Merge pull request #188091 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)

Author: huypub

articles/active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md

@@ -173,9 +173,12 @@ Because these are _application permissions_, not delegated permissions, an admin
 
 The **Status** column should reflect that consent has been **Granted for \<tenant name\>**.
 
-## Use app roles in your web API
+<a name="use-app-roles-in-your-web-api"></a>
+## Usage scenario of app roles
 
-Once you've defined app roles and assigned them to a user, group, or application, your next step is to add code to your web API that checks for those roles when the API is called. That is, when a client app requests an API operation you've decided requires authorization, your API's code must verify the scopes are in the access token presented in the client app's call.
+If you're implementing app role business logic that signs in the users in your application scenario, first define the app roles in **App registration**. Then, an admin assigns them to users and groups in the **Enterprise applications** pane. These assigned app roles are included with any token that's issued for your application, either access tokens when your app is the API being called by an app or ID tokens when your app is signing in a user. 
+
+If you're implementing app role business logic in an app-calling-API scenario, you have two app registrations. One app registration is for the app, and a second app registration is for the API. In this case, define the app roles and assign them to the user or group in the app registration of the API. When the user authenticates with the app and requests an access token to call the API, a roles claim is included in the access token. Your next step is to add code to your web API to check for those roles when the API is called.
 
 To learn how to add authorization to your web API, see [Protected web API: Verify scopes and app roles](scenario-protected-web-api-verification-scope-app-roles.md).
 

articles/active-directory/develop/scenario-desktop-acquire-token-wam.md

@@ -40,8 +40,9 @@ Using an authentication broker such as WAM has numerous benefits.
 
 ## WAM limitations
 
-- B2C authorities are not supported.
-- Available on Win10, Win Server 2016, Win Server 2019. On Mac, Linux and earlier Windows, MSAL will fallback to a browser.
+- B2C and ADFS authorities are not supported. MSAL will fallback to a browser.
+- Available on Win10+ and Win Server 2019+. On Mac, Linux and earlier Windows MSAL will fallback to a browser.
+- Not available on Xbox.
 
 ## WAM calling pattern
 

articles/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles.md

@@ -20,7 +20,7 @@ ms.custom: aaddev
 
 This article describes how you can add authorization to your web API. This protection ensures that the API is called only by:
 
-- Applications on behalf of users who have the right scopes.
+- Applications on behalf of users who have the right scopes and roles.
 - Daemon apps that have the right application roles.
 
 The code snippets in this article are extracted from the following code samples on GitHub:
@@ -277,29 +277,20 @@ public class TodoListController : ApiController
     }
 ```
 
-Instead, you can use the [Authorize(Roles = "role")] attributes on the controller or an action (or a razor page).
+
+Instead, you can use the [Authorize(Roles = "access_as_application")] attributes on the controller or an action (or a razor page).
 
 ```CSharp
-[Authorize(Roles = "role")]
+[Authorize(Roles = "access_as_application")]
 MyController : ApiController
 {
     // ...
 }
 ```
 
-But for this, you'll need to map the Role claim to "roles" in the Startup.cs file:
-
-```CSharp
- services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
- {
-    // The claim in the Jwt token where App roles are available.
-    options.TokenValidationParameters.RoleClaimType = "roles";
- });
-```
-
-This isn't the best solution if you also need to do authorization based on groups.
+[Role-based authorization in ASP.NET Core](/aspnet/core/security/authorization/roles) lists several approaches to implement role based authorization. Developers can choose one among them which suits to their respective scenarios.
 
-For details, see the web app incremental tutorial on [authorization by roles and groups](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ).
+For working samples, see the web app incremental tutorial on [authorization by roles and groups](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ).
 
 ### [ASP.NET Classic](#tab/aspnet)
 
@@ -340,9 +331,13 @@ For a full version of `ValidateAppRole` for ASP.NET Core, see [_RolesRequiredHtt
 
 ---
 
-### Accepting app-only tokens if the web API should be called only by daemon apps
+### Verify app roles in APIs called on behalf of users
+
+Users can also use roles claims in user assignment patterns, as shown in [How to add app roles in your application and receive them in the token](howto-add-app-roles-in-azure-ad-apps.md). If the roles are assignable to both, checking roles will let apps sign in as users and users sign in as apps. We recommend that you declare different roles for users and apps to prevent this confusion.
 
-Users can also use roles claims in user assignment patterns, as shown in [How to: Add app roles in your application and receive them in the token](howto-add-app-roles-in-azure-ad-apps.md). If the roles are assignable to both, checking roles will let apps sign in as users and users to sign in as apps. We recommend that you declare different roles for users and apps to prevent this confusion.
+If you have defined app roles with user/group, then roles claim can also be verified in the API along with scopes. The verification logic of the app roles in this scenario remains same as if API is called by the daemon apps since there is no differentiation in the role claim for user/group and application. 
+
+### Accepting app-only tokens if the web API should be called only by daemon apps
 
 If you want only daemon apps to call your web API, add the condition that the token is an app-only token when you validate the app role.
 

articles/aks/gpu-multi-instance.md

@@ -164,17 +164,17 @@ Use the `kubectl` run command to schedule work using single strategy:
 kubectl run -it --rm \
 --image=nvidia/cuda:11.0-base \
 --restart=Never \
---limits=nvidia.com/mig-1g.5gb=1 \
-mixed-strategy-example -- nvidia-smi -L
+--limits=nvidia.com/gpu=1 \
+single-strategy-example -- nvidia-smi -L
 ```
 
