Merge pull request #196265 from MicrosoftDocs/main

Merge Main to Live, 4 AM

Author: PMEds28

.openpublishing.redirection.defender-for-iot.json

@@ -1,5 +1,10 @@
 {
     "redirections": [
+        {
+            "source_path_from_root": "/articles/defender-for-iot/organizations/how-to-identify-required-appliances.md",
+            "redirect_url": "/azure/defender-for-iot/organizations/ot-appliance-sizing",
+            "redirect_document_id": false
+        },
         {
             "source_path_from_root": "/articles/defender-for-iot/organizations/resources-manage-proprietary-protocols.md",
             "redirect_url": "/azure/defender-for-iot/organizations/overview#extend-support-to-proprietary-protocols",

articles/active-directory/fundamentals/recover-from-deletions.md

@@ -21,17 +21,17 @@ This article addresses recovering from soft and hard deletions in your Azure AD
 
 ## Monitor for deletions
 
-The [Azure AD Audit Log](../reports-monitoring/concept-audit-logs.md) contains information on all delete operations performed in your tenant. We recommend that you export these logs to a security information and event management (SIEM) tool such as [Microsoft Sentinel](../../sentinel/overview.md). You can also use Microsoft Graph to audit changes and build a custom solution to monitor differences over time. For more information on finding deleted items using Microsoft Graph, see [List deleted items - Microsoft Graph v1.0. ](/graph/api/directory-deleteditems-list?view=graph-rest-1.0&tabs=http)
+The [Azure AD Audit Log](../reports-monitoring/concept-audit-logs.md) contains information on all delete operations performed in your tenant. We recommend that you export these logs to a security information and event management (SIEM) tool such as [Microsoft Sentinel](../../sentinel/overview.md). You can also use Microsoft Graph to audit changes and build a custom solution to monitor differences over time. For more information on finding deleted items using Microsoft Graph, see [List deleted items - Microsoft Graph v1.0. ](/graph/api/directory-deleteditems-list?tabs=http)
 
 ### Audit log 
 
-The Audit Log always records a “Delete <object>” event when an object in the tenant is removed from an active state by either a soft or hard deletion.
+The Audit Log always records a "Delete \<object\>" event when an object in the tenant is removed from an active state by either a soft or hard deletion.
 
 [![Screenshot of audit log showing deletions](./media/recoverability/delete-audit-log.png)](./media/recoverability/delete-audit-log.png#lightbox)
 
 
 
-A delete event for applications, users, and Microsoft 365 Groups is a soft delete. For any other object type, it's a hard delete. Track the occurrence of hard-delete events by comparing “Delete <object>” events with the type of object that has been deleted, noting those that do not support soft-delete. In addition, note "Hard Delete <object>" events. 
+A delete event for applications, users, and Microsoft 365 Groups is a soft delete. For any other object type, it's a hard delete. Track the occurrence of hard-delete events by comparing "Delete \<object\>" events with the type of object that has been deleted, noting those that do not support soft-delete. In addition, note "Hard Delete \<object\>" events. 
 
 
 | Object type | Activity in log| Result |
@@ -126,7 +126,7 @@ For details on restoring users, see the following documentation:
 
 * See [Restore or permanently remove recently deleted user](active-directory-users-restore.md) for restoring in the Azure portal.
 
-* See [Restore deleted item – Microsoft Graph v1.0](%20/graph/api/directory-deleteditems-restore?view=graph-rest-1.0&tabs=http) for restoring with Microsoft Graph.
+* See [Restore deleted item – Microsoft Graph v1.0](/graph/api/directory-deleteditems-restore?tabs=http) for restoring with Microsoft Graph.
 
 ### Groups
 
@@ -139,7 +139,7 @@ For details on restoring soft deleted Microsoft 365 Groups, see the following do
 
 * To restore from the Azure portal, see [Restore a deleted Microsoft 365 group. ](../enterprise-users/groups-restore-deleted.md) 
 
-* To restore by using Microsoft Graph, see [Restore deleted item – Microsoft Graph v1.0](/graph/api/directory-deleteditems-restore?view=graph-rest-1.0&tabs=http). 
+* To restore by using Microsoft Graph, see [Restore deleted item – Microsoft Graph v1.0](/graph/api/directory-deleteditems-restore?tabs=http). 
 
