Commit 97b21b1

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into dajusto/pystein-df-patch-link
2 parents e1c1681 + 6a7eba3 commit 97b21b1

5 files changed

+65
-50
lines changed

articles/batch/account-move.md

Lines changed: 13 additions & 8 deletions
@@ -2,7 +2,7 @@
22
title: Move an Azure Batch account to another region
33
description: Learn how to move an Azure Batch account to a different region using an Azure Resource Manager template in the Azure portal.
44
ms.topic: how-to
5-
ms.date: 12/20/2021
5+
ms.date: 02/27/2023
66
ms.custom: subject-moving-resources
77
---
88

@@ -17,11 +17,11 @@ For more information on Resource Manager and templates, see [Quickstart: Create
1717
## Prerequisites
1818

1919
- Make sure that the services and features that your Batch account uses are supported in the new target region.
20-
- It's recommended to move the storage account associated with your Batch account to the new target region. Follow the steps in [Move an Azure Storage account to another region](../storage/common/storage-account-move.md). If you prefer, you can leave the storage account in the original region. Typically, performance is better when your storage account is in the same region as your Batch account. This article assumes you've already migrated your storage account.
20+
- It's recommended to move any Azure resources associated with your Batch account to the new target region. For example, follow the steps in [Move an Azure Storage account to another region](../storage/common/storage-account-move.md) to move an associated autostorage account. If you prefer, you can leave resources in the original region, however, performance is typically better when your Batch account is in the same region as your other Azure resources used by your workload. This article assumes you've already migrated your storage account or any other regional Azure resources to be aligned with your Batch account.
2121

2222
## Prepare the template
2323

24-
To get started, you'll need to export and then modify an ARM template.
24+
To get started, you need to export and then modify an ARM template.
2525

2626
### Export a template
2727

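Review bot: The rewritten prerequisite at new line 20 joins two sentences with a comma before "however" ("you can leave resources in the original region, however, performance is typically better"); end the sentence after "region" and start the next with "However,". Its closing sentence also still leads with "your storage account" although the bullet was generalized to "any Azure resources", so consider "This article assumes you've already moved any regional Azure resources, such as the autostorage account, to align with your Batch account."
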
@@ -80,15 +80,15 @@ Load and modify the template so you can create a new Batch account in the target
8080
```
8181

8282
1. Finally, edit the **location** property to use your target region. This example sets the target region to `centralus`.
83-
83+
8484
```json
8585
{
8686
"resources": [
8787
{
8888
"type": "Microsoft.Batch/batchAccounts",
8989
"apiVersion": "2021-01-01",
9090
"name": "[parameters('batchAccounts_mysourceaccount_name')]",
91-
"location": "centralus",
91+
"location": "centralus",
9292
```
9393

9494
To obtain region location codes, see [Azure Locations](https://azure.microsoft.com/global-infrastructure/locations/). The code for a region is the region name with no spaces. For example, **Central US** = **centralus**.
@@ -110,15 +110,21 @@ Deploy the template to create a new Batch account in the target region.
110110

111111
### Configure the new Batch account
112112

113-
Some features won't export to a template, so you'll have to recreate them in the new Batch account. These features include:
113+
Some features don't export to a template, so you have to recreate them in the new Batch account. These features include:
114114

115-
- Jobs
115+
- Jobs (and tasks)
116116
- Job schedules
117117
- Certificates
118118
- Application packages
119119

120120
Be sure to configure features in the new account as needed. You can look at how you've configured these features in your source Batch account for reference.
121121

122+
> [!IMPORTANT]
123+
> New Batch accounts are entirely separate from any prior existing Batch accounts, even within the same region. These newly
124+
> created Batch accounts will have [default service and core quotas](batch-quota-limit.md) associated with them. For User
125+
> Subscription pool allocation mode Batch accounts, core quotas from the subscription will apply. You will need to ensure
126+
> that these new Batch accounts have sufficient quota before migrating your workload.
127+
122128
## Discard or clean up
123129

124130
Confirm that your new Batch account is successfully working in the new region. Also make sure to restore the necessary features. Then, you can delete the source Batch account.
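Review bot: The new [!IMPORTANT] block at lines 122-126 uses "will have", "will apply" and "You will need to ensure", while this same hunk converts "won't export" and "you'll have to" to present tense; align it, for example "These newly created Batch accounts have default service and core quotas" and "Ensure that these new Batch accounts have sufficient quota before migrating your workload." The block is also placed under "Configure the new Batch account", after the account has been deployed, although it describes something to check before migrating; consider moving it or repeating the quota check under Prerequisites.
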
@@ -132,4 +138,3 @@ Confirm that your new Batch account is successfully working in the new region. A
132138
## Next steps
133139

134140
- Learn more about [moving resources to a new resource group or subscription](../azure-resource-manager/management/move-resource-group-and-subscription.md).
135-
- Learn how to [move Azure VMs to another region](../site-recovery/azure-to-azure-tutorial-migrate.md).

articles/batch/batch-customer-managed-key.md

Lines changed: 34 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -1,21 +1,27 @@
11
---
22
title: Configure customer-managed keys for your Azure Batch account with Azure Key Vault and Managed Identity
3-
description: Learn how to encrypt Batch data using customer-managed keys.
3+
description: Learn how to encrypt Batch data using customer-managed keys.
44
ms.topic: how-to
5-
ms.date: 02/11/2021
5+
ms.date: 02/27/2023
66
ms.devlang: csharp
77
ms.custom: devx-track-azurecli
88
---
99

1010
# Configure customer-managed keys for your Azure Batch account with Azure Key Vault and Managed Identity
1111

12-
By default Azure Batch uses platform-managed keys to encrypt all the customer data stored in the Azure Batch Service, like certificates, job/task metadata. Optionally, you can use your own keys, i.e., customer-managed keys, to encrypt data stored in Azure Batch.
12+
By default Azure Batch uses platform-managed keys to encrypt all the customer data stored in the Azure Batch Service, like certificates, job/task metadata. Optionally, you can use your own keys, that is, customer-managed keys, to encrypt data stored in Azure Batch.
1313

1414
The keys you provide must be generated in [Azure Key Vault](../key-vault/general/basic-concepts.md), and they must be accessed with [managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).
1515

1616
There are two types of managed identities: [*system-assigned* and *user-assigned*](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types).
1717

18-
You can either create your Batch account with system-assigned managed identity, or create a separate user-assigned managed identity that will have access to the customer-managed keys. Review the [comparison table](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) to understand the differences and consider which option works best for your solution. For example, if you want to use the same managed identity to access multiple Azure resources, a user-assigned managed identity will be needed. If not, a system-assigned managed identity associated with your Batch account may be sufficient. Using a user-assigned managed identity also gives you the option to enforce customer-managed keys at Batch account creation, as shown [in the example below](#create-a-batch-account-with-user-assigned-managed-identity-and-customer-managed-keys).
18+
You can either create your Batch account with system-assigned managed identity, or create a separate user-assigned managed identity
19+
that has access to the customer-managed keys. Review the
20+
[comparison table](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) to understand the
21+
differences and consider which option works best for your solution. For example, if you want to use the same managed identity to
22+
access multiple Azure resources, a user-assigned managed identity is needed. If not, a system-assigned managed identity associated
23+
with your Batch account may be sufficient. Using a user-assigned managed identity also gives you the option to enforce
24+
customer-managed keys at Batch account creation, as shown next.
1925

2026
## Create a Batch account with system-assigned managed identity
2127

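Review bot: The reworded ending at new line 24, "as shown next", replaces the link to #create-a-batch-account-with-user-assigned-managed-identity-and-customer-managed-keys, but the section that actually follows is "Create a Batch account with system-assigned managed identity", so "next" points the reader at the wrong example. Keep the anchor link with neutral wording, for example "as shown in [Create a Batch account with user-assigned managed identity and customer-managed keys](#create-a-batch-account-with-user-assigned-managed-identity-and-customer-managed-keys)". The change to the description line at line 3 differs only in whitespace; confirm it does not add a trailing space.
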
@@ -31,13 +37,13 @@ After the account is created, you can find a unique GUID in the **Identity princ
3137

3238
![Screenshot showing a unique GUID in the Identity principal Id field.](./media/batch-customer-managed-key/linked-batch-principal.png)
3339

34-
You will need this value in order to grant this Batch account access to the Key Vault.
40+
You need this value in order to grant this Batch account access to the Key Vault.
3541

3642
### Azure CLI
3743

3844
When you create a new Batch account, specify `SystemAssigned` for the `--identity` parameter.
3945

40-
```azurecli
46+
```azurecli-interactive
4147
resourceGroupName='myResourceGroup'
4248
accountName='mybatchaccount'
4349
@@ -48,9 +54,9 @@ az batch account create \
4854
--identity 'SystemAssigned'
4955
```
5056

51-
After the account is created, you can verify that system-assigned managed identity has been enabled on this account. Be sure to note the `PrincipalId`, as this value will be needed to grant this Batch account access to the Key Vault.
57+
After the account is created, you can verify that system-assigned managed identity has been enabled on this account. Be sure to note the `PrincipalId`, as this value is needed to grant this Batch account access to the Key Vault.
5258

53-
```azurecli
59+
```azurecli-interactive
5460
az batch account show \
5561
--name $accountName \
5662
--resource-group $resourceGroupName \
@@ -62,13 +68,13 @@ az batch account show \
6268
6369
## Create a user-assigned managed identity
6470

65-
If you prefer, you can [create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md#create-a-user-assigned-managed-identity) which can be used to access your customer-managed keys.
71+
If you prefer, you can [create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md#create-a-user-assigned-managed-identity) that can be used to access your customer-managed keys.
6672

67-
You will need the **Client ID** value of this identity in order for it to access the Key Vault.
73+
You need the **Client ID** value of this identity in order for it to access the Key Vault.
6874

6975
## Configure your Azure Key Vault instance
7076

71-
The Azure Key Vault in which your keys will be generated must be created in the same tenant as your Batch account. It does not need to be in the same resource group or even in the same subscription.
77+
The Azure Key Vault in which your keys are generated must be created in the same tenant as your Batch account. It doesn't need to be in the same resource group or even in the same subscription.
7278

7379
### Create an Azure Key Vault
7480

@@ -95,11 +101,11 @@ In the Azure portal, go to the Key Vault instance in the **key** section, select
95101

96102
![Create a key](./media/batch-customer-managed-key/create-key.png)
97103

98-
After the key is created, click on the newly created key and the current version, copy the **Key Identifier** under **properties** section. Be sure sure that under **Permitted Operations**, **Wrap Key** and **Unwrap Key** are both checked.
104+
After the key is created, click on the newly created key and the current version, copy the **Key Identifier** under **properties** section. Be sure that under **Permitted Operations**, **Wrap Key** and **Unwrap Key** are both checked.
99105

100106
## Enable customer-managed keys on a Batch account
101107

102-
Once you have followed the steps above, you can enable customer-managed keys on your Batch account.
108+
Now that the prerequisites are in place, you can enable customer-managed keys on your Batch account.
103109

104110
### Azure portal
105111

@@ -111,7 +117,7 @@ In the [Azure portal](https://portal.azure.com/), go to the Batch account page.
111117

112118
After the Batch account is created with system-assigned managed identity and the access to Key Vault is granted, update the Batch account with the `{Key Identifier}` URL under `keyVaultProperties` parameter. Also set `--encryption-key-source` as `Microsoft.KeyVault`.
113119

114-
```azurecli
120+
```azurecli-interactive
115121
az batch account set \
116122
--name $accountName \
117123
--resource-group $resourceGroupName \
@@ -121,7 +127,8 @@ az batch account set \
121127

122128
## Create a Batch account with user-assigned managed identity and customer-managed keys
123129

124-
Using the Batch management .NET client, you can create a Batch account that will have a user-assigned managed identity and customer-managed keys.
130+
As an example using the Batch management .NET client, you can create a Batch account that has a user-assigned managed identity
131+
and customer-managed keys.
125132

126133
```c#
127134
EncryptionProperties encryptionProperties = new EncryptionProperties()
@@ -144,7 +151,7 @@ BatchAccountIdentity identity = new BatchAccountIdentity()
144151
var parameters = new BatchAccountCreateParameters(TestConfiguration.ManagementRegion, encryption:encryptionProperties, identity: identity);
145152

146153
var account = await batchManagementClient.Account.CreateAsync("MyResourceGroup",
147-
"mynewaccount", parameters);
154+
"mynewaccount", parameters);
148155
```
149156

150157
## Update the customer-managed key version
@@ -157,13 +164,18 @@ When you create a new version of a key, update the Batch account to use the new
157164

158165
You can also use Azure CLI to update the version.
159166

160-
```azurecli
167+
```azurecli-interactive
161168
az batch account set \
162169
--name $accountName \
163170
--resource-group $resourceGroupName \
164171
--encryption-key-identifier {YourKeyIdentifierWithNewVersion}
165172
```
166173

174+
> [!TIP]
175+
> You can have your keys automatically rotate by creating a key rotation policy within Key Vault. When specifying a Key Identifier
176+
> for the Batch account, use the versionless key identifier to enable autorotation with a valid rotation policy. For more information,
177+
> see [how to configure key rotation](../key-vault/keys/how-to-configure-key-rotation.md) in Key Vault.
178+
167179
## Use a different key for Batch encryption
168180

169181
To change the key used for Batch encryption, follow these steps:
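Review bot: The new [!TIP] at lines 174-177 tells readers to "use the versionless key identifier" but never says what that is, and it sits directly under a CLI example whose placeholder is `{YourKeyIdentifierWithNewVersion}`, while the earlier key-creation step has the reader copy the **Key Identifier** from the current version. State in the tip that the versionless form is the Key Identifier without its trailing version segment, and say explicitly that the manual `az batch account set` step above is not needed once the account uses a versionless identifier with a rotation policy.
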
@@ -174,7 +186,7 @@ To change the key used for Batch encryption, follow these steps:
174186

175187
You can also use Azure CLI to use a different key.
176188

177-
```azurecli
189+
```azurecli-interactive
178190
az batch account set \
179191
--name $accountName \
180192
--resource-group $resourceGroupName \
@@ -187,11 +199,11 @@ az batch account set \
187199
- **Can I select RSA key sizes larger than 2048 bits?** Yes, RSA key sizes of `3072` and `4096` bits are also supported.
188200
- **What operations are available after a customer-managed key is revoked?** The only operation allowed is account deletion if Batch loses access to the customer-managed key.
189201
- **How should I restore access to my Batch account if I accidentally delete the Key Vault key?** Since purge protection and soft delete are enabled, you could restore the existing keys. For more information, see [Recover an Azure Key Vault](../key-vault/general/key-vault-recovery.md).
190-
- **Can I disable customer-managed keys?** You can set the encryption type of the Batch Account back to "Microsoft managed key" at any time. After this, you are free to delete or change the key.
191-
- **How can I rotate my keys?** Customer-managed keys are not automatically rotated. To rotate the key, update the Key Identifier that the account is associated with.
202+
- **Can I disable customer-managed keys?** You can set the encryption type of the Batch Account back to "Microsoft managed key" at any time. You're free to delete or change the key afterwards.
203+
- **How can I rotate my keys?** Customer-managed keys aren't automatically rotated unless the [key is versionless with an appropriate key rotation policy set within Key Vault](../key-vault/keys/how-to-configure-key-rotation.md). To manually rotate the key, update the Key Identifier that the account is associated with.
192204
- **After I restore access how long will it take for the Batch account to work again?** It can take up to 10 minutes for the account to be accessible again once access is restored.
193-
- **While the Batch Account is unavailable what happens to my resources?** Any pools that are running when Batch access to customer-managed keys is lost will continue to run. However, the nodes will transition into an unavailable state, and tasks will stop running (and be requeued). Once access is restored, nodes will become available again and tasks will be restarted.
194-
- **Does this encryption mechanism apply to VM disks in a Batch pool?** No. For Cloud Services Configuration pools (which are [deprecated](https://azure.microsoft.com/updates/azure-batch-cloudserviceconfiguration-pools-will-be-retired-on-29-february-2024/)), no encryption is applied for the OS and temporary disk. For Virtual Machine Configuration pools, the OS and any specified data disks will be encrypted with a Microsoft platform managed key by default. Currently, you cannot specify your own key for these disks. To encrypt the temporary disk of VMs for a Batch pool with a Microsoft platform managed key, you must enable the [diskEncryptionConfiguration](/rest/api/batchservice/pool/add#diskencryptionconfiguration) property in your [Virtual Machine Configuration](/rest/api/batchservice/pool/add#virtualmachineconfiguration) Pool. For highly sensitive environments, we recommend enabling temporary disk encryption and avoiding storing sensitive data on OS and data disks. For more information, see [Create a pool with disk encryption enabled](./disk-encryption.md)
205+
- **While the Batch Account is unavailable what happens to my resources?** Any pools that are running when Batch access to the customer-managed key is lost will continue to run. However, the nodes in these pools will transition into an unavailable state, and tasks will stop running (and be requeued). Once access is restored, nodes become available again, and tasks are restarted.
206+
- **Does this encryption mechanism apply to VM disks in a Batch pool?** No. For Cloud Services Configuration pools (which are [deprecated](https://azure.microsoft.com/updates/azure-batch-cloudserviceconfiguration-pools-will-be-retired-on-29-february-2024/)), no encryption is applied for the OS and temporary disk. For Virtual Machine Configuration pools, the OS and any specified data disks are encrypted with a Microsoft platform managed key by default. Currently, you can't specify your own key for these disks. To encrypt the temporary disk of VMs for a Batch pool with a Microsoft platform managed key, you must enable the [diskEncryptionConfiguration](/rest/api/batchservice/pool/add#diskencryptionconfiguration) property in your [Virtual Machine Configuration](/rest/api/batchservice/pool/add#virtualmachineconfiguration) Pool. For highly sensitive environments, we recommend enabling temporary disk encryption and avoiding storing sensitive data on OS and data disks. For more information, see [Create a pool with disk encryption enabled](./disk-encryption.md)
195207
- **Is the system-assigned managed identity on the Batch account available on the compute nodes?** No. The system-assigned managed identity is currently used only for accessing the Azure Key Vault for the customer-managed key. To use a user-assigned managed identity on compute nodes, see [Configure managed identities in Batch pools](managed-identity-pools.md).
196208

197209
## Next steps
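Review bot: In the rotation answer at new line 203, the link text "key is versionless" is imprecise: the [!TIP] added earlier in this file speaks of a "versionless key identifier", and it is the identifier given to the Batch account that lacks a version, not the key. Suggest "unless the account uses a versionless key identifier and the key has a rotation policy set in Key Vault". Two smaller points in the same hunk: the answer at line 205 mixes "will continue", "will transition" and "will stop" with "become available" and "are restarted", and the answer at line 206 still ends without a period after the disk-encryption link.
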

articles/healthcare-apis/iot/get-started.md

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,14 +5,17 @@ author: msjasteppe
55
ms.service: healthcare-apis
66
ms.subservice: fhir
77
ms.topic: quickstart
8-
ms.date: 1/20/2023
8+
ms.date: 02/27/2023
99
ms.author: jasteppe
1010
ms.custom: mode-api
1111
---
1212

1313
# Get started with the MedTech service in the Azure Health Data Services
1414

15-
This article will show you how to get started with the Azure MedTech service in the [Azure Health Data Services](../healthcare-apis-overview.md). There are six steps you need to follow to be able to deploy and process MedTech service to ingest data from a device using Azure Event Hubs service, persist the data to Azure Fast Healthcare Interoperability Resources (FHIR®) service as Observation resources, and link FHIR service Observations to user and device resources. This article provides an architecture overview to help you follow the six steps of the implementation process.
15+
> [!NOTE]
16+
> [Fast Healthcare Interoperability Resources (FHIR®)](https://www.hl7.org/fhir/) is an open healthcare specification.
17+
18+
This article will show you how to get started with the Azure MedTech service in the [Azure Health Data Services](../healthcare-apis-overview.md). There are six steps you need to follow to be able to deploy and process MedTech service to ingest data from a device using Azure Event Hubs service, persist the data to Azure FHIR service as Observation resources, and link FHIR service Observations to user and device resources. This article provides an architecture overview to help you follow the six steps of the implementation process.
1619

1720
## Architecture overview of the MedTech service
1821

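Review bot: The paragraph re-added at new line 18 keeps "This article will show you" and "deploy and process MedTech service", which read awkwardly now that the line is being touched anyway; suggest "This article shows you how to get started" and "deploy the MedTech service to ingest data from a device". The new [!NOTE] at lines 15-16 also pushes the article's lead sentence below a callout; consider placing the note after the introduction so the opening still states what the article covers. The `ms.date` change from `1/20/2023` to `02/27/2023` also switches to zero-padded format, which matches the other files in this commit.
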