Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into rolyon-rbac-elevate-access-list-role-assignments-root-scope

Author: rolyon

articles/ai-services/language-service/native-document-support/use-native-documents.md

@@ -28,15 +28,15 @@ ms.author: lajanuar
 
 Azure AI Language is a cloud-based service that applies Natural Language Processing (NLP) features to text-based data. The native document support capability enables you to send API requests asynchronously, using an HTTP POST request body to send your data and HTTP GET request query string to retrieve the processed data.
 
-A native document refers to the file format used to create the original document such as Microsoft Word (docx) or a portable document file (pdf). Native document support eliminates the need for text preprocessing prior to using Azure AI Language resource capabilities.  Currently, native document support is available for the following capabilities:
+A native document refers to the file format used to create the original document such as Microsoft Word (docx) or a portable document file (pdf). Native document support eliminates the need for text preprocessing before using Azure AI Language resource capabilities. Currently, native document support is available for the following capabilities:
 
 * [Personally Identifiable Information (PII)](../personally-identifiable-information/overview.md). The PII detection feature can identify, categorize, and redact sensitive information in unstructured text. The `PiiEntityRecognition` API supports native document processing.
 
 * [Document summarization](../summarization/overview.md). Document summarization uses natural language processing to generate extractive (salient sentence extraction) or abstractive (contextual word extraction) summaries for documents. Both `AbstractiveSummarization` and `ExtractiveSummarization` APIs support native document processing.
 
 ## Supported document formats
 
- Applications use native file formats to create, save, or open native documents.  Currently **PII** and **Document summarization** capabilities supports the following native document formats:
+ Applications use native file formats to create, save, or open native documents. Currently **PII** and **Document summarization** capabilities supports the following native document formats:
 
 |File type|File extension|Description|
 |---------|--------------|-----------|
@@ -69,7 +69,7 @@ A native document refers to the file format used to create the original document
 
     > [!NOTE]
     > The cURL package is pre-installed on most Windows 10 and Windows 11 and most macOS and Linux distributions. You can check the package version with the following commands:
-    > Windows: `curl.exe -V`.
+    > Windows: `curl.exe -V`
     > macOS `curl -V`
     > Linux: `curl --version`
 
@@ -78,7 +78,7 @@ A native document refers to the file format used to create the original document
   * [Windows](https://curl.haxx.se/windows/).
   * [Mac or Linux](https://learn2torials.com/thread/how-to-install-curl-on-mac-or-linux-(ubuntu)-or-windows).
 
-* An active [**Azure account**](https://azure.microsoft.com/free/cognitive-services/).  If you don't have one, you can [**create a free account**](https://azure.microsoft.com/free/).
+* An active [**Azure account**](https://azure.microsoft.com/free/cognitive-services/). If you don't have one, you can [**create a free account**](https://azure.microsoft.com/free/).
 
 * An [**Azure Blob Storage account**](https://portal.azure.com/#create/Microsoft.StorageAccount-ARM). You also need to [create containers](#create-azure-blob-storage-containers) in your Azure Blob Storage account for your source and target files:
 
@@ -128,7 +128,7 @@ Your Language resource needs granted access to your storage account before it ca
 
 * [**Shared access signature (SAS) tokens**](shared-access-signatures.md). User delegation SAS tokens are secured with Microsoft Entra credentials. SAS tokens provide secure, delegated access to resources in your Azure storage account.
 
-* [**Managed identity role-based access control (RBAC)**](managed-identities.md). Managed identities for Azure resources are service principals that create a Microsoft Entra identity and specific permissions for Azure managed resources
+* [**Managed identity role-based access control (RBAC)**](managed-identities.md). Managed identities for Azure resources are service principals that create a Microsoft Entra identity and specific permissions for Azure managed resources.
 
 For this project, we authenticate access to the `source location` and `target location` URLs with Shared Access Signature (SAS) tokens appended as query strings. Each token is assigned to a specific blob (file).
 