 Use the `kubectl` run command to schedule work using mixed strategy:
 ```
 kubectl run -it --rm \
 --image=nvidia/cuda:11.0-base \
 --restart=Never \
---limits=nvidia.com/gpu=1 \
-single-strategy-example -- nvidia-smi -L
+--limits=nvidia.com/mig-1g.5gb=1 \
+mixed-strategy-example -- nvidia-smi -L
 ```
 
 

articles/cognitive-services/Translator/custom-translator/overview.md

@@ -21,10 +21,8 @@ Custom Translator supports more than three dozen languages, and maps directly to
 
 This documentation contains the following article types:
 
-* [**Quickstarts**](quickstart-build-deploy-custom-model.md) are getting-started instructions to guide you through making requests to the service.  
-* [**How-to guides**](how-to-create-project.md) contain instructions for using the feature in more specific or customized ways.  
-* [**Concepts**](workspace-and-project.md) provide in-depth explanations of the feature functionality.  
-
+* [**Quickstarts**](./v2-preview/quickstart.md) are getting-started instructions to guide you through making requests to the service.  
+* [**How-to guides**](./v2-preview/how-to/create-manage-workspace.md) contain instructions for using the feature in more specific or customized ways.  
 
 ## Features
 
@@ -33,10 +31,10 @@ Custom Translator provides different features to build custom translation system
 |Feature  |Description  |
 |---------|---------|
 |[Apply neural machine translation technology](https://www.microsoft.com/translator/blog/2016/11/15/microsoft-translator-launching-neural-network-based-translations-for-all-its-speech-languages/)     |  Improve your translation by applying neural machine translation (NMT) provided by Custom translator.       |
-|[Build systems that knows your business terminology](what-are-parallel-documents.md)     |  Customize and build translation systems using parallel documents, that understand the terminologies used in your own business and industry.       |
-|[Use a dictionary to build your models](what-is-dictionary.md)     |   If you don't have training data set, you can train a model with only dictionary data.       |
-|[Collaborate with others](how-to-manage-settings.md#share-your-workspace)     |   Collaborate with your team by sharing your work with different people.     |
-|[Access your custom translation model](../reference/v3-0-translate.md?tabs=curl)     |  Your custom translation model can be accessed anytime by your existing applications/ programs via Microsoft Translator Text API V3.       |
+|[Build systems that knows your business terminology](./v2-preview/beginners-guide.md)     |  Customize and build translation systems using parallel documents, that understand the terminologies used in your own business and industry.       |
+|[Use a dictionary to build your models](./v2-preview/how-to/train-custom-model.md#when-to-select-dictionary-only-training)     |   If you don't have training data set, you can train a model with only dictionary data.       |
+|[Collaborate with others](./v2-preview/how-to/create-manage-workspace.md#manage-workspace-settings)     |   Collaborate with your team by sharing your work with different people.     |
+|[Access your custom translation model](./v2-preview/how-to/translate-with-custom-model.md)     |  Your custom translation model can be accessed anytime by your existing applications/ programs via Microsoft Translator Text API V3.       |
 
 ## Get better translations
 
@@ -67,4 +65,4 @@ Custom systems can be seamlessly accessed and integrated into any product or bus
 
 - Read about [pricing details](https://azure.microsoft.com/pricing/details/cognitive-services/translator-text-api/).
 
