Merge pull request #226604 from MicrosoftDocs/repo_sync_working_branch

huypub · web-flow · commit 2a2bdd4033de · 2023-02-08T09:41:26.000-08:00
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)
diff --git a/articles/active-directory-b2c/identity-provider-generic-saml.md b/articles/active-directory-b2c/identity-provider-generic-saml.md
@@ -139,10 +139,10 @@ The **OutputClaims** element contains a list of claims returned by the SAML iden
 
 In the example above, *Contoso-SAML2* includes the claims returned by a SAML identity provider:
 
-* The **issuerUserId** claim is mapped to the **assertionSubjectName** claim.
+* The **assertionSubjectName** claim is mapped to the **issuerUserId** claim.
 * The **first_name** claim is mapped to the **givenName** claim.
 * The **last_name** claim is mapped to the **surname** claim.
-* The **displayName** claim is mapped to the `http://schemas.microsoft.com/identity/claims/displayname` claim.
+* The `http://schemas.microsoft.com/identity/claims/displayname` claim is mapped to the **displayName** claim.
 * The **email** claim without name mapping.
 
 The technical profile also returns claims that aren't returned by the identity provider:
@@ -237,4 +237,4 @@ If the sign-in process is successful, your browser is redirected to `https://jwt
 
 - [Configure SAML identity provider options with Azure Active Directory B2C](identity-provider-generic-saml-options.md)
 
-::: zone-end
+::: zone-end
diff --git a/articles/active-directory/conditional-access/concept-continuous-access-evaluation.md b/articles/active-directory/conditional-access/concept-continuous-access-evaluation.md
@@ -179,7 +179,7 @@ When Conditional Access policy or group membership changes need to be applied to
 Modern networks often optimize connectivity and network paths for applications differently. This optimization frequently causes variations of the routing and source IP addresses of connections, as seen by your identity provider and resource providers. You may observe this split path or IP address variation in multiple network topologies, including, but not limited to: 
 
 - On-premises and cloud-based proxies.
-- Virtual private network (VPN) implementations, like split tunneling.
+- Virtual private network (VPN) implementations, like [split tunneling](/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel).
 - Software defined wide area network (SD-WAN) deployments.
 - Load balanced or redundant network egress network topologies, like those using [SNAT](https://wikipedia.org/wiki/Network_address_translation#SNAT). 
 - Branch office deployments that allow direct internet connectivity for specific applications.
@@ -189,9 +189,10 @@ Modern networks often optimize connectivity and network paths for applications d
 In addition to IP variations, customers also may employ network solutions and services that: 
 
 - Use IP addresses that may be shared with other customers. For example, cloud-based proxy services where egress IP addresses are shared between customers.
-- Use easily varied or undefinable IP addresses. For example, topologies where there are large, dynamic sets of egress IP addresses used, like large enterprise scenarios or split VPN and local egress network traffic.
+- Use easily varied or undefinable IP addresses. For example, topologies where there are large, dynamic sets of egress IP addresses used, like large enterprise scenarios or [split VPN](/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel) and local egress network traffic.
+
+Networks where egress IP addresses may change frequently or are shared may affect Azure AD Conditional Access and Continues Access Evaluation (CAE). This variability can affect how these features work and their recommended configurations. Split Tunneling may also cause unexpected blocks when an environment is configured using [Split Tunneling VPN Best Practices](/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel). Routing [Optimized IPs](/microsoft-365/enterprise/microsoft-365-vpn-implement-split-tunnel#optimize-ip-address-ranges) through a Trusted IP/VPN may be required to prevent blocks related to "insufficient_claims" or "Instant IP Enforcement check failed".
 
-Networks where egress IP addresses may change frequently or are shared may affect Azure AD Conditional Access and Continues Access Evaluation (CAE). This variability can affect how these features work, and their recommended configurations.
 
 The following table summarizes Conditional Access and CAE feature behaviors and recommendations for different types of network deployments: 
 
diff --git a/articles/active-directory/develop/active-directory-optional-claims.md b/articles/active-directory/develop/active-directory-optional-claims.md
@@ -234,7 +234,7 @@ Within the SAML tokens, these claims will be emitted with the following URI form
 
 ## Configuring groups optional claims
 
-This section covers the configuration options under optional claims for changing the group attributes used in group claims from the default group objectID to attributes synced from on-premises Windows Active Directory. You can configure groups optional claims for your application through the UI or application manifest.
+This section covers the configuration options under optional claims for changing the group attributes used in group claims from the default group objectID to attributes synced from on-premises Windows Active Directory. You can configure groups optional claims for your application through the UI or application manifest. Group optional claims are only emitted in the JWT for **user principals**. **Service principals** _will not_ have group optional claims emitted in the JWT.
 
