Merge branch 'main' of https://github.com/microsoftdocs/azure-docs-pr into 0912-bicep-purview

Author: mumian

.openpublishing.redirection.azure-monitor.json

@@ -515,6 +515,11 @@
             "source_path_from_root": "/articles/azure-monitor/containers/container-insights-transition-hybrid.md" ,
             "redirect_url": "/azure/azure-monitor/containers/container-insights-onboard",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/containers/container-insights-livedata-deployments.md" ,
+            "redirect_url": "/azure/azure-monitor/containers/container-insights-overview",
+            "redirect_document_id": false
         }
     ]
 }

articles/active-directory-domain-services/policy-reference.md

@@ -1,7 +1,7 @@
 ---
 title: Built-in policy definitions for Azure Active Directory Domain Services
 description: Lists Azure Policy built-in policy definitions for Azure Active Directory Domain Services. These built-in policy definitions provide common approaches to managing your Azure resources.
-ms.date: 08/16/2022
+ms.date: 09/12/2022
 ms.service: active-directory
 ms.subservice: domain-services
 author: justinha

articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md

@@ -133,6 +133,7 @@ Because the policy is applied to the Azure management portal and API, services,
 - SQL Managed Instance 
 - Azure Synapse 
 - Visual Studio subscriptions administrator portal 
+- [Microsoft IoT Central](https://apps.azureiotcentral.com/)
 
 > [!NOTE]
 > The Microsoft Azure Management application applies to [Azure PowerShell](/powershell/azure/what-is-azure-powershell), which calls the [Azure Resource Manager API](../../azure-resource-manager/management/overview.md). It does not apply to [Azure AD PowerShell](/powershell/azure/active-directory/overview), which calls the [Microsoft Graph API](/graph/overview).

articles/active-directory/conditional-access/concept-conditional-access-conditions.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 04/27/2022
+ms.date: 09/12/2022
 
 ms.author: joflore
 author: MicrosoftGuyJFlo

articles/active-directory/governance/workflows-faqs.md

@@ -31,12 +31,12 @@ Yes, key user properties like employeeHireDate and employeeType are supported fo
 
 ### How do I see more details and parameters of tasks and the attributes that are being updated? 
 
-Some tasks do update existing attributes; however, we don’t currently share those specific details. As these tasks are updating attributes related to other Azure AD features, so you can find that info in those docs. For temporary access pass, we’re writing to the appropriate attributes listed [here](/graph/api/temporaryaccesspassauthenticationmethod-post?view=graph-rest-beta&tabs=csharp#request-body). 
+Some tasks do update existing attributes; however, we don’t currently share those specific details. As these tasks are updating attributes related to other Azure AD features, so you can find that info in those docs. For temporary access pass, we’re writing to the appropriate attributes listed [here](/graph/api/resources/temporaryaccesspassauthenticationmethod). 
 
 ### Is it possible for me to create new tasks and how? For example, triggering other graph APIs/web hooks?
 
 We currently don’t support the ability to create new tasks outside of the set of tasks supported in the task templates. As an alternative, you may accomplish this by setting up a logic app and then creating a logic apps task in Lifecycle Workflows with the URL. For more information, see [Trigger Logic Apps based on custom task extensions (preview)](trigger-custom-task.md)
 
 ## Next steps
 
-- [What are Lifecycle workflows? (Preview)](what-are-lifecycle-workflows.md)
+- [What are Lifecycle workflows? (Preview)](what-are-lifecycle-workflows.md)

