Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Learn Build Service GitHub App

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

@@ -7,7 +7,7 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 08/25/2022
+ms.date: 04/04/2023
 ms.author: billmath
 ms.reviewer: arvinh
 ---
@@ -27,7 +27,7 @@ The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0]
 ## Deploying Azure AD provisioning agent
 The Azure AD Provisioning agent can be deployed on the same server hosting a SCIM enabled application, or a separate server, providing it has line of sight to the application's SCIM endpoint. A single agent also supports provision to multiple applications hosted locally on the same server or separate hosts, again as long as each SCIM endpoint is reachable by the agent.  
 
- 1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM application endpoint is hosted on.
+ 1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM application endpoint is hosted on. 
  2. Run the provisioning agent installer, agree to the terms of service, and select **Install**.
  3. Once installed, locate  and launch the **AAD Connect Provisioning Agent wizard**, and when prompted for an extensions select **On-premises provisioning**
  4. For the agent to register itself with your tenant, provide credentials for an Azure AD admin with Hybrid administrator or global administrator permissions.
@@ -41,7 +41,10 @@ Once the agent is installed, no further configuration is necesary on-prem, and a
  3. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option.
  4.  Select the agent that you installed from the dropdown list and select **Assign Agent(s)**.
  5.  Now either wait 10 minutes or restart the **Microsoft Azure AD Connect Provisioning Agent** before proceeding to the next step & testing the connection.
- 6.  In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolveable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
+ 6.  In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolveable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png) 
+>[!NOTE]
+>The Azure AD provisioning service currently drops everything in the URL after the hostname.
+
  7.  Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test will fail. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues. 
  8.  Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
  9.  Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.

articles/active-directory/authentication/how-to-mfa-number-match.md

@@ -387,6 +387,10 @@ Minimum Microsoft Authenticator version for number matching which prompts to ent
 - Android 6.2111.7701
 - iOS 6.5.85
 
+### How can users recheck the number on mobile iOS devices after the match request appears?
+
+During mobile iOS broker flows, the number match request appears over the number after a two-second delay. To recheck the number, click **Show me the number again**. This action only occurs in mobile iOS broker flows. 
+
 ## Next steps
 
 [Authentication methods in Azure Active Directory](concept-authentication-authenticator-app.md)

articles/active-directory/authentication/media/how-to-authentication-methods-manage/authentication-methods-policy.png

@@ -2,16 +2,16 @@
 title: Azure Active Directory certificate authorities
 description: Listing of trusted certificates used in Azure
 services: active-directory
-author: janicericketts
-manager: martinco
+author: shlipsey3
+manager: amycolannino
 
 ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
 ms.date: 10/10/2020
-ms.author: jricketts
-ms.reviewer: baselden
+ms.author: sarahlipsey
+ms.reviewer: sarahlipsey
 ms.custom: "it-pro, seodec18"
 ms.collection: M365-identity-device-management
 ---

articles/active-directory/authentication/media/how-to-authentication-methods-manage/start-mfa-migration.png

@@ -74,7 +74,7 @@ Follow these steps to create an Azure Database for Postgres in your subscription
        --location $LOCATION \
        --admin-user $POSTGRESQL_ADMIN_USER \
        --admin-password $POSTGRESQL_ADMIN_PASSWORD \
-       --public-network-access 0.0.0.0 \
+       --public-access 0.0.0.0 \
        --sku-name Standard_D2s_v3 
    ```
 

articles/active-directory/fundamentals/certificate-authorities.md

@@ -40,7 +40,7 @@ Application Gateway uses a secret identifier in Key Vault to reference the certi
 
 The Azure portal supports only Key Vault certificates, not secrets. Application Gateway still supports referencing secrets from Key Vault, but only through non-portal resources like PowerShell, the Azure CLI, APIs, and Azure Resource Manager templates (ARM templates).
 
-References to Key Vaults in other Azure subscriptions is supported, but must be configured via ARM Template, Azure PowerShell, CLI, Bicep, etc. Cross-subscription key vault configuration is not supported by Application Gateway via Azure Portal today.
+References to Key Vaults in other Azure subscriptions are supported, but must be configured via ARM Template, Azure PowerShell, CLI, Bicep, etc. Cross-subscription key vault configuration is not supported by Application Gateway via Azure portal today.
 
 ## Certificate settings in Key Vault
 
@@ -85,7 +85,7 @@ When you're using a restricted Key Vault, use the following steps to configure A
 
 1. In the Azure portal, in your Key Vault, select **Networking**.
 1. On the **Firewalls and virtual networks** tab, select **Selected networks**.
-1. For **Virtual networks**, select **+ Add existing virtual networks**, and then add the virtual network and subnet for your Application Gateway instance. During the process, also configure the `Microsoft.KeyVault` service endpoint by selecting its checkbox.
+1. For **Virtual networks**, select **+ Add existing virtual networks**, and then add the virtual network and subnet for your Application Gateway instance. If prompted, ensure the _Do not configure 'Microsoft.KeyVault' service endpoint(s) at this time_ checkbox is unchecked to ensure the `Microsoft.KeyVault` service endpoint is enabled on the subnet.
 1. Select **Yes** to allow trusted services to bypass the Key Vault's firewall.
 
    ![Screenshot that shows selections for configuring Application Gateway to use firewalls and virtual networks.](media/key-vault-certs/key-vault-firewall.png)

articles/app-service/tutorial-java-tomcat-connect-managed-identity-postgresql-database.md

@@ -8,11 +8,11 @@ ms.topic: article
 ---
 # Prefer options
 
-The API supports setting some request options using the `Prefer` header. This section describes how to set each preference and their values.
+The API supports setting some request and response options using the `Prefer` header. This section describes how to set each preference and their values.
 
 ## Visualization information
 
-In the query language, you can specify different render options. By default, the API does not return information about the type of visualization. To include a specific visualization, include this header:
+In the query language, you can specify different render options. By default, the API doesn't return information about the type of visualization. To include a specific visualization, include this header:
 
 ```
     Prefer: include-render=true
@@ -63,3 +63,13 @@ To get information about query statistics, include this header:
 ```
 
 The header includes a `statistics` property in the response that describes various performance statistics such as query execution time and resource usage.
+
+## Query timeout
+The default query timeout is 3 minutes. To adjust the query timeout set the `wait` property, as documented [here](timeouts.md). 
+
+## Query data sources
+To get information about the query data sources - regions, workspaces, clusters and tables, include this header:
+
+```
+    Prefer: include-dataSources=true
+```

articles/application-gateway/key-vault-certs.md

@@ -12,7 +12,7 @@ ms.date: 02/07/2023
 
 # Monitor Log Analytics workspace health
 
-[Azure Service Health](../../service-health/overview.md) monitors the health of your cloud resources, including Log Analytics workspaces. When a Log Analytics workspace is healthy, data you collect from resources in your IT environment is available for querying and analysis in a relatively short period of time, known as [latency](../logs/data-ingestion-time.md). This article explains how to view the health status of your Log Analytics workspace and set up alerts to track Log Analytics workspace health status changes.  
+[Azure Service Health](../../service-health/overview.md) monitors the health of your cloud resources, including Log Analytics workspaces. When a Log Analytics workspace is healthy, data you collect from resources in your IT environment is available for querying and analysis in a relatively short period of time, known as [latency](../logs/data-ingestion-time.md). This article explains how to view the health status of your Log Analytics workspace, set up workspace health status alerts, and view workspace health metrics.  
 
 Azure Service Health monitors:
 
@@ -39,22 +39,41 @@ To view your Log Analytics workspace health and set up health status alerts:
 
 1. To set up health status alerts, you can either [enable recommended out-of-the-box alert](../alerts/alerts-overview.md#recommended-alert-rules) rules, or manually create new alert rules.
     - To enable the recommended alert rules:
-        1. select **Alerts**, then select **Enable recommended alert rules**. The **Enable recommended alert rules** pane opens with a list of recommended alert rules based on your type of resource.  
-        1. In the **Alert me if** section, select all of the rules you want to enable. The rules are populated with the default values for the rule condition, you can change the default values if you would like.
-        1. In the **Notify me by** section, select the way you want to be notified if an alert is fired.
+        1. Select **Alerts** > **Enable recommended alert rules**. 
+        
+            The **Enable recommended alert rules** pane opens with a list of recommended alert rules for your Log Analytics workspace.  
+        
+            :::image type="content" source="../alerts/media/alerts-managing-alert-instances/alerts-enable-recommended-alert-rule-pane.png" alt-text="Screenshot of recommended alert rules pane.":::
+
+        1. In the **Alert me if** section, select all of the rules you want to enable. 
+        1. In the **Notify me by** section, select the way you want to be notified if an alert is triggered.
         1. Select **Use an existing action group**, and enter the details of the existing action group if you want to use an action group that already exists.
         1. Select **Enable**.
 
