Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into update-access-groups-diagram

Author: Shereen-Bhar

.whatsnew/.application-management.json

@@ -17,7 +17,7 @@
     },
     "areas": [
         {
-            "name": ".",
+            "name": [ "."],
             "heading": "Azure Active Directory application management"
         }
     ]

articles/active-directory/develop/scenario-web-app-call-api-overview.md

@@ -9,9 +9,9 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 07/14/2020
+ms.date: 11/4/2022
 ms.author: jmprieur
-ms.custom: aaddev
+ms.custom: aaddev, engagement-fy23
 #Customer intent: As an application developer, I want to know how to write a web app that authenticates users and calls web APIs by using the Microsoft identity platform.
 ---
 
@@ -29,20 +29,18 @@ You add authentication to your web app so that it can sign users in and call a w
 
 ![Web app that calls web APIs](./media/scenario-webapp/web-app.svg)
 
-Web apps that call web APIs are confidential client applications.
-That's why they register a secret (an application password or certificate) with Azure Active Directory (Azure AD). This secret is passed in during the call to Azure AD to get a token.
+Web apps that call web APIs are confidential client applications. That's why they register a secret (an application password or certificate) with Azure Active Directory (Azure AD). This secret is passed in during the call to Azure AD to get a token.
 
 ## Specifics
 
-> [!NOTE]
-> Adding sign-in to a web app is about protecting the web app itself. That protection is achieved by using *middleware* libraries, not the Microsoft Authentication Library (MSAL). The preceding scenario, [Web app that signs in users](scenario-web-app-sign-user-overview.md), covered that subject.
->
-> This scenario covers how to call web APIs from a web app. You must get access tokens for those web APIs. You use MSAL libraries to acquire these tokens.
+Adding sign-in to a web app is about protecting the web app itself. That protection is achieved by using *middleware* libraries, not the Microsoft Authentication Library (MSAL). The preceding scenario, [Web app that signs in users](scenario-web-app-sign-user-overview.md), covered that subject.
 
-Development for this scenario involves these specific tasks:
+This scenario covers how to call web APIs from a web app. You must get access tokens for those web APIs. You use MSAL libraries to acquire these tokens.
 
-- During [application registration](scenario-web-app-call-api-app-registration.md), you must provide a reply URI, secret, or certificate to be shared with Azure AD. If you deploy your app to several locations, you'll provide a reply URI for each location.
-- The [application configuration](scenario-web-app-call-api-app-configuration.md) must provide the client credentials that were shared with Azure AD during application registration.
+Development for this scenario involves;
+
+- Providing a reply URI, secret, or certificate to be shared with Azure AD during [application registration](scenario-web-app-call-api-app-registration.md). If you deploy your app to several locations, you'll provide a reply URI for each location.
+- Providing the client credentials in the [application configuration](scenario-web-app-call-api-app-configuration.md). These credentials were shared with Azure AD during application registration.
 
 ## Recommended reading
 

articles/active-directory/develop/tutorial-v2-nodejs-webapp-msal.md

@@ -8,8 +8,9 @@ manager: CelesteDG
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: tutorial
-ms.date: 02/17/2021
+ms.date: 11/09/2022
 ms.author: cwerner
+ms.custom: engagement-fy23
 ---
 
 # Tutorial: Sign in users and acquire a token for Microsoft Graph in a Node.js & Express web app
@@ -26,7 +27,7 @@ Follow the steps in this tutorial to:
 > - Add code for user login
 > - Test the app
 
-For additional guidance, refer to the [sample code](https://github.com/Azure-Samples/ms-identity-node) that shows how to use MSAL Node to login, logout and acquire an access token for a protected resource such as Microsoft Graph.
+For more information, see the [sample code](https://github.com/Azure-Samples/ms-identity-node) that shows how to use MSAL Node to sign in, sign out and acquire an access token for a protected resource such as Microsoft Graph.
 
