Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into rolyon-aadroles-protected-actions-policy-not-satisfied

Author: rolyon

articles/active-directory/devices/howto-manage-local-admin-passwords.md

@@ -6,11 +6,12 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: devices
 ms.topic: how-to
-ms.date: 04/20/2023
+ms.date: 04/21/2023
 
 ms.author: sandeo
 author: sandeo-MSFT
 ms.reviewer: joflore
+ms.custom: references_regions
 
 ms.collection: M365-identity-device-management
 ---
@@ -72,7 +73,7 @@ LAPS is supported on Azure AD joined or hybrid Azure AD joined devices only. Azu
 
 LAPS is available to all customers with Azure AD Free or higher licenses. Other related features like administrative units, custom roles, Conditional Access, and Intune have other licensing requirements.
 
-## Required roles or permission
+### Required roles or permission
 
 Other than the built-in Azure AD roles of Cloud Device Administrator, Intune Administrator, and Global Administrator that are granted *device.LocalCredentials.Read.All*, you can use [Azure AD custom roles](/azure/active-directory/roles/custom-create) or administrative units to authorize local administrator password recovery. For example,
 
@@ -117,7 +118,7 @@ Conditional Access policies can be scoped to the built-in roles like Cloud Devic
 > [!NOTE]  
 > Other role types including administrative unit-scoped roles and custom roles aren't supported
 
-## Frequently Asked Questions
+## Frequently asked questions
 
 ### Is Windows LAPS with Azure AD management configuration supported using Group Policy Objects (GPO)?
 

articles/azure-monitor/toc.yml

@@ -378,8 +378,7 @@ items:
     - name: Data collector API
       items:
       - name: Overview
-        href: logs/data-collector-api.md
-      - name: Log Analytics Data collector API
+        displayName: data collector api
         href: logs/data-collector-api.md
       - name: Log Analytics Data Collector API Pipeline example
         href: logs/create-pipeline-datacollector-api.md

articles/dms/known-issues-azure-sql-migration-azure-data-studio.md

@@ -15,7 +15,7 @@ ms.custom: seo-lt-2019
 Known issues and troubleshooting steps associated with the Azure SQL Migration extension for Azure Data Studio.
 
 > [!IMPORTANT]
-> The latest version of Integration Runtime (5.28.8488) prevents access to a network file share on a local host. This security measure will lead to failures when performing the pre-migration validation using Azure Data Studio as a client. Please ensure you run Integration Runtime on a different machine than the network share hosting.
+> The latest version of Integration Runtime (5.28.8488) prevents access to a network file share on a local host. This security measure will lead to failures when performing migrations to Azure SQL using DMS. Please ensure you run Integration Runtime on a different machine than the network share hosting.
 
 ## Error code: 2007 - CutoverFailedOrCancelled 
 
@@ -215,6 +215,18 @@ WHERE STEP in (3,4,6);
 
 - **Recommendation**: For more troubleshooting steps, see [Troubleshoot Azure Data Factory and Synapse pipelines](../data-factory/data-factory-troubleshoot-guide.md#error-code-2108). 
 
+
+## Error code: 2049 - FileShareTestConnectionFailed
+
+- **Message**: `The value of the property '' is invalid: 'Access to <share path> is denied, resolved IP address is <IP address>, network type is OnPremise'.`
+
+- **Cause**: The network share where the database backups are stored is in the same machine as the self-hosted Integration Runtime (SHIR).
+
+- **Recommendation**: The latest version of Integration Runtime (**5.28.8488**) prevents access to a network file share on a local host. Please ensure you run Integration Runtime on a different machine than the network share hosting. If hosting the self-hosted Integration Runtime and the network share on different machines is not possible with your current migration setup, you can use the option to opt-out using ```DisableLocalFolderPathValidation```. 
+    > [!NOTE]
+    > For more information, see [Set up an existing self-hosted IR via local PowerShell](../data-factory/create-self-hosted-integration-runtime.md#set-up-an-existing-self-hosted-ir-via-local-powershell). Use the disabling option with discretion as this is less secure.
+
+
 ## Error code: 2056 - SqlInfoValidationFailed
 
