Merge pull request #201577 from MicrosoftDocs/main

6/14 AM Publish

Author: huypub

.openpublishing.redirection.azure-monitor.json

@@ -203,7 +203,7 @@
         },
         {
             "source_path_from_root": "/articles/azure-monitor/alerts/alerts-managing-alert-instances.md" ,
-            "redirect_url": "/azure/azure-monitor/alerts/alerts-page.md",
+            "redirect_url": "/azure/azure-monitor/alerts/alerts-page",
             "redirect_document_id": false
         },
         {

articles/active-directory/develop/active-directory-v2-protocols.md

@@ -37,7 +37,7 @@ Four parties are typically involved in an OAuth 2.0 and OpenID Connect authentic
 
 ## Tokens
 
-The parties in an authentication flow use **bearer tokens** to assure identification (authentication) and to grant or deny access to protected resources (authorization). Bearer tokens in the Microsoft identity platform are formatted as [JSON Web Tokens](https://tools.ietf.org/html/rfc7519) (JWT).
+The parties in an authentication flow use **bearer tokens** to assure, verify, and authenticate a principal (user, host, or service) and to grant or deny access to protected resources (authorization). Bearer tokens in the Microsoft identity platform are formatted as [JSON Web Tokens](https://tools.ietf.org/html/rfc7519) (JWT).
 
 Three types of bearer tokens are used by the Microsoft identity platform as *security tokens*:
 

articles/active-directory/fundamentals/active-directory-get-started-premium.md

@@ -30,7 +30,7 @@ Before you sign up for Active Directory Premium 1 or Premium 2, you must first d
 Signing up using your Azure subscription with previously purchased and activated Azure AD licenses, automatically activates the licenses in the same directory. If that's not the case, you must still activate your license plan and your Azure AD access. For more information about activating your license plan, see [Activate your new license plan](#activate-your-new-license-plan). For more information about activating your Azure AD access, see [Activate your Azure AD access](#activate-your-azure-ad-access). 
 
 ## Sign up using your existing Azure or Microsoft 365 subscription
-As an Azure or Microsoft 365 subscriber, you can purchase the Azure Active Directory Premium editions online. For detailed steps, see [Buy or remove licenses](/microsoft-365/commerce/licenses/buy-licenses?view=o365-worldwide).
+As an Azure or Microsoft 365 subscriber, you can purchase the Azure Active Directory Premium editions online. For detailed steps, see [Buy or remove licenses](/microsoft-365/commerce/licenses/buy-licenses?view=o365-worldwide&preserve-view=true).
 
 ## Sign up using your Enterprise Mobility + Security licensing plan
 Enterprise Mobility + Security is a suite, comprised of Azure AD Premium, Azure Information Protection, and Microsoft Intune. If you already have an EMS license, you can get started with Azure AD, using one of these licensing options:

articles/active-directory/saas-apps/wikispaces-tutorial.md

@@ -102,7 +102,7 @@ To configure Azure AD single sign-on with Wikispaces, perform the following step
     `https://session.wikispaces.net/<instancename>`
 
 	> [!NOTE]
-	> These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Wikispaces Client support team](https://wikispaces.psu.edu/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+	> These values are not real. Update these values with the actual Sign on URL and Identifier. Contact Wikispaces Client support team to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
 
 5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
 
@@ -120,7 +120,7 @@ To configure Azure AD single sign-on with Wikispaces, perform the following step
 
 ### Configure Wikispaces Single Sign-On
 
-To configure single sign-on on **Wikispaces** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Wikispaces support team](https://wikispaces.psu.edu/). They set this setting to have the SAML SSO connection set properly on both sides.
+To configure single sign-on on **Wikispaces** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to Wikispaces support team. They set this setting to have the SAML SSO connection set properly on both sides.
 