 > [!IMPORTANT]
 > Azure AD limits the number of groups emitted in a token to 150 for SAML assertions and 200 for JWT, including nested groups.  For more information on group limits and important caveats for group claims from on-premises attributes, see [Configure group claims for applications with Azure AD](../hybrid/how-to-connect-fed-group-claims.md).
diff --git a/articles/aks/api-server-vnet-integration.md b/articles/aks/api-server-vnet-integration.md
@@ -130,17 +130,20 @@ az group create -l <location> -n <resource-group>
 ```azurecli-interactive
 # Create the virtual network
 az network vnet create -n <vnet-name> \
+    -g <resource-group> \
     -l <location> \
     --address-prefixes 172.19.0.0/16
 
 # Create an API server subnet
-az network vnet subnet create --vnet-name <vnet-name> \
+az network vnet subnet create -g <resource-group> \
+    --vnet-name <vnet-name> \
     --name <apiserver-subnet-name> \
     --delegations Microsoft.ContainerService/managedClusters \
     --address-prefixes 172.19.0.0/28
 
 # Create a cluster subnet
-az network vnet subnet create --vnet-name <vnet-name> \
+az network vnet subnet create -g <resource-group> \
+    --vnet-name <vnet-name> \
     --name <cluster-subnet-name> \
     --address-prefixes 172.19.1.0/24
 ```
@@ -149,7 +152,7 @@ az network vnet subnet create --vnet-name <vnet-name> \
 
 ```azurecli-interactive
 # Create the identity
-az identity create -n <managed-identity-name> -l <location>
+az identity create -g <resource-group> -n <managed-identity-name> -l <location>
 
 # Assign Network Contributor to the API server subnet
 az role assignment create --scope <apiserver-subnet-resource-id> \
diff --git a/articles/aks/azure-cni-overlay.md b/articles/aks/azure-cni-overlay.md
@@ -47,7 +47,7 @@ Like Azure CNI Overlay, Kubenet assigns IP addresses to pods from an address spa
 | Cluster scale                | 1000 nodes and 250 pods/node                                     | 400 nodes and 250 pods/node                                                   |
 | Network configuration        | Simple - no additional configuration required for pod networking | Complex - requires route tables and UDRs on cluster subnet for pod networking |
 | Pod connectivity performance | Performance on par with VMs in a VNet                            | Additional hop adds minor latency                                             |
-| Kubernetes Network Policies  | Azure Network Policies, Calico                                   | Calico                                                                        |
+| Kubernetes Network Policies  | Azure Network Policies, Calico, Cilium                           | Calico                                                                        |
 | OS platforms supported       | Linux and Windows                                                | Linux only                                                                    |
 
 ## IP address planning
diff --git a/articles/aks/configure-azure-cni.md b/articles/aks/configure-azure-cni.md
@@ -26,6 +26,7 @@ This article shows you how to use Azure CNI networking to create and use a virtu
 * The cluster identity used by the AKS cluster must have at least [Network Contributor](../role-based-access-control/built-in-roles.md#network-contributor) permissions on the subnet within your virtual network. If you wish to define a [custom role](../role-based-access-control/custom-roles.md) instead of using the built-in Network Contributor role, the following permissions are required:
   * `Microsoft.Network/virtualNetworks/subnets/join/action`
   * `Microsoft.Network/virtualNetworks/subnets/read`
+  * `Microsoft.Authorization/roleAssignments/write`
 * The subnet assigned to the AKS node pool cannot be a [delegated subnet](../virtual-network/subnet-delegation-overview.md).
 * AKS doesn't apply Network Security Groups (NSGs) to its subnet and will not modify any of the NSGs associated with that subnet. If you provide your own subnet and add NSGs associated with that subnet, you must ensure the security rules in the NSGs allow traffic within the node CIDR range. For more details, see [Network security groups][aks-network-nsg].
 
diff --git a/articles/aks/custom-node-configuration.md b/articles/aks/custom-node-configuration.md
@@ -134,7 +134,7 @@ Create a `linuxosconfig.json` file with the following contents:
 Create a new cluster specifying the kubelet and OS configurations using the JSON files created in the previous step. 
 
 > [!NOTE]
-> When you create a cluster, you can specify the kubelet configuration, OS configuration, or both. If you specify a configuration when creating a cluster, only the nodes in the initial node pool will have that configuration applied. Any settings not configured in the JSON file will retain the default value.
+> When you create a cluster, you can specify the kubelet configuration, OS configuration, or both. If you specify a configuration when creating a cluster, only the nodes in the initial node pool will have that configuration applied. Any settings not configured in the JSON file will retain the default value. CustomKubeletConfig or CustomLinuxOsConfig isn't supported for OS type: Windows.
 
