Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Learn Build Service GitHub App

articles/active-directory/manage-apps/v2-howto-app-gallery-listing.md

@@ -30,6 +30,7 @@ To publish your application in the gallery, you must first read and agree to spe
 - Implement support for *single sign-on* (SSO). To learn more about supported options, see [Plan a single sign-on deployment](plan-sso-deployment.md).
     - For password SSO, make sure that your application supports form authentication so that password vaulting can be used.
 	- For federated applications (OpenID and SAML/WS-Fed), the application must support the [software-as-a-service (SaaS) model](https://azure.microsoft.com/overview/what-is-saas/). Enterprise gallery applications must support multiple user configurations and not any specific user.
+	- For federated applications (OpenID and SAML/WS-Fed), the application can be single **or** multitenanted
 	- For Open ID Connect, the application must be multitenanted and the [Azure AD consent framework](../develop/consent-framework.md) must be correctly implemented.
 - Provisioning is optional yet highly recommended. To learn more about Azure AD SCIM, see [build a SCIM endpoint and configure user provisioning with Azure AD](../app-provisioning/use-scim-to-provision-users-and-groups.md).
 

articles/aks/azure-cni-overlay.md

@@ -7,7 +7,7 @@ ms.service: azure-kubernetes-service
 ms.subservice: aks-networking
 ms.topic: how-to
 ms.custom: references_regions
-ms.date: 02/03/2023
+ms.date: 02/07/2023
 ---
 
 # Configure Azure CNI Overlay networking in Azure Kubernetes Service (AKS)
@@ -17,12 +17,12 @@ The traditional [Azure Container Networking Interface (CNI)](./configure-azure-c
 With Azure CNI Overlay, the cluster nodes are deployed into an Azure Virtual Network (VNet) subnet, whereas pods are assigned IP addresses from a private CIDR logically different from the VNet hosting the nodes. Pod and node traffic within the cluster use an overlay network, and Network Address Translation (using the node's IP address) is used to reach resources outside the cluster. This solution saves a significant amount of VNet IP addresses and enables you to seamlessly scale your cluster to very large sizes. An added advantage is that the private CIDR can be reused in different AKS clusters, truly extending the IP space available for containerized applications in AKS.
 
 > [!NOTE]
-> Azure CNI Overlay is currently available only in the following regions:
-> - North Central US
-> - West Central US
-> - East US
-> - UK South
-> - Australia East
+> Azure CNI Overlay is currently **_unavailable_** in the following regions:
+> - East US 2
+> - South Central US
+> - West US
+> - West US 2
+
 
 ## Overview of overlay networking
 
@@ -42,13 +42,13 @@ Ingress connectivity to the cluster can be achieved using an ingress controller
 
 Like Azure CNI Overlay, Kubenet assigns IP addresses to pods from an address space logically different from the VNet but has scaling and other limitations. The below table provides a detailed comparison between Kubenet and Azure CNI Overlay. If you do not want to assign VNet IP addresses to pods due to IP shortage, then Azure CNI Overlay is the recommended solution.
 
-| Area | Azure CNI Overlay | Kubenet |
-| -- | -- | -- |
-| Cluster scale | 1000 nodes and 250 pods/node | 400 nodes and 250 pods/node |
-| Network configuration | Simple - no additional configuration required for pod networking | Complex - requires route tables and UDRs on cluster subnet for pod networking |
-| Pod connectivity performance | Performance on par with VMs in a VNet | Additional hop adds minor latency |
-| Kubernetes Network Policies | Azure Network Policies, Calico | Calico |
-| OS platforms supported | Linux and Windows | Linux only |
+| Area                         | Azure CNI Overlay                                                | Kubenet                                                                       |
+|------------------------------|------------------------------------------------------------------|-------------------------------------------------------------------------------|
+| Cluster scale                | 1000 nodes and 250 pods/node                                     | 400 nodes and 250 pods/node                                                   |
+| Network configuration        | Simple - no additional configuration required for pod networking | Complex - requires route tables and UDRs on cluster subnet for pod networking |
+| Pod connectivity performance | Performance on par with VMs in a VNet                            | Additional hop adds minor latency                                             |
+| Kubernetes Network Policies  | Azure Network Policies, Calico                                   | Calico                                                                        |
+| OS platforms supported       | Linux and Windows                                                | Linux only                                                                    |
 