articles/active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles.md

@@ -10,7 +10,7 @@ ms.topic: how-to
 ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: pim
-ms.date: 08/24/2022
+ms.date: 09/12/2022
 ms.author: amsliu
 ms.reviewer: ilyal
 ms.custom: pim
@@ -160,6 +160,21 @@ Status code: 201
   "type": "Microsoft.Authorization/RoleAssignmentScheduleRequests" 
 } 
 ````
+## Activate a role with PowerShell
+
+There is also an option to activate Privileged Identity Management using PowerShell. You may find more details as documented in the article [PowerShell for Azure AD roles PIM](powershell-for-azure-ad-roles.md).
+
+The following is a sample script for how to activate Azure resource roles using PowerShell.
+
+```powershell
+$managementgroupID = "<management group ID" # Tenant Root Group
+$guid = (New-Guid)
+$startTime = Get-Date -Format o
+$userObjectID = "<user object ID"
+$RoleDefinitionID = "b24988ac-6180-42a0-ab88-20f7382dd24c" # Contributor
+$scope = "/providers/Microsoft.Management/managementGroups/$managementgroupID"
+New-AzRoleAssignmentScheduleRequest -Name $guid -Scope $scope -ExpirationDuration PT8H -ExpirationType AfterDuration -PrincipalId $userObjectID -RequestType SelfActivate -RoleDefinitionId /providersproviders/Microsoft.Management/managementGroups/$managementgroupID/providers/Microsoft.Authorization/roleDefinitions/$roledefinitionId -ScheduleInfoStartDateTime $startTime -Justification work
+```
 
 ## View the status of your requests
 

articles/active-directory/saas-apps/infor-cloudsuite-provisioning-tutorial.md

@@ -68,6 +68,14 @@ Before configuring and enabling automatic user provisioning, you should decide w
 5. To generate the bearer token, copy the **User Identifier** and **SCIM Password**. Paste them in notepad++ separated by a colon. Encode the string value by navigating to **Plugins > MIME Tools > Basic64 Encode**. 
 
 	:::image type="content" source="media/infor-cloudsuite-provisioning-tutorial/token.png" alt-text="Screenshot of a Notepad++ document. In the Plugins menu, MIME tools is highlighted. In the MIME tools menu, Base64 encode is highlighted." border="false":::
+	
+	To generate the bearer token using PowerShell instead of Notepad++, use the following commands:
+	 ```powershell
+    $Identifier = "<User Identifier>"
+	$SCIMPassword = "<SCIM Password>"
+	$bytes = [System.Text.Encoding]::UTF8.GetBytes($($Identifier):$($SCIMPassword))
+	[Convert]::ToBase64String($bytes)
+   	 ```
 
 3.	Copy the bearer token. This value will be entered in the Secret Token field in the Provisioning tab of your Infor CloudSuite application in the Azure portal.
 

articles/aks/certificate-rotation.md

@@ -3,15 +3,15 @@ title: Certificate Rotation in Azure Kubernetes Service (AKS)
 description: Learn certificate rotation in an Azure Kubernetes Service (AKS) cluster.
 services: container-service
 ms.topic: article
-ms.date: 5/10/2022
+ms.date: 09/12/2022
 ---
 
 # Certificate rotation in Azure Kubernetes Service (AKS)
 
-Azure Kubernetes Service (AKS) uses certificates for authentication with many of its components. If you have a RBAC-enabled cluster built after March 2022 it is enabled with certificate auto-rotation. Periodically, you may need to rotate those certificates for security or policy reasons. For example, you may have a policy to rotate all your certificates every 90 days.
+Azure Kubernetes Service (AKS) uses certificates for authentication with many of its components. If you have a RBAC-enabled cluster built after March 2022, it's enabled with certificate auto-rotation. Periodically, you may need to rotate those certificates for security or policy reasons. For example, you may have a policy to rotate all your certificates every 90 days.
 
 > [!NOTE]
-> Certificate auto-rotation will *only* be enabled by default for RBAC enabled AKS clusters. 
+> Certificate auto-rotation will *only* be enabled by default for RBAC enabled AKS clusters.
 
 This article shows you how certificate rotation works in your AKS cluster.
 
@@ -30,36 +30,41 @@ AKS generates and uses the following certificates, Certificate Authorities, and
 * Each node uses a Service Account (SA) token, which is signed by the Cluster CA.
 * The `kubectl` client has a certificate for communicating with the AKS cluster.
 
+Certificates mentioned above are maintained by Microsoft, except the cluster certificate, which you have to maintain.
+
 > [!NOTE]
 > AKS clusters created prior to May 2019 have certificates that expire after two years. Any cluster created after May 2019 or any cluster that has its certificates rotated have Cluster CA certificates that expire after 30 years. All other AKS certificates, which use the Cluster CA for signing, will expire after two years and are automatically rotated during an AKS version upgrade which happened after 8/1/2021. To verify when your cluster was created, use `kubectl get nodes` to see the *Age* of your node pools.
-> 
-> Additionally, you can check the expiration date of your cluster's certificate. For example, the following bash command displays the client certificate details for the *myAKSCluster* cluster in resource group *rg*
+>
+> Additionally, you can check the expiration date of your cluster's certificate. For example, the following bash command displays the client certificate details for the *myAKSCluster* cluster in resource group *rg*:
 > ```console
 > kubectl config view --raw -o jsonpath="{.users[?(@.name == 'clusterUser_rg_myAKSCluster')].user.client-certificate-data}" | base64 -d | openssl x509 -text | grep -A2 Validity
 > ```
 
-* Check expiration date of apiserver certificate
+To check expiration date of apiserver certificate, run the following command:
+
 ```console
 curl https://{apiserver-fqdn} -k -v 2>&1 |grep expire
 ```
 
-* Check expiration date of certificate on VMAS agent node
+To check the expiration date of certificate on VMAS agent node, run the following command:
+
 ```azurecli
 az vm run-command invoke -g MC_rg_myAKSCluster_region -n vm-name --command-id RunShellScript --query 'value[0].message' -otsv --scripts "openssl x509 -in /etc/kubernetes/certs/apiserver.crt -noout -enddate"
 ```
 
-* Check expiration date of certificate on one virtual machine scale set agent node
+To check expiration date of certificate on one virtual machine scale set agent node, run the following command:
+
 ```azurecli
 az vmss run-command invoke -g MC_rg_myAKSCluster_region -n vmss-name --instance-id 0 --command-id RunShellScript --query 'value[0].message' -otsv --scripts "openssl x509 -in /etc/kubernetes/certs/apiserver.crt -noout -enddate"
 ```
 
 ## Certificate Auto Rotation
 
-For AKS to automatically rotate non-CA certificates, the cluster must have [TLS Bootstrapping](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/) which has been enabled by default in all Azure regions. 
+For AKS to automatically rotate non-CA certificates, the cluster must have [TLS Bootstrapping](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/) which has been enabled by default in all Azure regions.
 
-> [!Note]
+> [!NOTE]
 > If you have an existing cluster you have to upgrade that cluster to enable Certificate Auto-Rotation.
-> Do not disable bootstrap to keep your auto-rotation enabled. 
+> Do not disable bootstrap to keep your auto-rotation enabled.
 
 For any AKS clusters created or upgraded after March 2022 Azure Kubernetes Service will automatically rotate non-CA certificates on both the control plane and agent nodes within 80% of the client certificate valid time, before they expire with no downtime for the cluster.
 
@@ -72,14 +77,14 @@ To verify if TLS Bootstrapping is enabled on your cluster browse to the followin
 
 To access agent nodes, see [Connect to Azure Kubernetes Service cluster nodes for maintenance or troubleshooting][aks-node-access] for more information.
 
-> [!Note]
+> [!NOTE]
 > The file path may change as Kubernetes version evolves in the future.
 
-Once a region is configured, create a new cluster or upgrade an existing cluster with `az aks upgrade` to set that cluster for auto-certificate rotation. A control plane and node pool upgrade is needed to enable this feature. 
+Once a region is configured, create a new cluster or upgrade an existing cluster with `az aks upgrade` to set that cluster for auto-certificate rotation. A control plane and node pool upgrade is needed to enable this feature.
 
