Merge pull request #253068 from MicrosoftDocs/repo_sync_working_branch

Taojunshen · web-flow · commit 05327bcd3677 · 2023-09-28T05:53:26.000+08:00
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)
diff --git a/articles/active-directory/develop/test-throttle-service-limits.md b/articles/active-directory/develop/test-throttle-service-limits.md
@@ -55,7 +55,7 @@ The following table lists Microsoft Entra throttling limits to consider when run
 | Limit type | Resource unit quota | Write quota |
 |-------------------|----------------|----------------|
 | application+tenant pair | S: 3500, M:5000, L:8000 per 10 seconds | 3000 per 2 minutes and 30 seconds |
-| application | 150,000 per 20 seconds | 70,000 per 5 minutes |
+| application | 150,000 per 20 seconds | 35,000 per 5 minutes |
 | tenant | Not Applicable | 18,000 per 5 minutes |
 
 The application + tenant pair limit varies based on the number of users in the tenant requests are run against. The tenant sizes are defined as follows: S - under 50 users, M - between 50 and 500 users, and L - above 500 users.
diff --git a/articles/active-directory/fundamentals/security-defaults.md b/articles/active-directory/fundamentals/security-defaults.md
@@ -92,11 +92,13 @@ After registration is finished, the following administrator roles will be requir
 - Global Administrator
 - Application Administrator
 - Authentication Administrator
+- Authentication Policy Administrator
 - Billing Administrator
 - Cloud Application Administrator
 - Conditional Access Administrator
 - Exchange Administrator
 - Helpdesk Administrator
+- Identity Governance Administrator
 - Password Administrator
 - Privileged Authentication Administrator
 - Privileged Role Administrator
diff --git a/articles/traffic-manager/traffic-manager-configure-subnet-routing-method.md b/articles/traffic-manager/traffic-manager-configure-subnet-routing-method.md
@@ -190,9 +190,9 @@ Add the two VMs running the IIS servers - *myIISVMEastUS* & *myIISVMWEurope* to
     | Name           | myTestWebSiteEndpoint                                        |
     | Target resource type           | Public IP Address                          |
     | Target resource          | **Choose a Public IP address** to show the listing of resources with Public IP addresses under the same subscription. In **Resource**, select the public IP address named *myIISVMEastUS-ip*. This is the public IP address of the IIS server VM in East US.|
-    |  Subnet routing settings    |   Add the IP address of *myVMEastUS* test VM. Any user query originating from this VM will be directed to the *myTestWebSiteEndpoint*.    |
+    |  Subnet routing settings    |   Add the IP address of the recursive DNS resolver used by *myVMEastUS* test VM. Any user query originating from this VM will be directed to the *myTestWebSiteEndpoint*.    |
 
-4. Repeat steps 2 and 3 to add another endpoint named *myProductionEndpoint* for the public IP address *myIISVMWEurope-ip* that is associated with the IIS server VM named *myIISVMWEurope*. For **Subnet routing settings**, add the IP address of the test VM - *myVMWestEurope*. Any user query from this test VM will be routed to the endpoint - *myProductionWebsiteEndpoint*.
+4. Repeat steps 2 and 3 to add another endpoint named *myProductionEndpoint* for the public IP address *myIISVMWEurope-ip* that is associated with the IIS server VM named *myIISVMWEurope*. For **Subnet routing settings**, add the IP address of the recursive DNS resolver used by test VM - *myVMWestEurope*. Any user query from this test VM via its DNS resolver will be routed to the endpoint - *myProductionWebsiteEndpoint*.
 5. When the addition of both endpoints is complete, they are displayed in **Traffic Manager profile** along with their monitoring status as **Online**.
 
     ![Add a Traffic Manager endpoint](./media/traffic-manager-subnet-routing-method/customize-endpoint-with-subnet-routing-eastus.png)
diff --git a/articles/vs-azure-tools-storage-explorer-blobs.md b/articles/vs-azure-tools-storage-explorer-blobs.md
@@ -221,6 +221,15 @@ The following steps illustrate how to manage the blobs (and virtual directories)
      1. Select the blob you wish to delete.
      2. On the main pane's toolbar, select **Delete**.
      3. Select **Yes** to the confirmation dialog.
+   
+   * **Delete a blob along with snapshots**
+   
+     1. Select the blob you wish to delete.
+     2. On the main pane's toolbar, select **Delete**.
+     3. Select **Yes** to the confirmation dialog.
+     4. Under Activities the deletion of the blob will be skipped now click on retry.
+     5. Retry Azcopy window will open and from Snapshot select Delete blobs with snapshots option from dropdown then 
+        select Retry selected.
 