 ## IP address planning
 

articles/applied-ai-services/form-recognizer/faq.yml

@@ -7,7 +7,7 @@ metadata:
   ms.service: applied-ai-services
   ms.subservice: forms-recognizer
   ms.topic: faq
-  ms.date: 10/20/2022
+  ms.date: 02/07/2023
   ms.author: lajanuar
   monikerRange: '>=form-recog-2.1.0'
   recommendations: false
@@ -386,7 +386,7 @@ sections:
       - question: |
             How can I move my trained models from one environment (like beta) to another (like production)?
         answer: |
-            The Copy API enables this scenario by allowing you to copy custom models from one Form Recognizer account or into others, which can exist in any supported geographical region. Follow [this document](disaster-recovery.md) for detailed instructions. The copy operation is limited to copying models within the specific cloud environment the model was trained in. For instance, copying models from the public cloud to the Azure Government clod isn't supported.
+            The Copy API enables this scenario by allowing you to copy custom models from one Form Recognizer account or into others, which can exist in any supported geographical region. Follow [this document](disaster-recovery.md) for detailed instructions. The copy operation is limited to copying models within the specific cloud environment the model was trained in. For instance, copying models from the public cloud to the Azure Government cloud isn't supported.
 
   - name: Storage account
     questions:

articles/azure-app-configuration/pull-key-value-devops-pipeline.md

@@ -19,7 +19,7 @@ The [Azure App Configuration](https://marketplace.visualstudio.com/items?itemNam
 - App Configuration store - create one for free in the [Azure portal](https://portal.azure.com).
 - Azure DevOps project - [create one for free](https://go.microsoft.com/fwlink/?LinkId=2014881)
 - Azure App Configuration task - download for free from the [Visual Studio Marketplace](https://marketplace.visualstudio.com/items?itemName=AzureAppConfiguration.azure-app-configuration-task#:~:text=Navigate%20to%20the%20Tasks%20tab,the%20Azure%20App%20Configuration%20instance.). 
-- [Node 10](https://nodejs.org/en/blog/release/v10.21.0/) - for users running the task on self-hosted agents. 
+- [Node 16](https://nodejs.org/en/blog/release/v16.16.0/) - for users running the task on self-hosted agents. 
 
 ## Create a service connection
 

articles/azure-app-configuration/push-kv-devops-pipeline.md

@@ -19,7 +19,7 @@ The [Azure App Configuration Push](https://marketplace.visualstudio.com/items?it
 - App Configuration resource - create one for free in the [Azure portal](https://portal.azure.com).
 - Azure DevOps project - [create one for free](https://go.microsoft.com/fwlink/?LinkId=2014881)
 - Azure App Configuration Push task - download for free from the [Visual Studio Marketplace](https://marketplace.visualstudio.com/items?itemName=AzureAppConfiguration.azure-app-configuration-task-push).
-- [Node 10](https://nodejs.org/en/blog/release/v10.21.0/) - for users running the task on self-hosted agents.
+- [Node 16](https://nodejs.org/en/blog/release/v16.16.0/) - for users running the task on self-hosted agents.
 
