Merge pull request #211765 from msmbaldwin/akv-misc

Akv misc

Author: liljack17

articles/databox-online/azure-stack-edge-gpu-troubleshoot-activation.md

@@ -48,8 +48,8 @@ The following table summarizes the errors related to device activation and the c
 
 | Error   message| Recommended   resolution |
 |------------------------------------------------------|--------------------------------------|
-| If the diagnostic setting creation fails for your key vault, you'll see this error. <!--<br> ![Key vault error 3](./media/azure-stack-edge-gpu-activation-key-vault/placeholder.png)--> | This is not a blocking error and the activation key will be generated. <br> You can manually [Create a diagnostic setting to store your audit logs](../key-vault/general/howto-logging.md#create-a-storage-account-for-your-logs). |
-| If the storage account creation fails, for example, because an account already exists for the name you specified, you'll see this error. <!--<br> ![Key vault error 3](./media/azure-stack-edge-gpu-activation-key-vault/placeholder.png)--> | You can manually create a storage account and link it to the diagnostic setting on your key vault. This account is then used to store audit logs. <br> For more information, see [Create a storage account for your logs](../key-vault/general/howto-logging.md#create-a-storage-account-for-your-logs).  |
+| If the diagnostic setting creation fails for your key vault, you'll see this error. <!--<br> ![Key vault error 3](./media/azure-stack-edge-gpu-activation-key-vault/placeholder.png)--> | This is not a blocking error and the activation key will be generated. <br>You can manually [Create a diagnostic setting to store your audit logs](../key-vault/general/howto-logging.md). |
+| If the storage account creation fails, for example, because an account already exists for the name you specified, you'll see this error. <!--<br> ![Key vault error 3](./media/azure-stack-edge-gpu-activation-key-vault/placeholder.png)--> | You can manually create a storage account and link it to the diagnostic setting on your key vault. This account is then used to store audit logs. <br> For more information, see [Create a storage account for your logs](../key-vault/general/howto-logging.md).  |
 |If the system assigned managed identity for your Azure Stack Edge resource is deleted, you'll see this error. <!--<br> ![Key vault error 3](./media/azure-stack-edge-gpu-activation-key-vault/placeholder.png)--> | You'll see an alert in the Security blade for your Azure Stack Edge resource. Select this alert to [Create a new managed identity through the Recover key vault blade](azure-stack-edge-gpu-activation-key-vault.md#recover-key-vault)  |
 | If the managed identity doesn't have access to the key vault, you'll see this error. <!--<br> ![Key vault error 3](./media/azure-stack-edge-gpu-activation-key-vault/placeholder.png)--> | You'll see an alert in the Security blade for your Azure Stack Edge resource. Select this alert to [Grant managed identity access to the key vault through the Recover key vault blade](azure-stack-edge-gpu-activation-key-vault.md#recover-key-vault).  |
 
@@ -59,7 +59,7 @@ The following table summarizes the errors related to device activation and the c
 |------------------------------------------------------|--------------------------------------|
 | If the key vault resource is moved across resource groups or subscriptions, you'll see this error. <!--<br> ![Key vault error 3](./media/azure-stack-edge-gpu-activation-key-vault/placeholder.png)--> | The key vault resource move is treated the same way as key vault deletion. You can restore the key vault if the vault is in purge-protection duration. If the purge-protection duration has elapsed, then you'll need to create a new key vault. For more information on either of the above cases, see [Recover a key vault](azure-stack-edge-gpu-activation-key-vault.md#recover-key-vault).    |
 | If the subscription you are using, is moved across tenants, you'll see this error. <!--<br> ![Key vault error 3](./media/azure-stack-edge-gpu-activation-key-vault/placeholder.png)--> | Reconfigure managed identity and create a new key vault. You can also move the key vault resource in which case only the managed identity will need to be reconfigured. In each of the above cases, see [Recover a key vault](azure-stack-edge-gpu-activation-key-vault.md#recover-key-vault).   |
-| If the storage account resource that is used for audit logs, is moved across resource groups or subscriptions, you won't see an error.  | You can [Create a new storage account and configure it to store the audit logs](../key-vault/general/howto-logging.md#create-a-storage-account-for-your-logs). |
+| If the storage account resource that is used for audit logs, is moved across resource groups or subscriptions, you won't see an error.  | You can [Create a new storage account and configure it to store the audit logs](../key-vault/general/howto-logging.md). |
 
