Merge pull request #272755 from MicrosoftDocs/main

4/19/2024 AM Publish

Author: Taojunshen

articles/ai-services/speech-service/bring-your-own-storage-speech-resource-speech-to-text.md

@@ -87,7 +87,7 @@ Such a request returns direct Storage Account URLs to data files (without SAS or
 URL of this format ensures that only Microsoft Entra identities (users, service principals, managed identities) with sufficient access rights (like *Storage Blob Data Reader* role) can access the data from the URL.
 
 > [!WARNING]
-> If `sasValidityInSeconds` parameter is omitted in [Get Transcription Files](/rest/api/speechtotext/transcriptions/list-files) request or similar ones, then a [User delegation SAS](../../storage/common/storage-sas-overview.md) with the validity of 30 days will be generated for each data file URL returned. This SAS is signed by the system assigned managed identity of your BYOS-enabled Speech resource. Because of it, the SAS allows access to the data, even if storage account key access is disabled. See details [here](../../storage/common/shared-key-authorization-prevent.md#understand-how-disallowing-shared-key-affects-sas-tokens). 
+> If `sasValidityInSeconds` parameter is omitted in [Get Transcription Files](/rest/api/speechtotext/transcriptions/list-files) request or similar ones, then a [User delegation SAS](../../storage/common/storage-sas-overview.md) with the validity of 5 days will be generated for each data file URL returned. This SAS is signed by the system assigned managed identity of your BYOS-enabled Speech resource. Because of it, the SAS allows access to the data, even if storage account key access is disabled. See details [here](../../storage/common/shared-key-authorization-prevent.md#understand-how-disallowing-shared-key-affects-sas-tokens). 
 
 ## Real-time transcription with audio and transcription result logging enabled
 
@@ -96,7 +96,7 @@ You can enable logging for both audio input and recognized speech when using spe
 If you use BYOS, then you find the logs in `customspeech-audiologs` Blob container in the BYOS-associated Storage account.
 
 > [!WARNING]
-> Logging data is kept for 30 days. After this period the logs are automatically deleted. This is valid for BYOS-enabled Speech resources as well. If you want to keep the logs longer, copy the correspondent files and folders from `customspeech-audiologs` Blob container directly or use REST API.
+> Logging data is kept for 5 days. After this period the logs are automatically deleted. This is valid for BYOS-enabled Speech resources as well. If you want to keep the logs longer, copy the correspondent files and folders from `customspeech-audiologs` Blob container directly or use REST API.
 
 ### Get real-time transcription logs via REST API
 
@@ -119,7 +119,7 @@ Such a request returns direct Storage Account URLs to data files (without SAS or
 URL of this format ensures that only Microsoft Entra identities (users, service principals, managed identities) with sufficient access rights (like *Storage Blob Data Reader* role) can access the data from the URL.
 
 > [!WARNING]
-> If `sasValidityInSeconds` parameter is omitted in [Get Base Model Logs](/rest/api/speechtotext/endpoints/list-base-model-logs) request or similar ones, then a [User delegation SAS](../../storage/common/storage-sas-overview.md) with the validity of 30 days will be generated for each data file URL returned. This SAS is signed by the system assigned managed identity of your BYOS-enabled Speech resource. Because of it, the SAS allows access to the data, even if storage account key access is disabled. See details [here](../../storage/common/shared-key-authorization-prevent.md#understand-how-disallowing-shared-key-affects-sas-tokens). 
+> If `sasValidityInSeconds` parameter is omitted in [Get Base Model Logs](/rest/api/speechtotext/endpoints/list-base-model-logs) request or similar ones, then a [User delegation SAS](../../storage/common/storage-sas-overview.md) with the validity of 5 days will be generated for each data file URL returned. This SAS is signed by the system assigned managed identity of your BYOS-enabled Speech resource. Because of it, the SAS allows access to the data, even if storage account key access is disabled. See details [here](../../storage/common/shared-key-authorization-prevent.md#understand-how-disallowing-shared-key-affects-sas-tokens). 
 
 ## Custom speech
 
@@ -160,7 +160,7 @@ Such a request returns direct Storage Account URLs to data files (without SAS or
 URL of this format ensures that only Microsoft Entra identities (users, service principals, managed identities) with sufficient access rights (like *Storage Blob Data Reader* role) can access the data from the URL.
 
 > [!WARNING]
-> If `sasValidityInSeconds` parameter is omitted in [Get Dataset Files](/rest/api/speechtotext/datasets/list-files) request or similar ones, then a [User delegation SAS](../../storage/common/storage-sas-overview.md) with the validity of 30 days will be generated for each data file URL returned. This SAS is signed by the system assigned managed identity of your BYOS-enabled Speech resource. Because of it, the SAS allows access to the data, even if storage account key access is disabled. See details [here](../../storage/common/shared-key-authorization-prevent.md#understand-how-disallowing-shared-key-affects-sas-tokens). 
+> If `sasValidityInSeconds` parameter is omitted in [Get Dataset Files](/rest/api/speechtotext/datasets/list-files) request or similar ones, then a [User delegation SAS](../../storage/common/storage-sas-overview.md) with the validity of 5 days will be generated for each data file URL returned. This SAS is signed by the system assigned managed identity of your BYOS-enabled Speech resource. Because of it, the SAS allows access to the data, even if storage account key access is disabled. See details [here](../../storage/common/shared-key-authorization-prevent.md#understand-how-disallowing-shared-key-affects-sas-tokens). 
 
