Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into erdirectportal

Author: duongau

articles/application-gateway/tutorial-protect-application-gateway.md

@@ -16,7 +16,7 @@ ms.custom: template tutorial
 This article helps you create an Azure Application Gateway with a DDoS protected virtual network. Azure DDoS Protection Standard enables enhanced DDoS mitigation capabilities such as adaptive tuning, attack alert notifications, and monitoring to protect your application gateways from large scale DDoS attacks.
 
 > [!IMPORTANT]
-> Azure DDoS protection Standard incurs a cost per public IP address in the virtual network where you enable the service. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For more information about Azure DDoS protection, see [What is Azure DDoS Protection?](/azure/ddos-protection/ddos-protection-overview).
+> Azure DDoS protection Standard incurs a cost per public IP address in the virtual network where you enable the service. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For information about pricing, see [Azure DDoS Protection Pricing](https://azure.microsoft.com/pricing/details/ddos-protection/). For more information about Azure DDoS protection, see [What is Azure DDoS Protection?](/azure/ddos-protection/ddos-protection-overview).
 
 In this tutorial, you learn how to:
 

articles/bastion/tutorial-protect-bastion-host.md

@@ -18,7 +18,7 @@ In this tutorial, you deploy Bastion using the Standard SKU tier and adjust host
 Azure Bastion is a PaaS service that's maintained for you, not a bastion host that you install on one of your VMs and maintain yourself. For more information about Azure Bastion, see [What is Azure Bastion?](bastion-overview.md)
 
 > [!IMPORTANT]
-> Azure DDoS protection Standard incurs a cost per public IP address in the virtual network where you enable the service. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For more information about Azure DDoS protection, see [What is Azure DDoS Protection?](/azure/ddos-protection/ddos-protection-overview).
+> Azure DDoS protection Standard incurs a cost per public IP address in the virtual network where you enable the service. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For information about pricing, see [Azure DDoS Protection Pricing](https://azure.microsoft.com/pricing/details/ddos-protection/). For more information about Azure DDoS protection, see [What is Azure DDoS Protection?](/azure/ddos-protection/ddos-protection-overview).
 
 In this tutorial, you'll learn how to:
 

articles/defender-for-cloud/continuous-export.md

@@ -248,6 +248,10 @@ Continuous export can be helpful in to prepare for BCDR scenarios where the targ
 
 Learn more in [Azure Event Hubs - Geo-disaster recovery](../event-hubs/event-hubs-geo-dr.md).
 
+### What is the minimum SAS policy permissions required when exporting data to Azure Event Hub?
+
+**Send** is the minimum SAS policy permissions required. For step-by-step instructions, see **Step 1. Create an Event Hubs namespace and event hub with send permissions** in [this article](./export-to-splunk-or-qradar.md#step-1-create-an-event-hubs-namespace-and-event-hub-with-send-permissions).
+
 ## Next steps
 
 In this article, you learned how to configure continuous exports of your recommendations and alerts. You also learned how to download your alerts data as a CSV file.

articles/healthcare-apis/iot/deploy-new-bicep-powershell-cli.md

@@ -5,7 +5,7 @@ author: msjasteppe
 ms.service: healthcare-apis
 ms.subservice: fhir
 ms.topic: quickstart
-ms.date: 12/16/2022
+ms.date: 12/27/2022
 ms.author: jasteppe
 ---
 
@@ -168,15 +168,15 @@ When deployment is completed, the following resources and access roles are creat
 
 - Azure Event Hubs namespace and device message event hub. In this deployment, the device message event hub is named *devicedata*.
 
-- An event hub consumer group. In this deployment, the consumer group is named *$Default*.
+  - An event hub consumer group. In this deployment, the consumer group is named *$Default*.
 
-- The Azure Event Hubs Data Sender role. In this deployment, the sender role is named *devicedatasender*.
+  - An Azure Event Hubs Data Sender role. In this deployment, the sender role is named *devicedatasender* and can be used to provide access to the device event hub using a shared access signature (SAS). To learn more about authorizing access using a SAS, see [Authorizing access to Event Hubs resources using Shared Access Signatures](/azure/event-hubs/authorize-access-shared-access-signature). 
 
 - A Health Data Services workspace.
 
 - A Health Data Services Fast Healthcare Interoperability Resources (FHIR®) service.
 
-- An instance of the MedTech service for Health Data Services, with the required [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) roles:
+- A Health Data Services MedTech service with the required [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) roles:
 
   - For the device message event hub, the Azure Events Hubs Data Receiver role is assigned in the [Access control section (IAM)](../../role-based-access-control/overview.md) of the device message event hub.
 

articles/healthcare-apis/iot/deploy-new-button.md

@@ -5,7 +5,7 @@ author: msjasteppe
 ms.service: healthcare-apis
 ms.subservice: fhir
 ms.topic: quickstart
-ms.date: 12/16/2022
+ms.date: 12/27/2022
 ms.author: jasteppe
 ---
 
@@ -98,15 +98,15 @@ When deployment is completed, the following resources and access roles are creat
 
 - Azure Event Hubs namespace and device message event hub. In this deployment, the device message event hub is named *devicedata*.
 
-- An event hub consumer group. In this deployment, the consumer group is named *$Default*.
+  - An event hub consumer group. In this deployment, the consumer group is named *$Default*.
 
-- The Azure Event Hubs Data Sender role. In this deployment, the sender role is named *devicedatasender*.
+  - An Azure Event Hubs Data Sender role. In this deployment, the sender role is named *devicedatasender* and can be used to provide access to the device event hub using a shared access signature (SAS). To learn more about authorizing access using a SAS, see [Authorizing access to Event Hubs resources using Shared Access Signatures](/azure/event-hubs/authorize-access-shared-access-signature).
 
 - A Health Data Services workspace.
 
 - A Health Data Services Fast Healthcare Interoperability Resources (FHIR®) service.
 
-- An instance of the MedTech service for Health Data Services, with the required [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) roles:
+- A Health Data Services MedTech service with the required [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) roles:
 
   - For the device message event hub, the Azure Events Hubs Data Receiver role is assigned in the [Access control section (IAM)](../../role-based-access-control/overview.md) of the device message event hub.
 

articles/healthcare-apis/iot/deploy-new-powershell-cli.md

@@ -5,7 +5,7 @@ author: msjasteppe
 ms.service: healthcare-apis
 ms.subservice: fhir
 ms.topic: quickstart
-ms.date: 12/16/2022
+ms.date: 12/27/2022
 ms.author: jasteppe
 ---
 
@@ -161,15 +161,15 @@ When deployment is completed, the following resources and access roles are creat
 
 - Azure Event Hubs namespace and device message event hub. In this deployment, the device message event hub is named *devicedata*.
 
-- An event hub consumer group. In this deployment, the consumer group is named *$Default*.
+  - An event hub consumer group. In this deployment, the consumer group is named *$Default*.
 
-- The Azure Event Hubs Data Sender role. In this deployment, the sender role is named *devicedatasender*.
+  - An Azure Event Hubs Data Sender role. In this deployment, the sender role is named *devicedatasender* and can be used to provide access to the device event hub using a shared access signature (SAS). To learn more about authorizing access using a SAS, see [Authorizing access to Event Hubs resources using Shared Access Signatures](/azure/event-hubs/authorize-access-shared-access-signature).
 
 - A Health Data Services workspace.
 
 - A Health Data Services Fast Healthcare Interoperability Resources (FHIR®) service.
 
-- An instance of the MedTech service for Health Data Services, with the required [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) roles:
+- A Health Data Services MedTech service with the required [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) roles:
 
   - For the device message event hub, the Azure Events Hubs Data Receiver role is assigned in the [Access control section (IAM)](../../role-based-access-control/overview.md) of the device message event hub.
 

articles/healthcare-apis/iot/device-data-through-iot-hub.md

@@ -6,7 +6,7 @@ author: msjasteppe
 ms.service: healthcare-apis
 ms.subservice: iomt
 ms.topic: tutorial 
-ms.date: 12/22/2022
+ms.date: 12/27/2022
 ms.author: jasteppe
 ---
 
@@ -117,9 +117,9 @@ When deployment is completed, the following resources and access roles are creat
 
 - An Azure Event Hubs namespace and a device message event hub. In this deployment, the event hub is named *devicedata*.
 
-- An event hub consumer group. In this deployment, the consumer group is named *$Default*.
+  - An event hub consumer group. In this deployment, the consumer group is named *$Default*.
 
-- An Azure Event Hubs Data Sender role. In this deployment, the role is named *devicedatasender*. The Azure Event Hubs Data Sender role isn't used in this tutorial.
+  - An Azure Event Hubs Data Sender role. In this deployment, the sender role is named *devicedatasender* and can be used to provide access to the device event hub using a shared access signature (SAS). To learn more about authorizing access using a SAS, see [Authorizing access to Event Hubs resources using Shared Access Signatures](/azure/event-hubs/authorize-access-shared-access-signature). The Azure Event Hubs Data Sender role isn't used in this tutorial.
 
 - An Azure IoT Hub with [message routing](../../iot-hub/iot-hub-devguide-messages-d2c.md) configured to send device messages to the device message event hub.
 
@@ -129,7 +129,7 @@ When deployment is completed, the following resources and access roles are creat
 
 - A Health Data Services FHIR service.
 
-- A Health Data Services MedTech service with the required [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) access roles:
+- A Health Data Services MedTech service with the required [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) roles:
 
   - For the device message event hub, the Azure Events Hubs Data Receiver role is assigned in the [Access control section (IAM)](../../role-based-access-control/overview.md) of the device message event hub.
 

articles/key-vault/general/monitor-key-vault.md

@@ -83,6 +83,17 @@ For a list of the tables used by Azure Monitor Logs and queryable by Log Analyti
 
 Here are some queries that you can enter into the **Log search** bar to help you monitor your Key Vault resources. These queries work with the [new language](../../azure-monitor/logs/log-query-overview.md).
 
+* Are there any clients using old TLS version (<1.2)?
+
+    ```kusto
+    AzureDiagnostics
+    | where TimeGenerated > ago(90d) 
+    | where ResourceProvider =="MICROSOFT.KEYVAULT" 
+    | where isnotempty(tlsVersion_s) and strcmp(tlsVersion_s,"TLS1_2") <0
+    | project TimeGenerated,Resource, OperationName, requestUri_s, CallerIPAddress, OperationVersion,clientInfo_s,tlsVersion_s,todouble(tlsVersion_s)
+    | sort by TimeGenerated desc
+    ```
+
 * Are there any slow requests?
 
     ```Kusto

articles/key-vault/general/rbac-migration.md

@@ -27,7 +27,7 @@ Azure RBAC key benefits over vault access policies:
 Azure RBAC disadvantages:
 - Latency for role assignments - it can take several minutes for role assignments to be applied. Vault access policies are assigned instantly.
 - Limited number of role assignments - Azure RBAC allows only 2000 roles assignments across all services per subscription versus 1024 access policies per Key Vault
--Not able to fetch SSL certificates for an app service when used. [configure ssl certificate](../../app-service/configure-ssl-certificate.md)
+- Not able to fetch SSL certificates for an app service when used. [configure ssl certificate](../../app-service/configure-ssl-certificate.md)
 
 ## Access policies to Azure roles mapping
 

articles/key-vault/general/security-features.md

@@ -38,7 +38,7 @@ Azure Private Link Service enables you to access Azure Key Vault and Azure hoste
 - Despite known vulnerabilities in TLS protocol, there is no known attack that would allow a malicious agent to extract any information from your key vault when the attacker initiates a connection with a TLS version that has vulnerabilities. The attacker would still need to authenticate and authorize itself, and as long as legitimate clients always connect with recent TLS versions, there is no way that credentials could have been leaked from vulnerabilities at old TLS versions.
 
 > [!NOTE]
-> For Azure Key Vault, ensure that the application accessing the Keyvault service should be running on a platform that supports TLS 1.2 or recent version. If the application is dependent on .Net framework, it should be updated as well. You can also make the registry changes mentioned in [this article](/troubleshoot/azure/active-directory/enable-support-tls-environment) to explicitly enable the use of TLS 1.2 at OS level and for .Net framework. To meet with compliance obligations and to improve security posture, Key Vault connections via TLS 1.0 & 1.1 are considered a security risk, and any connections using old TLS protocols will be disallowed in 2023.
+> For Azure Key Vault, ensure that the application accessing the Keyvault service should be running on a platform that supports TLS 1.2 or recent version. If the application is dependent on .Net framework, it should be updated as well. You can also make the registry changes mentioned in [this article](/troubleshoot/azure/active-directory/enable-support-tls-environment) to explicitly enable the use of TLS 1.2 at OS level and for .Net framework. To meet with compliance obligations and to improve security posture, Key Vault connections via TLS 1.0 & 1.1 are considered a security risk, and any connections using old TLS protocols will be disallowed in 2023. You can monitor TLS version used by clients by monitoring Key Vault logs with sample Kusto query [here](monitor-key-vault.md#sample-kusto-queries).
 
 > [!WARNING]
 > TLS 1.0 and 1.1 is deprecated by Azure Active Directory and tokens to access key vault may not longer be issued for users or services requesting them with deprecated protocols. This may lead to loss of access to Key vaults. More information on AAD TLS support can be found in [Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment/#why-this-change-is-being-made)