Merge pull request #205383 from MicrosoftDocs/repo_sync_working_branch

TimShererWithAquent · web-flow · commit 51f9454fe0e4 · 2022-07-20T22:06:29.000Z
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)
diff --git a/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md b/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md
@@ -399,6 +399,20 @@ Another MFA-related error message is the one described previously: "Your credent
 
 ![Screenshot of the message that says your credentials didn't work.](./media/howto-vm-sign-in-azure-ad-windows/your-credentials-did-not-work.png)
 
+If you've configured a legacy per-user **Enabled/Enforced Azure AD Multi-Factor Authentication** setting and you see the error above, you can resolve the problem by removing the per-user MFA setting through these commands:
+
+```
+# Get StrongAuthenticationRequirements configure on a user
+(Get-MsolUser -UserPrincipalName username@contoso.com).StrongAuthenticationRequirements
+ 
+# Clear StrongAuthenticationRequirements from a user
+$mfa = @()
+Set-MsolUser -UserPrincipalName username@contoso.com -StrongAuthenticationRequirements $mfa
+ 
+# Verify StrongAuthenticationRequirements are cleared from the user
+(Get-MsolUser -UserPrincipalName username@contoso.com).StrongAuthenticationRequirements
+```
+
 If you haven't deployed Windows Hello for Business and if that isn't an option for now, you can configure a Conditional Access policy that excludes the Azure Windows VM Sign-In app from the list of cloud apps that require MFA. To learn more about Windows Hello for Business, see [Windows Hello for Business overview](/windows/security/identity-protection/hello-for-business/hello-identity-verification).
 
 > [!NOTE]
diff --git a/articles/active-directory/fundamentals/5-secure-access-b2b.md b/articles/active-directory/fundamentals/5-secure-access-b2b.md
@@ -84,6 +84,8 @@ Some organizations use a list of known ‘bad actor’ domains provided by their
 
 You can control both inbound and outbound access using Cross Tenant Access Settings. In addition, you can trust MFA, Compliant device, and hybrid Azure Active Directory joined device (HAADJ) claims from all or a subset of external Azure AD tenants. When you configure an organization specific policy, it applies to the entire Azure AD tenant and will cover all users from that tenant regardless of the user’s domain suffix. 
 
+You can enable collaboration across Microsoft clouds such as Microsoft Azure China 21Vianet or Microsoft Azure Government with additional configuration. Determine if any of your collaboration partners reside in a different Microsoft cloud. If so, you should [enable collaboration with these partners using Cross Tenant Access Settings](/azure/active-directory/external-identities/cross-cloud-settings).
+
 If you wish to allow inbound access to only specific tenants (allowlist), you can set the default policy to block access and then create organization policies to granularly allow access on a per user, group, and application basis.
 
 If you wish to block access to specific tenants (blocklist), you can set the default policy as allow and then create organization policies that block access to those specific tenants. 
@@ -254,4 +256,4 @@ See the following articles on securing external access to resources. We recommen
 
 8. [Secure access with Sensitivity labels](8-secure-access-sensitivity-labels.md)
 
-9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)
+9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)
diff --git a/articles/application-gateway/configuration-http-settings.md b/articles/application-gateway/configuration-http-settings.md
@@ -46,6 +46,12 @@ This setting combined with HTTPS in the listener supports [end-to-end TLS](ssl-o
 
 This setting specifies the port where the back-end servers listen to traffic from the application gateway. You can configure ports ranging from 1 to 65535.
 
+## Trusted root certificate 
+
+If you select HTTPS as the back-end protocol, the Application Gateway requires a trusted root certificate to trust the back-end pool for end-to-end SSL. By default, the **Use well known CA certificate** option is set to **No**. If you plan to use a self-signed certificate, or a certificate signed by an internal Certificate Authority, then you must provide the Application Gateway the matching public certificate that the back-end pool will be using. This certificate must be uploaded directly to the Application Gateway in .CER format.
+
+If you plan to use a certificate on the back-end pool that is signed by a trusted public Certificate Authority, then you can set the **Use well known CA certificate** option to **Yes** and skip uploading a public certificate.
+
 ## Request timeout
 
 This setting is the number of seconds that the application gateway waits to receive a response from the back-end server.
diff --git a/articles/application-gateway/overview-v2.md b/articles/application-gateway/overview-v2.md
@@ -85,6 +85,7 @@ The following table compares the features available with each SKU.
 | WebSocket support                                 | &#x2713; | &#x2713; |
 | HTTP/2 support                                    | &#x2713; | &#x2713; |
 | Connection draining                               | &#x2713; | &#x2713; |
+| Proxy NTML authentication                         | &#x2713; |          |
 
 > [!NOTE]
 > The autoscaling v2 SKU now supports [default health probes](application-gateway-probe-overview.md#default-health-probe) to automatically monitor the health of all resources in its back-end pool and highlight those backend members that are considered unhealthy. The default health probe is automatically configured for backends that don't have any custom probe configuration. To learn more, see [health probes in application gateway](application-gateway-probe-overview.md).
diff --git a/articles/application-gateway/private-link-configure.md b/articles/application-gateway/private-link-configure.md
@@ -51,6 +51,7 @@ The Private link configuration defines the infrastructure used by Application Ga
    - **Frontend IP Configuration**: The frontend IP address that private link should forward traffic to on Application Gateway.
    - **Private IP address settings**: specify at least one IP address
 1. Select **Add**.
+1. Within your **Application Gateways** properties blade, obtain and make a note of the **Resource ID**, you will require this if setting up a Private Endpoint within a diffrerent Azure AD tenant
 
 **Configure Private Endpoint**
 
@@ -67,6 +68,9 @@ A private endpoint is a network interface that uses a private IP address from th
 > [!Note]
 > If the public or private IP configuration resource is missing when trying to select a _Target sub-resource_ on the _Resource_ tab of private endpoint creation, please ensure a listener is actively utilizing the respected frontend IP configuration. Frontend IP configurations without an associated listener will not be shown as a _Target sub-resource_.
 
+> [!Note]
+> If you are setting up the **Private Endpoint** from within another tenant, you will need to utilise the Azure Application Gateway Resource ID, along with sub-resource as either _appGwPublicFrontendIp_ or _appGwPrivateFrontendIp_, depending upon your Azure Application Gateway Private Link Frontend IP Configuration.
+
 # [Azure PowerShell](#tab/powershell)
 
 To configure Private link on an existing Application Gateway via Azure PowerShell, the following commands can be referenced:
diff --git a/articles/application-gateway/quick-create-cli.md b/articles/application-gateway/quick-create-cli.md
@@ -153,7 +153,8 @@ az network application-gateway create \
   --public-ip-address myAGPublicIPAddress \
   --vnet-name myVNet \
   --subnet myAGSubnet \
-  --servers "$address1" "$address2"
+  --servers "$address1" "$address2" \
+  --priority 100
 ```
 
 It can take up to 30 minutes for Azure to create the application gateway. After it's created, you can view the following settings in the **Settings** section of the **Application gateway** page:
diff --git a/articles/healthcare-apis/fhir/using-rest-client.md b/articles/healthcare-apis/fhir/using-rest-client.md
@@ -53,7 +53,7 @@ The line starting with `@name` contains a variable that captures the HTTP respon
 
 ```
 ### Get access token 
-@name getAADToken 
+# @name getAADToken 
 POST https://login.microsoftonline.com/{{tenantid}}/oauth2/token
 Content-Type: application/x-www-form-urlencoded
 
diff --git a/articles/machine-learning/how-to-configure-network-isolation-with-v2.md b/articles/machine-learning/how-to-configure-network-isolation-with-v2.md
@@ -100,11 +100,15 @@ ws.update(v1_legacy_mode=false)
 
 # [Azure CLI extension v1](#tab/azurecliextensionv1)
 
-The Azure CLI [extension v1 for machine learning](reference-azure-machine-learning-cli.md) provides the [az ml workspace update](/cli/azure/ml(v1)/workspace#az-ml(v1)-workspace-update) command. To enable the parameter for a workspace, add the parameter `--v1-legacy-mode true`.
+The Azure CLI [extension v1 for machine learning](reference-azure-machine-learning-cli.md) provides the [az ml workspace update](/cli/azure/ml(v1)/workspace#az-ml(v1)-workspace-update) command. To disable the parameter for a workspace, add the parameter `--v1-legacy-mode False`.
 
 > [!IMPORTANT]
 > The `v1-legacy-mode` parameter is only available in version 1.41.0 or newer of the Azure CLI extension for machine learning v1 (`azure-cli-ml`). Use the `az version` command to view version information.
 
+```azurecli
+az ml workspace update -g <myresourcegroup> -w <myworkspace> --v1-legacy-mode False
+```
+
 The return value of the `az ml workspace update` command may not show the updated value. To view the current state of the parameter, use the following command:
  
 ```azurecli
@@ -116,4 +120,4 @@ az ml workspace show -g <myresourcegroup> -w <myworkspace> --query v1LegacyMode
 ## Next steps
 
 * [Use a private endpoint with Azure Machine Learning workspace](how-to-configure-private-link.md).
-* [Create private link for managing Azure resources](../azure-resource-manager/management/create-private-link-access-portal.md).
+* [Create private link for managing Azure resources](../azure-resource-manager/management/create-private-link-access-portal.md).
diff --git a/articles/machine-learning/how-to-network-security-overview.md b/articles/machine-learning/how-to-network-security-overview.md
@@ -121,7 +121,7 @@ In this section, you learn how to secure the training environment in Azure Machi
 To secure the training environment, use the following steps:
 
 1. Create an Azure Machine Learning [compute instance and computer cluster in the virtual network](how-to-secure-training-vnet.md#compute-cluster) to run the training job.
-1. If your compute cluster or compute instance does not use a public IP address, you must [Allow inbound communication](how-to-secure-training-vnet.md#required-public-internet-access) so that management services can submit jobs to your compute resources. 
+1. If your compute cluster or compute instance uses a public IP address, you must [Allow inbound communication](how-to-secure-training-vnet.md#required-public-internet-access) so that management services can submit jobs to your compute resources. 
 
     > [!TIP]
     > Compute cluster and compute instance can be created with or without a public IP address. If created with a public IP address, you get a load balancer with a public IP to accept the inbound access from Azure batch service and Azure Machine Learning service. You need to configure User Defined Routing (UDR) if you use a firewall. If created without a public IP, you get a private link service to accept the inbound access from Azure batch service and Azure Machine Learning service without a public IP.
diff --git a/articles/machine-learning/how-to-train-distributed-gpu.md b/articles/machine-learning/how-to-train-distributed-gpu.md
@@ -255,55 +255,66 @@ run = Experiment(ws, 'experiment_name').submit(run_config)
 
 [PyTorch Lightning](https://pytorch-lightning.readthedocs.io/en/stable/) is a lightweight open-source library that provides a high-level interface for PyTorch. Lightning abstracts away many of the lower-level distributed training configurations required for vanilla PyTorch. Lightning allows you to run your training scripts in single GPU, single-node multi-GPU, and multi-node multi-GPU settings. Behind the scene, it launches multiple processes for you similar to `torch.distributed.launch`.
 
-For single-node training (including single-node multi-GPU), you can run your code on Azure ML without needing to specify a `distributed_job_config`. For multi-node training, Lightning requires the following environment variables to be set on each node of your training cluster:
+For single-node training (including single-node multi-GPU), you can run your code on Azure ML without needing to specify a `distributed_job_config`. 
+To run an experiment using multiple nodes with multiple GPUs, there are 2 options:
 
-- MASTER_ADDR
-- MASTER_PORT
-- NODE_RANK
+- Using PyTorch configuration (recommended): Define `PyTorchConfiguration` and specify `communication_backend="Nccl"`, `node_count`, and `process_count` (note that this is the total number of processes, ie, `num_nodes * process_count_per_node`). In Lightning Trainer module, specify both `num_nodes` and `gpus` to be consistent with `PyTorchConfiguration`. For example, `num_nodes = node_count` and `gpus = process_count_per_node`.
 
-To run multi-node Lightning training on Azure ML, follow the [per-node-launch](#per-node-launch) guidance, but note that currently, the `ddp` strategy works only when you run an experiment using multiple nodes, with one GPU per node.
+- Using MPI Configuration: 
 
-To run an experiment using multiple nodes with multiple GPUs:
-
-- Define `MpiConfiguration` and specify `node_count`. Don't specify `process_count` because Lightning internally handles launching the worker processes for each node.
-- For PyTorch jobs, Azure ML handles setting the MASTER_ADDR, MASTER_PORT, and NODE_RANK environment variables that Lightning requires:
+   - Define `MpiConfiguration` and specify both `node_count` and `process_count_per_node`. In Lightning Trainer, specify both `num_nodes` and `gpus` to be respectively the same as `node_count` and `process_count_per_node` from `MpiConfiguration`. 
+   - For multi-node training with MPI, Lightning requires the following environment variables to be set on each node of your training cluster:
+      - MASTER_ADDR
+      - MASTER_PORT
+      - NODE_RANK
+      - LOCAL_RANK
+      
+      Manually set these environment variables that Lightning requires in the main training scripts:
 
    ```python
    import os
+   from argparse import ArgumentParser
 
-   def set_environment_variables_for_nccl_backend(single_node=False, master_port=6105):
-       if not single_node:
-           master_node_params = os.environ["AZ_BATCH_MASTER_NODE"].split(":")
-           os.environ["MASTER_ADDR"] = master_node_params[0]
-
-           # Do not overwrite master port with that defined in AZ_BATCH_MASTER_NODE
-           if "MASTER_PORT" not in os.environ:
-               os.environ["MASTER_PORT"] = str(master_port)
+   def set_environment_variables_for_mpi(num_nodes, gpus_per_node, master_port=54965):
+       if num_nodes > 1:
+           os.environ["MASTER_ADDR"], os.environ["MASTER_PORT"] = os.environ["AZ_BATCH_MASTER_NODE"].split(":")
        else:
            os.environ["MASTER_ADDR"] = os.environ["AZ_BATCHAI_MPI_MASTER_NODE"]
-           os.environ["MASTER_PORT"] = "54965"
+           os.environ["MASTER_PORT"] = str(master_port)
 
-       os.environ["NCCL_SOCKET_IFNAME"] = "^docker0,lo"
        try:
-           os.environ["NODE_RANK"] = os.environ["OMPI_COMM_WORLD_RANK"]
+           os.environ["NODE_RANK"] = str(int(os.environ.get("OMPI_COMM_WORLD_RANK")) // gpus_per_node)
            # additional variables
            os.environ["MASTER_ADDRESS"] = os.environ["MASTER_ADDR"]
            os.environ["LOCAL_RANK"] = os.environ["OMPI_COMM_WORLD_LOCAL_RANK"]
            os.environ["WORLD_SIZE"] = os.environ["OMPI_COMM_WORLD_SIZE"]
        except:
            # fails when used with pytorch configuration instead of mpi
            pass
+           
+   if __name__ == "__main__":
+       parser = ArgumentParser()
+       parser.add_argument("--num_nodes", type=int, required=True)
+       parser.add_argument("--gpus_per_node", type=int, required=True)
+       args = parser.parse_args()
+       set_environment_variables_for_mpi(args.num_nodes, args.gpus_per_node)
+       
+       trainer = Trainer(
+        num_nodes=args.num_nodes,
+        gpus=args.gpus_per_node
+    )
    ```
 
-- Lightning handles computing the world size from the Trainer flags `--gpus` and `--num_nodes` and manages rank and local rank internally:
+     Lightning handles computing the world size from the Trainer flags `--gpus` and `--num_nodes`.
 
    ```python
    from azureml.core import ScriptRunConfig, Experiment
    from azureml.core.runconfig import MpiConfiguration
 
    nnodes = 2
-   args = ['--max_epochs', 50, '--gpus', 2, '--accelerator', 'ddp_spawn', '--num_nodes', nnodes]
-   distr_config = MpiConfiguration(node_count=nnodes)
+   gpus_per_node = 4
+   args = ['--max_epochs', 50, '--gpus_per_node', gpus_per_node, '--accelerator', 'ddp', '--num_nodes', nnodes]
+   distr_config = MpiConfiguration(node_count=nnodes, process_count_per_node=gpus_per_node)
 
    run_config = ScriptRunConfig(
      source_directory='./src',
diff --git a/articles/service-fabric/service-fabric-reliable-actors-enumerate.md b/articles/service-fabric/service-fabric-reliable-actors-enumerate.md
@@ -10,7 +10,7 @@ ms.date: 07/11/2022
 ---
 
 # Enumerate Service Fabric Reliable Actors
-The Reliable Actors service allows a client to enumerate metadata about the actors that the service is hosting. Because the actor service is a partitioned stateful service, enumeration is performed per partition. Because each partition might contain many actors, the enumeration is returned as a set of paged results. The pages are looped over until all pages are read. The following example shows how to create a list of all active actors in one partition of an actor service:
+The Reliable Actors service allows a client to enumerate metadata about the actors that the service is hosting. Because the actor service is a partitioned stateful service, enumeration is performed per partition. Because each partition might contain many actors, the enumeration is returned as a set of paged results. The pages are looped over until all pages are read. The following example shows how to create a list of all [active](service-fabric-reliable-actors-lifecycle.md) actors in one partition of an actor service:
 