 ### Applications
 
@@ -189,7 +189,7 @@ Hard deleted items must be recreated and reconfigured. It's best to avoid unwant
 
 Ensure you have a process to frequently review items in the soft delete state and restore them if appropriate. To do so, you should:
 
-* Frequently [list deleted items](/graph/api/directory-deleteditems-list?view=graph-rest-1.0&tabs=http). 
+* Frequently [list deleted items](/graph/api/directory-deleteditems-list?tabs=http). 
 
 * Ensure that you have specific criteria for what should be restored.
 

articles/active-directory/fundamentals/recoverability-overview.md

@@ -105,7 +105,7 @@ Create a process of pre-defined communications to make others aware of the issue
 
 Document the state of your tenant and its objects regularly so that in the event of a hard delete or misconfiguration you have a road map to recovery. The following tools can help you in documenting your current state.
 
-- The [Microsoft Graph APIs](https://docs.microsoft.com/graph/overview?view=graph-rest-1.0) can be used to export the current state of many Azure AD configurations.
+- The [Microsoft Graph APIs](/graph/overview) can be used to export the current state of many Azure AD configurations.
 
 - You can use the [Azure AD Exporter](https://github.com/microsoft/azureadexporter) to regularly export your configuration settings. 
 
@@ -126,13 +126,13 @@ Graph APIs are highly customizable based on your organizational needs. To implem
 
 | Resource types| Reference links |
 | - | - | 
-| Users, groups, and other directory objects| [directoryObject API](/graph/api/resources/directoryObject?view=graph-rest-1.0) |
-| Directory roles| [directoryRole API](/graph/api/resources/directoryrole?view=graph-rest-1.0) |
-| Conditional Access policies| [Conditional Access policy API](/graph/api/resources/conditionalaccesspolicy?view=graph-rest-1.0) |
-| Devices| [devices API](/graph/api/resources/device?view=graph-rest-1.0) |
-| Domains| [domains API](/graph/api/domain-list?view=graph-rest-1.0&tabs=http) |
-| Administrative Units| [administrativeUnit API)](/graph/api/resources/administrativeunit?view=graph-rest-1.0) |
-| Deleted Items*| [deletedItems API](/graph/api/resources/directory?view=graph-rest-1.0) |
+| Users, groups, and other directory objects| [directoryObject API](/graph/api/resources/directoryObject) |
+| Directory roles| [directoryRole API](/graph/api/resources/directoryrole) |
+| Conditional Access policies| [Conditional Access policy API](/graph/api/resources/conditionalaccesspolicy) |
+| Devices| [devices API](/graph/api/resources/device) |
+| Domains| [domains API](/graph/api/domain-list?tabs=http) |
+| Administrative Units| [administrativeUnit API)](/graph/api/resources/administrativeunit) |
+| Deleted Items*| [deletedItems API](/graph/api/resources/directory) |
 
 
 Securely store these configuration exports with access provided to a limited number of admins. 
@@ -167,24 +167,24 @@ The deletion of some objects can cause a ripple effect due to dependencies. For
 
 ## Monitoring and data retention
 
-The [Azure AD Audit Log](../reports-monitoring/concept-audit-logs.md) contains information on all delete and configuration operations performed in your tenant. We recommend that you export these logs to a security information and event management (SIEM) tool such as [Microsoft Sentinel](../../sentinel/overview.md). You can also use Microsoft Graph to audit changes, and build a custom solution to monitor differences over time. For more information on finding deleted items using Microsoft Graph, see [List deleted items - Microsoft Graph v1.0 ](/graph/api/directory-deleteditems-list?view=graph-rest-1.0&tabs=http)
+The [Azure AD Audit Log](../reports-monitoring/concept-audit-logs.md) contains information on all delete and configuration operations performed in your tenant. We recommend that you export these logs to a security information and event management (SIEM) tool such as [Microsoft Sentinel](../../sentinel/overview.md). You can also use Microsoft Graph to audit changes, and build a custom solution to monitor differences over time. For more information on finding deleted items using Microsoft Graph, see [List deleted items - Microsoft Graph v1.0 ](/graph/api/directory-deleteditems-list?tabs=http)
 
 ### Audit logs
 
-The Audit Log always records a “Delete <object>” event when an object in the tenant is removed from an active state (either from active to soft-deleted or active to hard-deleted).
+The Audit Log always records a "Delete \<object\>" event when an object in the tenant is removed from an active state (either from active to soft-deleted or active to hard-deleted).
 
 :::image type="content" source="media/recoverability/deletions-audit-log.png" alt-text="Screenshot of audit log detail." lightbox="media/recoverability/deletions-audit-log.png":::
 
 A Delete event for applications, users, and Microsoft 365 Groups is a soft delete. For any other object type it's a hard delete.
 
-| | Activity in log| Result |
+| Object Type | Activity in log| Result |
 | - | - | - |
 | Application| Delete application| Soft deleted |
 | Application| Hard delete application| Hard deleted |
 | User| Delete user| Soft deleted |
 | User| Hard delete user| Hard deleted |
 | Microsoft 365 Groups| Delete group| Soft deleted |
-| Microsoft 365 Group| Hard delete group| Hard deleted |
+| Microsoft 365 Groups| Hard delete group| Hard deleted |
 | All other objects| Delete “objectType”| Hard deleted |
 
 > [!NOTE]
@@ -203,7 +203,6 @@ There are several Azure Monitor workbooks that can help you to monitor configura
 - Directory role and group membership updates for service principals
 - Modified federation settings
 
-
 The [Cross-tenant access activity workbook ](../reports-monitoring/workbook-cross-tenant-access-activity.md)can help you monitor which applications in external tenants your users are accessing, and which applications I your tenant external users are accessing. Use this workbook to look for anomalous changes in either inbound or outbound application access across tenants.
 
 ## Operational security 

articles/app-service/configure-language-dotnetcore.md

@@ -124,12 +124,23 @@ namespace SomeNamespace
 
 If you configure an app setting with the same name in App Service and in *appsettings.json*, for example, the App Service value takes precedence over the *appsettings.json* value. The local *appsettings.json* value lets you debug the app locally, but the App Service value lets your run the app in production with production settings. Connection strings work in the same way. This way, you can keep your application secrets outside of your code repository and access the appropriate values without changing your code.
 
+::: zone pivot="platform-linux"
+> [!NOTE]
+> Note the [hierarchical configuration data](/aspnet/core/fundamentals/configuration/#hierarchical-configuration-data) in *appsettings.json* is accessed using the `__` (double underscore) delimiter that's standard on Linux to .NET Core. To override a specific hierarchical configuration setting in App Service, set the app setting name with the same delimited format in the key. you can run the following example in the [Cloud Shell](https://shell.azure.com):
+
+```azurecli-interactive
+az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings My__Hierarchical__Config__Data="some value"
+```
+::: zone-end
+
+::: zone pivot="platform-windows"
 > [!NOTE]
 > Note the [hierarchical configuration data](/aspnet/core/fundamentals/configuration/#hierarchical-configuration-data) in *appsettings.json* is accessed using the `:` delimiter that's standard to .NET Core. To override a specific hierarchical configuration setting in App Service, set the app setting name with the same delimited format in the key. you can run the following example in the [Cloud Shell](https://shell.azure.com):
 
 ```azurecli-interactive
 az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings My:Hierarchical:Config:Data="some value"
 ```
+::: zone-end
 
 ## Deploy multi-project solutions
 

articles/app-service/environment/networking.md

@@ -77,7 +77,9 @@ The normal app access ports inbound are as follows:
 
 You can set route tables without restriction. You can tunnel all of the outbound application traffic from your App Service Environment to an egress firewall device, such as Azure Firewall. In this scenario, the only thing you have to worry about is your application dependencies.
 
-You can put your web application firewall devices, such as Azure Application Gateway, in front of inbound traffic. Doing so exposes specific apps on that App Service Environment. If you want to customize the outbound address of your applications on an App Service Environment, you can add a NAT gateway to your subnet.
+You can put your web application firewall devices, such as Azure Application Gateway, in front of inbound traffic. Doing so allows you to expose specific apps on that App Service Environment.
+
+Your application will use one of the default outbound addresses for egress traffic to public endpoints. If you want to customize the outbound address of your applications on an App Service Environment, you can add a NAT gateway to your subnet.
 
 ## Private endpoint
 

articles/app-service/overview-managed-identity.md

@@ -294,7 +294,9 @@ This response is the same as the [response for the Azure AD service-to-service a
 > [!NOTE]
 > When connecting to Azure SQL data sources with [Entity Framework Core](/ef/core/), consider [using Microsoft.Data.SqlClient](/sql/connect/ado-net/sql/azure-active-directory-authentication), which provides special connection strings for managed identity connectivity. For an example, see [Tutorial: Secure Azure SQL Database connection from App Service using a managed identity](tutorial-connect-msi-sql-database.md).
 
-For .NET apps and functions, the simplest way to work with a managed identity is through the [Azure Identity client library for .NET](/dotnet/api/overview/azure/identity-readme?). See the respective documentation headings of the client library for information:
+For .NET apps and functions, the simplest way to work with a managed identity is through the [Azure Identity client library for .NET](/dotnet/api/overview/azure/identity-readme?). For detailed guidance, see [Tutorial: Connect to Azure databases from App Service without secrets using a managed identity](tutorial-connect-msi-azure-database.md).
+
+See the respective documentation headings of the client library for information:
 
 - [Add Azure Identity client library to your project](/dotnet/api/overview/azure/identity-readme#getting-started)
 - [Access Azure service with a system-assigned identity](/dotnet/api/overview/azure/identity-readme#authenticating-with-defaultazurecredential)
@@ -304,7 +306,9 @@ The linked examples use [`DefaultAzureCredential`](/dotnet/api/overview/azure/id
 
 # [JavaScript](#tab/javascript)
 
-For Node.js apps and JavaScript functions, the simplest way to work with a managed identity is through the [Azure Identity client library for JavaScript](/javascript/api/overview/azure/identity-readme?). See the respective documentation headings of the client library for information:
+For Node.js apps and JavaScript functions, the simplest way to work with a managed identity is through the [Azure Identity client library for JavaScript](/javascript/api/overview/azure/identity-readme?). For detailed guidance, see [Tutorial: Connect to Azure databases from App Service without secrets using a managed identity](tutorial-connect-msi-azure-database.md).
+
+See the respective documentation headings of the client library for information:
 
 - [Add Azure Identity client library to your project](/javascript/api/overview/azure/identity-readme#install-the-package)
 - [Access Azure service with a system-assigned identity](/javascript/api/overview/azure/identity-readme#authenticating-with-defaultazurecredential)
@@ -316,7 +320,9 @@ For more code examples of the Azure Identity client library for JavaScript, see
 
 # [Python](#tab/python)
 
-For Python apps and functions, the simplest way to work with a managed identity is through the [Azure Identity client library for Python](/python/api/overview/azure/identity-readme). See the respective documentation headings of the client library for information:
+For Python apps and functions, the simplest way to work with a managed identity is through the [Azure Identity client library for Python](/python/api/overview/azure/identity-readme). For detailed guidance, see [Tutorial: Connect to Azure databases from App Service without secrets using a managed identity](tutorial-connect-msi-azure-database.md).
+
+See the respective documentation headings of the client library for information:
 
 - [Add Azure Identity client library to your project](/python/api/overview/azure/identity-readme#getting-started)
 - [Access Azure service with a system-assigned identity](/python/api/overview/azure/identity-readme#authenticating-with-defaultazurecredential)
@@ -326,7 +332,9 @@ The linked examples use [`DefaultAzureCredential`](/python/api/overview/azure/id
 
 # [Java](#tab/java)
 
-For Java apps and functions, the simplest way to work with a managed identity is through the [Azure Identity client library for Java](/java/api/overview/azure/identity-readme). See the respective documentation headings of the client library for information:
+For Java apps and functions, the simplest way to work with a managed identity is through the [Azure Identity client library for Java](/java/api/overview/azure/identity-readme). For detailed guidance, see [Tutorial: Connect to Azure databases from App Service without secrets using a managed identity](tutorial-connect-msi-azure-database.md).
+
+See the respective documentation headings of the client library for information:
 
 - [Add Azure Identity client library to your project](/java/api/overview/azure/identity-readme#include-the-package)
 - [Access Azure service with a system-assigned identity](/java/api/overview/azure/identity-readme#authenticating-with-defaultazurecredential)

articles/app-service/overview-vnet-integration.md

@@ -187,6 +187,7 @@ You can't use gateway-required virtual network integration:
 * From a Linux app.
 * From a [Windows container](./quickstart-custom-container.md).
 * To access service endpoint-secured resources.
+* To resolve App Settings referencing a network protected Key Vault.
 * With a coexistence gateway that supports both ExpressRoute and point-to-site or site-to-site VPNs.
 
 ### Set up a gateway in your Azure virtual network

articles/app-service/toc.yml

@@ -78,8 +78,10 @@
           items: 
           - name: Connect to databases
             items: 
-              - name: .NET
+              - name: .NET with SQL DB
                 href: tutorial-connect-msi-sql-database.md
+              - name: Azure databases
+                href: tutorial-connect-msi-azure-database.md
           - name: Connect to services
             items:
               - name: .NET