Merge remote-tracking branch 'upstream/main'

Author: Justinha

articles/active-directory/authentication/concept-authentication-authenticator-app.md

@@ -26,7 +26,7 @@ To use the Authenticator app at a sign-in prompt rather than a username and pass
 
 > [!NOTE]
 > - Users don't have the option to register their mobile app when they enable SSPR. Instead, users can register their mobile app at [https://aka.ms/mfasetup](https://aka.ms/mfasetup) or as part of the combined security info registration at [https://aka.ms/setupsecurityinfo](https://aka.ms/setupsecurityinfo).
-> - The Authenticator app may not be supported on beta versions of iOS and Android.
+> - The Authenticator app may not be supported on beta versions of iOS and Android. In addition, starting October 20th, 2023 the authenticator app on Android will no longer support older verisons of the Android Company Portal. Android users with Company Portal versions below 2111 (5.0.5333.0) will not be able to re-register or register new instances of the authenticator app until they update their Company Portal application to a newer version.
 
 ## Passwordless sign-in
 

articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md

@@ -47,14 +47,14 @@ Now we'll walk through each step:
 
    :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-alt.png" alt-text="Screenshot of the Sign-in if FIDO2 is also enabled.":::
 
-1. Once the user selects certificate-based authentication, the client is redirected to the certauth endpoint, which is [https://certauth.login.microsoftonline.com](https://certauth.login.microsoftonline.com) for Azure Global. For [Azure Government](../../azure-government/compare-azure-government-global-azure.md#guidance-for-developers), the certauth endpoint is [https://certauth.login.microsoftonline.us](https://certauth.login.microsoftonline.us).  
+1. Once the user selects certificate-based authentication, the client is redirected to the certauth endpoint, which is [https://certauth.login.microsoftonline.com](https://certauth.login.microsoftonline.com) or [`https://t<tenant id>.certauth.login.microsoftonline.com`](`https://t<tenant id>.certauth.login.microsoftonline.com`) for Azure Global. For [Azure Government](../../azure-government/compare-azure-government-global-azure.md#guidance-for-developers), the certauth endpoint is [https://certauth.login.microsoftonline.us](https://certauth.login.microsoftonline.us).  
 
    The endpoint performs TLS mutual authentication, and requests the client certificate as part of the TLS handshake. You'll see an entry for this request in the Sign-ins log.
 
    :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png" alt-text="Screenshot of the Sign-ins log in Azure AD." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png":::
 
    >[!NOTE]
-   >The network administrator should allow access to the User sign-in page and certauth endpoint for the customer’s cloud environment. Disable TLS inspection on the certauth endpoint to make sure the client certificate request succeeds as part of the TLS handshake.
+   >The network administrator should allow access to the User sign-in page and certauth endpoint *.certauth.login.microsoftonline.com for the customer’s cloud environment. Disable TLS inspection on the certauth endpoint to make sure the client certificate request succeeds as part of the TLS handshake.
 
    Click the log entry to bring up **Activity Details** and click **Authentication Details**. You'll see an entry for the X.509 certificate.
 

articles/active-directory/governance/entitlement-management-access-package-assignments.md

@@ -70,7 +70,7 @@ You can perform this query in PowerShell with the `Get-MgEntitlementManagementAs
 ```powershell
 Connect-MgGraph -Scopes "EntitlementManagement.Read.All"
 $accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayName eq 'Marketing Campaign'"
-$assignments = Get-MgEntitlementManagementAssignment -AccessPackageId $accesspackage.Id -ExpandProperty target -All -ErrorAction Stop
+$assignments = @(Get-MgEntitlementManagementAssignment -AccessPackageId $accesspackage.Id -ExpandProperty target -All -ErrorAction Stop)
 $assignments | ft Id,state,{$_.Target.id},{$_.Target.displayName}
 ```
 
