Merge pull request #299474 from MicrosoftDocs/main

5/7/2025 AM Publish

Author: Taojunshen

.openpublishing.redirection.json

@@ -6913,6 +6913,11 @@
       "source_path": "articles/nat-gateway/quickstart-create-nat-gateway-bicep.md",
       "redirect_url": "/azure/nat-gateway/quickstart-create-nat-gateway",
        "redirect_document_id": false
-     }
+     },
+     {
+      "source_path": "articles/defender-for-iot/organizations/eiot-sensor.md",
+      "redirect_url": "/azure/defender-for-iot/organizations/concept-enterprise",
+      "redirect_document_id": false
+    }
   ]
 }

articles/api-management/api-management-key-concepts.md

@@ -136,7 +136,7 @@ API Management integrates with many complementary Azure services to create enter
 * **[Azure Monitor](api-management-howto-use-azure-monitor.md)** for logging, reporting, and alerting on management operations, systems events, and API requests​
 * **[Application Insights](api-management-howto-app-insights.md)** for live metrics, end-to-end tracing, and troubleshooting
 * **[Virtual networks](virtual-network-concepts.md)**, **[private endpoints](private-endpoint.md)**, **[Application Gateway](api-management-howto-integrate-internal-vnet-appgateway.md)**, and **[Azure Front Door](front-door-api-management.md)** for network-level protection​
-* **[Azure Defender for APIs](protect-with-defender-for-apis.md)** and **[Azure DDoS Protection](protect-with-ddos-protection.md)** for runtime protection against malicious attacks​
+* **[Microsoft Defender for APIs](protect-with-defender-for-apis.md)** and **[Azure DDoS Protection](protect-with-ddos-protection.md)** for runtime protection against malicious attacks​
 * **Microsoft Entra ID** for [developer authentication](api-management-howto-aad.md) and [request authorization](api-management-howto-protect-backend-with-aad.md)​
 * **[Event Hubs](api-management-howto-log-event-hubs.md)** for streaming events​
 * **[Azure Redis](api-management-howto-cache-external.md)** for caching responses​ with Azure Cache for Redis or Azure Managed Redis​

articles/azure-netapp-files/application-volume-group-manage-volumes-oracle.md

@@ -33,7 +33,7 @@ You can manage a volume from its volume group. You can resize, delete, or change
         > Changing the protocol type involves reconfiguration at the Linux host. When using dNFS, it's not recommended to mix volumes using NFSv3 and NFSv4.1.  
 
         > [!NOTE] 
-        > Using Azure NetApp Files built-in automated snapshots doesn't create database consistent backups. Instead, use data protection software such as [SnapCenter](https://docs.netapp.com/us-en/snapcenter/protect-azure/protect-applications-azure-netapp-files.html), [AzAcSnap](azacsnap-introduction.md), or other [validated partner solutions](../storage/solution-integration/validated-partners/backup-archive-disaster-recovery/partner-overview.md) that supports snapshot-based data protection for Oracle. 
+        > Using Azure NetApp Files built-in automated snapshots doesn't create database consistent backups. Instead, use data protection software such as [AzAcSnap](azacsnap-introduction.md), [SnapCenter](https://docs.netapp.com/us-en/snapcenter/protect-azure/protect-applications-azure-netapp-files.html), or other [validated partner solutions](../storage/solution-integration/validated-partners/backup-archive-disaster-recovery/partner-overview.md) that support snapshot-based data protection for Oracle. 
 
     * **Change Throughput**   
         You can adapt the throughput of the volume.

articles/azure-netapp-files/kerberos.md

@@ -58,7 +58,7 @@ This section defines key terminology that is used when describing Kerberos proce
 
 | Term | Definition |
 | -- | ------ |
-| Key distribution center (KDC)	| The KDC is the authentication server that includes the ticket-granting service (TGS) and the authentication service (AS). The terms KDC, AS, and TGS are used interchangeably. In Microsoft environments, an Active Directory (AD) domain controller is a KDC. As such, modifying KDC values can be done by [modifying AD settings](modify-active-directory-connections.md).  |
+| Key distribution center (KDC)	| The KDC is the authentication server that includes the ticket-granting service (TGS) and the authentication service (AS). The terms KDC, AS, and TGS are used interchangeably. In Microsoft environments, an Active Directory (AD) domain controller is a KDC. Modifying KDC values can only be achieved by [modifying AD settings](modify-active-directory-connections.md).  |
 | Realm (or Kerberos realm) | A realm (or Kerberos realm) can use any ASCII string. The standard is to use the domain name in uppercase; for example, contoso.com becomes the realm CONTOSO.COM. Kerberos realms usually are configured in krb5.conf files on clients and servers. <br></br> Administratively, each principal@REALM must be unique. To avoid a single point of failure, each realm can have multiple KDCs that share the same database (principals and their passwords) and have the same KDC master keys. Microsoft Windows Active Directory does this natively by way of Active Directory replication, which takes place every 15 minutes by default.
 | Principal	| The term principal refers to every entity within a Kerberos database. Users, computers, and services are all assigned principals for Kerberos authentication. Every principal must be unique within the Kerberos database and is defined by its distinguished name. A principal can be a user principal name (UPN) or a service principal name (SPN). <br></br> A principal name has three parts: <ul><li>**Primary** - The primary part can be a user or a service such as the NFS service. It can also be the special service "host," which signifies that this service principal is set up to provide multiple various network services.</li><li>**Instance** - This part is optional in the case of a user. A user can have more than one principal, but each principal must be unique in the KDC. For example, Fred might have a principal that is for everyday use ([email protected]) and a principal that allows privileged use such as a sysadmin account ([email protected]). The instance is required for service principals and designates the fully qualified domain name (FQDN) of the host that provides the service.</li><li>**Realm** - A Kerberos realm is the set of Kerberos principals that are registered within a Kerberos server. By convention, the realm name is usually the same as the DNS name, but it's converted to uppercase letters. Uppercase letters aren't obligatory, but the convention provides easy distinction between the DNS name and the realm name.</li></ul> <!-- image --> |
 | Tickets | A ticket is a temporary set of credentials that verifies the identity of a principal for a service and contains the session key. A ticket can be a service, an application ticket, or a ticket-granting ticket (TGT). Tickets are exchanged between client, server, and KDC for Kerberos authentication. |

articles/azure-netapp-files/modify-active-directory-connections.md

@@ -43,7 +43,7 @@ For more information, see [Understand guidelines for Active Directory Domain Ser
 | Username | Username of the Active Directory domain administrator | Yes | None* | Credential change to contact DC |
 | Password | Password of the Active Directory domain administrator | Yes | None* <br></br> Password can't exceed 64 characters. | Credential change to contact DC |
 | Kerberos Realm: AD Server Name | The name of the Active Directory machine. This option is only used when creating a Kerberos volume. | Yes | None* | |
-| Kerberos Realm: KDC IP | Specifies the IP address of the Kerberos Distribution Center (KDC) server. KDC in Azure NetApp Files is an Active Directory server. The only way to modify a KDC is by editing the AD setting.  | Yes | None | A new KDC IP address will be used |
+| Kerberos Realm: KDC IP | Specifies the IP address of the Kerberos Distribution Center (KDC) server. KDC in Azure NetApp Files is an Active Directory server. You can only modify a KDC IP by editing the AD setting.  | Yes | None | A new KDC IP address will be used |
 | Region | The region where the Active Directory credentials are associated | No | None | N/A |
 | User DN | User domain name, which overrides the base DN for user lookups Nested userDN can be specified in `OU=subdirectory, OU=directory, DC=domain, DC=com` format.​ | Yes | None* | User search scope gets limited to User DN instead of base DN. |
 | Group DN | Group domain name. groupDN overrides the base DN for group lookups. Nested groupDN can be specified in `OU=subdirectory, OU=directory, DC=domain, DC=com` format.​ | Yes | None* | Group search scope gets limited to Group DN instead of base DN. |

