Merge branch 'main' into release-migrate-new-structure

Author: v-alje

articles/application-gateway/tutorial-ingress-controller-add-on-existing.md

@@ -57,6 +57,9 @@ To configure more parameters for the above command, see [az aks create](/cli/azu
 >[!NOTE]
 >If you are planning on using AGIC with an AKS cluster using CNI Overlay, specify the parameter `--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AppGatewayWithOverlayPreview` to configure AGIC to handle connectivity to the CNI Overlay enabled cluster.
 
+>[!WARNING]
+>This document assumes Azure CNI is installed in the AKS cluster. If you are planning on using CNI Overlay, you must ensure Application Gateway and the AKS cluster are part of the same virtual network.
+
 ## Deploy a new application gateway 
 
 You'll now deploy a new application gateway, to simulate having an existing application gateway that you want to use to load balance traffic to your AKS cluster, **myCluster**. The name of the application gateway will be **myApplicationGateway**, but you'll need to first create a public IP resource, named **myPublicIp**, and a new virtual network called **myVnet** with address space 10.0.0.0/16, and a subnet with address space 10.0.0.0/24 called **mySubnet**, and deploy your application gateway in **mySubnet** using **myPublicIp**. 

articles/azure-functions/functions-bindings-signalr-service-input.md

@@ -149,7 +149,7 @@ The following table explains the properties of the `SignalRConnectionInfoInput`
 |**HubName**| Required. The hub name.  |
 |**ConnectionStringSetting**| The name of the app setting or settings collection that contains the SignalR Service connection string, which defaults to `AzureSignalRConnectionString`. |
 |**UserId**| Optional. The user identifier of a SignalR connection. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query.  |
-|**IdToken**| Optional. A JWT token whose claims will be added to the user claims. It should be used together with **ClaimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
+|**IdToken**| Optional. A JWT whose claims will be added to the user claims. It should be used together with **ClaimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
 |**ClaimTypeList**| Optional. A list of claim types, which filter the claims in **IdToken** . |
 
 # [In-process model](#tab/in-process)
@@ -161,7 +161,7 @@ The following table explains the properties of the `SignalRConnectionInfo` attri
 |**HubName**| Required. The hub name.  |
 |**ConnectionStringSetting**| The name of the app setting or settings collection that contains the SignalR Service connection string, which defaults to `AzureSignalRConnectionString`. |
 |**UserId**| Optional. The user identifier of a SignalR connection. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query.  |
-|**IdToken**| Optional. A JWT token whose claims will be added to the user claims. It should be used together with **ClaimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
+|**IdToken**| Optional. A JWT whose claims will be added to the user claims. It should be used together with **ClaimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
 |**ClaimTypeList**| Optional. A list of claim types, which filter the claims in **IdToken** . |
 
 ---
@@ -179,7 +179,7 @@ The following table explains the supported settings for the `SignalRConnectionIn
 |**hubName**| Required. The hub name.  |
 |**connectionStringSetting**| The name of the app setting or settings collection that contains the SignalR Service connection string, which defaults to `AzureSignalRConnectionString`. |
 |**userId**| Optional. The user identifier of a SignalR connection. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query.  |
-|**idToken**| Optional. A JWT token whose claims will be added to the user claims. It should be used together with **claimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
+|**idToken**| Optional. A JWT whose claims will be added to the user claims. It should be used together with **claimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
 |**claimTypeList**| Optional. A list of claim types, which filter the claims in **idToken** . |
 
 ::: zone-end
@@ -196,7 +196,7 @@ The following table explains the supported settings for the `SignalRConnectionIn
 |**hubName**| Required. The hub name.  |
 |**connectionStringSetting**| The name of the app setting or settings collection that contains the SignalR Service connection string, which defaults to `AzureSignalRConnectionString`. |
 |**userId**| Optional. The user identifier of a SignalR connection. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query.  |
-|**idToken**| Optional. A JWT token whose claims will be added to the user claims. It should be used together with **claimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
+|**idToken**| Optional. A JWT whose claims will be added to the user claims. It should be used together with **claimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
 |**claimTypeList**| Optional. A list of claim types, which filter the claims in **idToken** . |
 
 ::: zone-end
@@ -213,7 +213,7 @@ The following table explains the binding configuration properties that you set i
 |**hubName**| Required. The hub name.  |
 |**connectionStringSetting**| The name of the app setting or settings collection that contains the SignalR Service connection string, which defaults to `AzureSignalRConnectionString`. |
 |**userId**| Optional. The user identifier of a SignalR connection. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query.  |
-|**idToken**| Optional. A JWT token whose claims will be added to the user claims. It should be used together with **claimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
+|**idToken**| Optional. A JWT whose claims will be added to the user claims. It should be used together with **claimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
 |**claimTypeList**| Optional. A list of claim types, which filter the claims in **idToken** . |
 
 ::: zone-end

articles/azure-resource-manager/templates/deployment-script-template.md

@@ -61,6 +61,9 @@ For deployment script API version 2020-10-01 or later, there are two principals
             "Microsoft.Resources/deployments/*",
             "Microsoft.Resources/deploymentScripts/*"
           ],
+         "dataActions": [
+            "Microsoft.Storage/storageAccounts/fileServices/*"
+          ]
         }
       ],
       "assignableScopes": [

articles/azure-vmware/configure-azure-native-pure-storage-cloud.md

@@ -25,7 +25,7 @@ Pure Storage manages onboarding of Azure Native Pure Storage Cloud for Azure VMw
 
 For more information, see the following resources:
 
-- [Azure Native Pure Storage Cloud - Overview](https://learn.microsoft.com/azure/partner-solutions/pure-storage/overview)
+- [Azure Native Pure Storage Cloud - Overview](/azure/partner-solutions/pure-storage/overview)
 - [Azure Native Pure Storage Cloud - Deployment Guide](https://support.purestorage.com/bundle/m_azure_native_pure_storage_cloud/page/Production/Pure_Cloud_Block_Store/Azure_Native_Pure_Storage_Cloud/deployment/c_psc_deployment.html)
 - [Azure Native Pure Storage Cloud - Management Guide](https://support.purestorage.com/bundle/m_azure_native_pure_storage_cloud/page/Production/Pure_Cloud_Block_Store/Azure_Native_Pure_Storage_Cloud/management/c_psc_management.html)
 - [Azure Native Pure Storage Cloud - Troubleshooting Guide](https://support.purestorage.com/bundle/m_azure_native_pure_storage_cloud/page/Production/Pure_Cloud_Block_Store/Azure_Native_Pure_Storage_Cloud/troubleshooting/c_troubleshooting.html)

articles/azure-web-pubsub/policy-definitions.md

@@ -1,8 +1,8 @@
 ---
 title: Built-in policy definitions for Azure Web PubSub
 description: Lists Azure Policy built-in policy definitions for Azure Web PubSub. These built-in policy definitions provide common approaches to managing your Azure resources.
-author: cebundy
-ms.author: v-catherbund
+author: yjin81
+ms.author: yajin1
 ms.date: 01/03/2022
 ms.topic: reference
 ms.service: azure-web-pubsub
@@ -27,4 +27,4 @@ the link in the **Version** column to view the source on the
 
 - See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).
 - Review the [Azure Policy definition structure](../governance/policy/concepts/definition-structure.md).
-- Review [Understanding policy effects](../governance/policy/concepts/effects.md).
+- Review [Understanding policy effects](../governance/policy/concepts/effects.md).

articles/communication-services/how-tos/call-automation/includes/secure-webhook-endpoint-java.md

@@ -35,9 +35,9 @@ Each mid-call webhook callback sent by Call Automation uses a signed JSON Web To
 ```
 
 4. Configure your application to validate the JWT and the configuration of your Azure Communication Services resource. You need the `audience` values as it is present in the JWT payload.
-5. Validate the issuer, audience and the JWT token.
+5. Validate the issuer, audience and the JWT.
    - The audience is your Azure Communication Services resource ID you used to set up your Call Automation client. Refer [here](../../../quickstarts/voice-video-calling/get-resource-id.md) about how to get it.
-   - The JSON Web Key Set (JWKS) endpoint in the OpenId configuration contains the keys used to validate the JWT token. When the signature is valid and the token hasn't expired (within 5 minutes of generation), the client can use the token for authorization.
+   - The JSON Web Key Set (JWKS) endpoint in the OpenId configuration contains the keys used to validate the JWT. When the signature is valid and the token hasn't expired (within 5 minutes of generation), the client can use the token for authorization.
 
 This sample code demonstrates how to configure OIDC client to validate webhook payload using JWT
 

articles/communication-services/how-tos/call-automation/includes/secure-webhook-endpoint-javascript.md

@@ -26,9 +26,9 @@ npm install express jwks-rsa jsonwebtoken
 ```
 
 3. Configure your application to validate the JWT and the configuration of your Azure Communication Services resource. You need the `audience` values as it is present in the JWT payload.
-4. Validate the issuer, audience and the JWT token.
+4. Validate the issuer, audience and the JWT.
    - The audience is your Azure Communication Services resource ID you used to set up your Call Automation client. Refer [here](../../../quickstarts/voice-video-calling/get-resource-id.md) about how to get it.
-   - The JSON Web Key Set (JWKS) endpoint in the OpenId configuration contains the keys used to validate the JWT token. When the signature is valid and the token hasn't expired (within 5 minutes of generation), the client can use the token for authorization.
+   - The JSON Web Key Set (JWKS) endpoint in the OpenId configuration contains the keys used to validate the JWT. When the signature is valid and the token hasn't expired (within 5 minutes of generation), the client can use the token for authorization.
 
 This sample code demonstrates how to configure OIDC client to validate webhook payload using JWT
 

articles/communication-services/how-tos/call-automation/includes/secure-webhook-endpoint-python.md

@@ -25,9 +25,9 @@ pip install flask pyjwt
 ```
 
 3. Configure your application to validate the JWT and the configuration of your Azure Communication Services resource. You need the `audience` values as it is present in the JWT payload.
-4. Validate the issuer, audience and the JWT token.
+4. Validate the issuer, audience and the JWT.
    - The audience is your Azure Communication Services resource ID you used to set up your Call Automation client. Refer [here](../../../quickstarts/voice-video-calling/get-resource-id.md) about how to get it.
-   - The JSON Web Key Set (JWKS) endpoint in the OpenId configuration contains the keys used to validate the JWT token. When the signature is valid and the token hasn't expired (within 5 minutes of generation), the client can use the token for authorization.
+   - The JSON Web Key Set (JWKS) endpoint in the OpenId configuration contains the keys used to validate the JWT. When the signature is valid and the token hasn't expired (within 5 minutes of generation), the client can use the token for authorization.
 
 This sample code demonstrates how to configure OIDC client to validate webhook payload using JWT
 

articles/confidential-computing/skr-flow-confidential-vm-sev-snp.md

@@ -689,7 +689,7 @@ $cert | Format-List *
 # Subject              : CN=vault.azure.net, O=Microsoft Corporation, L=Redmond, S=WA, C=US
 ```
 
-The response's JWT token body looks incredibly similar to the response that you get when invoking the `get` key operation. However, the `release` operation includes the `key_hsm` property, amongst other things.
+The response's JWT body looks incredibly similar to the response that you get when invoking the `get` key operation. However, the `release` operation includes the `key_hsm` property, amongst other things.
 
 ```json
 {

articles/cost-management-billing/costs/understand-work-scopes.md

@@ -46,10 +46,10 @@ Azure supports three scopes for resource management. Each scope supports managin
 
     Resource type: [Microsoft.Resources/subscriptions](/rest/api/resources/subscriptions)
 
-- [**Resource groups**](../../azure-resource-manager/management/overview.md#resource-groups) - Logical groupings of related resources for an Azure solution that share the same lifecycle. For example resources that are deployed and deleted together.
+- **[Resource groups](../../azure-resource-manager/management/overview.md#resource-groups)** - Logical groupings of related resources for an Azure solution that share the same lifecycle. For example resources that are deployed and deleted together.
 
     Resource type: [Microsoft.Resources/subscriptions/resourceGroups](/rest/api/resources/resourcegroups)
-
+  
 Management groups allow you to organize subscriptions into a hierarchy. For example, you might create a logical organization hierarchy using management groups. Then, give teams subscriptions for production and dev/test workloads. And then create resource groups in the subscriptions to manage each subsystem or component.
 
 Creating an organizational hierarchy allows cost and policy compliance to roll up organizationally. Then, each leader can view and analyze their current costs. And then they can create budgets to curb bad spending patterns and optimize costs with Advisor recommendations at the lowest level.
@@ -78,6 +78,36 @@ Management groups are only supported if they contain up to 3,000 Enterprise Agre
 
 If you have a mix of subscriptions, move the unsupported subscriptions to a separate arm of the management group hierarchy to enable Cost Management for the supported subscriptions. As an example, create two management groups under the root management group: **Microsoft Entra ID** and **My Org**. Move your Microsoft Entra subscription to the **Microsoft Entra ID** management group and then view and manage costs using the **My Org** management group.
 
+### Managed resource groups 
+
+Managed resource groups created by certain resource providers - such as Azure Red Hat OpenShift (ARO) or Azure Databricks - can't be used as scopes for Cost Management features like budgets or exports. These resource groups typically include deny assignments that restrict modifications to protect critical resources, which can result in authorization errors. For more information on deny assignments, please refer to [List Azure deny assignments](/azure/role-based-access-control/deny-assignments?tabs=azure-portal).
+
+To avoid these issues, use a higher-level scope such as the subscription scope which contains this managed resource group when configuring budgets or exports.
+
+#### Required permissions for exports at RBAC scope
+
+- Microsoft.CostManagement/exports/Read – View exports
+
+- Microsoft.CostManagement/exports/Write – Create or update exports
+
+- Microsoft.CostManagement/exports/Delete – Delete exports
+
+- Microsoft.CostManagement/exports/Action – Run export
+
+*Note: Deny assignments can result in permission errors, so please check even with these permissions if there are any deny assignments at this scope.*
+
+#### Required permissions for budgets at RBAC scope
+
+- Microsoft.Consumption/budgets/Read – View budgets
+
+- Microsoft.Consumption/budgets/Write – Create or update budgets
+
+- Microsoft.Consumption/budgets/Delete – Delete budgets
+
+- (Optional) Microsoft.Insights/actionGroups/Read – If action groups are configured for alerts
+
+*Note: Deny assignments can result in permission errors, so please check even with these permissions if there are any deny assignments at this scope.*
+
 ### Feature behavior for each role
 
 The following table shows how Cost Management features are used by each role. The following behavior is applicable to all Azure RBAC scopes.