Merge pull request #159053 from MicrosoftDocs/master

5/17 AM Publish

Author: huypub

.openpublishing.redirection.json

@@ -230,10 +230,13 @@
       "redirect_url": "/previous-versions/azure/virtual-machines/windows/tutorial-govern-resources",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/container-registry/container-registry-diagnostics-audit-logs.md",
+      "redirect_url": "/azure/container-registry/monitor-service",
+    },
     {
       "source_path": "articles/confidential-computing/how-to-fortanix-enclave-manager.md",
       "redirect_url": "/azure/confidential-computing/how-to-fortanix-confidential-computing-manager-node-agent",
-      "redirect_document_id": false
     },
     {
       "source_path": "articles/azure-percept/advanced-development-cloud.md",
@@ -23282,27 +23285,22 @@
     },
     {
       "source_path_from_root": "/articles/iot-central/howto-version-devicetemplate.md",
-      "redirect_url": "/azure/iot-central/core/howto-version-device-template",
-      "redirect_document_id": true
-    },
-    {
-      "source_path_from_root": "/articles/iot-central/core/howto-version-device-template-pnp.md",
-      "redirect_url": "/azure/iot-central/core/howto-version-device-template/",
+      "redirect_url": "/azure/iot-central/core/howto-edit-device-template",
       "redirect_document_id": false
     },
     {
-      "source_path_from_root": "/articles/iot-central/howto-version-device-template.md",
-      "redirect_url": "/azure/iot-central/core/howto-version-device-template/",
+      "source_path_from_root": "/articles/iot-central/core/howto-version-device-template-pnp.md",
+      "redirect_url": "/azure/iot-central/core/howto-edit-device-template",
       "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/iot-central/howto-version-device-template-pnp.md",
-      "redirect_url": "/azure/iot-central/core/howto-version-device-template/",
+      "redirect_url": "/azure/iot-central/core/howto-edit-device-template",
       "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/iot-central/preview/howto-version-device-template.md",
-      "redirect_url": "/azure/iot-central/core/howto-version-device-template/",
+      "redirect_url": "/azure/iot-central/core/howto-edit-device-template",
       "redirect_document_id": false
     },
     {
@@ -24050,6 +24048,11 @@
       "redirect_url": "/azure/iot-central/",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/iot-central/core/howto-version-device-template.md",
+      "redirect_url": "/azure/iot-central/core/howto-edit-device-template",
+      "redirect_document_id": true
+    },
     {
       "source_path_from_root": "/articles/iot-hub/iot-hub-arduino-huzzah-esp8266-get-started.md",
       "redirect_url": "/azure/iot-hub/",

articles/active-directory/app-proxy/what-is-application-proxy.md

@@ -179,7 +179,7 @@ Up to this point, we've focused on using Application Proxy to publish on-premise
 
 * **Securely publish REST APIs**. When you have business logic or APIs running on-premises or hosted on virtual machines in the cloud, Application Proxy provides a public endpoint for API access. API endpoint access lets you control authentication and authorization without requiring incoming ports. It provides additional security through Azure AD Premium features such as multi-factor authentication and device-based Conditional Access for desktops, iOS, MAC, and Android devices using Intune. To learn more, see [How to enable native client applications to interact with proxy applications](../manage-apps/application-proxy-configure-native-client-application.md) and [Protect an API by using OAuth 2.0 with Azure Active Directory and API Management](../../api-management/api-management-howto-protect-backend-with-aad.md).
 * **Remote Desktop Services** **(RDS)**. Standard RDS deployments require open inbound connections. However, the [RDS deployment with Application Proxy](../manage-apps/application-proxy-integrate-with-remote-desktop-services.md) has a permanent outbound connection from the server running the connector service. This way, you can offer more applications to end users by publishing on-premises applications through Remote Desktop Services. You can also reduce the attack surface of the deployment with a limited set of two-step verification and Conditional Access controls to RDS.
-* **Publish applications that connect using WebSockets**. Support with [Qlik Sense](../manage-apps/application-proxy-qlik.md) is in Public Preview and will be expanded to other apps in the future.
+* **Publish applications that connect using WebSockets**. Support with [Qlik Sense](/azure/active-directory/app-proxy/application-proxy-qlik) is in Public Preview and will be expanded to other apps in the future.
 * **Enable native client applications to interact with proxy applications**. You can use Azure AD Application Proxy to publish web apps, but it also can be used to publish [native client applications](../manage-apps/application-proxy-configure-native-client-application.md) that are configured with the Azure AD Authentication Library (ADAL). Native client applications differ from web apps because they're installed on a device, while web apps are accessed through a browser.
 
