Merge pull request #262019 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: v-ccolin

articles/app-service/overview-managed-identity.md

@@ -432,9 +432,9 @@ The **IDENTITY_ENDPOINT** is a local URL from which your app can request tokens.
 > | resource          | Query  | The Microsoft Entra resource URI of the resource for which a token should be obtained. This could be one of the [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication) or any other resource URI.    |
 > | api-version       | Query  | The version of the token API to be used. Use `2019-08-01`.                                                                                                                                                                                                                                                                 |
 > | X-IDENTITY-HEADER | Header | The value of the IDENTITY_HEADER environment variable. This header is used to help mitigate server-side request forgery (SSRF) attacks.                                                                                                                                                                                                    |
-> | client_id         | Query  | (Optional) The client ID of the user-assigned identity to be used. Cannot be used on a request that includes `principal_id`, `mi_res_id`, or `object_id`. If all ID parameters  (`client_id`, `principal_id`, `object_id`, and `mi_res_id`) are omitted, the system-assigned identity is used.                                             |
-> | principal_id      | Query  | (Optional) The principal ID of the user-assigned identity to be used. `object_id` is an alias that may be used instead. Cannot be used on a request that includes client_id, mi_res_id, or object_id. If all ID parameters (`client_id`, `principal_id`, `object_id`, and `mi_res_id`)  are omitted, the system-assigned identity is used. |
-> | mi_res_id         | Query  | (Optional) The Azure resource ID of the user-assigned identity to be used. Cannot be used on a request that includes `principal_id`, `client_id`, or `object_id`. If all ID parameters (`client_id`, `principal_id`, `object_id`, and `mi_res_id`) are omitted, the system-assigned identity is used.                                      |
+> | client_id         | Query  | (Optional) The client ID of the user-assigned identity to be used. Cannot be used on a request that includes `principal_id`, `msi_res_id`, or `object_id`. If all ID parameters  (`client_id`, `principal_id`, `object_id`, and `msi_res_id`) are omitted, the system-assigned identity is used.                                             |
+> | principal_id      | Query  | (Optional) The principal ID of the user-assigned identity to be used. `object_id` is an alias that may be used instead. Cannot be used on a request that includes client_id, msi_res_id, or object_id. If all ID parameters (`client_id`, `principal_id`, `object_id`, and `msi_res_id`)  are omitted, the system-assigned identity is used. |
+> | msi_res_id         | Query  | (Optional) The Azure resource ID of the user-assigned identity to be used. Cannot be used on a request that includes `principal_id`, `client_id`, or `object_id`. If all ID parameters (`client_id`, `principal_id`, `object_id`, and `msi_res_id`) are omitted, the system-assigned identity is used.                                      |
 
 > [!IMPORTANT]
 > If you are attempting to obtain tokens for user-assigned identities, you must include one of the optional properties. Otherwise the token service will attempt to obtain a token for a system-assigned identity, which may or may not exist.

articles/azure-monitor/logs/cross-workspace-query.md

@@ -4,7 +4,7 @@ description: Query and correlated data from multiple Log Analytics workspaces, a
 ms.topic: how-to
 author: guywi-ms
 ms.author: guywild
-ms.date: 05/30/2023
+ms.date: 12/28/2023
 # Customer intent: As a data analyst, I want to write KQL queries that correlate data from multiple Log Analytics workspaces, applications, or resources, to enable my analysis.
 
 ---

articles/azure-monitor/logs/log-analytics-overview.md

@@ -2,7 +2,7 @@
 title: Overview of Log Analytics in Azure Monitor
 description: This overview describes Log Analytics, which is a tool in the Azure portal used to edit and run log queries for analyzing data in Azure Monitor logs.
 ms.topic: conceptual
-ms.date: 06/28/2022
+ms.date: 12/28/2023
 
 ---
 

articles/azure-monitor/logs/log-analytics-workspace-insights-overview.md

@@ -5,8 +5,8 @@ services: azure-monitor
 ms.topic: conceptual
 author: guywild
 ms.author: guywild
-ms.reviewer: noakuper
-ms.date: 06/27/2022
+ms.reviewer: osalzberg
+ms.date: 12/28/2023
 
