Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into rolyon-rbac-custom-roles-management-group-scope-ga

Author: rolyon

articles/active-directory/manage-apps/configure-admin-consent-workflow.md

@@ -22,7 +22,7 @@ In this article, you'll learn how to configure the admin consent workflow to ena
 
 The admin consent workflow gives admins a secure way to grant access to applications that require admin approval. When a user tries to access an application but is unable to provide consent, they can send a request for admin approval. The request is sent via email to admins who have been designated as reviewers. A reviewer takes action on the request, and the user is notified of the action.
 
-To approve requests, a reviewer must be a global administrator, cloud application administrator, or application administrator. The reviewer must already have one of these admin roles assigned; simply designating them as a reviewer doesn't elevate their privileges.
+To approve requests, a reviewer must have the [permissions required](grant-admin-consent.md#prerequisites) to grant admin consent for the application requested. Simply designating them as a reviewer doesn't elevate their privileges.
 
 ## Prerequisites
 
@@ -53,7 +53,7 @@ To enable the admin consent workflow and choose reviewers:
 1. Select **Save**. It can take up to an hour for the workflow to become enabled.
 
 > [!NOTE]
-> You can add or remove reviewers for this workflow by modifying the **Who can review admin consent requests** list. A current limitation of this feature is that a reviewer can retain the ability to review requests that were made while they were designated as a reviewer.
+> You can add or remove reviewers for this workflow by modifying the **Who can review admin consent requests** list. A current limitation of this feature is that a reviewer retains the ability to review requests that were made while they were designated as a reviewer. Additionally, new reviewers will not be assigned to requests that were created before they were set as a reviewer.
 
 ## Configure the admin consent workflow using Microsoft Graph
 

articles/active-directory/manage-apps/user-admin-consent-overview.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: overview
-ms.date: 09/28/2022
+ms.date: 04/04/2023
 ms.author: jomondi
 ms.reviewer: phsignor
 ms.collection: M365-identity-device-management
@@ -48,13 +48,13 @@ For most organizations, one of the built-in options will be appropriate. Some ad
 
 ## Admin consent
 
-During admin consent, a Privileged Administrator may grant an application access on behalf of other users (usually, on behalf of the entire organization). Also during admin consent, applications or services provide direct access to an API, which can be used by the application if there's no signed-in user.
+During admin consent, a Privileged Administrator may grant an application access on behalf of other users (usually, on behalf of the entire organization). Also during admin consent, applications or services provide direct access to an API, which can be used by the application if there's no signed-in user. The specific role needed to grant admin consent differs based on the permissions requested, which are outlined [here.](grant-admin-consent.md#prerequisites)
 
 When your organization purchases a license or subscription for a new application, you might proactively want to set up the application so that all users in the organization can use it. To avoid the need for user consent, an administrator can grant consent for the application on behalf of all users in the organization.
 
 After an administrator grants admin consent on behalf of the organization, users aren't usually prompted for consent for that application. In certain cases, a user might be prompted for consent even after consent was granted by an administrator. An example might be if an application requests another permission that the administrator hasn't already granted.
 
-Granting admin consent on behalf of an organization is a sensitive operation, potentially allowing the application's publisher access to significant portions of the organization's data, or the permission to do highly privileged operations. Examples of such operations might be role management, full access to all mailboxes or all sites, and full user impersonation.
+Granting admin consent on behalf of an organization is a sensitive operation, potentially allowing the application's publisher access to significant portions of the organization's data, or the permission to do highly privileged operations. Examples of such operations might be role management, full access to all mailboxes or all sites, and full user impersonation. 
 
 Before you grant tenant-wide admin consent, ensure that you trust the application and the application publisher, for the level of access you're granting. If you aren't confident that you understand who controls the application and why the application is requesting the permissions, do *not* grant consent.
 
@@ -90,4 +90,4 @@ After the admin consent workflow is enabled, users can request admin approval fo
 ## Next steps
 
 - [Configure user consent settings](configure-user-consent.md)
-- [Configure the admin consent workflow](configure-admin-consent-workflow.md)
+- [Configure the admin consent workflow](configure-admin-consent-workflow.md)

articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql.md

@@ -111,7 +111,7 @@ using Microsoft.Data.SqlClient;
 try
 {
 //
-// Open a connection to the server using Active Direcotry Managed Identity authentication.
+// Open a connection to the server using Active Directory Managed Identity authentication.
 //
 string connectionString = "Data Source=<AZURE-SQL-SERVERNAME>; Initial Catalog=<DATABASE>; Authentication=Active Directory Managed Identity; Encrypt=True";
 SqlConnection conn = new SqlConnection(connectionString);

articles/active-directory/reports-monitoring/howto-manage-inactive-user-accounts.md

@@ -36,24 +36,24 @@ The last successful sign-in provides potential insights into a user's continued
 
 You detect inactive accounts by evaluating the **lastSignInDateTime** property exposed by the **signInActivity** resource type of the **Microsoft Graph** API. The **lastSignInDateTime** property shows the last time a user made a successful interactive sign-in to Azure AD. Using this property, you can implement a solution for the following scenarios:
 
-- **Users by name**: In this scenario, you search for a specific user by name, which enables you to evaluate the lastSignInDateTime: `https://graph.microsoft.com/beta/users?$filter=startswith(displayName,'markvi')&$select=displayName,signInActivity`
+- **Users by name**: In this scenario, you search for a specific user by name, which enables you to evaluate the lastSignInDateTime: `https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'markvi')&$select=displayName,signInActivity`
 
-- **Users by date**: In this scenario, you request a list of users with a lastSignInDateTime before a specified date: `https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z`
+- **Users by date**: In this scenario, you request a list of users with a lastSignInDateTime before a specified date: `https://graph.microsoft.com/v1.0/users?$filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z`
 
 > [!NOTE]
 > There may be the need to generate a report of the last sign in date of all users, if so you can use the following scenario.
-> **Last Sign In Date and Time for All Users**: In this scenario, you request a list of all users, and the last lastSignInDateTime for each respective user: `https://graph.microsoft.com/beta/users?$select=displayName,signInActivity` 
+> **Last Sign In Date and Time for All Users**: In this scenario, you request a list of all users, and the last lastSignInDateTime for each respective user: `https://graph.microsoft.com/v1.0/users?$select=displayName,signInActivity` 
 
 ## What you need to know
 
 This section lists what you need to know about the lastSignInDateTime property.
 
 ### How can I access this property?
 
-The **lastSignInDateTime** property is exposed by the [signInActivity resource type](/graph/api/resources/signinactivity?view=graph-rest-beta&preserve-view=true) of the [Microsoft Graph API](/graph/overview#whats-in-microsoft-graph).   
+The **lastSignInDateTime** property is exposed by the [signInActivity resource type](/graph/api/resources/signinactivity) of the [Microsoft Graph API](/graph/overview#whats-in-microsoft-graph).   
 
 > [!NOTE]
-> The signInActivity resource type is available only on the Microsoft Graph `beta` endpoint and isn't yet supported in US Government GCC High environments.
+> The signInActivity resource type isn't yet supported in US Government GCC High environments.
 
 ### Is the lastSignInDateTime property available through the Get-AzureAdUser cmdlet?
 
@@ -65,10 +65,11 @@ To access this property, you need an Azure Active Directory Premium edition.
 
 ### What permission do I need to read the property?
 
-To read this property, you need to grant the following rights: 
+To read this property, you need to grant the app the following Microsoft Graph permissions: 
 
 - AuditLog.Read.All
 - Directory.Read.All  
+- User.Read.All
 
 
 ### When does Azure AD update the property?

articles/aks/aks-planned-maintenance-weekly-releases.md

@@ -9,11 +9,11 @@ author: kaarthis
 
 ---
 
-# Use Planned Maintenance window for scheduling exclusive Azure Kubernetes Service (AKS) weekly releases (Preview)
+# Use Planned Maintenance pre-created configurations to schedule Azure Kubernetes Service (AKS) weekly releases (preview)
 
- Planned Maintenance allows you to schedule weekly maintenance windows that will ensure the weekly releases [releases] are controlled. Maintenance Windows are configured using the Azure CLI, allowing you to select from a set of pre-available configurations.
+Planned Maintenance allows you to schedule weekly maintenance windows that ensure the weekly [releases] are controlled. You can select from the set of pre-created configurations and use the Azure CLI to configure your maintenance windows.
 