 ### Create an Azure AD test user 
 
@@ -214,4 +214,4 @@ When you click the Wikispaces tile in the Access Panel, you should be automatica
 
 - [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
 
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)

articles/aks/certificate-rotation.md

@@ -55,7 +55,7 @@ az vmss run-command invoke -g MC_rg_myAKSCluster_region -n vmss-name --instance-
 
 ## Certificate Auto Rotation
 
-For AKS to automatically rotate non-CA certificates, the cluster must have [TLS Bootstrapping](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) which has been enabled by default in all Azure regions.
+For AKS to automatically rotate non-CA certificates, the cluster must have [TLS Bootstrapping](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/) which has been enabled by default in all Azure regions.
 
 > [!Note]
 > If you have an existing cluster you have to upgrade that cluster to enable Certificate Auto-Rotation.

articles/aks/internal-lb.md

@@ -105,7 +105,7 @@ You must have the following resource installed:
 
 ### Create a Private Link service connection
 
-To attach an Azure Private Link service to an internal load balancer, create a service manifest named `internal-lb-pls.yaml` with the service type *LoadBalancer* and the *azure-load-balancer-internal* and *azure-pls-create* annotation as shown in the example below.  For more options, refer to the [Azure Private Link Service Integration](https://kubernetes-sigs.github.io/cloud-provider-azure/development/design-docs/pls-integration/) design document
+To attach an Azure Private Link service to an internal load balancer, create a service manifest named `internal-lb-pls.yaml` with the service type *LoadBalancer* and the *azure-load-balancer-internal* and *azure-pls-create* annotation as shown in the example below.  For more options, refer to the [Azure Private Link Service Integration](https://kubernetes-sigs.github.io/cloud-provider-azure/topics/pls-integration/) design document
 
 ```yaml
 apiVersion: v1

articles/aks/operator-best-practices-cluster-security.md

@@ -22,7 +22,13 @@ This article focuses on how to secure your AKS cluster. You learn how to:
 
 You can also read the best practices for [container image management][best-practices-container-image-management] and for [pod security][best-practices-pod-security].
 
-You can also use [Azure Kubernetes Services integration with Defender for Cloud][security-center-aks] to help detect threats and view recommendations for securing your AKS clusters.
+
+## Enable threat protection
+
+> **Best practice guidance** 
+>
+> You can enable [Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) to help secure your containers. Defender for Containers can assess cluster configurations and provide security recommendations, run vulnerability scans, and provide real-time protection and alerting for Kubernetes nodes and clusters.
+
 
 ## Secure access to the API server and cluster nodes
 
@@ -335,4 +341,4 @@ For Windows Server nodes, regularly perform a node image upgrade operation to sa
 [pod-security-contexts]: developer-best-practices-pod-security.md#secure-pod-access-to-resources
 [aks-ssh]: ssh.md
 [security-center-aks]: ../defender-for-cloud/defender-for-kubernetes-introduction.md
-[node-image-upgrade]: node-image-upgrade.md
+[node-image-upgrade]: node-image-upgrade.md

articles/applied-ai-services/form-recognizer/quickstarts/try-v3-rest-api.md

@@ -119,11 +119,7 @@ After you've called the [**Analyze document**](https://westus.dev.cognitive.micr
 #### GET request
 