 ## Prerequisites
 
@@ -62,7 +63,7 @@ Use the [Express application generator tool](https://expressjs.com/en/starter/ge
     npm install
 ```
 
-You now have a simple Express web app. The file and folder structure of your project should look similar to the following:
+You now have a simple Express web app. The file and folder structure of your project should look similar to the following folder structure:
 
 ```
 ExpressWebApp/
@@ -102,7 +103,7 @@ The web app sample in this tutorial uses the [express-session](https://www.npmjs
 
 ## Add app registration details
 
-1. Create a *.env* file in the root of your project folder. Then add the following code:
+1. Create an *.env* file in the root of your project folder. Then add the following code:
 
 :::code language="text" source="~/ms-identity-node/App/.env":::
 
@@ -111,7 +112,7 @@ Fill in these details with the values you obtain from Azure app registration por
 - `Enter_the_Cloud_Instance_Id_Here`: The Azure cloud instance in which your application is registered.
   - For the main (or *global*) Azure cloud, enter `https://login.microsoftonline.com/` (include the trailing forward-slash).
   - For **national** clouds (for example, China), you can find appropriate values in [National clouds](authentication-national-cloud.md).
-- `Enter_the_Tenant_Info_here` should be one of the following:
+- `Enter_the_Tenant_Info_here` should be one of the following parameters:
   - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`.
   - If your application supports *accounts in any organizational directory*, replace this value with `organizations`.
   - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`.
@@ -130,17 +131,17 @@ Fill in these details with the values you obtain from Azure app registration por
 
 :::code language="js" source="~/ms-identity-node/App/authConfig.js":::
 
-## Add code for user login and token acquisition
+## Add code for user sign-in and token acquisition
 
 1. Create a new file named *auth.js* under the *router* folder and add the following code there:
 
 :::code language="js" source="~/ms-identity-node/App/routes/auth.js":::
 
-2. Next, update the *index.js* route by replacing the existing code with the following:
+2. Next, update the *index.js* route by replacing the existing code with the following code snippet:
 
 :::code language="js" source="~/ms-identity-node/App/routes/index.js":::
 
-3. Finally, update the *users.js* route by replacing the existing code with the following:
+3. Finally, update the *users.js* route by replacing the existing code with the following code snippet:
 
 :::code language="js" source="~/ms-identity-node/App/routes/users.js":::
 
@@ -166,7 +167,7 @@ Create a file named *fetch.js* in the root of your project and add the following
 
 ## Register routers and add state management
 
-In the *app.js* file in the root of the project folder, register the routes you have created earlier and add session support for tracking authentication state using the **express-session** package. Replace the existing code there with the following:
+In the *app.js* file in the root of the project folder, register the routes you've created earlier and add session support for tracking authentication state using the **express-session** package. Replace the existing code there with the following code snippet:
 
 :::code language="js" source="~/ms-identity-node/App/app.js":::
 
@@ -210,7 +211,7 @@ You've completed creation of the application and are now ready to test the app's
 
 ## How the application works
 
-In this tutorial, you instantiated an MSAL Node [ConfidentialClientApplication](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/initialize-confidential-client-application.md) object by passing it a configuration object (*msalConfig*) that contains parameters obtained from your Azure AD app registration on Azure portal. The web app you created uses the [OpenID Connect protocol](./v2-protocols-oidc.md) to sign-in users and the [OAuth 2.0 Authorization code grant flow](./v2-oauth2-auth-code-flow.md) obtain access tokens.
+In this tutorial, you instantiated an MSAL Node [ConfidentialClientApplication](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/initialize-confidential-client-application.md) object by passing it a configuration object (*msalConfig*) that contains parameters obtained from your Azure AD app registration on Azure portal. The web app you created uses the [OpenID Connect protocol](./v2-protocols-oidc.md) to sign-in users and the [OAuth 2.0 authorization code flow](./v2-oauth2-auth-code-flow.md) to obtain access tokens.
 
 ## Next steps
 

articles/app-service/tutorial-java-quarkus-postgresql-app.md

@@ -102,8 +102,8 @@ Follow these steps to create an Azure PostgreSQL database in your subscription.
         --resource-group $RESOURCE_GROUP \
         --name $DB_SERVER_NAME \
         --location $LOCATION \
-        --admin-user $DB_USERNAME \
-        --admin-password $DB_PASSWORD \
+        --admin-user $ADMIN_USERNAME \
+        --admin-password $ADMIN_PASSWORD \
         --sku-name GP_Gen5_2
     ```
 

articles/applied-ai-services/form-recognizer/disaster-recovery.md

@@ -36,7 +36,7 @@ If your app or business depends on the use of a Form Recognizer custom model, we
 ## Prerequisites
 
 1. Two Form Recognizer Azure resources in different Azure regions. If you don't have them, go to the Azure portal and [create a new Form Recognizer resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer).
-1. The key, endpoint URL, and subscription ID for your Form Recognizer resource. You can find these values on the resource's **Overview** tab in the [Azure portal](https://ms.portal.azure.com/#home).
+1. The key, endpoint URL, and subscription ID for your Form Recognizer resource. You can find these values on the resource's **Overview** tab in the [Azure portal](https://portal.azure.com/#home).
 