@@ -181,7 +181,7 @@ For example, if you want to ensure all the users who are currently members of a
 
 ```powershell
 Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All,Directory.Read.All"
-$members = Get-MgGroupMember -GroupId "a34abd69-6bf8-4abd-ab6b-78218b77dc15" -All
+$members = @(Get-MgGroupMember -GroupId "a34abd69-6bf8-4abd-ab6b-78218b77dc15" -All)
 
 $accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayname eq 'Marketing Campaign'" -ExpandProperty "assignmentPolicies"
 $policy = $accesspackage.AssignmentPolicies[0]

articles/active-directory/governance/entitlement-management-access-package-incompatible.md

@@ -182,8 +182,8 @@ $ap_w_id = "29be137f-b006-426c-b46a-0df3d4e25ccd"
 $ap_e_id = "cce10272-68d8-4482-8ba3-a5965c86cfe5"
 $apa_w_filter = "accessPackage/id eq '" + $ap_w_id + "' and state eq 'Delivered'"
 $apa_e_filter = "accessPackage/id eq '" + $ap_e_id + "' and state eq 'Delivered'"
-$apa_w = Get-MgEntitlementManagementAssignment -Filter $apa_w_filter -ExpandProperty target -All
-$apa_e = Get-MgEntitlementManagementAssignment -Filter $apa_e_filter -ExpandProperty target -All
+$apa_w = @(Get-MgEntitlementManagementAssignment -Filter $apa_w_filter -ExpandProperty target -All)
+$apa_e = @(Get-MgEntitlementManagementAssignment -Filter $apa_e_filter -ExpandProperty target -All)
 $htt = @{}; foreach ($e in $apa_e) { if ($null -ne $e.Target -and $null -ne $e.Target.Id) {$htt[$e.Target.Id] = $e} }
 foreach ($w in $apa_w) { if ($null -ne $w.Target -and $null -ne $w.Target.Id -and $htt.ContainsKey($w.Target.Id)) { write-output $w.Target.Email } }
 ```

