Merge pull request #291007 from MicrosoftDocs/main

Publish to live, Monday 4 AM PST, 11/25

Author: ttorble

articles/backup/backup-azure-arm-restore-vms.md

@@ -330,34 +330,69 @@ For more information, see [Back up and restore Active Directory domain controlle
 
 Managed identities eliminate the need for the user to maintain the credentials. Managed identities provide an identity for applications to use when connecting to resources that support Microsoft Entra authentication.  
 
-Azure Backup offers the flexibility to restore the managed Azure VM with [managed identities](../active-directory/managed-identities-azure-resources/overview.md). You can choose to select [system-managed identities](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) or user-managed identities as shown in the figure below. This is introduced as one of the input parameters in the [**Restore configuration** blade](#create-a-vm) of Azure VM. Managed identities used as one of the input parameters is only used for accessing the storage accounts, which are used as staging location during restore and not for any other Azure resource controlling. These managed identities have to be associated to the vault.
+Azure Backup offers the flexibility to restore the managed Azure VM with [managed identities](../active-directory/managed-identities-azure-resources/overview.md). You can choose to select [system-managed identities](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) or user-managed identities as shown in the figure below. This is introduced as one of the input parameters in the [**Restore configuration** blade](#create-a-vm) of Azure VM. Managed identities are used for accessing the storage accounts and automated cleanup of any resources created during restore process in case of restore failures. These managed identities have to be associated to the vault.
 
 :::image type="content" source="./media/backup-azure-arm-restore-vms/select-system-managed-identities-or-user-managed-identities.png" alt-text="Screenshot for choice to select system-managed identities or user-managed identities.":::
 
-If you choose to select system-assigned or user-assigned managed identities, check for the below actions for managed identity on the target staging Storage Account.
+If you choose to select system-assigned or user-assigned managed identities, check for the below actions for managed identity on the target staging Storage Account and Resource Group.
 
 ```json
 "permissions": [
-  {
-    "actions": [
-        "Microsoft.Authorization/*/read",
-        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
-        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
-        "Microsoft.Storage/storageAccounts/blobServices/containers/write"
-    ],
-    "notActions": [],
-    "dataActions": [
-      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
-      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
-      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
-      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
-    ],
-    "notDataActions": []
-  }
-]
+            {
+                "actions": [
+                    "Microsoft.Authorization/*/read",
+                    "Microsoft.Compute/disks/read",
+                    "Microsoft.Compute/disks/write",
+                    "Microsoft.Compute/disks/delete",
+                    "Microsoft.Compute/disks/beginGetAccess/action",
+                    "Microsoft.Compute/disks/endGetAccess/action",
+                    "Microsoft.Compute/locations/diskOperations/read",
+                    "Microsoft.Compute/virtualMachines/read",
+                    "Microsoft.Compute/virtualMachines/write",
+                    "Microsoft.Compute/virtualMachines/delete",
+                    "Microsoft.Compute/virtualMachines/instanceView/read",
+                    "Microsoft.Compute/virtualMachines/extensions/read",
+                    "Microsoft.Compute/virtualMachines/extensions/write",
+                    "Microsoft.Compute/virtualMachines/extensions/delete",
+                    "Microsoft.Insights/alertRules/*",
+                    "Microsoft.Network/locations/operationResults/read",
+                    "Microsoft.Network/locations/operations/read",
+                    "Microsoft.Network/locations/usages/read",
+                    "Microsoft.Network/networkInterfaces/delete",
+                    "Microsoft.Network/networkInterfaces/ipconfigurations/read",
+                    "Microsoft.Network/networkInterfaces/join/action",
+                    "Microsoft.Network/networkInterfaces/read",
+                    "Microsoft.Network/networkInterfaces/write",
+                    "Microsoft.Network/networkSecurityGroups/read",
+                    "Microsoft.Network/networkSecurityGroups/securityRules/read",
+                    "Microsoft.Network/publicIPAddresses/delete",
+                    "Microsoft.Network/publicIPAddresses/join/action",
+                    "Microsoft.Network/publicIPAddresses/read",
+                    "Microsoft.Network/publicIPAddresses/write",
+                    "Microsoft.Network/virtualNetworks/read",
+                    "Microsoft.Network/virtualNetworks/subnets/join/action",
+                    "Microsoft.Network/virtualNetworks/subnets/read",
+                    "Microsoft.Resources/deployments/*",
+                    "Microsoft.Resources/subscriptions/resourceGroups/read",
+                    "Microsoft.Storage/checkNameAvailability/read",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
+                    "Microsoft.Storage/storageAccounts/listKeys/action",
+                    "Microsoft.Storage/storageAccounts/read",
+                    "Microsoft.Storage/storageAccounts/write"
+                ],
+                "notActions": [],
+                "dataActions": [
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
+                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
+                ],
+
 ```
 