 ```bash
-<<<<<<< HEAD
-curl -v -X GET "{endpoint}/formrecognizer/documentModels/{model name}/analyzeResults/{resultId}?api-version=2022-06-30-preview" -H "Ocp-Apim-Subscription-Key: {key}"
-=======
 curl -v -X GET "{endpoint}/formrecognizer/documentModels/{modelID}/analyzeResults/{resultId}?api-version=2022-06-30-preview" -H "Ocp-Apim-Subscription-Key: {key}"
->>>>>>> resolve-merge-conflict
 ```
 
 #### Examine the response

articles/azure-arc/servers/learn/media/quick-enable-hybrid-vm/enabled-machine.png

@@ -42,33 +42,54 @@ If you are onboarding machines to Azure Arc-enabled servers, copy the following
       subscription_id: 'INSERT-SUBSCRIPTION-ID'
       location: 'INSERT-LOCATION'
   tasks:
+	- name: Check if the Connected Machine Agent has already been downloaded on Linux servers
+	  stat:
+	  	path: /usr/bin/azvmagent
+	  	get_attributes: False
+	  	get_checksum: False
+	  	get_mine: azcmagent_downloaded 
+        register: azcmagent_downloaded
+	  when: ansible_system == 'Linux'
+	- name: Check if the Connected Machine Agent has already been downloaded on Windows servers
+	  stat:
+	  	path: C:\Program Files\AzureConnectedMachineAgent
+	  	get_attributes: False
+	  	get_checksum: False
+	  	get_mine: azcmagent_downloaded 
+        register: azcmagent_downloaded
+	  when: ansible_system == 'Windows'
       - name: Download the Connected Machine Agent on Linux servers
         become: yes
         get_url:
           url: https://aka.ms/azcmagent
           dest: ~/install_linux_azcmagent.sh
           mode: '700'
-        when: ansible_system == 'Linux'
+        when: (ansible_system == 'Linux') and (not azcmagent_downloaded.stat.exists)
       - name: Download the Connected Machine Agent on Windows servers
         win_get_url:
           url: https://aka.ms/AzureConnectedMachineAgent
           dest: C:\AzureConnectedMachineAgent.msi
-        when: ansible_os_family == 'Windows'
+        when: (ansible_os_family == 'Windows') and (not azcmagent_downloaded.stat.exists)
       - name: Install the Connected Machine Agent on Linux servers
         become: yes
         shell: bash ~/install_linux_azcmagent.sh
-        when: ansible_system == 'Linux'
+        when: (ansible_system == 'Linux') and (not azcmagent_downloaded.stat.exists)
       - name: Install the Connected Machine Agent on Windows servers
         win_package:
           path: C:\AzureConnectedMachineAgent.msi
-        when: ansible_os_family == 'Windows'
+        when: (ansible_os_family == 'Windows') and (not azcmagent_downloaded.stat.exists)
+	- name: Check if the Connected Machine Agent has already been connected
+	  become: true 
+	  command:
+	  	cmd: azcmagent show --join
+        register: azcmagent_connected
       - name: Connect the Connected Machine Agent on Linux servers to Azure Arc
         become: yes
         shell: sudo azcmagent connect --service-principal-id {{ azure.service_principal_id }} --service-principal-secret {{ azure.service_principal_secret }} --resource-group {{ azure.resource_group }} --tenant-id {{ azure.tenant_id }} --location {{ azure.location }} --subscription-id {{ azure.subscription_id }}
-        when: ansible_system == 'Linux'
+        when: (azcmagent_connected.rc == 0) and (ansible_system == 'Linux')
       - name: Connect the Connected Machine Agent on Windows servers to Azure
         win_shell: '& $env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe connect --service-principal-id "{{ azure.service_principal_id }}" --service-principal-secret "{{ azure.service_principal_secret }}" --resource-group "{{ azure.resource_group }}" --tenant-id "{{ azure.tenant_id }}" --location "{{ azure.location }}" --subscription-id "{{ azure.subscription_id }}"'
-        when: ansible_os_family == 'Windows'
+        when: (azcmagent_connected.rc == 0) and (ansible_os_family == 'Windows')
 ```
 
 ## Modify the Ansible playbook
@@ -77,15 +98,17 @@ After downloading the Ansible playbook, complete the following steps:
 
 1. Within the Ansible playbook, modify the variables under the **vars section** with the service principal and Azure details collected earlier:
 
-    * Service Principal Id
+    * Service Principal ID
     * Service Principal Secret
     * Resource Group
-    * Tenant Id
-    * Subscription Id
+    * Tenant ID
+    * Subscription ID
     * Region
 
 1. Enter the correct hosts field capturing the target servers for onboarding to Azure Arc. You can employ [Ansible patterns](https://docs.ansible.com/ansible/latest/user_guide/intro_patterns.html#common-patterns) to selectively target which hybrid machines to onboard.
 
+1. This template passes the service principal secret as a variable in the Ansible playbook. Please note that an [Ansible vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) could be used to encrypt this secret and the variables could be passed through a configuration file.
+
 ## Run the Ansible playbook
 
 From the Ansible control node, run the Ansible playbook by invoking the `ansible-playbook` command: