Merge pull request #193310 from MicrosoftDocs/main

3/29 PM Publish

Author: huypub

.openpublishing.redirection.media-services.json

@@ -628,12 +628,12 @@
           {
             "source_path_from_root": "/articles/media-services/latest/asset-create-asset-upload-portal-quickstart.md",
             "redirect_url": "/azure/media-services/latest/video-on-demand-simple-portal-quickstart",
-            "redirect_document_id": true
+            "redirect_document_id": false
           },
           {
             "source_path_from_root": "/articles/media-services/latest/architecture-design-multi-drm-system.md",
             "redirect_url": "/azure/media-services/latest/drm-content-protection-concept",
-            "redirect_document_id": true
+            "redirect_document_id": false
           },
           {
             "source_path_from_root": "/articles/media-services/latest/job-create-cli-how-to.md",
@@ -644,7 +644,7 @@
             "source_path_from_root": "/articles/media-services/latest/transform-subclip-video-dotnet-how-to.md",
             "redirect_url": "/azure/media-services/latest/transform-subclip-video-how-to",
             "redirect_document_id": false
-          }, 
+          },
           {
             "source_path_from_root": "/articles/media-services/latest/transform-subclip-video-rest-how-to.md",
             "redirect_url": "/azure/media-services/latest/transform-subclip-video-how-to",
@@ -659,12 +659,12 @@
             "source_path_from_root": "/articles/media-services/latest/transform-generate-thumbnails-dotnet-how-to.md",
             "redirect_url": "/azure/media-services/latest/transform-generate-thumbnails-how-to",
             "redirect_document_id": false
-          },   
+          },
           {
             "source_path_from_root": "/articles/media-services/latest/crop-howto.md",
             "redirect_url": "/azure/media-services/latest/transform-crop-how-to",
             "redirect_document_id": false
-          },  
+          },
           {
             "source_path_from_root": "/articles/media-services/latest/transform-custom-preset-cli-how-to.md",
             "redirect_url": "/azure/media-services/latest/transform-custom-transform-how-to",
@@ -694,6 +694,6 @@
           "source_path_from_root": "/articles/media-services/video-indexer/upload-index-video.md",
           "redirect_url": "/azure/azure-video-analyzer/video-analyzer-for-media-docs/upload-index-video",
           "redirect_document_id": false
-        }        
+        }
     ]
 }

CODEOWNERS

@@ -5,9 +5,9 @@
 # NOTE: The people you choose as code owners must have _write_ permissions for the repository. When the code owner is a team, that team must be _visible_ and it must have _write_ permissions, even if all the individual members of the team already have write permissions directly, through organization membership, or through another team membership.
 
 # Azure Policy: Samples and Compliance Controls
-/articles/**/policy-reference.md @DCtheGeek
-/articles/**/security-controls-policy.md @DCtheGeek
-/includes/policy/ @DCtheGeek
+/articles/**/policy-reference.md @timwarner
+/articles/**/security-controls-policy.md @timwarner
+/includes/policy/ @timwarner
 
 # Azure Monitor
 articles/azure-monitor/* @bwren
@@ -57,7 +57,7 @@ articles/service-health @rboucher
 /articles/container-registry/ @dlepow @mimckitt
 
 # Governance
-/articles/governance/ @DCtheGeek
+/articles/governance/ @timwarner
 
 # Security
 /articles/security/fundamentals/feature-availability.md @msmbaldwin @terrylanfear

articles/active-directory/conditional-access/concept-continuous-access-evaluation.md

@@ -194,7 +194,7 @@ CAE only has insight into [IP-based named locations](../conditional-access/locat
 
 ### Named location limitations
 
-When the sum of all IP ranges specified in location policies exceeds 5,000 for policies that will be enforced on the Resource provider, user change location flow isn't enforced. In this case, Azure AD will issue a one-hour CAE token and won't enforce client location change; security is improved compared to traditional one-hour tokens since we're still evaluating the [other events](#critical-event-evaluation) besides client location change events.
+When the sum of all IP ranges specified in location policies exceeds 5,000, user change location flow won't be enforced by CAE in real time. In this case, Azure AD will issue a one-hour CAE token. CAE will continue enforcing [all other events and policies](#critical-event-evaluation) besides client location change events. With this change, you still maintain stronger security posture compared to traditional one-hour tokens, since [other events](#critical-event-evaluation) will be evaluated in near real time.
 
 ### Office and Web Account Manager settings
 

articles/active-directory/conditional-access/howto-conditional-access-insights-reporting.md

@@ -117,7 +117,7 @@ To configure a Conditional Access policy in report-only mode:
 In order to access the workbook, you need the proper Azure AD permissions as well as Log Analytics workspace permissions. To test whether you have the proper workspace permissions by running a sample log analytics query:
 
 1. Sign in to the **Azure portal**.
-1. Browse to **Azure Active Directory** > **Logs**.
+1. Browse to **Azure Active Directory** > **Log Analytics**.
 1. Type `SigninLogs` into the query box and select **Run**.
 1. If the query does not return any results, your workspace may not have been configured correctly. 
 

articles/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: how-to
-ms.date: 11/05/2021
+ms.date: 03/28/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -29,13 +29,17 @@ Conditional Access policies are powerful tools, we recommend excluding the follo
 
 * **Emergency access** or **break-glass** accounts to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant take steps to recover access.
    * More information can be found in the article, [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md).
-* **Service accounts** and **service principals**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals are not blocked by Conditional Access.
+* **Service accounts** and **service principals**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals aren't blocked by Conditional Access.
    * If your organization has these accounts in use in scripts or code, consider replacing them with [managed identities](../managed-identities-azure-resources/overview.md). As a temporary workaround, you can exclude these specific accounts from the baseline policy.
 
 ## Application exclusions
 
 Organizations may have many cloud applications in use. Not all of those applications may require equal security. For example, the payroll and attendance applications may require MFA but the cafeteria probably doesn't. Administrators can choose to exclude specific applications from their policy.
 
+### Subscription activation
+
+Organizations that use the [Subscription Activation](/windows/deployment/windows-10-subscription-activation) feature to enable users to “step-up” from one version of Windows to another, may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their all users all cloud apps MFA policy.
+
 ## Template deployment
 
 Organizations can choose to deploy this policy using the steps outlined below or using the [Conditional Access templates (Preview)](concept-conditional-access-policy-common.md#conditional-access-templates-preview). 

articles/active-directory/conditional-access/howto-conditional-access-policy-compliant-device.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: how-to
-ms.date: 11/05/2021
+ms.date: 03/28/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -63,6 +63,10 @@ After confirming your settings using [report-only mode](howto-conditional-access
 
 On Windows 7, iOS, Android, macOS, and some third-party web browsers, Azure AD identifies the device using a client certificate that is provisioned when the device is registered with Azure AD. When a user first signs in through the browser the user is prompted to select the certificate. The end user must select this certificate before they can continue to use the browser.
 
+#### Subscription activation
+
+Organizations that use the [Subscription Activation](/windows/deployment/windows-10-subscription-activation) feature to enable users to “step-up” from one version of Windows to another, may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their device compliance policy.
+
 ## Next steps
 
 [Conditional Access common policies](concept-conditional-access-policy-common.md)

articles/active-directory/develop/howto-create-self-signed-certificate.md

@@ -51,16 +51,16 @@ Use the certificate you create using this method to authenticate from an applica
 In an elevated PowerShell prompt, run the following command and leave the PowerShell console session open. Replace `{certificateName}` with the name that you wish to give to your certificate.
 
 ```powershell
-
-$cert = New-SelfSignedCertificate -Subject "CN={certificateName}" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256    ## Replace {certificateName}
+$certname = "{certificateName}"    ## Replace {certificateName}
+$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
 
 ```
 
 The **$cert** variable in the previous command stores your certificate in the current session and allows you to export it. The command below exports the certificate in `.cer` format. You can also export it in other formats supported on the Azure portal including `.pem` and `.crt`.
 
 ```powershell
 
-Export-Certificate -Cert $cert -FilePath "C:\Users\admin\Desktop\{certificateName}.cer"   ## Specify your preferred location and replace {certificateName}
+Export-Certificate -Cert $cert -FilePath "C:\Users\admin\Desktop\$certname.cer"   ## Specify your preferred location
 
 ```
 
@@ -74,8 +74,8 @@ Use this option to create a certificate and its private key if your application
 In an elevated PowerShell prompt, run the following command and leave the PowerShell console session open. Replace `{certificateName}` with name that you wish to give your certificate.
 
 ```powershell
-
-$cert = New-SelfSignedCertificate -Subject "CN={certificateName}" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256    ## Replace {certificateName}
+$certname = "{certificateName}"    ## Replace {certificateName}
+$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
 
 ```
 
@@ -84,7 +84,7 @@ The **$cert** variable in the previous command stores your certificate in the cu
 
 ```powershell
 
-Export-Certificate -Cert $cert -FilePath "C:\Users\admin\Desktop\{certificateName}.cer"   ## Specify your preferred location and replace {certificateName}
+Export-Certificate -Cert $cert -FilePath "C:\Users\admin\Desktop\$certname.cer"   ## Specify your preferred location
 
 ```
 
@@ -100,7 +100,7 @@ Now, using the password you stored in the `$mypwd` variable, secure, and export
 
 ```powershell
 
-Export-PfxCertificate -Cert $cert -FilePath "C:\Users\admin\Desktop\{privateKeyName}.pfx" -Password $mypwd   ## Specify your preferred location and replace {privateKeyName}
+Export-PfxCertificate -Cert $cert -FilePath "C:\Users\admin\Desktop\$certname.pfx" -Password $mypwd   ## Specify your preferred location
 
 ```
 
@@ -113,7 +113,7 @@ If you created the certificate using Option 2, you can delete the key pair from
 
 ```powershell
 
-Get-ChildItem -Path "Cert:\CurrentUser\My" | Where-Object {$_.Subject -Match "{certificateName}"} | Select-Object Thumbprint, FriendlyName    ## Replace {privateKeyName} with the name you gave your certificate
+Get-ChildItem -Path "Cert:\CurrentUser\My" | Where-Object {$_.Subject -Match "$certname"} | Select-Object Thumbprint, FriendlyName
 
 ```
 

articles/active-directory/develop/tutorial-v2-windows-desktop.md

@@ -15,7 +15,7 @@ ms.author: jmprieur
 ms.custom: aaddev, identityplatformtop40
 ---
 
-# Tutorial: Call the Microsoft Graph API from a Windows Desktop app
+# Tutorial: Sign in users and call Microsoft Graph in Windows Presentation Foundation (WPF) desktop app
 
 In this tutorial, you build a native Windows Desktop .NET (XAML) app that signs in users and gets an access token to call the Microsoft Graph API. 
 

articles/active-directory/hybrid/how-to-connect-fed-saml-idp.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.topic: how-to
-ms.date: 01/21/2022
+ms.date: 03/29/2022
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
@@ -262,7 +262,6 @@ This procedure shows how to add a single user to Azure AD.
       -FirstName Elwood `
       -LastName Folk `
       -AlternateEmailAddresses "[email protected]" `
-      -LicenseAssignment "samlp2test:ENTERPRISEPACK" `
       -UsageLocation "US" 
     ```
 

articles/active-directory/manage-apps/f5-aad-integration.md

@@ -168,6 +168,8 @@ Refer to the following guided configuration tutorials using Easy Button template
 
 - [BIG-IP Easy Button for SSO to Oracle JD Edwards](f5-big-ip-oracle-jde-easy-button.md)
 
+- [BIG-IP Easy Button for SSO to SAP ERP](f5-big-ip-sap-erp-easy-button.md)
+
 ## Azure AD B2B guest access
 Azure AD B2B guest access to SHA protected applications is also possible, but some scenarios may require some additional steps not covered in the tutorials. One example is Kerberos SSO, where a BIG-IP will perform kerberos constrained delegation (KCD) to obtain a service ticket from domain contollers. Without a local representation of a guest user exisiting locally, a domain controller will fail to honour the request on the basis that the user does not exist. To support this scenario, you would need to ensure external identities are flowed down from your Azure AD tenant to the directory used by the application. See [Grant B2B users in Azure AD access to your on-premises applications](../external-identities/hybrid-cloud-to-on-premises.md) for guidance.