 - **Message**: CollationMismatch: `Source database collation <CollationOptionSource> is not the same as the target database <CollationOptionTarget>. Source database: <SourceDatabaseName> Target database: <TargetDatabaseName>.`

articles/expressroute/expressroute-locations-providers.md

@@ -67,7 +67,7 @@ The following table shows connectivity locations and the service providers for e
 | **Dallas** | [Equinix DA3](https://www.equinix.com/locations/americas-colocation/united-states-colocation/dallas-data-centers/da3/) | 1 | n/a | Supported | Aryaka Networks, AT&T NetBond, Cologix, Cox Business Cloud Port, Equinix, Intercloud, Internet2, Level 3 Communications, Megaport, Neutrona Networks, Orange, PacketFabric, Telmex Uninet, Telia Carrier, Transtelco, Verizon, Zayo|
 | **Denver** | [CoreSite DE1](https://www.coresite.com/data-centers/locations/denver/de1) | 1 | West Central US | Supported | CoreSite, Megaport, PacketFabric, Zayo |
 | **Doha** | [MEEZA MV2](https://www.meeza.net/services/data-centre-services/) | 3 | Qatar Central | Supported | Ooredoo Cloud Connect, Vodafone |
-| **Doha2** | [Ooredoo](https://www.ooredoo.qa/portal/OoredooQatar/b2b-data-centre) | 3 | Qatar Central | Supported | Ooredoo Cloud Connect |
+| **Doha2** | [Ooredoo](https://www.ooredoo.qa/) | 3 | Qatar Central | Supported | Ooredoo Cloud Connect |
 | **Dubai** | [PCCS](http://www.pacificcontrols.net/cloudservices/) | 3 | UAE North | Supported | Etisalat UAE |
 | **Dubai2** | [du datamena](http://datamena.com/solutions/data-centre) | 3 | UAE North | n/a | DE-CIX, du datamena, Equinix, GBI, Megaport, Orange, Orixcom |
 | **Dublin** | [Equinix DB3](https://www.equinix.com/locations/europe-colocation/ireland-colocation/dublin-data-centers/db3/) | 1 | North Europe | Supported | CenturyLink Cloud Connect, Colt, eir, Equinix, GEANT, euNetworks, Interxion, Megaport, Zayo|
@@ -190,7 +190,7 @@ If you're remote and don't have fiber connectivity or want to explore other conn
 
 * Intelsat
 * [SES](https://www.ses.com/networks/signature-solutions/signature-cloud/ses-and-azure-expressroute)
-* [Viasat](http://www.directcloud.viasatbusiness.com/)
+* [Viasat](https://news.viasat.com/newsroom/press-releases/viasat-introduces-direct-cloud-connect-a-new-service-providing-fast-secure-private-connections-to-business-critical-cloud-services)
 
 | Location | Exchange | Connectivity providers |
 | --- | --- | --- |

articles/expressroute/expressroute-locations.md

@@ -172,7 +172,7 @@ The following table shows locations by service provider. If you want to view ava
 | **UOLDIVEO** |Supported |Supported | Sao Paulo |
 | **[UIH](https://www.uih.co.th/en/network-solutions/global-network/cloud-direct-for-microsoft-azure-expressroute)** | Supported | Supported | Bangkok |
 | **[Verizon](https://enterprise.verizon.com/products/network/application-enablement/secure-cloud-interconnect/)** |Supported |Supported | Amsterdam, Chicago, Dallas, Hong Kong SAR, London, Mumbai, Silicon Valley, Singapore, Sydney, Tokyo, Toronto, Washington DC |
-| **[Viasat](http://www.directcloud.viasatbusiness.com/)** | Supported | Supported | Washington DC2 |
+| **[Viasat](https://news.viasat.com/newsroom/press-releases/viasat-introduces-direct-cloud-connect-a-new-service-providing-fast-secure-private-connections-to-business-critical-cloud-services)** | Supported | Supported | Washington DC2 |
 | **[Vocus Group NZ](https://www.vocus.co.nz/business/cloud-data-centres)** | Supported | Supported | Auckland, Sydney |
 | **Vodacom** |Supported |Supported | Cape Town, Johannesburg|
 | **[Vodafone](https://www.vodafone.com/business/global-enterprise/global-connectivity/vodafone-ip-vpn-cloud-connect)** |Supported |Supported | Amsterdam2, Doha, London, Milan, Singapore |
@@ -243,7 +243,7 @@ If you're remote and don't have fiber connectivity, or you want to explore other
 