 ## Create a service connection
 

articles/azure-arc/resource-bridge/overview.md

@@ -84,7 +84,9 @@ If you are deploying on Azure Stack HCI, the x32 Azure CLI installer can be used
 
 ### Supported regions
 
-Arc resource bridge currently supports the following Azure regions:
+In order to use Arc resource bridge in a region, Arc resource bridge and the private cloud product must be supported in the region. For example, to use Arc resource bridge with Azure Stack HCI in East US, Arc resource bridge and Azure Stack HCI must be supported in East US. Please check with the private cloud product for their region availability - it is typically called out in their deployment instructions of Arc resource bridge. There are instances where Arc Resource Bridge may be available in a region where private cloud support is not yet available.
+
+Arc resource bridge supports the following Azure regions:
 
 * East US
 * West Europe

articles/azure-fluid-relay/how-tos/azure-function-token-provider.md

@@ -4,7 +4,7 @@ description: How to write a custom token provider as an Azure Function and deplo
 services: azure-fluid
 author: hickeys
 ms.author: hickeys
-ms.date: 10/05/2021
+ms.date: 02/05/2023
 ms.topic: article
 ms.service: azure-fluid
 fluid.url: https://fluidframework.com/docs/build/tokenproviders/
@@ -30,7 +30,7 @@ The complete solution has two pieces:
 
 ### Create an endpoint for your TokenProvider using Azure Functions
 
-Using [Azure Functions](../../azure-functions/functions-overview.md) is a fast way to create such an HTTPS endpoint. The example below implements that pattern in a class called [AzureFunctionTokenProvider](https://fluidframework.com/docs/apis/azure-client/azurefunctiontokenprovider-class). It accepts the URL to your Azure Function, `userId` and`userName`. 
+Using [Azure Functions](../../azure-functions/functions-overview.md) is a fast way to create such an HTTPS endpoint.
 
 This example demonstrates how to create your own **HTTPTrigger Azure Function** that fetches the token by passing in your tenant key.
 
@@ -98,7 +98,7 @@ TokenProviders can be implemented in many ways, but must implement two separate
 
 To ensure that the tenant secret key is kept secure, it's stored in a secure backend location and is only accessible from within the Azure Function. To retrieve tokens, you need to make a `GET` or `POST` request to your deployed Azure Function, providing the `tenantID` and `documentId`, and `userID`/`userName`. The Azure Function is responsible for the mapping between the tenant ID and a tenant key secret to appropriately generate and sign the token.
 
-This example implementation below uses the [axios](https://www.npmjs.com/package/axios) library to make HTTP requests. You can use other libraries or approaches to making an HTTP request from server code.
+The example implementation below handles making these requests to your Azure Function. It uses the [axios](https://www.npmjs.com/package/axios) library to make HTTP requests. You can use other libraries or approaches to making an HTTP request from server code.
 
 ```typescript
 import { ITokenProvider, ITokenResponse } from "@fluidframework/routerlicious-driver";
@@ -146,6 +146,19 @@ export class AzureFunctionTokenProvider implements ITokenProvider {
     }
 }
 ```
+
+### Add efficiency and error handling
+
+The `AzureFunctionTokenProvider` is a simple implementation of `TokenProvider` which should be treated as a starting point when implementing your own custom token provider. For the implementation of a production-ready token provider, you should consider various failure scenarios which the token provider needs to handle. For example, the `AzureFunctionTokenProvider` implementation fails to handle network disconnect situations because it doesn't cache the token on the client side. 
+
+When the container disconnects, the connection manager attempts to get a new token from the TokenProvider before reconnecting to the container. While the network is disconnected, the API get request made in `fetchOrdererToken` will fail and throw a non-retryable error. This in turn leads to the container being disposed and not being able to reconnect even if a network connection is re-established. 
+
+A potential solution for this disconnect issue is to cache valid tokens in [Window.localStorage](https://developer.mozilla.org/docs/Web/API/Window/localStorage). With token-caching the container will retrieve a valid stored token instead of making an API get request while the network is disconnected. Note that a locally stored token could expire after a certain period of time and you would still need to make an API request to get a new valid token. In this case, additional error handling and retry logic would be required to prevent the container from disposing after a single failed attempt. 
+
+How you choose to implement these improvements is completely up to you and the requirements of your application. Note that with the `localStorage` token solution, you'll also see performance improvements in your application because you're removing a network request on each `getContainer` call. 
+
+Token-caching with something like `localStorage` may come with security implications, and it is up to your discretion when deciding what solution is appropriate for your application. Whether or not you implement token-caching, you should add error-handling and retry logic in `fetchOrdererToken` and `fetchStorageToken` so that the container isn't disposed after a single failed call. Consider, for example, wrapping the call of `getToken` in a `try` block with a `catch` block that retries and throws an error only after a specified number of retries.
+
 ## See also
 
