Merge pull request #269859 from MicrosoftDocs/repo_sync_working_branch

Taojunshen · web-flow · commit da7831d037bc · 2024-03-22T06:00:45.000+08:00
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)
diff --git a/articles/active-directory-b2c/custom-domain.md b/articles/active-directory-b2c/custom-domain.md
@@ -331,14 +331,6 @@ https://<domain-name>/11111111-1111-1111-1111-111111111111/v2.0/
 ```
 ::: zone pivot="b2c-custom-policy"
 
-## (Optional) Block access to the default domain name
-
-After you add the custom domain and configure your application, users will still be able to access the &lt;tenant-name&gt;.b2clogin.com domain. If you want to prevent access, you can configure the policy to check the authorization request "host name" against an allowed list of domains. The host name is the domain name that appears in the URL. The host name is available through `{Context:HostName}` [claim resolvers](claim-resolver-overview.md). Then you can present a custom error message. 
-
-1. Get the example of a conditional access policy that checks the host name from [GitHub](https://github.com/azure-ad-b2c/samples/tree/master/policies/check-host-name).
-1. In each file, replace the string `yourtenant` with the name of your Azure AD B2C tenant. For example, if the name of your B2C tenant is *contosob2c*, all instances of `yourtenant.onmicrosoft.com` become `contosob2c.onmicrosoft.com`.
-1. Upload the policy files in the following order: `B2C_1A_TrustFrameworkExtensions_HostName.xml` and then `B2C_1A_signup_signin_HostName.xml`.
-
 ::: zone-end
 
 
diff --git a/articles/azure-government/compliance/azure-services-in-fedramp-auditscope.md b/articles/azure-government/compliance/azure-services-in-fedramp-auditscope.md
@@ -325,7 +325,7 @@ This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
 | [Cloud Services](../../cloud-services/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |
 | [Cloud Shell](../../cloud-shell/overview.md) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |
 | **Service** | **FedRAMP High** | **DoD IL2** | **DoD IL4** | **DoD IL5** | **DoD IL6** |
-| [Cognitive Search](../../search/index.yml) (formerly Azure Search) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |
+| [Azure AI Search](../../search/index.yml) (formerly Azure Cognitive Search) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |
 | [Azure AI services: Computer Vision](../../ai-services/computer-vision/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |
 | [Azure AI services: Content Moderator](../../ai-services/content-moderator/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |
 | [Azure AI containers](../../ai-services/cognitive-services-container-support.md) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |
diff --git a/articles/azure-vmware/azure-vmware-solution-platform-updates.md b/articles/azure-vmware/azure-vmware-solution-platform-updates.md
@@ -126,7 +126,7 @@ AV52 is now available in the East US 2 Region. This node size is used for inte
 
 **Customer-managed keys using Azure Key Vault**
 
-You can use customer-managed keys to bring and manage your master encryption keys to encrypt vSAN. Azure Key Vault allows you to store your privately managed keys securely to access your Azure VMware Solution data.
+You can use customer-managed keys to bring and manage your master encryption keys to encrypt vSAN data. Azure Key Vault allows you to store your privately managed keys securely to access your Azure VMware Solution data.
 
 **Azure NetApp Files - more storage options available**    
 
@@ -140,7 +140,7 @@ For more information, see [Azure Migration and Modernization blog](https://techc
 
 ## January 2023
 
-Starting January 2023, all new Azure VMware Solution private clouds are being deployed with Microsoft signed TLS certificate for vCenter Server and NSX-T Data Center.
+Starting January 2023, all new Azure VMware Solution private clouds are being deployed with Microsoft signed TLS certificate for vCenter Server and NSX.
 
 ## November 2022
 
diff --git a/articles/azure-vmware/faq.yml b/articles/azure-vmware/faq.yml
@@ -245,7 +245,7 @@ sections:
         answer: Each ESXi host has two vSAN disk groups with a capacity tier of 15.2 TB and a 3.2-TB NVMe cache tier (1.6 TB in each disk group).      
 
       - question: Is data stored on the vSAN datastores encrypted at rest?
-        answer: Yes, vSAN datastores use data-at-rest encryption by default using keys stored in Azure Key Vault. The encryption solution is KMS-based and supports vCenter Server operations for key management.  When a host is removed from a vSphere cluster, data on SSDs is invalidated immediately.
+        answer: Yes, vSAN datastores use data-at-rest encryption by default using keys stored in Azure Key Vault. The encryption solution is KMS-based and supports vCenter Server operations for key management.  When a host is removed from a vSphere cluster, data on disk is invalidated immediately.
 
       - question: Can I rename a datastore or cluster during creation?
         answer: No, you can't change the name of datastores or clusters.
diff --git a/articles/cosmos-db/emulator.md b/articles/cosmos-db/emulator.md
@@ -51,7 +51,7 @@ Every request made against the emulator must be authenticated using a key over T
 
 ## Import emulator certificate
 
-In some cases, you may wish to manually import the TLS/SS certificate from the emulator's running container into your host machine. This step avoids bad practices like disabling TLS/SSL validation in the SDK. For more information, see [import certificate](how-to-develop-emulator.md#export-the-emulators-tlsssl-certificate).
+In some cases, you may wish to manually import the TLS/SS certificate from the emulator's running container into your host machine. This step avoids bad practices like disabling TLS/SSL validation in the SDK. For more information, see [import certificate](how-to-develop-emulator.md#import-the-emulators-tlsssl-certificate).
 
 ## Next step
 
diff --git a/articles/cosmos-db/how-to-develop-emulator.md b/articles/cosmos-db/how-to-develop-emulator.md
@@ -351,9 +351,9 @@ The Docker (Windows) container image doesn't support the API for MongoDB.
 
 ::: zone-end
 
-## Export the emulator's TLS/SSL certificate
+## Import the emulator's TLS/SSL certificate
 
-Export the certificate for the emulator to use the emulator with your preferred developer SDK without disable TLS/SSL on the client.
+Import the emulator's TLS/SSL certificate to use the emulator with your preferred developer SDK without disabling TLS/SSL on the client.
 
 ::: zone pivot="api-apache-cassandra,api-apache-gremlin,api-table"
 
@@ -371,7 +371,7 @@ The Windows local installation of the emulator automatically imports the TLS/SSL
 
 ### [Docker (Linux container)](#tab/docker-linux)
 
-The certificate for the emulator is available in the `_explorer/emulator.pem` path on the running container. Use `curl` to download the certificate from the running container to your local machine.
+The certificate for the emulator is available at the path `_explorer/emulator.pem` on the running container. Use `curl` to download the certificate from the running container to your local machine.
 