 ::: moniker-end
 

articles/azure-monitor/essentials/azure-monitor-workspace-overview.md

@@ -58,7 +58,7 @@ In addition to the methods below, you may be given the option to create a new Az
 Use the following command to create an Azure Monitor workspace using Azure CLI.
 
 ```azurecli
-az resource create --resource-group divyaj-test --namespace microsoft.monitor --resource-type accounts --name testmac0929 --location westus2 --properties {}
+az resource create --resource-group <resource-group-name> --namespace microsoft.monitor --resource-type accounts --name <azure-monitor-workspace-name> --location <location> --properties {}
 ```
 
 ### [Resource Manager](#tab/resource-manager)

articles/azure-monitor/essentials/diagnostic-settings.md

@@ -5,7 +5,7 @@ author: rboucher
 ms.author: robb
 services: azure-monitor
 ms.topic: conceptual
-ms.date: 10/03/2022
+ms.date: 11/09/2022
 ms.reviewer: lualderm
 ---
 
@@ -68,15 +68,17 @@ When you use category groups, you:
 Currently, there are two category groups:
 
 - **All**: Every resource log offered by the resource.
-- **Audit**: All resource logs that record customer interactions with data or the settings of the service.
+- **Audit**: All resource logs that record customer interactions with data or the settings of the service. Note that Audit logs are an attempt by each resource provider to provide the most relevant audit data, but may not be considered sufficient from an auditing standards perspective.
 
 ### Activity log
 
 See the [Activity log settings](#activity-log-settings) section.
 
 ## Destinations
 
-Platform logs and metrics can be sent to the destinations listed in the following table.
+Platform logs and metrics can be sent to the destinations listed in the following table.  
+  
+To ensure the security of data in transit, we strongly encourage you to configure Transport Layer Security (TLS). All destination endpoints support TLS 1.2.
 
 | Destination | Description |
 |:---|:---|
@@ -117,7 +119,7 @@ The following table provides unique requirements for each destination including
 | Destination | Requirements |
 |:---|:---|
 | Log Analytics workspace | The workspace doesn't need to be in the same region as the resource being monitored.|
-| Storage account | It is not recommended to use an existing storage account that has other, non-monitoring data stored in it so that you can better control access to the data. If you're archiving the activity log and resource logs together, you might choose to use the same storage account to keep all monitoring data in a central location.<br><br>To send the data to immutable storage, set the immutable policy for the storage account as described in [Set and manage immutability policies for Azure Blob Storage](../../storage/blobs/immutable-policy-configure-version-scope.md). You must follow all steps in this linked article including enabling protected append blobs writes.<br><br>The storage account needs to be in the same region as the resource being monitored if the resource is regional.<br><br> Diagnostic settings can't access storage accounts when virtual networks are enabled. You must enable **Allow trusted Microsoft services** to bypass this firewall setting in storage accounts so that the Azure Monitor diagnostic settings service is granted access to your storage account.|
+| Storage account | Don't use an existing storage account that has other, non-monitoring data stored in it so that you can better control access to the data. If you're archiving the activity log and resource logs together, you might choose to use the same storage account to keep all monitoring data in a central location.<br><br>To send the data to immutable storage, set the immutable policy for the storage account as described in [Set and manage immutability policies for Azure Blob Storage](../../storage/blobs/immutable-policy-configure-version-scope.md). You must follow all steps in this linked article including enabling protected append blobs writes.<br><br>The storage account needs to be in the same region as the resource being monitored if the resource is regional.<br><br> Diagnostic settings can't access storage accounts when virtual networks are enabled. You must enable **Allow trusted Microsoft services** to bypass this firewall setting in storage accounts so that the Azure Monitor diagnostic settings service is granted access to your storage account.<br><br>[Azure DNS zone endpoints (preview)](/azure/storage/common/storage-account-overview#azure-dns-zone-endpoints-preview) and [Azure Premium LRS](/azure/storage/common/storage-redundancy#locally-redundant-storage) (locally redundant storage) storage accounts are not supported as a log or metric destination.|
 | Event Hubs | The shared access policy for the namespace defines the permissions that the streaming mechanism has. Streaming to Event Hubs requires Manage, Send, and Listen permissions. To update the diagnostic setting to include streaming, you must have the ListKey permission on that Event Hubs authorization rule.<br><br>The event hub namespace needs to be in the same region as the resource being monitored if the resource is regional. <br><br> Diagnostic settings can't access Event Hubs resources when virtual networks are enabled. You must enable **Allow trusted Microsoft services** to bypass this firewall setting in Event Hubs so that the Azure Monitor diagnostic settings service is granted access to your Event Hubs resources.|
 | Partner integrations | The solutions vary by partner. Check the [Azure Monitor partner integrations documentation](../../partner-solutions/overview.md) for details.
 
