Merge pull request #222279 from MicrosoftDocs/main

12/22 PM Publish

Author: huypub

articles/active-directory/fundamentals/security-operations-infrastructure.md

@@ -212,7 +212,7 @@ For information on what and how to monitor configuration information refer to:
 | What to monitor| Risk level| Where| Filter/sub-filter| Notes |
 | - | - | - | - | - |
 | Scheduler changes|High | PowerShell| Set-ADSyncScheduler| Look for modifications to schedule |
-| Changes to scheduled tasks| High | Azure AD Audit logs| Activity = 4699(S): A scheduled task was deleted<br>-or-<br>Activity = 4701(s): A scheduled task was disabled<br>-or-<br>Activity = 4701(s): A scheduled task was updated| Monitor all |
+| Changes to scheduled tasks| High | Azure AD Audit logs| Activity = 4699(S): A scheduled task was deleted<br>-or-<br>Activity = 4701(s): A scheduled task was disabled<br>-or-<br>Activity = 4702(s): A scheduled task was updated| Monitor all |
 
 * For more information on logging PowerShell script operations, see [Enabling Script Block Logging](/powershell/module/microsoft.powershell.core/about/about_logging_windows), which is part of the PowerShell reference documentation.
 

articles/active-directory/standards/configure-cmmc-level-1-controls.md

@@ -48,7 +48,7 @@ The following table provides a list of control IDs and associated customer respo
 | *Control* | *Guidance* |
 | - | - |
 | IA.L1-3.5.1 | Azure AD uniquely identifies users, processes (service principal/workload identities), and devices via the ID property on the respective directory objects. You can filter log files to help with your assessment using the following links. Use the following reference to meet assessment objectives.<br><br>Filtering logs by user properties<li>[User resource type: ID Property](/graph/api/resources/user?view=graph-rest-1.0&preserve-view=true)<br><br>Filtering logs by service properties<li>[ServicePrincipal resource type: ID Property](/graph/api/resources/serviceprincipal?view=graph-rest-1.0&preserve-view=true)<br><br>Filtering logs by device properties<li>[Device resource type: ID Property](/graph/api/resources/device?view=graph-rest-1.0&preserve-view=true) |
-IA.L1-3.5.2 | Azure AD uniquely authenticates or verifies each user, process acting on behalf of user, or device as a prerequisite to system access. Use the following reference to meet assessment objectives.<br><br>Provision user accounts<li>[What is Azure Active Directory authentication?](../authentication/overview-authentication.md)<br><br>[Configure Azure Active Directory to meet NIST authenticator assurance levels](../standards/nist-overview.md)<br><br>Provision service principal accounts<li>[Service principal authentication](../fundamentals/service-accounts-principal.md)<br><br>Provision Device accounts<li>[What is a device identity?](../devices/overview.md)<li>[How it works: Device registration](../devices/device-registration-how-it-works.md)<li>[What is a Primary Refresh Token?](../devices/concept-primary-refresh-token.md)<li>What does the PRT contain ---**needs link** |
+IA.L1-3.5.2 | Azure AD uniquely authenticates or verifies each user, process acting on behalf of user, or device as a prerequisite to system access. Use the following reference to meet assessment objectives.<br><br>Provision user accounts<li>[What is Azure Active Directory authentication?](../authentication/overview-authentication.md)<br><br>[Configure Azure Active Directory to meet NIST authenticator assurance levels](../standards/nist-overview.md)<br><br>Provision service principal accounts<li>[Service principal authentication](../fundamentals/service-accounts-principal.md)<br><br>Provision Device accounts<li>[What is a device identity?](../devices/overview.md)<li>[How it works: Device registration](../devices/device-registration-how-it-works.md)<li>[What is a Primary Refresh Token?](../devices/concept-primary-refresh-token.md)<li>[What does the Primary Refresh Token (PRT) contain?](/azure/active-directory/devices/concept-primary-refresh-token#what-does-the-prt-contain)|
 
 ## System and Information Integrity (SI) domain
 

articles/azure-arc/data/includes/azure-arc-data-preview-release.md

@@ -6,25 +6,22 @@ ms.topic: include
 ms.date: 12/7/2022
 ---
 
-
+<!---
 At this time, a test or preview build is not available for the next release.
+--->
 
