Merge pull request #239555 from MicrosoftDocs/main

Publish to live, Monday 4 AM PST, 5/29

Author: ttorble

articles/active-directory/authentication/troubleshoot-sspr-writeback.md

@@ -197,6 +197,7 @@ A best practice when you troubleshoot problems with password writeback is to ins
 | 31016| WriteBackServiceStopped| This event indicates that the password writeback service has stopped. Any password management requests from the cloud won't be successful.|
 | 31017| AuthTokenSuccess| This event indicates that we successfully retrieved an authorization token for the Global Administrator specified during Azure AD Connect setup to start the offboarding or onboarding process.|
 | 31018| KeyPairCreationSuccess| This event indicates that we successfully created the password encryption key. This key is used to encrypt passwords from the cloud to be sent to your on-premises environment.|
+| 31019| ServiceBusHeartBeat| This event indicates that we successfully sent a request to your tenant's Service Bus instance.|
 | 31034| ServiceBusListenerError| This event indicates that there was an error connecting to your tenant's Service Bus listener. If the error message includes "The remote certificate is invalid", check to make sure that your Azure AD Connect server has all the required Root CAs as described in [Azure TLS certificate changes](../../security/fundamentals/tls-certificate-changes.md). |
 | 31044| PasswordResetService| This event indicates that password writeback is not working. The Service Bus listens for requests on two separate relays for redundancy. Each relay connection is managed by a unique Service Host. The writeback client returns an error if either Service Host is not running.|
 | 32000| UnknownError| This event indicates an unknown error occurred during a password management operation. Look at the exception text in the event for more details. If you're having problems, try disabling and then re-enabling password writeback. If this doesn't help, include a copy of your event log along with the tracking ID specified when you open a support request.|

articles/active-directory/fundamentals/active-directory-deployment-plans.md

@@ -56,7 +56,7 @@ Use the following list to plan for authentication deployment.
 * **Azure AD self-service password reset (SSPR)** - Help users reset a password without administrator intervention:
   * See, [Passwordless authentication options for Azure AD](../authentication/concept-authentication-passwordless.md)
   * See, [Plan an Azure Active Directory self-service password reset deployment](../authentication/howto-sspr-deployment.md) 
-* **Passordless authentication** - Implement passwordless authentication using the Microsoft Authenticator app or FIDO2 Security keys:
+* **Passwordless authentication** - Implement passwordless authentication using the Microsoft Authenticator app or FIDO2 Security keys:
   * See, [Enable passwordless sign-in with Microsoft Authenticator](../authentication/howto-authentication-passwordless-phone.md)
   * See, [Plan a passwordless authentication deployment in Azure Active Directory](../authentication/howto-authentication-passwordless-deployment.md)
 