 ## Conclusion

articles/active-directory/authentication/concept-authentication-passwordless.md

@@ -143,7 +143,7 @@ The following providers offer FIDO2 security keys of different form factors that
 > [!NOTE]
 > If you purchase and plan to use NFC-based security keys, you need a supported NFC reader for the security key. The NFC reader isn't an Azure requirement or limitation. Check with the vendor for your NFC-based security key for a list of supported NFC readers.
 
-If you're a vendor and want to get your device on this list of supported devices, contact [Fido2Request@Microsoft.com](mailto:Fido2Request@Microsoft.com).
+If you're a vendor and want to get your device on this list of supported devices, check out our guidance on how to [become a Microsoft-compatible FIDO2 security key vendor](https://docs.microsoft.com/security/zero-trust/isv/fido2-hardware-vendor).
 
 To get started with FIDO2 security keys, complete the following how-to:
 

articles/active-directory/reports-monitoring/howto-download-logs.md

@@ -12,7 +12,7 @@ ms.service: active-directory
 ms.topic: how-to
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 05/05/2021
+ms.date: 05/14/2021
 ms.author: markvi
 ms.reviewer: besiler 
 
@@ -57,6 +57,8 @@ This article explains how to download activity logs in Azure AD.
 
 The option to download the data of an activity log is available in all editions of Azure AD.
 
+You can also download activity logs using Microsoft Graph; however, downloading logs grammatically requires a premium incense.
+
 
 ## Who can do it?
 

articles/aks/cluster-container-registry-integration.md

@@ -147,7 +147,7 @@ nginx0-deployment-669dfc4d4b-xdpd6   1/1     Running   0          20s
 
 ### Troubleshooting
 * Run the [az aks check-acr](/cli/azure/aks#az_aks_check_acr) command to validate that the registry is accessible from the AKS cluster.
-* Learn more about [ACR Diagnostics](../container-registry/container-registry-diagnostics-audit-logs.md)
+* Learn more about [ACR Monitoring](../container-registry/monitor-service.md)
 * Learn more about [ACR Health](../container-registry/container-registry-check-health.md)
 
 <!-- LINKS - external -->

articles/api-management/api-management-howto-policies.md

@@ -72,7 +72,7 @@ See [Policy samples](./policy-reference.md) for more code examples.
 
 ### Apply policies specified at different scopes
 
-If you have a policy at the global level and a policy configured for an API, then whenever that particular API is used both policies will be applied. API Management allows for deterministic ordering of combined policy statements via the base element. 
+If you have a policy at the global level and a policy configured for an API, then whenever that particular API is used both policies will be applied. API Management allows for deterministic ordering of combined policy statements via the `base` element. 
 
 ```xml
 <policies>

articles/api-management/api-management-howto-use-managed-service-identity.md

@@ -11,7 +11,7 @@ ms.service: api-management
 ms.workload: integration
 ms.topic: article
 ms.date: 03/09/2021
-ms.author: apimpm 
+ms.author: apimpm
 ms.custom: devx-track-azurepowershell
 ---
 
@@ -40,7 +40,7 @@ To set up a managed identity in the Azure portal, you'll first create an API Man
 
 [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
 
-The following steps walk you through creating an API Management instance and assigning it an identity by using Azure PowerShell. 
+The following steps walk you through creating an API Management instance and assigning it an identity by using Azure PowerShell.
 
 1. If needed, install Azure PowerShell by using the instructions in the [Azure PowerShell guide](/powershell/azure/install-az-ps). Then run `Connect-AzAccount` to create a connection with Azure.
 
@@ -294,7 +294,7 @@ To set up a managed identity in the portal, you'll first create an API Managemen
 
 [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
 
-The following steps walk you through creating an API Management instance and assigning it an identity by using Azure PowerShell. 
+The following steps walk you through creating an API Management instance and assigning it an identity by using Azure PowerShell.
 
 1. If needed, install the Azure PowerShell by using the instructions in the [Azure PowerShell guide](/powershell/azure/install-az-ps). Then run `Connect-AzAccount` to create a connection with Azure.
 
@@ -368,7 +368,7 @@ For example, a complete Azure Resource Manager template might look like the foll
                 "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]": {}
              }
         },
-         "dependsOn": [       
+         "dependsOn": [
           "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]"
         ]
     }]
@@ -397,7 +397,7 @@ The `principalId` property is a unique identifier for the identity that's used f
 ## Supported scenarios using User Assigned Managed Identity
 
 ### <a name="use-ssl-tls-certificate-from-azure-key-vault-ua"></a>Obtain a custom TLS/SSL certificate for the API Management instance from Azure Key Vault
-You can use any user-assigned identity to establish trust between an API Management instance and KeyVault. This trust can then be used to retrieve custom TLS/SSL certificates stored in Azure Key Vault. You can then assign these certificates to custom domains in the API Management instance. 
+You can use any user-assigned identity to establish trust between an API Management instance and KeyVault. This trust can then be used to retrieve custom TLS/SSL certificates stored in Azure Key Vault. You can then assign these certificates to custom domains in the API Management instance.
 
 Keep these considerations in mind:
 
@@ -407,7 +407,7 @@ Keep these considerations in mind:
 > [!Important]
 > If you don't provide the object version of the certificate, API Management will automatically obtain the newer version of the certificate within four hours after it's updated in Key Vault.
 
-For the complete template, see [API Management with KeyVault based SSL using User Assigned Identity](https://github.com/Azure/azure-quickstart-templates/blob/master/101-api-management-key-vault-create/azuredeploy.json).
+For the complete template, see [API Management with KeyVault based SSL using User Assigned Identity](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.apimanagement/api-management-key-vault-create/azuredeploy.json).
 
 In this template, you will deploy:
 

articles/app-service/app-service-ip-restrictions.md

@@ -141,11 +141,11 @@ As part of any rule, you can add additional http header filters. The following h
 * X-Azure-FDID
 * X-FD-HealthProbe
 
-For each header name you can add up to 8 values separated by comma. The http header filters are evaluated after the rule itself and both conditions must be true for the rule to apply.
+For each header name, you can add up to eight values separated by comma. The http header filters are evaluated after the rule itself and both conditions must be true for the rule to apply.
 
 ### Multi-source rules
 
-Multi-source rules allow you to combine up to 8 IP ranges or 8 Service Tags in a single rule. You might use this if you have more than 512 IP ranges or you want to create logical rules where multiple IP ranges are combined with a single http header filter.
+Multi-source rules allow you to combine up to eight IP ranges or eight Service Tags in a single rule. You might use this if you have more than 512 IP ranges or you want to create logical rules where multiple IP ranges are combined with a single http header filter.
 
 Multi-source rules are defined the same way you define single-source rules, but with each range separated with comma.
 
@@ -196,6 +196,9 @@ You can add access restrictions programmatically by doing either of the followin
     --rule-name 'IP example rule' --action Allow --ip-address 122.133.144.0/24 --priority 100
   ```
 
+   > [!NOTE]
+   > Working with service tags, http headers or multi-source rules in Azure CLI requires at least version 2.23.0. You can verify the version of the installed module with: ```az version```
+
 * Use [Azure PowerShell](/powershell/module/Az.Websites/Add-AzWebAppAccessRestrictionRule). For example:
 
 
@@ -204,7 +207,7 @@ You can add access restrictions programmatically by doing either of the followin
       -Name "Ip example rule" -Priority 100 -Action Allow -IpAddress 122.133.144.0/24
   ```
    > [!NOTE]
-   > Working with service tags, http headers or multi-source rules requires at least version 5.7.0. You can verify the version of the installed module with: **Get-InstalledModule -Name Az**
+   > Working with service tags, http headers or multi-source rules in Azure PowerShell requires at least version 5.7.0. You can verify the version of the installed module with: ```Get-InstalledModule -Name Az```
 
 You can also set values manually by doing either of the following:
 

articles/app-service/deploy-resource-manager-template.md

@@ -49,7 +49,7 @@ You deploy resources in the following order:
 
 Typically, your solution includes only some of these resources and tiers. For missing tiers, map lower resources to the next-higher tier.
 
-The following example shows part of a template. The value of the connection string configuration depends on the MSDeploy extension. The MSDeploy extension depends on the web app and database. 
+The following example shows part of a template. The value of the connection string configuration depends on the MSDeploy extension. The MSDeploy extension depends on the web app and database.
 