 ```azurecli
 az aks create --name myAKSCluster --resource-group myResourceGroup --kubelet-config ./kubeletconfig.json --linux-os-config ./linuxosconfig.json
diff --git a/articles/aks/web-app-routing.md b/articles/aks/web-app-routing.md
@@ -223,6 +223,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: aks-helloworld  
+  namespace: hello-web-app-routing
 spec:
   replicas: 1
   selector:
@@ -252,6 +253,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: aks-helloworld
+  namespace: hello-web-app-routing
 spec:
   type: ClusterIP
   ports:
@@ -524,4 +526,4 @@ When the Web Application Routing add-on is disabled, some Kubernetes resources m
 [kubectl-delete]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#delete
 [kubectl-logs]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#logs
 [ingress]: https://kubernetes.io/docs/concepts/services-networking/ingress/
-[ingress-resource]: https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource
+[ingress-resource]: https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource
diff --git a/articles/batch/batch-automatic-scaling.md b/articles/batch/batch-automatic-scaling.md
@@ -197,19 +197,25 @@ You can use these predefined **functions** when defining an autoscale formula.
 | Function | Return type | Description |
 | --- | --- | --- |
 | avg(doubleVecList) |double |Returns the average value for all values in the doubleVecList. |
+| ceil(double) |double |Returns the smallest integer value not less than the double. |
+| ceil(doubleVecList) |doubleVec |Returns the component-wise `ceil` of the doubleVecList. |
+| floor(double) |double |Returns the largest integer value not greater than the double. |
+| floor(doubleVecList) |doubleVec |Returns the component-wise `floor` of the doubleVecList. |
 | len(doubleVecList) |double |Returns the length of the vector that is created from the doubleVecList. |
 | lg(double) |double |Returns the log base 2 of the double. |
-| lg(doubleVecList) |doubleVec |Returns the component-wise log base 2 of the doubleVecList. A vec(double) must be explicitly passed for the parameter. Otherwise, the double lg(double) version is assumed. |
+| lg(doubleVecList) |doubleVec |Returns the component-wise `lg` of the doubleVecList. |
 | ln(double) |double |Returns the natural log of the double. |
-| ln(doubleVecList) |doubleVec |Returns the natural log of the double. |
+| ln(doubleVecList) |doubleVec |Returns the component-wise `ln` of the doubleVecList. |
 | log(double) |double |Returns the log base 10 of the double. |
-| log(doubleVecList) |doubleVec |Returns the component-wise log base 10 of the doubleVecList. A vec(double) must be explicitly passed for the single double parameter. Otherwise, the double log(double) version is assumed. |
+| log(doubleVecList) |doubleVec |Returns the component-wise `log` of the doubleVecList. |
 | max(doubleVecList) |double |Returns the maximum value in the doubleVecList. |
 | min(doubleVecList) |double |Returns the minimum value in the doubleVecList. |
 | norm(doubleVecList) |double |Returns the two-norm of the vector that is created from the doubleVecList. |
 | percentile(doubleVec v, double p) |double |Returns the percentile element of the vector v. |
 | rand() |double |Returns a random value between 0.0 and 1.0. |
 | range(doubleVecList) |double |Returns the difference between the min and max values in the doubleVecList. |
+| round(double) |double |Returns the nearest integer value to the double (in floating-point format), rounding halfway cases away from zero. |
+| round(doubleVecList) |doubleVec |Returns the component-wise `round` of the doubleVecList. |
 | std(doubleVecList) |double |Returns the sample standard deviation of the values in the doubleVecList. |
 | stop() | |Stops evaluation of the autoscaling expression. |
 | sum(doubleVecList) |double |Returns the sum of all the components of the doubleVecList. |
diff --git a/articles/cosmos-db/role-based-access-control.md b/articles/cosmos-db/role-based-access-control.md
@@ -118,4 +118,4 @@ Update-AzCosmosDBAccount -ResourceGroupName [ResourceGroupName] -Name [CosmosDBA
 - [What is Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md)
 - [Azure custom roles](../role-based-access-control/custom-roles.md)
 - [Azure Cosmos DB resource provider operations](../role-based-access-control/resource-provider-operations.md#microsoftdocumentdb)
-- [Configure role-based access control for your Azure Cosmso DB for MongoDB](mongodb/how-to-setup-rbac.md)
+- [Configure role-based access control for your Azure Cosmos DB for MongoDB](mongodb/how-to-setup-rbac.md)
diff --git a/articles/defender-for-cloud/defender-for-storage-introduction.md b/articles/defender-for-cloud/defender-for-storage-introduction.md
@@ -23,6 +23,13 @@ Defender for Storage doesn't access the Storage account data and has no impact o
 You can learn more by watching this video from the Defender for Cloud in the Field video series:
 - [Defender for Storage in the field](episode-thirteen.md)
 