-- With [Quickstart](quickstart-build-deploy-custom-model.md) learn to build a translation model in Custom Translator.
+- With [Quickstart](./v2-preview/quickstart.md) learn to build a translation model in Custom Translator.

articles/cognitive-services/Translator/reference/v3-0-reference.md

@@ -40,7 +40,7 @@ To force the request to be handled within a specific geography, use the desired
 <sup>1</sup> Customers with a resource located in Switzerland North or Switzerland West can ensure that their Text API requests are served within Switzerland. To ensure that requests are handled in Switzerland, create the Translator resource in the 'Resource region' 'Switzerland North' or 'Switzerland West', then use the resource's custom endpoint in your API requests. For example: If you create a Translator resource in Azure portal with 'Resource region' as 'Switzerland North' and your resource name is 'my-ch-n', then your custom endpoint is "https://my-ch-n.cognitiveservices.azure.com". And a sample request to translate is:
 ```curl
 // Pass secret key and region using headers to a custom endpoint
-curl -X POST " my-ch-n.cognitiveservices.azure.com/translator/text/v3.0/translate?to=fr" \
+curl -X POST " my-ch-n.cognitiveservices.azure.com/translate?to=fr" \
 -H "Ocp-Apim-Subscription-Key: xxx" \
 -H "Ocp-Apim-Subscription-Region: switzerlandnorth" \
 -H "Content-Type: application/json" \
@@ -126,7 +126,7 @@ Alternatively, you can exchange your secret key for an access token. This token
 | Global          | `https://api.cognitive.microsoft.com/sts/v1.0/issueToken` |
 | Regional or Multi-Service | `https://<your-region>.api.cognitive.microsoft.com/sts/v1.0/issueToken` |
 
-Here are example requests to obtain a token given a secret key:
+Here are example requests to obtain a token given a secret key for a global resource:
 
 ```curl
 // Pass secret key using header
@@ -136,6 +136,16 @@ curl --header 'Ocp-Apim-Subscription-Key: <your-key>' --data "" 'https://api.cog
 curl --data "" 'https://api.cognitive.microsoft.com/sts/v1.0/issueToken?Subscription-Key=<your-key>'
 ```
 
+And here are example requests to obtain a token given a secret key for a regional resource located in Central US:
+
+```curl
+// Pass secret key using header
+curl --header "Ocp-Apim-Subscription-Key: <your-key>" --data "" "https://centralus.api.cognitive.microsoft.com/sts/v1.0/issueToken"
+
+// Pass secret key using query string parameter
+curl --data "" "https://centralus.api.cognitive.microsoft.com/sts/v1.0/issueToken?Subscription-Key=<your-key>"
+```
+
 A successful request returns the encoded access token as plain text in the response body. The valid token is passed to the Translator service as a bearer token in the Authorization.
 
 ```http
@@ -173,7 +183,7 @@ An authentication token is valid for 10 minutes. The token should be reused when
 ```curl
  // Using headers, pass a bearer token generated by Azure AD, resource ID, and the region.
 
-curl -X POST "https://api.cognitive.microsofttranslator.com/translator/text/v3.0/translate?api-version=3.0&to=es" \
+curl -X POST "https://api.cognitive.microsofttranslator.com/translate?api-version=3.0&to=es" \
      -H "Authorization: Bearer <Base64-access_token>"\
      -H "Ocp-Apim-ResourceId: <Resource ID>" \
      -H "Ocp-Apim-Subscription-Region: <your-region>" \
@@ -186,7 +196,7 @@ curl -X POST "https://api.cognitive.microsofttranslator.com/translator/text/v3.0
 ```curl
 // Using headers, pass a bearer token generated by Azure AD.
 
-curl -X POST https://<your-custom-domain>.cognitiveservices.azure.com/translator/text/v3.0/translate?api-version=3.0&to=es \
+curl -X POST https://<your-custom-domain>.cognitiveservices.azure.com/translate?api-version=3.0&to=es \
      -H "Authorization: Bearer <Base64-access_token>"\
      -H "Content-Type: application/json" \
      -data-raw "[{'Text':'Hello, friend.'}]"
@@ -201,7 +211,7 @@ Translator v3.0 also supports authorizing access to managed identities. If a man
 ```curl
 // Using headers, pass a bearer token generated either by Azure AD or Managed Identities, resource ID, and the region.
 
-curl -X POST https://api.cognitive.microsofttranslator.com/translator/text/v3.0/translate?api-version=3.0&to=es \
+curl -X POST https://api.cognitive.microsofttranslator.com/translate?api-version=3.0&to=es \
      -H "Authorization: Bearer <Base64-access_token>"\
      -H "Ocp-Apim-ResourceId: <Resource ID>" \
      -H "Ocp-Apim-Subscription-Region: <your-region>" \
@@ -214,7 +224,7 @@ curl -X POST https://api.cognitive.microsofttranslator.com/translator/text/v3.0/
 ```curl
 //Using headers, pass a bearer token generated by Managed Identities.
 