 ```json
 {
@@ -78,7 +78,7 @@ The following example shows part of a template. The value of the connection stri
 }
 ```
 
-For a ready-to-run sample that uses the code above, see [Template: Build a simple Umbraco Web App](https://github.com/Azure/azure-quickstart-templates/tree/master/umbraco-webapp-simple).
+For a ready-to-run sample that uses the code above, see [Template: Build a simple Umbraco Web App](https://github.com/Azure/azure-quickstart-templates/tree/master/application-workloads/umbraco/umbraco-webapp-simple).
 
 ## Find information about MSDeploy errors
 

articles/app-service/networking/app-gateway-with-service-endpoints.md

@@ -40,7 +40,7 @@ You can now access the App Service through Application Gateway, but if you try t
 ![Screenshot shows the text of an Error 403 - Forbidden.](./media/app-gateway-with-service-endpoints/website-403-forbidden.png)
 
 ## Using Azure Resource Manager template
-The [Resource Manager deployment template][template-app-gateway-app-service-complete] will provision a complete scenario. The scenario consists of an App Service instance locked down with service endpoints and access restriction to only receive traffic from Application Gateway. The template includes many Smart Defaults and unique postfixes added to the resource names for it to be simple. To override them, you'll have to clone the repo or download the template and edit it. 
+The [Resource Manager deployment template][template-app-gateway-app-service-complete] will provision a complete scenario. The scenario consists of an App Service instance locked down with service endpoints and access restriction to only receive traffic from Application Gateway. The template includes many Smart Defaults and unique postfixes added to the resource names for it to be simple. To override them, you'll have to clone the repo or download the template and edit it.
 
 To apply the template you can use the Deploy to Azure button found in the description of the template, or you can use appropriate PowerShell/CLI.
 
@@ -54,7 +54,7 @@ az webapp config access-restriction add --resource-group myRG --name myWebApp --
 In the default configuration, the command will ensure both setup of the service endpoint configuration in the subnet and the access restriction in the App Service.
 
 ## Considerations for ILB ASE
-ILB ASE isn't exposed to the internet and traffic between the instance and an Application Gateway is therefore already isolated to the Virtual Network. The following [how-to guide](../environment/integrate-with-application-gateway.md) configures an ILB ASE and integrates it with an Application Gateway using Azure portal. 
+ILB ASE isn't exposed to the internet and traffic between the instance and an Application Gateway is therefore already isolated to the Virtual Network. The following [how-to guide](../environment/integrate-with-application-gateway.md) configures an ILB ASE and integrates it with an Application Gateway using Azure portal.
 
 If you want to ensure that only traffic from the Application Gateway subnet is reaching the ASE, you can configure a Network security group (NSG) which affect all web apps in the ASE. For the NSG, you are able to specify the subnet IP range and optionally the ports (80/443). Make sure you don't override the [required NSG rules](../environment/network-info.md#network-security-groups) for ASE to function correctly.
 
@@ -63,7 +63,7 @@ To isolate traffic to an individual web app you'll need to use ip-based access r
 ## Considerations for External ASE
 External ASE has a public facing load balancer like multi-tenant App Service. Service endpoints don't work for ASE, and that's why you'll have to use ip-based access restrictions using the public IP of the Application Gateway instance. To create an External ASE using the Azure portal, you can follow this [Quickstart](../environment/create-external-ase.md)
 
-[template-app-gateway-app-service-complete]: https://github.com/Azure/azure-quickstart-templates/tree/master/201-web-app-with-app-gateway-v2/ "Azure Resource Manager template for complete scenario"
+[template-app-gateway-app-service-complete]: https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/web-app-with-app-gateway-v2/ "Azure Resource Manager template for complete scenario"
 
 ## Considerations for kudu/scm site
 The scm site, also known as kudu, is an admin site, which exists for every web app. It isn't possible to reverse proxy the scm site and you most likely also want to lock it down to individual IP addresses or a specific subnet.