@@ -177,7 +177,7 @@ For this quickstart, you need a **source document** uploaded to your **source co
                 "language": "en-US",
                 "id": "Output-excel-file",
                 "source": {
-                    "location": "{your-source-container-with-SAS-URL}"
+                    "location": "{your-source-blob-with-SAS-URL}"
                 },
                 "target": {
                     "location": "{your-target-container-with-SAS-URL}"
@@ -189,8 +189,8 @@ For this quickstart, you need a **source document** uploaded to your **source co
         {
             "kind": "PiiEntityRecognition",
             "parameters":{
-                "excludePiiCategoriesredac" : ["PersonType", "Category2", "Category3"],
-                "redactionPolicy": "UseEntityTypeName" 
+                "excludePiiCategories" : ["PersonType", "Category2", "Category3"],
+                "redactionPolicy": "UseRedactionCharacterWithRefId" 
             }
         }
     ]
@@ -344,7 +344,7 @@ For this project, you need a **source document** uploaded to your **source conta
         "documents":[
             {
           "source":{
-            "location":"{your-source-container-SAS-URL}"
+            "location":"{your-source-blob-SAS-URL}"
           },
           "targets":
             {

articles/aks/TOC.yml

@@ -595,7 +595,7 @@
               - name: Bring your own keys for disks
                 href: azure-disk-customer-managed-keys.md
               - name: Azure Container Storage 
-                href: ../storage/container-storage/container-storage-introduction.md
+                href: ../storage/container-storage/container-storage-introduction.md?toc=/azure/aks/toc.json&bc=/azure/aks/breadcrumb/toc.json
         - name: Shared file storage
           items:
             - name: Azure Files storage

articles/aks/app-routing.md

@@ -1,5 +1,5 @@
 ---
-title: Azure Kubernetes Service (AKS) managed nginx Ingress with the application routing add-on 
+title: Azure Kubernetes Service (AKS) managed NGINX ingress with the application routing add-on 
 description: Use the application routing add-on to securely access applications deployed on Azure Kubernetes Service (AKS).
 ms.subservice: aks-networking
 ms.custom: devx-track-azurecli
@@ -9,17 +9,17 @@ ms.date: 11/21/2023
 ms.author: allensu
 ---
 
-# Managed nginx Ingress with the application routing add-on 
+# Managed NGINX ingress with the application routing add-on
 
-One way to route Hypertext Transfer Protocol (HTTP) and secure (HTTPS) traffic to applications running on an Azure Kubernetes Service (AKS) cluster is to use the [Kubernetes Ingress object][kubernetes-ingress-object-overview]. When you create an Ingress object that uses the application routing add-on nginx Ingress classes, the add-on creates, configures, and manages one or more Ingress controllers in your AKS cluster.
+One way to route Hypertext Transfer Protocol (HTTP) and secure (HTTPS) traffic to applications running on an Azure Kubernetes Service (AKS) cluster is to use the [Kubernetes Ingress object][kubernetes-ingress-object-overview]. When you create an Ingress object that uses the application routing add-on NGINX Ingress classes, the add-on creates, configures, and manages one or more Ingress controllers in your AKS cluster.
 
 This article shows you how to deploy and configure a basic Ingress controller in your AKS cluster.
 
-## Application routing add-on with nginx features
+## Application routing add-on with NGINX features
 
-The application routing add-on with nginx delivers the following:
+The application routing add-on with NGINX delivers the following:
 
-* Easy configuration of managed nginx Ingress controllers based on [Kubernetes nginx Ingress controller][kubernetes-nginx-ingress].
+* Easy configuration of managed NGINX Ingress controllers based on [Kubernetes NGINX Ingress controller][kubernetes-nginx-ingress].
 * Integration with [Azure DNS][azure-dns-overview] for public and private zone management
 * SSL termination with certificates stored in Azure Key Vault.
 
@@ -38,7 +38,7 @@ With the retirement of [Open Service Mesh][open-service-mesh-docs] (OSM) by the
 - The application routing add-on supports up to five Azure DNS zones.
 - All global Azure DNS zones integrated with the add-on have to be in the same resource group.
 - All private Azure DNS zones integrated with the add-on have to be in the same resource group.
-- Editing any resources in the `app-routing-system` namespace, including the Ingress-nginx ConfigMap isn't supported.
+- Editing any resources in the `app-routing-system` namespace, including the Ingress-nginx ConfigMap, isn't supported.
 
 ## Enable application routing using Azure CLI
 
@@ -67,7 +67,7 @@ az aks approuting enable -g <ResourceGroupName> -n <ClusterName>
 
 The following add-ons are required to support this configuration:
 
-* **open-service-mesh**:  If you require encrypted intra cluster traffic (recommended) between the nginx Ingress and your services, the Open Service Mesh add-on is required which provides mutual TLS (mTLS).
+* **open-service-mesh**:  If you require encrypted intra cluster traffic (recommended) between the NGINX Ingress and your services, the Open Service Mesh add-on is required which provides mutual TLS (mTLS).
 
 ### Enable on a new cluster
 
@@ -178,7 +178,7 @@ The application routing add-on uses annotations on Kubernetes Ingress objects to
         app: aks-helloworld
     ```
 
-### Create the Ingress
+### Create the Ingress object
 
 The application routing add-on creates an Ingress class on the cluster named *webapprouting.kubernetes.azure.com*. When you create an Ingress object with this class, it activates the add-on.  
 
@@ -295,7 +295,7 @@ The application routing add-on creates an Ingress class on the cluster named *we
         app: aks-helloworld
     ```
 
-### Create the Ingress
+### Create the Ingress object
 
 The application routing add-on creates an Ingress class on the cluster called *webapprouting.kubernetes.azure.com*. When you create an Ingress object with this class, it activates the add-on. The `kubernetes.azure.com/use-osm-mtls: "true"` annotation on the Ingress object creates an Open Service Mesh (OSM) [IngressBackend][ingress-backend] to configure a backend service to accept Ingress traffic from trusted sources.
 

articles/aks/operator-best-practices-identity.md

@@ -1,9 +1,9 @@
 ---
-title: Best practices for managing identity
+title: Best practices for managing authentication and authorization
 titleSuffix: Azure Kubernetes Service
 description: Learn the cluster operator best practices for how to manage authentication and authorization for clusters in Azure Kubernetes Service (AKS)
 ms.topic: conceptual
-ms.date: 04/14/2023
+ms.date: 02/16/2024
 ---
 
 # Best practices for authentication and authorization in Azure Kubernetes Service (AKS)
@@ -206,8 +206,7 @@ For more information about cluster operations in AKS, see the following best pra
 <!-- INTERNAL LINKS -->
 [aks-concepts-identity]: concepts-identity.md
 [azure-ad-integration]: managed-azure-ad.md
-[aks-aad]: azure-ad-integration-cli.md
-[managed-identities]: ../active-directory/managed-identities-azure-resources/overview.md
+[aks-aad]: enable-authentication-microsoft-entra-id.md
 [aks-best-practices-scheduler]: operator-best-practices-scheduler.md
 [aks-best-practices-advanced-scheduler]: operator-best-practices-advanced-scheduler.md
 [aks-best-practices-cluster-isolation]: operator-best-practices-cluster-isolation.md

articles/nat-gateway/manage-nat-gateway.md

@@ -6,8 +6,9 @@ author: asudbring
 ms.author: allensu
 ms.service: nat-gateway
 ms.topic: how-to
-ms.date: 03/20/2023
+ms.date: 02/16/2024
 ms.custom: template-how-to, devx-track-azurecli, devx-track-azurepowershell
+#Customer intent: As a network administrator, I want to learn how to create and remove a NAT gateway resource from a virtual network subnet. I also want to learn how to add and remove public IP addresses and prefixes used for outbound connectivity.
 ---
 
 # Manage NAT gateway

articles/route-server/expressroute-vpn-support.md

@@ -6,24 +6,29 @@ author: halkazwini
 ms.author: halkazwini
 ms.service: route-server
 ms.topic: concept-article
-ms.date: 08/15/2023
+ms.date: 02/16/2024
+
+#CustomerIntent: As an Azure administrator, I want to deploy Azure Route Server with ExpressRoute and Azure VPN so that routes can be exchanged between the two on-premises networks.
 ---
 
