Merge pull request #252455 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)

Author: Taojunshen

articles/active-directory-b2c/troubleshoot.md

@@ -29,12 +29,12 @@ This error occurs when the [self-service password reset experience](add-password
 
 There are 2 solutions to this problem:  
   - Respond back with a new authentication request using Azure AD B2C password reset user flow.
-  - Use recommended [self service password resect (SSPR) experience](add-password-reset-policy.md#self-service-password-reset-recommended).  
+  - Use recommended [self service password reset (SSPR) experience](add-password-reset-policy.md#self-service-password-reset-recommended).  
 
 
 ## User canceled the operation
 Azure AD B2C service can also return an error to your application when a user cancels an operation. The following are examples of scenarios where a user performs a cancel operation: 
--  A user policy uses the recommended [self service password resect (SSPR) experience](add-password-reset-policy.md#self-service-password-reset-recommended) with a consumer local account. The user selects the **Forgot your password?** link , and then selects **Cancel** button before the user flow experience completes. In this case, Azure AD B2C service returns error code `AADB2C90091` to your application. 
+-  A user policy uses the recommended [self service password reset (SSPR) experience](add-password-reset-policy.md#self-service-password-reset-recommended) with a consumer local account. The user selects the **Forgot your password?** link , and then selects **Cancel** button before the user flow experience completes. In this case, Azure AD B2C service returns error code `AADB2C90091` to your application. 
 - A user chooses to authenticate with an external identity provider such as [LinkedIn](identity-provider-linkedin.md). The user select **Cancel** button before authenticating to the identity provider itself. In this case, Azure AD B2C service returns error code `AADB2C90273` to your application. Learn more about [error codes Azure Active Directory B2C service return](error-codes.md).
 
 To handle this error, fetch the **error description** for the user and respond back with a new authentication request using the same user flow. 

articles/active-directory/develop/custom-extension-get-started.md

@@ -408,7 +408,7 @@ The following JSON snippet demonstrates how to configure these properties.
 
 ## Step 4: Assign a custom claims provider to your app
 
-For tokens to be issued with claims incoming from the custom authentication extension, you must assign a custom claims provider to your application. The custom claims provider relies on the custom authentication extension configured with the **token issuance start** event listener. You can choose whether all, or a subset of claims, from the custom claims provider are mapped into the token.
+For tokens to be issued with claims incoming from the custom authentication extension, you must assign a custom claims provider to your application. This is based on the token audience, so the provider must be assgined to the client application to receive claims in an ID token, and to the resource application to receive claims in an access token. The custom claims provider relies on the custom authentication extension configured with the **token issuance start** event listener. You can choose whether all, or a subset of claims, from the custom claims provider are mapped into the token.
 
 Follow these steps to connect the *My Test application* with your custom authentication extension:
 

articles/active-directory/workload-identities/workload-identity-federation.md

@@ -28,7 +28,7 @@ Watch this video to learn why you would use workload identity federation.
 
 Typically, a software workload (such as an application, service, script, or container-based application) needs an identity in order to authenticate and access resources or communicate with other services.  When these workloads run on Azure, you can use [managed identities](../managed-identities-azure-resources/overview.md) and the Azure platform manages the credentials for you.  You can only use managed identities, however, for software workloads running in Azure.  For a software workload running outside of Azure, you need to use application credentials (a secret or certificate) to access Microsoft Entra ID protected resources (such as Azure, Microsoft Graph, Microsoft 365, or third-party resources).  These credentials pose a security risk and have to be stored securely and rotated regularly. You also run the risk of service downtime if the credentials expire.
 
-You use workload identity federation to configure an [user-assigned managed identity](../managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) or [app registration](../develop/app-objects-and-service-principals.md) in Microsoft Entra ID to trust tokens from an external identity provider (IdP), such as GitHub or Google. The user-assigned managed identity or app registration in Microsoft Entra ID becomes an identity for software workloads running, for example, in on-premises Kubernetes or GitHub Actions workflows. Once that trust relationship is created, your external software workload exchanges trusted tokens from the external IdP for access tokens from Microsoft identity platform.  Your software workload uses that access token to access the Microsoft Entra ID protected resources to which the workload has been granted access. You eliminate the maintenance burden of manually managing credentials and eliminates the risk of leaking secrets or having certificates expire.
+You use workload identity federation to configure a [user-assigned managed identity](../managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) or [app registration](../develop/app-objects-and-service-principals.md) in Microsoft Entra ID to trust tokens from an external identity provider (IdP), such as GitHub or Google. The user-assigned managed identity or app registration in Microsoft Entra ID becomes an identity for software workloads running, for example, in on-premises Kubernetes or GitHub Actions workflows. Once that trust relationship is created, your external software workload exchanges trusted tokens from the external IdP for access tokens from Microsoft identity platform.  Your software workload uses that access token to access the Microsoft Entra ID protected resources to which the workload has been granted access. You eliminate the maintenance burden of manually managing credentials and eliminates the risk of leaking secrets or having certificates expire.
 