 - [Add custom data to an auth token](connect-fluid-azure-service.md#adding-custom-data-to-tokens)

articles/azure-fluid-relay/quickstarts/quickstart-dice-roll.md

@@ -27,7 +27,7 @@ You'll also need the following software installed on your computer.
 
 ## Getting Started Locally
 
-First, you'll need to download the sample app from GitHub. Open a new command window and navigate to the folder where you'd like to download the code and use Git to clone the [FluidHelloWorld repo](https://github.com/microsoft/FluidHelloWorld). The cloning process will create a subfolder named FluidHelloWorld with the project files in it.
+First, you'll need to download the sample app from GitHub. Open a new command window and navigate to the folder where you'd like to download the code and use Git to clone the [FluidHelloWorld repo](https://github.com/microsoft/FluidHelloWorld/tree/main-azure) and check out the `main-azure` branch. The cloning process will create a subfolder named FluidHelloWorld with the project files in it.
 
 ```cli
 git clone -b main-azure https://github.com/microsoft/FluidHelloWorld.git

articles/azure-monitor/alerts/alerts-manage-alert-instances.md

@@ -43,12 +43,11 @@ We recommend that you use [Azure Resource Graph](https://portal.azure.com/?featu
 
 You can use Resource Graph:
  - With [Azure PowerShell](/powershell/module/az.monitor/).
- - With the [Azure CLI](/cli/azure/monitor?view=azure-cli-latest&preserve-view=true).
  - In the Azure portal.
 
 You can also use the [Alert Management REST API](/rest/api/monitor/alertsmanagement/alerts) for lower-scale querying or to update fired alerts.
 
 ## Next steps
 
 - [Learn about Azure Monitor alerts](./alerts-overview.md)
-- [Create a new alert rule](alerts-log.md)
+- [Create a new alert rule](alerts-log.md)

articles/azure-vmware/concepts-networking.md

@@ -3,7 +3,7 @@ title: Concepts - Network interconnectivity
 description: Learn about key aspects and use cases of networking and interconnectivity in Azure VMware Solution.
 ms.topic: conceptual
 ms.service: azure-vmware
-ms.date: 2/4/2023
+ms.date: 2/7/2023
 ms.custom: engagement-fy23
 ---
 
@@ -41,7 +41,8 @@ The diagram below shows the basic network interconnectivity established at the t
 - Outbound access from VMs on the private cloud to Azure services.
 - Inbound access of workloads running in the private cloud.
 
-When connecting **production** Azure VMware Solution private clouds to an Azure virtual network, an ExpressRoute virtual network gateway with the Ultra Performance Gateway SKU should be used with FastPath enabled to achieve 10Gbps connectivity. Less critical environments can use the Standard or High Performance Gateway SKUs for slower network performance.
+> [!IMPORTANT]
+> When connecting **production** Azure VMware Solution private clouds to an Azure virtual network, an ExpressRoute virtual network gateway with the Ultra Performance Gateway SKU should be used with FastPath enabled to achieve 10Gbps connectivity. Less critical environments can use the Standard or High Performance Gateway SKUs for slower network performance.
 
 :::image type="content" source="media/concepts/adjacency-overview-drawing-single.png" alt-text="Diagram showing the basic network interconnectivity established at the time of an Azure VMware Solution private cloud deployment." border="false":::