Merge pull request #210211 from MicrosoftDocs/main

ttorble · web-flow · commit ca99be0ef424 · 2022-09-06T12:19:00.000+01:00
Publish to live, Tuesday 4 AM PST, 9/6
diff --git a/articles/active-directory/hybrid/how-to-connect-fed-group-claims.md b/articles/active-directory/hybrid/how-to-connect-fed-group-claims.md
@@ -163,7 +163,9 @@ For more information about regex replace and capture groups, see [The Regular Ex
 >[!NOTE]
 > As described in the Azure AD documentation, you can't modify a restricted claim by using a policy. The data source can't be changed, and no transformation is applied when you're generating these claims. The group claim is still a restricted claim, so you need to customize the groups by changing the name. If you select a restricted name for the name of your custom group claim, the claim will be ignored at runtime. 
 >
-> You can also use the regex transform feature as a filter, because any groups that don't match the regex pattern will not be emitted in the resulting claim. 
+> You can also use the regex transform feature as a filter, because any groups that don't match the regex pattern will not be emitted in the resulting claim.
+>
+>If the transform applied to the original groups claim results in a new custom claim, then the original groups claim will be omitted from the token. However, if the configured regex doesn't match any value in the original list, then the custom claim will not be present and the original groups claim will be included in the token.
 
 ### Edit the group claim configuration
 
diff --git a/articles/active-directory/saas-apps/saml-toolkit-tutorial.md b/articles/active-directory/saas-apps/saml-toolkit-tutorial.md
@@ -161,4 +161,4 @@ In this section, you test your Azure AD single sign-on configuration with follow
 
 ## Next steps
 
-Once you configure Azure AD SAML Toolkit you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
+Once you configure Azure AD SAML Toolkit you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
diff --git a/articles/azure-monitor/profiler/profiler-azure-functions.md b/articles/azure-monitor/profiler/profiler-azure-functions.md
@@ -17,7 +17,7 @@ In this article, you'll use the Azure portal to:
 > [!NOTE]
 > You can enable the Application Insights Profiler for Azure Functions apps on the **App Service** plan. 
 
-## Pre-requisites
+## Prerequisites
 
 - [An Azure Functions app](../../azure-functions/functions-create-function-app-portal.md). Verify your Functions app is on the **App Service** plan. 
      
diff --git a/articles/azure-resource-manager/bicep/learn-bicep.md b/articles/azure-resource-manager/bicep/learn-bicep.md
@@ -2,14 +2,14 @@
 title: Learn modules for Bicep
 description: Provides an overview of the Learn modules for Bicep.
 ms.topic: conceptual
-ms.date: 12/03/2021
+ms.date: 09/05/2022
 ---
 # Learn modules for Bicep
 
 Ready to see how Bicep can help simplify and accelerate your deployments to Azure? Check out the many hands-on courses.
 
 > [!TIP]
-> Want to learn Bicep live from subject matter experts? [Learn Live with our experts every Tuesday (Pacific time) beginning March 8, 2022.](/events/learntv/learnlive-iac-and-bicep/)
+> Want to learn Bicep live from subject matter experts? [Follow on-demand Learn Live sessions with our experts.](/events/learntv/learnlive-iac-and-bicep/)
 
 ## Get started
 
diff --git a/articles/container-apps/ingress.md b/articles/container-apps/ingress.md
@@ -47,7 +47,7 @@ The following settings are available when configuring ingress:
 
 | Property | Description | Values | Required |
 |---|---|---|---|
-| `external` | When enabled, the environment is assigned a public IP and fully qualified domain name (FQDN) for external ingress and an internal IP and FQDN for internal ingress.  When disabled, only an internal IP/FQDN is created. |`true` for external visibility, `false` for internal visibility (default) | Yes |
+| `external` | Your ingress IP and app fully qualified domain name (FQDN) can either be visible externally from the internet, or internally from a VNET depending on whether the app environment has an external or internal endpoint, respectively - or visibility from within the app environment only. |`true` for visibility from internet or VNET, depending on app environment endpoint is configured, `false` for visibility within app environment only. (default) | Yes |
 | `targetPort` | The port your container listens to for incoming requests. | Set this value to the port number that your container uses. Your application ingress endpoint is always exposed on port `443`. | Yes |
 | `transport` | You can use either HTTP/1.1 or HTTP/2, or you can set it to automatically detect the transport type. | `http` for HTTP/1, `http2` for HTTP/2, `auto` to automatically detect the transport type (default) | No |
 | `allowInsecure` | Allows insecure traffic to your container app. | `false` (default), `true`<br><br>If set to `true`, HTTP requests to port 80 aren't automatically redirected to port 443 using HTTPS, allowing insecure connections. | No |
diff --git a/articles/data-factory/connector-dynamics-crm-office-365.md b/articles/data-factory/connector-dynamics-crm-office-365.md
@@ -8,7 +8,7 @@ ms.topic: conceptual
 ms.author: jianleishen
 author: jianleishen
 ms.custom: synapse
-ms.date: 08/19/2022
+ms.date: 09/05/2022
 ---
 # Copy and transform data in Dynamics 365 (Microsoft Dataverse) or Dynamics CRM using Azure Data Factory or Azure Synapse Analytics
 
@@ -530,7 +530,7 @@ To write data into a lookup field using alternate key columns, follow this guida
     :::image type="content" source="./media/connector-dynamics-crm-office-365/connector-dynamics-lookup-field-column-mapping-alternate-key-2.png" alt-text="Screenshot shows mapping columns to lookup fields via alternate keys step 2.":::
 
 > [!Note]
-> Currently this is only supported in mapping data flows.
+> Currently this is only supported when you use inline mode in the sink transformation of mapping data flows.
 
 ## Mapping data flow properties
 
diff --git a/articles/defender-for-iot/organizations/getting-started.md b/articles/defender-for-iot/organizations/getting-started.md
@@ -98,7 +98,8 @@ This procedure describes how to add a Defender for IoT plan for OT networks to a
 
 1. Select the **I accept the terms** option, and then select **Save**.
 
-Your OT networks plan will be shown under the associated subscription in the **Plans** grid. 
+Your OT networks plan will be shown under the associated subscription in the **Plans** grid. For more information, see [Manage your subscriptions](how-to-manage-subscriptions.md).
+
 
 ## Add a Defender for IoT plan for Enterprise IoT networks to an Azure subscription
 
@@ -119,3 +120,4 @@ For more information, see:
 
 - [Welcome to Microsoft Defender for IoT for organizations](overview.md)
 - [Microsoft Defender for IoT architecture](architecture.md)
+- [Move existing sensors to a different subscription](how-to-manage-subscriptions.md#move-existing-sensors-to-a-different-subscription)
diff --git a/articles/defender-for-iot/organizations/how-to-create-and-manage-users.md b/articles/defender-for-iot/organizations/how-to-create-and-manage-users.md
@@ -11,7 +11,7 @@ This article describes how to create and manage users of sensors and the on-prem
 
 Features are also available to track user activity and enable Active Directory sign in.
 
-By default, each sensor and on-premises management console is installed with a *cyberx, support* and *cyberx_host* user. These users have access to advanced tools for troubleshooting and setup. Administrator users should sign in with these user credentials, create an admin user, and then create extra users for security analysts and read-only users.
+By default, each sensor and on-premises management console is installed with the *cyberx* and *support* users. Sensors are also installed with the *cyberx_host* user. These users have access to advanced tools for troubleshooting and setup. Administrator users should sign in with these user credentials, create an admin user, and then create extra users for security analysts and read-only users.
 
 ## Role-based permissions
 The following user roles are available:
diff --git a/articles/defender-for-iot/organizations/how-to-manage-subscriptions.md b/articles/defender-for-iot/organizations/how-to-manage-subscriptions.md
@@ -55,18 +55,38 @@ When onboarding or editing your Defender for IoT plan, you'll need to know how m
 
 [!INCLUDE [devices-inventoried](includes/devices-inventoried.md)]
 
-**To calculate the number of devices you need to monitor**:
+#### Calculate the number of devices you need to monitor
 
 We recommend making an initial estimate of your committed devices when onboarding your Defender for IoT plan.
 
-1. Collect the total number of devices in your network.
+**For OT devices**:
 
-1. Remove any devices that are *not* considered as committed devices by Defender for IoT.
+1. Collect the total number of devices at each site in your network, and add them together.
 
-    If you are also a Defender for Endpoint customer, you can identify devices managed by Defender for Endpoint in the Defender for Endpoint **Device inventory** page. In the **Endpoints** tab, filter for devices by **Onboarding status**. For more information, see [Defender for Endpoint Device discovery overview](/microsoft-365/security/defender-endpoint/device-discovery).
+1. Remove any devices that are [*not* considered as committed devices by Defender for IoT](#defender-for-iot-committed-devices).
 
 After you've set up your network sensor and have full visibility into all devices, you can [Edit a plan](#edit-a-plan-for-ot-networks) to update the number of committed devices as needed.
 
+**For Enterprise IoT devices**:
+
+In the **Device inventory** page in the **Defender for Endpoint** portal:
+
+1. Add the total number of discovered **network devices** with the total number of discovered **IoT devices**. 
+
+    For example: 
+
+    :::image type="content" source="media/how-to-manage-subscriptions/eiot-calculate-devices.png" alt-text="Screenshot of network device and IoT devices in the device inventory in Microsoft Defender for Endpoint.":::
+
+    For more information, see the [Defender for Endpoint Device discovery overview](/microsoft-365/security/defender-endpoint/device-discovery).
+
+1. Remove any devices that are [*not* considered as committed devices by Defender for IoT](#defender-for-iot-committed-devices).
+
+1. Round up your total to a multiple of 100.
+
+    For example: In the device inventory, you have 473 network devices and 1206 IoT devices. Added together the total is 1679 devices, and rounded up to a multiple of 100 is 1700. Use 1700 as the estimated number of committed devices.  
+ 
+To edit the number of committed Enterprise IoT devices after you've onboarded a plan, you will need to cancel the plan and onboard a new plan in Defender for Endpoint. For more information, see the [Defender for Endpoint documentation](/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration).
+
 ## Onboard a Defender for IoT plan for OT networks
 
 This procedure describes how to add a Defender for IoT plan for OT networks to an Azure subscription.
diff --git a/articles/defender-for-iot/organizations/media/how-to-manage-subscriptions/eiot-calculate-devices.png b/articles/defender-for-iot/organizations/media/how-to-manage-subscriptions/eiot-calculate-devices.png
diff --git a/articles/remote-rendering/quickstarts/deploy-to-hololens.md b/articles/remote-rendering/quickstarts/deploy-to-hololens.md
@@ -12,7 +12,7 @@ ms.custom: mode-other
 
 This quickstart covers how to deploy and run the quickstart sample app for Unity to a HoloLens 2.
 
-In this quickstart you will learn how to:
+In this quickstart you'll learn how to:
 
 > [!div class="checklist"]
 >
@@ -22,10 +22,11 @@ In this quickstart you will learn how to:
 
 ## Prerequisites
 
-In this quickstart we will deploy the sample project from [Quickstart: Render a model with Unity](render-model.md).
-
+In this quickstart, we'll deploy the sample project from [Quickstart: Render a model with Unity](render-model.md).
 Make sure your credentials are saved properly with the scene and you can connect to a session from within the Unity editor.
 
+The HoloLens 2 must be in developer mode and paired with the desktop machine. Refer to [using the device portal](/windows/mixed-reality/develop/advanced-concepts/using-the-windows-device-portal#setting-up-hololens-to-use-windows-device-portal) for further instructions.
+
 ## Build the sample project
 
 1. Open *File > Build Settings*.
@@ -35,7 +36,7 @@ Make sure your credentials are saved properly with the scene and you can connect
 1. Set *Build Type* to **D3D Project**\
     ![Build settings](./media/unity-build-settings.png)
 1. Select **Switch to Platform**
-1. When pressing **Build** (or 'Build And Run'), you will be asked to select some folder where the solution should be stored
+1. When pressing **Build** (or 'Build And Run'), you'll be asked to select some folder where the solution should be stored
 1. Open the generated **Quickstart.sln** with Visual Studio
 1. Change the configuration to **Release** and **ARM64**
 1. Switch the debugger mode to **Remote Machine**\
@@ -56,7 +57,7 @@ If you want to launch the sample a second time later, you can also find it from
 
 ## Next steps
 
-In the next quickstart, we will take a look at converting a custom model.
+In the next quickstart, we'll take a look at converting a custom model.
 
 > [!div class="nextstepaction"]
 > [Quickstart: Convert a model for rendering](convert-model.md)
diff --git a/articles/site-recovery/vmware-physical-azure-support-matrix.md b/articles/site-recovery/vmware-physical-azure-support-matrix.md
@@ -55,6 +55,7 @@ IIS | Make sure you:<br/><br/> - Don't have a pre-existing default website <br/>
 NIC type | VMXNET3 (when deployed as a VMware VM)
 IP address type | Static
 Ports | 443 used for control channel orchestration<br/>9443 for data transport
+IP address | Make sure that configuration server and process server have a static IPv4 address, and doesn't have NAT configured.
 
 > [!NOTE]
 > Operating system has to be installed with English locale. Conversion of locale post installation could result in potential issues.
diff --git a/articles/spring-apps/faq.md b/articles/spring-apps/faq.md
@@ -43,7 +43,7 @@ Azure Spring Apps intelligently schedules your applications on the underlying Ku
 
 ### In which regions is Azure Spring Apps Basic/Standard tier available?
 
-East US, East US 2, Central US, South Central US, North Central US, West US, West US 2, West US 3, West Europe, North Europe, UK South, Southeast Asia, Australia East, Canada Central, UAE North, Central India, Korea Central, East Asia, Japan East, South Africa North, Brazil South, France Central, Germany West Central, Switzerland North, China East 2 (Mooncake), and China North 2 (Mooncake). [Learn More](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud)
+East US, East US 2, Central US, South Central US, North Central US, West US, West US 2, West US 3, West Europe, North Europe, UK South, Southeast Asia, Australia East, Canada Central, UAE North, Central India, Korea Central, East Asia, Japan East, South Africa North, Brazil South, France Central, Germany West Central, Switzerland North, China East 2 (Mooncake), China North 2 (Mooncake), and China North 3 (Mooncake). [Learn More](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud)
 
 ### In which regions is Azure Spring Apps Enterprise tier available?
 
diff --git a/articles/synapse-analytics/media/synapse-notebook-activity/create-synapse-notebook-activity.png b/articles/synapse-analytics/media/synapse-notebook-activity/create-synapse-notebook-activity.png
diff --git a/articles/synapse-analytics/synapse-notebook-activity.md b/articles/synapse-analytics/synapse-notebook-activity.md
@@ -27,9 +27,20 @@ You can create a Synapse notebook activity directly from the Synapse pipeline ca
 
 Drag and drop **Synapse notebook** under **Activities** onto the Synapse pipeline canvas. Select on the Synapse notebook activity box and config the notebook content for current activity in the **settings**. You can select an existing notebook from the current workspace or add a new one. 
 
-You can also select an Apache Spark pool in the settings. It should be noted that the Apache spark pool set here will replace the Apache spark pool used in the notebook. If Apache spark pool is not selected in the settings of notebook content for current activity, the Apache spark pool selected in that notebook will be used to run.
+(Optional) You can also reconfigure Spark pool\Executor size\Dynamically allocate executors\Min executors\Max executors\Driver size in settings. It should be noted that the settings reconfigured here will replace the settings of the configure session in Notebook. If nothing is set in the settings of the current notebook activity, it will run with the settings of the configure session in that notebook.
 
-![screenshot-showing-create-notebook-activity](./media/synapse-notebook-activity/create-synapse-notebook-activity.png)
+> [!div class="mx-imgBorder"]
+> ![screenshot-showing-create-notebook-activity](./media/synapse-notebook-activity/create-synapse-notebook-activity.png)
+
+
+|  Property   | Description   |  Required   |
+| ----- | ----- | ----- |  
+|Spark pool| Reference to the Spark pool. You can select Apache Spark pool from the list. If this setting is empty, it will run in the spark pool of the notebook itself.| No |
+|Executor size| Number of cores and memory to be used for executors allocated in the specified Apache Spark pool for the session.| No |
+|Dynamically allocate executors| This setting maps to the dynamic allocation property in Spark configuration for Spark Application executors allocation.| No |
+|Min executors| Min number of executors to be allocated in the specified Spark pool for the job.| No |
+|Max executors| Max number of executors to be allocated in the specified Spark pool for the job.| No |
+|Driver size| Number of cores and memory to be used for driver given in the specified Apache Spark pool for the job.| No |
 
 > [!NOTE]
 > The execution of parallel Spark Notebooks in Azure Synapse pipelines be queued and executed in a FIFO manner, jobs order in the queue is according to the time sequence, the expire time of a job in the queue is 3 days, please notice that queue for notebook only work in synapse pipeline.
diff --git a/articles/virtual-machines/sizes-b-series-burstable.md b/articles/virtual-machines/sizes-b-series-burstable.md
@@ -25,7 +25,7 @@ The B-series comes in the following VM sizes:
 [Memory Preserving Updates](maintenance-and-updates.md): Supported<br>
 [VM Generation Support](generation-2.md): Generation 1 and 2<br>
 [Accelerated Networking](../virtual-network/create-vm-accelerated-networking-cli.md): Supported**<br>
-[Ephemeral OS Disks](ephemeral-os-disks.md): Not Supported <br>
+[Ephemeral OS Disks](ephemeral-os-disks.md): Supported <br>
 [Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Not Supported <br>
 
