Merge branch 'main' into release-cleanup-scopedrootincludes

Author: v-alje

articles/ai-services/openai/concepts/models.md

@@ -4,7 +4,7 @@ titleSuffix: Azure OpenAI
 description: Learn about the different model capabilities that are available with Azure OpenAI.
 ms.service: azure-ai-openai
 ms.topic: conceptual
-ms.date: 06/19/2024
+ms.date: 06/25/2024
 ms.custom: references_regions, build-2023, build-2023-dataai, refefences_regions
 manager: nitinme
 author: mrbullwinkle #ChrisHMSFT
@@ -297,18 +297,18 @@ The following Embeddings models are available with [Azure Government](/azure/azu
 
 For Assistants you need a combination of a supported model, and a supported region. Certain tools and capabilities require the latest models. The following models are available in the Assistants API, SDK, Azure AI Studio and Azure OpenAI Studio. The following table is for pay-as-you-go. For information on Provisioned Throughput Unit (PTU) availability, see [provisioned throughput](./provisioned-throughput.md). 
 
-| Region | `gpt-35-turbo (0613)` | `gpt-35-turbo (1106)`| `fine tuned gpt-3.5-turbo-0125` | `gpt-4 (0613)` | `gpt-4 (1106)` | `gpt-4 (0125)` |
-|-----|---|---|---|---|---|---|
-| Australia East | ✅ | ✅ | | ✅ |✅ | |
-| East US  | ✅ | | | | | ✅ |
-| East US 2 | ✅ |  | ✅ | ✅ |✅ | |
-| France Central  | ✅ | ✅ | | ✅ |✅ |  |
-| Japan East | ✅ |  | | | | | 
-| Norway East | |  | | | ✅ |  |
-| Sweden Central  | ✅ |✅ | ✅ |✅ |✅| |
-| UK South | ✅  | ✅ | | | ✅ | ✅ |  
-| West US |  | ✅ | | | ✅ | | 
-| West US 3 |  |  | | |✅ | | 
+| Region | `gpt-35-turbo (0613)` | `gpt-35-turbo (1106)`| `fine tuned gpt-3.5-turbo-0125` | `gpt-4 (0613)` | `gpt-4 (1106)` | `gpt-4 (0125)` | `gpt-4o (2024-05-13)` |
+|-----|:---:|:---:|:---:|:---:|:---:|:---:|:---:|
+| Australia East | ✅ | ✅ | | ✅ |✅ | | |
+| East US  | ✅ | | | | | ✅ | ✅ |
+| East US 2 | ✅ |  | ✅ | ✅ |✅ | |✅|
+| France Central  | ✅ | ✅ | | ✅ |✅ |  | |
+| Japan East | ✅ |  | | | | | |
+| Norway East | |  | | | ✅ |  | |
+| Sweden Central | ✅ |✅ | ✅ |✅ |✅| |✅|
+| UK South | ✅  | ✅ | | | ✅ | ✅ |  |
+| West US |  | ✅ | | | ✅ | |✅|
+| West US 3 |  |  | | |✅ | |✅|
 
 ## Model retirement
 

articles/ai-services/speech-service/includes/cognitive-services-speech-service-rest-auth.md

@@ -13,13 +13,15 @@ Each request requires an authorization header. This table illustrates which head
 | `Ocp-Apim-Subscription-Key` | Yes | Yes |
 | `Authorization: Bearer` | Yes | Yes |
 
-When you're using the `Ocp-Apim-Subscription-Key` header, you're only required to provide your resource key. For example:
+When you're using the `Ocp-Apim-Subscription-Key` header, only your resource key must be provided. For example:
 
 ```http
 'Ocp-Apim-Subscription-Key': 'YOUR_SUBSCRIPTION_KEY'
 ```
 
-When you're using the `Authorization: Bearer` header, you're required to make a request to the `issueToken` endpoint. In this request, you exchange your resource key for an access token that's valid for 10 minutes.
+When you're using the `Authorization: Bearer` header, you need to make a request to the `issueToken` endpoint. In this request, you exchange your resource key for an access token that's valid for 10 minutes.
+
+Another option is to use Microsoft Entra authentication that also uses the `Authorization: Bearer` header, but with a token issued via Microsoft Entra ID. See [Use Microsoft Entra authentication](#use-microsoft-entra-authentication).
 
 ### How to get an access token
 
@@ -154,3 +156,42 @@ Connection: Keep-Alive
 
 // Message body here...
 ```
+
+### Use Microsoft Entra authentication
+
+To use Microsoft Entra authentication with the Speech to text REST API for short audio, you need to create an access token.
+The steps to obtain the access token consisting of Resource ID and  Microsoft Entra access token are the same as when using the Speech SDK.
+Follow the steps here [Use Microsoft Entra authentication](../how-to-configure-azure-ad-auth.md)
+
+> [!div class="checklist"]
+>
+> - Create a Speech resource
+> - Configure the Speech resource for Microsoft Entra authentication
+> - Get a Microsoft Entra access token
+> - Get the Speech resource ID
+
+After the resource ID and the Microsoft Entra access token were obtained, the actual access token can be constructed following this format:
+```http
+"aad#YOUR_RESOURCE_ID#YOUR_MICROSOFT_ENTRA_ACCESS_TOKEN";
+```
+You need to include the "aad#" prefix and the "#" (hash) separator between resource ID and the access token.
+
+Here's a sample HTTP request to the Speech to text REST API for short audio:
+
+```http
+POST /cognitiveservices/v1 HTTP/1.1
+Authorization: Bearer YOUR_ACCESS_TOKEN
+Host: westus.stt.speech.microsoft.com
+Content-type: application/ssml+xml
+Content-Length: 199
+Connection: Keep-Alive
+
+// Message body here...
+```
+
+To learn more about Microsoft Entra access tokens, including token lifetime, visit [Access tokens in the Microsoft identity platform](/azure/active-directory/develop/access-tokens).
+
+
+
+
+

articles/aks/long-term-support.md

@@ -127,9 +127,6 @@ To carry out an in-place upgrade to the latest LTS version, you need to specify
 ```azurecli
 az aks upgrade --resource-group myResourceGroup --name myAKSCluster --kubernetes-version 1.32.2
 ```
-> [!NOTE]
->If you use any programming/scripting logic to list and select a minor version of Kubernetes before creating clusters with the `ListKubernetesVersions` API, note that starting from Kubernetes v1.27, the API returns `SupportPlan` as `[KubernetesOfficial, AKSLongTermSupport]`. Please ensure you update any logic to exclude `AKSLongTermSupport` versions to avoid any breaks and choose `KubernetesOfficial` support plan versions.  Otherwise, if LTS is indeed your path forward please first opt-into the Premium tier and the `AKSLongTermSupport` support plan versions from the `ListKubernetesVersions` API before creating clusters.
-
 > [!NOTE]
 > The next Long Term Support Version after 1.27 is to be determined. However Customers will get a minimum 6 months of overlap between 1.27 LTS and the next LTS version to plan upgrades.  
 > Kubernetes 1.32.2 is used as an example version in this article. Check the [AKS release tracker](release-tracker.md) for available Kubernetes releases.

articles/aks/use-kms-etcd-encryption.md

@@ -4,7 +4,7 @@ description: Learn how to use Key Management Service (KMS) etcd encryption with
 ms.topic: article
 ms.subservice: aks-security
 ms.custom: devx-track-azurecli
-ms.date: 06/19/2024
+ms.date: 06/26/2024
 ---
 
 # Add Key Management Service etcd encryption to an Azure Kubernetes Service cluster
@@ -191,7 +191,7 @@ After you change the key ID (including changing either the key name or the key v
 > [!WARNING]
 > Remember to update all secrets after key rotation. If you don't update all secrets, the secrets are inaccessible if the keys that were created earlier don't exist or no longer work.
 >
-> After you rotate the key, the previous key (key1) is still cached and shouldn't be deleted. If you want to delete the previous key (key1) immediately, you need to rotate the key twice. Then key2 and key3 are cached, and key1 can be deleted without affecting the existing cluster.
+> KMS uses 2 keys at the same time. After the first key rotation, you need to ensure both the old and new keys are valid (not expired) until the next key rotation. After the second key rotation, the oldest key can be safely removed/expired
 
 ```azurecli-interactive
 az aks update --name myAKSCluster --resource-group MyResourceGroup  --enable-azure-keyvault-kms --azure-keyvault-kms-key-vault-network-access "Public" --azure-keyvault-kms-key-id $NEW_KEY_ID 

articles/app-service/environment/side-by-side-migrate.md

@@ -4,7 +4,7 @@ description: Learn how to migrate your App Service Environment v2 to App Service
 author: seligj95
 ms.topic: tutorial
 ms.custom: devx-track-azurecli, references_regions
-ms.date: 6/13/2024
+ms.date: 6/26/2024
 ms.author: jordanselig
 ---
 # Migration to App Service Environment v3 using the side-by-side migration feature
@@ -20,7 +20,9 @@ App Service can automate migration of your App Service Environment v1 and v2 to
 The side-by-side migration feature automates your migration to App Service Environment v3. The side-by-side migration feature creates a new App Service Environment v3 with all of your apps in a different subnet. Your existing App Service Environment isn't deleted until you initiate its deletion at the end of the migration process. Because of this process, there's a rollback option if you need to cancel your migration. This migration option is best for customers who want to migrate to App Service Environment v3 with zero downtime and can support using a different subnet for their new environment. If you need to use the same subnet and can support about one hour of application downtime, see the [in-place migration feature](migrate.md). For manual migration options that allow you to migrate at your own pace, see [manual migration options](migration-alternatives.md).
 
