Merge pull request #218424 from MicrosoftDocs/main

11/15 AM Publish

Author: huypub

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

@@ -297,7 +297,7 @@ The AADLoginForWindows extension must be installed successfully for the VM to co
 1. View the device state by running `dsregcmd /status`. The goal is for the device state to show as `AzureAdJoined : YES`.
 
    > [!NOTE]
-   > Azure AD join activity is captured in Event Viewer under the *User Device Registration\Admin* log at *Event Viewer (local)\Applications* and *Services Logs\Windows\Microsoft\User Device Registration\Admin*.
+   > Azure AD join activity is captured in Event Viewer under the *User Device Registration\Admin* log at *Event Viewer (local)\Applications* and *Services Logs\Microsoft\Windows\User Device Registration\Admin*.
 
 If the AADLoginForWindows extension fails with an error code, you can perform the following steps.
 

articles/active-directory/enterprise-users/licensing-service-plan-reference.md

@@ -288,7 +288,7 @@ When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
 | Power BI Pro | POWER_BI_PRO | f8a1db68-be16-40ed-86d5-cb42ce701560 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power BI Pro (70d33638-9c74-4d01-bfd3-562de28bd4ba) |
 | Power BI Pro CE | POWER_BI_PRO_CE | 420af87e-8177-4146-a780-3786adaffbca | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power BI Pro (70d33638-9c74-4d01-bfd3-562de28bd4ba) |
 | Power BI Pro Dept | POWER_BI_PRO_DEPT | 3a6a908c-09c5-406a-8170-8ebb63c42882 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>BI_AZURE_P2 (70d33638-9c74-4d01-bfd3-562de28bd4ba) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power BI Pro (70d33638-9c74-4d01-bfd3-562de28bd4ba) |
-| Power BI Pro for GCC | POWERBI_PRO_GOV |	f0612879-44ea-47fb-baf0-3d76d9235576 | EXCHANGE_S_FOUNDATION_GOV (922ba911-5694-4e99-a794-73aed9bfeec8)<br/>BI_AZURE_P_2_GOV (944e9726-f011-4353-b654-5f7d2663db76) | Exchange Foundation for Government (922ba911-5694-4e99-a794-73aed9bfeec8)</br>Power BI Pro for Government (944e9726-f011-4353-b654-5f7d2663db76) |
+| Power BI Pro for GCC | POWERBI_PRO_GOV |	f0612879-44ea-47fb-baf0-3d76d9235576 | EXCHANGE_S_FOUNDATION_GOV (922ba911-5694-4e99-a794-73aed9bfeec8)<br/>BI_AZURE_P_2_GOV (944e9726-f011-4353-b654-5f7d2663db76) | Exchange Foundation for Government (922ba911-5694-4e99-a794-73aed9bfeec8)<br/>Power BI Pro for Government (944e9726-f011-4353-b654-5f7d2663db76) |
 | Power Virtual Agent |	VIRTUAL_AGENT_BASE | e4e55366-9635-46f4-a907-fc8c3b5ec81f | CDS_VIRTUAL_AGENT_BASE (0a0a23fa-fea1-4195-bb89-b4789cb12f7f)<br/>FLOW_VIRTUAL_AGENT_BASE (4b81a949-69a1-4409-ad34-9791a6ec88aa)<br/>VIRTUAL_AGENT_BASE (f6934f16-83d3-4f3b-ad27-c6e9c187b260) | Common Data Service for Virtual Agent Base (0a0a23fa-fea1-4195-bb89-b4789cb12f7f)<br/>Power Automate for Virtual Agent (4b81a949-69a1-4409-ad34-9791a6ec88aa)<br/>Virtual Agent Base (f6934f16-83d3-4f3b-ad27-c6e9c187b260) |
 | Power Virtual Agents Viral Trial | CCIBOTS_PRIVPREV_VIRAL |	606b54a9-78d8-4298-ad8b-df6ef4481c80 | DYN365_CDS_CCI_BOTS (cf7034ed-348f-42eb-8bbd-dddeea43ee81)<br/>CCIBOTS_PRIVPREV_VIRAL (ce312d15-8fdf-44c0-9974-a25a177125ee)<br/>FLOW_CCI_BOTS (5d798708-6473-48ad-9776-3acc301c40af) | Common Data Service for CCI Bots (cf7034ed-348f-42eb-8bbd-dddeea43ee81)<br/>Dynamics 365 AI for Customer Service Virtual Agents Viral (ce312d15-8fdf-44c0-9974-a25a177125ee)<br/>Flow for CCI Bots (5d798708-6473-48ad-9776-3acc301c40af) |
 | Project for Office 365	| PROJECTCLIENT	| a10d5e58-74da-4312-95c8-76be4e5b75a0	| PROJECT_CLIENT_SUBSCRIPTION (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3) | PROJECT ONLINE DESKTOP CLIENT (fafd7243-e5c1-4a3a-9e40-495efcb1d3c3) |

articles/active-directory/fundamentals/recover-from-deletions.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 08/26/2022
+ms.date: 11/14/2022
 ms.author: jricketts
 ms.reviewer: jricketts
 ms.custom: "it-pro, seodec18"
@@ -89,19 +89,25 @@ The most frequent scenarios for application deletion are:
 * An administrator intentionally deletes the application, for example, in response to a support request.
 * An automation script in Microsoft Graph or PowerShell triggers the deletion. For example, you might want a process for deleting abandoned applications that are no longer used or managed. In general, create an offboarding process for applications rather than scripting to avoid unintentional deletions.
 
-### Properties maintained with soft delete
+When you delete an application, the application registration by default enters the soft-delete state. To understand the relationship between application registrations and service principals, see [Apps and service principals in Azure AD - Microsoft identity platform](../develop/app-objects-and-service-principals.md).
 
-| Object type| Important properties maintained |
-| - | - |
-| Users (including external users)| *All properties are maintained*, including ObjectID, group memberships, roles, licenses, and application assignments. |
-| Microsoft 365 Groups| *All properties are maintained*, including ObjectID, group memberships, licenses, and application assignments. |
-| Application registration| *All properties are maintained.* (See more information after this table.) |
+### Administrative units
 
-When you delete an application, the application registration by default enters the soft-delete state. To understand the relationship between application registrations and service principals, see [Apps and service principals in Azure AD - Microsoft identity platform](../develop/app-objects-and-service-principals.md).
+The most common scenario for deletions is when administrative units (AU) are deleted by accident, although still needed. 
 
 ## Recover from soft deletion
 
-You can restore soft-deleted items in the Azure portal or with Microsoft Graph.
+You can restore soft-deleted items in the administrative portal, or by using Microsoft Graph. Not all object classes can manage soft-delete capabilities in the portal, some are only listed, viewed, hard deleted, or restored using the deletedItems Microsoft Graph API.
+
+### Properties maintained with soft delete
+
+|Object type|Important properties maintained|
+|---|---|
+|Users (including external users)|All properties maintained, including ObjectID, group memberships, roles, licenses, and application assignments|
+|Microsoft 365 Groups|All properties maintained, including ObjectID, group memberships, licenses, and application assignments|
+|Application registration | All properties maintained. See more information after this table.|
+|Service principal|All properties maintained|
+|Administrative unit (AU)|All properties maintained|
 
 ### Users
 
@@ -125,15 +131,19 @@ For more information on how to restore soft-deleted Microsoft 365 Groups, see th
 * To restore from the Azure portal, see [Restore a deleted Microsoft 365 Group](../enterprise-users/groups-restore-deleted.md).
 * To restore by using Microsoft Graph, see [Restore deleted item – Microsoft Graph v1.0](/graph/api/directory-deleteditems-restore?tabs=http).
 
-### Applications
+### Applications and service principals
 
 Applications have two objects: the application registration and the service principal. For more information on the differences between the registration and the service principal, see [Apps and service principals in Azure AD](../develop/app-objects-and-service-principals.md).
 
 To restore an application from the Azure portal, select **App registrations** > **Deleted applications**. Select the application registration to restore, and then select **Restore app registration**.
 
 [![Screenshot that shows the app registration restore process in the azure portal.](./media/recoverability/deletion-restore-application.png)](./media/recoverability/deletion-restore-application.png#lightbox)
 
-To restore applications using Microsoft Graph, see [Restore deleted item - Microsoft Graph v1.0.](/graph/api/directory-deleteditems-restore?tabs=http)
+Currently, service principals can be listed, viewed, hard deleted, or restored via the deletedItems Microsoft Graph API. To restore applications using Microsoft Graph, see [Restore deleted item - Microsoft Graph v1.0.](/graph/api/directory-deleteditems-restore?tabs=http).
+
+### Administrative units
+
+AUs can be listed, viewed, hard deleted, or restored via the deletedItems Microsoft Graph API. To restore AUs using Microsoft Graph, see [Restore deleted item - Microsoft Graph v1.0.](/graph/api/directory-deleteditems-restore?tabs=http).
 
 ## Hard deletions
 
@@ -150,7 +160,7 @@ A hard deletion is the permanent removal of an object from your Azure AD tenant.
 
 ### When hard deletes usually occur
 
-Hard deletes most often occur in the following circumstances.
+Hard deletes might occur in the following circumstances.
 
 Moving from soft to hard delete:
 

articles/active-directory/hybrid/how-to-connect-fed-o365-certs.md

@@ -42,7 +42,7 @@ The token signing and token decrypting certificates are usually self-signed cert
 >
 >
 
-Azure AD attempts to monitor the federation metadata, and update the token signing certificates as indicated by this metadata. 30 days before the expiration of the token signing certificates, Azure AD checks if new certificates are available by polling the federation metadata.
+Azure AD attempts to monitor the federation metadata, and update the token signing certificates as indicated by this metadata. 35 days before the expiration of the token signing certificates, Azure AD checks if new certificates are available by polling the federation metadata.
 
 * If it can successfully poll the federation metadata and retrieve the new certificates, no email notification is issued to the user.
 * If it cannot retrieve the new token signing certificates, either because the federation metadata is not reachable or automatic certificate rollover is not enabled, Azure AD issues an email.
@@ -101,13 +101,13 @@ Get-MsolFederationProperty -DomainName <domain.name> | FL Source, TokenSigningCe
 If the thumbprints in both the outputs match, your certificates are in sync with Azure AD.
 
 ### Step 3: Check if your certificate is about to expire
-In the output of either Get-MsolFederationProperty or Get-AdfsCertificate, check for the date under "Not After." If the date is less than 30 days away, you should take action.
+In the output of either Get-MsolFederationProperty or Get-AdfsCertificate, check for the date under "Not After." If the date is less than 35 days away, you should take action.
 
 | AutoCertificateRollover | Certificates in sync with Azure AD | Federation metadata is publicly accessible | Validity | Action |
 |:---:|:---:|:---:|:---:|:---:|
 | Yes |Yes |Yes |- |No action needed. See [Renew token signing certificate automatically](#autorenew). |
 | Yes |No |- |Less than 15 days |Renew immediately. See [Renew token signing certificate manually](#manualrenew). |
-| No |- |- |Less than 30 days |Renew immediately. See [Renew token signing certificate manually](#manualrenew). |
+| No |- |- |Less than 35 days |Renew immediately. See [Renew token signing certificate manually](#manualrenew). |
 
 \[-]  Does not matter
 
@@ -187,6 +187,6 @@ Token signing certificates are standard X509 certificates that are used to secur
 
 By default, AD FS is configured to generate token signing and token decryption certificates automatically, both at the initial configuration time and when the certificates are approaching their expiration date.
 
-Azure AD tries to retrieve a new certificate from your federation service metadata 30 days before the expiry of the current certificate. In case a new certificate is not available at that time, Azure AD will continue to monitor the metadata on regular daily intervals. As soon as the new certificate is available in the metadata, the federation settings for the domain are updated with the new certificate information. You can use `Get-MsolDomainFederationSettings` to verify if you see the new certificate in the NextSigningCertificate / SigningCertificate.
+Azure AD tries to retrieve a new certificate from your federation service metadata 35 days before the expiry of the current certificate. In case a new certificate is not available at that time, Azure AD will continue to monitor the metadata on regular daily intervals. As soon as the new certificate is available in the metadata, the federation settings for the domain are updated with the new certificate information. You can use `Get-MsolDomainFederationSettings` to verify if you see the new certificate in the NextSigningCertificate / SigningCertificate.
 
 For more information on Token Signing certificates in AD FS see [Obtain and Configure Token Signing and Token Decryption Certificates for AD FS](/windows-server/identity/ad-fs/operations/configure-ts-td-certs-ad-fs)

articles/azure-monitor/alerts/alerts-manage-alert-rules.md

@@ -28,7 +28,10 @@ Manage your alert rules in the Azure portal, or using the CLI or PowerShell.
 ## Enable recommended alert rules in the Azure portal (preview)
 
 > [!NOTE]
-> The alert rule recommendations feature is currently in preview and is only enabled for VMs.
+> The alert rule recommendations feature is currently in preview and is only enabled for unmonitored:
+> - Virtual machines
+> - AKS resources
+> - Log Analytics workspaces
 
 If you don't have alert rules defined for the selected resource, either individually or as part of a resource group or subscription, you can [create a new alert rule](alerts-log.md#create-a-new-log-alert-rule-in-the-azure-portal), or enable recommended out-of-the-box alert rules in the Azure portal.
 

articles/azure-monitor/alerts/alerts-overview.md

@@ -42,6 +42,7 @@ Once an alert is triggered, the alert is made up of:
 - The **user response** is set by the user and doesn’t change until the user changes it. 
 
 You can see all alert instances in all your Azure resources generated in the last 30 days on the **[Alerts page](alerts-page.md)** in the Azure portal. 
+
 ## Types of alerts
 
 There are four types of alerts. This table provides a brief description of each alert type. 
@@ -53,12 +54,16 @@ See [this article](alerts-types.md) for detailed information about each alert ty
 |[Log alerts](alerts-types.md#log-alerts)|Log alerts allow users to use a Log Analytics query to evaluate resource logs at a predefined frequency.|
 |[Activity log alerts](alerts-types.md#activity-log-alerts)|Activity log alerts are triggered when a new activity log event occurs that matches the defined conditions.|
 |[Smart detection alerts](alerts-types.md#smart-detection-alerts)|Smart detection on an Application Insights resource automatically warns you of potential performance problems and failure anomalies in your web application. You can migrate smart detection on your Application Insights resource to create alert rules for the different smart detection modules.|
+
 ## Out-of-the-box alert rules (preview)
 
 If you don't have alert rules defined for the selected resource, you can [enable recommended out-of-the-box alert rules in the Azure portal](alerts-manage-alert-rules.md#enable-recommended-alert-rules-in-the-azure-portal-preview).
 
 > [!NOTE]
-> The alert rule recommendations feature is currently in preview and is only enabled for VMs.
+> The alert rule recommendations feature is currently in preview and is only enabled for unmonitored:
+> - Virtual machines
+> - AKS resources
+> - Log Analytics workspaces
 
 ## Azure role-based access control (Azure RBAC) for alerts
 

articles/azure-monitor/app/java-jmx-metrics-configuration.md

@@ -1,6 +1,6 @@
 ---
 title: How to configure JMX metrics - Azure Monitor application insights for Java
-description: Configure additional JMX metrics collection for Azure Monitor application insights Java agent
+description: Configure additional JMX metrics collection for Azure Monitor Application Insights Java agent
 ms.topic: conceptual
 ms.date: 03/16/2021
 ms.devlang: java

articles/azure-monitor/change/change-analysis.md

@@ -5,7 +5,7 @@ ms.topic: conceptual
 ms.author: hannahhunter
 author: hhunter-ms
 ms.contributor: cawa
-ms.date: 08/23/2022 
+ms.date: 11/15/2022 
 ms.subservice: change-analysis
 ms.custom: devx-track-azurepowershell, ignite-2022
 ---
@@ -32,7 +32,7 @@ Change Analysis detects various types of changes, from the infrastructure layer
 
 The following diagram illustrates the architecture of Change Analysis:
 
-![Architecture diagram of how Change Analysis gets change data and provides it to client tools](./media/change-analysis/overview.png)
+:::image type="content" source="./media/change-analysis/architecture-overview.png" alt-text="Architecture diagram of how Change Analysis gets change data and provides it to client tools.":::
 
 ## Supported resource types
 
@@ -126,6 +126,8 @@ Currently the following dependencies are supported in **Web App Diagnose and sol
 - **App Services file changes**: File changes take up to 30 minutes to display.
 - **App Services configuration changes**: Due to the snapshot approach to configuration changes, timestamps of configuration changes could take up to 6 hours to display from when the change actually happened.
 - **Web app deployment and configuration changes**: Since these changes are collected by a site extension and stored on disk space owned by your application, data collection and storage is subject to your application's behavior. Check to see if a misbehaving application is affecting the results.
+- **Snapshot retention for all changes**: The Change Analysis data for resources is tracked by Azure Resource Graphs (ARG). ARG keeps snapshot history of tracked resources only for 14 days.
+
 
 ## Next steps
 

articles/azure-monitor/change/media/change-analysis/architecture-overview.png

@@ -66,7 +66,7 @@ Using loops in Bicep has these limitations:
 - Bicep loops only work with values that can be determined at the start of deployment.
 - Loop iterations can't be a negative number or exceed 800 iterations.
 - Can't loop a resource with nested child resources. Change the child resources to top-level resources.  See [Iteration for a child resource](#iteration-for-a-child-resource).
-- To loop on multiple levels of properties, use [lambda map function](./bicep-functions-lambda.md#map).
+- To loop on multiple levels of properties, use the [lambda map function](./bicep-functions-lambda.md#map).
 
 ## Integer index