Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into nat-over-fresh

asudbring · asudbring · commit 0b65a3ec1cc5 · 2022-12-06T09:51:39.000-08:00
diff --git a/articles/active-directory/conditional-access/workload-identity.md b/articles/active-directory/conditional-access/workload-identity.md
@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
 ---
 # Conditional Access for workload identities 
 
-Conditional Access policies have histroically applied only to users when they access apps and services like SharePoint online or the Azure portal. We are now extending support for Conditional Access policies to be applied to service principals owned by the organization. We call this capability  Conditional Access for workload identities. 
+Conditional Access policies have historically applied only to users when they access apps and services like SharePoint online or the Azure portal. We are now extending support for Conditional Access policies to be applied to service principals owned by the organization. We call this capability  Conditional Access for workload identities. 
 
 A [workload identity](../develop/workload-identities-overview.md) is an identity that allows an application or service principal access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as they:
 
diff --git a/articles/azure-functions/configure-monitoring.md b/articles/azure-functions/configure-monitoring.md
@@ -416,7 +416,7 @@ To configure these values at App settings level (and avoid redeployment on just
 | Host.json path | App setting |
 |----------------|-------------|
 | logging.logLevel.default  | AzureFunctionsJobHost__logging__logLevel__default  |
-| logging.logLevel.Host.Aggregator | AzureFunctionsJobHost__logging__logLevel__Host__Aggregator |
+| logging.logLevel.Host.Aggregator | AzureFunctionsJobHost__logging__logLevel__Host.Aggregator |
 | logging.logLevel.Function | AzureFunctionsJobHost__logging__logLevel__Function |
 | logging.logLevel.Function.Function1 | AzureFunctionsJobHost__logging__logLevel__Function.Function1 |
 | logging.logLevel.Function.Function1.User | AzureFunctionsJobHost__logging__logLevel__Function.Function1.User |
diff --git a/articles/azure-functions/functions-develop-vs-code.md b/articles/azure-functions/functions-develop-vs-code.md
@@ -113,7 +113,7 @@ The Functions extension lets you create a function app project, along with your
 
     :::image type="content" source="./media/functions-develop-vs-code/create-function-auth.png" alt-text="Screenshot for creating function authorization.":::
 
-1. From the dropdown list, select **Add to workplace**.
+1. From the dropdown list, select **Add to workspace**.
 
     :::image type="content" source="./media/functions-develop-vs-code/add-to-workplace.png" alt-text=" Screenshot for selectIng Add to workplace.":::
 
diff --git a/articles/cosmos-db/introduction.md b/articles/cosmos-db/introduction.md
@@ -45,7 +45,7 @@ You can [Try Azure Cosmos DB for Free](https://azure.microsoft.com/try/cosmosdb/
 Gain unparalleled [SLA-backed](https://azure.microsoft.com/support/legal/sla/cosmos-db) speed and throughput, fast global access, and instant elasticity.
 
 - Real-time access with fast read and write latencies globally, and throughput and consistency all backed by [SLAs](https://azure.microsoft.com/support/legal/sla/cosmos-db)
-- Multi-region writes and data distribution to any Azure region with the just a button.
+- Multi-region writes and data distribution to any Azure region with just a button.
 - Independently and elastically scale storage and throughput across any Azure region – even during unpredictable traffic bursts – for unlimited scale worldwide.
 
 ### Simplified application development
diff --git a/articles/defender-for-cloud/attack-path-reference.md b/articles/defender-for-cloud/attack-path-reference.md
@@ -32,7 +32,7 @@ Prerequisite: For a list of prerequisites see the [Availability](how-to-manage-a
 | VM has high severity vulnerabilities and read permission to a Key Vault | Virtual machine '\[MachineName]' has high severity vulnerabilities \[RCE] and \[IdentityDescription] with read permission to Key Vault '\[KVName]' |
 | VM has high severity vulnerabilities and read permission to a data store | Virtual machine '\[MachineName]' has high severity vulnerabilities \[RCE] and \[IdentityDescription] with read permission to \[DatabaseType] '\[DatabaseName]' |
 
-### AWS VMs
+### AWS Instances
 
 Prerequisite: [Enable agentless scanning](enable-vulnerability-assessment-agentless.md).
 
