Merge pull request #269394 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)

Author: Taojunshen

articles/azure-vmware/upgrade-hcx-azure-vmware-solutions.md

@@ -27,7 +27,9 @@ You can update HCX Connector and HCX Cloud systems during separate maintenance w
 
 - As part of HCX update planning, and to ensure that HCX components are updated successfully, review the service update considerations and requirements. For planning HCX upgrade, see [Planning for HCX Updates](https://docs.vmware.com/en/VMware-HCX/4.5/hcx-user-guide/GUID-61F5CED2-C347-4A31-8ACB-A4553BFC62E3.html). 
 
-- Ensure that you have a backup and snapshot of HCX connector in the on-premises environment, if applicable. 
+- Ensure that you have a backup and snapshot of HCX connector in the on-premises environment, if applicable.
+- For more information, see the [HCX support policy for legacy vSphere environment](https://kb.vmware.com/s/article/82702).
+- Check that you are using the [latest VMware HCX version validated with Azure VMware Solution](introduction.md#vmware-software-versions).
 
 ### Backup HCX 
 - Azure VMware Solution backs up HCX Cloud Manager configuration daily.

articles/key-vault/general/overview-vnet-service-endpoints.md

@@ -65,6 +65,7 @@ Here's a list of trusted services that are allowed to access a key vault if the
 | Azure Disk Encryption volume encryption service|Allow access to BitLocker Key (Windows VM) or DM Passphrase (Linux VM), and Key Encryption Key, during virtual machine deployment. This enables [Azure Disk Encryption](../../security/fundamentals/encryption-overview.md).|
 | Azure Disk Storage | When configured with a Disk Encryption Set (DES). For more information, see [Server-side encryption of Azure Disk Storage using customer-managed keys](../../virtual-machines/disk-encryption.md#customer-managed-keys).|
 | Azure Event Hubs|[Allow access to a key vault for customer-managed keys scenario](../../event-hubs/configure-customer-managed-key.md)|
+| Azure ExpressRoute | [When using MACsec with ExpressRoute Direct](../../expressroute/expressroute-howto-macsec.md)|
 | Azure Firewall Premium| [Azure Firewall Premium certificates](../../firewall/premium-certificates.md)|
 | Azure Front Door Classic|[Using Key Vault certificates for HTTPS](../../frontdoor/front-door-custom-domain-https.md#prepare-your-key-vault-and-certificate)
 | Azure Front Door Standard/Premium|[Using Key Vault certificates for HTTPS](../../frontdoor/standard-premium/how-to-configure-https-custom-domain.md#prepare-your-key-vault-and-certificate)

articles/sentinel/sap/deploy-sap-btp-solution.md

@@ -25,11 +25,7 @@ Before you begin, verify that:
 - Your organization uses SAP BTP (in a Cloud Foundry environment) to streamline interactions with SAP applications and other business applications.
 - You have an SAP BTP account (which supports BTP accounts in the Cloud Foundry environment). You can also use a [SAP BTP trial account](https://cockpit.hanatrial.ondemand.com/).
 - You have the SAP BTP auditlog-management service and service key (see [Set up the BTP account and solution](#set-up-the-btp-account-and-solution)).
-- You can create an [Azure function app](../../azure-functions/functions-overview.md) by using the Microsoft.Web/Sites, Microsoft.Web/ServerFarms, Microsoft.Insights/Components, and Microsoft.Storage/StorageAccounts permissions.
-- You can create [data collection rules and endpoints](../../azure-monitor/essentials/data-collection-rule-overview.md) by using these permissions:
-  - Microsoft.Insights/DataCollectionEndpoints and Microsoft.Insights/DataCollectionRules.
-  - Assign the Monitoring Metrics Publisher role to the function app.
-- You have an [Azure Key Vault](../../key-vault/general/overview.md) to hold the SAP BTP client secret.
+- You have the Microsoft Sentinel Contributor role on the target Microsoft Sentinel workspace.
 
