
Commit 9bd766b

authored
Merge pull request #260113 from MicrosoftDocs/main
Merge main to live, 4 AM
2 parents bc44b9e + 21a010c commit 9bd766b


49 files changed

+2123
-326
lines changed


.openpublishing.redirection.sentinel.json

Lines changed: 6 additions & 1 deletion
@@ -479,6 +479,11 @@
479479
"source_path": "articles/sentinel/data-connectors/deprecated-cisco-firepower-estreamer-via-legacy-agent.md",
480480
"redirect_url": "/azure/sentinel/data-connectors/cisco-firepower-estreamer",
481481
"redirect_document_id": true
482-
}
482+
},
483+
{
484+
"source_path": "articles/sentinel/data-connectors/cyberpion-security-logs.md",
485+
"redirect_url": "/azure/sentinel/data-connectors-reference",
486+
"redirect_document_id": false
487+
}
483488
]
484489
}
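Review bot: the new redirect for `articles/sentinel/data-connectors/cyberpion-security-logs.md` only makes sense if that source file is deleted in the same change, and it is not among the files shown in this commit; confirm the deletion landed, otherwise this entry will shadow a page that still exists. The `}` to `},` edit on the preceding entry is the right way to keep the JSON array valid, and `"redirect_document_id": false` is appropriate because the target (`/azure/sentinel/data-connectors-reference`) is a catch-all reference page rather than a one-to-one replacement.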

articles/active-directory-b2c/localization-string-ids.md

Lines changed: 14 additions & 2 deletions
@@ -8,7 +8,7 @@ manager: CelesteDG
88
ms.service: active-directory
99

1010
ms.topic: reference
11-
ms.date: 04/19/2022
11+
ms.date: 11/14/2023
1212
ms.author: kengaderdus
1313
ms.subservice: B2C
1414
---
@@ -615,7 +615,8 @@ The following IDs are used for claims transformations error messages:
615615
| `DateTimeGreaterThan` |[AssertDateTimeIsGreaterThan](date-transformations.md#assertdatetimeisgreaterthan) | Claim value comparison failed: The provided left operand is greater than the right operand.|
616616
| `UserMessageIfClaimsTransformationStringsAreNotEqual` |[AssertStringClaimsAreEqual](string-transformations.md#assertstringclaimsareequal) | Claim value comparison failed using StringComparison "OrdinalIgnoreCase".|
617617

618-
### Claims transformations example
618+
### Claims transformations example 1:
619+
This example shows localized messages for local account signup.
619620

620621
```xml
621622
<LocalizedResources Id="api.localaccountsignup.en">
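Review bot: the trailing colon in `### Claims transformations example 1:` is not used by any other heading in this file (compare the original `### Claims transformations example`), so drop it from both new headings. Splitting the sign-up and password-reset cases into two examples otherwise reads fine.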
@@ -627,6 +628,17 @@ The following IDs are used for claims transformations error messages:
627628
</LocalizedResources>
628629
```
629630

631+
### Claims transformations example 2:
632+
This example shows localized messages for local account password reset.
633+
634+
```xml
635+
<LocalizedResources Id="api.localaccountpasswordreset.en">
636+
<LocalizedStrings>
637+
<LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">You cannot use the old password</LocalizedString>
638+
</LocalizedStrings>
639+
</LocalizedResources>
640+
```
641+
630642
## Next steps
631643

632644
See the following articles for localization examples:
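Review bot: the new example uses `StringId="UserMessageIfClaimsTransformationBooleanValueIsNotEqual"`, but the only error-message ID visible in the table above this hunk is `UserMessageIfClaimsTransformationStringsAreNotEqual`; cross-check that the boolean-comparison ID is listed in that table with the claims transformation that emits it, otherwise readers cannot tell which transformation this localized string belongs to. Same heading nit as example 1: drop the trailing colon in `### Claims transformations example 2:`.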

articles/advisor/advisor-cost-recommendations.md

Lines changed: 79 additions & 44 deletions

articles/advisor/advisor-get-started.md

Lines changed: 3 additions & 3 deletions
@@ -5,7 +5,7 @@ author: mabrahms
55
ms.author: v-mabrahms
66
ms.service: azure
77
ms.topic: article
8-
ms.date: 09/16/2023
8+
ms.date: 12/1/2023
99

1010
---
1111

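Review bot: `ms.date: 12/1/2023` drops the zero-padding used by the value it replaces (`09/16/2023`); write `12/01/2023` so it matches the MM/DD/YYYY form used across the repo (the `csi-secrets-store-identity-access.md` change in this same commit uses `12/01/2023`).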
@@ -88,9 +88,9 @@ From any Azure Advisor page, click **Configuration** in the left navigation pane
8888

8989
* **Resources**: Uncheck any subscriptions you don't want to receive Advisor recommendations for, click **Apply**. The page refreshes.
9090

91-
* **VM/VMSS right sizing**: You can adjust the average CPU utilization rule and the look back period on a per-subscription basis. Doing virtual machine (VM) right sizing requires specialized knowledge.
91+
* **VM/VMSS right sizing**: You can adjust Advisor virtual machine (VM) and virtual machine scale sets (VMSS) recommendations. Specifically, you can setup a filter for each subscription to only show recommendations for machines with certain CPU utilization. This setting will filter recommendations but will not change how they are generated.
9292

93-
1. Select the subscriptions you’d like to adjust the average CPU utilization rule for, and then click **Edit**. Not all subscriptions can be edited for VM/VMSS right sizing and certain privileges are required; for more information on permissions, see [Permissions in Azure Advisor](permissions.md).
93+
1. Select the subscriptions you’d like to setup a filter for average CPU utilization, and then click **Edit**. Not all subscriptions can be edited for VM/VMSS right sizing and certain privileges are required; for more information on permissions, see [Permissions in Azure Advisor](permissions.md).
9494

9595
1. Select the desired average CPU utilization value and click **Apply**. It can take up to 24 hours for the new settings to be reflected in recommendations.
9696

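Review bot: "setup" is used as a verb twice in the rewritten text ("you can setup a filter", "you'd like to setup a filter"); the verb is "set up". The rewritten step is also missing a preposition: "Select the subscriptions you'd like to setup a filter for average CPU utilization" should read "Select the subscriptions you'd like to set up an average CPU utilization filter for". The added sentence saying the setting filters recommendations but does not change how they are generated is a useful correction to the old wording and should stay.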
articles/aks/concepts-clusters-workloads.md

Lines changed: 3 additions & 3 deletions
@@ -112,9 +112,9 @@ Reserved CPU is dependent on node type and cluster configuration, which may caus
112112
Memory utilized by AKS includes the sum of two values.
113113

114114
> [!IMPORTANT]
115-
> AKS 1.28 includes certain changes to memory reservations. These changes are detailed in the following section.
115+
> AKS 1.29 previews in January 2024 and includes certain changes to memory reservations. These changes are detailed in the following section.
116116
117-
**AKS 1.28 and later**
117+
**AKS 1.29 and later**
118118

119119
1. **`kubelet` daemon** has the *memory.available<100Mi* eviction rule by default. This ensures that a node always has at least 100Mi allocatable at all times. When a host is below that available memory threshold, the `kubelet` triggers the termination of one of the running pods and frees up memory on the host machine.
120120
2. **A rate of memory reservations** set according to the lesser value of: *20MB * Max Pods supported on the Node + 50MB* or *25% of the total system memory resources*.
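Review bot: "AKS 1.29 previews in January 2024" is a dated, forward-looking statement inside an `[!IMPORTANT]` callout and will read as stale as soon as the preview ships; prefer a version-only statement ("Starting with AKS 1.29, ...") and leave the timing to the release notes. Also confirm every other "1.28" reference in this article was moved along with the two hunks in this commit, because the 100Mi versus 750Mi eviction thresholds described in the two sections depend on the version boundary being stated consistently.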
@@ -125,7 +125,7 @@ Memory utilized by AKS includes the sum of two values.
125125

126126
For more information, see [Configure maximum pods per node in an AKS cluster](./azure-cni-overview.md#maximum-pods-per-node).
127127

128-
**AKS versions prior to 1.28**
128+
**AKS versions prior to 1.29**
129129

130130
1. **`kubelet` daemon** is installed on all Kubernetes agent nodes to manage container creation and termination. By default on AKS, `kubelet` daemon has the *memory.available<750Mi* eviction rule, ensuring a node must always have at least 750Mi allocatable at all times. When a host is below that available memory threshold, the `kubelet` will trigger to terminate one of the running pods and free up memory on the host machine.
131131

articles/aks/csi-secrets-store-identity-access.md

Lines changed: 29 additions & 18 deletions
@@ -1,36 +1,38 @@
11
---
2-
title: Provide an access identity to the Azure Key Vault provider for Secrets Store CSI Driver for Azure Kubernetes Service (AKS) secrets
3-
description: Learn how to integrate the Azure Key Vault provider for Secrets Store CSI Driver with your Azure key vault.
2+
title: Access Azure Key Vault with the CSI Driver Identity Provider
3+
description: Learn how to integrate the Azure Key Vault Provider for Secrets Store CSI Driver with your Azure credentials and user identities.
44
author: nickomang
55
ms.author: nickoman
66
ms.topic: article
7-
ms.date: 10/19/2023
7+
ms.date: 12/01/2023
88
ms.custom: devx-track-azurecli, devx-track-linux
99
---
1010

11-
# Provide an identity to access the Azure Key Vault provider for Secrets Store CSI Driver in Azure Kubernetes Service (AKS)
11+
# Connect your Azure identity provider to the Azure Key Vault Secrets Store CSI Driver in Azure Kubernetes Service (AKS)
1212

13-
The Secrets Store CSI Driver on Azure Kubernetes Service (AKS) provides various methods of identity-based access to your Azure Key Vault. This article outlines these methods and how to use them to access your key vault and its contents from your AKS cluster.
13+
The Secrets Store Container Storage Interface (CSI) Driver on Azure Kubernetes Service (AKS) provides various methods of identity-based access to your Azure Key Vault. This article outlines these methods and best practices for when to use Role-based access control (RBAC) or OpenID Connect (OIDC) security models to access your key vault and AKS cluster.
1414

1515
You can use one of the following access methods:
1616

1717
- [Microsoft Entra Workload ID](#access-with-a-microsoft-entra-workload-id)
1818
- [User-assigned managed identity](#access-with-a-user-assigned-managed-identity)
1919

20-
## Prerequisites
20+
## Prerequisites for CSI Driver
2121

22-
- Before you begin, make sure you followed the steps in [Use the Azure Key Vault provider for Secrets Store CSI Driver in an Azure Kubernetes Service (AKS) cluster][csi-secrets-store-driver] to create an AKS cluster with Azure Key Vault provider for Secrets Store CSI Driver support.
22+
- Before you begin, make sure you finish the steps in [Use the Azure Key Vault provider for Secrets Store CSI Driver in an Azure Kubernetes Service (AKS) cluster][csi-secrets-store-driver] to enable the Azure Key Vault Secrets Store CSI Driver in your AKS cluster.
2323

2424
<a name='access-with-an-azure-ad-workload-identity'></a>
2525

2626
## Access with a Microsoft Entra Workload ID
2727

28-
A [Microsoft Entra Workload ID][workload-identity] is an identity that an application running on a pod uses that authenticates itself against other Azure services that support it, such as Storage or SQL. It integrates with the native Kubernetes capabilities to federate with external identity providers. In this security model, the AKS cluster acts as token issuer. Microsoft Entra ID then uses OpenID Connect (OIDC) to discover public signing keys and verify the authenticity of the service account token before exchanging it for a Microsoft Entra token. Your workload can exchange a service account token projected to its volume for a Microsoft Entra token using the Azure Identity client library using the Azure SDK or the Microsoft Authentication Library (MSAL).
28+
A [Microsoft Entra Workload ID][workload-identity] is an identity that an application running on a pod uses to authenticate itself against other Azure services, such as workloads in software. The Storage Store CSI Driver integrates with native Kubernetes capabilities to federate with external identity providers.
29+
30+
In this security model, the AKS cluster acts as token issuer. Microsoft Entra ID then uses OIDC to discover public signing keys and verify the authenticity of the service account token before exchanging it for a Microsoft Entra token. For your workload to exchange a service account token projected to its volume for a Microsoft Entra token, you need the Azure Identity client library in the Azure SDK or the Microsoft Authentication Library (MSAL)
2931

3032
> [!NOTE]
3133
>
3234
> - This authentication method replaces Microsoft Entra pod-managed identity (preview). The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022.
33-
> - Microsoft Entra Workload ID is supported on both Windows and Linux clusters.
35+
> - Microsoft Entra Workload ID is supports both Windows and Linux clusters.
3436
3537
### Configure workload identity
3638

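Review bot: several regressions in the rewritten introduction. "The Storage Store CSI Driver" should be "The Secrets Store CSI Driver". "such as Storage or SQL" was concrete and has been replaced with "such as workloads in software", which does not describe anything; keep the original service examples. The moved note line now reads "Microsoft Entra Workload ID is supports both Windows and Linux clusters" and should be "supports both" or "is supported on both". The new second paragraph ends without a period after "(MSAL)". Finally, the description now promises "best practices for when to use Role-based access control (RBAC) or OpenID Connect (OIDC) security models"; RBAC is the authorization layer used by both access methods and OIDC is the federation protocol behind workload identity, so presenting them as alternative security models is misleading, and nothing in the visible hunks adds such a comparison.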
@@ -70,7 +72,7 @@ A [Microsoft Entra Workload ID][workload-identity] is an identity that an applic
7072
echo $AKS_OIDC_ISSUER
7173
```
7274
73-
5. Establish a federated identity credential between the Microsoft Entra application and the service account issuer and subject. Get the object ID of the Microsoft Entra application using the following commands. Make sure to update the values for `serviceAccountName` and `serviceAccountNamespace` with the Kubernetes service account name and its namespace.
75+
5. Establish a federated identity credential between the Microsoft Entra application, service account issuer, and subject. Get the object ID of the Microsoft Entra application using the following commands. Make sure to update the values for `serviceAccountName` and `serviceAccountNamespace` with the Kubernetes service account name and its namespace.
7476
7577
```bash
7678
export SERVICE_ACCOUNT_NAME="workload-identity-sa" # sample name; can be changed
@@ -126,7 +128,7 @@ A [Microsoft Entra Workload ID][workload-identity] is an identity that an applic
126128
```
127129
128130
> [!NOTE]
129-
> If you use `objectAlias` instead of `objectName`, make sure to update the YAML script.
131+
> If you use `objectAlias` instead of `objectName`, update the YAML script to account for it.
130132
131133
8. Deploy a sample pod using the `kubectl apply` command and the following YAML script.
132134
@@ -161,9 +163,17 @@ A [Microsoft Entra Workload ID][workload-identity] is an identity that an applic
161163
EOF
162164
```
163165
164-
## Access with a user-assigned managed identity
166+
<a name='access-with-a-user-assigned-managed-identity'></a>
167+
168+
## Access with managed identity
169+
170+
A [Microsoft Entra Managed ID][managed-identity] is an identity that an administrator uses to authenticate themselves against other Azure services. The managed identity uses RBAC to federate with external identity providers.
171+
172+
In this security model, you can grant access to your cluster's resources to team members or tenants sharing a managed role. The role is checked for scope to access the keyvault and other credentials. When you [enabled the Azure Key Vault provider for Secrets Store CSI Driver on your AKS Cluster](./csi-secrets-store-driver.md#create-an-aks-cluster-with-azure-key-vault-provider-for-secrets-store-csi-driver-support), it created a user identity.
173+
174+
### Configure managed identity
165175
166-
1. Access your key vault using the [`az aks show`][az-aks-show] command and the user-assigned managed identity created by the add-on when you [enabled the Azure Key Vault provider for Secrets Store CSI Driver on your AKS Cluster](./csi-secrets-store-driver.md#create-an-aks-cluster-with-azure-key-vault-provider-for-secrets-store-csi-driver-support).
176+
1. Access your key vault using the [`az aks show`][az-aks-show] command and the user-assigned managed identity created by the add-on.
167177
168178
```azurecli-interactive
169179
az aks show -g <resource-group> -n <cluster-name> --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv
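Review bot: the new "Access with managed identity" introduction misstates what a managed identity is. It is an identity for an Azure resource (here, the user-assigned identity the add-on creates and that is attached to the node VMs), not "an identity that an administrator uses to authenticate themselves", and "Microsoft Entra Managed ID" is not the product name; the linked overview calls it a managed identity for Azure resources. "The managed identity uses RBAC to federate with external identity providers" conflates two things: Azure RBAC decides what the identity may read in the key vault, and no federation with external providers is involved (that is the workload identity path above). "grant access to your cluster's resources to team members or tenants sharing a managed role" likewise describes something this section does not do; the steps that follow attach the add-on's identity to the agent-pool VM and grant it a Key Vault role. Suggest restoring the factual framing from the old step 1 that this hunk removes: the add-on creates a user-assigned managed identity when enabled, you attach it to the node pool and grant it a Key Vault role. Minor: "keyvault" should be "key vault" as elsewhere in the file. Keeping the `<a name='access-with-a-user-assigned-managed-identity'>` anchor is right, since the link list at the top of the article still points at it.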
@@ -177,7 +187,7 @@ A [Microsoft Entra Workload ID][workload-identity] is an identity that an applic
177187
az vm identity assign -g <resource-group> -n <agent-pool-vm> --identities <identity-resource-id>
178188
```
179189
180-
2. Create a role assignment that grants the identity permission to access the key vault secrets, access keys, and certificates using the [`az role assignment create`][az-role-assignment-create] command.
190+
2. Create a role assignment that grants the identity permission access to the key vault secrets, access keys, and certificates using the [`az role assignment create`][az-role-assignment-create] command.
181191
182192
```azurecli-interactive
183193
export IDENTITY_CLIENT_ID="$(az identity show -g <resource-group> --name <identity-name> --query 'clientId' -o tsv)"
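Review bot: "grants the identity permission access to the key vault secrets" is a grammatical regression; the original "permission to access the key vault secrets" was correct and should be restored. Since this identity is attached to the agent-pool VM itself (`az vm identity assign` above) rather than to a single pod, it would help readers to add a sentence recommending that the role be scoped to only the object types (secrets, keys or certificates) the workload actually mounts.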
@@ -258,9 +268,9 @@ A [Microsoft Entra Workload ID][workload-identity] is an identity that an applic
258268
kubectl apply -f pod.yaml
259269
```
260270
261-
## Validate the secrets
271+
## Validate Key Vault secrets
262272
263-
After the pod starts, the mounted content at the volume path that you specified in your deployment YAML is available. Use the following commands to validate your secrets and print a test secret.
273+
After the pod starts, the mounted content at the volume path specified in your deployment YAML is available. Use the following commands to validate your secrets and print a test secret.
264274
265275
1. Show secrets held in the secrets store using the following command.
266276
@@ -276,7 +286,7 @@ After the pod starts, the mounted content at the volume path that you specified
276286
277287
## Obtain certificates and keys
278288
279-
The Azure Key Vault design makes sharp distinctions between keys, secrets, and certificates. The certificate features of the Key Vault service were designed to make use of key and secret capabilities. When you create a key vault certificate, it creates an addressable key and secret with the same name. The key allows key operations, and the secret allows the retrieval of the certificate value as a secret.
289+
The Azure Key Vault design makes sharp distinctions between keys, secrets, and certificates. The certificate features of the Key Vault service are designed to make use of key and secret capabilities. When you create a key vault certificate, it creates an addressable key and secret with the same name. This key allows authentication operations, and the secret allows the retrieval of the certificate value as a secret.
280290
281291
A key vault certificate also contains public x509 certificate metadata. The key vault stores both the public and private components of your certificate in a secret. You can obtain each individual component by specifying the `objectType` in `SecretProviderClass`. The following table shows which objects map to the various resources associated with your certificate:
282292
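Review bot: "This key allows authentication operations" is less accurate than the sentence it replaces. The key that Key Vault creates alongside a certificate is a cryptographic key used for key operations, which is what the original "The key allows key operations" said and what the preceding sentence about key and secret capabilities sets up; keep the original wording. The tense change to "are designed" is fine.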
@@ -286,7 +296,7 @@ A key vault certificate also contains public x509 certificate metadata. The key
286296
|`cert`|The certificate, in PEM format.|No|
287297
|`secret`|The private key and certificate, in PEM format.|Yes|
288298
289-
## Disable the Azure Key Vault provider for Secrets Store CSI Driver on an existing AKS cluster
299+
## Disable the addon on existing clusters
290300
291301
> [!NOTE]
292302
> Before you disable the add-on, ensure that *no* `SecretProviderClass` is in use. Trying to disable the add-on while a `SecretProviderClass` exists results in an error.
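Review bot: the new heading spells it "addon" while the note directly beneath it, and the rest of the file, use "add-on"; use "Disable the add-on on an existing cluster". Dropping the provider name from the heading is acceptable since the page covers a single add-on, but it does give readers arriving from search less context.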
@@ -313,6 +323,7 @@ In this article, you learned how to create and provide an identity to access you
313323
[az-aks-show]: /cli/azure/aks#az-aks-show
314324
[az-identity-federated-credential-create]: /cli/azure/identity/federated-credential#az-identity-federated-credential-create
315325
[workload-identity]: ./workload-identity-overview.md
326+
[managed-identity]:/entra/identity/managed-identities-azure-resources/overview
316327
[az-account-set]: /cli/azure/account#az-account-set
317328
[az-identity-create]: /cli/azure/identity#az-identity-create
318329
[az-role-assignment-create]: /cli/azure/role/assignment#az-role-assignment-create
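Review bot: the added reference definition `[managed-identity]:/entra/identity/managed-identities-azure-resources/overview` lacks the space after the colon that every neighbouring definition has; it will still resolve, but match the style: `[managed-identity]: /entra/identity/managed-identities-azure-resources/overview`.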

articles/aks/deploy-confidential-containers-default-policy.md

Lines changed: 1 addition & 1 deletion
@@ -338,7 +338,7 @@ For this preview release, we recommend for test and evaluation purposes to eithe
338338
339339
```
340340
341-
1. Prepare the RSA Encryption/Decryption key by [downloading][download-setup-key-script] the Bash script for the workload from GitHub. Save the file as `setup-key.sh`.
341+
1. Prepare the RSA Encryption/Decryption key by [https://github.com/microsoft/confidential-container-demos/blob/main/kafka/setup-key.sh] the Bash script for the workload from GitHub. Save the file as `setup-key.sh`.
342342
343343
1. Set the `MAA_ENDPOINT` environmental variable to match the value for the `SkrClientMAAEndpoint` from the `consumer.yaml` manifest file by running the following command.
344344
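Review bot: this change breaks both the sentence and the link. `[https://github.com/microsoft/confidential-container-demos/blob/main/kafka/setup-key.sh]` with no `(...)` target or trailing `[ref]` is not a markdown link and renders as literal bracketed text, and the verb "downloading" was dropped, so the step now reads "Prepare the RSA Encryption/Decryption key by [https://...] the Bash script". If the intent was to inline the URL instead of the `[download-setup-key-script]` reference, write `[downloading](https://github.com/microsoft/confidential-container-demos/blob/main/kafka/setup-key.sh)`, and remove the now-unused reference definition if nothing else in the file uses it. Since the URL points at `blob/main`, readers fetch whatever that file is at the moment they follow the link; for a script that prepares the key material used in this workflow, consider linking to a tagged release or commit so the referenced content is fixed.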

articles/api-management/sql-data-source-policy.md

Lines changed: 4 additions & 4 deletions
@@ -209,7 +209,7 @@ The following example resolves a GraphQL query by making a single-result T-SQL r
209209
    </sql-statement>
210210
    <parameters>
211211
    <parameter name="@familyId">
212-
{context.GraphQL.Arguments.["id"]}
212+
@(context.GraphQL.Arguments["id"])
213213
</parameter>
214214
    </parameters>
215215
</request>
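Review bot: good fix. `{context.GraphQL.Arguments.["id"]}` is not valid policy-expression syntax (the `.[` indexer is not C#, and braces are not how API Management delimits an expression), so the original sample could not have been applied as written; `@(context.GraphQL.Arguments["id"])` is the correct single-statement expression form. Worth a sentence for readers that the value still flows into the `@familyId` SQL parameter rather than being concatenated into `<sql-statement>`, so the GraphQL argument is bound as a parameter and never interpreted as SQL; keep that pattern in any further examples.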
@@ -242,7 +242,7 @@ The query parameter is accessed using the `context.GraphQL.Arguments` context va
242242
    </sql-statement>
243243
    <parameters>
244244
    <parameter name="@familyId">
245-
{context.GraphQL.Arguments.["id"]}
245+
@(context.GraphQL.Arguments["id"])
246246
</parameter>
247247
    </parameters>
248248
</request>
@@ -288,10 +288,10 @@ The following example resolves a GraphQL mutation using a T-SQL INSERT statement
288288
    </sql-statement>
289289
    <parameters>
290290
    <parameter name="@familyId">
291-
{context.GraphQL.Arguments.["id"]}
291+
@(context.GraphQL.Arguments["id"])
292292
</parameter>
293293
    <parameter name="@familyName">
294-
{context.GraphQL.Arguments.["name"]}
294+
@(context.GraphQL.Arguments["name"])
295295
</parameter>
296296
    </parameters>
297297
</request>
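Review bot: the same correction is applied to both `@familyId` and `@familyName` in the INSERT mutation; `name` is free-form user input, so this is exactly the example where parameter binding matters, and the fix keeps it bound. Grep the rest of this file and the sibling data-source policy articles for remaining `Arguments.[` occurrences so no copy of the broken syntax survives.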