articles/backup/archive-tier-support.md

@@ -2,7 +2,7 @@
 title: Azure Backup - Archive tier overview 
 description: Learn about Archive tier support for Azure Backup.
 ms.topic: overview
-ms.date: 03/19/2025
+ms.date: 05/07/2025
 ms.custom: references_regions
 ms.service: azure-backup
 author: jyothisuri
@@ -135,6 +135,14 @@ You can also filter from the list of all recovery points as per *daily*, *weekly
 
 :::image type="content" source="./media/archive-tier-support/filter-vm-recovery-points-by-age.png" alt-text="Screenshot shows how to filter recovery points for an Azure VM by daily, weekly, monthly, and yearly." lightbox="./media/archive-tier-support/filter-vm-recovery-points-by-age.png":::
 
+### Can I retrieve snapshot to Standard Tier Permanently after the recovery point is moved to Archive Tier?
+
+No, after moving the recovery point to the archive tier, it can't return to the standard tier permanently. Rehydration provides the only method to place the RP in the standard tier for a specified duration during restore. The recovery point remains in the archive tier.
+
+>[!Note]
+>You can do the rehydration process during the restore from a recovery point only.
+
+
 ## Next steps
 
 - [Use Archive tier](use-archive-tier-support.md).

articles/backup/backup-azure-vms-encryption.md

@@ -2,7 +2,7 @@
 title: Back up and restore encrypted Azure VMs
 description: Describes how to back up and restore encrypted Azure VMs with the Azure Backup service.
 ms.topic: how-to
-ms.date: 04/14/2025
+ms.date: 05/07/2025
 ms.service: azure-backup
 author: jyothisuri
 ms.author: jsuri
@@ -120,6 +120,10 @@ Learn about the [different available roles](/azure/key-vault/general/rbac-guide?
 
 For Azure RBAC enabled key vaults, you can create custom role with the following set of permissions. Learn [how to create custom role](../active-directory/roles/custom-create.md).
 
+>[!Note]
+>When you use Azure Government, ensure that the Key Vault Administrator role is assigned to the Backup Fairfax Entra Application to enable proper access and functionality. 
+
+
 | Action | Description |
 | --- | --- |
 | Microsoft.KeyVault/vaults/keys/backup/action | Creates the backup file of a key.  |

articles/backup/selective-disk-backup-restore.md

@@ -2,7 +2,7 @@
 title: Selective disk backup and restore for Azure virtual machines
 description: In this article, learn about selective disk backup and restore using the Azure virtual machine backup solution.
 ms.topic: how-to
-ms.date: 02/10/2025
+ms.date: 05/07/2025
 ms.custom: references_regions, devx-track-azurecli, devx-track-azurepowershell, engagement-fy24
 ms.service: azure-backup
 author: jyothisuri
@@ -329,7 +329,8 @@ Selective disk restore is an added functionality you get when you enable the sel
 
 - The OS disk is included by default in the VM backup and restore, and can't be excluded.
 - Selective disk restore is supported only for recovery points created after the disk exclusion capability is enabled.
-- Backups with the disk exclude setting **ON** only support the **Disk restore** option. **VM restore** or **Replace Existing** restore options aren't supported in this case.
+- Backups with the disk exclude setting **ON** only support the **Disk restore** option. **VM restore** or **Replace Existing** restore options aren't supported in this case, and the options during restore becomes unavailable. If you choose a Restore Point (RP) containing all disks before configuring disk exclusion during restore, VM restore and replace existing options become available.
+ 
 
 ![The option to restore VM and replace existing aren't available during the restore operation](./media/selective-disk-backup-restore/options-not-available.png)