 ## Next steps
 
@@ -246,4 +255,4 @@ The following steps illustrate how to manage the blobs (and virtual directories)
 [16]: ./media/vs-azure-tools-storage-explorer-blobs/blob-upload-files-options.png
 [17]: ./media/vs-azure-tools-storage-explorer-blobs/blob-upload-folder-menu.png
 [18]: ./media/vs-azure-tools-storage-explorer-blobs/blob-upload-folder-options.png
-[19]: ./media/vs-azure-tools-storage-explorer-blobs/blob-container-open-editor-context-menu.png
+[19]: ./media/vs-azure-tools-storage-explorer-blobs/blob-container-open-editor-context-menu.png
diff --git a/articles/web-application-firewall/shared/application-ddos-protection.md b/articles/web-application-firewall/shared/application-ddos-protection.md
@@ -27,7 +27,7 @@ Azure WAF has many features that can be used to mitigate many different types of
 
 * Use bot protection managed rule set to protect against known bad bots. For more information, see [Configuring bot protection](../afds/waf-front-door-policy-configure-bot-protection.md).
 
-* Apply rate limit to prevent IP addresses from calling your service too frequently. For more information, see [Rate limiting](../afds/waf-front-door-rate-limit.md).
+* Apply rate limits to prevent IP addresses from calling your service too frequently. For more information, see [Rate limiting](../afds/waf-front-door-rate-limit.md).
 
 * Block IP addresses, and ranges that you identify as malicious. For more information, see [IP restrictions](../afds/waf-front-door-configure-ip-restriction.md).
 
@@ -49,6 +49,8 @@ Application Gateway WAF SKUs can be used to mitigate many L7 DDoS attacks:
 
 * Use bot protection managed rule set provides protection against known bad bots. For more information, see [Configuring bot protection](../ag/bot-protection.md).
 
+* Apply rate limits to prevent IP addresses from calling your service too frequently. For more information, see [Configuring Rate limiting custom rules](../ag/rate-limiting-configure.md).
+
 * Block IP addresses, and ranges that you identify as malicious. For more information, see examples at [Create and use v2 custom rules](../ag/create-custom-waf-rules.md).
 
 * Block or redirect to a static web page any traffic from outside a defined geographic region, or within a defined region that doesn't fit the application traffic pattern. For more information, see examples at [Create and use v2 custom rules](../ag/create-custom-waf-rules.md).
@@ -65,9 +67,9 @@ Application Gateway WAF SKUs can be used to mitigate many L7 DDoS attacks:
 
 * You can bypass the WAF for known legitimate traffic by creating Match Custom Rules with the action of Allow to reduce false positive. These rules should be configured with a high priority (lower numeric value) than other block and rate limit rules.
 
-* Depending on your traffic pattern, create a preventive rate limit rule (only applies to Azure Front Door). For example, you can configure a rate limit rule to not allow any single *Client IP address* to send more than XXX traffic per window to your site. Azure Front Door supports two fixed windows for tracking requests, 1 and 5 minutes. It's recommended to use the 5-minute window for better mitigation of HTTP Flood attacks. For example, **Configure a Rate Limit Rule**, which blocks any *Source IP* that exceeds 100 requests in a 5-minute window. This rule should be the lowest priority rule (priority is ordered with 1 being the highest priority), so that more specific Rate Limit rules or Match rules can be created to match before this rule.
+* At a minimum, you should have a rate limit rule that blocks high rate of requests from any single IP address. For example, you can configure a rate limit rule to not allow any single *Client IP address* to send more than XXX traffic per window to your site. Azure WAF supports two windows for tracking requests, 1 and 5 minutes. It's recommended to use the 5-minute window for better mitigation of HTTP Flood attacks. This rule should be the lowest priority rule (priority is ordered with 1 being the highest priority), so that more specific Rate Limit rules or Match rules can be created to match before this rule.  If you are using Application Gateway WAF v2, you can make use of additional rate limiting configurations to track and block clients by methods other than Client IP.  More information on Rate Limits on Application Gateway waf can be found at [Rate limiting overview](../ag/rate-limiting-overview.md).
 
-    The following Log Analytics query can be helpful in determining the threshold you should use for the above rule.
+    The following Log Analytics query can be helpful in determining the threshold you should use for the above rule.  For a similar query but with Application Gateway, replace "FrontdoorAccessLog" with "ApplicationGatewayAccessLog".
 
     ```
     AzureDiagnostics