@@ -43,7 +43,7 @@ Prerequisite: [Enable agentless scanning](enable-vulnerability-assessment-agentl
 | Internet exposed EC2 instance has high severity vulnerabilities and read permission to S3 bucket | Option 1 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has IAM role attached with '\[Rolepermission]' permission via IAM policy to S3 bucket '\[BucketName]' <br> <br> Option 2 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has IAM role attached with '\[S3permission]' permission via bucket policy to S3 bucket '\[BucketName]' <br> <br> Option 3 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has IAM role attached with '\[Rolepermission]' permission via IAM policy and '\[S3permission]' permission via bucket policy to S3 bucket '\[BucketName]'|
 | Internet exposed EC2 instance has high severity vulnerabilities and read permission to a S3 bucket with sensitive data | Option 1 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has IAM role attached with '\[Rolepermission]' permission via IAM policy to S3 bucket '\[BucketName]' containing sensitive data <br> <br> Option 2 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has IAM role attached with '\[S3permission]' permission via bucket policy to S3 bucket '\[BucketName]' containing sensitive data <br> <br> Option 3 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has IAM role attached with '\[Rolepermission]' permission via IAM policy and '\[S3permission] permission via bucket policy to S3 bucket '\[BucketName]' containing sensitive data <br><br> . For more details, you can learn how to [prioritize security actions by data sensitivity](./information-protection.md).  |
 | Internet exposed EC2 instance has high severity vulnerabilities and read permission to a KMS | Option 1 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has high severity vulnerabilities\[RCE] and has IAM role attached with '\[Rolepermission]' permission via IAM policy to AWS Key Management Service (KMS) '\[KeyName]' <br> <br> Option 2 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has vulnerabilities allowing remote code execution and has IAM role attached with '\[Keypermission]' permission via AWS Key Management Service (KMS) policy to key '\[KeyName]' <br> <br> Option 3 <br> AWS EC2 instance '\[MachineName]' is reachable from the internet, has vulnerabilities allowing remote code execution and has IAM role attached with '\[Rolepermission]' permission via IAM policy and '\[Keypermission] permission via AWS Key Management Service (KMS) policy to key '\[KeyName]' |
-| Internet exposed EC2 instance has high severity vulnerabilities | AWS EC2 instance '\[EC2Name]' is reachable from the internet and has high severity vulnerabilities\[RCE] |
+| Internet exposed EC2 instance has high severity vulnerabilities | AWS EC2 instance '\[EC2Name]' is reachable from the internet and has high severity vulnerabilities\[RCE] | EC2 instance with high severity vulnerabilities has high privileged permissions to an account | EC2 instance '\[EC2Name]' has high severity vulnerabilities\[RCE] and has '\[Permissions]' permissions to account '\[AccountName]' | EC2 instance with high severity vulnerabilities has read permissions to a data store | Option 1 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has '\[Permissions]' permissions to database '\[DatabaseName]' <br> <br> Option 2 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has IAM role attached which is granted with '\[RolePermissions]' permissions through IAM policy to S3 bucket '\[BucketName]' <br><br> Option 3 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has IAM role attached which is granted with '\[Permissions]' permissions through bucket policy to S3 bucket '\[BucketName]' <br><br> Option 4 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has IAM role attached which is granted with '\[RolePermissions]' permissions through IAM policy and '\[Permissions]' permissions through bucket policy to S3 bucket '\[BucketName]' | EC2 instance with high severity vulnerabilities has read permissions to a data store with sensitive data | Option 1 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has IAM role attached which is granted with '\[RolePermissions]' permissions through IAM policy to S3 bucket '\[BucketName]' containing sensitive data <br><br> Option 2 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has IAM role attached which is granted with '\[Permissions]' permissions through bucket policy to S3 bucket '\[BucketName]' containing sensitive data <br><br> Option 3 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has IAM role attached which is granted with '\[RolePermissions]' permissions through IAM policy and '\[Permissions]' permissions through bucket policy to S3 bucket '\[BucketName]' containing sensitive data | EC2 instance with high severity vulnerabilities has read permissions to a KMS key | Option 1 <br> EC2 instance '\[MachineName]' has high severity vulnerabilities\[RCE] and has IAM role attached which is granted with '\[RolePermissions]' permissions through IAM policy to AWS Key Management Service (KMS) key '\[KeyName]' <br><br> option 2 <br> EC2 instance '\[MachineName]' has vulnerabilities allowing remote code execution and has IAM role attached which is granted with '\[KeyPermissions]' permissions through AWS Key Management Service (KMS) policy to key '\[KeyName]' <br><br> Option 3 <br> EC2 instance '\[MachineName]' has vulnerabilities allowing remote code execution and has IAM role attached which is granted with '\[RolePermissions]' permissions through IAM policy and '\[KeyPermissions]' permissions through AWS Key Management Service (KMS) policy to key '\[KeyName]' |
 
 ### Azure data
 
@@ -118,4 +118,4 @@ This section  lists all of the cloud security graph components (connections & in
 For related information, see the following:
 - [What are the cloud security graph, attack path analysis, and the cloud security explorer?](concept-attack-path.md)
 - [Identify and remediate attack paths](how-to-manage-attack-path.md)
-- [Cloud security explorer](how-to-manage-cloud-security-explorer.md)
+- [Cloud security explorer](how-to-manage-cloud-security-explorer.md)
diff --git a/articles/deployment-environments/quickstart-create-access-environments.md b/articles/deployment-environments/quickstart-create-access-environments.md
@@ -114,6 +114,20 @@ Complete the following steps in the Azure CLI to create an environment and confi
 > [!NOTE]
 > You can use `--help` to view more details about any command, accepted arguments and examples. For example, use `az devcenter dev environment create --help` to view more details about creating an environment.
 
+### Troubleshoot permission error
+
+You must have the [Deployment Environments User](how-to-configure-deployment-environments-user.md) role, the [DevCenter Project Admin](how-to-configure-project-admin.md) role, or a [built-in role](../role-based-access-control/built-in-roles.md) that has appropriate permissions can create an environment.
+
+If you don't have the correct permissions, creation of the environment will fail, and you may receive an error message like this:
+
+```
+(EnvironmentNotFound) The environment resource was not found.
+Code: EnvironmentNotFound
+Message: The environment resource was not found.
+```
+
+To resolve the issue, assign the correct permissions: [Give project access to the development team](quickstart-create-and-configure-projects.md#give-project-access-to-the-development-team).
+
 ## Access an environment
 
 To access an environment:
@@ -122,7 +136,7 @@ To access an environment:
 
    ```azurecli
     az devcenter dev environment list --dev-center <devcenter-name> --project-name <project-name>
-    ```  
+   ```  
 
 1. View the access endpoints to various resources as defined in the ARM template outputs.
 1. Access the specific resources by using the endpoints.
diff --git a/articles/machine-learning/migrate-to-v2-execution-pipeline.md b/articles/machine-learning/migrate-to-v2-execution-pipeline.md
@@ -155,7 +155,7 @@ This article gives a comparison of scenario(s) in SDK v1 and SDK v2. In the foll
     cluster_name = "cpu-cluster"
     print(ml_client.compute.get(cluster_name))
     
-    # Import components that are defined with python function
+    # Import components that are defined with Python function
     with open("src/components.py") as fin:
         print(fin.read())
     
@@ -173,7 +173,7 @@ This article gives a comparison of scenario(s) in SDK v1 and SDK v2. In the foll
     # define a pipeline with component
     @pipeline(default_compute=cluster_name)
     def pipeline_with_python_function_components(input_data, test_data, learning_rate):
-        """E2E dummy train-score-eval pipeline with components defined via python function components"""
+        """E2E dummy train-score-eval pipeline with components defined via Python function components"""
     
         # Call component obj as function: apply given inputs & parameters to create a node in pipeline
         train_with_sample_data = train_model(
diff --git a/articles/private-link/tutorial-private-endpoint-storage-portal.md b/articles/private-link/tutorial-private-endpoint-storage-portal.md
@@ -36,7 +36,7 @@ Create a virtual network, subnet, and bastion host. The virtual network and subn
 
 The bastion host will be used to connect securely to the virtual machine for testing the private endpoint.
 
-1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.
+1. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual network** in the search results.
 
 2. Select **+ Create**.
 
diff --git a/articles/storage/files/storage-snapshots-files.md b/articles/storage/files/storage-snapshots-files.md
@@ -1,16 +1,16 @@
 ---
 title: Overview of share snapshots for Azure Files
-description: A share snapshot is a read-only version of an Azure Files share that's taken at a point in time, as a way to back up the share.
+description: A share snapshot is a read-only version of an Azure file share that's taken at a point in time, as a way to back up the share.
 author: khdownie
 ms.service: storage
 ms.topic: conceptual
-ms.date: 06/17/2022
+ms.date: 12/06/2022
 ms.author: kendownie
 ms.subservice: files
 ---
 
 # Overview of share snapshots for Azure Files
-Azure Files provides the capability to take share snapshots of file shares. Share snapshots capture the share state at that point in time. This article describes the capabilities that file share snapshots provide and how you can take advantage of them in your custom use case.
+Azure Files provides the capability to take share snapshots of SMB file shares. Share snapshots capture the share state at that point in time. This article describes the capabilities that file share snapshots provide and how you can take advantage of them in your custom use case.
 
 ## Applies to
 | File share type | SMB | NFS |
@@ -53,7 +53,7 @@ Share snapshots persist until they are explicitly deleted. A share snapshot cann
 
 When you create a share snapshot of a file share, the files in the share's system properties are copied to the share snapshot with the same values. The base files and the file share's metadata are also copied to the share snapshot, unless you specify separate metadata for the share snapshot when you create it.
 
-You cannot delete a share that has share snapshots unless you delete all the share snapshots first.
+You can't delete a share that has share snapshots unless you delete all the share snapshots first.
 
 ## Space usage
 
@@ -71,7 +71,7 @@ The maximum number of share snapshots that Azure Files allows today is 200. Afte
 
 There is no limit to the simultaneous calls for creating share snapshots. There is no limit to amount of space that share snapshots of a particular file share can consume. 
 
-Today, it is not possible to mount share snapshots on Linux. This is because the Linux SMB client does not support mounting snapshots like Windows does.
+Taking snapshots of NFS Azure file shares isn't currently supported.
 
 ## Copying data back to a share from share snapshot
 