 * Intelsat
 * [SES](https://www.ses.com/networks/signature-solutions/signature-cloud/ses-and-azure-expressroute)
-* [Viasat](http://www.directcloud.viasatbusiness.com/)
+* [Viasat](https://news.viasat.com/newsroom/press-releases/viasat-introduces-direct-cloud-connect-a-new-service-providing-fast-secure-private-connections-to-business-critical-cloud-services)
 
 ## Connectivity through additional service providers
 
@@ -324,7 +324,7 @@ If you're remote and don't have fiber connectivity, or you want to explore other
 | **[Flexential](https://www.flexential.com/connectivity/cloud-connect-microsoft-azure-expressroute)** | IX Reach, Megaport, PacketFabric |
 | **[QTS Data Centers](https://www.qtsdatacenters.com/hybrid-solutions/connectivity/azure-cloud )** | Megaport, PacketFabric |
 | **[Stream Data Centers](https://www.streamdatacenters.com/products-services/network-cloud/)** | Megaport |
-| **[RagingWire Data Centers](https://www.ragingwire.com/wholesale/wholesale-data-centers-worldwide-nexcenters)** | IX Reach, Megaport, PacketFabric |
+| **RagingWire Data Centers** | IX Reach, Megaport, PacketFabric |
 | **[T5 Datacenters](https://t5datacenters.com/)** | IX Reach |
 | **vXchnge** | IX Reach, Megaport |
 

articles/expressroute/expressroute-monitoring-metrics-alerts.md

@@ -64,7 +64,9 @@ Metrics explorer supports SUM, MAX, MIN, AVG and COUNT as [aggregation types](..
 | [Count of routes advertised to peer](#advertisedroutes) | Availability | Count | Maximum | Count Of Routes Advertised To Peer by ExpressRouteGateway | roleInstance | Yes | 
 | [Count of routes learned from peer](#learnedroutes)| Availability | Count | Maximum | Count Of Routes Learned From Peer by ExpressRouteGateway | roleInstance | Yes | 
 | [Frequency of routes changed](#frequency) | Availability | Count | Total | Frequency of Routes change in ExpressRoute Gateway | roleInstance | Yes | 
-| [Number of VMs in virtual network](#vm) | Availability | Count | Maximum | Number of VMs in the Virtual Network | No Dimensions | Yes | 
+| [Number of VMs in virtual network](#vm) | Availability | Count | Maximum | Number of VMs in the Virtual Network | No Dimensions | Yes |
+| [Active flows](#activeflows) | Scalability | Count | Average | Number of active flows on ExpressRoute Gateway | roleInstance | Yes |
+| [Max flows created per second](#maxflows) | Scalability | FlowsPerSecond | Maximum | Maximum number of flows created per second on ExpressRoute Gateway | roleInstance, direction | Yes |
 
 ### ExpressRoute Gateway connections
 
@@ -223,7 +225,9 @@ When you deploy an ExpressRoute gateway, Azure manages the compute and functions
 * Count of routes advertised to peers
 * Count of routes learned from peers
 * Frequency of routes changed
-* Number of VMs in the virtual network  
+* Number of VMs in the virtual network
+* Count of active flows
+* Max flows created per second
 
 It's highly recommended you set alerts for each of these metrics so that you're aware of when your gateway could be seeing performance issues.
 
