Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

.openpublishing.redirection.json

@@ -6813,6 +6813,11 @@
     "redirect_url":  "/azure/azure-functions/functions-bindings-error-pages",
     "redirect_document_id":  false
 },
+{
+    "source_path_from_root":  "/articles/azure-functions/functions-debug-event-grid-trigger-local.md",
+    "redirect_url":  "/azure/azure-functions/functions-event-grid-blob-trigger",
+    "redirect_document_id":  false
+},
 {
     "source_path_from_root":  "/articles/azure-government/documentation-government-k8.md",
     "redirect_url":  "/azure/azure-government",

articles/active-directory/governance/entitlement-management-access-package-auto-assignment-policy.md

@@ -28,6 +28,10 @@ During this preview, you can have at most one automatic assignment policy in an
 
 This article describes how to create an access package automatic assignment policy for an existing access package.
 
+## Before you begin
+
+You'll need to have attributes populated on the users who will be in scope for being assigned access.  The attributes you can use in the rules criteria of an access package assignment policy are those attributes listed in [supported properties](../enterprise-users/groups-dynamic-membership.md#supported-properties), along with [extension attributes and custom extension properties](../enterprise-users/groups-dynamic-membership.md#extension-properties-and-custom-extension-properties).  These attributes can be brought into Azure AD from [Graph](/graph/api/resources/user?view=graph-rest-beta), an HR system such as [SuccessFactors](../app-provisioning/sap-successfactors-integration-reference.md), [Azure AD Connect cloud sync](../cloud-sync/how-to-attribute-mapping.md) or [Azure AD Connect sync](../hybrid/how-to-connect-sync-feature-directory-extensions.md).
+
 ## Create an automatic assignment policy (Preview)
 
 To create a policy for an access package, you need to start from the access package's policy tab. Follow these steps to create a new policy for an access package.
@@ -45,7 +49,7 @@ To create a policy for an access package, you need to start from the access pack
 1. Provide a dynamic membership rule, using the [membership rule builder](../enterprise-users/groups-dynamic-membership.md) or by clicking **Edit** on the rule syntax text box.
 
    > [!NOTE]
-   > The rule builder might not be able to display some rules constructed in the text box. For more information, see [rule builder in the Azure portal](/enterprise-users/groups-create-rule.md#rule-builder-in-the-azure-portal).
+   > The rule builder might not be able to display some rules constructed in the text box, and validating a rule currently requires the you to be in the Global administrator role. For more information, see [rule builder in the Azure portal](/enterprise-users/groups-create-rule.md#rule-builder-in-the-azure-portal).
 
     ![Screenshot of an access package automatic assignment policy rule configuration.](./media/entitlement-management-access-package-auto-assignment-policy/auto-assignment-rule-configuration.png)
 

articles/active-directory/governance/manage-guest-access-with-access-reviews.md

@@ -4,14 +4,14 @@ description: Manage guest users as members of a group or assigned to an applicat
 services: active-directory
 documentationcenter: ''
 author: amsliu
-manager: karenhoran
+manager: amycolannino
 editor: markwahl-msft
 ms.service: active-directory
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.topic: conceptual
 ms.subservice: compliance
-ms.date: 4/16/2021
+ms.date: 08/23/2021
 ms.author: amsliu
 ms.reviewer: mwahl
 ms.collection: M365-identity-device-management
@@ -38,7 +38,7 @@ For more information, [License requirements](access-reviews-overview.md#license-
 First, you must be assigned one of the following roles:
 - global administrator
 - User administrator
-- (Preview) M365 or AAD Security Group owner of the group to be reviewed
+- (Preview) Microsoft 365 or Azure AD Security Group owner of the group to be reviewed
 
 Then, go to the [Identity Governance page](https://portal.azure.com/#blade/Microsoft_AAD_ERM/DashboardBlade/) to ensure that access reviews is ready for your organization.
 
@@ -119,7 +119,13 @@ In some organizations, guests might not be aware of their group memberships.
 
 4. After the reviewers give input, stop the access review. For more information, see [Complete an access review of groups or applications](complete-access-review.md).
 
-5. Remove guest access for guests who were denied, didn't complete the review, or didn't previously accept their invitation. If some of the guests are contacts who were selected to participate in the review or they didn't previously accept an invitation, you can disable their accounts by using the Azure portal or PowerShell. If the guest no longer needs access and isn't a contact, you can remove their user object from your directory by using the Azure portal or PowerShell to delete the guest user object.
+5. You can automatically delete the guest users Azure AD B2B accounts as part of an access review when you are configuring an Access review for **Select Team + Groups**. This option is not available for **All Microsoft 365 groups with guest users**.
+
+![Screenshot showing page to create access review.](media/manage-guest-access-with-access-reviews/new-access-review.png)
+
+To do so, select **Auto apply results to resource** as this will automatically remove the user from the resource. **If reviewer don't respond** should be set to **Remove access** and **Action to apply on denied guest users** should also be set to **Block from signing in for 30 days then remove user from the tenant**.
+
+This will immediately block sign in to the guest user account and then automatically delete their Azure AD B2B account after 30 days.
 
