Merge pull request #263403 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)

Author: Taojunshen

articles/active-directory-b2c/openid-connect.md

@@ -94,7 +94,7 @@ Error responses can also be sent to the `redirect_uri` parameter so that the app
 ```http
 GET https://jwt.ms/#
 error=access_denied
-&error_description=the+user+canceled+the+authentication
+&error_description=AADB2C90091%3a+The+user+has+cancelled+entering+self-asserted+information.%0d%0aCorrelation+ID%3a+xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx%0d%0aTimestamp%3a+xxxx-xx-xx+xx%3a23%3a27Z%0d%0a
 &state=arbitrary_data_you_can_receive_in_the_response
 ```
 
@@ -202,8 +202,8 @@ Error responses look like:
 
 ```json
 {
-    "error": "access_denied",
-    "error_description": "The user revoked access to the app."
+    "error": "invalid_grant",
+    "error_description": "AADB2C90080: The provided grant has expired. Please re-authenticate and try again. Current time: xxxxxxxxxx, Grant issued time: xxxxxxxxxx, Grant expiration time: xxxxxxxxxx\r\nCorrelation ID: xxxxxxxx-xxxx-xxxX-xxxx-xxxxxxxxxxxx\r\nTimestamp: xxxx-xx-16 xx:10:52Z\r\n"
 }
 ```
 
@@ -279,8 +279,8 @@ Error responses look like:
 
 ```json
 {
-    "error": "access_denied",
-    "error_description": "The user revoked access to the app.",
+    "error": "invalid_grant",
+    "error_description": "AADB2C90129: The provided grant has been revoked. Please reauthenticate and try again.\r\nCorrelation ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\r\nTimestamp: xxxx-xx-xx xx:xx:xxZ\r\n",
 }
 ```
 
@@ -318,4 +318,4 @@ To set the required ID Token in logout requests, see [Configure session behavior
 
 ## Next steps
 
-- Learn more about [Azure AD B2C session](session-behavior.md).
+- Learn more about [Azure AD B2C session](session-behavior.md).

articles/aks/workload-identity-deploy-cluster.md

@@ -66,16 +66,16 @@ az aks update -g "${RESOURCE_GROUP}" -n myAKSCluster --enable-oidc-issuer --enab
 To get the OIDC Issuer URL and save it to an environmental variable, run the following command. Replace the default value for the arguments `-n`, which is the name of the cluster:
 
 ```bash
-export AKS_OIDC_ISSUER="$(az aks show -n myAKSCluster -g "${RESOURCE_GROUP}" --query "oidcIssuerProfile.issuerUrl" -otsv)"
+export AKS_OIDC_ISSUER="$(az aks show -n myAKSCluster -g "${RESOURCE_GROUP}" --query "oidcIssuerProfile.issuerUrl" -o tsv)"
 ```
 
 The variable should contain the Issuer URL similar to the following example:
 
 ```output
-https://eastus.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/00000000-0000-0000-0000-000000000000/
+https://eastus.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/11111111-1111-1111-1111-111111111111/
 ```
 
-By default, the Issuer is set to use the base URL `https://{region}.oic.prod-aks.azure.com/{uuid}`, where the value for `{region}` matches the location the AKS cluster is deployed in. The value `{uuid}` represents the OIDC key.
+By default, the Issuer is set to use the base URL `https://{region}.oic.prod-aks.azure.com/{tenant_id}/{uuid}`, where the value for `{region}` matches the location the AKS cluster is deployed in. The value `{uuid}` represents the OIDC key.
 
 ## Create a managed identity
 
@@ -88,7 +88,7 @@ az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${R
 Next, let's create a variable for the managed identity ID.
 
 ```bash
-export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"
+export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -o tsv)"
 ```
 
 ## Create Kubernetes service account
@@ -116,7 +116,7 @@ EOF
 The following output resembles successful creation of the identity:
 
 ```output
-Serviceaccount/workload-identity-sa created
+serviceaccount/workload-identity-sa created
 ```
 
 ## Establish federated identity credential
@@ -139,33 +139,21 @@ cat <<EOF | kubectl apply -f -
 apiVersion: v1
 kind: Pod
 metadata:
-  name: quick-start
+  name: your-pod
   namespace: "${SERVICE_ACCOUNT_NAMESPACE}"
   labels:
     azure.workload.identity/use: "true"
 spec:
   serviceAccountName: "${SERVICE_ACCOUNT_NAME}"
+  containers:
+    - image: <your image>
+      name: <containerName>
 EOF
 ```
 
 > [!IMPORTANT]
 > Ensure your application pods using workload identity have added the following label `azure.workload.identity/use: "true"` to your pod spec, otherwise the pods fail after their restarted.
 
-```bash
-kubectl apply -f <your application>
-```
-
-To check whether all properties are injected properly by the webhook, use the [kubectl describe][kubectl-describe] command:
-
-```bash
-kubectl describe pod containerName
-```
-
-To verify that pod is able to get a token and access the resource, use the kubectl logs command:
-
-```bash
-kubectl logs containerName
-```
 
 ## Optional - Grant permissions to access Azure Key Vault
 
@@ -181,20 +169,82 @@ You can retrieve this information using the Azure CLI command: [az keyvault list
 1. Set an access policy for the managed identity to access secrets in your Key Vault by running the following commands:
 
     ```azurecli-interactive
-    export RESOURCE_GROUP="myResourceGroup"
-    export USER_ASSIGNED_IDENTITY_NAME="myIdentity"
+    export KEYVAULT_RESOURCE_GROUP="myResourceGroup"
     export KEYVAULT_NAME="myKeyVault"
-    export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"
+    export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -o tsv)"
 
     az keyvault set-policy --name "${KEYVAULT_NAME}" --secret-permissions get --spn "${USER_ASSIGNED_CLIENT_ID}"
     ```
 
+2. Create a secret in Key Vault:
+
+    ```azurecli-interactive
+    export KEYVAULT_SECRET_NAME="my-secret"
+
+    az keyvault secret set --vault-name "${KEYVAULT_NAME}" \
+       --name "${KEYVAULT_SECRET_NAME}" \
+       --value "Hello\!"
+    ```
+
+3. Export Key Vault URL:
+    ```azurecli-interactive
+    export KEYVAULT_URL="$(az keyvault show -g ${KEYVAULT_RESOURCE_GROUP} -n ${KEYVAULT_NAME} --query properties.vaultUri -o tsv)"
+    ```
+
+4. Deploy a pod that references the service account and Key Vault URL above:
+
+    ```yml
+    cat <<EOF | kubectl apply -f -
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: quick-start
+      namespace: ${SERVICE_ACCOUNT_NAMESPACE}
+      labels:
+        azure.workload.identity/use: "true"
+    spec:
+      serviceAccountName: ${SERVICE_ACCOUNT_NAME}
+      containers:
+        - image: ghcr.io/azure/azure-workload-identity/msal-go
+          name: oidc
+          env:
+          - name: KEYVAULT_URL
+            value: ${KEYVAULT_URL}
+          - name: SECRET_NAME
+            value: ${KEYVAULT_SECRET_NAME}
+      nodeSelector:
+        kubernetes.io/os: linux
+    EOF
+    ```
+
+To check whether all properties are injected properly by the webhook, use the [kubectl describe][kubectl-describe] command:
+
+```bash
+kubectl describe pod quick-start | grep "SECRET_NAME:"
+```
+
+If successful, the output should be similar to the following:  
+```bash
+      SECRET_NAME:                 ${KEYVAULT_SECRET_NAME}
+```
+
+To verify that pod is able to get a token and access the resource, use the kubectl logs command:
+
+```bash
+kubectl logs quick-start
+```
+
+If successful, the output should be similar to the following:  
+```bash
+I0114 10:35:09.795900       1 main.go:63] "successfully got secret" secret="Hello\\!"
+```
+
 ## Disable workload identity
 
 To disable the Microsoft Entra Workload ID on the AKS cluster where it's been enabled and configured, you can run the following command:
 