 ---
 

articles/azure-monitor/logs/queries.md

@@ -5,8 +5,8 @@ ms.subservice: logs
 ms.topic: article
 author: guywild
 ms.author: guywild
-ms.reviewer: roygal
-ms.date: 06/22/2022
+ms.reviewer: ilanawaitser
+ms.date: 12/28/2023
 ---
 
 # Use queries in Log Analytics
@@ -107,4 +107,4 @@ The queries that are available when you open Log Analytics are determined by the
 
 ## Next steps
 
-[Get started with KQL queries](get-started-queries.md)
+[Get started with KQL queries](get-started-queries.md)

articles/azure-monitor/logs/scope.md

@@ -4,7 +4,8 @@ description: Describes the scope and time range for a log query in Azure Monitor
 ms.topic: conceptual
 author: guywi-ms
 ms.author: guywild
-ms.date: 10/20/2021
+ms.reviewer: ilanawaitser
+ms.date: 12/28/2023
 
 ---
 
@@ -85,4 +86,4 @@ If the query uses **app** to retrieve data from a classic Application Insights a
 ## Next steps
 
 - Walk through a [tutorial on using Log Analytics in the Azure portal](../logs/log-analytics-tutorial.md).
-- Walk through a [tutorial on writing queries](../logs/get-started-queries.md).
+- Walk through a [tutorial on writing queries](../logs/get-started-queries.md).

articles/cosmos-db/burst-capacity-faq.yml

@@ -51,19 +51,14 @@ sections:
       - question: |
           How can I enable burst capacity on an account programatically?
         answer: |
-          You can use the [Azure Cosmos DB Resource Provider REST API version `2023-03-15-preview`](/rest/api/cosmos-db-resource-provider/2023-03-15-preview/database-accounts/create-or-update) or a [Resource Manager template with API version `2023-03-01-preview`](/azure/templates/microsoft.documentdb/2023-03-01-preview/databaseaccounts) to set the property `enableBurstCapacity` to true.
+          You can use the [Azure Cosmos DB Resource Provider REST API version `2023-09-15` or later](/rest/api/cosmos-db-resource-provider/database-accounts/create-or-update) or a [Resource Manager template with API version `2023-03-01-preview`](/azure/templates/microsoft.documentdb/2023-03-01-preview/databaseaccounts) to set the property `enableBurstCapacity` to true.
           You can also use the Azure CLI or PowerShell.
 
           #### [PowerShell](#tab/azure-powershell)
 
           ```azurepowershell
-          // Add the preview extension 2.0.5-preview or higher
-          $installParameters = @{
-              Name = "Az.CosmosDB"
-              AllowPrerelease = $true
-              Force = $true
-          }
-          Install-Module @installParameters
+          // Add Azure Cosmos DB extension 1.13.0 or higher
+          Install-Module -Name Az.CosmosDB -RequiredVersion 1.13.0
 
           // Enable burst capacity on an account
           $parameters = @{
@@ -77,9 +72,6 @@ sections:
           #### [Azure CLI](#tab/azure-cli)
 
           ```azurecli
-          // Add the preview extension version 0.24.0 or higher
-          az extension add --name cosmosdb-preview --version 0.24.0
-
           // Enable burst capacity on an account
           az cosmosdb update  \
           --resource-group '<resource-group-name>' \

articles/cosmos-db/burst-capacity.md

@@ -22,7 +22,7 @@ Burst capacity applies only to Azure Cosmos DB accounts using provisioned throug
 ## How burst capacity works
 
 > [!NOTE]
-> The current implementation of burst capacity is subject to change in the future. Usage of burst capacity is subject to system resource availability and is not guaranteed. Azure Cosmos DB may also use burst capacity for background maintenance tasks. If your workload requires consistent throughput beyond what you have provisioned, it's recommended to provision your RU/s accordingly without relying on burst capacity. Before enabling burst capacity, it is also recommended to evaluate if your partition layout can be [merged](merge.md) to permanently give more RU/s per physical partition without relying on burst capacity.
+> The current implementation of burst capacity is subject to change in the future. Usage of burst capacity is subject to system resource availability and is **not guaranteed**. Azure Cosmos DB may also use burst capacity for background maintenance tasks. If your workload requires consistent throughput beyond what you have provisioned, it's recommended to provision your RU/s accordingly without relying on burst capacity. Before enabling burst capacity, it is also recommended to evaluate if your partition layout can be [merged](merge.md) to permanently give more RU/s per physical partition without relying on burst capacity.
 