 *B-series VMs are burstable and thus ACU numbers will vary depending on workloads and core usage.<br>
diff --git a/articles/virtual-machines/workloads/sap/get-started.md b/articles/virtual-machines/workloads/sap/get-started.md
@@ -66,6 +66,7 @@ In the SAP workload documentation space, you can find the following areas:
 
 ## Change Log
 
+- September 6, 2022: Add managed identity for pacemaker fence agent [Set up Pacemaker on SUSE Linux Enterprise Server (SLES) in Azure](high-availability-guide-suse-pacemaker.md) on SLES and [Setting up Pacemaker on RHEL in Azure](high-availability-guide-rhel-pacemaker.md) RHEL.
 - August 22, 2022: Release of cost optimization scenario [Deploy PAS and AAS with SAP NetWeaver HA cluster](high-availability-guide-rhel-with-dialog-instance.md) on RHEL.
 - August 09, 2022: Release of scenario [HA for SAP ASCS/ERS with NFS simple mount](./high-availability-guide-suse-nfs-simple-mount.md) on SLES 15 for SAP Applications.
 - July 18, 2022: Clarify statement around Pacemaker support on Oracle Linux in [Azure Virtual Machines Oracle DBMS deployment for SAP workload](./dbms_guide_oracle.md)
diff --git a/articles/virtual-machines/workloads/sap/high-availability-guide-suse-pacemaker.md b/articles/virtual-machines/workloads/sap/high-availability-guide-suse-pacemaker.md
@@ -637,6 +637,10 @@ Make sure to assign the custom role to the service principal at all VM (cluster
    >[!IMPORTANT]
    > The installed version of the *fence-agents* package must be 4.4.0 or later to benefit from the faster failover times with the Azure fence agent, when a cluster node is fenced. If you're running an earlier version, we recommend that you update the package.  
 
+   >[!IMPORTANT]
+   > If using managed identity, the installed version of the *fence-agents* package must be fence-agents 4.5.2+git.1592573838.1eee0863 or later. Earlier versions will not work correctly with a managed identity configuration.  
+   > Currently only SLES 15 SP1 and older are supported for managed identity configuration.
+
 1. **[A]** Install the Azure Python SDK and Azure Identity Python module.  
 
     Install the Azure Python SDK on SLES 12 SP4 or SLES 12 SP5:
diff --git a/includes/virtual-network-multiple-ip-addresses-os-config.md b/includes/virtual-network-multiple-ip-addresses-os-config.md

Original file line number	Diff line number	Diff line change
`@@ -163,7 +163,9 @@ For more information about regex replace and capture groups, see [The Regular Ex`
`163`	`163`	`>[!NOTE]`
`164`	`164`	`> As described in the Azure AD documentation, you can't modify a restricted claim by using a policy. The data source can't be changed, and no transformation is applied when you're generating these claims. The group claim is still a restricted claim, so you need to customize the groups by changing the name. If you select a restricted name for the name of your custom group claim, the claim will be ignored at runtime.`
`165`	`165`	`>`
`166`		`-> You can also use the regex transform feature as a filter, because any groups that don't match the regex pattern will not be emitted in the resulting claim.`
	`166`	`+> You can also use the regex transform feature as a filter, because any groups that don't match the regex pattern will not be emitted in the resulting claim.`
	`167`	`+>`
	`168`	`+>If the transform applied to the original groups claim results in a new custom claim, then the original groups claim will be omitted from the token. However, if the configured regex doesn't match any value in the original list, then the custom claim will not be present and the original groups claim will be included in the token.`
`167`	`169`
`168`	`170`	`### Edit the group claim configuration`
`169`	`171`
Original file line number	Diff line number	Diff line change
`@@ -161,4 +161,4 @@ In this section, you test your Azure AD single sign-on configuration with follow`
`161`	`161`
`162`	`162`	`## Next steps`
`163`	`163`
`164`		`-Once you configure Azure AD SAML Toolkit you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).`
	`164`	`+Once you configure Azure AD SAML Toolkit you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).`