Merge pull request #285705 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)

Author: Taojunshen

articles/backup/backup-sql-server-azure-troubleshoot.md

@@ -226,7 +226,7 @@ AzureBackup workload extension operation failed. | The VM is shut down, or the V
 
 | Error message | Possible causes | Recommended actions |
 |---|---|---|
-The VM is not able to contact Azure Backup service due to internet connectivity issues. | The VM needs outbound connectivity to Azure Backup Service, Azure Storage, or Microsoft Entra services.| <li> If you use NSG to restrict connectivity, then you should use the *AzureBackup* service tag to allows outbound access to Azure Backup Service, and similarly for the Microsoft Entra ID (*AzureActiveDirectory*) and Azure Storage(*Storage*) services. Follow these [steps](./backup-sql-server-database-azure-vms.md#nsg-tags) to grant access. <li> Ensure DNS is resolving Azure endpoints. <li> Check if the VM is behind a load balancer blocking internet access. By assigning public IP to the VMs, discovery will work. <li> Verify there's no firewall/antivirus/proxy that are blocking calls to the above three target services.
+The VM is not able to contact Azure Backup service due to internet connectivity issues. | The VM needs outbound connectivity to Azure Backup Service, Azure Storage, or Microsoft Entra services.| <li> If you use NSG to restrict connectivity, then you should use the *AzureBackup* service tag to allow outbound access to Azure Backup Service, and similarly for the Microsoft Entra ID (*AzureActiveDirectory*) and Azure Storage(*Storage*) services. Follow these [steps](./backup-sql-server-database-azure-vms.md#nsg-tags) to grant access. <li> Ensure DNS is resolving Azure endpoints. <li> Check if the VM is behind a load balancer blocking internet access. By assigning public IP to the VMs, discovery will work. <li> Verify there's no firewall/antivirus/proxy that are blocking calls to the above three target services.
 
 ### UserErrorOperationNotAllowedDatabaseMirroringEnabled
 

articles/cost-management-billing/microsoft-customer-agreement/onboard-microsoft-customer-agreement.md

@@ -213,7 +213,8 @@ This section of the onboarding guide describes the steps you follow to migrate f
 The following points help you plan for your migration from EA to MCA:
 
 - Migrating from EA to MCA redirects your charges from your EA enrollment to your MCA billing account after you complete the subscription migration. The change goes into effect immediately. Any charges incurred up to the point of migration are invoiced to the EA and must be settled on that enrollment. There's no effect on your services and no downtime.
-- You can continue to see your historic charges in the Azure portal under your EA enrollment billing scope. Historical charges aren't visible in cost analysis when migration completes if you're an Account owner or a subscription owner without access to view the EA billing scope. We recommend that you [download your cost and usage data and invoices](../understand/download-azure-daily-usage.md) before you transfer subscriptions.
+- You can continue to see your historic charges in the Azure portal under your EA enrollment billing scope. Historical charges are visible in cost analysis when migration completes if you are an Account Owner or Enterprise Administrator for the enrollment.
+- Subscription ownership does not provide access to historical data since there is no access to the EA Billing Scope. We recommend that you [download your cost and usage data and invoices](../understand/download-azure-daily-usage.md) before you transfer subscriptions.
 - Depending on the timing of your migration, you might receive two invoices, one EA and one MCA, in the transition month. The MCA invoice covers usage for a calendar month and is generated from the fifth to the seventh day of the month following the usage.
 - To ensure your MCA invoice gets received by the right person or group, you must add an accounts payable email address as an invoice recipient's contact to the MCA. For more information, see [share your billing profiles invoice](../understand/download-azure-invoice.md#share-your-billing-profiles-invoice).
 - If you use Cost Management APIs for reporting purposes, familiarize yourself with [Other actions to manage your MCA](#other-actions-to-manage-your-mca).

articles/expressroute/expressroute-network-insights.md

@@ -37,7 +37,7 @@ This article explains how Network Insights can help you view  your ExpressRoute
 
 ## View a detailed and preloaded metrics dashboard
 
-Once you review the topology of your ExpressRoute setup using the functional dependency view, select **View detailed metrics** to navigated to the detailed metrics view to understand the performance of your circuit. This view offers an organized list of linked resources and a rich dashboard of important ExpressRoute metrics.
+Once you review the topology of your ExpressRoute setup using the functional dependency view, select **View detailed metrics** to navigate to the detailed metrics view to understand the performance of your circuit. This view offers an organized list of linked resources and a rich dashboard of important ExpressRoute metrics.
 