-<!---
-December 2022 preview release is now available.
+January 2023 test release is now available.
 
 |Component|Value|
 |-----------|-----------|
-|Container images registry/repository |`mcr.microsoft.com/arcdata/preview`|
-|Container images tag |`v1.14.0_2022-12-13`|
-|CRD names and version|`datacontrollers.arcdata.microsoft.com`: v1beta1, v1 through v6<br/>`exporttasks.tasks.arcdata.microsoft.com`: v1beta1, v1, v2<br/>`kafkas.arcdata.microsoft.com`: v1beta1, v1beta2<br/>`monitors.arcdata.microsoft.com`: v1beta1, v1, v2<br/>`sqlmanagedinstances.sql.arcdata.microsoft.com`: v1beta1, v1 through v7<br/>`postgresqls.arcdata.microsoft.com`: v1beta1, v1beta2, v1beta3<br/>`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`: v1beta1, v1<br/>`failovergroups.sql.arcdata.microsoft.com`: v1beta1, v1beta2, v1 through v2<br/>`activedirectoryconnectors.arcdata.microsoft.com`: v1beta1, v1beta2, v1<br/>`sqlmanagedinstancereprovisionreplicatask.tasks.sql.arcdata.microsoft.com`: v1beta1<br/>`telemetrycollectors.arcdata.microsoft.com`: v1beta1, v1beta2, v1beta3 *use to be otelcollectors*<br/>`telemetryrouters.arcdata.microsoft.com`: v1beta1, v1beta2, v1beta3, v1beta4<br/>`sqlmanagedinstancemonitoringprofiles.arcdata.microsoft.com`: v1beta1, v1beta2<br/>|
+|Container images registry/repository |`mcr.microsoft.com/arcdata/test`|
+|Container images tag |`v1.15.0_2023-01-10 `|
+|CRD names and version|`datacontrollers.arcdata.microsoft.com`: v1beta1, v1 through v6<br/>`exporttasks.tasks.arcdata.microsoft.com`: v1beta1, v1, v2<br/>`kafkas.arcdata.microsoft.com`: v1beta1, v1beta2, v1beta3<br/>`monitors.arcdata.microsoft.com`: v1beta1, v1, v2<br/>`sqlmanagedinstances.sql.arcdata.microsoft.com`: v1beta1, v1 through v9<br/>`postgresqls.arcdata.microsoft.com`: v1beta1, v1beta2, v1beta3, v1beta4<br/>`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`: v1beta1, v1<br/>`failovergroups.sql.arcdata.microsoft.com`: v1beta1, v1beta2, v1 through v2<br/>`activedirectoryconnectors.arcdata.microsoft.com`: v1beta1, v1beta2, v1<br/>`sqlmanagedinstancereprovisionreplicatask.tasks.sql.arcdata.microsoft.com`: v1beta1<br/>`telemetrycollectors.arcdata.microsoft.com`: v1beta1, v1beta2, v1beta3 *use to be otelcollectors*<br/>`telemetryrouters.arcdata.microsoft.com`: v1beta1, v1beta2, v1beta3, v1beta4<br/>`sqlmanagedinstancemonitoringprofiles.arcdata.microsoft.com`: v1beta1, v1beta2<br/>|
 |Azure Resource Manager (ARM) API version|2022-06-15-preview|
-|`arcdata` Azure CLI extension version|1.4.9 ([Download](https://aka.ms/az-cli-arcdata-ext))|
-|Arc-enabled Kubernetes helm chart extension version|1.14.0|
+|`arcdata` Azure CLI extension version|1.4.10 ([Download](https://aka.ms/az-cli-arcdata-ext))|
+|Arc-enabled Kubernetes helm chart extension version|1.15.0|
 |Azure Arc Extension for Azure Data Studio<br/>`arc`<br/>`azcli`|*No Changes*<br/>1.7.0 ([Download](https://aka.ms/ads-arcdata-ext))</br>1.7.0 ([Download](https://aka.ms/ads-azcli-ext))|
 
 New for this release:
 
-- Arc-enabled PostgreSQL server
-  - Switch to Ubuntu based images
-
---->
+- Kafka "Separate" controller mode : This feature describes the ability to set ".spec.kraftControllerMode" to combined on a Kafka custom resource which creates two stateful sets (one for brokers and one for controllers) instead of a single "server" statefulset that houses both. This feature also ships some health checking, the ability to run multiple kafka instances in a cluster, and security improvements.

