Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into fixPrac

roygara · roygara · commit 638abd3f42a8 · 2025-04-21T14:50:38.000-07:00
diff --git a/articles/azure-functions/functions-bindings-signalr-service-input.md b/articles/azure-functions/functions-bindings-signalr-service-input.md
@@ -149,7 +149,7 @@ The following table explains the properties of the `SignalRConnectionInfoInput`
 |**HubName**| Required. The hub name.  |
 |**ConnectionStringSetting**| The name of the app setting or settings collection that contains the SignalR Service connection string, which defaults to `AzureSignalRConnectionString`. |
 |**UserId**| Optional. The user identifier of a SignalR connection. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query.  |
-|**IdToken**| Optional. A JWT token whose claims will be added to the user claims. It should be used together with **ClaimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
+|**IdToken**| Optional. A JWT whose claims will be added to the user claims. It should be used together with **ClaimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
 |**ClaimTypeList**| Optional. A list of claim types, which filter the claims in **IdToken** . |
 
 # [In-process model](#tab/in-process)
@@ -161,7 +161,7 @@ The following table explains the properties of the `SignalRConnectionInfo` attri
 |**HubName**| Required. The hub name.  |
 |**ConnectionStringSetting**| The name of the app setting or settings collection that contains the SignalR Service connection string, which defaults to `AzureSignalRConnectionString`. |
 |**UserId**| Optional. The user identifier of a SignalR connection. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query.  |
-|**IdToken**| Optional. A JWT token whose claims will be added to the user claims. It should be used together with **ClaimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
+|**IdToken**| Optional. A JWT whose claims will be added to the user claims. It should be used together with **ClaimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
 |**ClaimTypeList**| Optional. A list of claim types, which filter the claims in **IdToken** . |
 
 ---
@@ -179,7 +179,7 @@ The following table explains the supported settings for the `SignalRConnectionIn
 |**hubName**| Required. The hub name.  |
 |**connectionStringSetting**| The name of the app setting or settings collection that contains the SignalR Service connection string, which defaults to `AzureSignalRConnectionString`. |
 |**userId**| Optional. The user identifier of a SignalR connection. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query.  |
-|**idToken**| Optional. A JWT token whose claims will be added to the user claims. It should be used together with **claimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
+|**idToken**| Optional. A JWT whose claims will be added to the user claims. It should be used together with **claimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
 |**claimTypeList**| Optional. A list of claim types, which filter the claims in **idToken** . |
 
 ::: zone-end
@@ -196,7 +196,7 @@ The following table explains the supported settings for the `SignalRConnectionIn
 |**hubName**| Required. The hub name.  |
 |**connectionStringSetting**| The name of the app setting or settings collection that contains the SignalR Service connection string, which defaults to `AzureSignalRConnectionString`. |
 |**userId**| Optional. The user identifier of a SignalR connection. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query.  |
-|**idToken**| Optional. A JWT token whose claims will be added to the user claims. It should be used together with **claimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
+|**idToken**| Optional. A JWT whose claims will be added to the user claims. It should be used together with **claimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
 |**claimTypeList**| Optional. A list of claim types, which filter the claims in **idToken** . |
 
 ::: zone-end
@@ -213,7 +213,7 @@ The following table explains the binding configuration properties that you set i
 |**hubName**| Required. The hub name.  |
 |**connectionStringSetting**| The name of the app setting or settings collection that contains the SignalR Service connection string, which defaults to `AzureSignalRConnectionString`. |
 |**userId**| Optional. The user identifier of a SignalR connection. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query.  |
-|**idToken**| Optional. A JWT token whose claims will be added to the user claims. It should be used together with **claimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
+|**idToken**| Optional. A JWT whose claims will be added to the user claims. It should be used together with **claimTypeList**. You can use a [binding expression](#binding-expressions-for-http-trigger) to bind the value to an HTTP request header or query. |
 |**claimTypeList**| Optional. A list of claim types, which filter the claims in **idToken** . |
 
 ::: zone-end
diff --git a/articles/azure-resource-manager/templates/deployment-script-template.md b/articles/azure-resource-manager/templates/deployment-script-template.md
@@ -61,6 +61,9 @@ For deployment script API version 2020-10-01 or later, there are two principals
             "Microsoft.Resources/deployments/*",
             "Microsoft.Resources/deploymentScripts/*"
           ],
+         "dataActions": [
+            "Microsoft.Storage/storageAccounts/fileServices/*"
+          ]
         }
       ],
       "assignableScopes": [
diff --git a/articles/azure-vmware/configure-azure-native-pure-storage-cloud.md b/articles/azure-vmware/configure-azure-native-pure-storage-cloud.md
@@ -25,7 +25,7 @@ Pure Storage manages onboarding of Azure Native Pure Storage Cloud for Azure VMw
 
 For more information, see the following resources:
 
-- [Azure Native Pure Storage Cloud - Overview](https://learn.microsoft.com/azure/partner-solutions/pure-storage/overview)
+- [Azure Native Pure Storage Cloud - Overview](/azure/partner-solutions/pure-storage/overview)
 - [Azure Native Pure Storage Cloud - Deployment Guide](https://support.purestorage.com/bundle/m_azure_native_pure_storage_cloud/page/Production/Pure_Cloud_Block_Store/Azure_Native_Pure_Storage_Cloud/deployment/c_psc_deployment.html)
 - [Azure Native Pure Storage Cloud - Management Guide](https://support.purestorage.com/bundle/m_azure_native_pure_storage_cloud/page/Production/Pure_Cloud_Block_Store/Azure_Native_Pure_Storage_Cloud/management/c_psc_management.html)
 - [Azure Native Pure Storage Cloud - Troubleshooting Guide](https://support.purestorage.com/bundle/m_azure_native_pure_storage_cloud/page/Production/Pure_Cloud_Block_Store/Azure_Native_Pure_Storage_Cloud/troubleshooting/c_troubleshooting.html)
diff --git a/articles/azure-web-pubsub/policy-definitions.md b/articles/azure-web-pubsub/policy-definitions.md
@@ -1,8 +1,8 @@
 ---
 title: Built-in policy definitions for Azure Web PubSub
 description: Lists Azure Policy built-in policy definitions for Azure Web PubSub. These built-in policy definitions provide common approaches to managing your Azure resources.
-author: cebundy
-ms.author: v-catherbund
+author: yjin81
+ms.author: yajin1
 ms.date: 01/03/2022
 ms.topic: reference
 ms.service: azure-web-pubsub
@@ -27,4 +27,4 @@ the link in the **Version** column to view the source on the
 
 - See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).
 - Review the [Azure Policy definition structure](../governance/policy/concepts/definition-structure.md).
-- Review [Understanding policy effects](../governance/policy/concepts/effects.md).
+- Review [Understanding policy effects](../governance/policy/concepts/effects.md).
diff --git a/articles/communication-services/how-tos/call-automation/includes/secure-webhook-endpoint-java.md b/articles/communication-services/how-tos/call-automation/includes/secure-webhook-endpoint-java.md
@@ -35,9 +35,9 @@ Each mid-call webhook callback sent by Call Automation uses a signed JSON Web To
 ```
 
 4. Configure your application to validate the JWT and the configuration of your Azure Communication Services resource. You need the `audience` values as it is present in the JWT payload.
-5. Validate the issuer, audience and the JWT token.
+5. Validate the issuer, audience and the JWT.
    - The audience is your Azure Communication Services resource ID you used to set up your Call Automation client. Refer [here](../../../quickstarts/voice-video-calling/get-resource-id.md) about how to get it.
-   - The JSON Web Key Set (JWKS) endpoint in the OpenId configuration contains the keys used to validate the JWT token. When the signature is valid and the token hasn't expired (within 5 minutes of generation), the client can use the token for authorization.
+   - The JSON Web Key Set (JWKS) endpoint in the OpenId configuration contains the keys used to validate the JWT. When the signature is valid and the token hasn't expired (within 5 minutes of generation), the client can use the token for authorization.
 
 This sample code demonstrates how to configure OIDC client to validate webhook payload using JWT
 
diff --git a/articles/communication-services/how-tos/call-automation/includes/secure-webhook-endpoint-javascript.md b/articles/communication-services/how-tos/call-automation/includes/secure-webhook-endpoint-javascript.md
@@ -26,9 +26,9 @@ npm install express jwks-rsa jsonwebtoken
 ```
 
