Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into rolyon-mto-sync-graph-troubleshooting

Author: rolyon

articles/azure-resource-manager/managed-applications/key-vault-access.md

@@ -3,7 +3,7 @@ title: Use Azure Key Vault when deploying Managed Applications
 description: Shows how to access secrets in Azure Key Vault when deploying Managed Applications.
 ms.custom: subject-rbac-steps
 ms.topic: conceptual
-ms.date: 10/04/2022
+ms.date: 04/14/2023
 ---
 
 # Access Key Vault secret when deploying Azure Managed Applications
@@ -19,19 +19,19 @@ This article describes how to configure the Key Vault to work with Managed Appli
 
    :::image type="content" source="./media/key-vault-access/open-key-vault.png" alt-text="Screenshot of the Azure home page to open a key vault using search or by selecting key vault.":::
 
-1. Select **Access policies**.
+1. Select **Access configuration**.
 
-   :::image type="content" source="./media/key-vault-access/select-access-policies.png" alt-text="Screenshot of the key vault setting to select access policies.":::
+   :::image type="content" source="./media/key-vault-access/select-access-configuration.png" alt-text="Screenshot of the key vault setting to select access configuration.":::
 
-1. Select **Azure Resource Manager for template deployment**. Then, select **Save**.
+1. Select **Azure Resource Manager for template deployment**. Then, select **Apply**.
 
-   :::image type="content" source="./media/key-vault-access/enable-template.png" alt-text="Screenshot of the key vault's access policies that enable Azure Resource Manager for template deployment.":::
+   :::image type="content" source="./media/key-vault-access/enable-template.png" alt-text="Screenshot of the key vault's access configuration that enables Azure Resource Manager for template deployment.":::
 
 ## Add service as contributor
 
-Assign the **Contributor** role to the **Appliance Resource Provider** user at the key vault scope. For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
+Assign the **Contributor** role to the **Appliance Resource Provider** user at the key vault scope. For detailed steps, go to [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
 
-The **Appliance Resource Provider** is a service principal in your Azure Active Directory's tenant. From the Azure portal, you can see if it's registered by going to **Azure Active Directory** > **Enterprise applications** and change the search filter to **Microsoft Applications**. Search for _Appliance Resource Provider_. If it's not found, [register](../troubleshooting/error-register-resource-provider.md) the `Microsoft.Solutions` resource provider.
+The **Appliance Resource Provider** is a service principal in your Azure Active Directory's tenant. From the Azure portal, you can verify if it's registered by going to **Azure Active Directory** > **Enterprise applications** and change the search filter to **Microsoft Applications**. Search for _Appliance Resource Provider_. If it's not found, [register](../troubleshooting/error-register-resource-provider.md) the `Microsoft.Solutions` resource provider.
 
 ## Reference Key Vault secret
 
@@ -78,7 +78,7 @@ To pass a secret from a Key Vault to a template in your Managed Application, you
   "resources": [
     {
       "type": "Microsoft.Resources/deployments",
-      "apiVersion": "2021-04-01",
+      "apiVersion": "2022-09-01",
       "name": "dynamicSecret",
       "properties": {
         "mode": "Incremental",
@@ -105,7 +105,7 @@ To pass a secret from a Key Vault to a template in your Managed Application, you
           "resources": [
             {
               "type": "Microsoft.Sql/servers",
-              "apiVersion": "2022-02-01-preview",
+              "apiVersion": "2022-05-01-preview",
               "name": "[variables('sqlServerName')]",
               "location": "[parameters('location')]",
               "properties": {
@@ -149,7 +149,7 @@ To pass a secret from a Key Vault to a template in your Managed Application, you
 
 You've configured your Key Vault to be accessible during deployment of a Managed Application.
 
-- For information about passing a value from a Key Vault as a template parameter, see [Use Azure Key Vault to pass secure parameter value during deployment](../templates/key-vault-parameter.md).
-- To learn more about key vault security, see [Azure Key Vault security](../../key-vault/general/security-features.md) and [Authentication in Azure Key Vault](../../key-vault/general/authentication.md).
-- For managed application examples, see [Sample projects for Azure managed applications](sample-projects.md).
-- To learn how to create a UI definition file for a managed application, see [Get started with CreateUiDefinition](create-uidefinition-overview.md).
+- For information about passing a value from a Key Vault as a template parameter, go to [Use Azure Key Vault to pass secure parameter value during deployment](../templates/key-vault-parameter.md).
+- To learn more about key vault security, go to [Azure Key Vault security](../../key-vault/general/security-features.md) and [Authentication in Azure Key Vault](../../key-vault/general/authentication.md).
+- For managed application examples, go to [Sample projects for Azure managed applications](sample-projects.md).
+- To learn how to create a UI definition file for a managed application, go to [Get started with CreateUiDefinition](create-uidefinition-overview.md).

articles/azure-resource-manager/managed-applications/media/key-vault-access/enable-template.png

@@ -4,7 +4,7 @@ description: Learn how to isolate and restrict the restore permissions for conti
 author: kanshiG
 ms.service: cosmos-db
 ms.topic: how-to
-ms.date: 02/17/2023
+ms.date: 03/31/2023
 ms.author: govindk
 ms.reviewer: mjbrown
 ms.custom: subject-rbac-steps, ignite-2022, devx-track-azurecli
@@ -13,15 +13,15 @@ ms.custom: subject-rbac-steps, ignite-2022, devx-track-azurecli
 # Manage permissions to restore an Azure Cosmos DB account
 [!INCLUDE[NoSQL, MongoDB, Gremlin, Table](includes/appliesto-nosql-mongodb-gremlin-table.md)]
 
-Azure Cosmos DB allows you to isolate and restrict the restore permissions for continuous backup account to a specific role or a principal. The owner of the account can trigger a restore and assign a role to other principals to perform the restore operation. These permissions can be applied at the subscription scope or more granularly at the source account scope as shown in the following image:
+Azure Cosmos DB allows you to isolate and restrict the restore permissions for continuous backup account to a specific role or a principal. These permissions can be applied at the subscription scope or more granularly at the source account scope as shown in the following image:
 
 :::image type="content" source="./media/continuous-backup-restore-permissions/restore-roles-permissions.svg" alt-text="List of roles required to perform restore operation." border="false":::
 
 Scope is a set of resources that have access, to learn more on scopes, see the [Azure RBAC](../role-based-access-control/scope-overview.md) documentation. In Azure Cosmos DB, applicable scopes are the source subscription and database account for most of the use cases. The principal performing the restore actions should have write permissions to the destination resource group.
 
 ## Assign roles for restore using the Azure portal
 
-To perform a restore, a user or a principal need the permission to restore (that is *restore/action* permission), and permission to provision a new account (that is *write* permission).  To grant these permissions, the owner can assign the `CosmosRestoreOperator` and `Cosmos DB Operator` built in roles to a principal.
+To perform a restore, a user or a principal need the permission to restore (that is *restore/action* permission), and permission to provision a new account (that is *write* permission).  To grant these permissions, the owner of the subscription can assign the `CosmosRestoreOperator` and `Cosmos DB Operator` built in roles to a principal.
 
 1. Sign into the [Azure portal](https://portal.azure.com/) and navigate to your subscription. The `CosmosRestoreOperator` role is available at subscription level.
 
@@ -83,17 +83,20 @@ Following permissions are required to perform the different activities pertainin
 Roles with permission can be assigned to different scopes to achieve granular control on who can perform the restore operation within a subscription or a given account.
 
 ### Assign capability to restore from any restorable account in a subscription
-- Assign a user write action on the specific resource group. This action is required to create a new account in the resource group.
-- Assign the `CosmosRestoreOperator` built in role to the specific restorable database account that needs to be restored. In the following command, the scope for the `RestorableDatabaseAccount` is extracted from the `ID` property of result of execution of `az cosmosdb restorable-database-account list`(if using CLI) or `Get-AzCosmosDBRestorableDatabaseAccount`(if using the PowerShell)
 
-Assign the `CosmosRestoreOperator` built-in role at subscription level
+- Assign the `CosmosRestoreOperator` built in role to the specific subscription level 
 
 ```azurecli-interactive
 az role assignment create --role "CosmosRestoreOperator" --assignee <email> --scope /subscriptions/<subscriptionId>
 ```
 
-### Assign capability to restore from a specific account
-This operation is currently not supported.
+### Assign capability to restore from a specific account  
+- Assign a user write action on the specific resource group. This action is required to create a new account in the resource group.
+- Assign the `CosmosRestoreOperator` built in role to the specific restorable database account that needs to be restored. In the following command, the scope for the `RestorableDatabaseAccount` is extracted from the `ID` property of result of execution of `az cosmosdb restorable-database-account list`(if using CLI) or `Get-AzCosmosDBRestorableDatabaseAccount`(if using the PowerShell)
+
+```azurecli-interactive
+az role assignment create --role "CosmosRestoreOperator" --assignee <email> --scope  <RestorableDatabaseAccount>
+```
 
 ### Assign capability to restore from any source account in a resource group.
 This operation is currently not supported.

articles/azure-resource-manager/managed-applications/media/key-vault-access/select-access-configuration.png

@@ -78,6 +78,8 @@
           href: how-to-use-managed-identity.md  
         - name: Set up Resource sharing (CORS)
           href: how-to-enable-cors.md
+        - name: Set up audit logs
+          href: how-to-manage-audit-logs.md
     - name: Load datasets
       href: https://github.com/Azure/osdu-data-load-tno
     - name: Convert SEG-Y to ZGY
@@ -86,8 +88,6 @@
       href: how-to-convert-segy-to-ovds.md
     - name: Generate a refresh token
       href: how-to-generate-refresh-token.md
-    - name: Set up audit logs
-      href: how-to-manage-audit-logs.md
 - name: References
   items:
   - name: REST API

articles/azure-resource-manager/managed-applications/media/key-vault-access/select-access-policies.png

@@ -1,10 +1,10 @@
 ---
 author: tfitzmac
 ms.author: tomfitz
-ms.date: 02/26/2023
+ms.date: 04/14/2023
 ms.topic: include
 ms.prod: azure
 ---
 
 > [!NOTE]
-> This article was partially generated using Azure OpenAI Service. Before publishing, an author reviewed and revised the content as needed. See [Our principles for using AI-generated content in Microsoft Learn](https://aka.ms/ai-content-principles).
+> This article was partially created with the help of artificial intelligence. Before publishing, an author reviewed and revised the content as needed. See [Our principles for using AI-generated content in Microsoft Learn](https://aka.ms/ai-content-principles).