articles/active-directory/governance/identity-governance-automation.md

@@ -171,8 +171,12 @@ $TenantId = Get-AutomationVariable -Name 'TenantId'
 $Thumbprint = Get-AutomationVariable -Name 'Thumbprint'
 $auth = Connect-MgGraph -clientId $ClientId -tenantid $TenantId -certificatethumbprint $Thumbprint
 Import-Module Microsoft.Graph.Identity.Governance
-$ap = Get-MgEntitlementManagementAccessPackage -All -ErrorAction Stop
-$ap | Select-Object -Property Id,DisplayName | ConvertTo-Json
+$ap = @(Get-MgEntitlementManagementAccessPackage -All -ErrorAction Stop)
+if ($null -eq $ap -or $ap.Count -eq 0) {
+   ConvertTo-Json @()
+} else {
+   $ap | Select-Object -Property Id,DisplayName | ConvertTo-Json -AsArray
+}
 ```
 
 2. Select **Test pane**, and select **Start**.  Wait a few seconds for the Azure Automation processing of your runbook script to complete.

articles/active-directory/hybrid/connect/reference-connect-version-history-archive.md

@@ -1213,8 +1213,8 @@ Released: February 2016
 
 * [Automatic upgrade](how-to-connect-install-automatic-upgrade.md) feature for Express settings customers.
 * Support for the Hybrid Identity Administrator by using Azure AD Multi-Factor Authentication and Privileged Identity Management in the installation wizard.
-  * You need to allow your proxy to also allow traffic to `https://secure.aadcdn.microsoftonline-p.com` if you use Multi-Factor Authentication.
-  * You need to add https://secure.aadcdn.microsoftonline-p.com to your trusted sites list for Multi-Factor Authentication to properly work.
+  * You need to allow your proxy to also allow traffic to ```https://secure.aadcdn.microsoftonline-p.com``` if you use Multi-Factor Authentication.
+  * You need to add ```https://secure.aadcdn.microsoftonline-p.com``` to your trusted sites list for Multi-Factor Authentication to properly work.
 * Allow changing the user's sign-in method after initial installation.
 * Allow [Domain and OU filtering](how-to-connect-install-custom.md#domain-and-ou-filtering) in the installation wizard. This also allows connecting to forests where not all domains are available.
 * [Scheduler](how-to-connect-sync-feature-scheduler.md) is built in to the sync engine.

articles/active-directory/saas-apps/cernercentral-provisioning-tutorial.md

@@ -92,10 +92,10 @@ In order to provision user accounts to Cerner Central, you’ll need to request
    * In the **Tenant URL** field, enter a URL in the format below, replacing "User-Roster-Realm-ID" with the realm ID you acquired in step #4.
 
     > Sandbox:
-    > https://user-roster-api.sandboxcernercentral.com/scim/v1/Realms/User-Roster-Realm-ID/ 
+    > ```https://user-roster-api.sandboxcernercentral.com/scim/v1/Realms/User-Roster-Realm-ID/```
     > 
     > Production:
-    > https://user-roster-api.cernercentral.com/scim/v1/Realms/User-Roster-Realm-ID/ 
+    > ```https://user-roster-api.cernercentral.com/scim/v1/Realms/User-Roster-Realm-ID/``` 
 
    * In the **Secret Token** field, enter the OAuth bearer token you generated in step #3 and click **Test Connection**.
 

articles/ai-services/openai/faq.yml

@@ -196,7 +196,7 @@ sections:
       - question: |
           Is there a token limit on the system message?
         answer: 
-          Yes, the token limit on the system message is 200. If the system message is more than 200 tokens, the rest of the tokens beyond the first 200 will be ignored.
+          Yes, the token limit on the system message is 400. If the system message is more than 400 tokens, the rest of the tokens beyond the first 400 will be ignored.
       - question: |
           Do the query language and the data source language need to be the same?
         answer:

articles/ai-services/speech-service/speech-services-private-link.md

@@ -326,10 +326,14 @@ Follow these steps to modify your code:
       ```
       ```python
       import azure.cognitiveservices.speech as speechsdk
-      speech_config = speechsdk.SpeechConfig(endpoint=endPoint, subscription=speechKey)
+      config = speechsdk.SpeechConfig(endpoint=endPoint, subscription=speechKey)
       ```
       ```objectivec
-      SPXSpeechConfiguration *speechConfig = [[SPXSpeechConfiguration alloc] initWithEndpoint:endPoint subscription:speechKey];
+      SPXSpeechConfiguration *config = [[SPXSpeechConfiguration alloc] initWithEndpoint:endPoint subscription:speechKey];
+      ```
+      ```javascript
+      import * as sdk from "microsoft.cognitiveservices.speech.sdk";
+      config: sdk.SpeechConfig = sdk.SpeechConfig.fromEndpoint(new URL(endPoint), speechKey);
       ```
 
 > [!TIP]

articles/azure-monitor/faq.yml

@@ -1079,7 +1079,22 @@ sections:
           [OpenCensus](https://opencensus.io/) is the precursor to [OpenTelemetry](https://opentelemetry.io/). Microsoft helped bring together [OpenTracing](https://opentracing.io/) and OpenCensus to create OpenTelemetry, a single observability standard for the world. The current [production-recommended Python SDK](app/opencensus-python.md) for Azure Monitor is based on OpenCensus. Eventually, all Azure Monitor SDKs will be based on OpenTelemetry.
 
   - name: Container insights
+  
     questions:
+      - question: |
+          Why do I see info banner "You do not have the right cluster permissions which will restrict your access to Container Insights features. Please reach out to your cluster admin to get the right permission"?
+        answer: |
+          Container Insights has historically allowed users to access the Azure portal experience based on the access permission of the Log Analytics workspace. It now checks cluster-level permission to provide access to the Azure portal experience. You may need your cluster admin to assign this permission.
+
+          For basic read-only cluster level access, assign the **Monitoring Reader** role for the following types of clusters.
+
+          - AKS without Kubernetes role-based access control (RBAC) authorization enabled
+          - AKS enabled with Azure Active Directory (Azure AD) SAML-based single sign-on
+          - AKS enabled with Kubernetes RBAC authorization
+          - AKS configured with the cluster role binding clusterMonitoringUser
+          - [Azure Arc-enabled Kubernetes clusters](https://learn.microsoft.com/azure/azure-arc/kubernetes/overview)
+
+          See [Assign role permissions to a user or group](../aks/control-kubeconfig-access.md#assign-role-permissions-to-a-user-or-group) for details on how to assign these roles for AKS and [Access and identity options for Azure Kubernetes Service (AKS)](../aks/concepts-identity.md) to learn more about role assignments.
       - question: |
           What does "Other processes" represent under the Node view?
         answer: |