 Let's take an example of a physical partition that has 100 RU/s of provisioned throughput and is idle for 5 minutes. With burst capacity, it can accumulate a maximum of 100 RU/s * 300 seconds = 30,000 RU of burst capacity. The capacity can be consumed at a maximum rate of 3000 RU/s, so if there's a sudden spike in request volume, the partition can burst up to 3000 RU/s for up 30,000 RU / 3000 RU/s = 10 seconds. Without burst capacity, any requests that are consumed beyond the provisioned 100 RU/s would have been rate limited (429).
 

articles/cosmos-db/nosql/sdk-java-spark-v3.md

@@ -32,14 +32,20 @@ If you have any feedback or ideas on how to improve your experience create an is
 ## Version compatibility
 * [Version compatibility for Spark 3.1](https://aka.ms/azure-cosmos-spark-3-1-version-compatibility)
 * [Version compatibility for Spark 3.2](https://aka.ms/azure-cosmos-spark-3-2-version-compatibility)
+* [Version compatibility for Spark 3.3](https://aka.ms/azure-cosmos-spark-3-3-version-compatibility)
+* [Version compatibility for Spark 3.4](https://aka.ms/azure-cosmos-spark-3-4-version-compatibility)
 
 ## Release notes
 * [Release notes for Spark 3.1](https://aka.ms/azure-cosmos-spark-3-1-changelog)
 * [Release notes for Spark 3.2](https://aka.ms/azure-cosmos-spark-3-2-changelog)
+* [Release notes for Spark 3.3](https://aka.ms/azure-cosmos-spark-3-3-changelog)
+* [Release notes for Spark 3.4](https://aka.ms/azure-cosmos-spark-3-4-changelog)
 
 ## Download
 * [Download of Azure Cosmos DB Spark connector for Spark 3.1](https://aka.ms/azure-cosmos-spark-3-1-download)
 * [Download of Azure Cosmos DB Spark connector for Spark 3.2](https://aka.ms/azure-cosmos-spark-3-2-download)
+* [Download of Azure Cosmos DB Spark connector for Spark 3.3](https://aka.ms/azure-cosmos-spark-3-3-download)
+* [Download of Azure Cosmos DB Spark connector for Spark 3.4](https://aka.ms/azure-cosmos-spark-3-4-download)
 
 Azure Cosmos DB Spark connector is available on [Maven Central Repo](https://search.maven.org/search?q=g:com.azure.cosmos.spark).
 

articles/defender-for-cloud/exempt-resource.md

@@ -8,16 +8,15 @@ author: dcurwin
 ms.date: 10/29/2023
 ---
 
-# Exempt resources from recommendations 
+# Exempt resources from recommendations
 
-
-When you investigate security recommendations in Microsoft Defender for Cloud, you usually review the list of affected resources. Occasionally, a resource will be listed that you feel shouldn't be included. Or a recommendation will show in a scope where you feel it doesn't belong. For example, a resource might have been remediated by a process not tracked by Defender for Cloud, or a recommendation might be inappropriate for a specific subscription. Or perhaps your organization has decided to accept the risks related to the specific resource or recommendation.
+When you investigate security recommendations in Microsoft Defender for Cloud, you usually review the list of affected resources. Occasionally, a resource is listed that you feel shouldn't be included. Or a recommendation shows in a scope where you feel it doesn't belong. For example, a resource might be remediated by a process not tracked by Defender for Cloud, or a recommendation might be inappropriate for a specific subscription. Or perhaps your organization decided to accept the risks related to the specific resource or recommendation.
 
 In such cases, you can create an exemption to:
 
-- **Exempt a resource** to ensure it isn't listed with the unhealthy resources in the future, and doesn't impact your secure score. The resource will be listed as not applicable and the reason will be shown as "exempted" with the specific justification you select.
+- **Exempt a resource** to ensure it isn't listed with the unhealthy resources in the future, and doesn't affect your secure score. The resource will be listed as not applicable and the reason will be shown as "exempted" with the specific justification you select.
 
-- **Exempt a subscription or management group** to ensure that the recommendation doesn't impact your secure score and won't be shown for the subscription or management group in the future. This relates to existing resources and any you create in the future. The recommendation will be marked with the specific justification you select for the scope that you selected.
+- **Exempt a subscription or management group** to ensure that the recommendation doesn't affect your secure score and won't be shown for the subscription or management group in the future. This relates to existing resources and any you create in the future. The recommendation will be marked with the specific justification you select for the scope that you selected.
 
 For the scope you need, you can create an exemption rule to:
 
@@ -26,17 +25,17 @@ For the scope you need, you can create an exemption rule to:
 
 ## Before you start
 
-This feature is in preview. [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)] This is a premium Azure Policy capability that's offered at no additional cost for customers with Microsoft Defender for Cloud's enhanced security features enabled. For other users, charges might apply in the future.
+This feature is in preview. [!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)] This is a premium Azure Policy capability offered at no extra cost for customers with Microsoft Defender for Cloud's enhanced security features enabled. For other users, charges might apply in the future.
 
 - You need the following permissions to make exemptions:
-    - **Owner** or **Security Admin** or **Resource Policy Contributor** to create an exemption
-    - To create a rule, you need permissions to edit policies in Azure Policy. [Learn more](../governance/policy/overview.md#azure-rbac-permissions-in-azure-policy).
+  - **Owner** or **Security Admin** or **Resource Policy Contributor** to create an exemption
+  - To create a rule, you need permissions to edit policies in Azure Policy. [Learn more](../governance/policy/overview.md#azure-rbac-permissions-in-azure-policy).
 
 - You can create exemptions for recommendations included in Defender for Cloud's default [Microsoft cloud security benchmark](/security/benchmark/azure/introduction) standard, or any of the supplied regulatory standards.
 - Custom recommendations can't be exempted.
+- If a recommendation is disabled, all of its subrecommendations are exempted.
 - In addition to working in the portal, you can create exemptions using the Azure Policy API. Learn more [Azure Policy exemption structure](../governance/policy/concepts/exemption-structure.md).
 
-
 ## Define an exemption
 
 To create an exemption rule:
@@ -49,7 +48,7 @@ To create an exemption rule:
 
 1. In the **Exempt** pane:
     1. Select the scope for the exemption.
-        - If you select a management group, the recommendation will be exempted from all subscriptions within that group
+        - If you select a management group, the recommendation is exempted from all subscriptions within that group
         - If you're creating this rule to exempt one or more resources from the recommendation, choose "Selected resources" and select the relevant ones from the list
 
     1. Enter a name for the exemption rule.
@@ -60,20 +59,19 @@ To create an exemption rule:
             > [!NOTE]
             > When you exempt a recommendation as mitigated, you aren't given points towards your secure score. But because points aren't *removed* for the unhealthy resources, the result is that your score will increase.
 
-        - **Risk accepted (waiver)** – if you’ve decided to accept the risk of not mitigating this recommendation
+        - **Risk accepted (waiver)** – if you decided to accept the risk of not mitigating this recommendation
     1. Enter a description.
     1. Select **Create**.
     :::image type="content" source="media/exempt-resource/defining-recommendation-exemption.png" alt-text="Steps to create an exemption rule to exempt a recommendation from your subscription or management group."  lightbox="media/exempt-resource/defining-recommendation-exemption.png":::
 
-
 ## After creating the exemption
 
-After creating the exemption it can take up to 30 minutes to take effect. After it takes effect:
- 
+After creating the exemption, it can take up to 30 minutes to take effect. After it takes effect:
+
 - The recommendation or resources won't impact your secure score.
-- If you've exempted specific resources, they'll be listed in the **Not applicable** tab of the recommendation details page.
-- If you've exempted a recommendation, it will be hidden by default on Defender for Cloud's recommendations page. This is because the default options of the **Recommendation status** filter on that page are to exclude **Not applicable** recommendations. The same is true if you exempt all recommendations in a security control.
+- If you exempted specific resources, they'll be listed in the **Not applicable** tab of the recommendation details page.
+- If you exempted a recommendation, it will be hidden by default on Defender for Cloud's recommendations page. This is because the default options of the **Recommendation status** filter on that page are to exclude **Not applicable** recommendations. The same is true if you exempt all recommendations in a security control.
 
 ## Next steps
 
-[Review exempted resources](review-exemptions.md) in Defender for Cloud. 
+[Review exempted resources](review-exemptions.md) in Defender for Cloud.