 ## Other errors
 

articles/key-vault/certificates/about-certificates.md

@@ -110,10 +110,10 @@ The following table represents the mapping of x509 key usage policy to effective
 |----------|--------|--------|
 |DataEncipherment|encrypt, decrypt| N/A |
 |DecipherOnly|decrypt| N/A  |
-|DigitalSignature|sign, verify| Key Vault default without a usage specification at certificate creation time | 
+|DigitalSignature|sign, verify| Key Vault default without a usage specification at certificate creation time |
 |EncipherOnly|encrypt| N/A |
 |KeyCertSign|sign, verify|N/A|
-|KeyEncipherment|wrapKey, unwrapKey| Key Vault default without a usage specification at certificate creation time | 
+|KeyEncipherment|wrapKey, unwrapKey| Key Vault default without a usage specification at certificate creation time |
 |NonRepudiation|sign, verify| N/A |
 |crlsign|sign, verify| N/A |
 
@@ -134,7 +134,7 @@ Before a certificate issuer can be created in a Key Vault, following prerequisit
 
     -   An organization administrator must on-board their company (ex. Contoso) with at least one CA provider.  
 
-2. Admin creates requester credentials for Key Vault to enroll (and renew) TLS/SSL certificates  
+1. Admin creates requester credentials for Key Vault to enroll (and renew) TLS/SSL certificates  
 
     -   Provides the configuration to be used to create an issuer object of the provider in the key vault  
 
@@ -155,7 +155,6 @@ Certificate contacts contain contact information to send notifications triggered
 
  Access control for certificates is managed by Key Vault, and is provided by the Key Vault that contains those certificates. The access control policy for certificates is distinct from the access control policies for keys and secrets in the same Key Vault. Users may create one or more vaults to hold certificates, to maintain scenario appropriate segmentation and management of certificates.  For more information on certificate access control, see [here](certificate-access-control.md)
 
-
 ## Certificate Use Cases
 
 ### Secure communication and authentication
@@ -166,6 +165,7 @@ TLS certificates can help encrypt communications over the internet and establish
 * Cloud/Multi-Cloud: secure cloud-based applications on-prem, cross-cloud, or in your cloud provider's tenant.
 
 ### Code signing
+
 A certificate can help secure the code/script of software, thereby ensuring that the author can share the software over the internet without being changed by malicious entities. Furthermore, once the author signs the code using a certificate leveraging the code signing technology, the software is marked with a stamp of authentication displaying the author and their website. Therefore, the certificate used in code signing helps validate the software's authenticity, promoting end-to-end security.
 
 ## Next steps

articles/key-vault/certificates/tutorial-import-certificate.md

@@ -56,7 +56,7 @@ In this case, we will create a certificate called **ExampleCertificate**, or imp
 
 # [Azure portal](#tab/azure-portal)
 
-1. On the Key Vault properties pages, select **Certificates**.
+1. On the page for your key vault, select **Certificates**.
 2. Click on **Generate/Import**.
 3. On the **Create a certificate** screen choose the following values:
     - **Method of Certificate Creation**: Import.

articles/key-vault/general/howto-logging.md

@@ -30,13 +30,27 @@ What is logged:
 
 ## Prerequisites
 
-To complete this tutorial, you must have the following:
+To complete this tutorial, you will need an Azure key vault. You can create a new key vault using one of these methods:
+  - [Create a key vault using the Azure CLI](quick-create-cli.md)
+  - [Create a key vault using Azure PowerShell](quick-create-powershell.md)
+  - [Create a key vault using the Azure portal](quick-create-portal.md)
 
-* An existing key vault that you have been using.  
-* [Azure Cloud Shell](https://shell.azure.com) - Bash environment.
-* Sufficient storage on Azure for your Key Vault logs.
+You will also need a destination for your logs.  This can be an existing or new Azure storage account and/or Log Analytics workspace.
 
-In this article, commands are formatted for [Cloud Shell](https://shell.azure.com) with Bash as an environment.
+> [!IMPORTANT]
+> If you use an existing Azure storage account or Log Analytics workspace, it must be in the same subscription as your key vault. It must also use the Azure Resource Manager deployment model, rather than the classic deployment model.
+>
+> If you create a new Azure storage account or Log Analytics workspace, we recommend you create it in the same resource group as your key vault, for ease of management.
+
+You can create a new Azure storage account using one of these methods:
+  - [Create a storage account using the Azure CLI](../../storage/common/storage-account-create.md?tabs=azure-cli)
+  - [Create a storage account using Azure PowerShell](../../storage/common/storage-account-create.md?tabs=azure-powershell)
+  - [Create a storage account using the Azure portal](../../storage/common/storage-account-create.md?tabs=azure-portal)
+
+You can create a new Log Analytics workspace using one of these methods:
+  - [Create a Log Analytics workspace using the Azure CLI](../../azure-monitor/logs/quick-create-workspace.md?tabs=azure-cli)
+  - [Create a Log Analytics workspace using Azure PowerShell](../../azure-monitor/logs/quick-create-workspace.md?tabs=azure-powershell)
+  - [Create a Log Analytics workspace the Azure portal](../../azure-monitor/logs/quick-create-workspace.md?tabs=azure-portal)
 
 ## Connect to your Key Vault subscription
 
@@ -58,41 +72,11 @@ Get-AzSubscription
 Set-AzContext -SubscriptionId "<subscriptionID>"
 ```
 
-## Create a storage account for your logs
-
-Although you can use an existing storage account for your logs, here you create a new storage account dedicated to Key Vault logs. 
-
-For additional ease of management, you'll also use the same resource group as the one that contains the key vault. In the [Azure CLI quickstart](quick-create-cli.md) and [Azure PowerShell quickstart](quick-create-powershell.md), this resource group is named **myResourceGroup**, and the location is *eastus*. Replace these values with your own, as applicable. 
-
-You also need to provide a storage account name. Storage account names must be unique, between 3 and 24 characters in length, and use numbers and lowercase letters only. Lastly, you create a storage account of the `Standard_LRS` SKU.
-
-With the Azure CLI, use the [az storage account create](/cli/azure/storage/account#az-storage-account-create) command. 
-
-```azurecli-interactive
-az storage account create --name "<your-unique-storage-account-name>" -g "myResourceGroup" --sku "Standard_LRS"
-```
-
-With Azure PowerShell, use the [New-AzStorageAccount](/powershell/module/az.storage/new-azstorageaccount) cmdlet. You will need to provide the location that corresponds to the resource group.
+## Obtain resource IDs
 
-```powershell
- New-AzStorageAccount -ResourceGroupName myResourceGroup -Name "<your-unique-storage-account-name>" -Type "Standard_LRS" -Location "eastus"
-```
-
-In either case, note the ID of the storage account. The Azure CLI operation returns the ID in the output. To obtain the ID with Azure PowerShell, use [Get-AzStorageAccount](/powershell/module/az.storage/get-azstorageaccount), and assign the output to the variable `$sa`. You can then see the storage account with `$sa.id`. (The `$sa.Context` property is also used later in this article.)
-
-```powershell-interactive
-$sa = Get-AzStorageAccount -Name "<your-unique-storage-account-name>" -ResourceGroup "myResourceGroup"
-$sa.id
-```
-
-The ID of the storage account is in the following format: "/subscriptions/*your-subscription-ID*/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/*your-unique-storage-account-name*".
-
-> [!NOTE]
-> If you decide to use an existing storage account, it must use the same subscription as your key vault. It must use the Azure Resource Manager deployment model, rather than the classic deployment model.
+To enable logging on a key vault, you will need the resource ID of the key vault, as well as the destination (Azure Storage or Log Analytics account).
 
-## Obtain your key vault resource ID
-
-In the [CLI quickstart](quick-create-cli.md) and [PowerShell quickstart](quick-create-powershell.md), you created a key with a unique name. Use that name again in the following steps. If you can't remember the name of your key vault, you can use the Azure CLI [az keyvault list](/cli/azure/keyvault#az-keyvault-list) command, or the Azure PowerShell [Get-AzKeyVault](/powershell/module/az.keyvault/get-azkeyvault) cmdlet, to list them.
+If you can't remember the name of your key vault, you can use the Azure CLI [az keyvault list](/cli/azure/keyvault#az-keyvault-list) command, or the Azure PowerShell [Get-AzKeyVault](/powershell/module/az.keyvault/get-azkeyvault) cmdlet, to find it.
 
 Use the name of your key vault to find its resource ID. With the Azure CLI, use the [az keyvault show](/cli/azure/keyvault#az-keyvault-show) command.
 
@@ -150,23 +134,19 @@ Set-AzDiagnosticSetting "<key-vault-resource-id>" -StorageAccountId $sa.id -Enab
 
 To configure diagnostic settings in the Azure portal, follow these steps:
 
-1. From the **Resource** pane menu, select **Diagnostic settings**.
+1. From the **Resource** pane menu, select **Diagnostic settings**, and then  **Add diagnostic setting**
 
    :::image type="content" source="../media/diagnostics-portal-1.png" alt-text="Screenshot that shows how to select diagnostic settings.":::
 
-1. Select **+ Add diagnostic setting**.
-
-    :::image type="content" source="../media/diagnostics-portal-2.png" alt-text="Screenshot that shows adding a diagnostic setting.":::
- 
-1. Select a name for your diagnostic setting. To configure logging for Azure Monitor for Key Vault, select **AuditEvent** and **Send to Log Analytics workspace**. Then choose the subscription and Log Analytics workspace to which you want to send your logs. You can also select the option to **Archive to a storage account**.
+1. Under **Category groups**, select both **audit** and **allLogs**. 
+1. If Azure Log Analytics is the destination, select **Send to Log Analytics workspace** and choose your subscription and workspace from the drop-down menus. You may also select **Archive to a storage account** and choose your subscription and storage account from the drop-down menus.
 
-    :::image type="content" source="../media/diagnostics-portal-3.png" alt-text="Screenshot of diagnostic settings options.":::
+    :::image type="content" source="../media/diagnostics-portal-2.png" alt-text="Screenshot of diagnostic settings options.":::
 
-    Otherwise, select the options that pertain to the logs that you want to select.
 
 1. When you have selected your desired options, select **Save**.
 
-    :::image type="content" source="../media/diagnostics-portal-4.png" alt-text="Screenshot that shows how to save the options you selected.":::
+    :::image type="content" source="../media/diagnostics-portal-3.png" alt-text="Screenshot that shows how to save the options you selected.":::
 
 ---
 

articles/key-vault/general/private-link-service.md

@@ -50,15 +50,15 @@ After configuring the key vault basics, select the Networking tab and follow the
 1. Click the "+ Add" Button to add a private endpoint.
 
     ![Screenshot that shows the 'Networking' tab on the 'Create key vault' page.](../media/private-link-service-1.png)
- 
+
 1. In the "Location" field of the Create Private Endpoint Blade, select the region in which your virtual network is located. 
 1. In the "Name" field, create a descriptive name that will allow you to identify this private endpoint. 
 1. Select the virtual network and subnet you want this private endpoint to be created in from the dropdown menu. 
 1. Leave the "integrate with the private zone DNS" option unchanged.  
 1. Select "Ok".
 
     ![Screenshot that shows the 'Create private endpoint' page with settings selected.](../media/private-link-service-8.png)
- 
+
 You will now be able to see the configured private endpoint. You now have the option to delete and edit this private endpoint. 
 Select the "Review + Create" button and create the key vault. It will take 5-10 minutes for the deployment to complete.