-curl -X POST https://<your-custom-domain>.cognitiveservices.azure.com/translator/text/v3.0/translate?api-version=3.0&to=es \
+curl -X POST https://<your-custom-domain>.cognitiveservices.azure.com/translate?api-version=3.0&to=es \
      -H "Authorization: Bearer <Base64-access_token>"\
      -H "Content-Type: application/json" \
      -data-raw "[{'Text':'Hello, friend.'}]"
@@ -237,7 +247,7 @@ Here's an example request to call the Translator using the custom endpoint
 
 ```curl
 // Pass secret key and region using headers
-curl -X POST "https://<your-custom-domain>.cognitiveservices.azure.com/translator/text/v3.0/translate?api-version=3.0&to=es" \
+curl -X POST "https://<your-custom-domain>.cognitiveservices.azure.com/translate?api-version=3.0&to=es" \
      -H "Ocp-Apim-Subscription-Key:<your-key>" \
      -H "Ocp-Apim-Subscription-Region:<your-region>" \
      -H "Content-Type: application/json" \

articles/confidential-ledger/quickstart-python.md

@@ -94,7 +94,7 @@ credential = DefaultAzureCredential()
 We'll finish setup by setting some variables for use in your application: the resource group (myResourceGroup), the name of ledger you want to create, and two urls to be used by the data plane client library.
 
   > [!Important]
-  > Each ledger must have a globally unique name. Replace \<your-unique-keyvault-name\> with the name of your ledger in the following example.
+  > Each ledger must have a globally unique name. Replace \<your-unique-ledger-name\> with the name of your ledger in the following example.
 
 ```python
 resource_group = "myResourceGroup"

articles/storage/blobs/storage-how-to-mount-container-linux.md

@@ -146,6 +146,9 @@ To mount blobfuse, run the following command with your user. This command mounts
 sudo blobfuse ~/mycontainer --tmp-path=/mnt/resource/blobfusetmp  --config-file=/path/to/fuse_connection.cfg -o attr_timeout=240 -o entry_timeout=240 -o negative_timeout=120
 ```
 
+> [!NOTE]
+> If you use an ADLS account, you must include `--use-adls=true`.
+
 You should now have access to your block blobs through the regular file system APIs. The user who mounts the directory is the only person who can access it, by default, which secures the access. To allow access to all users, you can mount via the option `-o allow_other`.
 
 ```bash

articles/virtual-machines/spot-vms.md

@@ -18,7 +18,7 @@ ms.reviewer: cynthn
 
 Using Azure Spot Virtual Machines allows you to take advantage of our unused capacity at a significant cost savings. At any point in time when Azure needs the capacity back, the Azure infrastructure will evict Azure Spot Virtual Machines. Therefore, Azure Spot Virtual Machines are great for workloads that can handle interruptions like batch processing jobs, dev/test environments, large compute workloads, and more.
 
-The amount of available capacity can vary based on size, region, time of day, and more. When deploying Azure Spot Virtual Machines, Azure will allocate the VMs if there is capacity available, but there is no SLA for these VMs. A Azure Spot Virtual Machine offers no high availability guarantees. At any point in time when Azure needs the capacity back, the Azure infrastructure will evict Azure Spot Virtual Machines with 30 seconds notice. 
+The amount of available capacity can vary based on size, region, time of day, and more. When deploying Azure Spot Virtual Machines, Azure will allocate the VMs if there is capacity available, but there is no SLA for these VMs. An Azure Spot Virtual Machine offers no high availability guarantees. At any point in time when Azure needs the capacity back, the Azure infrastructure will evict Azure Spot Virtual Machines with 30 seconds notice. 
 
 
 ## Eviction policy
@@ -86,7 +86,7 @@ You can see historical pricing and eviction rates per size in a region in the po
 
 ##  Frequently asked questions
 
-**Q:** Once created, is a Azure Spot Virtual Machine the same as regular standard VM?
+**Q:** Once created, is an Azure Spot Virtual Machine the same as regular standard VM?
 
 **A:** Yes, except there is no SLA for Azure Spot Virtual Machines and they can be evicted at any time.
 

articles/virtual-network/nat-gateway/faq.yml

@@ -90,7 +90,11 @@ sections:
       - question: Can I use Virtual Network NAT gateway with Azure Firewall?
         answer: |
           Yes. For more information about Virtual Network NAT integration with Azure Firewall, see [Scale SNAT ports with Azure NAT Gateway](../../firewall/integrate-with-nat-gateway.md).
-          
+
+      - question: Can I use Virtual Network NAT gateway with Virtual Network service endpoints?
+        answer: | 
+           Yes. The addition of a Virtual Network NAT Gateway to a subnet with service endpoints does not affect the endpoints. [Virtual Network service endpoints](../virtual-network-service-endpoints-overview.md) enable a more specific route for the destination Azure service traffic they represent. Traffic for the service endpoint will continue to be routed toward the service and wont go via the NAT Gateway.
+
 additionalContent: |
 
   ## Next steps