Merge branch 'MicrosoftDocs:main' into yelevin-patch-2

Author: yelevin

articles/azure-maps/web-sdk-migration-guide.md

@@ -39,7 +39,7 @@ If you're using CDN ([content delivery network]), update the references to the s
 
 ### npm
 
-Install the latest [npm] package using the following command:
+If you're using [npm], update the to the latest Azure Maps control by running the following command:
 
 ```shell
 npm install azure-maps-control@latest
@@ -59,10 +59,18 @@ Consider a gradual rollout strategy for the updated version. Release the migrate
 
 By following these steps and considering best practices, you can successfully migrate your application from Azure Maps WebSDK v1 to v3. Embrace the new capabilities and improvements offered by the latest version while ensuring a smooth and seamless transition for your users. For more information, see [Azure Maps Web SDK best practices].
 
+## Next steps
+
+Learn more about the Azure Maps Power BI visual:
+
+> [!div class="nextstepaction"]
+> [Use the Azure Maps map control]
+
 [Azure Active Directory Authentication]: how-to-secure-spa-users.md
 [Azure Maps Web SDK best practices]: web-sdk-best-practices.md
 [content delivery network]: /azure/cdn/cdn-overview
 [Manage Authentication in Azure Maps]: how-to-manage-authentication.md
 [npm]: https://www.npmjs.com/package/azure-maps-control
 [release notes]: release-notes-map-control.md
 [Shared Key Authentication]: how-to-secure-sas-app.md
+[Use the Azure Maps map control]: how-to-use-map-control.md

articles/azure-monitor/logs/cost-logs.md

@@ -159,9 +159,12 @@ Subscriptions that contained a Log Analytics workspace or Application Insights r
 
 Access to the legacy Free Trial pricing tier was limited on July 1, 2022. Pricing information for the Standalone and Per Node pricing tiers is available [here](https://aka.ms/OMSpricing). 
 
+> [!IMPORTANT] 
+> The legacy pricing tiers do not support access to some of the newest features in Log Analytics such as ingesting data as cost-effective Basic Logs. 
+
 ### Free Trial pricing tier
 
-Workspaces in the Free Trial pricing tier will have daily data ingestion limited to 500 MB (except for security data types collected by [Microsoft Defender for Cloud](../../security-center/index.yml)). The data retention is limited to seven days. The Free Trial pricing tier is intended only for evaluation purposes. No SLA is provided for the Free Trial tier.
+Workspaces in the Free Trial pricing tier have daily data ingestion limited to 500 MB (except for security data types collected by [Microsoft Defender for Cloud](../../security-center/index.yml)). Data retention is limited to seven days. The Free Trial pricing tier is intended only for evaluation purposes, not production workloads. No SLA is provided for the Free Trial tier.
 
 > [!NOTE]
 > Creating new workspaces in, or moving existing workspaces into, the legacy Free Trial pricing tier was possible only until July 1, 2022.

articles/azure-signalr/signalr-howto-diagnostic-logs.md

@@ -42,7 +42,9 @@ Platform metrics and the Activity log are collected and stored automatically, bu
 
 Resource Logs aren't collected and stored until you create a diagnostic setting and route them to one or more locations.
 
-See [Create diagnostic setting to collect platform logs and metrics in Azure](../azure-monitor/essentials/diagnostic-settings.md) for the detailed process for creating a diagnostic setting using the Azure portal, CLI, or PowerShell. When you create a diagnostic setting, you specify which categories of logs to collect.
+Resource Logs are grouped into Category groups. Category groups are a collection of different logs to help you achieve different monitoring goals. These groups are defined dynamically and may change over time as new resource logs become available and are added to the category group. Note that this may incur additionally charges. The audit resource log category group allows you to select the resource logs that are necessary for auditing your resource. For more information, see [Diagnostic settings in Azure Monitor: Resource logs](../azure-monitor/essentials/diagnostic-settings.md?tabs=portal#resource-logs).
+
+For the detailed process for creating a diagnostic setting using the Azure portal, CLI, or PowerShell. When you create a diagnostic setting, you specify which categories of logs to collect, see [Create diagnostic setting to collect platform logs and metrics in Azure](../azure-monitor/essentials/diagnostic-settings.md).
 
 The metrics and logs you can collect are discussed in the following sections.
 

articles/data-factory/concepts-change-data-capture-resource.md

@@ -9,7 +9,7 @@ ms.service: data-factory
 ms.subservice: data-movement
 ms.custom:
 ms.topic: conceptual
-ms.date: 08/08/2023
+ms.date: 08/18/2023
 ---
 
 # Change data capture resource overview
@@ -51,6 +51,7 @@ The new Change Data Capture resource in ADF allows for full fidelity change data
 * JSON
 * ORC
 * Parquet
+* Azure Synapse Analytics
 
 ## Known limitations
 * Currently, when creating source/target mappings, each source and target is only allowed to be used once. 
@@ -59,8 +60,16 @@ The new Change Data Capture resource in ADF allows for full fidelity change data
 
 For more information on known limitations and troubleshooting assistance, please reference [this troubleshooting guide](change-data-capture-troubleshoot.md).
 
+## Azure Synapse Analytics as Target
+When using Azure Synapse Analytics as target, the **Staging Settings** is available on the main table canvas. Enabling staging is mandatory when selecting Azure Synapse Analytics as the target. This significantly enhances write performance by utilizing performant bulk loading capability such as COPY INTO command. **Staging Settings** can be configured in two ways: utilizing **Factory settings** or opting for a **Custom settings**. **Factory settings** apply at the factory level. For the first time, if these settings aren't configured, you'll be directed to the global staging setting section for configuration. Once set, all CDC top-level resources will adopt this configuration. **Custom settings** is scoped only for the CDC resource for which it is configured and overrides the **Factory settings**.
+
+> [!NOTE]
+> As we utilize the COPY INTO command to transfer data from the staging location to Azure Synapse Analytics, it is advisable to ensure that all required permissions are pre-configured within Azure Synapse Analytics.
+
+
 > [!NOTE]
 > We always use the last published configuration when starting a CDC. For running CDCs, while your data is being processed, you will be billed 4 v-cores of General Purpose Data Flows.
 
 ## Next steps
 - [Learn how to set up a change data capture resource](how-to-change-data-capture-resource.md).
+- [Learn how to set up a change data capture resource with schema evolution](how-to-change-data-capture-resource-with-schema-evolution.md).

articles/defender-for-cloud/multi-factor-authentication-enforcement.md

@@ -2,14 +2,14 @@
 title: Security recommendations for multi-factor authentication
 description: Learn how to enforce multi-factor authentication for your Azure subscriptions using Microsoft Defender for Cloud
 ms.topic: conceptual
-ms.date: 06/28/2023
+ms.date: 08/14/2023
 ---
 
-# Manage multi-factor authentication (MFA) enforcement on your subscriptions
+# Manage multi-factor authentication (MFA) on your subscriptions
 
-If you're using passwords, only to authenticate your users, you're leaving an attack vector open. Users often use weak passwords or reuse them for multiple services. With [MFA](https://www.microsoft.com/security/business/identity/mfa) enabled, your accounts are more secure, and users can still authenticate to almost any application with single sign-on (SSO).
+If you're using passwords only to authenticate your users, you're leaving an attack vector open. Users often use weak passwords or reuse them for multiple services. With [MFA](https://www.microsoft.com/security/business/identity/mfa) enabled, your accounts are more secure, and users can still authenticate to almost any application with single sign-on (SSO).
 
-There are multiple ways to enable MFA for your Azure Active Directory (AD) users based on the licenses that your organization owns. This page provides the details for each in the context of Microsoft Defender for Cloud.
+There are multiple ways to enable MFA for your Azure Active Directory (Azure AD) users based on the licenses that your organization owns. This page provides the details for each in the context of Microsoft Defender for Cloud.
 
 ## MFA and Microsoft Defender for Cloud
 
@@ -21,7 +21,7 @@ The recommendations in the Enable MFA control ensure you're meeting the recommen
 - Accounts with write permissions on Azure resources should be MFA enabled
 - Accounts with read permissions on Azure resources should be MFA enabled
 
-There are three ways to enable MFA and be compliant with the two recommendations in Defender for Cloud: security defaults, per-user assignment, conditional access (CA) policy.
+There are three ways to enable MFA and be compliant with the two recommendations in Defender for Cloud: security defaults, per-user assignment, and conditional access (CA) policy.
 
 ### Free option - security defaults
 
@@ -33,7 +33,7 @@ Customers with Microsoft 365 can use **Per-user assignment**. In this scenario,
 
 ### MFA for Azure AD Premium customers
 
-For an improved user experience, upgrade to Azure AD Premium P1 or P2 for **conditional access (CA) policy** options. To configure a CA policy, you'll need [Azure Active Directory (AD) tenant permissions](../active-directory/roles/permissions-reference.md).
+For an improved user experience, upgrade to Azure AD Premium P1 or P2 for **conditional access (CA) policy** options. To configure a CA policy, you need [Azure Active Directory (Azure AD) tenant permissions](../active-directory/roles/permissions-reference.md).
 
 Your CA policy must:
 
@@ -51,7 +51,7 @@ Learn more in the [Azure Conditional Access documentation](../active-directory/c
 
 ## Identify accounts without multi-factor authentication (MFA) enabled
 
-You can view the list of user accounts without MFA enabled from either the Defender for Cloud recommendations details page, or using Azure Resource Graph.
+You can view the list of user accounts without MFA enabled from either the Defender for Cloud recommendations details page, or by using the Azure Resource Graph.
 
 ### View the accounts without MFA enabled in the Azure portal
 
@@ -63,24 +63,26 @@ To see which accounts don't have MFA enabled, use the following Azure Resource G
 
 1. Open **Azure Resource Graph Explorer**.
 
-    :::image type="content" source="./media/multi-factor-authentication-enforcement/opening-resource-graph-explorer.png" alt-text="Launching Azure Resource Graph Explorer** recommendation page" :::
+    :::image type="content" source="./media/multi-factor-authentication-enforcement/opening-resource-graph-explorer.png" alt-text="Screenshot showing launching the Azure Resource Graph Explorer** recommendation page"  lightbox="media/multi-factor-authentication-enforcement/opening-resource-graph-explorer.png":::
 
 1. Enter the following query and select **Run query**.
 
-    ```kusto
+    ```
     securityresources
-     | where type == "microsoft.security/assessments"
-     | where properties.displayName contains "Accounts with owner permissions on Azure resources should be MFA enabled"
-     | where properties.status.code == "Unhealthy"
+    | where type =~ "microsoft.security/assessments/subassessments"
+    | where id has "assessments/dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c" or id has "assessments/c0cb17b2-0607-48a7-b0e0-903ed22de39b" or id has "assessments/6240402e-f77c-46fa-9060-a7ce53997754"
+    | parse id with start "/assessments/" assessmentId "/subassessments/" userObjectId
+    | summarize make_list(userObjectId) by strcat(tostring(properties.displayName), " (", assessmentId, ")")
+    | project ["Recommendation Name"] = Column1 , ["Account ObjectIDs"] = list_userObjectId
     ```
 
 1. The `additionalData` property reveals the list of account object IDs for accounts that don't have MFA enforced.
 
     > [!NOTE]
-    > The accounts are shown as object IDs rather than account names to protect the privacy of the account holders.
+    > The 'Account ObjectIDs' column contains the list of account object IDs for accounts that don't have MFA enforced per recommendation.
 
-> [!TIP]
-> Alternatively, you can use the Defender for Cloud REST API method [Assessments - Get](/rest/api/defenderforcloud/assessments/get).
+    > [!TIP]
+    > Alternatively, you can use the Defender for Cloud REST API method [Assessments - Get](/rest/api/defenderforcloud/assessments/get).
 
 ## Next steps
 

articles/defender-for-cloud/plan-multicloud-security-determine-multicloud-dependencies.md

@@ -37,15 +37,16 @@ In Defender for Cloud, you enable specific plans to get Cloud Workload Platform
 - [Defender for Containers](./defender-for-containers-introduction.md): Help secure your Kubernetes clusters with security recommendations and hardening, vulnerability assessments, and runtime protection.
 - [Defender for SQL](./defender-for-sql-usage.md): Protect SQL databases running in AWS and GCP.
 
-### What agent do I need?
+### What extension do I need?
 
-The following table summarizes agent requirements for CWPP.
+The following table summarizes extension requirements for CWPP.
 
-| Agent  |Defender for Servers|Defender for Containers|Defender fo SQL on Machines|
+| Extension  |Defender for Servers|Defender for Containers|Defender for SQL on Machines|
 |:---:|:---:|:---:|:---:|
 |Azure Arc Agent |  ✔  |  ✔ | ✔ |
-|Microsoft Defender for Endpoint extension |✔|
-|Vulnerability assessment| ✔| |
+|Microsoft Defender for Endpoint extension |✔|||
+|Vulnerability assessment| ✔| ||
+|Agentless Disk Scanning| ✔ | ✔ ||
 |Log Analytics or Azure Monitor Agent (preview) extension|✔| |✔|
 |Defender agent| | ✔| |
 |Azure Policy for Kubernetes | | ✔| |
@@ -78,14 +79,14 @@ The following components and requirements are needed to receive full protection
 
 - **Azure Arc agent**: AWS and GCP machines connect to Azure using Azure Arc. The Azure Arc agent connects them.
   - The Azure Arc agent is needed to read security information on the host level and allow Defender for Cloud to deploy the agents/extensions required for complete protection.
-To auto-provision the Azure Arc agent, the OS configuration agent on [GCP VM instances](./quickstart-onboard-gcp.md?pivots=env-settings) and the AWS Systems Manager (SSM) agent for [AWS EC2 instances](./quickstart-onboard-aws.md?pivots=env-settings) must be configured. [Learn more](../azure-arc/servers/agent-overview.md) about the agent.
+  To autoprovision the Azure Arc agent, the OS configuration agent on [GCP VM instances](./quickstart-onboard-gcp.md?pivots=env-settings) and the AWS Systems Manager (SSM) agent for [AWS EC2 instances](./quickstart-onboard-aws.md?pivots=env-settings) must be configured. [Learn more](../azure-arc/servers/agent-overview.md) about the agent.
 - **Defender for Endpoint capabilities**: The [Microsoft Defender for Endpoint](./integration-defender-for-endpoint.md?tabs=linux) agent provides comprehensive endpoint detection and response (EDR) capabilities.
 - **Vulnerability assessment**: Using either the integrated [Qualys vulnerability scanner](./deploy-vulnerability-assessment-vm.md), or the [Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management) solution.
 - **Log Analytics agent/[Azure Monitor Agent](../azure-monitor/agents/agents-overview.md) (AMA) (in preview)**: Collects security-related configuration information and event logs from machines.
 
 #### Check networking requirements
 
-Machines must meet [network requirements](../azure-arc/servers/network-requirements.md?tabs=azure-cloud) before onboarding the agents.  Auto-provisioning is enabled by default.
+Machines must meet [network requirements](../azure-arc/servers/network-requirements.md?tabs=azure-cloud) before onboarding the agents.  Autoprovisioning is enabled by default.
 
 ### Defender for Containers
 
@@ -119,7 +120,7 @@ To receive the full benefits of Defender for SQL on your multicloud workload, yo
 
 - **Azure Arc agent**: AWS and GCP machines connect to Azure using Azure Arc. The Azure Arc agent connects them.
   - The Azure Arc agent is needed to read security information on the host level and allow Defender for Cloud to deploy the agents/extensions required for complete protection.
-  - To auto-provision the Azure Arc agent, the OS configuration agent on [GCP VM instances](./quickstart-onboard-gcp.md?pivots=env-settings) and the AWS Systems Manager (SSM) agent for [AWS EC2 instances](./quickstart-onboard-aws.md?pivots=env-settings) must be configured. [Learn more](../azure-arc/servers/agent-overview.md) about the agent.
+  - To autoprovision the Azure Arc agent, the OS configuration agent on [GCP VM instances](./quickstart-onboard-gcp.md?pivots=env-settings) and the AWS Systems Manager (SSM) agent for [AWS EC2 instances](./quickstart-onboard-aws.md?pivots=env-settings) must be configured. [Learn more](../azure-arc/servers/agent-overview.md) about the agent.
 - **Log Analytics agent/[Azure Monitor Agent](../azure-monitor/agents/agents-overview.md) (AMA) (in preview)**: Collects security-related configuration information and event logs from machines
 - **Automatic SQL server discovery and registration**: Supports automatic discovery and registration of SQL servers