Commit 87a3599

Merge pull request #244530 from MicrosoftDocs/repo_sync_working_branch
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)
2 parents 7c3589c + 6b0ec72 commit 87a3599

14 files changed: +95 -23 lines changed

articles/active-directory/develop/app-only-access-primer.md

Lines changed: 2 additions & 2 deletions
@@ -42,7 +42,7 @@ For example, to read a list of all teams created in an organization, you need to
4242

4343
As a developer, you need to configure all required app-only permissions, also referred to as app roles on your application registration. You can configure your app's requested app-only permissions through the Azure portal or Microsoft Graph. App-only access doesn't support dynamic consent, so you can't request individual permissions or sets of permissions at runtime.
4444

45-
Once you've configured all the permissions your app needs, it must get admin consent [admin consent](../manage-apps/grant-admin-consent.md) for it to access the resources. For example, only users with the global admin role can grant app-only permissions (app roles) for the Microsoft Graph API. Users with other admin roles, like application admin and cloud app admin, are able to grant app-only permissions for other resources.
45+
Once you've configured all the permissions your app needs, it must get [admin consent](../manage-apps/grant-admin-consent.md) for it to access the resources. For example, only users with the global admin role can grant app-only permissions (app roles) for the Microsoft Graph API. Users with other admin roles, like application admin and cloud app admin, are able to grant app-only permissions for other resources.
4646

4747
Admin users can grant app-only permissions by using the Azure portal or by creating grants programmatically through the Microsoft Graph API. You can also prompt for interactive consent from within your app, but this option isn't preferable since app-only access doesn't require a user.
4848
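
Review bot: The added line 45 still reads awkwardly once the duplicate link text is gone: "it must get [admin consent] for it to access the resources" uses "it" twice for the app. Suggest "an admin must grant [admin consent](../manage-apps/grant-admin-consent.md) before the app can access the resources". The following sentence opens with "For example" but states who is allowed to grant consent rather than giving an example, so drop "For example," while this line is being touched.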

@@ -85,4 +85,4 @@ The example given is a simple illustration of application authorization. The pro
8585

8686
- [Learn how to create and assign app roles in Azure AD](howto-add-app-roles-in-azure-ad-apps.md)
8787
- [Overview of permissions in Microsoft Graph](/graph/permissions-overview)
88-
- [Microsoft Graph permissions reference](/graph/permissions-reference)
88+
- [Microsoft Graph permissions reference](/graph/permissions-reference)

articles/active-directory/hybrid/connect/how-to-connect-sync-feature-directory-extensions.md

Lines changed: 3 additions & 0 deletions
@@ -59,6 +59,9 @@ During installation of Azure AD Connect, an application is registered where thes
5959

6060
![Schema extension app](./media/how-to-connect-sync-feature-directory-extensions/extension3new.png)
6161

62+
>[!NOTE]
63+
> The **Tenant Schema Extension App** is a system-only application that can't be deleted and attribute extension definitions can't be removed.
64+
6265
Make sure you select **All applications** to see this app.
6366

6467
The attributes are prefixed with **extension \_{ApplicationId}\_**. ApplicationId has the same value for all attributes in your Azure AD tenant. You will need this value for all other scenarios in this topic.
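
Review bot: The new NOTE at lines 62-63 sits between the screenshot and "Make sure you select **All applications** to see this app.", so the instruction for finding the app now comes after the note about it. Move the note below that sentence. The note also joins two separate statements with "and" and no comma; split it, for example "...is a system-only application that can't be deleted. Its attribute extension definitions can't be removed." Write `> [!NOTE]` with a space after `>`, as the `> [!WARNING]` in the AKS article in this commit does.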

articles/aks/api-server-vnet-integration.md

Lines changed: 3 additions & 7 deletions
@@ -66,10 +66,6 @@ API Server VNet Integration is available in all global Azure regions.
6666
az provider register --namespace Microsoft.ContainerService
6767
```
6868
69-
## Limitations
70-
71-
* Existing AKS private clusters can't be converted to API Server VNet Integration clusters.
72-
7369
## Create an AKS cluster with API Server VNet Integration using managed VNet
7470
7571
You can configure your AKS clusters with API Server VNet Integration in managed VNet or bring-your-own VNet mode. You can create the as public clusters (with API server access available via a public IP) or private clusters (where the API server is only accessible via private VNet connectivity). You can also toggle between a public and private state without redeploying your cluster.
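
Review bot: Removing the `## Limitations` heading (old lines 69-71) also removes the `#limitations` anchor, so check for inbound links to it before merging. Separately, the unchanged context line 71 has a typo, "You can create the as public clusters", which should read "create them as public clusters"; fix it in the same change.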
@@ -109,12 +105,12 @@ You can configure your AKS clusters with API Server VNet Integration in managed
109105
110106
## Create a private AKS cluster with API Server VNet Integration using bring-your-own VNet
111107
112-
When using bring-your-own VNet, you must create and delegate an API server subnet to `Microsoft.ContainerService/managedClusters`, which grants the AKS service permissions to inject the API server pods and internal load balancer into that subnet. You can't use the subnet for any other workloads, but you can use it for multiple AKS clusters located in the same virtual network. An AKS cluster requires *two to seven* IP addresses depending on cluster scale. The minimum supported API server subnet size is a */28*.
108+
When using bring-your-own VNet, you must create and delegate an API server subnet to `Microsoft.ContainerService/managedClusters`, which grants the AKS service permissions to inject the API server pods and internal load balancer into that subnet. You can't use the subnet for any other workloads, but you can use it for multiple AKS clusters located in the same virtual network. The minimum supported API server subnet size is a */28*.
113109
114110
The cluster identity needs permissions to both the API server subnet and the node subnet. Lack of permissions at the API server subnet can cause a provisioning failure.
115111
116112
> [!WARNING]
117-
> Running out of IP addresses may prevent API server scaling and cause an API server outage.
113+
> An AKS cluster reserves at least 9 IPs in the subnet address space. Running out of IP addresses may prevent API server scaling and cause an API server outage.
118114
119115
### Create a resource group
120116
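
Review bot: The added warning at line 113 says a cluster reserves at least 9 IPs, but line 108 still says the subnet can be used for multiple AKS clusters and that a */28* is the minimum size. A /28 holds 16 addresses, so two clusters at 9 IPs each can't fit in the minimum subnet. State the per-cluster figure in the sizing paragraph next to the */28* minimum, and say how to size the subnet for more than one cluster, rather than leaving the number only inside the warning.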
@@ -211,7 +207,7 @@ az group create -l <location> -n <resource-group>
211207
212208
## Convert an existing AKS cluster to API Server VNet Integration
213209
214-
You can convert existing public AKS clusters to API Server VNet Integration clusters by supplying an API server subnet that meets the requirements listed earlier. These requirements include: in the same VNet as the cluster nodes, permissions granted for the AKS cluster identity, and size of at least */28*. Converting your cluster is a one-way migration. Clusters can't have API Server VNet Integration disabled after it's been enabled.
210+
You can convert existing public/private AKS clusters to API Server VNet Integration clusters by supplying an API server subnet that meets the requirements listed earlier. These requirements include: in the same VNet as the cluster nodes, permissions granted for the AKS cluster identity, and size of at least */28*. Converting your cluster is a one-way migration. Clusters can't have API Server VNet Integration disabled after it's been enabled.
215211
216212
This upgrade performs a node-image version upgrade on all node pools and restarts all workloads while they undergo a rolling image upgrade.
217213
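
Review bot: "public/private" on line 210 is ambiguous; write "public or private" so it's clear that both kinds of cluster can be converted, which is what removing the earlier limitation on private clusters implies. The paragraph also states that conversion is one-way and the next line states that all workloads restart; consider putting both in a warning callout so they aren't missed.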

articles/azure-monitor/agents/azure-monitor-agent-windows-client.md

Lines changed: 67 additions & 2 deletions
@@ -107,7 +107,7 @@ Since MO is a tenant level resource, the scope of the permission would be higher
107107

108108
#### 1. Assign ‘Monitored Object Contributor’ role to the operator
109109

110-
This step grants the ability to create and link a monitored object to a user.
110+
This step grants the ability to create and link a monitored object to a user or group.
111111

112112
**Request URI**
113113
```HTTP
@@ -139,7 +139,7 @@ PUT https://management.azure.com/providers/microsoft.insights/providers/microsof
139139
| Name | Description |
140140
|:---|:---|
141141
| roleDefinitionId | Fixed value: Role definition ID of the 'Monitored Objects Contributor' role: `/providers/Microsoft.Authorization/roleDefinitions/56be40e24db14ccf93c37e44c597135b` |
142-
| principalId | Provide the `Object Id` of the identity of the user to which the role needs to be assigned. It may be the user who elevated at the beginning of step 1, or another user who will perform later steps. |
142+
| principalId | Provide the `Object Id` of the identity of the user to which the role needs to be assigned. It may be the user who elevated at the beginning of step 1, or another user or group who will perform later steps. |
143143

144144
After this step is complete, **reauthenticate** your session and **reacquire** your ARM bearer token.
145145
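
Review bot: The principalId row on line 142 now ends with "another user or group who will perform later steps" but still opens with "the identity of the user to which the role needs to be assigned". Change the opening to "user or group" as well so the description is consistent. The row above names the role 'Monitored Objects Contributor' while the step 1 heading uses 'Monitored Object Contributor'; pick one spelling.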

@@ -217,6 +217,71 @@ PUT https://management.azure.com/providers/Microsoft.Insights/monitoredObjects/{
217217
|:---|:---|
218218
| `dataCollectionRuleID` | The resource ID of an existing Data Collection Rule that you created in the **same region** as the Monitored Object. |
219219

220+
#### 4. List associations to Monitored Object
221+
If you need to view the associations, you can list them for the Monitored Object.
222+
223+
**Permissions required**: Anyone who has ‘Reader’ at an appropriate scope can perform this operation, similar to that assigned in step 1.
224+
225+
**Request URI**
226+
```HTTP
227+
GET https://management.azure.com/{MOResourceId}/providers/microsoft.insights/datacollectionruleassociations/?api-version=2021-09-01-preview
228+
```
229+
**Sample Request URI**
230+
```HTTP
231+
GET https://management.azure.com/providers/Microsoft.Insights/monitoredObjects/{AADTenantId}/providers/microsoft.insights/datacollectionruleassociations/?api-version=2021-09-01-preview
232+
```
233+
234+
```JSON
235+
{
236+
"value": [
237+
{
238+
"id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVm/providers/Microsoft.Insights/dataCollectionRuleAssociations/myRuleAssociation",
239+
"name": "myRuleAssociation",
240+
"type": "Microsoft.Insights/dataCollectionRuleAssociations",
241+
"properties": {
242+
"dataCollectionRuleId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
243+
"provisioningState": "Succeeded"
244+
},
245+
"systemData": {
246+
"createdBy": "user1",
247+
"createdByType": "User",
248+
"createdAt": "2021-04-01T12:34:56.1234567Z",
249+
"lastModifiedBy": "user2",
250+
"lastModifiedByType": "User",
251+
"lastModifiedAt": "2021-04-02T12:34:56.1234567Z"
252+
},
253+
"etag": "070057da-0000-0000-0000-5ba70d6c0000"
254+
}
255+
],
256+
"nextLink": null
257+
}
258+
```
259+
260+
#### 5. Disassociate DCR to Monitored Object
261+
If you need to remove an association of a Data Collection Rule (DCR) to the Monitored Object.
262+
263+
**Permissions required**: Anyone who has ‘Monitored Object Contributor’ at an appropriate scope can perform this operation, as assigned in step 1.
264+
265+
**Request URI**
266+
```HTTP
267+
DELETE https://management.azure.com/{MOResourceId}/providers/microsoft.insights/datacollectionruleassociations/{associationName}?api-version=2021-09-01-preview
268+
```
269+
**Sample Request URI**
270+
```HTTP
271+
DELETE https://management.azure.com/providers/Microsoft.Insights/monitoredObjects/{AADTenantId}/providers/microsoft.insights/datacollectionruleassociations/{associationName}?api-version=2021-09-01-preview
272+
```
273+
274+
**URI Parameters**
275+
276+
| Name | In | Type | Description |
277+
|---|---|---|---|
278+
| `MOResourceId` | path | string | Full resource ID of the MO created in step 2. Example: 'providers/Microsoft.Insights/monitoredObjects/{AADTenantId}' |
279+
| `associationName` | path | string | The name of the association. The name is case insensitive. Example: 'assoc01' |
280+
281+
**Headers**
282+
- Authorization: ARM Bearer Token
283+
- Content-Type: Application/json
284+
220285

221286
### Using PowerShell for onboarding
222287
```PowerShell
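
Review bot: In step 4 (line 223) the permission is 'Reader' "similar to that assigned in step 1", but step 1 assigns 'Monitored Object Contributor', so spell out how and at what scope Reader is granted. The JSON block at lines 234-258 has no label; add a "**Sample Response**" line above it, and note that its `id` points at a `Microsoft.Compute/virtualMachines` resource under a subscription rather than at a monitored object, which doesn't match the request shown. Step 5 opens with a sentence fragment ("If you need to remove an association ... to the Monitored Object.") and lists a Content-Type header for a DELETE that shows no body, while step 4 lists no URI parameters or headers at all.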

articles/batch/simplified-node-communication-pool-no-public-ip.md

Lines changed: 1 addition & 1 deletion
@@ -96,7 +96,7 @@ client-request-id: 00000000-0000-0000-0000-000000000000
9696
"sku": "22_04-lts"
9797
},
9898
"nodeAgentSKUId": "batch.node.ubuntu 22.04"
99-
}
99+
},
100100
"networkConfiguration": {
101101
"subnetId": "/subscriptions/<your_subscription_id>/resourceGroups/<your_resource_group>/providers/Microsoft.Network/virtualNetworks/<your_vnet_name>/subnets/<your_subnet_name>",
102102
"publicIPAddressConfiguration": {

articles/cognitive-services/openai/concepts/models.md

Lines changed: 2 additions & 0 deletions
@@ -44,6 +44,8 @@ GPT-3.5 models can understand and generate natural language or code. The most ca
4444

4545
The `gpt-35-turbo` model supports 4096 max input tokens and the `gpt-35-turbo-16k` model supports up to 16,384 tokens.
4646

47+
`gpt-35-turbo` and `gpt-35-turbo-16k` share the same [quota](../how-to/quota.md).
48+
4749
Like GPT-4, use the Chat Completions API to use GPT-3.5 Turbo. To learn more about how to interact with GPT-3.5 Turbo and the Chat Completions API check out our [in-depth how-to](../how-to/chatgpt.md).
4850

4951
## Embeddings models

articles/cognitive-services/openai/how-to/integrate-synapseml.md

Lines changed: 1 addition & 1 deletion
@@ -16,7 +16,7 @@ recommendations: false
1616

1717
# Use Azure OpenAI with large datasets
1818

19-
Azure OpenAI can be used to solve a large number of natural language tasks through prompting the completion API. To make it easier to scale your prompting workflows from a few examples to large datasets of examples, we have integrated the Azure OpenAI service with the distributed machine learning library [SynapseML](https://www.microsoft.com/research/blog/synapseml-a-simple-multilingual-and-massively-parallel-machine-learning-library/). This integration makes it easy to use the [Apache Spark](https://spark.apache.org/) distributed computing framework to process millions of prompts with the OpenAI service. This tutorial shows how to apply large language models at a distributed scale using Azure Open AI and Azure Synapse Analytics.
19+
Azure OpenAI can be used to solve a large number of natural language tasks through prompting the completion API. To make it easier to scale your prompting workflows from a few examples to large datasets of examples, we have integrated the Azure OpenAI Service with the distributed machine learning library [SynapseML](https://www.microsoft.com/research/blog/synapseml-a-simple-multilingual-and-massively-parallel-machine-learning-library/). This integration makes it easy to use the [Apache Spark](https://spark.apache.org/) distributed computing framework to process millions of prompts with the OpenAI service. This tutorial shows how to apply large language models at a distributed scale using Azure Open AI and Azure Synapse Analytics.
2020

2121
## Prerequisites
2222
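
Review bot: Line 19 capitalizes "Azure OpenAI Service" in one place, but the same paragraph still has "the OpenAI service" and, in its last sentence, "Azure Open AI" with a space. Fix all three in this change so the product name is consistent throughout the paragraph.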

articles/container-instances/container-instances-tutorial-deploy-confidential-container-default-portal.md

Lines changed: 4 additions & 1 deletion
@@ -65,7 +65,10 @@ Open the overview for the container group by navigating to **Resource Groups** >
6565

6666
2. Once its status is *Running*, navigate to the IP address in your browser.
6767

68-
:::image type="content" source="media/container-instances-confidential-containers-tutorials/confidential-containers-aci-hello-world.png" alt-text="Screenshot of the hello world application running, PNG.":::
68+
:::image type="content" source="media/container-instances-confidential-containers-tutorials/confidential-containers-aci-hello-world.png" alt-text="Screenshot of the hello world application running, PNG.":::
69+
70+
The presence of the attestation report below the Azure Container Instances logo confirms that the container is running on hardware that supports a hardware-based and attested trusted execution environment (TEE).
71+
If you deploy to hardware that does not support a TEE, for example by choosing a region where the [ACI Confidential SKU is not available](./container-instances-region-availability.md#linux-container-groups), no attestation report will be shown.
6972

7073
Congratulations! You have deployed a confidential container on Azure Container Instances which is displaying a hardware attestation report in your browser.
7174
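
Review bot: The added lines 70-71 say no attestation report is shown when the hardware doesn't support a TEE, yet the unchanged line 73 still tells every reader "You have deployed a confidential container". Make checking for the report an explicit verification step and have the closing sentence depend on it; otherwise a deployment that landed without a TEE ends with the same success message.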

articles/container-instances/container-instances-tutorial-deploy-confidential-containers-cce-arm.md

Lines changed: 4 additions & 1 deletion
@@ -194,7 +194,7 @@ With the ARM template that you've crafted and the Azure CLI confcom extension, y
194194

195195
* **Subscription**: select an Azure subscription.
196196
* **Resource group**: select **Create new**, enter a unique name for the resource group, and then select **OK**.
197-
* **Location**: select a location for the resource group. Example: **North Europe**.
197+
* **Location**: select a location for the resource group. Choose a region where the [Confidential SKU is supported](./container-instances-region-availability.md#linux-container-groups). Example: **North Europe**.
198198
* **Name**: accept the generated name for the instance, or enter a name.
199199
* **Image**: accept the default image name. This sample Linux image displays a hardware attestation.
200200

@@ -224,6 +224,9 @@ Use the Azure portal or a tool such as the [Azure CLI](container-instances-quick
224224

225225
![Screenshot of browser view of app deployed using Azure Container Instances, PNG.](media/container-instances-confidential-containers-tutorials/confidential-containers-aci-hello-world.png)
226226

227+
The presence of the attestation report below the Azure Container Instances logo confirms that the container is running on hardware that supports a TEE.
228+
If you deploy to hardware that does not support a TEE, for example by choosing a region where the ACI Confidential SKU is not available, no attestation report will be shown.
229+
227230
## Next Steps
228231

229232
Now that you have deployed a confidential container group on ACI, you can learn more about how policies are enforced.
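
Review bot: Lines 227-228 use "TEE" without expanding it and mention unavailable regions without a link, whereas the same two sentences in the portal tutorial in this commit expand "trusted execution environment (TEE)" and link to the region availability page. Use the expanded, linked wording here too, or move both sentences into a shared include so the two tutorials don't drift apart.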

articles/cosmos-db/introduction.md

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@ adobe-target: true
1818

1919
Today's applications are required to be highly responsive and always online. To achieve low latency and high availability, instances of these applications need to be deployed in datacenters that are close to their users. Applications need to respond in real time to large changes in usage at peak hours, store ever increasing volumes of data, and make this data available to users in milliseconds.
2020

21-
Azure Cosmos DB is a fully managed NoSQL and relational database for modern app development. Azure Cosmos DB offers single-digit millisecond response times, automatic and instant scalability, along with guarantee speed at any scale. Business continuity is assured with [SLA-backed](https://azure.microsoft.com/support/legal/sla/cosmos-db) availability and enterprise-grade security.
21+
Azure Cosmos DB is a fully managed NoSQL and relational database for modern app development. Azure Cosmos DB offers single-digit millisecond response times, automatic and instant scalability, along with guaranteed speed at any scale. Business continuity is assured with [SLA-backed](https://azure.microsoft.com/support/legal/sla/cosmos-db) availability and enterprise-grade security.
2222

2323
App development is faster and more productive thanks to:
2424