articles/azure-functions/create-first-function-vs-code-python.md

@@ -91,7 +91,7 @@ In this section, you use Visual Studio Code to create a local Azure Functions pr
 7. Replace the `app.route()` method call with the following code:
 
     ```python
-    @app.route(route="hello", auth_level=func.AuthLevel.ANONYMOUS)
+    @app.route(route="hello", http_auth_level=func.AuthLevel.ANONYMOUS)
     ```
 
     This code enables your HTTP function endpoint to be called in Azure without having to provide an [Authorization keys](functions-bindings-http-webhook-trigger.md#authorization-keys). Local execution doesn't require authorization keys. 
@@ -100,7 +100,7 @@ In this section, you use Visual Studio Code to create a local Azure Functions pr
 
     ```python
     @app.function_name(name="HttpTrigger1")
-    @app.route(route="hello", auth_level=func.AuthLevel.ANONYMOUS)
+    @app.route(route="hello", http_auth_level=func.AuthLevel.ANONYMOUS)
     def test_function(req: func.HttpRequest) -> func.HttpResponse:
         logging.info('Python HTTP trigger function processed a request.')
 

articles/azure-monitor/essentials/data-collection-transformations-structure.md

@@ -39,6 +39,8 @@ Transformations in a [data collection rule (DCR)](data-collection-rule-overview.
 
 
 
+### Required columns
+The output of every transformation must contain a valid timestamp in a column called `TimeGenerated` of type `datetime`. Make sure to include it in the final `extend` or `project` block! Creating or updating a DCR without `TimeGenerated` in the output of a transformation will lead to an error.
 
 ## Inline reference table
 The [datatable](/azure/data-explorer/kusto/query/datatableoperator?pivots=azuremonitor) operator isn't supported in the subset of KQL available to use in transformations. This operator would normally be used in KQL to define an inline query-time table. Use dynamic literals instead to work around this limitation.
@@ -329,4 +331,4 @@ Use [Identifier quoting](/azure/data-explorer/kusto/query/schema-entities/entity
 
 ## Next steps
 
-- [Create a data collection rule](../agents/data-collection-rule-azure-monitor-agent.md) and an association to it from a virtual machine using the Azure Monitor agent.
+- [Create a data collection rule](../agents/data-collection-rule-azure-monitor-agent.md) and an association to it from a virtual machine using the Azure Monitor agent.

articles/azure-netapp-files/TOC.yml

@@ -181,8 +181,10 @@
       href: create-active-directory-connections.md
     - name: Modify Active Directory connections
       href: modify-active-directory-connections.md
-    - name: Enable AD DS LDAP authentication for NFS volumes
+    - name: Configure AD DS LDAP authentication for NFS volumes
       href: configure-ldap-over-tls.md
+    - name: Join a Linux VM to an Active Directory Domain
+      href: join-active-directory-domain.md
   - name: Manage capacity pools
     items:
     - name: Set up a capacity pool
@@ -225,6 +227,8 @@
         href: azure-netapp-files-configure-export-policy.md
       - name: Configure Unix permissions and change ownership mode
         href: configure-unix-permissions-change-ownership-mode.md
+      - name: Configure access control lists for NFSv4.1
+        href: configure-access-control-lists.md
       - name: Configure network features for a volume
         href: configure-network-features.md
       - name: Configure Virtual WAN

articles/azure-netapp-files/azure-netapp-files-create-volumes.md

@@ -143,4 +143,5 @@ This article shows you how to create an NFS volume. For SMB volumes, see [Create
 * [Configure Unix permissions and change ownership mode](configure-unix-permissions-change-ownership-mode.md). 
 * [Resource limits for Azure NetApp Files](azure-netapp-files-resource-limits.md)
 * [Learn about virtual network integration for Azure services](../virtual-network/virtual-network-for-azure-services.md)
-* [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md)
+* [Configure access control lists on NFSv4.1 with Azure NetApp Files](configure-access-control-lists.md)
+* [Application resilience FAQs for Azure NetApp Files](faq-application-resilience.md)