 ## Supported scenarios
 

articles/ai-services/computer-vision/whats-new.md

@@ -17,6 +17,15 @@ ms.author: pafarley
 
 Learn what's new in the service. These items may be release notes, videos, blog posts, and other types of information. Bookmark this page to stay up to date with new features, enhancements, fixes, and documentation updates.
 
+## September 2023
+
+### Deprecation of outdated Computer Vision API versions
+
+Computer Vision API versions 1.0, 2.0, 3.0, and 3.1 will be retired on September 13, 2026. Developers won’t be able to make API calls to these APIs after that date.
+We recommend that all affected customers migrate their workloads to the generally available Computer Vision 3.2 API by following this [QuickStart](/azure/ai-services/computer-vision/quickstarts-sdk/image-analysis-client-library?tabs=linux%2Cvisual-studio&pivots=programming-language-rest-api) at their earliest convenience. Customers should also consider migrating to [Image Analysis 4.0 API (preview)](/azure/ai-services/computer-vision/quickstarts-sdk/image-analysis-client-library-40?tabs=visual-studio%2Clinux&pivots=programming-language-python), which has our latest and greatest Image Analysis capabilities. 
+
+Visit our [Q&A](/answers/tags/127/azure-computer-vision) for any questions.
+
 ## May 2023
 
 ### Image Analysis 4.0 Product Recognition (public preview)

articles/azure-vmware/migrate-sql-server-standalone-cluster.md

@@ -11,7 +11,7 @@ ms.custom: engagement-fy23
 
 # Migrate a SQL Server standalone instance to Azure VMware Solution
 
-In this article, you learn how to migrate a SQL Server Standalone to Azure VMware Solution. 
+In this article, you learn how to migrate a SQL Server standalone instance to Azure VMware Solution. 
 
 When migrating a SQL Server standalone instance to Azure VMware Solution, VMware HCX offers two migration profiles:
 
@@ -39,7 +39,7 @@ This scenario was validated using the following editions and configurations:
 - Remove all cluster node VMs from any Distributed Resource Scheduler (DRS) groups and rules. 
 
 - Configure VMware HCX between your on-premises datacenter and the Azure VMware Solution private cloud that runs the migrated workloads. For more information about configuring VMware HCX, see [Azure VMware Solution documentation](install-vmware-hcx.md).
-- Ensure that all the network segments in use by the SQL Server are extended into your Azure VMware Solution private cloud. To verify this step in the procedure, see [Configure VMware HCX network extension](configure-hcx-network-extension.md).
+- Ensure that all the network segments in use by the SQL Server and workloads using it are extended into your Azure VMware Solution private cloud. To verify this step in the process, see [Configure VMware HCX network extension](configure-hcx-network-extension.md).
 
 Either VMware HCX over VPN or ExpressRoute connectivity can be used as the networking configuration for the migration. 
 
@@ -52,7 +52,7 @@ Further downtime considerations are discussed in the next section.
 ## Downtime considerations
 
 Downtime during a migration depends on the size of the database to be migrated and the speed of the private network connection to Azure cloud.
-Migration of the Microsoft SQL Server Standalone instance using the VMware HCX vMotion mechanism is intended to minimize the solution downtime, however we still recommend the migration take place during off-peak hours with a pre-approved change window.
+Migration of a  SQL Server standalone instance using the VMware HCX vMotion mechanism is intended to minimize the solution downtime, however we still recommend the migration take place during off-peak hours within an pre-approved change window.
 
 This table indicates the estimated downtime for migration of each SQL Server topology.
 

articles/azure-vmware/toc.yml

@@ -191,11 +191,11 @@ items:
     href: deploy-vsan-stretched-clusters.md
   - name: Migrate Microsoft SQL Server workloads
     items:
-    - name: Migrate Microsoft SQL Server Standalone to Azure VMware Solution
+    - name: Migrate a SQL Server standalone instance to Azure VMware Solution
       href: migrate-sql-server-standalone-cluster.md
     - name: Migrate SQL Server failover cluster to Azure VMware Solution
       href: migrate-sql-server-failover-cluster.md
-    - name: Migrate Microsoft SQL Server Always-On cluster to Azure VMware Solution
+    - name: Migrate Microsoft SQL Server Always-On Availability Group to Azure VMware Solution
       href: migrate-sql-server-always-on-availability-group.md
   - name: Move resources
     items:

articles/service-fabric/how-to-managed-cluster-vmss-extension.md

@@ -14,6 +14,7 @@ ms.date: 07/11/2022
 Each node type in a Service Fabric managed cluster is backed by a virtual machine scale set. This enables you to add [virtual machine scale set extensions](../virtual-machines/extensions/overview.md) to your Service Fabric managed cluster node types. Extensions are small applications that provide post-deployment configuration and automation on Azure VMs. The Azure platform hosts many extensions covering VM configuration, monitoring, security, and utility applications. Publishers take an application, wrap it into an extension, and simplify the installation. All you need to do is provide mandatory parameters. 
 
