Merge pull request #207732 from MicrosoftDocs/repo_sync_working_branch

huypub · web-flow · commit 90594134d7fb · 2022-08-11T14:54:20.000-07:00
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)
diff --git a/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp.md b/articles/active-directory/cloud-infrastructure-entitlement-management/onboard-gcp.md
@@ -36,7 +36,7 @@ This article describes how to onboard a Google Cloud Platform (GCP) project on P
 
     > [!NOTE]
     > 1. To confirm that the app was created, open **App registrations** in Azure and, on the **All applications** tab, locate your app.
-    > 1. Select the app name to open the **Expose an API** page. The **Application ID URI** displayed in the **Overview** page is the *audience value* used while making an OIDC connection with your AWS account.
+    > 1. Select the app name to open the **Expose an API** page. The **Application ID URI** displayed in the **Overview** page is the *audience value* used while making an OIDC connection with your GCP account.
 
     1. Return to Permissions Management, and in the **Permissions Management Onboarding - Azure AD OIDC App Creation**, select **Next**.
 
diff --git a/articles/active-directory/saas-apps/zendesk-tutorial.md b/articles/active-directory/saas-apps/zendesk-tutorial.md
@@ -128,6 +128,8 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
 
 ## Configure Zendesk SSO
 
+You can set up one SAML configuration for team members and a second SAML configuration for end users.
+
 1. To automate the configuration within **Zendesk**, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
 
 	![Screenshot shows the Install the extension button.](./media/target-process-tutorial/install_extension.png)
@@ -136,18 +138,18 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
 
 	![Setup configuration](common/setup-sso.png)
 
-1. If you want to setup Zendesk manually, open a new web browser window and sign into your Zendesk company site as an administrator and perform the following steps:
+1. If you want to set up Zendesk manually, open a new web browser window and sign into your Zendesk company site as an administrator and perform the following steps:
 
-1. In the **Zendesk Admin Center**, Go to the **Account -> Security -> Single sign-on** page and click **Configure** in the **SAML**.
+1. In the **Zendesk Admin Center**, go to **Account -> Security -> Single sign-on**, then click **Create SSO configuration** and select **SAML**.
 
-	![Screenshot shows the Zendesk Admin Center with Security settings selected.](./media/zendesk-tutorial/settings.png "Security")
+	![Screenshot shows the Zendesk Admin Center with Security settings selected.](https://zen-marketing-documentation.s3.amazonaws.com/docs/en/zendesk_create_sso_configuration.png "Security")
 
 1. Perform the following steps in the **Single sign-on** page.
 
-	![Single sign-on](./media/zendesk-tutorial/saml-configuration.png "Single sign-on")
+	![Single sign-on](https://zen-marketing-documentation.s3.amazonaws.com/docs/en/zendesk_saml_configuration_settings.png "Single sign-on")
+
+    a. In **Configuration name**, enter a name for your configuration. Up to two SAML and two JWT configurations are possible.
 
-    a. Check the **Enabled**.
-    
     b. In **SAML SSO URL** textbox, paste the value of **Login URL** which you have copied from Azure portal.
 
     c. In **Certificate fingerprint** textbox, paste the **Thumbprint** value of certificate which you have copied from Azure portal.
@@ -156,6 +158,18 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
 
     e. Click **Save**.
 
+After creating your SAML configuration, you must activate it by assigning it to end users or team members.
+
+1. In the **Zendesk Admin Center**, go to **Account -> Security** and select either **Team member authentication** or **End user authentication**.
+
+1. If you're assigning the configuration to team members, select **External authentication** to show the authentication options. These options are already displayed for end users.
+
+1. Click the **Single sign-on (SSO)** option in the **External authentication** section, then select the name of the SSO configuration you want to use.
+
+1. Select the primary SSO method for this group of users if you have more than one authentication method assigned to the group. This option sets the default method used when users go to a page that requires authentication.
+
+1. Click **Save**.
+
 ### Create Zendesk test user
 
 The objective of this section is to create a user called Britta Simon in Zendesk. Zendesk supports automatic user provisioning, which is by default enabled. You can find more details [here](Zendesk-provisioning-tutorial.md) on how to configure automatic user provisioning.
diff --git a/articles/azure-resource-manager/bicep/linter-rule-outputs-should-not-contain-secrets.md b/articles/azure-resource-manager/bicep/linter-rule-outputs-should-not-contain-secrets.md
@@ -12,21 +12,22 @@ This rule finds possible exposure of secrets in a template's outputs.
 ## Linter rule code
 
 Use the following value in the [Bicep configuration file](bicep-config-linter.md) to customize rule settings:
-
+​
 `outputs-should-not-contain-secrets`
 
 ## Solution
 
 Don't include any values in an output that could potentially expose secrets. For example, secure parameters of type secureString or secureObject, or [`list*`](./bicep-functions-resource.md#list) functions such as listKeys.
-
-The output from a template is stored in the deployment history, so a malicious user could find that information.
-
+​
+The output from a template is stored in the deployment history, so a user with read-only permissions could gain access to information otherwise not available with read-only permission.
+​
 The following example fails because it includes a secure parameter in an output value.
 
 ```bicep
+
 @secure()
 param secureParam string
-
+​
 output badResult string = 'this is the value ${secureParam}'
 ```
 
@@ -37,7 +38,7 @@ param storageName string
 resource stg 'Microsoft.Storage/storageAccounts@2021-04-01' existing = {
   name: storageName
 }
-
+​
 output badResult object = {
   value: stg.listKeys().keys[0].value
 }
@@ -49,7 +50,19 @@ The following example fails because the output name contains 'password', indicat
 output accountPassword string = '...'
 ```
 
-To fix it, you will need to remove the secret data from the output.
+To fix it, you will need to remove the secret data from the output.  The recommended practice is to output the resourceId of the resource containing the secret and retrieve the secret when the resource needing the information is created or updated.  Secrets may also be stored in KeyVault for more complex deployment scenarios.
+
+The following example shows a secure pattern for retrieving a storageAccount key from a module.
+
+```bicep
+output storageId string = stg.id
+```
+
+Which can be used in a subsequent deployment as sown in the following example
+
+```bicep
+someProperty: listKeys(myStorageModule.outputs.storageId.value, '2021-09-01').keys[0].value
+```
 
 ## Silencing false positives
 
@@ -64,4 +77,4 @@ It is good practice to add a comment explaining why the rule does not apply to t
 
 ## Next steps
 
-For more information about the linter, see [Use Bicep linter](./linter.md).
+For more information about the linter, see [Use Bicep linter](./linter.md).
diff --git a/articles/virtual-machines/linux/create-upload-centos.md b/articles/virtual-machines/linux/create-upload-centos.md
@@ -227,6 +227,12 @@ Preparing a CentOS 7 virtual machine for Azure is very similar to CentOS 6, howe
 * The NetworkManager package no longer conflicts with the Azure Linux agent. This package is installed by default and we recommend that it is not removed.
 * GRUB2 is now used as the default bootloader, so the procedure for editing kernel parameters has changed (see below).
 * XFS is now the default file system. The ext4 file system can still be used if desired.
+* Since CentOS 8 Stream and newer no longer include `network.service` by default, you will need to install it manually:
+
+	```console
+	sudo yum install network-scripts
+	sudo systemctl enable network.service
+	```
 
 **Configuration Steps**
 
diff --git a/articles/virtual-machines/workloads/sap/hana-vm-operations-storage.md b/articles/virtual-machines/workloads/sap/hana-vm-operations-storage.md
@@ -223,7 +223,7 @@ Check whether the storage throughput for the different suggested volumes meets t
 
 Azure Write Accelerator only works with [Azure managed disks](https://azure.microsoft.com/services/managed-disks/). So at least the Azure premium storage disks forming the **/hana/log** volume need to be deployed as managed disks. More detailed instructions and restrictions of Azure Write Accelerator can be found in the article [Write Accelerator](../../how-to-enable-write-accelerator.md).
 
-For the HANA certified VMs of the Azure [Esv3](../../ev3-esv3-series.md?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#esv3-series) family and the [Edsv4](../../edv4-edsv4-series.md?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#edsv4-series), [Edsv5](../../edv5-edsv5-series.md?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#edsv5-series), and [Esv5](../../ev5-esv5-series.md?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#esv5-series) you need to use ANF for the **/hana/data** and **/hana/log** volume. Or you need to leverage Azure Ultra disk storage instead of Azure premium storage only for the **/hana/log** volume to be compliant with the SAP HANA certification KPIs. Though, many custmers are using premium storage SSD disks for the **/hana/log** volume for non-production purposes or even for smaller production workloads since the write latency experienced with premium storage for the critical redo log writes are meeting the workload requirements. The configurations for the **/hana/data** volume on Azure premium storage could look like:
+For the HANA certified VMs of the Azure [Esv3](../../ev3-esv3-series.md?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#esv3-series) family and the [Edsv4](../../edv4-edsv4-series.md?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#edsv4-series), [Edsv5](../../edv5-edsv5-series.md?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#edsv5-series), and [Esv5](../../ev5-esv5-series.md?toc=/azure/virtual-machines/linux/toc.json&bc=/azure/virtual-machines/linux/breadcrumb/toc.json#esv5-series) you need to use ANF for the **/hana/data** and **/hana/log** volume. Or you need to leverage Azure Ultra disk storage instead of Azure premium storage only for the **/hana/log** volume to be compliant with the SAP HANA certification KPIs. Though, many customers are using premium storage SSD disks for the **/hana/log** volume for non-production purposes or even for smaller production workloads since the write latency experienced with premium storage for the critical redo log writes are meeting the workload requirements. The configurations for the **/hana/data** volume on Azure premium storage could look like:
 
 | VM SKU | RAM | Max. VM I/O<br /> Throughput | /hana/data | Provisioned Throughput | Maximum burst throughput | IOPS | Burst IOPS |
 | --- | --- | --- | --- | --- | --- | --- |