-Or, add the role assignment on the staging location (Storage Account) to have [Storage account Backup Contributor](./blob-backup-configure-manage.md#grant-permissions-to-the-backup-vault-on-storage-accounts) and [Storage Blob data Contributor](../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) for the successful restore operation.
+Or, add the **VM restore operator** role assignment on the staging location (Storage Account) and target Resource Group for the successful restore operation.
 
 :::image type="content" source="./media/backup-azure-arm-restore-vms/add-role-assignment-on-staging-location.png" alt-text="Screenshot for adding the role assignment on the staging location.":::
 

articles/backup/backup-client-automation.md

@@ -139,7 +139,7 @@ $CredsFilename = Get-AzRecoveryServicesVaultSettingsFile -Backup -Vault $Vault1
 In the latest Az module of PowerShell, because of underlying platform limitations, downloading the vault credentials requires a self-signed certificate. The following example shows how to provide a self-signed certificate and download the vault credentials.
 
 ```powershell
-$dt = $(Get-Date).ToString("M-d-yyyy")
+
 $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -FriendlyName 'test-vaultcredentials' -subject "Windows Azure Tools" -KeyExportPolicy Exportable -NotAfter $(Get-Date).AddHours(48) -NotBefore $(Get-Date).AddHours(-24) -KeyProtection None -KeyUsage None -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") -Provider "Microsoft Enhanced Cryptographic Provider v1.0"
 $certficate = [convert]::ToBase64String($cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx))
 $CredsFilename = Get-AzRecoveryServicesVaultSettingsFile -Backup -Vault $Vault -Path $CredsPath -Certificate $certficate

articles/expressroute/metro.md

@@ -5,7 +5,7 @@ services: expressroute
 author: duongau
 ms.service: azure-expressroute
 ms.topic: conceptual
-ms.date: 06/03/2024
+ms.date: 11/24/2024
 ms.author: duau
 ms.custom: references_regions, ai-usage
 ---
@@ -40,9 +40,9 @@ The following diagram allows for a comparison between the standard ExpressRoute
 
 | Metro location | Peering locations | Location address | Zone | Local Azure Region | ER Direct | Service Provider |
 |--|--|--|--|--|--|--|
-| Amsterdam Metro | Amsterdam<br>Amsterdam2 | Equinix AM5<br>Digital Realty AMS8 | 1 | West Europe | &check; | Colt<sup>1</sup><br>Console Connect<sup>1</sup><br>Digital Realty<br>Equinix<br>euNetworks<br><br>Megaport<br> |
-| Singapore Metro | Singapore<br>Singapore2 | Equinix SG1<br>Global Switch Tai Seng | 2 | Southeast Asia | &check; | Console Connect<sup>1</sup><br>Equinix<br>Megaport |
-| Zurich Metro | Zurich<br>Zurich2 | Digital Realty ZUR2<br>Equinix ZH5 | 1 | Switzerland North | &check; | Colt<sup>1</sup><br>Digital Realty |
+| Amsterdam Metro | Amsterdam<br>Amsterdam2 | Equinix AM5<br>Digital Realty AMS8 | 1 | West Europe | &check; | Colt<br>Digital Realty<br>Equinix<br>euNetworks<br><br>Megaport<br> |
+| Singapore Metro | Singapore<br>Singapore2 | Equinix SG1<br>Global Switch Tai Seng | 2 | Southeast Asia | &check; | Colt<br>Equinix<br>Megaport |
+| Zurich Metro | Zurich<br>Zurich2 | Digital Realty ZUR2<br>Equinix ZH5 | 1 | Switzerland North | &check; | Colt<br>Digital Realty |
 
 <sup>1<sup> These service providers will be available in the future.
 

articles/frontdoor/front-door-caching.md

@@ -206,6 +206,7 @@ The following request headers don't get forwarded to the origin when caching is
 - `Accept`
 - `Accept-Charset`
 - `Accept-Language`
+- `Vary`
 
 > [!NOTE]
 > Requests that include authorization header will not be cached, unless the response contains a Cache-Control directive that allows caching. The following Cache-Control directives have such an effect: must-revalidate, public, and s-maxage.

articles/hdinsight/configure-azure-blob-storage.md

@@ -3,7 +3,7 @@ title: Configure Azure Blob Storage on Azure HDInsight
 description: Learn how to Configure Azure Blob storage on Azure HDInsight.
 ms.service: azure-hdinsight
 ms.topic: how-to
-ms.date: 11/15/2023
+ms.date: 11/25/2023
 
 ---
 # Configure Azure Blob Storage as primary storage account in Azure HDInsight
@@ -82,7 +82,22 @@ Same thing can be achieved via ARM request if that is how you want to create HDI
 
     } 
     ```  
-     
+
+## MSI based Script Action using primary Azure Blob Storage storage 
+
+Previously while adding the primary storage as Azure Blob Storage storage in the Azure HDInsight cluster, you can't provide MSI for authentication. 
+Also to access a script action that isn't accessible anonymously, you need to mention the SAS Key in the script action parameters, so the Azure HDInsight Cluster can access the script for execution.
+
+Now, you can add Azure Blob Storage storage in Azure HDInsight cluster as a primary storage using MSI. 
+
+Hence there's no need to provide the SAS key in the script action parameters, while adding the script action, if the script uploaded to the  primary Azure Blob Storage storage account. 
+
+The script is downloaded and implemented. This will work even if the script isn't publicly accessible. 
+
+The new feature specifically supports scripts that aren't publicly accessible but don't require a SAS key or token. This provides an additional layer of security for scripts that need to be kept private. 
+
+The conventional script action in which is anonymously accessible or if a SAS key is passed along with the script URI, still works without any changes. For more information, see [Customize Azure HDInsight clusters by using script actions](./hdinsight-hadoop-customize-cluster-linux.md)     
+
 ## Next steps
 
 * [Use Azure Data Lake Storage Gen2 with Azure HDInsight clusters](./hdinsight-managed-identities.md)

articles/role-based-access-control/built-in-roles.md

@@ -71,6 +71,7 @@ The following table provides a brief description of each built-in role. Click th
 > | <a name='virtual-machine-data-access-administrator-preview'></a>[Virtual Machine Data Access Administrator (preview)](./built-in-roles/compute.md#virtual-machine-data-access-administrator-preview) | Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments. | 66f75aeb-eabe-4b70-9f1e-c350c4c9ad04 |
 > | <a name='virtual-machine-local-user-login'></a>[Virtual Machine Local User Login](./built-in-roles/compute.md#virtual-machine-local-user-login) | View Virtual Machines in the portal and login as a local user configured on the arc server | 602da2ba-a5c2-41da-b01d-5360126ab525 |
 > | <a name='virtual-machine-user-login'></a>[Virtual Machine User Login](./built-in-roles/compute.md#virtual-machine-user-login) | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 |
+> | [Virtual Machine Restore Operator](/azure/role-based-access-control/built-in-roles/compute#virtual-machine-operator) | Provides permissions to Recovery Services vault to staging storage account and target resource group for VM restore operations. | dfce897125e342e3ba336055438e3080 |
 > | <a name='windows-365-network-interface-contributor'></a>[Windows 365 Network Interface Contributor](./built-in-roles/compute.md#windows-365-network-interface-contributor) | This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces. | 1f135831-5bbe-4924-9016-264044c00788 |
 > | <a name='windows-365-network-user'></a>[Windows 365 Network User](./built-in-roles/compute.md#windows-365-network-user) | This role is used by Windows 365 to read virtual networks and join the designated virtual networks. | 7eabc9a4-85f7-4f71-b8ab-75daaccc1033 |
 > | <a name='windows-admin-center-administrator-login'></a>[Windows Admin Center Administrator Login](./built-in-roles/compute.md#windows-admin-center-administrator-login) | Let's you manage the OS of your resource via Windows Admin Center as an administrator. | a6333a3e-0164-44c3-b281-7a577aff287f |