 ## Next steps
 

articles/active-directory/governance/media/create-access-review/teams-groups.png

@@ -29,6 +29,8 @@ Follow these steps to open the settings for an Azure privileged access group rol
 1. Open **Azure AD Privileged Identity Management**.
 
 1. Select **Privileged access (Preview)**.
+    >[!NOTE]
+    > Approver doesn't have to be member of the group, owner of the group or have Azure AD role assigned.
 
 1. Select the group that you want to manage.
 

articles/active-directory/governance/media/manage-guest-access-with-access-reviews/new-access-review.png

@@ -30,6 +30,8 @@ Follow these steps to open the settings for an Azure resource role.
 1. Open **Azure AD Privileged Identity Management**.
 
 1. Select **Azure resources**.
+    >[!NOTE]
+    > Approver doesn't have to have any Azure or Azure AD role assigned.
 
 1. Select the resource you want to manage, such as a subscription or management group.
 

articles/active-directory/privileged-identity-management/groups-role-settings.md

@@ -48,7 +48,7 @@ Azure Premium Storage delivers high-performance, low-latency disk support for vi
 
 ## Remove data skew on your Azure Synapse Analytics tables to increase query performance
 
-Data skew can cause unnecessary data movement or resource bottlenecks when you run your workload. Advisor detects distribution data skew of greater than 15%. It recommends that you redistribute your data and revisit your table distribution key selections. To learn more about identifying and removing skew, see [troubleshooting skew](../synapse-analytics/sql-data-warehouse/sql-data-warehouse-tables-distribute.md#how-to-tell-if-your-distribution-column-is-a-good-choice).
+Data skew can cause unnecessary data movement or resource bottlenecks when you run your workload. Advisor detects distribution data skew of greater than 15%. It recommends that you redistribute your data and revisit your table distribution key selections. To learn more about identifying and removing skew, see [troubleshooting skew](../synapse-analytics/sql-data-warehouse/sql-data-warehouse-tables-distribute.md#how-to-tell-if-your-distribution-is-a-good-choice).
 
 ## Create or update outdated table statistics in your Azure Synapse Analytics tables to increase query performance
 
@@ -186,7 +186,7 @@ Learn more about [Azure Communication Services](../communication-services/overvi
 
 1. Sign in to the [Azure portal](https://portal.azure.com), and then open [Advisor](https://aka.ms/azureadvisordashboard).
 
-2.	On the Advisor dashboard, select the **Performance** tab.
+2.    On the Advisor dashboard, select the **Performance** tab.
 
 ## Next steps
 

articles/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings.md

@@ -262,7 +262,7 @@ or
 ```
 
 > [!NOTE]
-> Backend entities can be managed via [Azure portal](how-to-configure-service-fabric-backend.md), management [API](/rest/api/apimanagement), and [PowerShell](https://www.powershellgallery.com/packages?q=apimanagement).
+> Backend entities can be managed via [Azure portal](how-to-configure-service-fabric-backend.md), management [API](/rest/api/apimanagement), and [PowerShell](https://www.powershellgallery.com/packages?q=apimanagement). Currently, if you define a base `set-backend-service` policy using the `backend-id` attribute and inherit the base policy using `<base />` within the scope, then it can be only overridden with a policy using the `backend-id` attribute, not the `base-url` attribute.
 
 ### Example
 
@@ -844,4 +844,4 @@ OriginalUrl.
 
 -   **Policy scopes:** all scopes
 
-[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]
+[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]

articles/advisor/advisor-performance-recommendations.md

@@ -4,7 +4,7 @@ description: Connect privately to a Web App using Azure Private Endpoint
 author: ericgre
 ms.assetid: 2dceac28-1ba6-4904-a15d-9e91d5ee162c
 ms.topic: article
-ms.date: 03/04/2022
+ms.date: 08/23/2022
 ms.author: ericg
 ms.service: app-service
 ms.workload: web
@@ -49,7 +49,6 @@ From a security perspective:
 - By default, when you enable Private Endpoints to your Web App, you disable all public access.
 - You can enable multiple Private Endpoints in others VNets and Subnets, including VNets in other regions.
 - The IP address of the Private Endpoint NIC must be dynamic, but will remain the same until you delete the Private Endpoint.
-- The NIC of the Private Endpoint can't have an NSG associated.
 - The Subnet that hosts the Private Endpoint can have an NSG associated, but you must disable the network policies enforcement for the Private Endpoint: see [Disable network policies for private endpoints][disablesecuritype]. As a result, you can't filter by any NSG the access to your Private Endpoint.
 - By default, when you enable Private Endpoint to your Web App, the [access restrictions][accessrestrictions] configuration of the Web App isn't evaluated.
 - You can eliminate the data exfiltration risk from the VNet by removing all NSG rules where destination is tag Internet or Azure services. When you deploy a Private Endpoint for a Web App, you can only reach this specific Web App through the Private Endpoint. If you have another Web App, you must deploy another dedicated Private Endpoint for this other Web App.