 ```bash
 curl -k https://localhost:8081/_explorer/emulator.pem > ~/emulatorcert.crt
@@ -391,7 +391,7 @@ The Windows local installation of the emulator automatically imports the TLS/SSL
 
 ### [Docker (Linux container) / Docker (Windows container)](#tab/docker-linux+docker-windows)
 
-The certificate for the emulator is available in the `_explorer/emulator.pem` path on the running container.
+The certificate for the emulator is available at the path `_explorer/emulator.pem` on the running container.
 
 1. Use `curl` to download the certificate from the running container to your local machine.
 
@@ -407,6 +407,20 @@ The certificate for the emulator is available in the `_explorer/emulator.pem` pa
     ```bash
     cp ~/emulatorcert.crt /usr/local/share/ca-certificates/
     ```
+1. Update CA certificates and regenerate the certificate bundle by using the appropriate command for your Linux distribution.
+    
+    For **Debian-based** systems (e.g., Ubuntu), use:
+
+    ```bash
+    sudo update-ca-certificates
+    ```
+
+    For **Red Hat-based** systems (e.g., CentOS, Fedora), use:
+    ```bash
+    sudo update-ca-trust
+    ```
+
+    For more detailed instructions, consult the documentation specific to your Linux distribution.
 
 ### [Windows (local)](#tab/windows)
 
@@ -418,7 +432,7 @@ The Windows local installation of the emulator automatically imports the TLS/SSL
 
 ## Connect to the emulator from the SDK
 
-Each SDK includes a client class typically used to connect the SDK to your Azure Cosmos DB account. Using the [emulator's credentials](emulator.md#authentication), you can connect the SDK to the emulator instance instead.
+Each SDK includes a client class typically used to connect the SDK to your Azure Cosmos DB account. By using the [emulator's credentials](emulator.md#authentication), you can connect the SDK to the emulator instance instead.
 
 ::: zone pivot="api-nosql"  
 
@@ -467,7 +481,7 @@ Use the [Azure Cosmos DB API for NoSQL .NET SDK](nosql/quickstart-dotnet.md) to
     ```
 
     > [!WARNING]
-    > If you get a SSL error, you may need to disable TLS/SSL for your application. This commonly occurs if you are developing on your local machine, using the Azure Cosmos DB emulator in a container, and have not [imported the container's SSL certificate](#export-the-emulators-tlsssl-certificate). To resolve this, configure the client's options to disable TLS/SSL validation before creating the client:
+    > If you get a SSL error, you may need to disable TLS/SSL for your application. This commonly occurs if you are developing on your local machine, using the Azure Cosmos DB emulator in a container, and have not [imported the container's SSL certificate](#import-the-emulators-tlsssl-certificate). To resolve this, configure the client's options to disable TLS/SSL validation before creating the client:
     >
     > ```csharp
     > CosmosClientOptions options = new ()
@@ -527,7 +541,7 @@ Use the [Azure Cosmos DB API for NoSQL Python SDK](nosql/quickstart-python.md) t
     ```
 
     > [!WARNING]
-    > If you get a SSL error, you may need to disable TLS/SSL for your application. This commonly occurs if you are developing on your local machine, using the Azure Cosmos DB emulator in a container, and have not [imported the container's SSL certificate](#export-the-emulators-tlsssl-certificate). To resolve this, configure the application to disable TLS/SSL validation before creating the client:
+    > If you get a SSL error, you may need to disable TLS/SSL for your application. This commonly occurs if you are developing on your local machine, using the Azure Cosmos DB emulator in a container, and have not [imported the container's SSL certificate](#import-the-emulators-tlsssl-certificate). To resolve this, configure the application to disable TLS/SSL validation before creating the client:
     >
     > ```python
     > import urllib3
@@ -536,6 +550,41 @@ Use the [Azure Cosmos DB API for NoSQL Python SDK](nosql/quickstart-python.md) t
     > ```
     >
 
+    If you are still facing SSL errors, it is possible that Python is retrieving the certificates from a different certificate store. To determine the path where Python is looking for the certificates, follow these steps:
+    >[!IMPORTANT]
+    >If you are using a Python **virtual environment** (venv) ensure it is **activated** before running the commands!
+    1. Open a terminal
+    1. Start the Python interpreter by typing python or python3, depending on your Python version.
+    1. In the Python interpreter, run the following commands:
+        ```python
+        from requests.utils import DEFAULT_CA_BUNDLE_PATH
+        print(DEFAULT_CA_BUNDLE_PATH)
+        ```
+
+        **Inside a virtual environment**, the path may be (at least in Ubuntu):
+        ```bash
+        path/to/venv/lib/pythonX.XX/site-packages/certifi/cacert.pem
+        ```
+
+        **Outside of a virtual environment**, the path may be (at least in Ubuntu):
+        ```bash
+        /etc/ssl/certs/ca-certificates.crt
+        ```
+
+    1. Once you have identified the DEFAULT_CA_BUNDLE_PATH, open a **new terminal** and run the following commands to append the emulator certificate to the certificate bundle:
+        > [!IMPORTANT]
+        > If DEFAULT_CA_BUNDLE_PATH variable points to a **system directory**, you might encounter a **"Permission denied"** error. In this case, you will need to run the commands with elevated privileges (as root). Also, you will need to [update and regenerate the certificate bundle](#import-the-emulators-tlsssl-certificate) after executing the provided commands.
+
+        ```bash
+        # Add a new line to the certificate bundle
+        echo >> /path/to/ca_bundle
+        ```
+
+        ```bash
+        # Append the emulator certificate to the certificate bundle
+        cat /path/to/emulatorcert.crt >> /path/to/ca_bundle
+        ```
+
 ### [JavaScript / Node.js](#tab/javascript+nodejs)
 
 Use the [Azure Cosmos DB API for NoSQL Node.js SDK](nosql/quickstart-nodejs.md) to connect to the emulator from a Node.js/JavaScript application.
@@ -579,7 +628,7 @@ Use the [Azure Cosmos DB API for NoSQL Node.js SDK](nosql/quickstart-nodejs.md)
     ```
 
     > [!WARNING]
-    > If you get a SSL error, you may need to disable TLS/SSL for your application. This commonly occurs if you are developing on your local machine, using the Azure Cosmos DB emulator in a container, and have not [imported the container's SSL certificate](#export-the-emulators-tlsssl-certificate). To resolve this, configure the application to disable TLS/SSL validation before creating the client:
+    > If you get a SSL error, you may need to disable TLS/SSL for your application. This commonly occurs if you are developing on your local machine, using the Azure Cosmos DB emulator in a container, and have not [imported the container's SSL certificate](#import-the-emulators-tlsssl-certificate). To resolve this, configure the application to disable TLS/SSL validation before creating the client:
     >
     > ```javascript
     > process.env.NODE_TLS_REJECT_UNAUTHORIZED = 0
@@ -715,7 +764,7 @@ Use the [MongoDB Node.js driver](mongodb/quickstart-nodejs.md) to connect to the
     ```
 
     > [!WARNING]
-    > If you get a SSL error, you may need to disable TLS/SSL for your application. This commonly occurs if you are developing on your local machine, using the Azure Cosmos DB emulator in a container, and have not [imported the container's SSL certificate](#export-the-emulators-tlsssl-certificate). To resolve this, configure the application to disable TLS/SSL validation before creating the client:
+    > If you get a SSL error, you may need to disable TLS/SSL for your application. This commonly occurs if you are developing on your local machine, using the Azure Cosmos DB emulator in a container, and have not [imported the container's SSL certificate](#import-the-emulators-tlsssl-certificate). To resolve this, configure the application to disable TLS/SSL validation before creating the client:
     >
     > ```javascript
     > const client = new MongoClient(
@@ -858,7 +907,7 @@ Use the [Apache Cassandra Node.js driver](cassandra/manage-data-nodejs.md) to us
     ```
 
     > [!WARNING]
-    > If you get a SSL error, you may need to disable TLS/SSL for your application. This commonly occurs if you are developing on your local machine, using the Azure Cosmos DB emulator in a container, and have not [imported the container's SSL certificate](#export-the-emulators-tlsssl-certificate). To resolve this, configure the client to disable TLS/SSL validation:
+    > If you get a SSL error, you may need to disable TLS/SSL for your application. This commonly occurs if you are developing on your local machine, using the Azure Cosmos DB emulator in a container, and have not [imported the container's SSL certificate](#import-the-emulators-tlsssl-certificate). To resolve this, configure the client to disable TLS/SSL validation:
     >
     > ```javascript
     > const client = new Client({
@@ -1136,7 +1185,7 @@ Use the [Azure Tables JavaScript SDK](cassandra/manage-data-nodejs.md) to use th
     ```
 
     > [!WARNING]
-    > If you get a SSL error, you may need to disable TLS/SSL for your application. This commonly occurs if you are developing on your local machine, using the Azure Cosmos DB emulator in a container, and have not [imported the container's SSL certificate](#export-the-emulators-tlsssl-certificate). To resolve this, configure the client to disable TLS/SSL validation:
+    > If you get a SSL error, you may need to disable TLS/SSL for your application. This commonly occurs if you are developing on your local machine, using the Azure Cosmos DB emulator in a container, and have not [imported the container's SSL certificate](#import-the-emulators-tlsssl-certificate). To resolve this, configure the client to disable TLS/SSL validation:
     >
     > ```javascript
     > const client = TableClient.fromConnectionString(
diff --git a/articles/cosmos-db/mongodb/vcore/quickstart-bicep.md b/articles/cosmos-db/mongodb/vcore/quickstart-bicep.md
@@ -76,8 +76,8 @@ resource firewallRules 'Microsoft.DocumentDB/mongoClusters/firewallRules@2022-10
 
 Two Azure resources are defined in the Bicep file:
 
-- [`Microsoft.DocumentDB/databaseAccounts`](/azure/templates/microsoft.documentdb/databaseAccounts?pivots=deployment-language-bicep): Creates an Azure Cosmos DB for MongoDB vCore cluster.
-  - [`Microsoft.DocumentDB/databaseAccounts/sqlDatabases`](/azure/templates/microsoft.documentdb/databaseAccounts?pivots=deployment-language-bicep): Creates firewall rules for the Azure Cosmos DB for MongoDB vCore cluster.
+- [`Microsoft.DocumentDB/mongoclusters`](/azure/templates/microsoft.documentdb/mongoclusters?pivots=deployment-language-bicep): Creates an Azure Cosmos DB for MongoDB vCore cluster.
+  - [`Microsoft.DocumentDB/mongoClusters/firewallRules`](/azure/templates/microsoft.documentdb/mongoclusters?pivots=deployment-language-bicep): Creates firewall rules for the Azure Cosmos DB for MongoDB vCore cluster.
 
 ## Deploy the Bicep file
 
diff --git a/articles/dev-box/concept-dev-box-network-requirements.md b/articles/dev-box/concept-dev-box-network-requirements.md
@@ -34,6 +34,9 @@ To use your own network and provision [Microsoft Entra hybrid joined](/azure/dev
 
 When connecting to resources on-premises through Microsoft Entra hybrid joins, work with your Azure network topology expert. Best practice is to implement a [hub-and-spoke network topology](/azure/cloud-adoption-framework/ready/azure-best-practices/hub-spoke-network-topology). The hub is the central point that connects to your on-premises network; you can use an Express Route, a site-to-site VPN, or a point-to-site VPN. The spoke is the virtual network that contains the dev boxes. You peer the dev box virtual network to the on-premises connected virtual network to provide access to on-premises resources. Hub and spoke topology can help you manage network traffic and security. 
 
+> [!IMPORTANT]
+> When using your own network, Microsoft Dev Box currently does not support moving network interfaces to a different virtual network or a different subnet. 
+
 ## Allow network connectivity
 
 In your network configuration, you must allow traffic to the following service URLs and ports to support provisioning, management, and remote connectivity of dev boxes.
diff --git a/articles/sentinel/quickstart-onboard.md b/articles/sentinel/quickstart-onboard.md
@@ -1,5 +1,5 @@
 ---
-title: 'Quickstart: Onboard in Microsoft Sentinel'
+title: 'Quickstart: Onboard to Microsoft Sentinel'
 description: In this quickstart, you enable Microsoft Sentinel, and set up data connectors to monitor and protect your environment.
 author: yelevin
 ms.author: yelevin
@@ -44,16 +44,18 @@ To get started, add Microsoft Sentinel to an existing workspace or create a new
 
     :::image type="content" source="media/quickstart-onboard/search-product.png" alt-text="Screenshot of searching for a service while enabling Microsoft Sentinel.":::   
 
-1. Select **Add**.
+1. Select **Create**.
 
 1. Select the workspace you want to use or create a new one. You can run Microsoft Sentinel on more than one workspace, but the data is isolated to a single workspace.
 
     :::image type="content" source="media/quickstart-onboard/choose-workspace.png" alt-text="Screenshot of choosing a workspace while enabling Microsoft Sentinel.":::      
  
    - The default workspaces created by Microsoft Defender for Cloud aren't shown in the list. You can't install Microsoft Sentinel on these workspaces.
-   - Once deployed on a workspace, Microsoft Sentinel **doesn't currently support** moving that workspace to another resource group or subscription.
+   - Once deployed on a workspace, Microsoft Sentinel **doesn't support** moving that workspace to another resource group or subscription.
+
+1. Select **Add**.
 
-1. Select **Add Microsoft Sentinel**.
+As an alternative to using the portal, you can onboard to Microsoft Sentinel using an API request, by calling the [OnboardingStates ARM api](/rest/api/securityinsights/sentinel-onboarding-states/create?view=rest-securityinsights-2024-03-01&preserve-view=true&tabs=HTTP).
 
 ## Install a solution from the content hub
 