articles/azure-netapp-files/configure-access-control-lists.md

@@ -0,0 +1,61 @@
+---
+title: Configure access control lists with Azure NetApp Files | Microsoft Docs
+description: This article shows you how to configure access control lists (ACLs) on NFSv4.1 with Azure NetApp Files.
+author: b-ahibbard
+ms.service: azure-netapp-files
+ms.workload: storage
+ms.topic: how-to
+ms.date: 12/20/2022
+ms.author: anfdocs
+---
+# Configure access control lists on NFSv4.1 volumes for Azure NetApp Files
+
+Azure NetApp Files supports access control lists (ACLs) on NFSv4.1 volumes. ACLs provide granular file security via NFSv4.1.
+
+ACLs contain access control entities (ACEs), which specify the permissions (read, write, etc.) of individual users or groups. When assigning user roles, provide the user email address if you're using a Linux VM joined to an Active Directory Domain. Otherwise, provide user IDs to set permissions. 
+
+## Requirements
+
+- ACLs can only be configured on NFS4.1 volumes. You can [convert a volume from NFSv3 to NFSv4.1](convert-nfsv3-nfsv41.md).
+
+- You must have two packages installed:
+    1.  `nfs-utils` to mount NFS volumes 
+    1. `nfs-acl-tools` to view and modify NFSv4 ACLs. 
+    If you do not have either, install them:
+        - On a Red Hat Enterprise Linux or SuSE Linux instance:
+        ```bash
+        sudo yum install -y nfs-utils
+        sudo yum install -y nfs4-acl-tools
+        ```
+        - On Ubuntu or Debian instance:
+        ```bash
+        sudo apt-get install nfs-common
+        sudo apt-get install nfs4-acl-tools
+        ```
+
+## Configure ACLs
+
+1. If you want to configure ACLs for a Linux VM joined to Active Directory, complete the steps in [Join a Linux VM to an Azure Active Directory Domain](join-active-directory-domain.md).
+
+1. [Mount the volume](azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md).
+
+1. Use the command `nfs4_getfacl <path>` to view the existing ACL on a directory or file.
+    
+    The default NFSv4.1 ACL is a close representation of the POSIX permissions of 770.
+    - `A::OWNER@:rwaDxtTnNcCy` - owner has full (RWX) access
+    - `A:g:GROUP@:rwaDxtTnNcy` - group has full (RWX) access
+    - `A::EVERYONE@:tcy` - everyone else has no access
+
+1. To modify an ACE for a user, use the `nfs4_setfacl` command: `nfs4_setfacl -a|x A|D::<user|group>:<permissions_alias> <file>`
+    - Use `-a` to add permission. Use `-x` to remove permission.
+    - `A` creates access; `D` denies access.
+    - In an Active Directory-joined set up, enter an email address for the user. Otherwise, enter the numerical user ID.
+    - Permission aliases include read, write, append, execute, etc.
+    In the following Active Directory-joined example, user [email protected] is given read, write, and execute access to `/nfsldap/engineering`:
+    ```bash
+    nfs4_setfacl -a A::[email protected]:RWX /nfsldap/engineering
+    ```
+
+## Next steps
+
+* [Configure NFS clients](configure-nfs-clients.md)

articles/azure-netapp-files/configure-nfs-clients.md

@@ -116,7 +116,7 @@ The examples in this section use the following domain name and IP address:
 
 The following steps are optional. You need to perform the steps only if you use user mapping at the NFS client: 
 
-1. Complete all steps described in the [RHEL 8 configuration if you are using NFSv4.1 Kerberos encryption](#rhel8_nfsv41_kerberos) section.   
+1. Complete all steps described in the [RHEL 8 configuration if you are using NFSv4.1 Kerberos encryption](#rhel8_nfsv41_kerberos) section.  
 
 2. Add a static DNS record in your /etc/hosts file to use fully qualified domain name (FQDN) for your AD, instead of using the IP address in SSSD configuration file:  
 

articles/azure-netapp-files/convert-nfsv3-nfsv41.md

@@ -143,3 +143,4 @@ This section shows you how to convert the NFSv4.1 volume to NFSv3.
 
 * [Create an NFS volume for Azure NetApp Files](azure-netapp-files-create-volumes.md)
 * [Mount or unmount a volume](azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md)
+* [Configure access control lists on NFSv4.1 with Azure NetApp Files](configure-access-control-lists.md)