 ```azurecli
 az aks upgrade -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME
-``` 
+```
 
 ### Limitation
 
@@ -105,35 +110,35 @@ az aks rotate-certs -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME
 > [!IMPORTANT]
 > It may take up to 30 minutes for `az aks rotate-certs` to complete. If the command fails before completing, use `az aks show` to verify the status of the cluster is *Certificate Rotating*. If the cluster is in a failed state, rerun `az aks rotate-certs` to rotate your certificates again.
 
-Verify that the old certificates are no longer valid by running a `kubectl` command. Since you have not updated the certificates used by `kubectl`, you will see an error.  For example:
+Verify that the old certificates aren't valid by running any `kubectl` command. If you haven't updated the certificates used by `kubectl`, you'll see an error similar to the following example:
 
 ```console
-$ kubectl get nodes
+kubectl get nodes
 Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "ca")
 ```
 
-Update the certificate used by `kubectl` by running `az aks get-credentials`.
+To update the certificate used by `kubectl`, run the [az aks get-credentials][az-aks-get-credentials] command:
 
 ```azurecli
 az aks get-credentials -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME --overwrite-existing
 ```
 
-Verify the certificates have been updated by running a `kubectl` command, which will now succeed. For example:
+To verify the certificates have been updated, run the following [kubectl get][kubectl-get] command:
 
 ```console
 kubectl get nodes
 ```
 
 > [!NOTE]
-> If you have any services that run on top of AKS, you may need to update certificates related to those services as well.
+> If you have any services that run on top of AKS, you might need to update their certificates.
 
 ## Next steps
 
 This article showed you how to automatically rotate your cluster's certificates, CAs, and SAs. You can see [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)][aks-best-practices-security-upgrades] for more information on AKS security best practices.
 
-
 [azure-cli-install]: /cli/azure/install-azure-cli
 [az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get
 [az-extension-add]: /cli/azure/extension#az_extension_add
 [az-extension-update]: /cli/azure/extension#az_extension_update
 [aks-best-practices-security-upgrades]: operator-best-practices-cluster-security.md

articles/aks/policy-reference.md

@@ -1,7 +1,7 @@
 ---
 title: Built-in policy definitions for Azure Kubernetes Service
 description: Lists Azure Policy built-in policy definitions for Azure Kubernetes Service. These built-in policy definitions provide common approaches to managing your Azure resources.
-ms.date: 08/16/2022
+ms.date: 09/12/2022
 ms.topic: reference
 ms.custom: subject-policy-reference
 ---

articles/aks/security-controls-policy.md

@@ -1,7 +1,7 @@
 ---
 title: Azure Policy Regulatory Compliance controls for Azure Kubernetes Service (AKS)
 description: Lists Azure Policy Regulatory Compliance controls available for Azure Kubernetes Service (AKS). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources.
-ms.date: 08/17/2022
+ms.date: 09/12/2022
 ms.topic: sample
 ms.service: container-service
 ms.custom: subject-policy-compliancecontrols