-Weekly releases can also be scheduled with more fine-grained control using Planned Maintenance's `default` configuration type. For more information, see [Planned Maintenance to schedule and control upgrades][planned-maintenance].
+You can also be schedule with more fine-grained control using Planned Maintenance's `default` configuration type. For more information, see [Planned Maintenance to schedule and control upgrades][planned-maintenance].
 
 ## Before you begin
 

articles/aks/planned-maintenance.md

@@ -23,6 +23,8 @@ There are currently three available configuration types: `default`, `aksManagedA
 
 We recommend using `aksManagedAutoUpgradeSchedule` for all cluster upgrade scenarios and `aksManagedNodeOSUpgradeSchedule` for all node image upgrade scenarios, while `default` is meant exclusively for weekly releases. You can port `default` configurations to `aksManagedAutoUpgradeSchedule` configurations via the `az aks maintenanceconfiguration update` command.
 
+To configure Planned Maintenance using pre-created configurations, see [Use Planned Maintenance pre-created configurations to schedule AKS weekly releases][pm-weekly].
+
 ## Before you begin
 
 This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli], [using Azure PowerShell][aks-quickstart-powershell], or [using the Azure portal][aks-quickstart-portal].

articles/application-gateway/application-gateway-private-deployment.md

@@ -6,7 +6,7 @@ services: application-gateway
 author: greg-lindsay
 ms.service: application-gateway
 ms.topic: how-to
-ms.date: 03/01/2023
+ms.date: 04/04/2023
 ms.author: greglin
 #Customer intent: As an administrator, I want to evaluate Azure Private Application Gateway
 ---
@@ -174,7 +174,7 @@ After registration into the public preview, configuration of NSG, Route Table, a
 
 ## Resource Changes
 
-After your gateway is provisioned, isn't tag is automatically assigned with the name of **EnhancedNetworkControl** and value of **True**. See the following example:
+After your gateway is provisioned, a resource tag is automatically assigned with the name of **EnhancedNetworkControl** and value of **True**. See the following example:
 
  ![View the EnhancedNetworkControl tag](./media/application-gateway-private-deployment/tags.png)
 

articles/cdn/cdn-custom-ssl.md

@@ -121,7 +121,7 @@ Register Azure CDN as an app in your Azure Active Directory.
 > * You need to have the **Global Administrator** role to run this command.
 > * The service principal name was changed from `Microsoft.Azure.Cdn` to `Microsoft.AzureFrontDoor-Cdn`.
 
-# [Azure PowerShell](#tab/powershell)
+#### Azure PowerShell
 
 1. If needed, install [Azure PowerShell](/powershell/azure/install-az-ps) on your local machine.
 
@@ -134,15 +134,15 @@ Register Azure CDN as an app in your Azure Active Directory.
 
     Secret                :
     ServicePrincipalNames : {205478c0-bd83-4e1b-a9d6-db63a3e1e1c8,
-                                https://microsoft.onmicrosoft.com/033ce1c9-f832-4658-b024-ef1cbea108b8}
+				https://microsoft.onmicrosoft.com/033ce1c9-f832-4658-b024-ef1cbea108b8}
     ApplicationId         : 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8
     ObjectType            : ServicePrincipal
     DisplayName           : Microsoft.AzureFrontDoor-Cdn
     Id                    : abcdef12-3456-7890-abcd-ef1234567890
     Type                  :
     ```
 
-# [Azure CLI](#tab/cli)
+#### Azure CLI
 
 1. If needed, install [Azure CLI](/cli/azure/install-azure-cli) on your local machine.