 ## Next steps
 

articles/ai-services/speech-service/how-to-migrate-to-prebuilt-neural-voice.md

@@ -13,7 +13,7 @@ ms.author: v-baolianzou
 # Migrate from prebuilt standard voice to prebuilt neural voice
 
 > [!IMPORTANT]
-> We are retiring the standard voices from September 1, 2021 through August 31, 2024. If you used a standard voice with your Speech resource that was created prior to September 1, 2021 then you can continue to do so until August 31, 2024. To use neural voices, choose voice names that include 'Neural' in their name, for example: en-US-JennyMultilingualNeural. All other Speech resources can only use prebuilt neural voices. You can choose from the supported [neural voice names](language-support.md?tabs=tts). After August 31, 2024 the standard voices won't be supported with any Speech resource.
+> We are retiring the standard voices from September 1, 2021 through August 31, 2024. Speech resources created after September 1, 2021 could never use standard voices. We are gradually sunsetting standard voice support for Speech resources created prior to September 1, 2021. By August 31, 2024 the standard voices won’t be available for all customers. You can choose from the supported [neural voice names](language-support.md?tabs=tts).
 > 
 > The pricing for prebuilt standard voice is different from prebuilt neural voice. Go to the [pricing page](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/) and check the pricing details in the collapsable "Deprecated" section. Prebuilt standard voice (retired) is referred as **Standard**. 
 

articles/ai-services/speech-service/migration-overview-neural-voice.md

@@ -30,7 +30,7 @@ Go to the [pricing page](https://azure.microsoft.com/pricing/details/cognitive-s
 ## Prebuilt standard voice
 
 > [!IMPORTANT]
-> We are retiring the standard voices from September 1, 2021 through August 31, 2024. If you used a standard voice with your Speech resource that was created prior to September 1, 2021 then you can continue to do so until August 31, 2024. All other Speech resources can only use prebuilt neural voices. You can choose from the supported [neural voice names](language-support.md?tabs=tts). After August 31, 2024 the standard voices won't be supported with any Speech resource.
+> We are retiring the standard voices from September 1, 2021 through August 31, 2024. Speech resources created after September 1, 2021 could never use standard voices. We are gradually sunsetting standard voice support for Speech resources created prior to September 1, 2021. By August 31, 2024 the standard voices won’t be available for all customers. You can choose from the supported [neural voice names](language-support.md?tabs=tts).
 > 
 > The pricing for prebuilt standard voice is different from prebuilt neural voice. Go to the [pricing page](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/) and check the pricing details in the collapsable "Deprecated" section. Prebuilt standard voice (retired) is referred as **Standard**. 
 

articles/ai-studio/how-to/connections-add.md

@@ -117,6 +117,30 @@ When you [create a new connection](#create-a-new-connection), you enter the foll
 
 ---
 
+## Network isolation
+
+If your hub is configured for [network isolation](configure-managed-network.md), you might need to create an outbound private endpoint rule to connect to **Azure Blob Storage**, **Azure Data Lake Storage Gen2**, or **Microsoft OneLake**. A private endpoint rule is needed if one or both of the following are true:
+
+- The managed network for the hub is configured to [allow only approved outbound traffic](configure-managed-network.md#configure-a-managed-virtual-network-to-allow-only-approved-outbound). In this configuration, you must explicitly create outbound rules to allow traffic to other Azure resources.
+- The data source is configured to disallow public access. In this configuration, the data source can only be reached through secure methods, such as a private endpoint.
+
+To create an outbound private endpoint rule to the data source, use the following steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com), and select the Azure AI hub.
+1. Select **Networking**, then **Workspace managed outbound access**.
+1. To add an outbound rule, select **Add user-defined outbound rules**. From the **Workspace outbound rules** sidebar, provide the following information:
+    
+    - **Rule name**: A name for the rule. The name must be unique for the AI hub.
+    - **Destination type**: Private Endpoint.
+    - **Subscription**: The subscription that contains the Azure resource you want to connect to.
+    - **Resource type**: `Microsoft.Storage/storageAccounts`. This resource provider is used for Azure Storage, Azure Data Lake Storage Gen2, and Microsoft OneLake.
+    - **Resource name**: The name of the Azure resource (storage account).
+    - **Sub Resource**: The sub-resource of the Azure resource. Select `blob` in the case of Azure Blob storage. Select `dfs` for Azure Data Lake Storage Gen2 and Microsoft OneLake. 
+  
+  Select **Save** to create the rule.
+
+1. Select **Save** at the top of the page to save the changes to the managed network configuration.
+
 ## Next steps
 