articles/aks/ingress-basic.md

@@ -228,7 +228,7 @@ helm install ingress-nginx ingress-nginx/ingress-nginx \
     --set defaultBackend.image.registry=$ACR_URL \
     --set defaultBackend.image.image=$DEFAULTBACKEND_IMAGE \
     --set defaultBackend.image.tag=$DEFAULTBACKEND_TAG \
-    --set defaultBackend.image.digest="" \
+    --set defaultBackend.image.digest="" 
 ```
 
 ### [Azure PowerShell](#tab/azure-powershell)

articles/api-management/api-management-get-started-publish-versions.md

@@ -13,7 +13,7 @@ ms.author: danlep
 
 There are times when it's impractical to have all callers to your API use exactly the same version. When callers want to upgrade to a later version, they want an approach that's easy to understand. As shown in this tutorial, it is possible to provide multiple *versions* in Azure API Management. 
 
-For background, see [Versions & revisions](https://azure.microsoft.com/blog/versions-revisions/).
+For background, see [Versions](api-management-versions.md) & [Revisions](api-management-revisions.md).
 
 In this tutorial, you learn how to:
 

articles/api-management/api-management-sample-cache-by-key.md

@@ -21,7 +21,7 @@ API Management service uses a shared per-tenant internal data cache so that, as
 > The internal cache is not available in the **Consumption** tier of Azure API Management. You can [use an external Azure Cache for Redis](api-management-howto-cache-external.md) instead. An external cache allows for greater cache control and flexibility for API Management instances in all tiers.
 
 ## Fragment caching
-There are certain cases where responses being returned contain some portion of data that is expensive to determine and yet remains fresh for a reasonable amount of time. As an example, consider a service built by an airline that provides information relating flight reservations, flight status, and so on. If the user is a member of the airlines points program, they would also have information relating to their current status and accumulated mileage. This user-related information might be stored in a different system, but it may be desirable to include it in responses returned about flight status and reservations. This can be done using a process called fragment caching. The primary representation can be returned from the origin server using some kind of token to indicate where the user-related information is to be inserted. 
+There are certain cases where responses being returned contain some portion of data that is expensive to determine and yet remains fresh for a reasonable amount of time. As an example, consider a service built by an airline that provides information relating to flight reservations, flight status, and so on. If the user is a member of the airlines points program, they would also have information relating to their current status and accumulated mileage. This user-related information might be stored in a different system, but it may be desirable to include it in responses returned about flight status and reservations. This can be done using a process called fragment caching. The primary representation can be returned from the origin server using some kind of token to indicate where the user-related information is to be inserted. 
 
 Consider the following JSON response from a backend API.
 

articles/automation/how-to/move-account.md

@@ -3,7 +3,7 @@ title: Move your Azure Automation account to another subscription
 description: This article tells how to move your Automation account to another subscription.
 services: automation
 ms.subservice: process-automation
-ms.date: 01/07/2021
+ms.date: 05/26/2023
 ms.topic: conceptual 
 ---
 
@@ -16,8 +16,7 @@ The Automation account is one of the resources that you can move. In this articl
 1. Disable your features.
 2. Unlink your workspace.
 3. Move the Automation account.
-4. Delete and re-create the Run As accounts.
-5. Re-enable your features.
+4. Re-enable your features.
 
 ## Remove features
 
@@ -97,43 +96,25 @@ You can now move your Automation account and its runbooks.
 
 2. Select the resources in your resource group that you want to move. Ensure that you include your Automation account, runbooks, and Log Analytics workspace resources.
 
-## Re-create Run As accounts
-
-[Run As accounts](../automation-security-overview.md#run-as-accounts) create a service principal in Azure Active Directory to authenticate with Azure resources. When you change subscriptions, the Automation account no longer uses the existing Run As account. To re-create the Run As accounts:
-
-1. Go to your Automation account in the new subscription, and select **Run as accounts** under **Account Settings**. You'll see that the Run As accounts show as incomplete now.
-
-    ![Screenshot of Run As accounts, showing incomplete](../media/move-account/run-as-accounts.png)
-
-2. Delete the Run As accounts, one at a time, by selecting **Delete** on the **Properties** page. 
-
-    > [!NOTE]
-    > If you don't have permissions to create or view the Run As accounts, you see the following message: `You do not have permissions to create an Azure Run As account (service principal) and grant the Contributor role to the service principal.` For more information, see [Permissions required to configure Run As accounts](../automation-security-overview.md#permissions).
-
-3. After you've deleted the Run As accounts, select **Create** under **Azure Run As account**. 
-
-4. On the Add Azure Run As account page, select **Create** to create the Run As account and service principal. 
-
-5. Repeat the steps above with the Azure Classic Run As account.
+> [!NOTE]
+> The movement of System assigned managed identity, and User-assigned managed identity takes place automatically with the Automation account.
 
 ## Enable features
 
-After you re-create the Run As accounts, you must re-enable the features that you removed before the move:
+You must re-enable the features that you removed before the move:
 
 1. To turn on Change Tracking and Inventory, select **Change Tracking and Inventory** in your Automation account. Choose the Log Analytics workspace that you moved over, and select **Enable**.
 
 2. Repeat step 1 for Update Management.
 
     ![Screenshot of Re-enabling features in your moved Automation account](../media/move-account/reenable-solutions.png)
 
-3. Machines that are enabled with your features are visible when you've connected the existing Log Analytics workspace. To turn on the Start/Stop VMs during off-hours feature, you must re-enable it. Under **Related Resources**, select **Start/Stop VMs** > **Learn more about and enable the solution** > **Create** to start the deployment.
+3. Machines that are enabled with your features are visible when you've connected the existing Log Analytics workspace.
 
 4. On the Add Solution page, choose your Log Analytics workspace and Automation account.
 
     ![Screenshot of Add Solution menu](../media/move-account/add-solution-vm.png)
 
-5. Configure the feature as described in [Start/Stop VMs during off-hours overview](../automation-solution-vm-management.md).
-
 ## Verify the move
 
 When the move is complete, verify that the capabilities listed below are enabled. 

articles/automation/migrate-run-as-accounts-managed-identity.md

@@ -3,7 +3,7 @@ title: Migrate from a Run As account to Managed identities
 description: This article describes how to migrate from a Run As account to managed identities in Azure Automation.
 services: automation
 ms.subservice: process-automation
-ms.date: 03/14/2023
+ms.date: 05/29/2023
 ms.topic: conceptual 
 ms.custom: devx-track-azurepowershell
 ---
@@ -40,6 +40,7 @@ Before you migrate from a Run As account or Classic Run As account to a managed
 
 1. If you're using Classic Run As accounts, ensure that you have [migrated](../virtual-machines/classic-vm-deprecation.md) resources deployed through classic deployment model to Azure Resource Manager.
 1. Use [this script](https://github.com/azureautomation/runbooks/blob/master/Utility/AzRunAs/Check-AutomationRunAsAccountRoleAssignments.ps1) to find out which Automation accounts are using a Run As account. If your Azure Automation accounts contain a Run As account, it will have the built-in contributor role assigned to it by default. You can use the script to check the Azure Automation Run As accounts and determine if their role assignment is the default one or if it has been changed to a different role definition.
+1. Use [this script](https://github.com/azureautomation/runbooks/blob/master/Utility/AzRunAs/IdentifyRunAsRunbooks.ps1) to find out if all runbooks in your Automation account are using the Run As account.
 
 ## Migrate from an Automation Run As account to a managed identity
 

articles/azure-arc/kubernetes/troubleshooting.md

@@ -43,27 +43,42 @@ If the Helm Chart release is present with `STATUS: deployed`, check the status o
 