 > [!IMPORTANT]
-> It is recommended to use this feature for dev environments first before migrating any production environments to ensure there are no unexpected issues. Please provide any feedback related to this article or the feature using the buttons at the bottom of the page.
+> If you fail to complete all steps described in this tutorial, you'll experience downtime. For example, if you don't update all dependent resources with the new IP addresses or you don't allow access to/from your new subnet, such as the case for your custom domain suffix key vault, you'll experience downtime until that's addressed.
+> 
+> It's recommended to use this feature for dev environments first before migrating any production environments to rehearse the process and ensure there are no unexpected issues. Please provide any feedback related to this article or the feature using the buttons at the bottom of the page.
 >
 
 ## Supported scenarios
@@ -327,7 +329,7 @@ For related commands to check if your subscription or resource group has locks,
 If your existing App Service Environment uses a custom domain suffix, you need to [configure one for your new App Service Environment v3 resource during the migration process](#add-a-custom-domain-suffix-optional). Migration fails if you don't configure a custom domain suffix and are using one currently. For more information on App Service Environment v3 custom domain suffixes, including requirements, step-by-step instructions, and best practices, see [Custom domain suffix for App Service Environments](./how-to-custom-domain-suffix.md).
 
 > [!NOTE]
-> If you're configuring a custom domain suffix, when you're adding the network permissions on your Azure key vault, be sure that your key vault allows access from your App Service Environment v3's new subnet. If you're accessing your key vault using a private endpoint, ensure you've configured private access correctly with the new subnet.
+> If you're configuring a custom domain suffix, when you're adding the network permissions on your Azure key vault, be sure that your key vault allows access from your App Service Environment v3's new subnet. If you're accessing your key vault using a private endpoint, ensure you've configured private access correctly with the new subnet. You experience downtime if you fail to correctly set this access prior to migration.
 >
 
 You can make your new App Service Environment v3 zone redundant if your existing environment is in a [region that supports zone redundancy](./overview.md#regions). Zone redundancy can be configured by setting the `zoneRedundant` property to `true`. Zone redundancy is an optional configuration. This configuration can only be set during the creation of your new App Service Environment v3 and can't be removed at a later time.

articles/automation/quickstarts/dsc-configuration.md

@@ -14,6 +14,9 @@ ms.custom: mvc, mode-other
 > [!CAUTION]
 > This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the [CentOS End Of Life guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).
 
+> [!NOTE]
+> Before you enable Azure Automation DSC, we would like you to know that a newer version of DSC is now generally available, managed by a feature of Azure Policy named [Azure Machine Configuration](../../governance/machine-configuration/overview.md). The Azure Machine Configuration service combines features of DSC Extension, Azure Automation State Configuration, and the most commonly requested features from customer feedback. Azure Machine Configuration also includes hybrid machine support through [Arc-enabled servers](../../azure-arc/servers/overview.md).
+
 By enabling Azure Automation State Configuration, you can manage and monitor the configurations of your Windows and Linux servers using Desired State Configuration (DSC). Configurations that drift from a desired configuration can be identified or auto-corrected. This quickstart steps through enabling an Azure Linux VM and deploying a LAMP stack using Azure Automation State Configuration.
 
 ## Prerequisites

articles/azure-arc/kubernetes/extensions-release.md

@@ -116,7 +116,18 @@ For more information, see [Tutorial: Deploy applications using GitOps with Flux
 The most recent version of the Flux v2 extension and the two previous versions (N-2) are supported. We generally recommend that you use the most recent version of the extension.
 