 ```azurecli-interactive
-az aks update --resource-group myResourceGroup --name myAKSCluster --disable-workload-identity
+az aks update --resource-group "${RESOURCE_GROUP}" --name myAKSCluster --disable-workload-identity
 ```
 
 ## Next steps

articles/azure-monitor/app/convert-classic-resource.md

@@ -130,7 +130,7 @@ Use the following script to identify your Application Insights resources by inge
 #### Example
 
 ```azurecli
-Get-AzApplicationInsights -SubscriptionId '1234abcd-5678-efgh-9012-ijklmnopqrst' | Format-Table -Property Name, IngestionMode, Id, @{label='Type';expression={
+Get-AzApplicationInsights -SubscriptionId 'Your Subscription ID' | Format-Table -Property Name, IngestionMode, Id, @{label='Type';expression={
     if ([string]::IsNullOrEmpty($_.IngestionMode)) {
         'Unknown'
     } elseif ($_.IngestionMode -eq 'LogAnalytics') {

articles/communication-services/concepts/service-limits.md

@@ -193,6 +193,18 @@ The following timeouts apply to the Communication Services Calling SDKs:
 
 For more information about the voice and video calling SDK and service, see the [calling SDK overview](./voice-video-calling/calling-sdk-features.md) page or [known issues](./known-issues.md).
 
+## Job Router
+When sending or receiving a high volume of requests, you might receive a ```ThrottleLimitExceededException``` error. This error indicates you're hitting the service limitations, and your requests will be dropped until the token of bucket to handle requests is replenished after a certain time.
+
+Rate Limits for Job Router:
+
+|Operation|Scope|Timeframe (seconds)| Limit (number of requests) | Timeout in seconds|
+|---------|-----|-------------|-------------------|-------------------------|
+|General Requests|Per Resource|10|1000|10|
+
+### Action to take
+If you need to send a volume of messages that exceeds the rate limits, email us at [email protected].
+
 ## Teams Interoperability and Microsoft Graph
 Using a Teams interoperability scenario, you'll likely use some Microsoft Graph APIs to create [meetings](/graph/cloud-communications-online-meetings).  
 

articles/communication-services/how-tos/event-grid/local-testing-event-grid.md

@@ -20,12 +20,17 @@ Testing Event Grid triggered Azure Functions locally can be complicated. You don
 - Install [Postman](https://www.postman.com/downloads/).
 - Have a running Azure Function that can be triggered by Event Grid. If you don't have one, you can follow the [quickstart](../../../azure-functions/functions-bindings-event-grid-trigger.md?tabs=in-process%2Cextensionv3&pivots=programming-language-javascript) to create one.
 
-The Azure Function can be running either in Azure if you want to test it with some test events or if you want to test the entire flow locally (press `F5` in Visual Studio Code to run it locally). If you want to test the entire flow locally, you need to use [ngrok](https://ngrok.com/) to hook your locally running Azure Function. Configure ngrok by running the command:
+The Azure Function can be running either in Azure if you want to test it with some test events or if you want to test the entire flow locally (press `F5` in Visual Studio Code to run it locally). If you want to test the entire flow with an externally triggered webhook, you need to use [ngrok](https://ngrok.com/) to expose your locally running Azure Function
+to the public, allowing it to be triggered by internet sources (as an example from Azure Event WebHooks). Configure ngrok by running the command:
 
 ```bash
 
 ngrok http 7071
 
+```
+It is worth remembering that exposing development resources publicly might not be considered as secure. That is why you can also run the entire workflow locally without ngrok by invoking requests to:
+```
+http://localhost:7071/runtime/webhooks/EventGrid?functionName={functionname}
 ```
 