 The **Linked Resources** section lists the connected ExpressRoute gateways and configured peerings, which you can select on to navigate to the corresponding resource page.
 

articles/expressroute/expressroute-troubleshooting-network-performance.md

@@ -109,7 +109,7 @@ There are three basic steps to use this toolkit for Performance testing.
 If the performance test isn't giving you expected results, figuring out why should be a progressive step-by-step process. Given the number of components in the path, a systematic approach provides a faster path to resolution than jumping around. By troubleshooting systematically, you can prevent doing unnecessary testing multiple times.
 
 >[!NOTE]
->The scenario here is a performance issue, not a connectivity issue. To isolate the connectivity problem to Azure network, follow [Verifying ExpressRotue connectivity](expressroute-troubleshooting-expressroute-overview.md) article.
+>The scenario here is a performance issue, not a connectivity issue. To isolate the connectivity problem to Azure network, follow [Verifying ExpressRoute connectivity](expressroute-troubleshooting-expressroute-overview.md) article.
 >
 
 First, challenge your assumptions. Is your expectation reasonable? For instance, if you have a 1-Gbps ExpressRoute circuit and 100 ms of latency. It's not reasonable to expect the full 1 Gbps of traffic given the performance characteristics of TCP over high latency links. See the [References section](#references) for more on performance assumptions.

articles/firewall/idps-signature-categories.md

@@ -21,7 +21,7 @@ Azure Firewall IDPS features over 50 categories that can be assigned to individu
 |ActiveX|This category is for signatures that protect against attacks against Microsoft ActiveX controls and exploits targeting vulnerabilities in ActiveX controls.|
 |Adware-PUP|This category is for signatures to identify software that is used for ad tracking or other types of spyware related activity.|
 |Attack Response|This category is for signatures to identify responses indicative of intrusion—examples include but not limited to LMHost file download, presence of certain web banners and the detection of Metasploit Meterpreter kill command. These signatures are designed to catch the results of a successful attack. Things like *id=root*, or error messages that indicate a compromise may have happened.|
-|Botcc (Bot Command and Control)|This category is for signatures that are autogenerated from several sources of known and confirmed active botnet and other Command andControl (C2) hosts. This category is updated daily. The category’s primary data source is `Shadowserver.org.`|
+|Botcc (Bot Command and Control)|This category is for signatures that are autogenerated from several sources of known and confirmed active botnet and other Command and Control (C2) hosts. This category is updated daily. The category’s primary data source is `Shadowserver.org.`|
 |Botcc Port grouped|This category is for signatures like those in the Botcc category but grouped by destination port. Rules grouped by port can offer higher fidelity than rules not grouped by port.|
 |Chat|This category is for signatures that identify traffic related to many chat clients such as Internet Relay Chat (IRC). Chat traffic can be indicative of possible check-in activity by threat actors.|
 |CIArmy|This category is for signatures that are generated using Collective Intelligence’s IP rules for blocking.|

articles/sentinel/deploy-overview.md

@@ -64,7 +64,7 @@ Depending on which phase you're in, choose the appropriate next steps:
 
 - Plan and prepare - [Prerequisites to deploy Azure Sentinel](prerequisites.md)
 - Deploy - [Enable Microsoft Sentinel and initial features and content](enable-sentinel-features-content.md)
-- Fine tune and review - [Navigate and investigate incidents in Microsoft Sentinel](investigate-incidents.md)[Navigate and investigate incidents in Microsoft Sentinel](investigate-incidents.md)
+- Fine tune and review - [Navigate and investigate incidents in Microsoft Sentinel](investigate-incidents.md)
 
 When you're finished with your deployment of Microsoft Sentinel, continue to explore Microsoft Sentinel capabilities by reviewing tutorials that cover common tasks:  
 
