Commit 7ba1594

Merge pull request #245343 from MicrosoftDocs/repo_sync_working_branch
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)
2 parents 91f8fd6 + 17397b8 commit 7ba1594

10 files changed

+62
-12
lines changed

articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md

Lines changed: 7 additions & 0 deletions
@@ -171,6 +171,13 @@ Or, you can specify a tenant by URL to access security information.
171171

172172
`https://mysignins.microsoft.com/security-info/?tenantId=<Tenant ID>`
173173

174+
> [!NOTE]
175+
> Customers attempting to register or manage security info through combined registration or the My Sign-ins page should use a modern browser such as Microsoft Edge.
176+
>
177+
> IE11 is not officially supported for creating a webview or browser in applications as it will not work as expected in all scenarios.
178+
>
179+
> Applications that have not been updated and are still using Azure AD Authentication Library (ADAL) that rely on legacy webviews can fallback to older versions of IE. In these scenarios, users will experience a blank page when directed to the My Sign-ins page. To resolve this issue, switch to a modern browser.
180+
174181
## Next steps
175182

176183
To get started, see the tutorials to [enable self-service password reset](tutorial-enable-sspr.md) and [enable Azure AD Multi-Factor Authentication](tutorial-enable-azure-mfa.md).
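
Review bot: The last paragraph of the added note (new line 179) ends with "switch to a modern browser", but the scenario it describes is an application that embeds a legacy webview through ADAL, where the user has no browser to switch. Say who has to act: either the application owner updates the app so it no longer relies on the legacy webview, or the user opens the My Sign-ins URL directly in a standalone modern browser. Also, "can fallback" should be "can fall back", and "are still using ... that rely on" reads better as "still use ... and rely on".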

articles/active-directory/fundamentals/users-default-permissions.md

Lines changed: 1 addition & 1 deletion
@@ -60,7 +60,7 @@ You can restrict default permissions for member users in the following ways:
6060
| **Create Microsoft 365 groups** | Setting this option to **No** prevents users from creating Microsoft 365 groups. Setting this option to **Some** allows a set of users to create Microsoft 365 groups. Global administrators and user administrators can still create Microsoft 365 groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). |
6161
| **Restrict access to Azure AD administration portal** | **What does this switch do?** <br>**No** lets non-administrators browse the Azure AD administration portal. <br>**Yes** Restricts non-administrators from browsing the Azure AD administration portal. Non-administrators who are owners of groups or applications are unable to use the Azure portal to manage their owned resources. </p><p></p><p>**What does it not do?** <br> It doesn't restrict access to Azure AD data using PowerShell, Microsoft GraphAPI, or other clients such as Visual Studio. <br>It doesn't restrict access as long as a user is assigned a custom role (or any role). </p><p></p><p>**When should I use this switch?** <br>Use this option to prevent users from misconfiguring the resources that they own. </p><p></p><p>**When should I not use this switch?** <br>Don't use this switch as a security measure. Instead, create a Conditional Access policy that targets Microsoft Azure Management that blocks non-administrators access to [Microsoft Azure Management](../conditional-access/concept-conditional-access-cloud-apps.md#microsoft-azure-management). </p><p></p><p> **How do I grant only a specific non-administrator users the ability to use the Azure AD administration portal?** <br> Set this option to **Yes**, then assign them a role like global reader. </p><p></p><p>**Restrict access to the Entra administration portal** <br>A Conditional Access policy that targets Microsoft Azure Management targets access to all Azure management. |
6262
| **Restrict non-admin users from creating tenants** | Users can create tenants in the Azure AD and Entra administration portal under Manage tenant. The creation of a tenant is recorded in the Audit log as category DirectoryManagement and activity Create Company. Anyone who creates a tenant becomes the Global Administrator of that tenant. The newly created tenant doesn't inherit any settings or configurations. </p><p></p><p>**What does this switch do?** <br> Setting this option to **Yes** restricts creation of Azure AD tenants to the Global Administrator or tenant creator roles. Setting this option to **No** allows non-admin users to create Azure AD tenants. Tenant create will continue to be recorded in the Audit log. </p><p></p><p>**How do I grant only a specific non-administrator users the ability to create new tenants?** <br> Set this option to Yes, then assign them the tenant creator role.|
63-
| **Restrict users from recovering the BitLocker key(s) for their owned devices** | Setting this option to **Yes** restricts users from being able to self-service recover BitLocker key(s) for their owned devices. Users will have to contact their organization's helpdesk to retrieve their BitLocker keys. Setting this option to **No** allows users to recover their BitLocker key(s). |
63+
| **Restrict users from recovering the BitLocker key(s) for their owned devices** | This setting can be found in the Azure AD and Entral portal in the Device Settings. Setting this option to **Yes** restricts users from being able to self-service recover BitLocker key(s) for their owned devices. Users will have to contact their organization's helpdesk to retrieve their BitLocker keys. Setting this option to **No** allows users to recover their BitLocker key(s). |
6464
| **Read other users** | This setting is available in Microsoft Graph and PowerShell only. Setting this flag to `$false` prevents all non-admins from reading user information from the directory. This flag doesn't prevent reading user information in other Microsoft services like Exchange Online.</p><p>This setting is meant for special circumstances, so we don't recommend setting the flag to `$false`. |
6565

6666
The **Restrict non-admin users from creating tenants** option is shown [below](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/UserSettings)
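
Review bot: New line 63 misspells the portal name as "Entral"; it should read "Entra". The phrase "in the Azure AD and Entral portal in the Device Settings" is also hard to follow; consider "under **Device settings** in the Azure AD or Entra portal". Since the link directly under the table points at the User settings blade, it is worth making explicit that this switch lives on a different blade.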

articles/active-directory/hybrid/connect/how-to-connect-syncservice-features.md

Lines changed: 42 additions & 1 deletion
@@ -28,9 +28,40 @@ This topic explains how the following features of the **Azure AD Connect sync se
2828

2929
These settings are configured by the [Azure Active Directory Module for Windows PowerShell](/previous-versions/azure/jj151815(v=azure.100)). Download and install it separately from Azure AD Connect. The cmdlets documented in this topic were introduced in the [2016 March release (build 9031.1)](https://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx#Version_9031_1). If you do not have the cmdlets documented in this topic or they do not produce the same result, then make sure you run the latest version.
3030

31-
To see the configuration in your Azure AD directory, run `Get-MsolDirSyncFeatures`.
31+
To see the configuration in your Azure AD directory, run `Get-MsolDirSyncFeatures`.
3232
![Get-MsolDirSyncFeatures result](./media/how-to-connect-syncservice-features/getmsoldirsyncfeatures.png)
3333

34+
To see the configuration in your Azure AD directory using the Graph Powershell, use the following commands:
35+
```powershell
36+
Connect-MgGraph -Scopes OnPremDirectorySynchronization.Read.All, OnPremDirectorySynchronization.ReadWrite.All
37+
38+
Get-MgDirectoryOnPremisSynchronization | Select-Object -ExpandProperty Features | Format-List
39+
```
40+
41+
The output looks similar to `Get-MsolDireSyncFeatures`:
42+
```powershell
43+
BlockCloudObjectTakeoverThroughHardMatchEnabled : False
44+
BlockSoftMatchEnabled : False
45+
BypassDirSyncOverridesEnabled : False
46+
CloudPasswordPolicyForPasswordSyncedUsersEnabled : False
47+
ConcurrentCredentialUpdateEnabled : False
48+
ConcurrentOrgIdProvisioningEnabled : False
49+
DeviceWritebackEnabled : False
50+
DirectoryExtensionsEnabled : True
51+
FopeConflictResolutionEnabled : False
52+
GroupWriteBackEnabled : False
53+
PasswordSyncEnabled : True
54+
PasswordWritebackEnabled : False
55+
QuarantineUponProxyAddressesConflictEnabled : False
56+
QuarantineUponUpnConflictEnabled : False
57+
SoftMatchOnUpnEnabled : True
58+
SynchronizeUpnForManagedUsersEnabled : False
59+
UnifiedGroupWritebackEnabled : True
60+
UserForcePasswordChangeOnLogonEnabled : False
61+
UserWritebackEnabled : True
62+
AdditionalProperties : {}
63+
```
64+
3465
Many of these settings can only be changed by Azure AD Connect.
3566

3667
The following settings can be configured by `Set-MsolDirSyncFeature`:
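
Review bot: The added `Connect-MgGraph` line (new line 36) requests `OnPremDirectorySynchronization.ReadWrite.All` for a sequence that only reads the feature flags; `OnPremDirectorySynchronization.Read.All` on its own should be enough here and keeps the documented sample at least privilege. Please also check the cmdlet name on new line 38: `Get-MgDirectoryOnPremisSynchronization` looks like a misspelling of `Get-MgDirectoryOnPremiseSynchronization`, and new line 41 writes `Get-MsolDireSyncFeatures` where line 31 has `Get-MsolDirSyncFeatures`. The sample output on new lines 42 to 63 is fenced as `powershell` although it is console output, "Graph Powershell" should be "Microsoft Graph PowerShell", and the edit to line 31 appears to be whitespace only.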
@@ -72,7 +103,12 @@ If you need to match on-premises AD accounts with existing accounts created in t
72103
This feature is on by default for newly created Azure AD directories. You can see if this feature is enabled for you by running:
73104

74105
```powershell
106+
## Using the MSOnline module
75107
Get-MsolDirSyncFeatures -Feature EnableSoftMatchOnUpn
108+
109+
## Using the Graph Powershell module
110+
$Config = Get-MgDirectoryOnPremisSynchronization
111+
$Config.Features.SoftMatchOnUpnEnabled
76112
```
77113

78114
If this feature is not enabled for your Azure AD directory, then you can enable it by running:
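
Review bot: New line 110 calls `Get-MgDirectoryOnPremisSynchronization`, the same spelling questioned in the first hunk of this file; if the cmdlet is `Get-MgDirectoryOnPremiseSynchronization`, this block fails when pasted. The Graph half also assumes an existing `Connect-MgGraph` session, which the block does not say; a one-line comment pointing back to the connect step would help. Use a single `#` for the two added comments, since `##` inside a powershell fence reads like a Markdown heading.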
@@ -106,7 +142,12 @@ Enabling this feature allows the sync engine to update the userPrincipalName whe
106142
This feature is on by default for newly created Azure AD directories. You can see if this feature is enabled for you by running:
107143

108144
```powershell
145+
## Using the MSOnline module
109146
Get-MsolDirSyncFeatures -Feature SynchronizeUpnForManagedUsers
147+
148+
## Using the Graph Powershell module
149+
$config = Get-MgDirectoryOnPremisSynchronization
150+
$config.Features.SynchronizeUpnForManagedUsersEnabled
110151
```
111152

112153
If this feature is not enabled for your Azure AD directory, then you can enable it by running:
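
Review bot: New lines 149 and 150 use `$config` while the equivalent block in the previous hunk uses `$Config`; PowerShell ignores the case, but pick one so the two samples read as the same pattern. The cmdlet spelling and the unstated `Connect-MgGraph` prerequisite raised for the previous hunk apply here as well.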

articles/active-directory/hybrid/get-started.md

Lines changed: 1 addition & 1 deletion
@@ -41,7 +41,7 @@ Use these tasks if you're deploying Azure AD Connect to integrate with Active Di
4141

4242
|Task|Description|
4343
|-----|-----|
44-
|[Determine which sync tool is correct for you](https://setup.microsoft.com/azure/add-or-sync-users-to-microsoft-365) |Use the wizard to determine whether cloud sync or Azure AD Connect is the right tool for you.|
44+
|[Determine which sync tool is correct for you](https://setup.microsoft.com/azure/add-or-sync-users-to-azure-ad) |Use the wizard to determine whether cloud sync or Azure AD Connect is the right tool for you.|
4545
|[Review the Azure AD Connect prerequisites](connect/how-to-connect-install-prerequisites.md)|Review the necessary prerequisites before getting started.|
4646
|[Review and choose an installation type](connect/how-to-connect-install-select-installation.md)|Determine whether you'll use express or custom installation.|
4747
|[Download Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594)|Download Azure AD Connect.|
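
Review bot: Only the URL slug changes on line 44 (`add-or-sync-users-to-microsoft-365` becomes `add-or-sync-users-to-azure-ad`) while the link text and description stay the same. Please confirm the new address resolves to the wizard the description promises, and search the repo for other links to the old slug so they are updated in the same change.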

articles/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vm.md

Lines changed: 1 addition & 1 deletion
@@ -95,7 +95,7 @@ If you have a Virtual Machine that no longer needs the system-assigned managed i
9595

9696
```azurepowershell-interactive
9797
$vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myVM
98-
Update-AzVm -ResourceGroupName myResourceGroup -VM $vm -IdentityType "UserAssigned"
98+
Update-AzVm -ResourceGroupName myResourceGroup -VM $vm -IdentityType "UserAssigned" -IdentityID "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESROURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>..."
9999
```
100100

101101
If you have a virtual machine that no longer needs system-assigned managed identity and it has no user-assigned managed identities, use the following commands:
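
Review bot: The `-IdentityID` value added on line 98 ends with `...` inside the quotes, so a reader who fills in the placeholders and runs the command passes a resource ID with three stray dots; drop the ellipsis. The placeholder `<RESROURCE GROUP>` is misspelled and should be `<RESOURCE GROUP>`. Because this command changes the identity configuration of the VM, add a sentence before the block that says which identity the reader is expected to supply in `-IdentityID`.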

articles/azure-resource-manager/custom-providers/overview.md

Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@ Azure Custom Resource Providers are made by creating a contract between Azure an
3636

3737
## How to build custom resource providers
3838

39-
Custom resource providers are a list of contracts between Azure and endpoints. This contract describes how Azure should interact with an endpoint. The resource provider acts like a proxy and will forward requests and responses to and from the specified **endpoint**. A resource provider can specify two types of contracts: [**resourceTypes**](./custom-providers-resources-endpoint-how-to.md) and [**actions**](./custom-providers-action-endpoint-how-to.md). These are enabled through endpoint definitions. An endpoint definition is comprised of three fields: **name**, **routingType**, and **endpoint**.
39+
Custom resource providers are a list of contracts between Azure and endpoints. These contracts describe how Azure should interact with their endpoints. The resource providers act like a proxy and will forward requests and responses to and from their specified **endpoint**. A resource provider can specify two types of contracts: [**resourceTypes**](./custom-providers-resources-endpoint-how-to.md) and [**actions**](./custom-providers-action-endpoint-how-to.md). These are enabled through endpoint definitions. An endpoint definition is comprised of three fields: **name**, **routingType**, and **endpoint**.
4040

4141
Sample Endpoint:
4242

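
Review bot: The rewrite on line 39 moves to plurals but leaves the number mixed: "The resource providers act like a proxy ... their specified **endpoint**" is followed by "A resource provider can specify". In "These contracts describe how Azure should interact with their endpoints", "their" is also ambiguous between Azure and the contracts. Suggest staying singular throughout, for example "Each contract describes how Azure should interact with its endpoint. The resource provider acts like a proxy and forwards requests and responses to and from the specified **endpoint**."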
articles/machine-learning/how-to-configure-network-isolation-with-v2.md

Lines changed: 2 additions & 2 deletions
@@ -105,13 +105,13 @@ The Azure CLI [extension v1 for machine learning](./v1/reference-azure-machine-l
105105
> The `v1-legacy-mode` parameter is only available in version 1.41.0 or newer of the Azure CLI extension for machine learning v1 (`azure-cli-ml`). Use the `az version` command to view version information.
106106
107107
```azurecli
108-
az ml workspace update -g <myresourcegroup> -w <myworkspace> --v1-legacy-mode False
108+
az ml workspace update -g <myresourcegroup> -n <myworkspace> --v1-legacy-mode False
109109
```
110110

111111
The return value of the `az ml workspace update` command may not show the updated value. To view the current state of the parameter, use the following command:
112112

113113
```azurecli
114-
az ml workspace show -g <myresourcegroup> -w <myworkspace> --query v1LegacyMode
114+
az ml workspace show -g <myresourcegroup> -n <myworkspace> --query v1LegacyMode
115115
```
116116

117117
---
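
Review bot: Both commands switch the workspace flag from `-w` to `-n` (lines 108 and 114), while the note directly above on line 105 ties `--v1-legacy-mode` to the v1 extension (`azure-cli-ml`). Please confirm that `-n` is the workspace-name flag in the extension version this section targets, and state next to the commands which extension they are meant to be run with, so readers on the other one are not left with a flag that is rejected.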

articles/purview/how-to-managed-attributes.md

Lines changed: 1 addition & 1 deletion
@@ -97,7 +97,7 @@ Once you have created managed attributes, you can refine your [data catalog sear
9797

9898
Below are the known limitations of the managed attribute feature as it currently exists in Microsoft Purview.
9999

100-
- Managed attributes can only be expired, not deleted.
100+
- Managed attributes can only be deleted if they have not been applied to any assets.
101101
- Managed attributes can't be applied via the bulk edit experience.
102102
- After creating an attribute group, you can't edit the name of the attribute group.
103103
- After creating a managed attribute, you can't update the attribute name, attribute group or the field type.
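
Review bot: New line 100 drops the word "expired" entirely, so the list no longer says what a reader can do with an attribute that has already been applied to assets. If expiring is still the only option in that case, say so, for example "Managed attributes that have been applied to assets can't be deleted, only expired." That wording also matches the "can't" style of the neighbouring bullets.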

articles/virtual-machines/linux/azure-hybrid-benefit-linux.md

Lines changed: 5 additions & 3 deletions
@@ -2,15 +2,15 @@
22
title: Azure Hybrid Benefit for Linux virtual machines
33
description: Learn how Azure Hybrid Benefit can save you money on Linux virtual machines.
44
services: virtual-machines
5-
author: mathapli
5+
author: Dhiraj3030
66
manager: gachandw
77
ms.service: virtual-machines
88
ms.subservice: billing
99
ms.collection: linux
1010
ms.topic: conceptual
1111
ms.workload: infrastructure-services
1212
ms.date: 05/02/2023
13-
ms.author: mattmcinnes
13+
ms.author: dkulkarni
1414
ms.custom: kr2b-contr-experiment
1515
---
1616

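
Review bot: `author` and `ms.author` change on lines 5 and 13, and the body of this article changes in the next hunk, but `ms.date` on line 12 stays at 05/02/2023. Update the date if the front matter is meant to reflect the last content review.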
@@ -122,13 +122,15 @@ az vm update -g myResourceGroup -n myVmName --license-type SLES_BYOS
122122

123123
#### Convert to PAYG using the Azure CLI
124124

125-
To return a VM to a PAYG model, use a `--license-type` value of `None`:
125+
If the system was originally a PAYG image and you want to return the VM to a PAYG model, use a `--license-type` value of `None`. For example:
126126

127127
```azurecli
128128
# This will enable PAYG on a virtual machine using Azure Hybrid Benefit
129129
az vm update -g myResourceGroup -n myVmName --license-type None
130130
```
131131

132+
If you have a BYOS and want to convert the VM to PAYG, use a `--license-type` value that covers the VM needs as described futher in this article. For example, for RHEL systems you can use any of the following: RHEL_BASE, RHEL_EUS, RHEL_SAPAPPS, RHEL_SAPHA, RHEL_BASEAPAPPS or RHEL_BASESAPHA.
133+
132134
#### Convert multiple VM license models simultaneously using the Azure CLI
133135

134136
To switch the licensing model on a large number of virtual machines, you can use the `--ids` parameter in the Azure CLI:
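
Review bot: The license-type list on new line 132 contains `RHEL_BASEAPAPPS`, which looks like a typo for `RHEL_BASESAPAPPS` given the neighbouring `RHEL_SAPAPPS` and `RHEL_BASESAPHA`; a reader who copies it will pass a value the CLI does not recognize. "futher" should be "further", and the values should be in code formatting like `None` on line 125. The paragraph says "For example" but gives no command, unlike the `None` case above it; an `az vm update ... --license-type RHEL_BASE` sample would make the BYOS path equally concrete. The unchanged comment on line 128 ("enable PAYG on a virtual machine using Azure Hybrid Benefit") now sits under text that limits the command to VMs that were originally PAYG images and could be reworded to match.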

articles/virtual-network/tutorial-filter-network-traffic.md

Lines changed: 1 addition & 1 deletion
@@ -100,7 +100,7 @@ An [application security group (ASGs)](application-security-groups.md) enables y
100100

101101
A [network security group (NSG)](network-security-groups-overview.md) secures network traffic in your virtual network.
102102

103-
1. From the Azure portal menu, select **+ Create a resource** > **Networking** > **Network security group**, or search for *Network security group* in the portal search box.
103+
1. From the Azure portal menu, select **+ Create a resource** > **Networking** > **Network security group**, or use the portal search box to search for **Network security group** (not *Network security group (classic)*).
104104

105105
1. Select **Create**.
106106

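
Review bot: The parenthetical on line 103, "(not *Network security group (classic)*)", nests parentheses and mixes bold for the item to pick with italics for the item to avoid. Consider splitting it into its own sentence with consistent formatting: "search for **Network security group**. Don't select **Network security group (classic)**."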