 ```console
 $ kubectl -n azure-arc get deployments,pods
-NAME                                       READY  UP-TO-DATE  AVAILABLE  AGE
-deployment.apps/clusteridentityoperator     1/1       1          1       16h
-deployment.apps/config-agent                1/1       1          1       16h
-deployment.apps/cluster-metadata-operator   1/1       1          1       16h
-deployment.apps/controller-manager          1/1       1          1       16h
-deployment.apps/flux-logs-agent             1/1       1          1       16h
-deployment.apps/metrics-agent               1/1       1          1       16h
-deployment.apps/resource-sync-agent         1/1       1          1       16h
-
-NAME                                            READY   STATUS  RESTART  AGE
-pod/cluster-metadata-operator-7fb54d9986-g785b  2/2     Running  0       16h
-pod/clusteridentityoperator-6d6678ffd4-tx8hr    3/3     Running  0       16h
-pod/config-agent-544c4669f9-4th92               3/3     Running  0       16h
-pod/controller-manager-fddf5c766-ftd96          3/3     Running  0       16h
-pod/flux-logs-agent-7c489f57f4-mwqqv            2/2     Running  0       16h
-pod/metrics-agent-58b765c8db-n5l7k              2/2     Running  0       16h
-pod/resource-sync-agent-5cf85976c7-522p5        3/3     Running  0       16h
+NAME                                         READY   UP-TO-DATE   AVAILABLE   AGE
+deployment.apps/cluster-metadata-operator    1/1     1            1           3d19h
+deployment.apps/clusterconnect-agent         1/1     1            1           3d19h
+deployment.apps/clusteridentityoperator      1/1     1            1           3d19h
+deployment.apps/config-agent                 1/1     1            1           3d19h
+deployment.apps/controller-manager           1/1     1            1           3d19h
+deployment.apps/extension-events-collector   1/1     1            1           3d19h
+deployment.apps/extension-manager            1/1     1            1           3d19h
+deployment.apps/flux-logs-agent              1/1     1            1           3d19h
+deployment.apps/kube-aad-proxy               1/1     1            1           3d19h
+deployment.apps/metrics-agent                1/1     1            1           3d19h
+deployment.apps/resource-sync-agent          1/1     1            1           3d19h
+
+ 
+
+NAME                                              READY   STATUS    RESTARTS        AGE
+pod/cluster-metadata-operator-74747b975-9phtz     2/2     Running   0               3d19h
+pod/clusterconnect-agent-cf4c7849c-88fmf          3/3     Running   0               3d19h
+pod/clusteridentityoperator-79bdfd945f-pt2rv      2/2     Running   0               3d19h
+pod/config-agent-67bcb94b7c-d67t8                 1/2     Running   0               3d19h
+pod/controller-manager-559dd48b64-v6rmk           2/2     Running   0               3d19h
+pod/extension-events-collector-85f4fbff69-55zmt   2/2     Running   0               3d19h
+pod/extension-manager-7c7668446b-69gps            3/3     Running   0               3d19h
+pod/flux-logs-agent-fc7c6c959-vgqvm               1/1     Running   0               3d19h
+pod/kube-aad-proxy-84d668c44b-j457m               2/2     Running   0               3d19h
+pod/metrics-agent-58fb8554df-5ll67                2/2     Running   0               3d19h
+pod/resource-sync-agent-dbf5db848-c9lg8           2/2     Running   0               3d19h
 ```
 
 All pods should show `STATUS` as `Running` with either `3/3` or `2/2` under the `READY` column. Fetch logs and describe the pods returning an `Error` or `CrashLoopBackOff`. If any pods are stuck in `Pending` state, there might be insufficient resources on cluster nodes. [Scaling up your cluster](https://kubernetes.io/docs/tasks/administer-cluster/) can get these pods to transition to `Running` state.
 
+### Resource Provisioning Failed 
+If you receive this error, it indicates that there was an error due to which the resource could not be provisioned successfully. Please check the status of the Azure Arc enabled Kubernetes service at the following dashboard: [Azure status](https://azure.status.microsoft/en-us/status). If the status is healthy and you continue to face issues while onboarding, please raise a support ticket. If the status is unhealthy, please wait until the status becomes healthy and try onboarding again after deleting the existing connected cluster Azure resource.
+
+### Service Timeout 
+If you receive this error, it indicates that the service timed out while provisioning the certificates. Please check the status of the Azure Arc enabled Kubernetes service at the following dashboard: [Azure status](https://azure.status.microsoft/en-us/status). If the status is healthy and you continue to face issues while onboarding, please raise a support ticket. If the status is unhealthy, please wait until the status becomes healthy and try onboarding again after deleting the existing connected cluster Azure resource.
 
 ### Overage claims error
 

articles/azure-arc/servers/onboard-portal.md

@@ -23,23 +23,22 @@ The script to automate the download and installation, and to establish the conne
 
 1. On the **Servers - Azure Arc** page, select **Add** at the upper left.
 
-1. On the **Select a method** page, select the **Add a single server** tile, and then select **Generate script**.
+1. On the **Select a method** page, under the **Add a single server** tile, and then select **Generate script**.
 
-1. On the **Generate script** page, select the subscription and resource group where you want the machine to be managed within Azure. Select an Azure location where the machine metadata will be stored. This location can be the same or different, as the resource group's location.
-
-1. On the **Prerequisites** page, review the information and then select **Next: Resource details**.
+1. On the **Prerequisites** page, review the information and then select **Next** to Resource details page.
 
 1. On the **Resource details** page, provide the following:
 
     1. In the **Resource group** drop-down list, select the resource group the machine will be managed from.
     1. In the **Region** drop-down list, select the Azure region to store the servers metadata.
     1. In the **Operating system** drop-down list, select the operating system that the script is configured to run on.
-    1. If the machine is communicating through a proxy server to connect to the internet, specify the proxy server IP address or the name and port number that the machine will use to communicate with the proxy server. Enter the value in the format `http://<proxyURL>:<proxyport>`.
-    1. Select **Next: Tags**.
+    1. In the **Connectivity method** section, If the machine is communicating through a proxy server to connect to the internet, select **Proxy server** option and specify the proxy server IP address or the name and port number that the machine will use to communicate with the proxy server. Enter the value in the format `http://<proxyURL>:<proxyport>`. Else if the machine is communicating through a private endpoint then select **Private endpoint** option and appropriate private link scope in the drop-down list. Else if the machine is communicating through a public endpoint then select **Public endpoint** option.
+    1. In the **Automanage machine best practices** section, you may enable automanage if you want to onboard and configure best practice services like Machine configuration and Insights, based on your server needs.
+    1. Select **Next** to Tags page.
 
 1. On the **Tags** page, review the default **Physical location tags** suggested and enter a value, or specify one or more **Custom tags** to support your standards.
 
-1. Select **Next: Download and run script**.
+1. Select **Next** to Download and run script page.
 
 1. On the **Download and run script** page, review the summary information, and then select **Download**. If you still need to make changes, select **Previous**.
 

articles/azure-monitor/essentials/prometheus-api-promql.md

@@ -77,7 +77,7 @@ curl -X POST 'https://login.microsoftonline.com/<tennant ID>/oauth2/token' \
 -H 'Content-Type: application/x-www-form-urlencoded' \
 --data-urlencode 'grant_type=client_credentials' \
 --data-urlencode 'client_id=<your apps client ID>' \
---data-urlencode 'client_secret=<your apps client secret' \
+--data-urlencode 'client_secret=<your apps client secret>' \
 --data-urlencode 'resource=https://prometheus.monitor.azure.com'
 ```
 
@@ -211,4 +211,4 @@ For more information on Prometheus metrics limits, see [Prometheus metrics](../.
 [Azure Monitor workspace overview](./azure-monitor-workspace-overview.md)  
 [Manage an Azure Monitor workspace](./azure-monitor-workspace-manage.md)  
 [Overview of Azure Monitor Managed Service for Prometheus](./prometheus-metrics-overview.md)  
-[Query Prometheus metrics using Azure workbooks](./prometheus-workbooks.md)
+[Query Prometheus metrics using Azure workbooks](./prometheus-workbooks.md)