@@ -77,4 +77,4 @@ When you're finished with your deployment of Microsoft Sentinel, continue to exp
 - [Investigate with UEBA](investigate-with-ueba.md)
 - [Build and monitor Zero Trust](sentinel-solution.md)
 
-Review the [Microsoft Sentinel operational guide](ops-guide.md) for the regular SOC activities we recommend that you perform daily, weekly, and monthly.
+Review the [Microsoft Sentinel operational guide](ops-guide.md) for the regular SOC activities we recommend that you perform daily, weekly, and monthly.

articles/stream-analytics/stream-analytics-define-inputs.md

@@ -1,6 +1,6 @@
 ---
 title: Stream data as input into Azure Stream Analytics
-description: Learn about setting up a data connection in Azure Stream Analytics. Inputs include a data stream from events, and also reference data.
+description: Learn about setting up a data connection in Azure Stream Analytics. Inputs include a data stream from events and also reference data.
 author: AliciaLiMicrosoft 
 ms.author: ali 
 ms.service: azure-stream-analytics
@@ -9,7 +9,7 @@ ms.date: 01/25/2024
 ---
 # Stream data as input into Stream Analytics
 
-Stream Analytics has first-class integration with Azure data streams as inputs from three kinds of resources:
+Stream Analytics has first-class integration with Azure data streams as inputs from four kinds of resources:
 
 - [Azure Event Hubs](https://azure.microsoft.com/services/event-hubs/)
 - [Azure IoT Hub](https://azure.microsoft.com/services/iot-hub/) 
@@ -50,7 +50,7 @@ The following table explains each property in the **New input** page in the Azur
 | **Event Hub namespace** | The Event Hubs namespace is a container for event hubs. When you create an event hub, you also create the namespace. |
 | **Event Hub name** | The name of the event hub to use as input. |
 | **Event Hub consumer group** (recommended) | We recommend that you use a distinct consumer group for each Stream Analytics job. This string identifies the consumer group to use to ingest data from the event hub. If no consumer group is specified, the Stream Analytics job uses the `$Default` consumer group. |
-| **Authentication mode** | Specify the type of the authentication you want to use to connect to the event hub. You can use a connection string or a managed identity to authenticate with the event hub. For the managed identity option, you can either create a system-assigned managed identity to the Stream Analytics job or a user-assigned managed identity to authenticate with the event hub. When you use a managed identity, the managed identity must be a member of [Azure Event Hubs Data Receiver or Azure Event Hubs Data Owner roles](../event-hubs/authenticate-application.md#built-in-roles-for-azure-event-hubs). | 
+| **Authentication mode** | Specify the type of the authentication you want to use to connect to the event hub. You can use a connection string or a managed identity to authenticate with the event hub. For the managed identity option, you can either create a system-assigned managed identity for the Stream Analytics job or a user-assigned managed identity to authenticate with the event hub. When you use a managed identity, the managed identity must be a member of [Azure Event Hubs Data Receiver or Azure Event Hubs Data Owner roles](../event-hubs/authenticate-application.md#built-in-roles-for-azure-event-hubs). | 
 | **Event Hub policy name** | The shared access policy that provides access to the Event Hubs. Each shared access policy has a name, permissions that you set, and access keys. This option is automatically populated, unless you select the option to provide the Event Hubs settings manually.|
 | **Partition key** | It's an optional field that is available only if your job is configured to use [compatibility level](./stream-analytics-compatibility-level.md) 1.2 or higher. If your input is partitioned by a property, you can add the name of this property here. It's used for improving the performance of your query if it includes a `PARTITION BY` or `GROUP BY` clause on this property. If this job uses compatibility level 1.2 or higher, this field defaults to `PartitionId.` |
 | **Event serialization format** | The serialization format (JSON, CSV, Avro, Parquet, or [Other (Protobuf, XML, proprietary...)](custom-deserializer.md)) of the incoming data stream. Ensure the JSON format aligns with the specification and doesn’t include leading 0 for decimal numbers. |
@@ -63,7 +63,7 @@ When your data comes from an Event Hubs stream input, you have access to the fol
 | Property | Description |
 | --- | --- |
 | **EventProcessedUtcTime** |The date and time when Stream Analytics processes the event. |
-| **EventEnqueuedUtcTime** |The date and time that when Event Hubs receives the events. |
+| **EventEnqueuedUtcTime** |The date and time when Event Hubs receives the events. |
 | **PartitionId** |The zero-based partition ID for the input adapter. |
 