 ## Add a virtual machine scale set extension
+
 You can add a virtual machine scale set extension to a Service Fabric managed cluster node type using the [Add-AzServiceFabricManagedNodeTypeVMExtension](/powershell/module/az.servicefabric/add-azservicefabricmanagednodetypevmextension) PowerShell command.
 
 Alternately, you can add a virtual machine scale set extension on a Service Fabric managed cluster node type in your Azure Resource Manager template, for example:
@@ -29,22 +30,21 @@ Alternately, you can add a virtual machine scale set extension on a Service Fabr
   "location": "[resourceGroup().location]",
   "properties": {
     "isPrimary": true,
-    "vmInstanceCount": 3,
-    "dataDiskSizeGB": 100,
-    "vmSize": "Standard_D2",
-    "vmImagePublisher": "MicrosoftWindowsServer",
-    "vmImageOffer": "WindowsServer",
-    "vmImageSku": "2019-Datacenter",
-    "vmImageVersion": "latest",
+    ...
     "vmExtensions": [
       {
-        "name": "ExtensionA",
+        "name": "KvExtension",
         "properties": {
-          "publisher": "ExtensionA.Publisher",
+          "publisher": "Microsoft.Azure.KeyVault",
           "type": "KeyVaultForWindows",
-          "typeHandlerVersion": "1.0",
+          "typeHandlerVersion": "3.0",
           "autoUpgradeMinorVersion": true,
           "settings": {
+            "secretsManagementSettings": {
+              "observedCertificates": [
+                ...
+              ]
+            }
           }
         }
       }
@@ -55,6 +55,78 @@ Alternately, you can add a virtual machine scale set extension on a Service Fabr
 
 For more information on configuring Service Fabric managed cluster node types, see [managed cluster node type](/azure/templates/microsoft.servicefabric/2022-01-01/managedclusters/nodetypes).
 
+## How to provision before Service Fabric runtime
+To provision extensions before the Service Fabric runtime starts, you can use the `setupOrder` parameter with the value `BeforeSFRuntime` in the extension properties for each extension as needed. This allows you to set up the environment and dependencies before the runtime and applications begin running on the node. See the example below for clarification:
+
+>[!NOTE]
+> It's essential to note that if an extension marked with `BeforeSFRuntime` fails, it will prevent the Service Fabric runtime from starting. Consequently, the node will be down from the Service Fabric perspective. Therefore, it is crucial to maintain these extensions with correct configurations and promptly address any issues that may arise to ensure the health of nodes within the cluster.
+
+### Requirements
+Use Service Fabric API version `2023-09-01-preview` or later.
+
+### ARM Template example:
+```json
+{
+  "type": "Microsoft.ServiceFabric/managedclusters/nodetypes",
+  "apiVersion": "2023-09-01-preview",
+  "name": "[concat(parameters('clusterName'), '/', parameters('nodeTypeName'))]",
+  "properties": {
+    "isPrimary": true,
+    ...
+    "vmExtensions": [
+        {
+            "name": "KvExtension",
+            "properties": {
+                "setupOrder": [
+                    "BeforeSFRuntime"
+                ],
+                "provisionAfterExtensions" [ "GenevaMonitoringExtension" ],
+                "publisher": "Microsoft.Azure.KeyVault",
+                "type": "KeyVaultForWindows",
+                "typeHandlerVersion": "3.0",
+                "autoUpgradeMinorVersion": true,
+                "settings": {
+                "secretsManagementSettings": {
+                  "observedCertificates": [
+                    ...
+                  ]
+                }
+              }
+            }
+        },
+        {
+          "name": "GenevaMonitoringExtension",
+          "properties": {
+              "setupOrder": [
+                    "BeforeSFRuntime"
+                ],
+              "autoUpgradeMinorVersion": true,
+              "enableAutomaticUpgrade": true,
+              "publisher": "Microsoft.Azure.Geneva",
+              "type": "GenevaMonitoring",
+              "typeHandlerVersion": "2.40",
+              "settings": {
+                "configurations": [
+                  {
+                    "ServiceArguments": {
+                      ...
+                    },
+                    "UserArguments": {
+                      ...
+                    }
+                  }
+                ]
+              }
+          }
+      }
+    ]
+  }
+}
+```
+
+>[!NOTE]
+> Special handling for AzureDiskEncryption (ADE) extension: ADE needs to run before the Service Fabric runtime to ensures that the disk is decrypted after a reimage operations, allowing the Service Fabric runtime to start using it. Even if the extension is not explicitly marked with `BeforeSFRuntime`, it will run before the runtime. But note that enabling encryption at host is recommended over using ADE extension. For detailed instructions, refer to [Enable encryption at host](how-to-managed-cluster-enable-disk-encryption.md#enable-encryption-at-host).
+
 ## Next steps
 
 To learn more about Service Fabric managed clusters, see: