Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into rolyon-mto-provisioning-logs-error-codes

Author: rolyon

articles/azure-netapp-files/configure-customer-managed-keys.md

@@ -13,7 +13,7 @@ ms.workload: storage
 ms.tgt_pltfrm: na
 ms.topic: how-to
 ms.custom: references_regions 
-ms.date: 03/07/2023
+ms.date: 03/31/2023
 ms.author: anfdocs
 ---
 
@@ -39,8 +39,7 @@ The following diagram demonstrates how customer-managed keys work with Azure Net
 > Customer-managed keys for Azure NetApp Files volume encryption is currently in preview. You need to submit a waitlist request for accessing the feature through the **[Customer-managed keys for Azure NetApp Files volume encryption](https://aka.ms/anfcmkpreviewsignup)** page. Customer-managed keys feature is expected to be enabled within a week from submitting waitlist request.
 
 * Customer-managed keys can only be configured on new volumes. You can't migrate existing volumes to customer-managed key encryption. 
-* To create a volume using customer-managed keys, you must select the *Standard* network features. You can't use customer-managed key volumes with volume configured using Basic network features. Follow instructions in to [Set the Network Features option](configure-network-features.md#set-the-network-features-option) in the volume creation page.
-* Switching from user-assigned identity to the system-assigned identity isn't currently supported.
+* To create a volume using customer-managed keys, you must select the *Standard* network features. You can't use customer-managed key volumes with volume configured using Basic network features. Follow instructions in [Set the Network Features option](configure-network-features.md#set-the-network-features-option) to create a volume. 
 * MSI Automatic certificate renewal isn't currently supported.  
 * The MSI certificate has a lifetime of 90 days. It becomes eligible for renewal after 46 days. **After 90 days, the certificate is no longer be valid and the customer-managed key volumes under the NetApp account will go offline.**
     * To renew, you need to call the NetApp account operation `renewCredentials` if eligible for renewal. If it's not eligible, an error message will communicate the date of eligibility. 
@@ -100,7 +99,10 @@ Before creating your first customer-managed key volume, you must have set up:
     * The key vault must have soft delete and purge protection enabled. 
     * The key must be of type RSA. 
 * The key vault must have an [Azure Private Endpoint](../private-link/private-endpoint-overview.md).
+    * You need a private endpoint in each VNet you intend on using for Azure NetApp Files volumes
     * The private endpoint must reside in a different subnet than the one delegated to Azure NetApp Files. The subnet must be in the same VNet as the one delegated to Azure NetApp.  
+    * The network security group on the Azure NetApp Files delegated subnet must allow incoming traffic from the subnet where the VM mounting Azure NetApp Files volumes is located.
+    * The network security group on the Azure NetApp Files delegated subnet must also allow outgoing traffic to the subnet where the private endpoint is located.
 
 For more information about Azure Key Vault and Azure Private Endpoint, refer to:
 * [Quickstart: Create a key vault ](../key-vault/general/quick-create-portal.md) 
@@ -142,7 +144,7 @@ For more information about Azure Key Vault and Azure Private Endpoint, refer to:
       * `Microsoft.KeyVault/vaults/keys/decrypt/action`
     The user-assigned identity you select is added to your NetApp account. Due to the customizable nature of role-based access control (RBAC), the Azure portal doesn't configure access to the key vault. See [Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control](../key-vault/general/rbac-guide.md) for details on configuring Azure Key Vault. 
 
-1. After selecting **Save** button, you'll receive a notification communicating the status of the operation. If the operation was not successful, an error message displays. Refer to [error messages and troubleshooting](#error-messages-and-troubleshooting) for assistance in resolving the error.  
+1. After selecting the **Save** button, you'll receive a notification communicating the status of the operation. If the operation was not successful, an error message displays. Refer to [error messages and troubleshooting](#error-messages-and-troubleshooting) for assistance in resolving the error.  
 
 ## Use role-based access control
 

articles/azure-resource-manager/management/manage-resource-groups-cli.md

@@ -3,15 +3,20 @@ title: Manage resource groups - Azure CLI
 description: Use Azure CLI to manage your resource groups through Azure Resource Manager. Shows how to create, list, and delete resource groups.
 author: mumian
 ms.topic: conceptual
-ms.date: 09/10/2021
-ms.author: jgao
+ms.date: 03/31/2023
 ms.custom: devx-track-azurecli
 ---
 
 # Manage Azure Resource Groups by using Azure CLI
 
 Learn how to use Azure CLI with [Azure Resource Manager](overview.md) to manage your Azure resource groups. For managing Azure resources, see [Manage Azure resources by using Azure CLI](manage-resources-cli.md).
 
+## Prerequisites
+
+* Azure CLI. For more information, see [How to install the Azure CLI](/cli/azure/install-azure-cli).
+
+* After installing, sign in for the first time. For more information, see [How to sign into the Azure CLI](/cli/azure/get-started-with-azure-cli#how-to-sign-into-the-azure-cli).
+
 ## What is a resource group
 
 A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to add resources to resource groups based on what makes the most sense for your organization. Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.
@@ -54,18 +59,44 @@ For more information about how Azure Resource Manager orders the deletion of res
 
 You can deploy Azure resources by using Azure CLI, or by deploying an Azure Resource Manager (ARM) template or Bicep file.
 
+### Deploy resources by using storage operations
+
 The following example creates a storage account. The name you provide for the storage account must be unique across Azure.
 
 ```azurecli-interactive
 az storage account create --resource-group exampleGroup --name examplestore --location westus --sku Standard_LRS --kind StorageV2
 ```
 
+### Deploy resources by using an ARM template or Bicep file
+
 To deploy an ARM template or Bicep file, use [az deployment group create](/cli/azure/deployment/group#az-deployment-group-create).
 
 ```azurecli-interactive
 az deployment group create --resource-group exampleGroup --template-file storage.bicep
 ```
 
+The following example shows the Bicep file named `storage.bicep` that you're deploying:
+
+```bicep
+@minLength(3)
+@maxLength(11)
+param storagePrefix string
+
+var uniqueStorageName = concat(storagePrefix, uniqueString(resourceGroup().id))
+
+resource uniqueStorage 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+  name: uniqueStorageName
+  location: 'eastus'
+  sku: {
+    name: 'Standard_LRS'
+  }
+  kind: 'StorageV2'
+  properties: {
+    supportsHttpsTrafficOnly: true
+  }
+}
+```
+
 For more information about deploying an ARM template, see [Deploy resources with Resource Manager templates and Azure CLI](../templates/deploy-cli.md).
 
 For more information about deploying a Bicep file, see [Deploy resources with Bicep and Azure CLI](../bicep/deploy-cli.md).

articles/azure-resource-manager/management/manage-resource-groups-powershell.md

@@ -3,15 +3,20 @@ title: Manage resource groups - Azure PowerShell
 description: Use Azure PowerShell to manage your resource groups through Azure Resource Manager. Shows how to create, list, and delete resource groups.
 author: mumian
 ms.topic: conceptual
-ms.date: 09/10/2021
-ms.author: jgao 
+ms.date: 03/31/2023
 ms.custom: devx-track-azurepowershell
 
 ---
 # Manage Azure Resource Groups by using Azure PowerShell
 
 Learn how to use Azure PowerShell with [Azure Resource Manager](overview.md) to manage your Azure resource groups. For managing Azure resources, see [Manage Azure resources by using Azure PowerShell](manage-resources-powershell.md).
 
+## Prerequisites
+
+* Azure PowerShell. For more information, see [Install the Azure Az PowerShell module](/powershell/azure/install-az-ps).
+
+* After installing, sign in for the first time. For more information, see [Sign in](/powershell/azure/install-az-ps#sign-in).
+
 ## What is a resource group
 
 A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to add resources to resource groups based on what makes the most sense for your organization. Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.
@@ -54,18 +59,44 @@ For more information about how Azure Resource Manager orders the deletion of res
 
 You can deploy Azure resources by using Azure PowerShell, or by deploying an Azure Resource Manager (ARM) template or Bicep file.
 
+### Deploy resources by using storage operations
+
 The following example creates a storage account. The name you provide for the storage account must be unique across Azure.
 
 ```azurepowershell-interactive
 New-AzStorageAccount -ResourceGroupName exampleGroup -Name examplestore -Location westus -SkuName "Standard_LRS"
 ```
 
+### Deploy resources by using an ARM template or Bicep file
+
 To deploy an ARM template or Bicep file, use [New-AzResourceGroupDeployment](/powershell/module/az.resources/new-azresourcegroupdeployment).
 
 ```azurepowershell-interactive
 New-AzResourceGroupDeployment -ResourceGroupName exampleGroup -TemplateFile storage.bicep
 ```
 
+The following example shows the Bicep file named `storage.bicep` that you're deploying:
+
+```bicep
+@minLength(3)
+@maxLength(11)
+param storagePrefix string
+
+var uniqueStorageName = concat(storagePrefix, uniqueString(resourceGroup().id))
+
+resource uniqueStorage 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+  name: uniqueStorageName
+  location: 'eastus'
+  sku: {
+    name: 'Standard_LRS'
+  }
+  kind: 'StorageV2'
+  properties: {
+    supportsHttpsTrafficOnly: true
+  }
+}
+```
+
 For more information about deploying an ARM template, see [Deploy resources with ARM templates and Azure PowerShell](../templates/deploy-powershell.md).
 
 For more information about deploying a Bicep file, see [Deploy resources with Bicep and Azure PowerShell](../bicep/deploy-powershell.md).
@@ -86,6 +117,13 @@ To get the locks for a resource group, use [Get-AzResourceLock](/powershell/modu
 Get-AzResourceLock -ResourceGroupName exampleGroup
 ```
 
+To delete a lock, use [Remove-AzResourceLock](/powershell/module/az.resources/remove-azresourcelock).
+
+```azurepowershell-interactive
+$lockId = (Get-AzResourceLock -ResourceGroupName exampleGroup).LockId
+Remove-AzResourceLock -LockId $lockId
+```
+
 For more information, see [Lock resources with Azure Resource Manager](lock-resources.md).
 
 ## Tag resource groups

articles/governance/policy/concepts/remediation-structure.md

@@ -0,0 +1,126 @@
+---
+title: Details of the policy remediation task structure
+description: Describes the policy remediation task definition used by Azure Policy to bring resources into compliance.
+ms.date: 11/03/2022
+ms.topic: conceptual
+ms.author: kenieva
+author: kenieva
+---
+# Azure Policy remediation task structure
+
+The Azure Policy remediation task feature is used to bring resources into compliance established from a definition and assignment. Resources that are non-compliant to a [modify](./effects.md#modify) or [deployIfNotExist](./effects.md#deployifnotexists) definition assignment, can be brought into compliance using a remediation task. Remediation task deploys the deployIFNotExist template or the modify operations to the selected non-compliant resources using the identity specified in the assignment. See  [policy assignment structure](./assignment-structure.md#identity). to understand how the identity is define and [remediate non-compliant resources tutorial](../how-to/remediate-resources.md#configure-the-managed-identity) to configure the identity.
+
+> [!NOTE]
+> Remediation tasks remediate exisiting resources that are not compliant. Resources that are newly created or updated that are applicable to a deployIfNotExist or modify definition assignment are automatically remediated. 
+
+You use JavaScript Object Notation (JSON) to create a policy remediation task. The policy remediation task contains elements for:
+
+- [display name](#display-name-and-description)
+- [description](#display-name-and-description)
+- [policy assignment](#policy-assignment-id)
+- [policy definitions within an initiative](#policy-definition-id)
+- [resource count and parallel deployments](#resource-count-and-parallel-deployments)
+- [failure threshold](#failure-threshold)
+- [remediation filters](#remediation-filters)
+- [resource discovery mode](#resource-discovery-mode)
+- [provisioning state and deployment summary](#provisioning-state-and-deployment-summary)
+
+
+For example, the following JSON shows a policy remediation task for policy definition named `requiredTags` a part of
+an initiative assignment named `resourceShouldBeCompliantInit` with all default settings. 
+
+```json
+{
+    "id": "/subscriptions/{subId}/resourceGroups/ExemptRG/providers/Microsoft.PolicyInsights/remediations/remediateNotCompliant",
+    "apiVersion": "2021-10-01",
+    "name": "remediateNotCompliant",
+    "type": "Microsoft.PolicyInsights/remediations",
+    "properties": {
+        "policyAssignmentId": "/subscriptions/{mySubscriptionID}/providers/Microsoft.Authorization/policyAssignments/resourceShouldBeCompliantInit",
+        "policyDefinitionReferenceIds":  "requiredTags",
+        "resourceCount": 42,
+        "parallelDeployments": 6,
+        "failureThreshold": {
+            "percentage": 0.1
+        }
+    }
+}
+```
+Steps on how to trigger a remediation task at [how to remediate non-compliant resources guide](../how-to/remediate-resources.md)
+
+> [!NOTE]
+> These settings cannot be changed once the remediation task has started.
+
+
+## Display name and description
+
+You use **displayName** and **description** to identify the policy remediation task and provide context for
+its use. **displayName** has a maximum length of _128_ characters and
+**description** a maximum length of _512_ characters. 
+
+## Policy assignment ID
+
+This field must be the full path name of either a policy assignment or an initiative assignment.
+`policyAssignmentId` is a string and not an array. This property defines which assignment the parent
+resource hierarchy or individual resource to remediate.
+
+## Policy definition ID
+
+If the `policyAssignmentId` is for an initiative assignment, the **policyDefinitionReferenceId** property must be used to specify which policy definition(s) in the initiative the subject resource(s) are to be remediated. As a remediation can only remediation in a scope of one definition,
+this property is a _string_. The value must match the value in the initiative definition in the
+`policyDefinitions.policyDefinitionReferenceId` field.
+
+## Resource count and parallel deployments
+
+Use **resource count** to  determine how many non-compliant resources to remediate in a given remediation task. The default value is 500, with the maximum number being 50,000. **Parallel deployments**  determines how many of those resources to remediate at the same time. The allowed range is between 1 to 30 with the default value being 10.  
+
+> [!NOTE]
+> Parallel deployments are the number of deployments within a singular remediation task with a maxmimum of 30. 100 remediation tasks can be ran simultaneously in the tenant.   
+
+## Failure threshold
+
+An optional property used to specify whether the remediation task should fail if the percentage of failures exceeds the given threshold. The **failure threshold** is represented as a percentage number from 0 to 100. By default, the failure threshold is 100%, meaning that the remediation task will continue to remediate other resources even if resources fail to remediate. 
+
+## Remediation filters 
+
+An optional property refines what resources are applicable to the remediation task. The allowed filter is resource location. Unless specified, resources from any region can be remediated. 
+
+## Resource discovery mode
+
+This property decides how to discover resources that are eligible for remediation. For a resource to be eligible, it must be non-compliant. By default, this property is set to `ExistingNonCompliant`. It could also be set to `ReEvaluateCompliance`, which will trigger a new compliance scan for that assignment and remediate any resources that are found non-compliant.  
+
+## Provisioning state and deployment summary
+
+Once a remediation task is created, **provisioning state** and **deployment summary** properties are populated. **Provisioning state** indicates the status of the remediation task. Allow values are `Running`, `Canceled`, `Cancelling`, `Failed`, `Complete`, or `Succeeded`. **Deployment summary** is an array property indicating the number of deployments along with number of successful and failed deployments. 
+
+Sample of remediation task that completed successfully: 
+
+```json
+{
+    "id": "/subscriptions/{subId}/resourceGroups/ExemptRG/providers/Microsoft.PolicyInsights/remediations/remediateNotCompliant",
+    "Type":  "Microsoft.PolicyInsights/remediations",
+    "Name":  "remediateNotCompliant",
+    "PolicyAssignmentId":  "/subscriptions/{mySubscriptionID}/providers/Microsoft.Authorization/policyAssignments/resourceShouldBeCompliantInit",
+    "policyDefinitionReferenceIds":  "requiredTags",
+    "resourceCount": 42,
+    "parallelDeployments": 6,
+    "failureThreshold": {
+        "percentage": 0.1
+    },
+    "ProvisioningState":  "Succeeded",
+    "DeploymentSummary":  {
+        "TotalDeployments":  42,
+        "SuccessfulDeployments":  42,
+        "FailedDeployments":  0
+    },
+}
+```
+
+## Next steps
+
+- Understand how to [determine causes of non-compliance](../how-to/determine-non-compliance.md).
+- Learn how to [get compliance data](../how-to/get-compliance-data.md).
+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
+- Understand how to [react to Azure Policy state change events](./event-overview.md).
+- Learn about the [policy definition structure](./definition-structure.md).
+- Learn about the [policy assignment structure](./assignment-structure.md).

articles/governance/policy/how-to/remediate-resources.md

@@ -315,14 +315,7 @@ This step is only applicable when using [Option 1](#option-1-create-a-remediatio
 
 1. If the remediation task is initiated from an initiative assignment, select the policy to remediate from the drop-down. One **deployIfNotExists** or **modify** policy can be remediated through a single Remediation task at a time.
 
-1. Optionally modify remediation settings on the **New remediation task** page:
-
-    - **Failure Threshold percentage** - Used to specify whether the remediation task should fail if the percentage of failures exceeds the given threshold. Provided as a number between 0 to 100. By default, the failure threshold is 100%.
-    - **Resource Count** - Determines how many non-compliant resources to remediate in a given remediation task. The default value is 500 (the previous limit). The maximum number is 50,000 resources.
-    - **Parallel Deployments** - Determines how many resources to remediate at the same time. The allowed values are 1 to 30 resources at a time. The default value is 10.
-
-   > [!NOTE]
-   > These settings cannot be changed once the remediation task has started.
+1. Optionally modify remediation settings on the page. For information on what each setting controls, see [remediation task structure](../concepts/remediation-structure.md).
 
 1. On the same page, filter the resources to remediate by using the **Scope**
    ellipses to pick child resources from where the policy is assigned (including down to the