 ```csharp
 IActorService actorServiceProxy = ActorServiceProxy.Create(
diff --git a/articles/storage/blobs/access-tiers-overview.md b/articles/storage/blobs/access-tiers-overview.md
@@ -22,6 +22,9 @@ Data stored in the cloud grows at an exponential pace. To manage costs for your
 
 Azure storage capacity limits are set at the account level, rather than according to access tier. You can choose to maximize your capacity usage in one tier, or to distribute capacity across two or more tiers.
 
+> [!NOTE]
+> Setting the access tier is only allowed on Block Blobs. They are not supported for Append and Page Blobs.
+
 ## Online access tiers
 
 When your data is stored in an online access tier (either Hot or Cool), users can access it immediately. The Hot tier is the best choice for data that is in active use, while the Cool tier is ideal for data that is accessed less frequently, but that still must be available for reading and writing.
diff --git a/articles/synapse-analytics/spark/apache-spark-secure-credentials-with-tokenlibrary.md b/articles/synapse-analytics/spark/apache-spark-secure-credentials-with-tokenlibrary.md
diff --git a/includes/aml-create-in-portal.md b/includes/aml-create-in-portal.md
diff --git a/includes/media/aml-create-in-portal/azure-machine-learning.png b/includes/media/aml-create-in-portal/azure-machine-learning.png
