Merge pull request #8645 from MicrosoftDocs/main

Auto push to live 2025-04-03 02:00:02

Author: Deland-Han

support/azure/.openpublishing.redirection.azure.json

@@ -6307,6 +6307,10 @@
       {
         "source_path": "azure-kubernetes/create-upgrade-delete/error-using-feature-requiring-virtual-machine-scale-set.md",
         "redirect_url": "/troubleshoot/azure/azure-kubernetes/welcome-azure-kubernetes"
+      },
+      {
+        "source_path": "azure-kubernetes/create-upgrade-delete/akscapacityerror.md",
+        "redirect_url": "/troubleshoot/azure/azure-kubernetes/error-codes/akscapacityheavyusage-error"
       }
   ]
 }

…reate-upgrade-delete/akscapacityerror.md …ror-codes/akscapacityheavyusage-error.mdsupport/azure/azure-kubernetes/create-upgrade-delete/akscapacityerror.md renamed to support/azure/azure-kubernetes/error-codes/akscapacityheavyusage-error.md support/azure/azure-kubernetes/create-upgrade-delete/akscapacityerror.md renamed to support/azure/azure-kubernetes/error-codes/akscapacityheavyusage-error.md

@@ -1,6 +1,6 @@
 ---
-title: Troubleshoot the AKSCapacityError error code
-description: Discusses how to troubleshoot the AKSCapacityError error when you create or start a Kubernetes cluster.
+title: Troubleshoot the AksCapacityHeavyUsage error code
+description: Discusses how to troubleshoot the AksCapacityHeavyUsage error when you create or start a Kubernetes cluster.
 ms.date: 05/29/2024
 author: axelgMS
 ms.author: axelg
@@ -56,6 +56,6 @@ Capacity is often reclaimed when other users stop or delete their AKS clusters.
 
     For more information about improvements that we're making toward delivering a resilient cloud supply chain, see [this September 2021 Azure Blog article](https://azure.microsoft.com/blog/advancing-reliability-through-a-resilient-cloud-supply-chain/).
 
-- [General troubleshooting of AKS cluster creation issues](troubleshoot-aks-cluster-creation-issues.md)
+- [General troubleshooting of AKS cluster creation issues](../create-upgrade-delete/troubleshoot-aks-cluster-creation-issues.md)
 
 [!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]

support/azure/azure-kubernetes/toc.yml

@@ -368,3 +368,5 @@
       href: error-codes/vmextensionerror-vhdfilenotfound.md
   - name: UnsatisfiablePDB error
     href: error-codes/unsatisfiablepdb-error.md
+  - name: AksCapacityHeavyUsage error
+    href: error-codes/akscapacityheavyusage-error.md

support/azure/azure-storage/files/file-sync/file-sync-troubleshoot-managed-identities.md

@@ -3,7 +3,7 @@ title: Troubleshoot Azure File Sync managed identity issues
 description: Troubleshoot common issues when your Azure File Sync deployment is configured to use managed identities.
 ms.service: azure-file-storage
 ms.topic: troubleshooting
-ms.date: 11/04/2024
+ms.date: 04/02/2025
 author: khdownie
 ms.author: kendownie
 ---
@@ -32,13 +32,13 @@ Get-AzStorageSyncServer -ResourceGroupName <string> -StorageSyncServiceName <str
 Verify the `ApplicationId` property has a GUID which indicates that the server is configured to use a system-assigned managed identity. Once the server uses a system-assigned managed identity, the value of the `ActiveAuthType` property is updated to `ManagedIdentity`. If the value is `Certificate`, the server uses shared keys to authenticate to Azure file shares. 
 
 > [!NOTE]
-> Once a server is configured to use a system-assigned managed identity, it can take up to one hour before the server uses the system-assigned managed identity to authenticate to the Storage Sync Service and Azure file shares.
+> Once a server is configured to use a system-assigned managed identity, it can take up to 15 minutes before the server uses the system-assigned managed identity to authenticate to the Storage Sync Service and Azure file shares.
 
 ## Set-AzStorageSyncServiceIdentity cmdlet doesn't configure a server to use a system-assigned managed identity
 
 If running the `Set-AzStorageSyncServiceIdentity` cmdlet doesn't configure a registered server to use a system-assigned managed identity, it's likely because the server doesn't have a system-assigned managed identity.
 
-To enable a system-assigned managed identity on a registered server that has the Azure File Sync v19 agent installed, perform the following steps:
+To enable a system-assigned managed identity on a registered server that has the Azure File Sync v20 agent installed, perform the following steps:
 
 - If the server is hosted outside of Azure, it must be an Azure Arc-enabled server to have a system-assigned managed identity. For more information about Azure Arc-enabled servers and how to install the Azure Connected Machine agent, see [Azure Arc-enabled servers Overview](/azure/azure-arc/servers/overview).
 

support/azure/virtual-machines/windows/windows-11-support-azure-virtual-machines.md

@@ -8,7 +8,7 @@ ms.custom: sap:VM Admin - Windows (Guest OS)
 ms.reviewer: scotro, kageorge, jarrettr, yutorigo, v-leedennis
 editor: v-jsitser
 ms.topic: upgrade-and-migration-article
-ms.date: 01/08/2025
+ms.date: 04/02/2025
 ---
 # Windows 11 support on Azure virtual machines
 
@@ -108,11 +108,11 @@ The following sections provide more detail about the three main criteria: VM gen
 
 ### VM generation
 
-VMs must be generation 2. You can't upgrade generation 1 VMs to generation 2.
+VMs must be generation 2. You can upgrade VMs from Generation 1 to Generation 2 by [upgrading to the Trusted launch security type](/azure/virtual-machines/trusted-launch-existing-vm-gen-1).
 
 ### Trusted launch
 
-VMs must be enabled for trusted launch together with secure boot and virtual TPM. Upgrading VMs from standard security to trusted launch isn't supported. Many VMs are affected by this requirement. This is because before [June 28, 2023](https://techcommunity.microsoft.com/t5/azure-confidential-computing/announcing-trusted-launch-as-default-in-azure-portal/ba-p/3854872), trusted launch wasn't the default security type option when you created a VM in the Azure portal. Also, when Windows 11 was released, trusted launch wasn't available as a feature in Windows Azure.
+VMs must be enabled for Trusted launch together with secure boot and virtual TPM. [Upgrading VMs from standard security to Trusted launch](/azure/virtual-machines/trusted-launch-existing-vm-gen-1) is supported. Many VMs are affected by this requirement. This is because before [June 28, 2023](https://techcommunity.microsoft.com/t5/azure-confidential-computing/announcing-trusted-launch-as-default-in-azure-portal/ba-p/3854872), trusted launch wasn't the default security type option when you created a VM in the Azure portal. Also, when Windows 11 was released, trusted launch wasn't available as a feature in Windows Azure.
 
 ### CPU
 

support/entra/entra-id/toc.yml

@@ -279,6 +279,15 @@
      href: app-integration/404-not-found-error-manage-objects-microsoft-graph.md
    - name: Use managed identities to call Graph APIs in VB.Net and C#
      href: users-groups-entra-apis/call-graph-api-using-managed-dentities.md
+   - name: The memberOf API returns null values for properties
+     href: users-groups-entra-apis/memberof-api-returns-null-properties.md
+   - name: Getting access denied errors (Authorization)
+     items: 
+      - name: Error "The identity of the calling application could not be established"
+        href: users-groups-entra-apis/identity-of-calling-application-not-established.md
+      - name: Add an owner to an application
+        href: users-groups-entra-apis/add-owner-for-application-microsoft-graph.md
+
 - name: Microsoft Entra User Provisioning and Synchronization
   items:
   - name: User Sign-in or password Problems

support/entra/entra-id/users-groups-entra-apis/add-owner-for-application-microsoft-graph.md

@@ -0,0 +1,116 @@
+---
+title: Add an Owner to an Application Using Microsoft Graph
+description: Introduces how to add an owner (service principle) to an application using Microsoft Graph.
+ms.date: 04/03/2025
+ms.reviewer: willfid, v-weizhu
+ms.service: entra-id
+ms.custom: sap:Getting access denied errors (Authorization)
+---
+# Add an owner to an application using Microsoft Graph
+
+When an application is authenticated, you might want to be able to update its own properties such as the client secret or certificate. To do so, the application must be an owner of itself. You can implement this using the [Microsoft Graph API - Add owner](/graph/api/application-post-owners).
+
+This article outlines the required permission and step-by-step instructions to add a service principal associated with an application as an owner of the application using Microsoft Graph.
+
+## Required permission
+
+The least privileged permissions for adding an owner to an application are described in the [Add owner - Permissions](/graph/api/application-post-owners#permissions) table. These permissions, such as `Application.ReadWrite.OwnedBy`, allow an application to manage applications of which it is an owner.
+
+## Add an owner
+
+Application owners can be individual users, the associated service principal, or another service principal. The following sections describe how to add the related service principal to an application as an owner.
+
+### Step 1: Get the application's Object ID
+
+To get the **Object ID** of the application you want to add an owner to, follow these steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+2. Navigate to the Microsoft Entra admin center.
+3. Browse to **Identity** > **Applications** > **App registrations**.
+4. Locate the application and copy its **Object ID**.
+
+     :::image type="content" source="media/add-owner-for-application-microsoft-graph/application-object-id.png" alt-text="Screenshot that shows an application's Object ID.":::
+
+### Step 2: Get the owner (service principal's Object ID)
+
+To get the **Object ID** of the service principal associated with the application, follow these steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+2. Navigate to the Microsoft Entra admin center.
+3. Browse to **Identity** > **Applications** > **Enterprise registrations**.
+4. Locate the application and copy its **Object ID**.
+
+    :::image type="content" source="media/add-owner-for-application-microsoft-graph/service-principle-object-id.png" alt-text="Screenshot that shows an service principal's Object ID.":::
+
+### Step 3: Add the owner to the application
+
+Here're two methods to do this:
+
+- [Method 1: Using Microsoft Graph Explorer](#method-1-using-microsoft-graph-explorer)
+- [Method 2: Using Microsoft Graph PowerShell](#method-2-using-microsoft-graph-powershell)
+
+#### Method 1: Using Microsoft Graph Explorer
+
+1. Navigate to [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
+2. Sign in with a user account that has the necessary permissions to update application owners, such as a Global Administrator or Application Administrator.
+3. Use the following request:
+
+    ```msgraph-interactive
+    POST https://graph.microsoft.com/v1.0/applications/{application-object-id}/owners/$ref
+
+    Content-Type: application/json
+
+    {
+        "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{service-principal-id}"
+    }
+    ```
+
+    > [!NOTE]
+    > Replace `{application-object-id}` with the **Object ID** of your application and `{service-principal-id}` with the **Object ID** of the service principal.
+
+    Here's an example of what it looks like in Microsoft Graph Explorer:
+
+    :::image type="content" source="media/add-owner-for-application-microsoft-graph/microsoft-graph-api-call.png" alt-text="Screenshot that shows a request in Microsoft Graph Explorer." lightbox="media/add-owner-for-application-microsoft-graph/microsoft-graph-api-call.png":::
+
+
+##### Troubleshoot Forbidden (403) error
+
+You might encounter the following error during this process:
+
+```output
+"error": {
+"code": "Authorization_RequestDenied",
+"message": "Insufficient privileges to complete the operation.",
+"innerError": {
+"date": "2021-12-09T17:41:54",
+"request-id": "b1909fc0-aa5c-4b43-8a1f-xxxxxxxxxxxx",
+"client-request-id": "836e08bb-a12d-4ade-c761-xxxxxxxxxxxx"
+}
+}
+```
+
+To resolve the issue, consent to the API permission **Application.ReadWrite.All** for Microsoft Graph Explorer under the **Modify permissions** tab.
+
+:::image type="content" source="media/add-owner-for-application-microsoft-graph/modify-permissions.png" alt-text="Screenshot that shows how to modify permission in Microsoft Graph Explorer." lightbox="media/add-owner-for-application-microsoft-graph/modify-permissions.png":::
+
+#### Method 2: Using Microsoft Graph PowerShell
+
+Here's an example of Microsoft Graph PowerShell scripts to add an owner to an application:
+
+```powershell
+Connect-MgGraph -Scopes Application.ReadWrite.All
+
+# Owner
+$OwnerServicePrincipalObjectId = "96858eb3-xxxx-xxxx-xxxx-33a6b0dc2430"
+
+# Application to add owner to
+$ApplicationObjectId = "b7463aa1-xxxx-xxxx-xxxx-0963d6c00485"
+
+$Owner = @{
+ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($OwnerServicePrincipalObjectId)"
+}
+
+New-MgApplicationOwnerByRef -ApplicationId $ApplicationObjectId -BodyParameter $Owner
+```
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]

support/entra/entra-id/users-groups-entra-apis/identity-of-calling-application-not-established.md

@@ -0,0 +1,44 @@
+---
+title: The Identity of the Calling Application Could Not Be Established
+description: Provides solutions to the identity of the calling application could not be established error when using Microsoft Graph.
+ms.date: 04/03/2025
+ms.service: entra-id
+ms.custom: sap:Getting access denied errors (Authorization)
+ms.reviewer: willfid, v-weizhu
+---
+# Error "The identity of the calling application could not be established"
+
+This article provides solutions to the error message "The identity of the calling application could not be established" when using Microsoft Graph.
+
+## Symptoms
+
+When using Microsoft Graph or some services that rely on it, you encounter the following error message:
+
+> The identity of the calling application could not be established
+
+## Cause
+
+This error occurs because the `oid` and `sub` claims are missing from the access token. The root cause is that the service principal doesn't exist in the tenant or the tenant isn't aware of the application.
+
+## Solution
+
+To resolve this error, add the service principal to the tenant and consent to the permissions required by the application.
+
+You can [build an admin consent URL](/entra/identity/enterprise-apps/grant-admin-consent#construct-the-url-for-granting-tenant-wide-admin-consent) like the following one:
+
+`https://login.microsoftonline.com/{organization}/adminconsent?client_id={client-id}`
+
+Then, sign in with a Global Administrator account of the tenant where you are trying to access resources.
+
+> [!NOTE]
+> - Replace `{organization}` with the tenant ID, for example, aaaaaaaaaaaa-bbbb-cccc-1111-22222222.
+> - Replace `{client-id}` with the application ID, for example, dddddddddddd-eeee-ffff-3333-44444444.
+
+## References
+
+- [Understanding Microsoft Entra application consent experiences](/entra/identity-platform/application-consent-experience)
+- [Overview of permissions and consent in the Microsoft identity platform](/entra/identity-platform/permissions-consent-overview)
+- [Retire Service Principal-Less Authentication](/entra/identity-platform/retire-service-principal-less-authentication)
+
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]