+> [!NOTE]
+> Microsoft Defender for Storage customers can now choose to move to a new predictable pricing plan. The pricing model is per-storage account, where high-volume transactions may incur additional overage charges. This new pricing plan will also include all new security features and detections.
+>
+> Customers using the legacy per-transaction pricing plan need to migrate to the new per-storage account plan to access these new features and pricing. The legacy per-transaction pricing plan charges are based on the number of analyzed transactions in the storage account.
+>
+> For further details, please refer to the [Microsoft Defender for Storage FAQ](../storage/common/azure-defender-storage-configure.md#faq---microsoft-defender-for-storage-pricing).
+
 ## Availability
 
 |Aspect|Details|
@@ -114,7 +121,7 @@ To optimize costs, you might want to exclude specific Storage accounts associate
 
 ### Can I exclude a specific Azure Storage account from a protected subscription? 
 
-To exclude a specific Storage account when Defender for Storage is enabled on a subscription, follow the instructions in [Exclude a storage account from Microsoft Defender for Storage protections](defender-for-storage-exclude.md). 
+Excluding specific storage accounts from protection is only possible on the per-transaction pricing plan. The per-storage account pricing plan will support exclusion in the future. To exclude a storage account, follow instructions in [Exclude a storage account from a protected subscription in the per-transaction plan](defender-for-storage-exclude.md).
 
 ### How do I configure automatic responses for security alerts? 
 
diff --git a/articles/firewall/forced-tunneling.md b/articles/firewall/forced-tunneling.md
@@ -18,7 +18,7 @@ Some customers prefer not to expose a public IP address directly to the Internet
 Azure Firewall provides automatic SNAT for all outbound traffic to public IP addresses. Azure Firewall doesn’t SNAT when the destination IP address is a private IP address range per IANA RFC 1918. This logic works perfectly when you egress directly to the Internet. However, with forced tunneling enabled, Internet-bound traffic is SNATed to one of the firewall private IP addresses in the AzureFirewallSubnet. This hides the source address from your on-premises firewall. You can configure Azure Firewall to not SNAT regardless of the destination IP address by adding *0.0.0.0/0* as your private IP address range. With this configuration, Azure Firewall can never egress directly to the Internet. For more information, see [Azure Firewall SNAT private IP address ranges](snat-private-range.md).
 
 > [!IMPORTANT]
-> If you deploy a Secured Virtual Hub in forced tunnel mode, advertising the default route over Express Route or VPN Gateway is not currently supported. A fix is being investigated.
+> If you deploy Azure Firewall inside of a Virtual WAN Hub (Secured Virtual Hub), advertising the default route over Express Route or VPN Gateway is not currently supported. A fix is being investigated.
 
 ## Forced tunneling configuration
 
diff --git a/articles/iot-dps/quick-create-simulated-device-tpm.md b/articles/iot-dps/quick-create-simulated-device-tpm.md
@@ -220,13 +220,12 @@ In this section, you'll build and run the TPM simulator. This simulator listens
 
     ```cmd/sh
     npm install node-gyp -g
-    npm install ffi -g
+    npm install ffi-napi -g
     ```
-
     > [!NOTE]
-    > There are some known issues to installing the above packages. To resolve these issues, run `npm install --global --production windows-build-tools` using a command prompt in **Run as administrator** mode, run `SET VCTargetsPath=C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\V140` after replacing the path with your installed version, and then rerun the above installation commands.
+    > There are some known issues to installing the above packages. To resolve these issues, run `npm install --global --production windows-build-tools` using a command prompt in **Run as administrator** mode, run `SET VCTargetsPath=C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\V140` after replacing the path with your installed version, and then rerun the above installation commands. 
     >
-
+    
 5. Install all required packages running the following command at your command prompt in the **registerdevice** folder:
 
     ```cmd/sh
diff --git a/articles/storage/blobs/point-in-time-restore-overview.md b/articles/storage/blobs/point-in-time-restore-overview.md
diff --git a/articles/storage/common/azure-defender-storage-configure.md b/articles/storage/common/azure-defender-storage-configure.md
diff --git a/articles/virtual-machines/disks-benchmarks.md b/articles/virtual-machines/disks-benchmarks.md
diff --git a/articles/virtual-network/virtual-network-test-latency.md b/articles/virtual-network/virtual-network-test-latency.md
