Merge pull request #1 from alvinli222/alvinli222-pdb-patch

add PodDrainFailure into troubleshooting

Author: alvinli222

articles/active-directory/develop/mobile-app-quickstart-portal-android.md

@@ -24,7 +24,7 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language
 > 
 > We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
 
-> [!div renderon="portal" class="sxs-lookup display-on-portal"]
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
 > # Quickstart: Sign in users and call the Microsoft Graph API from an Android app
 > 
 > In this quickstart, you download and run a code sample that demonstrates how an Android application can sign in users and get an access token to call the Microsoft Graph API. 
@@ -42,15 +42,17 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language
 > ### Step 1: Configure your application in the Azure portal
 > For the code sample in this quickstart to work, add a **Redirect URI** compatible with the Auth broker.
 > 
-> <button id="makechanges" class="nextstepaction" class="configure-app-button"> Make this change for me </button>
+> <button id="makechanges" class="nextstepaction configure-app-button"> Make these changes for me </button>
 > 
 > > [!div id="appconfigured" class="alert alert-info"]
 > > ![Already configured](media/quickstart-v2-android/green-check.png) Your application is configured with these attributes
 > 
 > ### Step 2: Download the project
 > 
 > Run the project using Android Studio.
-> <a href='https://github.com/Azure-Samples/ms-identity-android-java/archive/master.zip'><button id="downloadsample" class="download-sample-button">Download the code sample</button></a>
+> 
+> > [!div class="nextstepaction"]
+> > <button id="downloadsample" class="download-sample-button">Download the code sample</button>
 > 
 > 
 > ### Step 3: Your app is configured and ready to run
@@ -484,4 +486,4 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language
 > Move on to the Android tutorial in which you build an Android app that gets an access token from the Microsoft identity platform and uses it to call the Microsoft Graph API.
 > 
 > > [!div class="nextstepaction"]
-> > [Tutorial: Sign in users and call the Microsoft Graph from an Android application](tutorial-v2-android.md)
+> > [Tutorial: Sign in users and call the Microsoft Graph from an Android application](tutorial-v2-android.md)

articles/active-directory/develop/mobile-app-quickstart-portal-ios.md

@@ -26,7 +26,7 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language
 > 
 > We apologize for the inconvenience and appreciate your patience while we work to get this resolved.
 
-> [!div renderon="portal" class="sxs-lookup display-on-portal"]
+> [!div renderon="portal" id="display-on-portal" class="sxs-lookup"]
 > # Quickstart: Sign in users and call the Microsoft Graph API from an iOS or macOS app
 > 
 > In this quickstart, you download and run a code sample that demonstrates how a native iOS or macOS application can sign in users and get an access token to call the Microsoft Graph API.
@@ -47,16 +47,18 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language
 > #### Step 1: Configure your application
 > For the code sample in this quickstart to work, add a **Redirect URI** compatible with the Auth broker.
 > 
-> <button id="makechanges" class="nextstepaction" class="configure-app-button"> Make this change for me </button>
+> <button id="makechanges" class="nextstepaction configure-app-button"> Make these changes for me </button>
 > 
 > > [!div id="appconfigured" class="alert alert-info"]
 > > ![Already configured](media/quickstart-v2-ios/green-check.png) Your application is configured with these attributes
 > 
 > #### Step 2: Download the sample project
 > 
-> <a href='https://github.com/Azure-Samples/active-directory-ios-swift-native-v2/archive/master.zip'><button id="downloadsample" class="downloadsample_ios">Download the code sample for iOS</button></a>
-> 
-> <a href='https://github.com/Azure-Samples/active-directory-macOS-swift-native-v2/archive/master.zip'><button id="downloadsample" class="downloadsample_ios">Download the code sample for macOS</button></a>
+> > [!div class="nextstepaction"]
+> > <button id="downloadsample_ios" class="download-sample-button">Download the code sample for iOS</button>
+>
+> > [!div class="nextstepaction"]
+> > <button id="downloadsample_macos" class="download-sample-button">Download the code sample for macOS</button>
 > 
 > #### Step 3: Install dependencies
 > 
@@ -238,4 +240,4 @@ ms.custom: aaddev, identityplatformtop40, "scenarios:getting-started", "language
 > Move on to the step-by-step tutorial in which you build an iOS or macOS app that gets an access token from the Microsoft identity platform and uses it to call the Microsoft Graph API.
 > 
 > > [!div class="nextstepaction"]
-> > [Tutorial: Sign in users and call Microsoft Graph from an iOS or macOS app](tutorial-v2-ios.md)
+> > [Tutorial: Sign in users and call Microsoft Graph from an iOS or macOS app](tutorial-v2-ios.md)

articles/active-directory/develop/refresh-tokens.md

@@ -29,7 +29,10 @@ Before reading through this article, it's recommended that you go through the fo
 
 ## Refresh token lifetime
 
-Refresh tokens have a longer lifetime than access tokens. The default lifetime for the tokens is 90 days and they replace themselves with a fresh token upon every use. As such, whenever a refresh token is used to acquire a new access token, a new refresh token is also issued. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials. 
+Refresh tokens have a longer lifetime than access tokens. The default lifetime for the refresh tokens is 24 hours for [single page apps](reference-third-party-cookies-spas.md) and 90 days for all other scenarios. Refresh tokens replace themselves with a fresh token upon every use. The Microsoft identity platform doesn't revoke old refresh tokens when used to fetch new access tokens. Securely delete the old refresh token after acquiring a new one. Refresh tokens need to be stored safely like access tokens or application credentials. 
+
+>[!IMPORTANT]
+> Refresh tokens sent to a redirect URI registered as `spa` expire after 24 hours. Additional refresh tokens acquired using the initial refresh token carry over that expiration time, so apps must be prepared to rerun the authorization code flow using an interactive authentication to get a new refresh token every 24 hours. Users do not have to enter their credentials and usually don't even see any related user experience, just a reload of your application. The browser must visit the log-in page in a top-level frame to show the login session. This is due to [privacy features in browsers that block third party cookies](reference-third-party-cookies-spas.md).
 
 ## Refresh token expiration
 

articles/active-directory/privileged-identity-management/pim-resource-roles-configure-alerts.md

@@ -10,7 +10,7 @@ ms.topic: how-to
 ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: pim
-ms.date: 05/24/2022
+ms.date: 10/07/2021
 ms.author: curtand
 ms.reviewer: shaunliu
 ms.custom: pim
@@ -31,15 +31,11 @@ Select an alert to see a report that lists the users or roles that triggered the
 
 ## Alerts
 
-Alert | Severity | Trigger | Recommendation
---- | --- | --- | ---
-**Too many owners assigned to a resource** |Medium |Too many users have the owner role. |Review the users in the list and reassign some to less privileged roles.
-**Too many permanent owners assigned to a resource** |Medium |Too many users are permanently assigned to a role. |Review the users in the list and re-assign some to require activation for role use.
-**Duplicate role created** |Medium |Multiple roles have the same criteria. |Use only one of these roles.
-**Roles are being assigned outside of Privileged Identity Management (Preview)** | High | A role is managed directly through the Azure IAM resource blade or the Azure Resource Manager API | Review the users in the list and remove them from privileged roles assigned outside of Privilege Identity Management. 
-
-> [!Note]
-> During the public preview of the **Roles are being assigned outside of Privileged Identity Management (Preview)** alert, Microsoft supports only permissions that are assigned at the subscription level. 
+| Alert | Severity | Trigger | Recommendation |
+| --- | --- | --- | --- |
+| **Too many owners assigned to a resource** |Medium |Too many users have the owner role. |Review the users in the list and reassign some to less privileged roles. |
+| **Too many permanent owners assigned to a resource** |Medium |Too many users are permanently assigned to a role. |Review the users in the list and re-assign some to require activation for role use. |
+| **Duplicate role created** |Medium |Multiple roles have the same criteria. |Use only one of these roles. |
 
 ### Severity
 

articles/aks/howto-deploy-java-liberty-app-with-postgresql.md

@@ -81,7 +81,7 @@ The steps in this section guide you through creating an Azure Database for Postg
    Use the [az postgres server create](/cli/azure/postgres/server#az-postgres-server-create) command to create the DB server. The following example creates a DB server named *youruniquedbname*. Make sure *youruniqueacrname* is unique within Azure.
 
    > [!TIP]
-   > To help ensure a globally unique name, prepend a disambiguation string such as your intitials and the MMDD of today's date.
+   > To help ensure a globally unique name, prepend a disambiguation string such as your initials and the MMDD of today's date.
 
 
    ```bash
@@ -153,7 +153,7 @@ In directory *liberty/config*, the *server.xml* is used to configure the DB conn
 
 After the offer is successfully deployed, an AKS cluster will be generated automatically. The AKS cluster is configured to connect to the ACR. Before we get started with the application, we need to extract the namespace configured for the AKS.
 
-1. Run following command to print the current deployment file, using the `appDeploymentTemplateYamlEncoded` you saved above. The output contains all the variables we need.
+1. Run the following command to print the current deployment file, using the `appDeploymentTemplateYamlEncoded` you saved above. The output contains all the variables we need.
 
    ```bash
    echo <appDeploymentTemplateYamlEncoded> | base64 -d

articles/aks/troubleshooting.md

@@ -131,6 +131,20 @@ To help diagnose the issue run `az aks show -g myResourceGroup -n myAKSCluster -
 * If cluster is actively upgrading, wait until the operation finishes. If it succeeded, retry the previously failed operation again.
 * If cluster has failed upgrade, follow steps outlined in previous section.
 
+## I'm receiving an error due to "PodDrainFailure"
+
+This error is due to the requested operation being blocked by a PodDisruptionBudget (PDB) that has been set on the deployments within the cluster. To learn more about how PodDisruptionBudgets work, please visit check out [the official Kubernetes example](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pdb-example).
+
+If you'd like to proceed, either configure your PDB to be less restrictive by reducing the minAvailable pod count, or increasing the maxUnavailable pod count, or deleting the PDB completely before proceeding with the operation.
+
+You may use this command to find the PDBs applied on your cluster:
+
+```
+kubectl get poddisruptionbudgets
+```
+
+For more information about PodDisruptionBudgets, please check out the [official Kubernetes guide on configuring a PDB](https://kubernetes.io/docs/tasks/run-application/configure-pdb/).
+
 ## Can I move my cluster to a different subscription or my subscription with my cluster to a new tenant?
 
 If you've moved your AKS cluster to a different subscription or the cluster's subscription to a new tenant, the cluster won't function because of missing cluster identity permissions. **AKS doesn't support moving clusters across subscriptions or tenants** because of this constraint.

articles/aks/web-app-routing.md

@@ -23,10 +23,9 @@ The Web Application Routing solution makes it easy to access applications that a
 The add-on deploys four components: an [nginx ingress controller][nginx], [Secrets Store CSI Driver][csi-driver], [Open Service Mesh (OSM)][osm], and [External-DNS][external-dns] controller.
 
 - **Nginx ingress Controller**: The ingress controller exposed to the internet.
-- **External-dns**: Watches for Kubernetes Ingress resources and creates DNS A records in the cluster-specific DNS zone.
+- **External-DNS controller**: Watches for Kubernetes Ingress resources and creates DNS A records in the cluster-specific DNS zone.
 - **CSI driver**: Connector used to communicate with keyvault to retrieve SSL certificates for ingress controller.
 - **OSM**: A lightweight, extensible, cloud native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
-- **External-DNS controller**: Watches for Kubernetes Ingress resources and creates DNS A records in the cluster-specific DNS zone.
 
 ## Prerequisites
 
@@ -251,4 +250,4 @@ service "aks-helloworld" deleted
 [kubectl-delete]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#delete
 [kubectl-logs]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#logs
 [ingress]: https://kubernetes.io/docs/concepts/services-networking/ingress/
-[ingress-resource]: https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource
+[ingress-resource]: https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource

articles/azure-arc/data/active-directory-introduction.md

@@ -12,8 +12,11 @@ ms.topic: how-to
 ---
 
 # Azure Arc-enabled SQL Managed Instance with Active Directory authentication 
+
 Azure Arc-enabled data services support Active Directory (AD) for Identity and Access Management (IAM). The Arc-enabled SQL Managed Instance uses an existing on-premises Active Directory (AD) domain for authentication. 
 
+[!INCLUDE [azure-arc-data-preview](../../../includes/azure-arc-data-preview.md)]
+
 This article describes how to enable Azure Arc-enabled SQL Managed Instance with Active Directory (AD) Authentication. The article demonstrates two possible AD integration modes: 
 -  Customer-managed keytab (CMK) 
 -  System-managed keytab (SMK)  

articles/azure-arc/data/active-directory-prerequisites.md

@@ -15,6 +15,8 @@ ms.topic: how-to
 
 This document explains how to prepare to deploy Azure Arc-enabled data services with Active Directory (AD) authentication. Specifically the article describes Active Directory objects you need to configure before the deployment of Kubernetes resources.
 
+[!INCLUDE [azure-arc-data-preview](../../../includes/azure-arc-data-preview.md)]
+
 [The introduction](active-directory-introduction.md#compare-ad-integration-modes) describes two different integration modes:
 - *System-managed keytab* mode allows the system to create and manage the AD accounts for each SQL Managed Instance.
 - *Customer-managed keytab* mode allows you to create and manage the AD accounts for each SQL Managed Instance.

articles/azure-arc/data/configure-managed-instance.md

@@ -7,7 +7,7 @@ ms.subservice: azure-arc-data
 author: dnethi
 ms.author: dinethi
 ms.reviewer: mikeray
-ms.date: 02/22/2022
+ms.date: 05/27/2022
 ms.topic: how-to
 ---
 
@@ -45,6 +45,39 @@ To view the changes made to the Azure Arc-enabled SQL managed instance, you can
 az sql mi-arc show -n <NAME_OF_SQL_MI> --k8s-namespace <namespace> --use-k8s
 ```
 
+## Configure readable secondaries
+
+When you deploy Azure Arc enabled SQL managed instance in `BusinessCritical` service tier with 2 or more replicas, by default, one secondary replica is automatically configured as `readableSecondary`. This setting can be changed, either to add or to remove the readable secondaries as follows:
+
+```azurecli
+az sql mi-arc update --name <sqlmi name>  --readable-secondaries <value> --k8s-namespace <namespace> --use-k8s
+```
+
+For example, the following example will reset the readable secondaries to 0.
+
+```azurecli
+az sql mi-arc update --name sqlmi1 --readable-secondaries 0 --k8s-namespace mynamespace --use-k8s
+```
+## Configure replicas
+
+You can also scale up or down the number of replicas deployed in the `BusinessCritical` service tier as follows:
+
+```azurecli
+az sql mi-arc update --name <sqlmi name> --replicas <value> --k8s-namespace <namespace> --use-k8s
+```
+
+For example:
+
+The following example will scale down the number of replicas from 3 to 2.
+
+```azurecli
+az sql mi-arc update --name sqlmi1 --replicas 2 --k8s-namespace mynamespace --use-k8s
+```
+
+> [Note]
+> If you scale down from 2 replicas to 1 replica, you may run into a conflict with the pre-configured `--readable--secondaries` setting. You can first edit the `--readable--secondaries` before scaling down the replicas. 
+
+
 ## Configure Server options
 
 You can configure server configuration settings for Azure Arc-enabled SQL managed instance after creation time. This article describes how to configure settings like enabling or disabling mssql Agent, enable specific trace flags for troubleshooting scenarios.