Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into us370875-cli-posh-nat

asudbring · asudbring · commit 5d2eb0a12dd3 · 2025-02-12T17:35:06.000-06:00
diff --git a/articles/operator-nexus/howto-cluster-managed-identity-user-provided-resources.md b/articles/operator-nexus/howto-cluster-managed-identity-user-provided-resources.md
@@ -94,6 +94,8 @@ The following steps should be followed for using UAMIs with Nexus Clusters and a
 
 When creating or updating a Cluster with a user assigned managed identity, use the `--mi-user-assigned` parameter along with the resource ID of the UAMI. If you wish to specify multiple UAMIs, list the UAMIs' resources IDs with a space between them. Each UAMI that's used for a Key Vault, LAW, or Storage Account must be provided in this list.
 
+When creating the Cluster, you can specify the UAMIs in `--mi-user-assigned` and also define the resource settings. When updating a Cluster to change a UAMI, you should first update the Cluster to set the `--mi-user-assigned` values and then update the Cluster to modify the resource settings to use it.
+
 #### Storage Account settings
 
 The `--command-output-settings` data construct is used to define the Storage Account where run command output is written. It consists of the following fields:
@@ -160,41 +162,68 @@ az networkcloud cluster create --name "clusterName" -g "resourceGroupName" \
 
 #### Cluster update examples
 
-Updating a Cluster follows the same pattern as create. If you need to change the UAMI for a resource, you must include it in both the `--mi-user-assigned` field and corresponding `--identity-resource-id` for the Storage Account, LAW or Key Vault. If there are multiple UAMIs in use, the full list of UAMIs must be specified in the `--mi-user-assigned` field when updating.
+Updating a Cluster is a two step process. If you need to change the UAMI for a resource, you must first update the cluster to include it in the `--mi-user-assigned` field and then update the corresponding `--identity-resource-id` for the Storage Account, LAW, or Key Vault.
 
-For LAW and Key Vault, transitioning from the existing data constructs to the new constructs that use UAMI can be done via a Cluster Update.
+If there are multiple UAMIs in use, the full list of UAMIs must be specified in the `--mi-user-assigned` field when updating. If a SAMI is in use on the Cluster and you're adding a UAMI, you must include `--mi-system-assigned` in the update command. Failure to include existing managed identities causes them to be removed.
 
-> [!CAUTION]
-> Changing the LAW settings might cause a brief disruption in sending metrics to the LAW as the extensions which use the LAW might need to be reinstalled.
+For LAW and Key Vault, transitioning from the existing data constructs to the new constructs that use managed identities can be done via a Cluster Update.
+
+_Example 1:_ Add a UAMI to a Cluster. Then assign the UAMI to the secret archive settings (Key Vault). If this Cluster had a SAMI defined, the SAMI would be removed.
 
-_Example 1:_ Add user assigned identity and command output settings (Storage Account) to a Cluster.
+Cluster update to add the UAMI `myUAMI`.
 
 ```azurecli-interactive
 az networkcloud cluster update --name "clusterName" --resource-group "resourceGroupName" \
-    --mi-user-assigned "/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUAMI" \
-    --command-output-settings identity-type="UserAssignedIdentity" \
+   --mi-user-assigned "/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUAMI" \
+```
+
+Cluster update to assign `myUAMI` to the secret archive settings.
+
+```azurecli-interactive
+az networkcloud cluster update --name "clusterName" --resource-group "resourceGroupName" \
+    --secret-archive-settings identity-type="UserAssignedIdentity" \
     identity-resource-id="/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUAMI" \
+    vault-uri="https://keyvaultname.vault.azure.net/"
+```
+
+_Example 2:_ Add UAMI `mySecondUAMI` to a Cluster that already has `myFirstUAMI` which is retained. Then update the Cluster to assign `mySecondUAMI` to the command output settings (Storage Account).
+
+Cluster update to add the UAMI `mySecondUAMI` while keeping `myFirstUAMI`.
+
+```azurecli-interactive
+az networkcloud cluster update --name "clusterName" --resource-group "resourceGroupName" \
+   --mi-user-assigned "/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myFirstUAMI" "/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mySecondUAMI" \
+```
+
+Cluster update to assign `mySecondUAMI` to the command output settings.
+
+```azurecli-interactive
+az networkcloud cluster update --name "clusterName" --resource-group "resourceGroupName" \
+    --command-output-settings identity-type="UserAssignedIdentity" \
+    identity-resource-id="/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mySecondUAMI" \
     container-url="https://myaccount.blob.core.windows.net/mycontainer?restype=container"
 ```
 
-_Example 2:_ Add user assigned identity and log analytics output settings (LAW) to a Cluster.
+_Example 3:_ Update a Cluster that already has a SAMI and add a UAMI. The SAMI is retained. Then assign the UAMI to the log analytics output settings (LAW).
+
+> [!CAUTION]
+> Changing the LAW settings might cause a brief disruption in sending metrics to the LAW as the extensions which use the LAW might need to be reinstalled.
+
+Cluster update to add the UAMI `mUAMI`.
 
 ```azurecli-interactive
 az networkcloud cluster update --name "clusterName" --resource-group "resourceGroupName" \
-    --mi-user-assigned "/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUAMI" \
-    --analytics-output-settings analytics-workspace-id="/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/microsoft.operationalInsights/workspaces/logAnalyticsWorkspaceName" \
-    identity-type="UserAssignedIdentity" \
-    identity-resource-id="/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUAMI"
+   --mi-user-assigned "/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUAMI" \
+   --mi-system-assigned
 ```
 
-_Example 3:_ Add user assigned identity and secret archive settings (Key Vault) to a Cluster.
+Cluster update to assign `myUAMI` to the log analysis output settings.
 
 ```azurecli-interactive
 az networkcloud cluster update --name "clusterName" --resource-group "resourceGroupName" \
-    --mi-user-assigned "/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUAMI" \
-    --secret-archive-settings identity-type="UserAssignedIdentity" \
-    identity-resource-id="/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUAMI" \
-    vault-uri="https://keyvaultname.vault.azure.net/"
+    --analytics-output-settings analytics-workspace-id="/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/microsoft.operationalInsights/workspaces/logAnalyticsWorkspaceName" \
+    identity-type="UserAssignedIdentity" \
+    identity-resource-id="/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUAMI"
 ```
 
 ### View the principal ID for the User Assigned Managed Identity
@@ -257,10 +286,18 @@ az networkcloud cluster create --name "clusterName" -g "resourceGroupName" \
     --mi-system-assigned
 ```
 
-_Example 2:_ This example updates a Cluster to specify a SAMI.
+_Example 2:_ This example updates a Cluster to add a SAMI. Any UAMIs defined on the Cluster are removed.
+
+```azurecli-interactive
+az networkcloud cluster update --name "clusterName" -g "resourceGroupName" \
+    --mi-system-assigned
+```
+
+_Example 3:_ This example updates a Cluster to add a SAMI and keeps the existing UAMI, `myUAMI`.
 
 ```azurecli-interactive
 az networkcloud cluster update --name "clusterName" -g "resourceGroupName" \
+    --mi-user-assigned "/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUAMI" \
     --mi-system-assigned
 ```
 
@@ -346,6 +383,9 @@ Updating a Cluster follows the same pattern as create. If you need to change the
 
 For LAW and Key Vault, transitioning from the existing data constructs to the new constructs that use UAMI can be done via a Cluster Update.
 
+> [!IMPORTANT]
+> When updating a Cluster with a UAMI or UAMIs in use, you must include the existing UAMIs in the `--mi-user-assigned` identity list when adding a SAMI or updating. If a SAMI is in use on the Cluster and you're adding a UAMI, you must include `--mi-system-assigned` in the update command. Failure to do so causes the respective managed identities to be removed.
+
 _Example 1:_ Add or update the command output settings (Storage Account) for a Cluster.
 