 - [Connections in Azure AI Studio](../concepts/connections.md)

articles/ai-studio/how-to/create-azure-ai-hub-template.md

@@ -60,7 +60,7 @@ The Bicep template is made up of the following files:
 | File | Description |
 | ---- | ----------- |
 | [main.bicep](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aistudio-basics/main.bicep) | The main Bicep file that defines the parameters and variables. Passing parameters & variables to other modules in the `modules` subdirectory. |
-| [ai-resource.bicep](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aistudio-basics/modules/ai-resource.bicep)  | Defines the Azure AI hub resource. |
+| [ai-resource.bicep](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aistudio-basics/modules/ai-hub.bicep)  | Defines the Azure AI hub resource. |
 | [dependent-resources.bicep](https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aistudio-basics/modules/dependent-resources.bicep) | Defines the dependent resources for the Azure AI hub. Azure Storage Account, Container Registry, Key Vault, and Application Insights. |
 
 > [!IMPORTANT]

articles/aks/istio-deploy-addon.md

@@ -35,16 +35,6 @@ export LOCATION=<location>
 
 This section includes steps to install the Istio add-on during cluster creation or enable for an existing cluster using the Azure CLI. If you want to install the add-on using Bicep, see [install an AKS cluster with the Istio service mesh add-on using Bicep][install-aks-cluster-istio-bicep]. To learn more about the Bicep resource definition for an AKS cluster, see [Bicep managedCluster reference][bicep-aks-resource-definition].
 
-When you install the Istio add-on, it deploys the following set of resources to your AKS cluster to enable Istio functionality:
-
-* Istio control plane components, such as Pilot, Mixer, and Citadel
-* Istio ingress gateway
-* Istio egress gateway
-* Istio sidecar injector webhook
-* Istio CRDs (Custom Resource Definitions)
-
-When you enable Istio on your AKS cluster, the sidecar proxy is automatically injected into your application pods. The sidecar proxy is responsible for intercepting all network traffic to and from the pod, and forwarding it to the appropriate destination. In Istio, the sidecar proxy is called **istio-proxy** instead of **envoy**, which is used in other service mesh solutions like Open Sevice Mesh (OSM).
-
 ### Revision selection
 
 If you enable the add-on without specifying a revision, a default supported revision is installed for you.

articles/app-service/configure-language-java.md

@@ -15,7 +15,7 @@ ms.author: cephalin
 # Configure a Java app for Azure App Service
 
 > [!NOTE]
-> For Spring applications, we recommend using Azure Spring Apps. However, you can still use Azure App Service as a destination. 
+> For Spring applications, we recommend using Azure Spring Apps. However, you can still use Azure App Service as a destination. See [Java Workload Destination Guidance](https://aka.ms/javadestinations) for advice.
 
 Azure App Service lets Java developers to quickly build, deploy, and scale their Java SE, Tomcat, and JBoss EAP web applications on a fully managed service. Deploy applications with Maven plugins, from the command line, or in editors like IntelliJ, Eclipse, or Visual Studio Code.
 

articles/app-service/tutorial-java-spring-cosmosdb.md

@@ -12,7 +12,7 @@ ms.custom: mvc, devx-track-java, devx-track-azurecli, devx-track-extended-java,
 # Tutorial: Build a Java Spring Boot web app with Azure App Service on Linux and Azure Cosmos DB
 
 > [!NOTE]
-> For Spring applications, we recommend using Azure Spring Apps. However, you can still use Azure App Service as a destination.
+> For Spring applications, we recommend using Azure Spring Apps. However, you can still use Azure App Service as a destination. See [Java Workload Destination Guidance](https://aka.ms/javadestinations) for advice.
 
 This tutorial walks you through the process of building, configuring, deploying, and scaling Java web apps on Azure. 
 When you are finished, you will have a [Spring Boot](https://spring.io/projects/spring-boot) application storing data in [Azure Cosmos DB](../cosmos-db/index.yml) running on [Azure App Service on Linux](overview.md).

articles/azure-arc/kubernetes/release-notes.md

@@ -13,7 +13,7 @@ When any of the Arc-enabled Kubernetes agents are updated, all of the agents in
 
 We generally recommend using the most recent versions of the agents. The [version support policy](agent-upgrade.md#version-support-policy) covers the most recent version and the two previous versions (N-2).
 
-## Version 1.15.3 (March 2023)
+## Version 1.15.3 (March 2024)
 
 - Various enhancements and bug fixes
 

articles/azure-arc/servers/onboard-group-policy-powershell.md

@@ -22,7 +22,7 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
 
 The Group Policy Object, which is used to onboard Azure Arc-enabled servers, requires a remote share with the Connected Machine agent. You will need to:
 
-1. Prepare a remote share to host the Azure Connected Machine agent package for Windows and the configuration file. You need to be able to add files to the distributed location. The network share should provide Domain Controllers, Domain Computers, and Domain Admins with Change permissions.
+1. Prepare a remote share to host the Azure Connected Machine agent package for Windows and the configuration file. You need to be able to add files to the distributed location. The network share should provide Domain Controllers, and Domain Computers with Change permissions, and Domain Admins with Full Control permissions.
 
 1. Follow the steps to [create a service principal for onboarding at scale](onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale).