MicrosoftDocs
diff --git a/‎.openpublishing.redirection.azure-monitor.json
Lines changed: 35 additions & 0 deletions b/‎.openpublishing.redirection.azure-monitor.json
Lines changed: 35 additions & 0 deletions
diff --git a/‎articles/active-directory-b2c/TOC.yml
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory-b2c/TOC.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/develop/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/active-directory/develop/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/active-directory/develop/troubleshoot-required-resource-access-limits.md
Lines changed: 150 additions & 0 deletions b/‎articles/active-directory/develop/troubleshoot-required-resource-access-limits.md
Lines changed: 150 additions & 0 deletions
diff --git a/‎articles/aks/azure-ad-rbac.md
Lines changed: 1 addition & 1 deletion b/‎articles/aks/azure-ad-rbac.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/aks/azure-cni-overlay.md
Lines changed: 2 additions & 2 deletions b/‎articles/aks/azure-cni-overlay.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/aks/node-access.md
Lines changed: 53 additions & 0 deletions b/‎articles/aks/node-access.md
Lines changed: 53 additions & 0 deletions
diff --git a/‎articles/aks/supported-kubernetes-versions.md
Lines changed: 1 addition & 1 deletion b/‎articles/aks/supported-kubernetes-versions.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/aks/use-multiple-node-pools.md
Lines changed: 6 additions & 1 deletion b/‎articles/aks/use-multiple-node-pools.md
Lines changed: 6 additions & 1 deletion
@@ -5591,6 +5591,41 @@
             "source_path_from_root": "/articles/azure-monitor/logs/collect-sccm.md",
             "redirect_url": "/mem/configmgr/core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/vm/vminsights-health-overview.md",
+            "redirect_url": "/azure/azure-monitor/vm/vminsights-overview",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/vm/vminsights-health-migrate.md",
+            "redirect_url": "/azure/azure-monitor/vm/vminsights-overview",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/vm/vminsights-health-enable.md",
+            "redirect_url": "/azure/azure-monitor/vm/vminsights-overview",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/vm/vminsights-health-alerts.md",
+            "redirect_url": "/azure/azure-monitor/vm/vminsights-overview",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/vm/vminsights-health-configure.md",
+            "redirect_url": "/azure/azure-monitor/vm/vminsights-overview",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/vm/vminsights-health-configure-dcr.md",
+            "redirect_url": "/azure/azure-monitor/vm/vminsights-overview",
+            "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-monitor/vm/vminsights-health-troubleshoot.md",
+            "redirect_url": "/azure/azure-monitor/vm/vminsights-overview",
+            "redirect_document_id": false
         }
     ]
 }
@@ -66,7 +66,7 @@
     - name: Authentication library
       href: ../active-directory/develop/msal-overview.md?bc=%2fazure%2factive-directory-b2c%2fbread%2ftoc.json&toc=%2fazure%2factive-directory-b2c%2fTOC.json
       displayName: MSAL, client library, Microsoft Authentication Library
-  - name: Azure AD B2C global identitiy framework
+  - name: Azure AD B2C global identity framework
     items:
       - name: Global identity solutions
         href: azure-ad-b2c-global-identity-solutions.md
 
@@ -812,6 +812,8 @@
           href: reply-url.md
         - name: Validation differences by supported account types
           href: supported-accounts-validation.md
+        - name: Configured permissions limits troubleshooting
+          href: troubleshoot-required-resource-access-limits.md
     - name: Microsoft auth libraries by app type
       displayName: MSAL, auth client library, SDK, token validation
       href: reference-v2-libraries.md
 
@@ -0,0 +1,150 @@
+---
+title: Troubleshooting the configured permissions limits
+description: Learn why some apps may exceed the limits on configured permissions and how to address this issue.
+author: Jackson-Woods
+ms.author: jawoods
+manager: CelesteDG
+ms.date: 12/08/2022
+ms.topic: reference
+ms.subservice: develop
+ms.custom: aaddev
+ms.service: active-directory
+ms.reviewer: phsignor
+---
+
+# Troubleshooting the configured permissions limits
+
+The `RequiredResourceAccess` collection (RRA) on an application object contains all the configured API permissions that an app requires for its default consent request. This collection has various limits depending on which types of identities the app supports, For more information on the limits for supported account types, see [Validation differences by supported account types](supported-accounts-validation.md).
+
+The limits on maximum permissions were updated in May 2022, so some apps may have more permissions in their RRA than are now allowed. In addition, apps that change their supported account types after configuring permissions may exceed the limits of the new setting. When apps exceed the configured permissions limit, no new permissions may be added until the number of permissions in the `RequiredResourceAccess` collection is brought back under the limits.
+
+This document offers additional information and troubleshooting steps to resolve this issue.
+
+## Identifying when an app has exceeded the `RequiredResourceAccess` limits
+
+In general, all applications with more than 400 permissions have exceeded the configuration limits. Apps may also be subject to lower limits if they support sign-in for personal Microsoft accounts (MSA). An app that has exceeded the permission limits will receive the following error when trying to add more permissions in the Azure portal: 
+
+> `Failed to save permissions for <AppName>. This configuration exceeds the global application object limit. Remove some items and retry your request.`
+
+## Resolution steps
+
+If the application isn't needed anymore, the first option you should consider is to delete the app registration entirely. (You can restore recently deleted applications, in case you discover soon afterwards that it was still needed.)
+
+If you still need the application or are unsure, the following steps will help you resolve this issue:
+
+1. **Remove duplicate permissions.** In some cases, the same permission is listed multiple times. Review the required permissions and remove permissions that are listed two or more times. See the related PowerShell script on the [additional resources](#additional-resources) section of this article.
+2. **Remove unused permissions.** Review the permissions required by the application and compare them to what the application or service does. Remove permissions that are configured in the app registration, but which the application or service doesn’t require. For more information on how to review permissions, see [Review application permissions](../manage-apps/manage-application-permissions.md)
+3. **Remove redundant permissions.** In many APIs, including Microsoft Graph, some permissions aren't necessary when other more privileged permissions are included. For example, the Microsoft Graph permission User.Read.All (read all users) isn't needed when an application also has User.ReadWrite.All (read, create and update all users). To learn more about Microsoft Graph permissions, see [Microsoft Graph permissions reference](/graph/permissions-reference). 
+4. **Use multiple app registrations.** If a single app or service requires more than 400 permissions in the required permissions list, the app will need to be configured to use two (or more) different app registrations, each one with 400 or fewer permissions configured on the app registration. 
+
+## Frequently asked questions (FAQ)
+
+### *Why has Microsoft revised the limit on total permissions?*
+
+This limit is important for two reasons:
+
+- To help prevent an app from being configured to require more permissions than can be granted during consent.
+- To keep the total size of the app registration within the limits required for stability and performance of the underlying storage platform.
+
+### *What will happen if I don’t do anything?*
+
+If your app exceeds the total permissions limit, you'll no longer be able to increase the total number of required permissions for your application.
+
+### *Does the limit change how many permissions my application can be granted?*
+
+No. This limit affects only the list of requested API permissions configured on the app registration. This is different from the list of permissions that have been granted to your application.
+
+Even if it isn't listed in the required API permissions list, a delegated permission can still be requested dynamically by an application. Both delegated permissions and app roles (application permissions) can also be granted directly, using Microsoft Graph API or Microsoft Graph PowerShell.  
+
+### *Can the limit be raised for my application?*
+
+No, the limit can't be raised for individual applications or organizations. 
+
+### *Are there other limits on the list of required API permissions?*
+
+Yes. The limits can vary depending on the supported account types for the app. Apps that support personal Microsoft Accounts for sign-in (for example, Outlook.com, Hotmail.com, Xbox Live) generally have lower limits. See [Validation differences by supported account types](supported-accounts-validation.md) to learn more.
+
+## Additional resources
+
+Use the following PowerShell script to remove any duplicate permissions from your app registrations.
+
+```PowerShell
+<#
+.SYNOPSIS
+    Remove duplicate required API permissions from an app registration's required API permission list.
+.DESCRIPTION
+    This script ensures all API permissions listed in a Microsoft identity platform's app registration are only listed once,
+    removing any duplicates it finds. This script requires the Microsoft.Graph.Applications PowerShell module.
+.EXAMPLE
+     Get-MgApplication -Filter "appId eq '46c22aca-bcdd-467d-a837-bd544c09b8b4'" | .\Deduplicate_RequiredResourceAccess.ps1"
+.EXAMPLE
+     $apps = Get-MgApplication -Filter "startswith(displayName,'Test_app')"
+     $apps | .\Deduplicate_RequiredResourceAccess.ps1
+#>
+
+#Requires -Modules Microsoft.Graph.Applications
+
+[CmdletBinding()]
+param(
+    [Parameter(ValueFromPipeline = $true)]
+    $App
+)
+
+begin {
+    $context = Get-MgContext
+    if (-not $context) {
+        throw ("You must connect to Microsoft Graph PowerShell first, with sufficient permissions " +
+               "to manage Application objects. For example: Connect-MgGraph -Scopes ""Application.ReadWrite.All""")
+    }
+}
+
+process {
+    
+    # Build the unique list of required API permissions for each required API
+    $originalCount = 0
+    $tempRras = @{}
+    foreach ($rra in $App.RequiredResourceAccess) {
+        if (-not $tempRras.ContainsKey($rra.ResourceAppId)) {
+            $tempRras[$rra.ResourceAppId] = @{"Scope" = @{}; "Role" = @{}};
+        }
+        foreach ($ra in $rra.ResourceAccess) {
+            if ($tempRras[$rra.ResourceAppId][$ra.Type].ContainsKey($ra.Id)) {
+                # Skip duplicate required API permission
+            } else {
+                $tempRras[$rra.ResourceAppId][$ra.Type][$ra.Id] = $true
+            }
+            $originalCount++
+        }
+    }
+    
+    # Now that we have the unique set of required API permissions, iterate over all the keys to build the final requiredResourceAccess structure
+    $deduplicatedCount = 0
+    $finalRras = @($tempRras.Keys) | ForEach-Object {
+        $resourceAppId = $_
+        @{
+            "resourceAppId" = $resourceAppId
+            "resourceAccess" = @(@("Scope", "Role") | ForEach-Object { 
+                $type = $_
+                $tempRras[$resourceAppId][$type].Keys | ForEach-Object { 
+                    $deduplicatedCount++;
+                    @{"type" = $type; "id" = $_}
+                }
+            })
+        }
+    }
+    
+    $countDifference = $originalCount - $deduplicatedCount
+    if ($countDifference) {
+        Write-Host "Removing $($countDifference) duplicate entries in RequiredResourceAccess for '$($App.DisplayName)' (AppId: $($App.AppId))"
+        Update-MgApplication -ApplicationId $App.Id -RequiredResourceAccess $finalRras
+    } else {
+        Write-Host "No updates necessary for '$($App.DisplayName)' (AppId: $($App.AppId))"
+    }
+}
+```
+
+## Learn more
+
+- Learn about API permissions and the Microsoft identity platform: [Overview of permissions and consent in the Microsoft identity platform](permissions-consent-overview.md)
+- Understand the permissions available for Microsoft Graph: [Microsoft Graph permissions reference](/graph/permissions-reference)
+- Review the limitations to application configurations: [Validation differences by supported account types](supported-accounts-validation.md)
@@ -70,7 +70,7 @@ AKS_ID=$(az aks show \
 Create the first example group in Azure AD for the application developers using the [az ad group create][az-ad-group-create] command. The following example creates a group named *appdev*:
 
 ```azurecli-interactive
-APPDEV_ID=$(az ad group create --display-name appdev --mail-nickname appdev --query objectId -o tsv)
+APPDEV_ID=$(az ad group create --display-name appdev --mail-nickname appdev --query Id -o tsv)
 ```
 
 Now, create an Azure role assignment for the *appdev* group using the [az role assignment create][az-role-assignment-create] command. This assignment lets any member of the group use `kubectl` to interact with an AKS cluster by granting them the *Azure Kubernetes Service Cluster User Role*.
 
@@ -4,7 +4,7 @@ description: Learn how to configure Azure CNI Overlay networking in Azure Kubern
 services: container-service
 ms.topic: article
 ms.custom: references_regions
-ms.date: 11/08/2022
+ms.date: 12/12/2022
 ---
 
 # Configure Azure CNI Overlay networking in Azure Kubernetes Service (AKS)
@@ -17,6 +17,7 @@ With Azure CNI Overlay, the cluster nodes are deployed into an Azure Virtual Net
 > Azure CNI Overlay is currently available only in the following regions:
 > - North Central US
 > - West Central US
+> - East US
 
 ## Overview of overlay networking
 
@@ -89,7 +90,6 @@ The overlay solution has the following limitations today
 * You can't deploy multiple overlay clusters on the same subnet.
 * Overlay can be enabled only for new clusters. Existing (already deployed) clusters can't be configured to use overlay.
 * You can't use Application Gateway as an Ingress Controller (AGIC) for an overlay cluster.
-* v5 VM SKUs are currently not supported.
 
 ## Install the aks-preview Azure CLI extension
 
 
@@ -80,6 +80,10 @@ To connect to another node in the cluster, use the `kubectl debug` command. For
 
 To create the SSH connection to the Windows Server node from another node, use the SSH keys provided when you created the AKS cluster and the internal IP address of the Windows Server node.
 
+> [!IMPORTANT]
+>
+> The following steps for creating the SSH connection to the Windows Server node from another node can only be used if you created your AKS cluster using the Azure CLI and the `--generate-ssh-keys` parameter. If you didn't use this method to create your cluster, you'll use a password instead of an SSH key. To do this, see [Create the SSH connection to a Windows node using a password](#create-the-ssh-connection-to-a-windows-node-using-a-password)
+
 Open a new terminal window and use the `kubectl get pods` command to get the name of the pod started by `kubectl debug`.
 
 ```bash
@@ -155,6 +159,54 @@ azureuser@aksnpwin000000 C:\Users\azureuser>
 >  ssh -o 'ProxyCommand ssh -p 2022 -W %h:%p [email protected]' -o PreferredAuthentications=password [email protected]
 > ```
 
+### Create the SSH connection to a Windows node using a password
+
+If you didn't create your AKS cluster using the Azure CLI and the `--generate-ssh-keys` parameter, you'll use a password instead of an SSH key to create the SSH connection. To do this with Azure CLI, use the following steps:
+
+1. Create a root user called `azureuser`.
+
+    ```azurecli
+    az vmss update -g <nodeRG> -n <vmssName> --set virtualMachineProfile.osProfile.adminUsername=azureuser
+    ```
+
+2. Create a password for the new root user.
+
+    ```azurecli
+    az vmss update -g <nodeRG> -n <vmssName> --set virtualMachineProfile.osProfile.adminPassword=<new password>
+    ```
+
+3. Update the instances to use the above changes.
+
+    ```azurecli
+    az vmss update-instances -g <nodeRG> -n <vmssName> --instance-ids '*'
+    ```
+
+4. Reimage the affected nodes so you can connect using your new credentials.
+
+    ```azurecli
+    az vmss reimage -g <nodeRG> -n <vmssName> --instance-id <affectedNodeInstanceId>
+    ```
+
+5. Use `kubectl debug` to connect to another node.
+
+    ```azurecli
+    kubectl debug node/<nodeName> -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0
+    ```
+
+6. Open a second terminal to use port forwarding to connect the debug pod to your local computer.
+
+    ```azurecli
+    kubectl port-forward <debugPodName> 2022:22
+    ```
+
+7. Open a third terminal to get the `INTERNAL-IP` of the affected node to initiate the SSH connection. You can get this with `kubectl get nodes -o wide`. Once you have it, use the following command to connect.
+
+    ```azurecli
+     ssh -o 'ProxyCommand ssh -p 2022 -W %h:%p [email protected]' azureuser@<affectedNodeIp>
+    ```
+
+8. Enter your password.
+
 ### Remove SSH access
 
 When done, `exit` the SSH session, stop any port forwarding, and then `exit` the interactive container session. After the interactive container session closes, delete the pod used for SSH access using the `kubectl delete pod` command.
@@ -166,6 +218,7 @@ kubectl delete pod node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx
 ## Update SSH key on an existing AKS cluster (preview)
 
 ### Prerequisites
+
 * Before you start, ensure the Azure CLI is installed and configured. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
 * The aks-preview extension version 0.5.111 or later. To learn how to install an Azure extension, see [How to install extensions][how-to-install-azure-extensions].
 
 
@@ -15,7 +15,7 @@ The Kubernetes community releases minor versions roughly every three months. Rec
 Minor version releases include new features and improvements. Patch releases are more frequent (sometimes weekly) and are intended for critical bug fixes within a minor version. Patch releases include fixes for security vulnerabilities or major bugs.
 
 >[!WARNING]
-> AKS clusters with Calico enabled should not upgrade to Kubernetes v1.25 preview.
+> Due to an issue with Calico and AKS. It is highly reccomended that customers using Calico do not upgrade or create new clusters on v1.25.
 
 ## Kubernetes versions
 
 
@@ -124,6 +124,11 @@ The following example output shows that *mynodepool* has been successfully creat
 
 The ARM64 processor provides low power compute for your Kubernetes workloads. To create an ARM64 node pool, you will need to choose a [Dpsv5][arm-sku-vm1], [Dplsv5][arm-sku-vm2] or [Epsv5][arm-sku-vm3] series Virtual Machine.
 
+#### Limitations
+
+* ARM64 node pools are not supported on Defender-enabled clusters
+* FIPS-enabled node pools are not supported with ARM64 SKUs 
+
 Use `az aks nodepool add` command to add an ARM64 node pool.
 
 ```azurecli
@@ -132,7 +137,7 @@ az aks nodepool add \
     --cluster-name myAKSCluster \
     --name armpool \
     --node-count 3 \
-    --node-vm-size Standard_Dpds_v5
+    --node-vm-size Standard_D2pds_v5
 ```
 
 ### Add a Mariner node pool