what traffic is routed from your app and into the virtual network. We recommend that you use the **Route All** site setting to enable routing of all traffic. Using the configuration setting allows you to audit the behavior with [a built-in policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F33228571-70a4-4fa1-8ca1-26d0aba8d6ef). The existing `WEBSITE_VNET_ROUTE_ALL` app setting can still be used, and you can enable all traffic routing with either setting.
+
+### Configure in the Azure portal
 
 Follow these steps to disable **Route All** in your app through the portal.
 
@@ -28,26 +32,38 @@ Follow these steps to disable **Route All** in your app through the portal.
 
 1. Select **Yes** to confirm.
 
-## Configure with the Azure CLI
+### Configure with the Azure CLI
+
+You can also configure **Route All** by using the Azure CLI.
+
+```azurecli-interactive
+az resource update --resource-group <group-name> --name <app-name> --resource-type "Microsoft.Web/sites" --properties.vnetRouteAllEnabled [true|false]
+```
+
+## Configure configuration routing
+
+When you're using virtual network integration, you can configure how parts of the configuration traffic are managed. By default, configuration traffic will go directly over the public route, but for the mentioned individual components, you can actively configure it to be routed through the virtual network integration.
+
+### Container image pull
 
-You can also configure **Route All** by using the Azure CLI. The minimum az version required is 2.27.0.
+Routing container image pull over virtual network integration can be configured using the Azure CLI.
 
 ```azurecli-interactive
-az webapp config set --resource-group <group-name> --name <app-name> --vnet-route-all-enabled [true|false]
+az resource update --resource-group <group-name> --name <app-name> --resource-type "Microsoft.Web/sites" --properties.vnetImagePullEnabled [true|false]
 ```
 
-## Configure with Azure PowerShell
+We recommend that you use the site property to enable routing image pull traffic through the virtual network integration. Using the configuration setting allows you to audit the behavior with Azure Policy. The existing `WEBSITE_PULL_IMAGE_OVER_VNET` app setting with the value `true` can still be used, and you can enable routing through the virtual network with either setting.
 
-```azurepowershell
-# Parameters
-$siteName = '<app-name>'
-$resourceGroupName = '<group-name>'
+### Content storage
 
-# Configure VNet Integration
-$webApp = Get-AzResource -ResourceType Microsoft.Web/sites -ResourceGroupName $resourceGroupName -ResourceName $siteName
-Set-AzResource -ResourceId ($webApp.Id + "/config/web") -Properties @{ vnetRouteAllEnabled = $true } -Force
+Routing content storage over virtual network integration can be configured using the Azure CLI. In addition to enabling the feature, you must also ensure that any firewall or Network Security Group configured on traffic from the subnet allow traffic to port 443 and 445.
+
+```azurecli-interactive
+az resource update --resource-group <group-name> --name <app-name> --resource-type "Microsoft.Web/sites" --properties.vnetContentStorageEnabled [true|false]
 ```
 
+We recommend that you use the site property to enable content storage traffic through the virtual network integration. Using the configuration setting allows you to audit the behavior with Azure Policy. The existing `WEBSITE_CONTENTOVERVNET` app setting with the value `1` can still be used, and you can enable routing through the virtual network with either setting.
+
 ## Next steps
 
 - [Enable virtual network integration](./configure-vnet-integration-enable.md)

articles/app-service/environment/how-to-custom-domain-suffix.md

@@ -20,10 +20,10 @@ If you don't have an App Service Environment, see [How to Create an App Service
 
 The custom domain suffix defines a root domain that can be used by the App Service Environment. In the public variation of Azure App Service, the default root domain for all web apps is *azurewebsites.net*. For ILB App Service Environments, the default root domain is *appserviceenvironment.net*. However, since an ILB App Service Environment is internal to a customer's virtual network, customers can use a root domain in addition to the default one that makes sense for use within a company's internal virtual network. For example, a hypothetical Contoso Corporation might use a default root domain of *internal-contoso.com* for apps that are intended to only be resolvable and accessible within Contoso's virtual network. An app in this virtual network could be reached by accessing *APP-NAME.internal-contoso.com*.
 
-The custom domain name works for app requests but doesn't for the scm site. The scm site is only available at *APP-NAME.scm.ASE-NAME.appserviceenvironment.net*.
-
 The custom domain suffix is for the App Service Environment. This feature is different from a custom domain binding on an App Service. For more information on custom domain bindings, see [Map an existing custom DNS name to Azure App Service](../app-service-web-tutorial-custom-domain.md).
 
+If the certificate used for the custom domain suffix contains a Subject Alternate Name (SAN) entry for **.scm.CUSTOM-DOMAIN*, the scm site will then also be reachable from *APP-NAME.scm.CUSTOM-DOMAIN*. You can only access scm over custom domain using basic authentication. Single sign-on is only possible with the default root domain.
+
 ## Prerequisites
 
 - ILB variation of App Service Environment v3.
@@ -59,7 +59,7 @@ The certificate for custom domain suffix must be stored in an Azure Key Vault. A
 
 :::image type="content" source="./media/custom-domain-suffix/key-vault-networking.png" alt-text="Screenshot of a sample networking page for key vault to allow custom domain suffix feature.":::
 
-Your certificate must be a wildcard certificate for the selected custom domain name. For example, *contoso.com* would need a certificate covering **.contoso.com*.
+Your certificate must be a wildcard certificate for the selected custom domain name. For example, *internal-contoso.com* would need a certificate covering **.internal-contoso.com*. If the certificate used custom domain suffix contains a Subject Alternate Name (SAN) entry for scm, for example **.scm.internal-contoso.com*, the scm site will also available using the custom domain suffix.
 
 ::: zone pivot="experience-azp"
 
@@ -160,6 +160,7 @@ If you want to use your own DNS server, add the following records:
 1. Create a zone for your custom domain.
 1. Create an A record in that zone that points * to the inbound IP address used by your App Service Environment.
 1. Create an A record in that zone that points @ to the inbound IP address used by your App Service Environment.
+1. Optionally create a zone for scm sub-domain with a * A record that points to the inbound IP address used by your App Service Environment
 
 To configure DNS in Azure DNS private zones:
 
@@ -169,6 +170,7 @@ To configure DNS in Azure DNS private zones:
 :::image type="content" source="./media/custom-domain-suffix/custom-domain-suffix-dns-configuration.png" alt-text="Screenshot of a sample DNS configuration for your custom domain suffix.":::
 1. Link your Azure DNS private zone to your App Service Environment's virtual network.
 :::image type="content" source="./media/custom-domain-suffix/private-dns-zone-vnet-link.png" alt-text="Screenshot of a sample virtual network link for private DNS zone.":::
+1. Optionally create an A record in that zone that points *.scm to the inbound IP address used by your App Service Environment.
 
 For more information on configuring DNS for your domain, see [Use an App Service Environment](./using.md#dns-configuration).