Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into prometheus-curation

Author: EdB-MSFT

articles/ai-services/speech-service/role-based-access-control.md

@@ -59,7 +59,7 @@ If Speech Studio uses your Microsoft Entra token, but the Speech resource doesn'
 
 | Authentication credential | Feature availability | 
 | ---| ---|  
-|Speech resource key|Full access limited only by the assigned role permissions.|
+|Speech resource key|Full access. Role configuration is ignored if resource key is used.|
 |Microsoft Entra token with custom subdomain and private endpoint|Full access limited only by the assigned role permissions.|
 |Microsoft Entra token without custom subdomain and private endpoint (not recommended)|Features are limited. For example, the Speech resource can be used to train a custom speech model or custom neural voice. But you can't use a custom speech model or custom neural voice.|
 

articles/app-service/includes/tutorial-connect-msi-azure-database/code-sql-mi.md

@@ -2,7 +2,7 @@
 author: xfz11
 ms.service: service-connector
 ms.topic: include
-ms.date: 10/26/2023
+ms.date: 04/17/2024
 ms.author: xiaofanzhou
 ---
 
@@ -18,6 +18,10 @@ ms.author: xiaofanzhou
 
     ```csharp
     using Microsoft.Data.SqlClient;
+
+    // AZURE_SQL_CONNECTIONSTRING should be one of the following:
+    // For system-assigned managed identity:"Server=tcp:<server-name>.database.windows.net;Database=<database-name>;Authentication=Active Directory Default;TrustServerCertificate=True"
+    // For user-assigned managed identity: "Server=tcp:<server-name>.database.windows.net;Database=<database-name>;Authentication=Active Directory Default;User Id=<client-id-of-user-assigned-identity>;TrustServerCertificate=True"
     
     string connectionString = 
         Environment.GetEnvironmentVariable("AZURE_SQL_CONNECTIONSTRING")!;
@@ -77,7 +81,7 @@ For more information, see [Connect using Microsoft Entra authentication](/sql/co
     python -m pip install pyodbc
     ```
 
-1. Get the Azure SQL Database connection configurations from the environment variable added by Service Connector. When using the code below, uncomment the part of the code snippet for the authentication type you want to use.
+1. Get the Azure SQL Database connection configurations from the environment variable added by Service Connector. Uncomment the part of the code snippet for the authentication type you want to use.
     ```python
     import os;
     import pyodbc
@@ -105,7 +109,7 @@ For more information, see [Connect using Microsoft Entra authentication](/sql/co
     ```bash
     npm install mssql
     ```
-1. Get the Azure SQL Database connection configurations from the environment variables added by Service Connector. When using the code below, uncomment the part of the code snippet for the authentication type you want to use.
+1. Get the Azure SQL Database connection configurations from the environment variables added by Service Connector. Uncomment the part of the code snippet for the authentication type you want to use.
     ```javascript
     import sql from 'mssql';
     

articles/app-service/tutorial-connect-msi-sql-database.md

@@ -6,7 +6,7 @@ ms.author: cephalin
 
 ms.devlang: csharp
 ms.topic: tutorial
-ms.date: 04/01/2023
+ms.date: 04/17/2024
 ms.custom: devx-track-csharp, mvc, cli-validate, devx-track-azurecli, devx-track-dotnet, AppServiceConnectivity
 ---
 # Tutorial: Connect to SQL Database from .NET App Service without secrets using a managed identity
@@ -158,8 +158,7 @@ The steps you follow for your project depends on whether you're using [Entity Fr
     ```
 
     > [!NOTE]
-    > The [Active Directory Default](/sql/connect/ado-net/sql/azure-active-directory-authentication#using-active-directory-default-authentication) authentication type can be used both on your local machine and in Azure App Service. The driver attempts to acquire a token from Microsoft Entra ID using various means. If the app is deployed, it gets a token from the app's managed identity. If the app is running locally, it tries to get a token from Visual Studio, Visual Studio Code, and Azure CLI.
-    >
+    > The [Active Directory Default](/sql/connect/ado-net/sql/azure-active-directory-authentication#using-active-directory-default-authentication) authentication type can be used both on your local machine and in Azure App Service. The driver attempts to acquire a token from Microsoft Entra ID using various means. If the app is deployed, it gets a token from the app's system-assigned managed identity. It can also authenticate with a user-assigned managed identity if you include: `User Id=<client-id-of-user-assigned-managed-identity>;` in your connection string. If the app is running locally, it tries to get a token from Visual Studio, Visual Studio Code, and Azure CLI.
 
     That's everything you need to connect to SQL Database. When you debug in Visual Studio, your code uses the Microsoft Entra user you configured in [2. Set up your dev environment](#2-set-up-your-dev-environment). You'll set up SQL Database later to allow connection from the managed identity of your App Service app. The `DefaultAzureCredential` class caches the token in memory and retrieves it from Microsoft Entra ID just before expiration. You don't need any custom code to refresh the token.
 