@@ -287,6 +291,27 @@ This metric shows the number of virtual machines that are using the ExpressRoute
 > To maintain reliability of the service, Microsoft often performs platform or OS maintenance on the gateway service. During this time, this metric may fluctuate and report inaccurately.
 >
 
+## <a name = "activeflows"></a>Active flows
+
+Aggregation type: *Avg*
+
+Split by: Gateway Instance
+
+
+This metric displays a count of the total number of active flows on the ExpressRoute Gateway. Through split at instance level, you can see active flow count per gateway instance. For more information, see [understand network flow limits](../virtual-network/virtual-machine-network-throughput.md#network-flow-limits).
+
+:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/active-flows.png" alt-text="Screenshot of number of active flows per second metrics dashboard.":::
+
+## <a name = "maxflows"></a>Max flows created per second
+
+Aggregation type: *Max*
+
+Split by: Gateway Instance and Direction (Inbound/Outbound)
+
+This metric display maximum number of flows created per second on the ExpressRoute Gateway. Through split at instance level and direction, you can see max flow creation rate per gateway instance and inbound/outbound direction respectively. For more information, see [understand network flow limits](../virtual-network/virtual-machine-network-throughput.md#network-flow-limits).
+
+:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/max-flows-per-second.png" alt-text="Screenshot of the maximum number of flows created per second metrics dashboard.":::
+
 ## <a name = "connectionbandwidth"></a>ExpressRoute gateway connections in bits/seconds
 
 Aggregation type: *Avg*

articles/expressroute/media/expressroute-monitoring-metrics-alerts/active-flows.png

@@ -1,11 +1,10 @@
 ---
 title: Safe deployment of Azure Policy assignments
 description: Learn how to apply the safe deployment practices (SDP) framework to your Azure Policy assignments.
-author: timwarner-msft
-ms.date: 11/14/2022
+ms.date: 04/21/2023
 ms.topic: conceptual
-ms.author: timwarner
 ---
+
 # Safe deployment of Azure Policy assignments
 
 As your environment expands, so does the demand for a controlled continuous deployment (CD)
@@ -30,77 +29,78 @@ Policy assignments that use the `deny` or `append` policy effects.
 > [!NOTE]
 > To learn more about Azure policy effects, see [Understand how effects work](../concepts/effects.md).
 
-:::image type="content" source="safe-deployment-practices-flowchart-1.png" alt-text="Flowchart with steps one through eight showing safe deployment practices deployment of a new Azure Policy definition." border="true":::
+:::image type="content" source="../media/policy-safe-deployment-practices/safe-deployment-practices-flowchart-1.png" alt-text="Flowchart with steps one through eight showing safe deployment practices deployment of a new Azure Policy definition." border="true":::
+
+Flowchart step numbers: 
 
-1. Begin the release by creating a policy definition at the highest designated Azure management scope.
-We recommend storing Azure Policy definitions at the management group scope for maximum flexibility.
+1. Begin the release by creating a policy definition at the highest designated Azure management scope. We recommend storing Azure Policy definitions at the management group scope for maximum flexibility.
 
 2. Once you've created your policy definition, assign the policy at the highest-level scope inclusive
 of all deployment rings. Apply _resource selectors_ to narrow the applicability to the least
 critical ring by using the `"kind": "resource location"` property. Configure the `audit` effect type
-by using _assignment overrides_. Sample selector with eastUS location and effect as audit
+by using _assignment overrides_. Sample selector with `eastUS` location and effect as `audit`:
 
- ```json
+    ```json
     "resourceSelectors": [{ 
-        "name": "SDPRegions", 
-        "selectors": [{
-            "kind": "resourceLocation",
-            "in": [ "eastUS" ] 
-        }]
+      "name": "SDPRegions", 
+      "selectors": [{
+          "kind": "resourceLocation",
+          "in": [ "eastUS" ] 
+      }]
     }], 
     "overrides":[{ 
-        "kind": "policyEffect", 
-        "value": "Audit" 
+      "kind": "policyEffect", 
+      "value": "Audit" 
     }] 
-  ```
+    ```
 
 3. Once the assignment is deployed and the initial compliance scan has completed,
 validate that the compliance result is as expected.
 
-You should also configure automated tests that run compliance checks. A compliance check should
-encompass the following logic:
-
-- Gather compliance results
-- If compliance results are as expected, the pipeline should continue
-- If compliance results aren't as expected, the pipeline should fail and you should start debugging
-
-For example, you can configure the compliance check by using other tools within
-your particular continuous integration/continuous deployment (CI/CD) pipeline.
-
-At each rollout stage, the application health checks should confirm the stability of the service
-and impact of the policy. If the results aren't as expected due to application configuration,
-refactor the application as appropriate.
-
-4. Repeat by expanding the resource selector property values to include the next rings’
+    You should also configure automated tests that run compliance checks. A compliance check should
+    encompass the following logic:
+    
+    - Gather compliance results
+    - If compliance results are as expected, the pipeline should continue
+    - If compliance results aren't as expected, the pipeline should fail and you should start debugging
+    
+    For example, you can configure the compliance check by using other tools within
+    your particular continuous integration/continuous deployment (CI/CD) pipeline.
+    
+    At each rollout stage, the application health checks should confirm the stability of the service
+    and impact of the policy. If the results aren't as expected due to application configuration,
+    refactor the application as appropriate.
+
+4. Repeat by expanding the resource selector property values to include the next rings'
 locations and validating the expected compliance results and application health. Example selector with an added location value:
 
- ```json
+    ```json
     "resourceSelectors": [{ 
-        "name": "SDPRegions", 
-        "selectors": [{
-            "kind": "resourceLocation",
-            "in": [ "eastUS", "westUS"] 
-        }]
+      "name": "SDPRegions", 
+      "selectors": [{
+          "kind": "resourceLocation",
+          "in": [ "eastUS", "westUS"] 
+      }]
     }]
-  ```
+    ```
 
 5. Once you have successfully assigned the policy to all rings using `audit` mode,
 the pipeline should trigger a task that changes the policy effect to `deny` and reset
 the resource selectors to the location associated with _Ring 0_. Example selector with one region and effect set to deny:
 
- ```json
+    ```json
     "resourceSelectors": [{ 
-        "name": "SDPRegions", 
-        "selectors": [{
-            "kind": "resourceLocation",
-            "in": [ "eastUS" ] 
-        }]
+      "name": "SDPRegions", 
+      "selectors": [{
+          "kind": "resourceLocation",
+          "in": [ "eastUS" ] 
+      }]
     }], 
     "overrides":[{ 
-        "kind": "policyEffect", 
-        "value": "Deny" 
+      "kind": "policyEffect", 
+      "value": "Deny" 
     }] 
-  ```
+    ```
 
 6. Once the effect is changed, automated tests should check whether enforcement is taking place as
 expected.
@@ -114,7 +114,9 @@ expected.
 Steps 1-4 for policies using the `modify` or `deployIfNotExists` effects are the same as steps previously explained.
 Review the following flowchart with modified steps 5-9:
 
-:::image type="content" source="safe-deployment-practices-flowchart-2.png" alt-text="Flowchart showing steps 5 through 9 in the Azure Policy safe deployment practices workflow." border="true":::
+:::image type="content" source="../media/policy-safe-deployment-practices/safe-deployment-practices-flowchart-2.png" alt-text="Flowchart showing steps 5 through 9 in the Azure Policy safe deployment practices workflow." border="true":::
+
+Flowchart step numbers:  
 
 5. Once you've assigned the policy to all rings using `audit` mode, the pipeline should trigger
 a task that changes the policy effect to `modify` or `deployIfNotExists` and resets
@@ -131,8 +133,9 @@ as expected using compliance and application health checks.
 
 > [!NOTE]
 > For more information on Azure policy remediation tasks, read [Remediate non-compliant resources with Azure Policy](./remediate-resources.md).
+
 ## Next steps
 
-- Learn how to [programmatically create policies](./programmatically-create.md)
-- Review [Azure Policy as code workflows](../concepts/policy-as-code.md)
-- Study Microsoft's guidance concerning [safe deployment practices](/devops/operate/safe-deployment-practices)
+- Learn how to [programmatically create policies](./programmatically-create.md).
+- Review [Azure Policy as code workflows](../concepts/policy-as-code.md).
+- Study Microsoft's guidance concerning [safe deployment practices](/devops/operate/safe-deployment-practices).