 ## Configure Postman

articles/communication-services/quickstarts/includes/relay-token-python.md

@@ -2,7 +2,7 @@
 title: include file
 description: include file
 services: azure-communication-services
-author: rahulva 
+author: rahulva-msft
 manager: shahen
 ms.service: azure-communication-services
 ms.subservice: azure-communication-services
@@ -65,7 +65,7 @@ Add this code inside the `try` block:
 ```python
 
 # You can find your endpoint and access token from your resource in the Azure Portal
-connection_str = "endpoint=ENDPOINT;accessKey=KEY"
+connection_string = "endpoint=ENDPOINT;accessKey=KEY"
 endpoint = "https://<RESOURCE_NAME>.communication.azure.com"
 
 # To use Azure Active Directory Authentication (DefaultAzureCredential) make sure to have
@@ -75,8 +75,8 @@ identity_client = CommunicationIdentityClient(endpoint, DefaultAzureCredential()
 relay_client = CommunicationRelayClient(endpoint, DefaultAzureCredential())
 
 #You can also authenticate using your connection string
-identity_client = CommunicationIdentityClient.from_connection_string(self.connection_string)
-relay_client = CommunicationRelayClient.from_connection_string(self.connection_string)
+identity_client = CommunicationIdentityClient.from_connection_string(connection_string)
+relay_client = CommunicationRelayClient.from_connection_string(connection_string)
 ```
 
 ## Create a user from identity 
@@ -91,7 +91,7 @@ user = identity_client.create_user()
 Call the Azure Communication token service to exchange the user access token for a TURN service token
 
 ```python
-relay_configuration = relay_client.get_relay_configuration()
+relay_configuration = relay_client.get_relay_configuration(user=user)
 
 for iceServer in relay_configuration.ice_servers:
     assert iceServer.username is not None

articles/machine-learning/how-to-use-pipeline-component.md

@@ -33,7 +33,7 @@ In this article, you'll learn how to use pipeline component in Azure Machine Lea
 
 - Understand how to use Azure Machine Learning pipeline with [CLI v2](how-to-create-component-pipelines-cli.md) and [SDK v2](how-to-create-component-pipeline-python.md).
 - Understand what is [component](concept-component.md) and how to use component in Azure Machine Learning pipeline.
-- Understand what is a [Azure Machine Learning pipeline](concept-ml-pipelines.md)
+- Understand what is an [Azure Machine Learning pipeline](concept-ml-pipelines.md)
 
 ## The difference between pipeline job and pipeline component
 

articles/mysql/flexible-server/concepts-networking-vnet.md

@@ -115,6 +115,7 @@ You can then use the Azure Database for MySQL flexible server servername (FQDN)
 
 - Public endpoint (or public IP or DNS) - An Azure Database for MySQL flexible server instance deployed to a virtual network can't have a public endpoint.
 - After the Azure Database for MySQL flexible server instance is deployed to a virtual network and subnet, you can't move it to another virtual network or subnet. You can't move the virtual network into another resource group or subscription.
+- Private DNS integration config cannot be changed once deployed.
 - Subnet size (address spaces) can't be increased once resources exist in the subnet.
 
 ## Next steps

articles/sap/monitor/provider-linux.md

@@ -47,7 +47,7 @@ For example - https://github.com/prometheus/node_exporter/releases/download/v1.6
 # Change to the directory where you want to install the node exporter.
 
 wget https://github.com/prometheus/node_exporter/releases/download/v<xxx>/node_exporter-<xxx>.linux-amd64.tar.gz
-tar xvfz node_exporter-<xxx>.linux-amd64.tar.gz
+tar xzvf node_exporter-<xxx>.linux-amd64.tar.gz
 cd node_exporter-<xxx>linux-amd64
 nohup ./node_exporter --web.listen-address=":9100" &
 ```