 3. Configure your application to validate the JWT and the configuration of your Azure Communication Services resource. You need the `audience` values as it is present in the JWT payload.
-4. Validate the issuer, audience and the JWT token.
+4. Validate the issuer, audience and the JWT.
    - The audience is your Azure Communication Services resource ID you used to set up your Call Automation client. Refer [here](../../../quickstarts/voice-video-calling/get-resource-id.md) about how to get it.
-   - The JSON Web Key Set (JWKS) endpoint in the OpenId configuration contains the keys used to validate the JWT token. When the signature is valid and the token hasn't expired (within 5 minutes of generation), the client can use the token for authorization.
+   - The JSON Web Key Set (JWKS) endpoint in the OpenId configuration contains the keys used to validate the JWT. When the signature is valid and the token hasn't expired (within 5 minutes of generation), the client can use the token for authorization.
 
 This sample code demonstrates how to configure OIDC client to validate webhook payload using JWT
 
diff --git a/articles/communication-services/how-tos/call-automation/includes/secure-webhook-endpoint-python.md b/articles/communication-services/how-tos/call-automation/includes/secure-webhook-endpoint-python.md
@@ -25,9 +25,9 @@ pip install flask pyjwt
 ```
 
 3. Configure your application to validate the JWT and the configuration of your Azure Communication Services resource. You need the `audience` values as it is present in the JWT payload.
-4. Validate the issuer, audience and the JWT token.
+4. Validate the issuer, audience and the JWT.
    - The audience is your Azure Communication Services resource ID you used to set up your Call Automation client. Refer [here](../../../quickstarts/voice-video-calling/get-resource-id.md) about how to get it.
-   - The JSON Web Key Set (JWKS) endpoint in the OpenId configuration contains the keys used to validate the JWT token. When the signature is valid and the token hasn't expired (within 5 minutes of generation), the client can use the token for authorization.
+   - The JSON Web Key Set (JWKS) endpoint in the OpenId configuration contains the keys used to validate the JWT. When the signature is valid and the token hasn't expired (within 5 minutes of generation), the client can use the token for authorization.
 
 This sample code demonstrates how to configure OIDC client to validate webhook payload using JWT
 
diff --git a/articles/confidential-computing/skr-flow-confidential-vm-sev-snp.md b/articles/confidential-computing/skr-flow-confidential-vm-sev-snp.md
@@ -689,7 +689,7 @@ $cert | Format-List *
 # Subject              : CN=vault.azure.net, O=Microsoft Corporation, L=Redmond, S=WA, C=US
 ```
 
-The response's JWT token body looks incredibly similar to the response that you get when invoking the `get` key operation. However, the `release` operation includes the `key_hsm` property, amongst other things.
+The response's JWT body looks incredibly similar to the response that you get when invoking the `get` key operation. However, the `release` operation includes the `key_hsm` property, amongst other things.
 
 ```json
 {
diff --git a/articles/cost-management-billing/costs/understand-work-scopes.md b/articles/cost-management-billing/costs/understand-work-scopes.md
@@ -46,10 +46,10 @@ Azure supports three scopes for resource management. Each scope supports managin
 
     Resource type: [Microsoft.Resources/subscriptions](/rest/api/resources/subscriptions)
 
-- [**Resource groups**](../../azure-resource-manager/management/overview.md#resource-groups) - Logical groupings of related resources for an Azure solution that share the same lifecycle. For example resources that are deployed and deleted together.
+- **[Resource groups](../../azure-resource-manager/management/overview.md#resource-groups)** - Logical groupings of related resources for an Azure solution that share the same lifecycle. For example resources that are deployed and deleted together.
 
     Resource type: [Microsoft.Resources/subscriptions/resourceGroups](/rest/api/resources/resourcegroups)
-
+  
 Management groups allow you to organize subscriptions into a hierarchy. For example, you might create a logical organization hierarchy using management groups. Then, give teams subscriptions for production and dev/test workloads. And then create resource groups in the subscriptions to manage each subsystem or component.
 
 Creating an organizational hierarchy allows cost and policy compliance to roll up organizationally. Then, each leader can view and analyze their current costs. And then they can create budgets to curb bad spending patterns and optimize costs with Advisor recommendations at the lowest level.
@@ -78,6 +78,36 @@ Management groups are only supported if they contain up to 3,000 Enterprise Agre
 
 If you have a mix of subscriptions, move the unsupported subscriptions to a separate arm of the management group hierarchy to enable Cost Management for the supported subscriptions. As an example, create two management groups under the root management group: **Microsoft Entra ID** and **My Org**. Move your Microsoft Entra subscription to the **Microsoft Entra ID** management group and then view and manage costs using the **My Org** management group.
 
+### Managed resource groups 
+
+Managed resource groups created by certain resource providers - such as Azure Red Hat OpenShift (ARO) or Azure Databricks - can't be used as scopes for Cost Management features like budgets or exports. These resource groups typically include deny assignments that restrict modifications to protect critical resources, which can result in authorization errors. For more information on deny assignments, please refer to [List Azure deny assignments](/azure/role-based-access-control/deny-assignments?tabs=azure-portal).
+
+To avoid these issues, use a higher-level scope such as the subscription scope which contains this managed resource group when configuring budgets or exports.
+
+#### Required permissions for exports at RBAC scope
+
+- Microsoft.CostManagement/exports/Read – View exports
+
+- Microsoft.CostManagement/exports/Write – Create or update exports
+
+- Microsoft.CostManagement/exports/Delete – Delete exports
+
+- Microsoft.CostManagement/exports/Action – Run export
+
+*Note: Deny assignments can result in permission errors, so please check even with these permissions if there are any deny assignments at this scope.*
+
+#### Required permissions for budgets at RBAC scope
+
+- Microsoft.Consumption/budgets/Read – View budgets
+
+- Microsoft.Consumption/budgets/Write – Create or update budgets
+
+- Microsoft.Consumption/budgets/Delete – Delete budgets
+
+- (Optional) Microsoft.Insights/actionGroups/Read – If action groups are configured for alerts
+
+*Note: Deny assignments can result in permission errors, so please check even with these permissions if there are any deny assignments at this scope.*
+
 ### Feature behavior for each role
 
 The following table shows how Cost Management features are used by each role. The following behavior is applicable to all Azure RBAC scopes.
diff --git a/articles/dns/dns-reverse-dns-overview.md b/articles/dns/dns-reverse-dns-overview.md
@@ -6,7 +6,7 @@ manager: KumuD
 ms.service: azure-dns
 ms.topic: concept-article
 ms.custom:
-ms.date: 09/12/2024
+ms.date: 04/21/2025
 ms.author: greglin
 ---
 
@@ -16,15 +16,15 @@ This article provides an overview of how reverse DNS works, and scenarios in whi
 
 ## What is reverse DNS?
 
-Conventional DNS records map a DNS name to an IP address, such as `www.contoso.com` resolves to 64.4.6.100. A reverse DNS does the opposite by translating an IP address back to a name. For example, a lookup of 64.4.6.100 will resolve to `www.contoso.com`.
+Conventional DNS records map a DNS name to an IP address. For example, assume that `www.contoso.com` resolves to 203.0.113.100. Reverse DNS does the opposite by translating an IP address back to a name. Using the same example, a lookup of 203.0.113.100 resolves to `www.contoso.com`.
 
 Reverse DNS records are used in various situations. For example, reverse DNS records are widely used in combating e-mail spam by verifying the sender of an e-mail message.  The receiving mail server retrieves the reverse DNS record of the sending server's IP address. Then the receiving mail server verifies if that host is authorized to send e-mail from the originating domain.
 
 ## How reverse DNS works
 
 Reverse DNS records are hosted in special DNS zones, known as 'ARPA' zones.  These zones form a separate DNS hierarchy in parallel with the normal hierarchy hosting domains such as `contoso.com`.
 
-For example, the DNS record `www.contoso.com` is implemented using a DNS 'A' record with the name 'www' in the zone `contoso.com`. This A record points to the corresponding IP address, in this case 64.4.6.100.  The reverse lookup gets implemented separately, using a 'PTR' record named '100' in the zone '6.4.64.in-addr.arpa'. Notice that IP addresses in ARPA zones are reversed. This PTR record, when configured correctly will point to the name `www.contoso.com`.
+For example, the DNS record `www.contoso.com` is implemented using a DNS 'A' record with the name 'www' in the zone `contoso.com`. This A record points to the corresponding IP address, in this case 203.0.113.100.  The reverse lookup gets implemented separately, using a 'PTR' record named '100' in the zone '113.0.203.in-addr.arpa'. Notice that IP addresses in ARPA zones are reversed. This PTR record, when configured correctly will point to the name `www.contoso.com`.
 
 When an organization is assigned an IP address block, they also acquire the right to manage the corresponding ARPA zone. The ARPA zones corresponding to the IP address blocks used by Azure are hosted and managed by Microsoft. Your ISP may host the ARPA zone for you for the IP addresses you owned. They may also allow you to host the ARPA zone in a DNS service of your choice, such as Azure DNS.
 
diff --git a/articles/healthcare-apis/fhir/customer-managed-keys.md b/articles/healthcare-apis/fhir/customer-managed-keys.md
@@ -17,7 +17,7 @@ Customer-managed keys (CMK) are encryption keys that you create and manage in yo
 
 Follow security best practices and rotate keys often. Keys used with the FHIR service must be rotated manually. When you rotate a key, update the version of the existing key or set a new encryption key from a different storage location. Always make sure to keep existing keys enabled when adding new keys because they're still needed to access the data that was encrypted with them.  
 
-To rotate the key by generating a new version of the key, use the 'az keyvault key rotate' command. For more information, see [Azure key vault rotate command](/cli/azure/keyvault/key)
+To rotate the key by generating a new version of the key, use the 'az keyvault key rotate' command. For more information, see [Azure Key Vault rotate command](/cli/azure/keyvault/key).
 
 ## Update the FHIR service after changing a managed identity
 
diff --git a/articles/iot-dps/concepts-custom-allocation.md b/articles/iot-dps/concepts-custom-allocation.md
diff --git a/articles/operator-nexus/howto-kubernetes-cluster-customize-workers.md b/articles/operator-nexus/howto-kubernetes-cluster-customize-workers.md
diff --git a/articles/role-based-access-control/permissions/ai-machine-learning.md b/articles/role-based-access-control/permissions/ai-machine-learning.md
diff --git a/articles/virtual-network/ip-services/public-ip-upgrade-availability-set.md b/articles/virtual-network/ip-services/public-ip-upgrade-availability-set.md
diff --git a/articles/virtual-wan/how-to-network-virtual-appliance-add-ip-configurations.md b/articles/virtual-wan/how-to-network-virtual-appliance-add-ip-configurations.md

Original file line number	Diff line number	Diff line change
`@@ -689,7 +689,7 @@ $cert \| Format-List *`
`689`	`689`	`# Subject : CN=vault.azure.net, O=Microsoft Corporation, L=Redmond, S=WA, C=US`
`690`	`690`	```
`691`	`691`
`692`		-The response's JWT token body looks incredibly similar to the response that you get when invoking the `get` key operation. However, the `release` operation includes the `key_hsm` property, amongst other things.
	`692`	+The response's JWT body looks incredibly similar to the response that you get when invoking the `get` key operation. However, the `release` operation includes the `key_hsm` property, amongst other things.
`693`	`693`
`694`	`694`	```json
`695`	`695`	`{`