
Commit e2a62e9

Merge pull request #191831 from MicrosoftDocs/repo_sync_working_branch
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)
2 parents 8503e66 + 79ad750 commit e2a62e9

20 files changed

+134
-49
lines changed

articles/active-directory/develop/active-directory-signing-key-rollover.md

Lines changed: 86 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -286,10 +286,93 @@ Follow the steps below to verify that the key rollover logic is working.
286286
### <a name="other"></a>Web applications / APIs protecting resources using any other libraries or manually implementing any of the supported protocols
287287
If you are using some other library or manually implemented any of the supported protocols, you'll need to review the library or your implementation to ensure that the key is being retrieved from either the OpenID Connect discovery document or the federation metadata document. One way to check for this is to do a search in your code or the library's code for any calls out to either the OpenID discovery document or the federation metadata document.
288288

289-
If they key is being stored somewhere or hardcoded in your application, you can manually retrieve the key and update it accordingly by performing a manual rollover as per the instructions at the end of this guidance document. **It is strongly encouraged that you enhance your application to support automatic rollover** using any of the approaches outline in this article to avoid future disruptions and overhead if the Microsoft identity platform increases its rollover cadence or has an emergency out-of-band rollover.
289+
If the key is being stored somewhere or hardcoded in your application, you can manually retrieve the key and update it accordingly by performing a manual rollover as per the instructions at the end of this guidance document. **It is strongly encouraged that you enhance your application to support automatic rollover** using any of the approaches outline in this article to avoid future disruptions and overhead if the Microsoft identity platform increases its rollover cadence or has an emergency out-of-band rollover.
290290

291291
## How to test your application to determine if it will be affected
292-
You can validate whether your application supports automatic key rollover by downloading the scripts and following the instructions in [this GitHub repository.](https://github.com/AzureAD/azure-activedirectory-powershell-tokenkey)
292+
293+
You can validate whether your application supports automatic key rollover by using the following PowerShell scripts.
294+
295+
To check and update signing keys with PowerShell, you'll need the [MSIdentityTools](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell Module.
296+
297+
1. Install the [MSIdentityTools](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell Module:
298+
299+
```powershell
300+
Install-Module -Name MSIdentityTools
301+
```
302+
303+
1. Sign in by using the Connect-MgGraph command with an admin account to consent to the required scopes:
304+
305+
```powershell
306+
Connect-MgGraph -Scope "Application.ReadWrite.All"
307+
```
308+
309+
1. Get the list of available signing key thumbprints:
310+
311+
```powershell
312+
Get-MsIdSigningKeyThumbprint
313+
```
314+
315+
1. Pick any of the key thumbprints and configure Azure Active Directory to use that key with your application (get the app ID from the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps)):
316+
317+
```powershell
318+
Update-MsIdApplicationSigningKeyThumbprint -ApplicationId <ApplicationId> -KeyThumbprint <Thumbprint>
319+
```
320+
321+
1. Test the web application by signing in to get a new token. The key update change is instantaneous, but make sure you use a new browser session (using, for example, Internet Explorer's "InPrivate," Chrome's "Incognito," or Firefox's "Private" mode) to ensure you are issued a new token.
322+
323+
1. For each of the returned signing key thumbprints, run the `Update-MsIdApplicationSigningKeyThumbprint` cmdlet and test your web application sign-in process.
324+
325+
1. If the web application signs you in properly, it supports automatic rollover. If it doesn't, modify your application to support manual rollover. Check out [Establishing a manual rollover process](#how-to-perform-a-manual-rollover-if-your-application-does-not-support-automatic-rollover) for more information.
326+
327+
1. Run the following script to revert to normal behavior:
328+
329+
```powershell
330+
Update-MsIdApplicationSigningKeyThumbprint -ApplicationId <ApplicationId> -Default
331+
```
293332
294333
## How to perform a manual rollover if your application does not support automatic rollover
295-
If your application does **not** support automatic rollover, you will need to establish a process that periodically monitors Microsoft identity platform's signing keys and performs a manual rollover accordingly. [This GitHub repository](https://github.com/AzureAD/azure-activedirectory-powershell-tokenkey) contains scripts and instructions on how to do this.
334+
If your application doesn't support automatic rollover, you need to establish a process that periodically monitors Microsoft identity platform's signing keys and performs a manual rollover accordingly.
335+
336+
To check and update signing keys with PowerShell, you'll need the [MSIdentityTools](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell Module.
337+
338+
1. Install the [MSIdentityTools](https://www.powershellgallery.com/packages/MSIdentityTools) PowerShell Module:
339+
340+
```powershell
341+
Install-Module -Name MSIdentityTools
342+
```
343+
344+
1. Get the latest signing key (get the tenant ID from the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)):
345+
346+
```powershell
347+
Get-MsIdSigningKeyThumbprint -Tenant <tenandId> -Latest
348+
```
349+
350+
1. Compare this key against the key your application is currently hardcoded or configured to use.
351+
352+
1. If the latest key is different from the key your application is using, download the latest signing key:
353+
354+
```powershell
355+
Get-MsIdSigningKeyThumbprint -Latest -DownloadPath <DownloadFolderPath>
356+
```
357+
358+
1. Update your application's code or configuration to use the new key.
359+
360+
1. Configure Azure Active Directory to use that latest key with your application (get the app ID from the [portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps)):
361+
362+
```powershell
363+
Get-MsIdSigningKeyThumbprint -Latest | Update-MsIdApplicationSigningKeyThumbprint -ApplicationId <ApplicationId>
364+
```
365+
366+
1. Test the web application by signing in to get a new token. The key update change is instantaneous, but make sure you use a new browser session (using, for example, Internet Explorer's "InPrivate," Chrome's "Incognito," or Firefox's "Private" mode) to ensure you are issued a new token.
367+
368+
1. If you experience any issues, revert to the previous key you were using and contact Azure support:
369+
370+
```powershell
371+
Update-MsIdApplicationSigningKeyThumbprint -ApplicationId <ApplicationId> -KeyThumbprint <PreviousKeyThumbprint>
372+
```
373+
374+
1. After you update your application to support manual rollover, revert to normal behavior:
375+
376+
```powershell
377+
Update-MsIdApplicationSigningKeyThumbprint -ApplicationId <ApplicationId> -Default
378+
```
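Review bot: the manual-rollover procedure in this hunk never signs in to Microsoft Graph, yet its step 6 and the revert steps call `Update-MsIdApplicationSigningKeyThumbprint`, the same cmdlet that the test procedure above only runs after `Connect-MgGraph` with `Application.ReadWrite.All` consent; add the same sign-in step to the second procedure or the app-registration update will fail without an authenticated session. Three smaller points in the same hunk: `Get-MsIdSigningKeyThumbprint -Tenant <tenandId> -Latest` has a typo in the placeholder and should read `<tenantId>`; `Connect-MgGraph -Scope "Application.ReadWrite.All"` only works through PowerShell's parameter-prefix matching, the documented parameter is `-Scopes`, so use the full name; and the retained sentence "using any of the approaches outline in this article" still needs "outlined". It would also help readers to say that pinning an app to one thumbprint during the test disables automatic rollover for that app until the final `-Default` step runs, so the test should not be left half-finished on a production registration.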

articles/active-directory/governance/entitlement-management-catalog-create.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -80,6 +80,8 @@ To include resources in an access package, the resources must exist in a catalog
8080
* Groups can be cloud-created Microsoft 365 Groups or cloud-created Azure AD security groups. Groups that originate in an on-premises Active Directory can't be assigned as resources because their owner or member attributes can't be changed in Azure AD. Groups that originate in Exchange Online as Distribution groups can't be modified in Azure AD either.
8181
* Applications can be Azure AD enterprise applications, which include both software as a service (SaaS) applications and your own applications integrated with Azure AD. For more information on how to select appropriate resources for applications with multiple roles, see [Add resource roles](entitlement-management-access-package-resources.md#add-resource-roles).
8282
* Sites can be SharePoint Online sites or SharePoint Online site collections.
83+
> [!NOTE]
84+
> Search SharePoint Site by site name or an exact URL as the search box is case sensitive.
8385
8486
**Prerequisite roles:** See [Required roles to add resources to a catalog](entitlement-management-delegate.md#required-roles-to-add-resources-to-a-catalog).
8587
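Review bot: the added note is ambiguous: "Search SharePoint Site by site name or an exact URL as the search box is case sensitive" does not say which of the two inputs is case-sensitive. Suggest: "When you search for a SharePoint site, enter the site name or the exact site URL; the search box is case-sensitive." Also put a blank line between the bullet and the `> [!NOTE]` block, otherwise some Markdown renderers treat the note as a continuation of the list item.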

@@ -265,4 +267,4 @@ You can also delete a catalog by using Microsoft Graph. A user in an appropriate
265267

266268
## Next steps
267269

268-
[Delegate access governance to access package managers](entitlement-management-delegate-managers.md)
270+
[Delegate access governance to access package managers](entitlement-management-delegate-managers.md)

articles/aks/openfaas.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -243,7 +243,7 @@ You can also test the function within the OpenFaaS UI.
243243

244244
## Next Steps
245245

246-
You can continue to learn with the OpenFaaS workshop through a set of hands-on labs that cover topics such as how to create your own GitHub bot, consuming secrets, viewing metrics, and auto-scaling.
246+
You can continue to learn with the [OpenFaaS workshop](https://github.com/openfaas/workshop) through a set of hands-on labs that cover topics such as how to create your own GitHub bot, consuming secrets, viewing metrics, and auto-scaling.
247247

248248
<!-- LINKS - external -->
249249
[install-mongo]: https://docs.mongodb.com/manual/installation/

articles/app-service/reference-app-settings.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,7 @@ The following environment variables are related to the app environment in genera
3333
| `WEBSITE_PRIVATE_EXTENSIONS` | Set to `0` to disable the use of private site extensions. ||
3434
| `WEBSITE_TIME_ZONE` | By default, the time zone for the app is always UTC. You can change it to any of the valid values that are listed in [TimeZone](/previous-versions/windows/it-pro/windows-vista/cc749073(v=ws.10)). If the specified value isn't recognized, UTC is used. | `Atlantic Standard Time` |
3535
| `WEBSITE_ADD_SITENAME_BINDINGS_IN_APPHOST_CONFIG` | In the case of a storage volume failover or reconfiguration, your app is switched over to a standby storage volume. The default setting of `1` prevents your worker process from recycling when the storage infrastructure changes. If you are running a Windows Communication Foundation (WCF) app, disable it by setting it to `0`. The setting is slot-specific, so you should set it in all slots. ||
36-
| `WEBSITE_PROACTIVE_AUTOHEAL_ENABLED` | By default, a VM instance is proactively "autohealed" when it's using more than 90% of allocated memory for more than 30 seconds, or when 80% of the total requests in the last two minutes take longer than 200 seconds. If a VN instance has triggered one of these rules, the recovery process is an overlapping restart of the instance. Set to `false` to disable this recovery behavior. The default is `true`. For more information, see [Proactive Auto Heal](https://azure.github.io/AppService/2017/08/17/Introducing-Proactive-Auto-Heal.html). ||
36+
| `WEBSITE_PROACTIVE_AUTOHEAL_ENABLED` | By default, a VM instance is proactively "autohealed" when it's using more than 90% of allocated memory for more than 30 seconds, or when 80% of the total requests in the last two minutes take longer than 200 seconds. If a VM instance has triggered one of these rules, the recovery process is an overlapping restart of the instance. Set to `false` to disable this recovery behavior. The default is `true`. For more information, see [Proactive Auto Heal](https://azure.github.io/AppService/2017/08/17/Introducing-Proactive-Auto-Heal.html). ||
3737
| `WEBSITE_PROACTIVE_CRASHMONITORING_ENABLED` | Whenever the w3wp.exe process on a VM instance of your app crashes due to an unhandled exception for more than three times in 24 hours, a debugger process is attached to the main worker process on that instance, and collects a memory dump when the worker process crashes again. This memory dump is then analyzed and the call stack of the thread that caused the crash is logged in your App Service’s logs. Set to `false` to disable this automatic monitoring behavior. The default is `true`. For more information, see [Proactive Crash Monitoring](https://azure.github.io/AppService/2021/03/01/Proactive-Crash-Monitoring-in-Azure-App-Service.html). ||
3838
| `WEBSITE_DAAS_STORAGE_SASURI` | During crash monitoring (proactive or manual), the memory dumps are deleted by default. To save the memory dumps to a storage blob container, specify the SAS URI. ||
3939
| `WEBSITE_CRASHMONITORING_ENABLED` | Set to `true` to enable [crash monitoring](https://azure.github.io/AppService/2020/08/11/Crash-Monitoring-Feature-in-Azure-App-Service.html) manually. You must also set `WEBSITE_DAAS_STORAGE_SASURI` and `WEBSITE_CRASHMONITORING_SETTINGS`. The default is `false`. This setting has no effect if remote debugging is enabled. Also, if this setting is set to `true`, [proactive crash monitoring](https://azure.github.io/AppService/2020/08/11/Crash-Monitoring-Feature-in-Azure-App-Service.html) is disabled. ||

articles/azure-app-configuration/rest-api-authentication-hmac.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -428,7 +428,7 @@ def sign_request(host,
428428
secret): # Access Key Value
429429
verb = method.upper()
430430

431-
utc_now = str(datetime.utcnow().strftime("%b, %d %Y %H:%M:%S ")) + "GMT"
431+
utc_now = str(datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S ")) + "GMT"
432432

433433
if six.PY2:
434434
content_digest = hashlib.sha256(bytes(body)).digest()
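Review bot: the corrected format string `"%a, %d %b %Y %H:%M:%S "` now matches the RFC 1123 `Date` header that the HMAC scheme signs, but `%a` and `%b` are locale-dependent in `strftime`, so under a non-English locale the signed header no longer matches what the service expects and the signature check fails. `email.utils.formatdate(usegmt=True)` produces the same format independent of locale and would be a safer replacement; if `strftime` stays, state the English-locale assumption next to the sample. `datetime.utcnow()` is also deprecated since Python 3.12 in favour of `datetime.now(timezone.utc)`, which matters for a sample that readers copy into new code.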

articles/cognitive-services/Translator/containers/translator-how-to-install-container.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -97,13 +97,13 @@ Application for Gated Services**](https://aka.ms/csgate-translator) to request a
9797
Use the [docker run](https://docs.docker.com/engine/reference/commandline/run/) command to download a container image from Microsoft Container registry and run it.
9898

9999
```Docker
100-
docker run --rm -it -p 5000:80 --memory 12g --cpus 4 \
100+
docker run --rm -it -p 5000:5000 --memory 12g --cpus 4 \
101101
-v /mnt/d/TranslatorContainer:/usr/local/models \
102102
-e apikey={API_KEY} \
103103
-e eula=accept \
104104
-e billing={ENDPOINT_URI} \
105105
-e Languages=en,fr,es,ar,ru \
106-
mcr.microsoft.com/azure-cognitive-services/translator/text-translation
106+
mcr.microsoft.com/azure-cognitive-services/translator/text-translation:1.0.018950002-amd64-preview
107107
```
108108

109109
The above command:
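Review bot: the port mapping changed from `-p 5000:80` to `-p 5000:5000`, so the bullets under "The above command:" that explain the mapping, and anything else in the article that still refers to container port 80, need the same update. Pinning the image to `1.0.018950002-amd64-preview` instead of an implicit `latest` is the right call for reproducibility; pinning by digest (`@sha256:...`) would additionally make the pull immutable, if the registry publishes one. Separately, `-e apikey={API_KEY}` places the key on the command line where it ends up in shell history and `ps` output; an `--env-file` would be a better pattern for the sample.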

articles/cognitive-services/containers/container-image-tags.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2963,13 +2963,13 @@ Release notes for `3.0.015490002-onprem-amd64`:
29632963

29642964
## Translator
29652965

2966-
The [Translator][tr-containers] container image can be found on the `mcr.microsoft.com` container registry syndicate. It resides within the `azure-cognitive-services/translator` repository and is named `text-translation`. The fully qualified container image name is `mcr.microsoft.com/azure-cognitive-services/translator/text-translation`.
2966+
The [Translator][tr-containers] container image can be found on the `mcr.microsoft.com` container registry syndicate. It resides within the `azure-cognitive-services/translator` repository and is named `text-translation`. The fully qualified container image name is `mcr.microsoft.com/azure-cognitive-services/translator/text-translation:1.0.018950002-amd64-preview`.
29672967

29682968
This container image has the following tags available.
29692969

29702970
| Image Tags | Notes |
29712971
|-------------------------------|:------|
2972-
| `latest` | |
2972+
| `1.0.018950002-amd64-preview` | |
29732973

29742974

29752975
[ad-containers]: ../anomaly-Detector/anomaly-detector-container-howto.md
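Review bot: "The fully qualified container image name is `...:1.0.018950002-amd64-preview`" now folds the tag into the image name, while the tag table immediately below lists the same value; keep the sentence as the untagged name and let the table carry the tags, or the two will drift apart at the next release. The `Notes` cell for the new tag is empty; saying what changed from the earlier `latest` row (for example that `latest` is no longer published, if that is the case) tells readers why to move. Cross-check that the `docker run` sample in translator-how-to-install-container.md, also changed in this commit, pins the same tag.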

articles/cosmos-db/graph/gremlin-headers.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -66,7 +66,7 @@ using (GremlinClient client = new GremlinClient(server, new GraphSON2Reader(), n
6666
}
6767
```
6868

69-
An example that demonstrates how to read status attribute from Gremlin java client:
69+
An example that demonstrates how to read status attribute from Gremlin Java client:
7070

7171
```java
7272
try {

articles/data-factory/store-credentials-in-key-vault.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ ms.date: 01/21/2022
99
ms.author: abnarain
1010
---
1111

12-
# Store credential in Azure Key Vault
12+
# Store credentials in Azure Key Vault
1313

1414
[!INCLUDE[appliesto-adf-asa-md](includes/appliesto-adf-asa-md.md)]
1515

articles/data-factory/transform-data-using-spark.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -82,15 +82,15 @@ The following table describes the JSON properties used in the JSON definition:
8282
| getDebugInfo | Specifies when the Spark log files are copied to the Azure storage used by HDInsight cluster (or) specified by sparkJobLinkedService. Allowed values: None, Always, or Failure. Default value: None. | No |
8383

8484
## Folder structure
85-
Spark jobs are more extensible than Pig/Hive jobs. For Spark jobs, you can provide multiple dependencies such as jar packages (placed in the java CLASSPATH), Python files (placed on the PYTHONPATH), and any other files.
85+
Spark jobs are more extensible than Pig/Hive jobs. For Spark jobs, you can provide multiple dependencies such as jar packages (placed in the Java CLASSPATH), Python files (placed on the PYTHONPATH), and any other files.
8686

8787
Create the following folder structure in the Azure Blob storage referenced by the HDInsight linked service. Then, upload dependent files to the appropriate sub folders in the root folder represented by **entryFilePath**. For example, upload Python files to the pyFiles subfolder and jar files to the jars subfolder of the root folder. At runtime, the service expects the following folder structure in the Azure Blob storage:
8888

8989
| Path | Description | Required | Type |
9090
| --------------------- | ---------------------------------------- | -------- | ------ |
9191
| `.` (root) | The root path of the Spark job in the storage linked service | Yes | Folder |
9292
| &lt;user defined &gt; | The path pointing to the entry file of the Spark job | Yes | File |
93-
| ./jars | All files under this folder are uploaded and placed on the java classpath of the cluster | No | Folder |
93+
| ./jars | All files under this folder are uploaded and placed on the Java classpath of the cluster | No | Folder |
9494
| ./pyFiles | All files under this folder are uploaded and placed on the PYTHONPATH of the cluster | No | Folder |
9595
| ./files | All files under this folder are uploaded and placed on executor working directory | No | Folder |
9696
| ./archives | All files under this folder are uncompressed | No | Folder |