-        :::image type="content" source="../alerts/media/alerts-managing-alert-instances/alerts-enable-recommended-alert-rule-pane.png" alt-text="Screenshot of recommended alert rules pane.":::
-
     - To create a new alert rule:
        1. Select **Add resource health alert**.
 
-            The **Create alert rule** wizard opens, with the **Scope** and **Condition** panes pre-populated. By default, the rule triggers alerts all status changes in all Log Analytics workspaces in the subscription. If necessary, you can edit and modify the scope and condition at this stage. 
+            The **Create alert rule** wizard opens, with the **Scope** and **Condition** panes prepopulated. By default, the rule triggers alerts all status changes in all Log Analytics workspaces in the subscription. If necessary, you can edit and modify the scope and condition at this stage. 
 
             :::image type="content" source="media/data-ingestion-time/log-analytics-workspace-latency-alert-rule.png" lightbox="media/data-ingestion-time/log-analytics-workspace-latency-alert-rule.png" alt-text="Screenshot that shows the Create alert rule wizard for Log Analytics workspace latency issues.":::
 
        1. Follow the rest of the steps in [Create a new alert rule in the Azure portal](../alerts/alerts-create-new-alert-rule.md#create-a-new-alert-rule-in-the-azure-portal). 
+
+## View Log Analytics workspace health metrics
+
+Azure Monitor exposes a set of metrics that provide insight into Log Analytics workspace health. 
+
+To view Log Analytics workspace health metrics:
+
+1. Select **Metrics** from the Log Analytics workspace menu. This opens [Metrics Explorer](../essentials/metrics-charts.md) in context of your Log Analytics workspace.
+1. In the **Metric** field, select one of the Log Analytics workspace health metrics:
+
+   | Metric name | Description |
+   | - | - |
+   | Query count | Total number of user queries in the Log Analytics workspace within the selected time range.<br>This number includes only user-initiated queries, and doesn't include queries initiated by Sentinel rules and alert-related queries. |
+   | Query failure count | Total number of failed user queries in the Log Analytics workspace within the selected time range.<br>This number includes all queries that return 5XX response codes - except 504 *Gateway Timeout* - which indicate an error related to the application gateway or the backend server.|
+   | Query success rate | Total number of successful user queries in the Log Analytics workspace within the selected time range.<br>This number includes all queries that return 2XX, 4XX, and 504 response codes; in other words, all user queries that don't result in a service error. |
+
 ## Investigate Log Analytics workspace health issues
 
 To investigate Log Analytics workspace health issues:
@@ -63,6 +82,9 @@ To investigate Log Analytics workspace health issues:
 - Query the data in your Log Analytics workspace to [understand which factors are contributing greater than expected latency in your workspace](../logs/data-ingestion-time.md).  
 - [Use the `_LogOperation` function to view and set up alerts about operational issues](../logs/monitor-workspace.md) logged in your Log Analytics workspace.
 
+      
+
+
 ## Next steps
 
 Learn more about:

articles/azure-monitor/logs/api/prefer-options.md

@@ -40,6 +40,7 @@ The following diagram demonstrates how customer-managed keys work with Azure Net
 
 * Customer-managed keys can only be configured on new volumes. You can't migrate existing volumes to customer-managed key encryption. 
 * To create a volume using customer-managed keys, you must select the *Standard* network features. You can't use customer-managed key volumes with volume configured using Basic network features. Follow instructions in to [Set the Network Features option](configure-network-features.md#set-the-network-features-option) in the volume creation page.
+* Customer-managed keys private endpoints do not support the **Disable public access** option. You must choose one of the **Allow public access** options.
 * Switching from user-assigned identity to the system-assigned identity isn't currently supported.
 * MSI Automatic certificate renewal isn't currently supported.  
 * The MSI certificate has a lifetime of 90 days. It becomes eligible for renewal after 46 days. **After 90 days, the certificate is no longer be valid and the customer-managed key volumes under the NetApp account will go offline.**