Merge pull request #195297 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: ttorble

.openpublishing.publish.config.json

@@ -801,19 +801,19 @@
       "branch": "main",
       "branch_mapping": {}
     },
-    {  
+    {
       "path_to_root": "active-directory-b2c-msal-node-sign-in-sign-out-webapp",
       "url": "https://github.com/Azure-Samples/active-directory-b2c-msal-node-sign-in-sign-out-webapp",
       "branch": "main",
       "branch_mapping": {}
     },
-    {  
+    {
       "path_to_root": "active-directory-b2c-javascript-nodejs-webapi",
       "url": "https://github.com/Azure-Samples/active-directory-b2c-javascript-nodejs-webapi",
       "branch": "master",
       "branch_mapping": {}
     },
-    {  
+    {
       "path_to_root": "ms-identity-dotnetcore-b2c-account-management",
       "url": "https://github.com/Azure-Samples/ms-identity-dotnetcore-b2c-account-management",
       "branch": "master",
@@ -899,7 +899,6 @@
     ".openpublishing.redirection.healthcare-apis.json",
     ".openpublishing.redirection.iot-hub.json",
     ".openpublishing.redirection.key-vault.json",
-    ".openpublishing.redirection.media-services.json",
     ".openpublishing.redirection.security-benchmark.json",
     ".openpublishing.redirection.sql-database.json",
     "articles/synapse-analytics/.openpublishing.redirection.synapse-analytics.json",

.openpublishing.redirection.healthcare-apis.json

@@ -486,6 +486,11 @@
         "source_path_from_root": "/articles/healthcare-apis/data-transformation/convert-data.md",
         "redirect_url": "/azure/healthcare-apis/fhir/convert-data",
         "redirect_document_id": true
+    },
+    {
+        "source_path_from_root": "/articles/healthcare-apis/fhir/bulk-importing-fhir-data.md",
+        "redirect_url": "/azure/healthcare-apis/fhir/configure-import-data",
+        "redirect_document_id": true
     }
   ]
 }

.openpublishing.redirection.json

@@ -21,7 +21,7 @@ The feature lets you specify a deletion threshold, above which an admin
 needs to explicitly choose to allow the deletions to be processed.
 
 > [!NOTE]
-> Accidental deletions are not supported for our Workday / SuccessFactors integrations. It is also not supported for changes in scoping (e.g. changing a scoping filter or changing from "sync all users and groups" to "sync assigned users and groups". Until the accidental deletions prevention feature is fully released, you will need to access the Azure portal using this URL: https://aka.ms/AccidentalDeletionsPreview
+> Accidental deletions are not supported for our Workday / SuccessFactors integrations. It is also not supported for changes in scoping (e.g. changing a scoping filter or changing from "sync all users and groups" to "sync assigned users and groups"). Until the accidental deletions prevention feature is fully released, you'll need to access the Azure portal using this URL: https://aka.ms/AccidentalDeletionsPreview
 
 
 ## Configure accidental deletion prevention
@@ -30,18 +30,18 @@ To enable accidental deletion prevention:
 2.  Select **Enterprise applications** and then select your app.
 3.  Select **Provisioning** and then on the provisioning page select **Edit provisioning**.
 4. Under **Settings**, select the **Prevent accidental deletions** checkbox and specify a deletion 
-threshold. Also, be sure the notification email address is completed. If the deletion threshold his met and email will be sent.
+threshold. Also, be sure the notification email address is completed. If the deletion threshold is met an email will be sent.
 5. Select **Save**, to save the changes.
 
 When the deletion threshold is met, the job will go into quarantine and a notification email will be sent. The quarantined job can then be allowed or rejected. To learn more about quarantine behavior, see [Application provisioning in quarantine status](application-provisioning-quarantine-status.md).
 
 ## Known limitations
 There are two key limitations to be aware of and are actively working to address:
-- HR-driven provisioning from Workday and SuccessFactors do not support the accidental deletions feature. 
-- Changes to your provisioning configuration (e.g. changing scoping) is not supported by the accidental deletions feature. 
+- HR-driven provisioning from Workday and SuccessFactors don't support the accidental deletions feature. 
+- Changes to your provisioning configuration (e.g. changing scoping) isn't supported by the accidental deletions feature. 
 
 ## Recovering from an accidental deletion
-If you encounter an accidental deletion you will see it on the provisioning status page.  It will say **Provisioning has been quarantined. See quarantine details for more information.**.
+If you encounter an accidental deletion you'll see it on the provisioning status page.  It will say **Provisioning has been quarantined. See quarantine details for more information.**.
 
 You can click either **Allow deletes** or **View provisioning logs**.
 
@@ -51,20 +51,20 @@ The **Allow deletes** action will delete the objects that triggered the accident
 
 1. Select **Allow deletes**.
 2. Click **Yes** on the confirmation to allow the deletions.
-3. You will see confirmation that the deletions were accepted and the status will return to healthy with the next cycle.
+3. You'll see confirmation that the deletions were accepted and the status will return to healthy with the next cycle.
 
 ### Rejecting deletions
 
-If you do not want to allow the deletions, you need to do the following:
+If you don't want to allow the deletions, you need to do the following:
 - Investigate the source of the deletions. You can use the provisioning logs for details.
 - Prevent the deletion by assigning the user / group to the app again, restoring the user / group, or updating your provisioning configuration.
-- Once you've made the necessary changes to prevent the user / group from being deleted, restart provisioning. Please do not restart provisioning until you've made the necessary changes to prevent the users / groups from being deleted. 
+- Once you've made the necessary changes to prevent the user / group from being deleted, restart provisioning. Please don't restart provisioning until you've made the necessary changes to prevent the users / groups from being deleted. 
 
 
 ### Test deletion prevention
 You can test the feature by triggering disable / deletion events by setting the threshold to a low number, for example 3, and then changing scoping filters, un-assigning users, and deleting users from the directory (see common scenarios in next section). 
 
-Let the provisioning job run (20 – 40 mins) and navigate back to the provisioning page. You will see the provisioning job in quarantine and can choose to allow the deletions or review the provisioning logs to understand why the deletions occurred.
+Let the provisioning job run (20 – 40 mins) and navigate back to the provisioning page. You'll see the provisioning job in quarantine and can choose to allow the deletions or review the provisioning logs to understand why the deletions occurred.
 
 ## Common de-provisioning scenarios to test
 - Delete a user / put them into the recycle bin.
@@ -83,7 +83,7 @@ application could include: unassigning the user from the application and soft /
 evaluated for deletion count towards the deletion threshold. In addition to deletions, the same functionality also works for disables.
 
 ### What is the interval that the deletion threshold is evaluated on?
-It is evaluated each cycle. If the number of deletions does not exceed the threshold during a 
+It is evaluated each cycle. If the number of deletions doesn't exceed the threshold during a 
 single cycle, the “circuit breaker” won’t be triggered. If multiple cycles are needed to reach a 
 steady state, the deletion threshold will be evaluated per cycle.
 

.openpublishing.redirection.media-services.json

@@ -119,8 +119,8 @@ items:
         href: workday-attribute-reference.md
       - name: Provisioning Agent version history
         href: provisioning-agent-release-version-history.md
-      - name: Migrate connector from MIM Sync
-        href: on-premises-migrate-microsoft-identity-manager.md
+    - name: Migrate connector from MIM Sync
+      href: on-premises-migrate-microsoft-identity-manager.md
   - name: Resources
     items:
     - name: Support and help options for developers
@@ -136,4 +136,4 @@ items:
     - name: Stack Overflow
       href: https://stackoverflow.com/questions/tagged/azure-active-directory
     - name: Videos
-      href: https://azure.microsoft.com/documentation/videos/index/?services=active-directory
+      href: https://azure.microsoft.com/documentation/videos/index/?services=active-directory

articles/active-directory/app-provisioning/accidental-deletions.md

@@ -42,11 +42,13 @@ Advisor considers resizing virtual machines when it's possible to fit the curren
 - The last 7 days of utilization data are considered
 - Metrics are sampled every 30 seconds, aggregated to 1 min and then further aggregated to 30 mins (we take the average of max values while aggregating to 30 mins)
 - An appropriate SKU is determined based on the following criteria:
-  - Performance of the workloads on the new SKU should not be impacted. This is achieved by: 
-    - For user-facing workloads: P95 of the CPU and Outbound Network utilization, and P100 of Memory utilization don’t go above 80% on the new SKU 
-    - For non user-facing workloads: 
-      - P95 of CPU and Outbound Network utilization don’t go above 40% on the recommended SKU 
-      - P100 of Memory utilization doesn’t go above 60% on the recommended SKU
+  - Performance of the workloads on the new SKU should not be impacted. 
+    - Target for user-facing workloads: 
+      - P95 of CPU and Outbound Network utilization at 40% or lower on the recommended SKU 
+      - P100 of Memory utilization at 60% or lower on the recommended SKU
+    - Target for non user-facing workloads: 
+      - P95 of the CPU and Outbound Network utilization at 80% or lower on the new SKU
+      - P100 of Memory utilization at 80% or lower on the new SKU 
   - The new SKU has the same Accelerated Networking and Premium Storage capabilities 
   - The new SKU is supported in the current region of the Virtual Machine with the recommendation
   - The new SKU is less expensive 

articles/active-directory/app-provisioning/toc.yml

@@ -176,7 +176,7 @@ For example, say you have the following header rewrite rule for the header `"Acc
 Here, with only header rewrite configured, the WAF evaluation will be done on `"Accept" : "text/html"`. But when you configure URL rewrite or host header rewrite, then the WAF evaluation will be done on `"Accept" : "image/png"`.
 
 >[!NOTE]
-> URL rewrite operations are expected to cause a minor increase in the CPU utilization of your WAF Application Gateway. It is recommended that you monitor the [CPU utilization metric](high-traffic-support.md) for a brief period of time after enabling the URL rewrite rules on your WAF Application Gateway.
+> URL rewrite operations may cause a minor increase in the compute utilization of your WAF Application Gateway. In application gateway v1 deployments, it is recommended that you monitor the [CPU utilization metric](high-traffic-support.md) for a brief period of time after enabling the URL rewrite rules on your WAF Application Gateway.
 
 ### Common scenarios for header rewrite
 

articles/advisor/advisor-cost-recommendations.md

@@ -5,7 +5,7 @@ ms.service: automanage
 ms.workload: infrastructure
 ms.topic: conceptual
 ms.date: 11/05/2020
-ms.custom: devx-track-azurepowershell, devx-track-azurecli
+ms.custom: devx-track-azurepowershell, devx-track-azurecli, subject-rbac-steps
 ---
 
 # Repair an Automanage Account
@@ -65,12 +65,24 @@ If you're using an ARM template or the Azure CLI, you'll need the Principal ID (
 - Azure portal: Go to **Azure Active Directory** and search for your Automanage Account by name. Under **Enterprise Applications**, select the Automanage Account name when it appears.
 
 ### Azure portal
+
 1. Under **Subscriptions**, go to the subscription that contains your automanaged VMs.
-1. Go to **Access control (IAM)**.
-1. Select **Add role assignments**.
-1. Select the **Contributor** role and enter the name of your Automanage Account.
-1. Select **Save**.
-1. Repeat steps 3 through 5, this time with the **Resource Policy Contributor** role.
+
+1. Select **Access control (IAM)**.
+
+1. Select **Add** > **Add role assignment** to open the **Add role assignment** page.
+
+1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).
+
+    | Setting | Value |
+    | --- | --- |
+    | Role | Contributor |
+    | Assign access to | User, group, or service principal |
+    | Members | \<Name of your Automanage account> |
+
+    ![Screenshot showing Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
+
+1. Repeat steps 2 through 4, selecting the **Resource Policy Contributor** role.
 