@@ -176,13 +175,23 @@ The steps you follow for your project depends on whether you're using [Entity Fr
 1. In your DbContext object (in *Models/MyDbContext.cs*), add the following code to the default constructor.
 
     ```csharp
+    Azure.Identity.DefaultAzureCredential credential;
+    var managedIdentityClientId = ConfigurationManager.AppSettings["ManagedIdentityClientId"];
+    if(managedIdentityClientId != null ) {
+        //User-assigned managed identity Client ID is passed in via ManagedIdentityClientId
+        var defaultCredentialOptions = new DefaultAzureCredentialOptions { ManagedIdentityClientId = managedIdentityClientId };
+        credential = new Azure.Identity.DefaultAzureCredential(defaultCredentialOptions);
+    }
+    else {
+        //System-assigned managed identity or logged-in identity of Visual Studio, Visual Studio Code, Azure CLI or Azure PowerShell
+        credential = new Azure.Identity.DefaultAzureCredential();
+    }
     var conn = (System.Data.SqlClient.SqlConnection)Database.Connection;
-    var credential = new Azure.Identity.DefaultAzureCredential();
     var token = credential.GetToken(new Azure.Core.TokenRequestContext(new[] { "https://database.windows.net/.default" }));
     conn.AccessToken = token.Token;
     ```
     
-    This code uses [Azure.Identity.DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) to get a useable token for SQL Database from Microsoft Entra ID and then adds it to the database connection. While you can customize `DefaultAzureCredential`, by default it's already versatile. When it runs in App Service, it uses app's system-assigned managed identity. When it runs locally, it can get a token using the logged-in identity of Visual Studio, Visual Studio Code, Azure CLI, and Azure PowerShell.
+    This code uses [Azure.Identity.DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) to get a useable token for SQL Database from Microsoft Entra ID and then adds it to the database connection. While you can customize `DefaultAzureCredential`, by default it's already versatile. When it runs in App Service, it uses the app's system-assigned managed identity by default. If you prefer to use a user-assigned managed identity, add a new App setting named `ManagedIdentityClientId` and enter the `Client Id` GUID from your user-assigned managed identity in the `value` field.   When it runs locally, it can get a token using the logged-in identity of Visual Studio, Visual Studio Code, Azure CLI, and Azure PowerShell.
 
 1. In *Web.config*, find the connection string called `MyDbConnection` and replace its `connectionString` value with `"server=tcp:<server-name>.database.windows.net;database=<db-name>;"`. Replace _\<server-name>_ and _\<db-name>_ with your server name and database name. This connection string is used by the default constructor in *Models/MyDbContext.cs*.
     

articles/automation/automation-managing-data.md

@@ -12,9 +12,9 @@ ms.custom:
 
 This article contains several topics explaining how data is protected and secured in an Azure Automation environment.
 
-## TLS 1.2 or higher for Azure Automation
+## TLS for Azure Automation
 
-To ensure the security of data in transit to Azure Automation, we strongly encourage you to configure the use of Transport Layer Security (TLS) 1.2 or higher. The following are a list of methods or clients that communicate over HTTPS to the Automation service:
+To ensure the security of data in transit to Azure Automation, we strongly encourage you to configure the use of Transport Layer Security (TLS). The following are a list of methods or clients that communicate over HTTPS to the Automation service:
 
 * Webhook calls
 
@@ -24,11 +24,11 @@ To ensure the security of data in transit to Azure Automation, we strongly encou
 
 Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable and while they still currently work to allow backwards compatibility, they are **not recommended**. We do not recommend explicitly setting your agent to only use TLS 1.2 unless its necessary, as it can break platform level security features that allow you to automatically detect and take advantage of newer more secure protocols as they become available, such as TLS 1.3.
 
-For information about TLS 1.2 support with the Log Analytics agent for Windows and Linux, which is a dependency for the Hybrid Runbook Worker role, see [Log Analytics agent overview - TLS 1.2](../azure-monitor/agents/log-analytics-agent.md#tls-12-protocol).
+For information about TLS support with the Log Analytics agent for Windows and Linux, which is a dependency for the Hybrid Runbook Worker role, see [Log Analytics agent overview - TLS](../azure-monitor/agents/log-analytics-agent.md#tls-protocol).
 
 ### Upgrade TLS protocol for Hybrid Workers and Webhook calls
 
-From **31 October 2024**, all agent-based and extension-based User Hybrid Runbook Workers, Webhooks, and DSC nodes using Transport Layer Security (TLS) 1.0 and 1.1 protocols would no longer be able to connect to Azure Automation.  All jobs running or scheduled on Hybrid Workers using TLS 1.0 and 1.1 protocols would fail. 
+From **31 October 2024**, all agent-based and extension-based User Hybrid Runbook Workers, Webhooks, and DSC nodes using Transport Layer Security (TLS) 1.0 and 1.1 protocols would no longer be able to connect to Azure Automation.  All jobs running or scheduled on Hybrid Workers using TLS 1.0 and 1.1 protocols will fail. 
 
 Ensure that the Webhook calls that trigger runbooks navigate on TLS 1.2 or higher. Ensure to make registry changes so that Agent and Extension based workers negotiate only on TLS 1.2 and higher protocols. Learn how to [disable TLS 1.0/1.1 protocols on Windows Hybrid Worker and enable TLS 1.2 or above](/system-center/scom/plan-security-tls12-config#configure-windows-operating-system-to-only-use-tls-12-protocol) on Windows machine. 
 

articles/automation/automation-network-configuration.md

@@ -30,7 +30,7 @@ If your nodes are located in a private network, the port and URLs defined above
 
 If you are using DSC resources that communicate between nodes, such as the [WaitFor resources](/powershell/dsc/reference/resources/windows/waitForAllResource), you also need to allow traffic between nodes. See the documentation for each DSC resource to understand these network requirements.
 
-To understand client requirements for TLS 1.2 or higher, see [TLS 1.2 or higher for Azure Automation](automation-managing-data.md#tls-12-or-higher-for-azure-automation).
+To understand client requirements for TLS 1.2 or higher, see [TLS 1.2 or higher for Azure Automation](automation-managing-data.md#tls-for-azure-automation).
 
 ## Update Management and Change Tracking and Inventory
 

articles/automation/automation-webhooks.md

@@ -14,7 +14,7 @@ A webhook allows an external service to start a particular runbook in Azure Auto
 
 ![WebhooksOverview](media/automation-webhooks/webhook-overview-image.png)
 
-To understand client requirements for TLS 1.2 or higher with webhooks, see [TLS 1.2 or higher for Azure Automation](automation-managing-data.md#tls-12-or-higher-for-azure-automation).
+To understand client requirements for TLS 1.2 or higher with webhooks, see [TLS for Azure Automation](automation-managing-data.md#tls-for-azure-automation).
 
 ## Webhook properties
 

articles/automation/change-tracking/overview-monitoring-agent.md

@@ -65,7 +65,7 @@ The following table shows the tracked item limits per machine for change trackin
 
 Change Tracking and Inventory is supported on all operating systems that meet Azure Monitor agent requirements. See [supported operating systems](../../azure-monitor/agents/agents-overview.md#supported-operating-systems) for a list of the Windows and Linux operating system versions that are currently supported by the Azure Monitor agent.
 
-To understand client requirements for TLS 1.2 or higher, see [TLS 1.2 or higher for Azure Automation](../automation-managing-data.md#tls-12-or-higher-for-azure-automation).
+To understand client requirements for TLS, see [TLS for Azure Automation](../automation-managing-data.md#tls-for-azure-automation).
 
 
 ## Enable Change Tracking and Inventory

articles/automation/change-tracking/overview.md

@@ -70,7 +70,7 @@ For limits that apply to Change Tracking and Inventory, see [Azure Automation se
 
 Change Tracking and Inventory is supported on all operating systems that meet Log Analytics agent requirements. See [supported operating systems](../../azure-monitor/agents/agents-overview.md#supported-operating-systems) for a list of the Windows and Linux operating system versions that are currently supported by the Log Analytics agent.
 
-To understand client requirements for TLS 1.2 or higher, see [TLS 1.2 or higher for Azure Automation](../automation-managing-data.md#tls-12-or-higher-for-azure-automation).
+To understand client requirements for TLS 1.2 or higher, see [TLS for Azure Automation](../automation-managing-data.md#tls-for-azure-automation).
 
 ### Python requirement
 

articles/automation/update-management/operating-system-requirements.md

@@ -63,7 +63,7 @@ The following table lists operating systems not supported by Update Management:
 
 ## System requirements
 
-The section describes operating system-specific requirements. For additional guidance, see [Network planning](plan-deployment.md#ports). To understand requirements for TLS 1.2 or higher, see [TLS 1.2 or higher for Azure Automation](../automation-managing-data.md#tls-12-or-higher-for-azure-automation).
+The section describes operating system-specific requirements. For additional guidance, see [Network planning](plan-deployment.md#ports). To understand requirements for TLS 1.2 or higher, see [TLS for Azure Automation](../automation-managing-data.md#tls-for-azure-automation).
 
 # [Windows](#tab/sr-win)
 

articles/automation/whats-new-archive.md

@@ -319,7 +319,7 @@ Automation support of service tags allows or denies the traffic for the Automati
 
 **Type:** Plan for change
 
-Azure Automation fully supports [TLS 1.2 or higher](../automation/automation-managing-data.md#tls-12-or-higher-for-azure-automation) and all client calls (through webhooks, DSC nodes, and hybrid worker). TLS 1.1 and TLS 1.0 are still supported for backward compatibility with older clients until customers standardize and fully migrate to TLS 1.2.
+Azure Automation fully supports [TLS 1.2 or higher](../automation/automation-managing-data.md#tls-for-azure-automation) and all client calls (through webhooks, DSC nodes, and hybrid worker). TLS 1.1 and TLS 1.0 are still supported for backward compatibility with older clients until customers standardize and fully migrate to TLS 1.2.
 
 ## January 2020