 ```azurecli-interactive
diff --git a/articles/storage/common/redundancy-migration.md b/articles/storage/common/redundancy-migration.md
@@ -371,7 +371,7 @@ The following table provides an overview of redundancy options available for sto
 | ZRS Classic<sup>4</sup><br /><sub>(available in standard general purpose v1 accounts)</sub> | &#x2705; |  |  |  |                           |
 
 
-<sup>1</sup> Customer-initiated conversion for premium file shares can be undertaken using either [PowerShell](redundancy-migration.md?tabs=powershell#customer-initiated-conversion) or the [Azure CLI](redundancy-migration.md?tabs=azure-cli#customer-initiated-conversion). You can also [open a support request](#support-initiated-conversion).<br />
+<sup>1</sup> Customer-initiated conversion for premium file shares can be undertaken using the [Azure Portal](../common/redundancy-migration.md?tabs=portal#customer-initiated-conversion), [PowerShell](redundancy-migration.md?tabs=powershell#customer-initiated-conversion), or the [Azure CLI](redundancy-migration.md?tabs=azure-cli#customer-initiated-conversion). You can also [open a support request](#support-initiated-conversion).<br />
 <sup>2</sup> Managed disks are available for LRS and ZRS, though ZRS disks have some [limitations](/azure/virtual-machines/disks-redundancy#limitations). If an LRS disk is regional (no zone specified), it can be converted by [changing the SKU](/azure/virtual-machines/disks-convert-types). If an LRS disk is zonal, then it can only be manually migrated by following the process in [Migrate your managed disks](../../reliability/migrate-vm.md#migrate-your-managed-disks). You can store snapshots and images for standard SSD managed disks on standard HDD storage and [choose between LRS and ZRS options](https://azure.microsoft.com/pricing/details/managed-disks/). For information about integration with availability sets, see [Introduction to Azure managed disks](/azure/virtual-machines/managed-disks-overview#integration-with-availability-sets).<br />
 <sup>3</sup> If your storage account is v1, you need to upgrade it to v2 before performing a conversion. To learn how to upgrade your v1 account, see [Upgrade to a general-purpose v2 storage account](storage-account-upgrade.md).<br />
 <sup>4</sup> ZRS Classic storage accounts are deprecated. For information about converting ZRS Classic accounts, see [Converting ZRS Classic accounts](#converting-zrs-classic-accounts).<br />
@@ -436,7 +436,7 @@ You can't convert storage accounts to zone-redundancy (ZRS, GZRS, or RA-GZRS) if
 - NFSv3 protocol support is enabled for Azure Blob Storage
 - The storage account contains Azure Files NFSv4.1 shares with public endpoint access enabled
 
-Converting NFSv4.1 shares with public endpoints enabled isn't supported. To change redundancy for NFS shares with public endpoints, follow these steps in order:
+**Converting NFSv4.1 shares with public endpoints enabled isn't supported.** To change redundancy for NFS shares with public endpoints, follow these steps in order:
 
 1. [Disable access](../files/storage-files-networking-endpoints.md#restrict-public-endpoint-access) to the storage account's public endpoint.
 1. Submit the conversion request to change redundancy of the given storage account.
diff --git a/articles/storage/common/storage-redundancy.md b/articles/storage/common/storage-redundancy.md
@@ -85,18 +85,6 @@ The archive tier for Blob Storage isn't currently supported for ZRS, GZRS, or RA
 
 For more information about which regions support ZRS, see [Azure regions with availability zones](../../reliability/availability-zones-region-support.md).
 
-#### Premium file share accounts
-
-ZRS is supported for premium file shares (Azure Files) through the `FileStorage` storage account kind.
-
-For a list of regions that support zone-redundant storage (ZRS) for premium file share accounts, see [Azure Files zone-redundant storage for premium file shares](../files/redundancy-premium-file-shares.md).
-
-#### Managed disks
-
-ZRS is supported for managed disks with the following [limitations](/azure/virtual-machines/disks-redundancy#limitations).
-
-For a list of regions that support zone-redundant storage (ZRS) for managed disks, see [regional availability](/azure/virtual-machines/disks-redundancy#regional-availability).
-
 ## Redundancy in a secondary region
 
 Redundancy options can help provide high durability for your applications. In many regions, you can copy the data within your storage account to a secondary region located hundreds of miles away from the primary region. Copying your storage account to a secondary region ensures that your data remains durable during a complete regional outage or a disaster in which the primary region isn't recoverable.