 ### ARM template
 Run the following ARM template. You'll need the Principal ID of your Automanage Account. The steps to get it are at the start of this section. Enter the ID when you're prompted.

articles/application-gateway/rewrite-http-headers-url.md

@@ -5,7 +5,7 @@ services: automation
 ms.subservice: shared-capabilities
 ms.date: 09/10/2021
 ms.topic: how-to 
-ms.custom: devx-track-azurepowershell
+ms.custom: devx-track-azurepowershell, subject-rbac-steps
 #Customer intent: As an administrator, I want to understand permissions so that I use the least necessary set of permissions.
 ---
 
@@ -328,42 +328,26 @@ The following section shows you how to configure Azure RBAC on your Automation a
 
 ### Configure Azure RBAC using the Azure portal
 
-1. Log in to the [Azure portal](https://portal.azure.com/) and open your Automation account from the Automation Accounts page.
-2. Click on **Access control (IAM)** to open the Access control (IAM) page. You can use this page to add new users, groups, and applications to manage your Automation account and view existing roles that are configurable for the Automation account.
-3. Click the **Role assignments** tab.
+1. Sign in to the [Azure portal](https://portal.azure.com/) and open your Automation account from the **Automation Accounts** page.
 
-   ![Access button](media/automation-role-based-access-control/automation-01-access-button.png)
+1. Select **Access control (IAM)** and select a role from the list of available roles. You can choose any of the available built-in roles that an Automation account supports or any custom role you might have defined. Assign the role to a user to which you want to give permissions.
 
-#### Add a new user and assign a role
+   For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).
 
-1. From the Access control (IAM) page, click **+ Add role assignment**. This action opens the Add role assignment page where you can add a user, group, or application, and assign a corresponding role.
-
-2. Select a role from the list of available roles. You can choose any of the available built-in roles that an Automation account supports or any custom role you may have defined.
-
-3. Type the name of the user that you want to give permissions to in the **Select** field. Choose the user from the list and click **Save**.
-
-   ![Add users](media/automation-role-based-access-control/automation-04-add-users.png)
-
-   Now you should see the user added to the Users page, with the selected role assigned.
-
-   ![List users](media/automation-role-based-access-control/automation-05-list-users.png)
-
-   You can also assign a role to the user from the Roles page.
+   > [!NOTE]
+   > You can only set role-based access control at the Automation account scope and not at any resource below the Automation account.
 
-4. Click **Roles** from the Access control (IAM) page to open the Roles page. You can view the name of the role and the number of users and groups assigned to that role.
+#### Remove role assignments from a user
 
-    ![Assign role from users page](media/automation-role-based-access-control/automation-06-assign-role-from-users-blade.png)
+You can remove the access permission for a user who isn't managing the Automation account, or who no longer works for the organization. The following steps show how to remove the role assignments from a user. For detailed steps, see [Remove Azure role assignments](../../articles/role-based-access-control/role-assignments-remove.md):
 
-   > [!NOTE]
-   > You can only set role-based access control at the Automation account scope and not at any resource below the Automation account.
+1. Open **Access control (IAM)** at a scope, such as management group, subscription, resource group, or resource, where you want to remove access.
 
-#### Remove a user
+1. Select the **Role assignments** tab to view all the role assignments at this scope.
 
-You can remove the access permission for a user who isn't managing the Automation account, or who no longer works for the organization. Following are the steps to remove a user:
+1. In the list of role assignments, add a checkmark next to the user with the role assignment you want to remove.
 
-1. From the Access control (IAM) page, select the user to remove and click **Remove**.
-2. Click the **Remove** button in the assignment details pane.
-3. Click **Yes** to confirm removal.
+1. Select **Remove**.
 
    ![Remove users](media/automation-role-based-access-control/automation-08-remove-users.png)