 For example, using these fields, you can write a query like the following example:

articles/virtual-network/network-security-group-how-it-works.md

@@ -12,7 +12,7 @@ ms.author: allensu
 # How network security groups filter network traffic
 <a name="network-security-groups"></a>
 
-You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains [security rules](./network-security-groups-overview.md#security-rules) that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
+You can use an Azure network security group (NSG) to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains [security rules](./network-security-groups-overview.md#security-rules) that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.
 
 You can deploy resources from several Azure services into an Azure virtual network. For a complete list, see [Services that can be deployed into a virtual network](virtual-network-for-azure-services.md#services-that-can-be-deployed-into-a-virtual-network). You can associate zero, or one, network security group to each virtual network [subnet](virtual-network-manage-subnet.md#change-subnet-settings) and [network interface](virtual-network-network-interface.md#associate-or-dissociate-a-network-security-group) in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.
 
@@ -50,7 +50,7 @@ For outbound traffic, Azure processes the rules in a network security group asso
 
 It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VMs within it. By default, virtual machines in the same subnet can communicate based on a default NSG rule allowing intra-subnet traffic. If you add a rule to *NSG1* that denies all inbound and outbound traffic, *VM1* and *VM2* won't be able to communicate with each other.
 
-You can easily view the aggregate rules applied to a network interface by viewing the [effective security rules](virtual-network-network-interface.md#view-effective-security-rules) for a network interface. You can also use the [IP flow verify](../network-watcher/diagnose-vm-network-traffic-filtering-problem.md?toc=%2fazure%2fvirtual-network%2ftoc.json) capability in Azure Network Watcher to determine whether communication is allowed to or from a network interface. You can use IP flow verify to determine whether a communication is allowed or denied. Additionally, Use IP flow verify to surface the identity of the network security rule responsible for allowing or denying the traffic.
+You can easily view the aggregate rules applied to a network interface by viewing the [effective security rules](virtual-network-network-interface.md#view-effective-security-rules) for a network interface. You can also use the [IP flow verify](../network-watcher/ip-flow-verify-overview.md) capability in Azure Network Watcher to determine whether communication is allowed to or from a network interface. You can use IP flow verify to determine whether a communication is allowed or denied. Additionally, Use IP flow verify to surface the identity of the network security rule responsible for allowing or denying the traffic.
 
 > [!NOTE]
 > Network security groups are associated to subnets or to virtual machines and cloud services deployed in the classic deployment model, and to subnets or network interfaces in the Resource Manager deployment model. To learn more about Azure deployment models, see [Understand Azure deployment models](../azure-resource-manager/management/deployment-models.md?toc=%2fazure%2fvirtual-network%2ftoc.json).

articles/virtual-wan/virtual-wan-faq.md

@@ -46,7 +46,7 @@ No, each Azure Virtual Hub must have their own Firewall. The deployment of custo
 
 ### What client does the Azure Virtual WAN User VPN (point-to-site) support?
 
-Virtual WAN supports [Azure VPN client](https://go.microsoft.com/fwlink/?linkid=2117554), OpenVPN Client, or any IKEv2 client. Microsoft Entra authentication is supported with Azure VPN Client.A minimum of Windows 10 client OS version 17763.0 or higher is required. OpenVPN client(s) can support certificate-based authentication. Once cert-based auth is selected on the gateway, you'll see the.ovpn* file to download to your device. IKEv2 supports both certificate and RADIUS authentication.
+Virtual WAN supports [Azure VPN client](https://go.microsoft.com/fwlink/?linkid=2117554), OpenVPN Client, or any IKEv2 client. Microsoft Entra authentication is supported with Azure VPN Client. A minimum of Windows 10 client OS version 17763.0 or higher is required. OpenVPN client(s) can support certificate-based authentication. Once cert-based auth is selected on the gateway, you'll see the.ovpn* file to download to your device. IKEv2 supports both certificate and RADIUS authentication.
 
 ### For User VPN (point-to-site)- why is the P2S client pool split into two routes?