Merge pull request #1 from MicrosoftDocs/main

Updating branch

Author: dascottmsft

articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md

@@ -141,34 +141,28 @@ IIF(IsPresent([alternativeSecurityId]),
 
 ## Look up certificateUserIds using Microsoft Graph queries
 
-Tenant admins can run MS Graph queries to find all the users with a given certificateUserId value.
+Authorized callers can run Microsoft Graph queries to find all the users with a given certificateUserId value. On the Microsoft Graph [user](/graph/api/resources/user) object, the collection of certificateUserIds are stored in the **authorizationInfo** property.
 
-GET all user objects that have the value '[email protected]' value in certificateUserIds:
+To retrieve all user objects that have the value '[email protected]' in certificateUserIds:
 
-```http
-GET  https://graph.microsoft.com/v1.0/users?$filter=certificateUserIds/any(x:x eq '[email protected]')
-```
- 
-```http
-GET https://graph.microsoft.com/v1.0/users?$filter=startswith(certificateUserIds, '[email protected]')
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/users?$filter=authorizationInfo/certificateUserIds/any(x:x eq '[email protected]')&$count=true
+ConsistencyLevel: eventual
 ```
 
-```http
-GET https://graph.microsoft.com/v1.0/users?$filter=certificateUserIds eq '[email protected]'
-```
+You can also use the `not` and `startsWith` operators to match the filter condition. To filter against the certificateUserIds object, the request must include the `$count=true` query string and the **ConsistencyLevel** header set to `eventual`.
 
-## Update certificate user IDs using Microsoft Graph queries
-PATCH the user object certificateUserIds value for a given userId
+## Update certificateUserIds using Microsoft Graph queries
+
+Run a PATCH request to update the certificateUserIds for a given user.
 
 #### Request body:
 
 ```http
-PATCH https://graph.microsoft.us/v1.0/users/{id}
+PATCH https://graph.microsoft.com/v1.0/users/{id}
 Content-Type: application/json
-{
 
-    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(authorizationInfo,department)/$entity",
-    "department": "Accounting",
+{
     "authorizationInfo": {
         "certificateUserIds": [
             "X509:<PN>123456789098765@mil"

articles/active-directory/fundamentals/resilience-client-app.md

@@ -11,7 +11,7 @@ ms.subservice: pim
 ms.topic: overview
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 01/25/2023
+ms.date: 3/3/2023
 ms.author: amsliu
 ms.custom: pim 
 ms.collection: M365-identity-device-management
@@ -52,7 +52,7 @@ Azure AD role-assignable group feature is not part of Azure AD Privileged Identi
 
 Groups can be role-assignable or non-role-assignable. The group can be enabled in PIM for Groups or not enabled in PIM for Groups. These are independent properties of the group. Any Azure AD security group and any Microsoft 365 group (except dynamic groups and groups synchronized from on-premises environment) can be enabled in PIM for Groups. The group does not have to be role-assignable group to be enabled in PIM for Groups.
 
-If you want to assign Azure AD role to a group, it has to be role-assignable. Even if you do not intend to assign Azure AD role to the group but the group provides access to sensitive resources, it is still recommended to consider creating the group as role-assignable. This is because of extra protections role-assignable groups have – see “What are Azure AD role-assignable groups?” in the section above.
+If you want to assign Azure AD role to a group, it has to be role-assignable. Even if you do not intend to assign Azure AD role to the group but the group provides access to sensitive resources, it is still recommended to consider creating the group as role-assignable. This is because of extra protections role-assignable groups have – see [“What are Azure AD role-assignable groups?”](#what-are-azure-ad-role-assignable-groups) in the section above.
 
 Up until January 2023, it was required that every Privileged Access Group (former name for this PIM for Groups feature) had to be role-assignable group. This restriction is currently removed. Because of that, it is now possible to enable more than 500 groups per tenant in PIM, but only up to 500 groups can be role-assignable.
 

articles/active-directory/privileged-identity-management/concept-pim-for-groups.md

@@ -2585,7 +2585,7 @@ Privileged Auth Admin |   |   |   |   | :heavy_check_mark: |
 Privileged Role Admin |   |   |   |   | :heavy_check_mark: | :heavy_check_mark:
 Reports Reader |   | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
 User<br/>(no admin role) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
-User<br/>(no admin role, but member or owner of a role-assignable group) | &nbsp; | &nbsp; | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark:
+User<br/>(no admin role, but member or owner of a [role-assignable group](groups-concept.md)) | &nbsp; | &nbsp; | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark:
 User Admin | &nbsp; | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
 Usage Summary Reports Reader | &nbsp; | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
 All custom roles | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
@@ -2631,7 +2631,7 @@ Privileged Auth Admin | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark
 Privileged Role Admin | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark:
 Reports Reader | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
 User<br/>(no admin role) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
-User<br/>(no admin role, but member or owner of a role-assignable group) | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark:
+User<br/>(no admin role, but member or owner of a [role-assignable group](groups-concept.md)) | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark:
 User Admin | &nbsp; | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
 Usage Summary Reports Reader | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
 All custom roles | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:

articles/active-directory/roles/permissions-reference.md

@@ -413,7 +413,8 @@ At a high-level, the launcher performs the following sequence of steps:
 3. Perform CRD metadata scan to discover existing Arc and Arc Data Services Custom Resources
 4. Clean up any existing Custom Resources in Kubernetes, and subsequent resources in Azure. If any mismatch between the credentials in `.test.env` compared to resources existing in the cluster, quit.
 5. Generate a unique set of environment variables based on timestamp for Arc Cluster name, Data Controller and Custom Location/Namespace. Prints out the environment variables, obfuscating sensitive values (e.g. Service Principal Password etc.)
-6. a. For Direct Mode - Onboard the Cluster to Azure Arc, then deploys the Controller via the [unified experience](create-data-controller-direct-cli.md?tabs=linux#deploy---unified-experience)
+6. a. For Direct Mode - Onboard the Cluster to Azure Arc, then deploys the controller. 
+
    b. For Indirect Mode: deploy the Data Controller
 7. Once Data Controller is `Ready`, generate a set of Azure CLI ([`az arcdata dc debug`](/cli/azure/arcdata/dc/debug?view=azure-cli-latest&preserve-view=true)) logs and store locally, labeled as `setup-complete` - as a baseline.
 8. Use the `TESTS_DIRECT/INDIRECT` environment variable from `.test.env` to launch a set of parallelized Sonobuoy test runs based on a space-separated array (`TESTS_(IN)DIRECT`). These runs execute in a new `sonobuoy` namespace, using `arc-sb-plugin` pod that contains the Pytest validation tests.

articles/azure-arc/data/automated-integration-testing.md

@@ -20,7 +20,7 @@ This article describes how to enable transparent data encryption on a database c
 
 Before you proceed with this article, you must have an Azure Arc-enabled SQL Managed Instance resource created and connect to it.
 
-- [An Azure Arc-enabled SQL Managed Instance created](./create-sql-managed-instance.md)
+- [Create an Azure Arc-enabled SQL Managed Instance](./create-sql-managed-instance.md)
 - [Connect to Azure Arc-enabled SQL Managed Instance](./connect-managed-instance.md)
 
 ## Turn on transparent data encryption on a database in the managed instance

articles/azure-arc/data/configure-transparent-data-encryption-manually.md

@@ -30,7 +30,7 @@ Turning on the TDE feature does the following:
 
 Before you proceed with this article, you must have an Azure Arc-enabled SQL Managed Instance resource created and connect to it.
 
-- [An Azure Arc-enabled SQL Managed Instance created](./create-sql-managed-instance.md)
+- [Create an Azure Arc-enabled SQL Managed Instance](./create-sql-managed-instance.md)
 - [Connect to Azure Arc-enabled SQL Managed Instance](./connect-managed-instance.md)
 
 ## Limitations

articles/azure-arc/data/configure-transparent-data-encryption-sql-managed-instance.md

@@ -62,6 +62,6 @@ The progress of Azure Arc data controller deployment can be monitored as follows
 
 ## Next steps
 
-[Create an Azure Arc-enabled SQL managed instance](create-sql-managed-instance.md)
+[Create an Azure Arc-enabled SQL Managed Instance](create-sql-managed-instance.md)
 
 [Create an Azure Arc-enabled PostgreSQL server](create-postgresql-server.md)