 ## Set up the BTP account and solution
 
@@ -69,14 +65,14 @@ To set up the BTP account and the solution:
 1. Select the resource group and the Microsoft Sentinel workspace in which to deploy the solution.
 1. Select **Next** until you pass validation, and then select **Create**.
 1. When the solution deployment is finished, return to your Microsoft Sentinel workspace and select **Data connectors**.
-1. In the search bar, enter **BTP**, and then select **SAP BTP (using Azure Function)**.
+1. In the search bar, enter **BTP**, and then select **SAP BTP**.
 1. Select **Open connector page**.
-1. On the connector page, make sure that you meet the required prerequisites and complete the configuration steps. In step 2 of the data connector configuration, specify the parameters that you defined in step 4 in this section.
+1. On the connector page, make sure that you meet the required prerequisites listed and complete the configuration steps. When you're ready, select **Add account**.
+1. Specify the parameters that you defined earlier during the configuration. The subaccount name specified is projected as a column in the `SAPBTPAuditLog_CL` table, and can be used to filter the logs when you have multiple subaccounts.
 
     > [!NOTE]
     > Retrieving audits for the global account doesn't automatically retrieve audits for the subaccount. Follow the connector configuration steps for each of the subaccounts you want to monitor, and also follow these steps for the global account. Review these [account auditing configuration considerations](#consider-your-account-auditing-configurations).
 
-1. Complete all configuration steps, including the function app deployment and the Azure Key Vault access policy configuration.
 1. Make sure that BTP logs are flowing into the Microsoft Sentinel workspace:
 
     1. Sign in to your BTP subaccount and run a few activities that generate logs, such as sign-ins, adding users, changing permissions, and changing settings.
@@ -105,6 +101,61 @@ You also can retrieve the logs via the UI:
 1. In the new instance, create a service key.
 1. View the service key and retrieve the required parameters from step 4 of the configuration instructions in the data connector UI (**url**, **uaa.url**, **uaa.clientid**, and **uaa.clientsecret**).
 
+## Rotate the BTP client secret
+
+We recommend that you periodically rotate the BPT subaccount client secrets. The following sample script demonstrates the process of updating an existing data connector with a new secret fetched from Azure Key Vault.
+
+Before you start, collect the values you'll need for the scripts parameters, including:
+
+ - The subscription ID, resource group, and workspace name for your Microsoft Sentinel workspace.
+ - The key vault and the name of the key vault secret.
+ - The name of the data connector you want to update with a new secret.  To identify the data connector name, open the SAP BPT data connector in the Microsoft Sentinel data connectors page. The data connector name has the following syntax: *BTP_{connector name}*
+
+
+```powershell
+param(
+    [Parameter(Mandatory = $true)] [string]$subscriptionId,
+    [Parameter(Mandatory = $true)] [string]$workspaceName,
+    [Parameter(Mandatory = $true)] [string]$resourceGroupName,
+    [Parameter(Mandatory = $true)] [string]$connectorName,
+    [Parameter(Mandatory = $true)] [string]$clientId,
+    [Parameter(Mandatory = $true)] [string]$keyVaultName,
+    [Parameter(Mandatory = $true)] [string]$secretName
+)
+
+# Import the required modules
+Import-Module Az.Accounts
+Import-Module Az.KeyVault
+
+try {
+    # Login to Azure
+    Login-AzAccount
+
+    # Retrieve BTP client secret from Key Vault
+    $clientSecret = (Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName).SecretValue
+    if (!($clientSecret)) {
+        throw "Failed to retrieve the client secret from Azure Key Vault"
+    }
+
+    # Get the connector from data connectors API
+    $path = "/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.OperationalInsights/workspaces/{2}/providers/Microsoft.SecurityInsights/dataConnectors/{3}?api-version=2024-01-01-preview" -f $subscriptionId, $resourceGroupName, $workspaceName, $connectorName
+    $connector = (Invoke-AzRestMethod -Path $path -Method GET).Content | ConvertFrom-Json
+    if (!($connector)) {
+        throw "Failed to retrieve the connector"
+    }
+
+    # Add the updated client ID and client secret to the connector
+    $connector.properties.auth | Add-Member -Type NoteProperty -Name "clientId" -Value $clientId
+    $connector.properties.auth | Add-Member -Type NoteProperty -Name "clientSecret" -Value ($clientSecret | ConvertFrom-SecureString -AsPlainText)
+
+    # Update the connector with the new auth object
+    Invoke-AzRestMethod -Path $path -Method PUT -Payload ($connector | ConvertTo-Json -Depth 10)
+}
+catch {
+    Write-Error "An error occurred: $_"
+}
+```
+
 ## Related content
 
 - [Learn how to enable the security content](../sentinel-solutions-deploy.md#analytics-rule)