 > [!IMPORTANT]
-> Eventually, a major version update (v2.x.x) for the `microsoft.flux` extension will be released. When this happens, clusters won't be auto-upgraded to this version, since [auto-upgrade is only supported for minor version releases](extensions.md#upgrade-extension-instance). If you're still using an older API version when the next major version is released, you'll need to update your manifests to the latest API versions, perform any necessary testing, then upgrade your extension manually. For more information about the new API versions (breaking changes) and how to update your manifests, see the [Flux v2 release notes](https://github.com/fluxcd/flux2/releases/tag/v2.0.0).
+> The [Flux v2.3.0 release](https://fluxcd.io/blog/2024/05/flux-v2.3.0/) includes API changes to the HelmRelease and HelmChart APIs, with deprecated fields removed. An upcoming minor version update of Microsoft's Flux extension will include these changes, consistent with the upstream OSS Flux project.
+>
+> The [HelmRelease](https://fluxcd.io/flux/components/helm/helmreleases/) kind will be promoted from `v2beta1` to `v2` (GA). The `v2` API is backwards compatible with `v2beta1`, with the exception of these deprecated fields, which will be removed:
+>
+> - `.spec.chart.spec.valuesFile`: replaced by `.spec.chart.spec.valuesFiles`
+> - `.spec.postRenderers.kustomize.patchesJson6902`: replaced by `.spec.postRenderers.kustomize.patches`
+> - `.spec.postRenderers.kustomize.patchesStrategicMerge`: replaced by `.spec.postRenderers.kustomize.patches`
+> - `.status.lastAppliedRevision`: replaced by `.status.history.chartVersion`
+>
+> The [HelmChart](https://fluxcd.io/flux/components/source/helmcharts/) kind will be promoted from `v1beta2` to `v1` (GA). The `v1` API is backwards compatible with `v1beta2`, with the exception of the `.spec.valuesFile` field, which will be replaced by `.spec.valuesFiles`.
+>
+> To avoid issues due to breaking changes, we recommend updating your deployments by July 22, 2024, so that they stop using the fields that will be removed and use the replacement fields instead. These new fields are already available in the current version of the APIs.
 
 > [!NOTE]
 > When a new version of the `microsoft.flux` extension is released, it may take several days for the new version to become available in all regions.

articles/azure-arc/servers/prepare-extended-security-updates.md

@@ -39,10 +39,7 @@ Other Azure services through Azure Arc-enabled servers are available as well, wi
 
 * [Microsoft Defender for Cloud](../../defender-for-cloud/defender-for-cloud-introduction.md) - As part of the cloud security posture management (CSPM) pillar, it provides server protections through [Microsoft Defender for Servers](../../defender-for-cloud/plan-defender-for-servers.md) to help protect you from various cyber threats and vulnerabilities.
 * [Microsoft Sentinel](scenario-onboard-azure-sentinel.md) - Collect security-related events and correlate them with other data sources.
-
-    >[!NOTE]
-    >Activation of ESU is planned for the third quarter of 2023. Using Azure services such as Azure Update Manager and Azure Policy to support managing ESU-eligible Windows Server 2012/2012 R2 machines are also planned for the third quarter.
-
+   
 ## Prepare delivery of ESUs
 
 Plan and prepare to onboard your machines to Azure Arc-enabled servers through the installation of the [Azure Connected Machine agent](agent-overview.md) (version 1.34 or higher) to establish a connection to Azure. Windows Server 2012 Extended Security Updates supports Windows Server 2012 and R2 Standard and Datacenter editions. Windows Server 2012 Storage is not supported.

articles/azure-monitor/alerts/alerts-types.md

@@ -133,7 +133,7 @@ Log search alerts can measure two different things, which can be used for differ
 - **Table rows**: The number of rows returned can be used to work with events such as Windows event logs, Syslog, and application exceptions.
 - **Calculation of a numeric column**: Calculations based on any numeric column can be used to include any number of resources. An example is CPU percentage.
 
-You can configure if log search alerts are [stateful or stateless](alerts-overview.md#alerts-and-state). This feature is currently in preview. 
+You can configure if log search alerts are [stateful or stateless](alerts-overview.md#alerts-and-state).  
 Note that stateful log search alerts have these limitations:
 - they can trigger up to 300 alerts per evaluation.
 - you can have a maximum of 5000 alerts with the `fired` alert condition.

articles/azure-monitor/app/opentelemetry-enable.md

@@ -218,7 +218,7 @@ Point the Java virtual machine (JVM) to the jar file by adding `-javaagent:"path
 > If you develop a Spring Boot application, you can optionally replace the JVM argument by a programmatic configuration. For more information, see [Using Azure Monitor Application Insights with Spring Boot](./java-spring-boot.md).
 
 
-##### [Java-Native](#tab/java-native)
+##### [Java Native](#tab/java-native)
 
 Several automatic instrumentations are enabled through configuration changes; no code changes are required