 # Azure Route Server support for ExpressRoute and Azure VPN
 
-Azure Route Server supports not only third-party network virtual appliances (NVA) running on Azure but also seamlessly integrates with ExpressRoute and Azure VPN gateways. You don’t need to configure or manage the BGP peering between the gateway and Azure Route Server. You can enable route exchange between the gateways and Azure Route Server by enabling [branch-to-branch](quickstart-configure-route-server-portal.md#configure-route-exchange) in Azure portal. If you prefer, you can use [Azure PowerShell](quickstart-configure-route-server-powershell.md#route-exchange) or [Azure CLI](quickstart-configure-route-server-cli.md#configure-route-exchange) to enable the route exchange with the Route Server.
+Azure Route Server supports not only third-party network virtual appliances (NVA) in Azure but also seamlessly integrates with ExpressRoute and Azure VPN gateways. You don’t need to configure or manage the BGP peering between the gateway and Azure Route Server. You can enable route exchange between the gateways and Azure Route Server by enabling [branch-to-branch](quickstart-configure-route-server-portal.md#configure-route-exchange) in Azure portal. If you prefer, you can use [Azure PowerShell](quickstart-configure-route-server-powershell.md#route-exchange) or [Azure CLI](quickstart-configure-route-server-cli.md#configure-route-exchange) to enable the route exchange with the Route Server.
 
 [!INCLUDE [downtime note](../../includes/route-server-note-vng-downtime.md)]
 
 ## How does it work?
 
 When you deploy an Azure Route Server along with a virtual network gateway and an NVA in a virtual network, by default Azure Route Server doesn’t propagate the routes it receives from the NVA and virtual network gateway between each other. Once you enable **branch-to-branch** in Route Server, the virtual network gateway and the NVA exchange their routes.
 
-For example, in the following diagram:
+> [!IMPORTANT] 
+> ExpressRoute branch-to-branch connectivity is not supported. If you have two (or more) ExpressRoute circuits connected to the same ExpressRoute virtual network gateway, routes from one circuit are not advertised to the other. If you want to enable on-premises to on-premises connectivity over ExpressRoute, consider configuring ExpressRoute Global Reach. For more information, see [About Azure ExpressRoute Global Reach](../expressroute/expressroute-global-reach.md).
+
+The following diagram shows an example of using Route Server to exchange routes between an ExpressRoute and SDWAN appliance:
 
-* The SDWAN appliance receives from Azure Route Server the route of *On-premises 2*, which is connected to ExpressRoute circuit, along with the route of the virtual network.
+- The SDWAN appliance receives from Azure Route Server the route of *On-premises 2*, which is connected to ExpressRoute circuit, along with the route of the virtual network.
 
-* The ExpressRoute gateway receives from Azure Route Server the route of *On-premises 1*, which is connected to the SDWAN appliance, along with the route of the virtual network.
+- The ExpressRoute gateway receives from Azure Route Server the route of *On-premises 1*, which is connected to the SDWAN appliance, along with the route of the virtual network.
 
 :::image type="content" source="./media/expressroute-vpn-support/expressroute-with-route-server.png" alt-text="Diagram showing ExpressRoute gateway and SDWAN NVA exchanging routes through Azure Route Server.":::
 
@@ -37,10 +42,10 @@ If you enable BGP on the VPN gateway, the gateway learns *On-premises 1* routes
 :::image type="content" source="./media/expressroute-vpn-support/expressroute-and-vpn-with-route-server.png" alt-text="Diagram showing ExpressRoute and VPN gateways exchanging routes through Azure Route Server.":::
 
 > [!NOTE] 
-> When the same route is learned over ExpressRoute, Azure VPN or an SDWAN appliance, the ExpressRoute network will be preferred.
+> When the same route is learned over ExpressRoute, Azure VPN or an SDWAN appliance, the ExpressRoute network will be preferred by default. You can configure routing preference to influence Route Server route selection. For more information, see [Routing preference (preview)](hub-routing-preference.md).
 
-## Next steps
+## Related content
 
-- Learn more about [Azure Route Server](route-server-faq.md).
-- Learn how to [configure Azure Route Server](quickstart-configure-route-server-powershell.md).
-- Learn more about [Azure ExpressRoute and Azure VPN coexistence](../expressroute/how-to-configure-coexisting-gateway-portal.md).
+- [Azure Route Server frequently asked questions (FAQ)](route-server-faq.md).
+- [Configure Azure Route Server](quickstart-configure-route-server-powershell.md).
+- [Azure ExpressRoute and Azure VPN coexistence](../expressroute/how-to-configure-coexisting-gateway-portal.md?toc=/azure/route-server/toc.json).