@@ -280,6 +282,10 @@ If you receive this error, update your deployments to replace any metric categor
 
 Diagnostic settings don't support resource IDs with non-ASCII characters. For example, consider the term Preproducción. Because you can't rename resources in Azure, your only option is to create a new resource without the non-ASCII characters. If the characters are in a resource group, you can move the resources under it to a new one. Otherwise, you'll need to re-create the resource.
 
+### Possibility of duplicated or dropped data
+
+Every effort is made to ensure all log data is sent correctly to your destinations, however it's not possible guarantee 100% data transfer of logs between endpoints. Retries and other mechanisms are in place to work around these issues and attempt to ensure log data arrives at the endpoint.
+
 ## Next step
 
 [Read more about Azure platform logs](./platform-logs-overview.md)

articles/azure-monitor/essentials/migrate-to-azure-storage-lifecycle-policy.md

@@ -6,14 +6,24 @@ ms.author: edbaynash
 ms.service: azure-monitor
 ms.topic: how-to
 ms.reviewer: lualderm
-ms.date: 07/10/2022
+ms.date: 07/27/2022
 
 #Customer intent: As a dev-ops administrator I want to migrate my retention setting from diagnostic setting retention storage to Azure Storage lifecycle management so that it continues to work after the feature has been deprecated.
 ---
 
 # Migrate from diagnostic settings storage retention to Azure Storage lifecycle management
 
-This guide walks you through migrating from using Azure diagnostic settings storage retention to using [Azure Storage lifecycle management](../../storage/blobs/lifecycle-management-policy-configure.md?tabs=azure-portal) for retention.
+The Diagnostic Settings Storage Retention feature is being deprecated. To configure retention for logs and metrics use Azure Storage Lifecycle Management.  
+
+This guide walks you through migrating from using Azure diagnostic settings storage retention to using [Azure Storage lifecycle management](/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal) for retention.
+
+> [!IMPORTANT]
+> **Deprecation Timeline.**
+> - March 31, 2023 –  The Diagnostic Settings Storage Retention feature will no longer be available to configure new retention rules for log data. If you have configured retention settings, you'll still be able to see and change them.
+> - September 30, 2023 –  You will no longer be able to use the API or Azure portal to configure retention setting unless you're changing them to *0*. Existing retention rules will still be respected.
+> - September 30, 2025 –  All retention functionality for the Diagnostic Settings Storage Retention feature will be disabled across all environments.
+
+
 
 ## Prerequisites
 

articles/cognitive-services/Anomaly-Detector/includes/quickstarts/anomaly-detector-client-library-python-multivariate.md

@@ -55,7 +55,7 @@ curl "https://github.com/Azure-Samples/AnomalyDetector/blob/master/samples-multi
 
 Multivariate Anomaly Detector requires your sample file to be stored as a .zip file in Azure Blob Storage.
 
-1. Create an <a href="https://ms.portal.azure.com/#create/Microsoft.StorageAccount-ARM" target="_blank">Azure Storage account</a>.
+1. Create an <a href="https://portal.azure.com/#create/Microsoft.StorageAccount-ARM" target="_blank">Azure Storage account</a>.
 2. From within your storage account, create a new storage container with the Public access level set to **private**.
 3. Open your container and select upload. Upload the `sample_data_5_3000.zip` file from the previous step.
     :::image type="content" source="../../media/quickstart/upload-zip.png" alt-text="Screenshot of the storage upload user experience." lightbox="../../media/quickstart/upload-zip.png":::

articles/cognitive-services/language-service/concepts/role-based-access-control.md

@@ -24,7 +24,7 @@ To use Azure RBAC, you must enable Azure Active Directory authentication. You ca
 ## Add role assignment to Language resource
 
 Azure RBAC can be assigned to a Language resource. To grant access to an Azure resource, you add a role assignment.
-1. In the [Azure portal](https://ms.portal.azure.com/), select **All services**. 
+1. In the [Azure portal](https://portal.azure.com/), select **All services**. 
 1. Select **Cognitive Services**, and navigate to your specific Language resource. 
    > [!NOTE]
    > You can also set up Azure RBAC for whole resource groups, subscriptions, or management groups. Do this by selecting the desired scope level and then navigating to the desired item. For example, selecting **Resource groups** and then navigating to a specific resource group.