
Commit e339355

Merge pull request #281419 from MicrosoftDocs/main
Publish to live, Monday 4 AM PST, 7/22
2 parents 4153e5e + 3bd7190 commit e339355

32 files changed

+327
-179
lines changed

articles/ai-studio/how-to/prompt-flow-tools/prompt-flow-tools-overview.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -20,15 +20,15 @@ author: lgayhardt
2020
The following table provides an index of tools in prompt flow.
2121

2222
| Tool name | Description | Package name |
23-
|------|-----------|-------------|--------------|
23+
|------|-----------|-------------|
2424
| [LLM](./llm-tool.md) | Use large language models (LLM) with the Azure OpenAI Service for tasks such as text completion or chat. | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |
2525
| [Prompt](./prompt-tool.md) | Craft a prompt by using Jinja as the templating language. | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |
2626
| [Python](./python-tool.md) | Run Python code. | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |
2727
| [Azure OpenAI GPT-4 Turbo with Vision](./azure-open-ai-gpt-4v-tool.md) | Use an Azure OpenAI GPT-4 Turbo with Vision model deployment to analyze images and provide textual responses to questions about them. | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |
2828
| [Content Safety (Text)](./content-safety-tool.md) | Use Azure AI Content Safety to detect harmful content. | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |
2929
| [Embedding](./embedding-tool.md) | Use Azure OpenAI embedding models to create an embedding vector that represents the input text. | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |
3030
| [Serp API](./serp-api-tool.md) | Use Serp API to obtain search results from a specific search engine. | [promptflow-tools](https://pypi.org/project/promptflow-tools/) |
31-
| [Index Lookup](./index-lookup-tool.md) | Search a vector-based query for relevant results using one or more text queries. | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) |
31+
| [Index Lookup](./index-lookup-tool.md)<sup>1</sup> | Search a vector-based query for relevant results using one or more text queries. | [promptflow-vectordb](https://pypi.org/project/promptflow-vectordb/) |
3232

3333
<sup>1</sup> The Index Lookup tool replaces the three deprecated legacy index tools: Vector Index Lookup, Vector DB Lookup, and Faiss Index Lookup. If you have a flow that contains one of those tools, follow the [migration steps](./index-lookup-tool.md#migrate-from-legacy-tools-to-the-index-lookup-tool) to upgrade your flow.
3434
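Review bot: In the Index Lookup row (new line 31) the description still reads "Search a vector-based query for relevant results using one or more text queries", which does not parse; since the row is being edited anyway, reword it, for example "Search a vector index for relevant results using one or more text queries". The separator change on line 23 correctly brings the divider down to the three columns the header declares.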

articles/azure-monitor/agents/data-collection-log-text.md

Lines changed: 2 additions & 3 deletions
@@ -62,9 +62,8 @@ The incoming stream of data includes the columns in the following table.
6262
## Custom table
6363
Before you can collect log data from a text file, you must create a custom table in your Log Analytics workspace to receive the data. The table schema must match the data you are collecting, or you must add a transformation to ensure that the output schema matches the table.
6464

65-
>
66-
> Warning: You shouldn’t use an existing custom log table used by MMA agents. Your MMA agents won't be able to write to the table once the first AMA agent writes to the table. You should create a new table for AMA to use to prevent MMA data loss.
67-
>
65+
> [!Warning]
66+
> You shouldn’t use an existing custom log table used by MMA agents. Your MMA agents won't be able to write to the table once the first AMA agent writes to the table. You should create a new table for AMA to use to prevent MMA data loss.
6867
6968

7069
For example, you can use the following PowerShell script to create a custom table with `RawData` and `FilePath`. You wouldn't need a transformation for this table because the schema matches the default schema of the incoming stream.
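Review bot: The alert marker on new line 65 is written `> [!Warning]`, while the other alerts visible in this commit are uppercase (`> [!NOTE]`, `> [!WARNING]`); use `> [!WARNING]` so the casing is consistent across the docs set. On line 66 the text mixes a curly apostrophe ("shouldn’t") with straight ones ("won't"); normalize to the straight form while the line is being rewritten.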

articles/azure-monitor/essentials/activity-log.md

Lines changed: 0 additions & 2 deletions
@@ -155,8 +155,6 @@ You can also access activity log events by using the following methods:
155155
- Use the [Get-AzLog](/powershell/module/az.monitor/get-azlog) cmdlet to retrieve the activity log from PowerShell. See [Azure Monitor PowerShell samples](../powershell-samples.md#retrieve-activity-log).
156156
- Use [az monitor activity-log](/cli/azure/monitor/activity-log) to retrieve the activity log from the CLI. See [Azure Monitor CLI samples](../cli-samples.md#view-activity-log).
157157
- Use the [Azure Monitor REST API](/rest/api/monitor/) to retrieve the activity log from a REST client.
158-
-
159-
-
160158
## Legacy collection methods
161159

162160
> [!NOTE]
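Review bot: With the two stray `-` lines (old 158-159) removed, the REST API list item on line 157 is now followed directly by `## Legacy collection methods` on line 158, with no empty line between them. Keep one blank line before the heading so the list and the section heading stay clearly separated in the source.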

articles/business-continuity-center/tutorial-view-protectable-resources.md

Lines changed: 2 additions & 2 deletions
@@ -2,7 +2,7 @@
22
title: Tutorial - View protectable resources
33
description: In this tutorial, learn how to view your resources that are currently not protected by any solution using Azure Business Continuity center.
44
ms.topic: tutorial
5-
ms.date: 03/29/2024
5+
ms.date: 07/22/2024
66
ms.service: azure-business-continuity-center
77
ms.custom:
88
- ignite-2023
@@ -18,7 +18,7 @@ This tutorial shows you how to view your resources that are currently not protec
1818

1919
Before you start this tutorial:
2020

21-
- Review supported regions for ABC Center.
21+
- Review [supported regions for ABC Center](business-continuity-center-support-matrix.md#supported-regions).
2222
- Ensure you have the required resource permissions to view them in the ABC center.
2323

2424
## View protectable resources
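Review bot: The product name is capitalized three different ways in the lines around the new link: "ABC Center" in the link text on line 21, "ABC center" on line 22, and "Azure Business Continuity center" in the description. Pick one form and apply it to both prerequisite bullets, since line 21 is being edited here anyway.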

articles/defender-for-cloud/faq-vulnerability-assessments.yml

Lines changed: 12 additions & 5 deletions
@@ -5,7 +5,6 @@ metadata:
55
services: defender-for-cloud
66
ms.author: dacurwin
77
author: dcurwin
8-
manager: raynew
98
ms.topic: faq
109
ms.date: 06/20/2023
1110
title: Common questions about vulnerability assessment
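Review bot: The metadata block keeps `ms.date: 06/20/2023` even though this commit adds a new question and moves another in the same file, while two other files in this commit bump `ms.date` to 07/22/2024 for smaller edits. Update the date here as well so the freshness metadata reflects the new FAQ content.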
@@ -14,6 +13,18 @@ summary: |
1413
sections:
1514
- name: Ignored
1615
questions:
16+
17+
- question: |
18+
What is the Auto-Provisioning feature for BYOL, and can it work on multiple solutions?
19+
answer: |
20+
The Defender for Cloud BYOL integration allows only one solution to have auto-provisioning enabled per subscription. This feature scans all unhealthy machines in the subscription (those without any VA solution installed) and automatically remediates them by installing the selected VA solution. Auto-provisioning will use the single selected BYOL solution for remediation. If no solution is selected or if multiple solutions have auto-provisioning enabled, the system will not perform auto-remediation, as it can't implicitly decide which solution to prioritize.
21+
22+
- question: |
23+
Why do I have to specify a resource group when configuring a Bring Your Own License (BYOL) solution?
24+
answer: |
25+
When you set up your solution, you must choose a resource group to attach it to. The solution isn't an Azure resource, so it won't be included in the list of the resource group’s resources. Nevertheless, it's attached to that resource group. If you later delete the resource group, the BYOL solution is unavailable.
26+
27+
1728
- question: |
1829
Are there any additional charges for the Qualys license?
1930
answer: |
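Review bot: The new auto-provisioning answer (line 20) contradicts itself: it opens by saying the integration "allows only one solution to have auto-provisioning enabled per subscription", then closes with the case where "multiple solutions have auto-provisioning enabled". State whether the limit is enforced or is only a requirement for auto-remediation to run, and word both sentences to match. Also expand "VA" on first use, align "Auto-Provisioning" in the question with "auto-provisioning" in the answer, and collapse the doubled blank lines at 26-27.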
@@ -99,7 +110,3 @@ sections:
99110
There are multiple Qualys platforms across various geographic locations. The SOC CIDR and URLs differ depending on the host platform of your Qualys subscription. [Identify your Qualys host platform](https://www.qualys.com/platform-identification/).
100111
101112
102-
- question: |
103-
Why do I have to specify a resource group when configuring a Bring Your Own License (BYOL) solution?
104-
answer: |
105-
When you set up your solution, you must choose a resource group to attach it to. The solution isn't an Azure resource, so it won't be included in the list of the resource group’s resources. Nevertheless, it's attached to that resource group. If you later delete the resource group, the BYOL solution is unavailable.

articles/defender-for-cloud/recommendations-reference-ai.md

Lines changed: 11 additions & 1 deletion
@@ -33,10 +33,20 @@ This recommendation replaces the old recommendation *Cognitive Services accounts
3333

3434
**Description**: By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service resource.
3535

36-
This recommendation replaces the old recommendation *Cognitive Services accounts should restrict network access*. It was formerly in category Cognitive Services and Cognitive Search, and was updated to comply with the Azure AI Services naming format and align with the relevant resources.
36+
This recommendation replaces the old recommendation *Cognitive Services accounts should restrict network access*. It was formerly in category Cognitive Services and Cognitive Search, and was updated to comply with the Azure AI Services naming format and align with the relevant resources.
3737
**Severity**: Medium
3838

3939

40+
### [(Enable if required) Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/18bf29b3-a844-e170-2826-4e95d0ba4dc9/showSecurityCenterCommandBar~/false)
41+
42+
**Description**: Using customer-managed keys to encrypt data at rest provides more control over the key lifecycle, including rotation and management. This is particularly relevant for organizations with related compliance requirements.
43+
44+
This is not assessed by default and should only be applied when required by compliance or restrictive policy requirements. If not enabled, the data will be encrypted using platform-managed keys. To implement this, update the 'Effect' parameter in the Security Policy for the applicable scope. (Related policy: [Azure AI Services resources should encrypt data at rest with a customer-managed key (CMK)](/azure/ai-services/openai/how-to/use-your-data-securely))
45+
46+
This recommendation replaces the old recommendation *Cognitive services accounts should enable data encryption using customer keys*. It was formerly in category Data recommendations, and was updated to comply with the Azure AI Services naming format and align with the relevant resources.
47+
48+
**Severity**: Low
49+
4050
### Resource logs in Azure Machine Learning Workspaces should be enabled (Preview)
4151

4252
**Description & related policy**: Resource logs enable recreating activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.
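Review bot: The heading link added on line 40 points at `ms.portal.azure.com`, whereas the other recommendation headings visible in this commit use `https://portal.azure.com/#blade/...`; use the same public host so the link resolves for all readers. On line 44, the "(Related policy: ...)" link targets a how-to article (`/azure/ai-services/openai/how-to/use-your-data-securely`) rather than a policy definition, unlike the entry it replaces, which linked to a `policyDefinitions` ID; link the actual policy or relabel the link.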

articles/defender-for-cloud/recommendations-reference-data.md

Lines changed: 0 additions & 9 deletions
@@ -82,15 +82,6 @@ Manage encryption at rest of your Azure Machine Learning workspace data with cus
8282
**Severity**: Medium
8383

8484

85-
### [(Enable if required) Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/18bf29b3-a844-e170-2826-4e95d0ba4dc9)
86-
87-
**Description**: Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
88-
To enable this recommendation, navigate to your Security Policy for the applicable scope, and update the *Effect* parameter for the corresponding policy to audit or enforce the use of customer-managed keys. Learn more in [Manage security policies](tutorial-security-policy.md).
89-
Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at <https://aka.ms/cosmosdb-cmk>.
90-
(Related policy: [Cognitive Services accounts should enable data encryption with a customer-managed key?(CMK)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f67121cc7-ff39-4ab8-b7e3-95b84dab487d))
91-
92-
**Severity**: Low
93-
9485
### [(Enable if required) MySQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/6b51b7f7-cbed-75bf-8a02-43384bf47562)
9586

9687
**Description**: Recommendations to use customer-managed keys for encryption of data at rest are not assessed by default, but are available to enable for applicable scenarios. Data is encrypted automatically using platform-managed keys, so the use of customer-managed keys should only be applied when obligated by compliance or restrictive policy requirements.
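Review bot: The heading removed on line 85 is named "Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)", but the replacement entry in recommendations-reference-ai.md says it replaces "Cognitive services accounts should enable data encryption using customer keys"; make the quoted old name match what was actually published here so readers can search for it. The removed text on line 88 also told readers how to enable the recommendation and linked to `tutorial-security-policy.md`; the replacement only says to update the 'Effect' parameter, so consider carrying that link over.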

articles/defender-for-cloud/release-notes-recommendations-alerts.md

Lines changed: 1 addition & 1 deletion
@@ -48,7 +48,7 @@ New and updated recommendations and alerts are added to the table in date order.
4848
| ----------- | ------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |
4949
| June 28 | Recommendation | GA | [Azure DevOps repositories should require minimum two-reviewer approval for code pushes](recommendations-reference-devops.md#preview-azure-devops-repositories-should-require-minimum-two-reviewer-approval-for-code-pushes) |
5050
| June 28 | Recommendation | GA | [Azure DevOps repositories should not allow requestors to approve their own Pull Requests](recommendations-reference-devops.md#preview-azure-devops-repositories-should-not-allow-requestors-to-approve-their-own-pull-requests) |
51-
| June 28 | Recommendation | GA | [GitHub organizations should not make action secrets accessible to all repositories](recommendations-reference-devops.md#github-organizations-should-not-make-action-secrets-accessible-to-all repositories) |
51+
| June 28 | Recommendation | GA | [GitHub organizations should not make action secrets accessible to all repositories](recommendations-reference-devops.md#github-organizations-should-not-make-action-secrets-accessible-to-all-repositories) |
5252
| June 27 | Alert | Deprecation | `Security incident detected suspicious source IP activity`<br><br/> Severity: Medium/High |
5353
| June 27 | Alert | Deprecation | `Security incident detected on multiple resources`<br><br/> Severity: Medium/High |
5454
| June 27 | Alert | Deprecation | `Security incident detected compromised machine`<br><br/> Severity: Medium/High |
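Review bot: The anchor fix on line 51 (replacing the space with a hyphen in `...accessible-to-all-repositories`) is correct, but the two rows directly above (lines 49 and 50) are marked GA while their anchors still begin with `#preview-azure-devops-repositories-...`. Confirm the target headings in recommendations-reference-devops.md still carry the "preview" prefix; if it was dropped at GA, those two links are broken in the same way this one was.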

articles/defender-for-cloud/secrets-scanning.md

Lines changed: 14 additions & 0 deletions
@@ -23,6 +23,20 @@ Defender for Cloud provides secrets scanning for virtual machines, and for cloud
2323
- **Cloud deployments**: Agentless secrets scanning across multicloud infrastructure-as-code deployment resources.
2424
- **Azure DevOps**: [Scanning to discover exposed secrets in Azure DevOps](defender-for-devops-introduction.md).
2525

26+
## Prerequisites
27+
28+
Required roles and permissions:
29+
30+
- Security Reader
31+
32+
- Security Admin
33+
34+
- Reader
35+
36+
- Contributor
37+
38+
- Owner
39+
2640
## Deploying secrets scanning
2741

2842
Secrets scanning is provided as a feature in Defender for Cloud plans:
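Review bot: The new Prerequisites section (lines 26-38) lists five roles under "Required roles and permissions" without saying whether any one of them is sufficient or at what scope it must be assigned. As written it can be read as requiring Owner; state the least-privileged role that works and the scope, and describe the broader roles as also sufficient rather than required. The blank lines between the bullets (31, 33, 35, 37) can also be dropped so the list stays tight.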

articles/hdinsight/benefits-of-migrating-to-hdinsight-40.md

Lines changed: 6 additions & 6 deletions
@@ -3,7 +3,7 @@ title: Benefits of migrating to Azure HDInsight 4.0.
33
description: Learn the benefits of migrating to Azure HDInsight 4.0.
44
ms.service: hdinsight
55
ms.topic: conceptual
6-
ms.date: 10/16/2023
6+
ms.date: 07/22/2024
77
---
88
# Significant version changes in HDInsight 4.0 and advantages
99

@@ -27,7 +27,7 @@ HDInsight 4.0 has several advantages over HDInsight 3.6. Here's an overview of w
2727
**Hive**
2828
- Advanced features
2929
- LLAP workload management
30-
- LLAP Support JDBC, Druid and Kafka connectors
30+
- LLAP Support JDBC, Druid, and Kafka connectors
3131
- Better SQL features – Constraints and default values
3232
- Surrogate Keys
3333
- Information schema.
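Review bot: On line 30 the added serial comma is fine, but the bullet still reads "LLAP Support JDBC, Druid, and Kafka connectors", which is ungrammatical next to the sibling bullet "LLAP workload management". Reword it to something like "LLAP support for JDBC, Druid, and Kafka connectors".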
@@ -95,14 +95,14 @@ Set synchronization of partitions to occur every 10 minutes expressed in seconds
9595

9696

9797
> [!WARNING]
98-
> With the `management.task` running every 10 minutes, there will be pressure on the SQL server DTU.
99-
>
98+
> With the `management.task` running every 10 minutes, there will be pressure on the SQL server DTU. This feature also adds cost to Storage access as the partition management threads runs at regular intervals even when cluster is idle.
99+
100100
You can verify the output from Microsoft Azure portal.
101101

102102
:::image type="content" source="./media/hdinsight-migrate-to-40/hive-verify-output.png" alt-text="Screenshot showing compute utilization graph.":::
103103

104104
Hive drops the metadata and corresponding data in any partition created after the retention period. You express the retention time using a numeral and the following character or characters.
105-
Hive drops the metadata and corresponding data in any partition created after the retention period. You express the retention time using a numeral and the following character(s).
105+
Hive drops the metadata and corresponding data in any partition created after the retention period. You express the retention time using a numeral and the following characters.
106106

107107
```
108108
ms (milliseconds)
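Review bot: Line 104 (unchanged) and the edited line 105 are now the same sentence twice, differing only in "character or characters" versus "characters"; delete one of them instead of rewording the duplicate. In the warning on line 98, the added sentence has agreement errors ("threads runs", "when cluster is idle"); it should read "the partition management threads run at regular intervals even when the cluster is idle".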
@@ -189,7 +189,7 @@ More information, see [Hive - Materialized Views - Microsoft Tech Community](htt
189189

190190
Use the built-in `SURROGATE_KEY` user-defined function (UDF) to automatically generate numerical Ids for rows as you enter data into a table. The generated surrogate keys can replace wide, multiple composite keys.
191191

192-
Hive supports the surrogate keys on ACID tables only. The table you want to join using surrogate keys can't have column types that need casting. These data types must be primitives, such as INT or `STRING`.
192+
Hive supports the surrogate keys on ACID tables only. The table you want to join using surrogate keys can't have column types that need to cast. These data types must be primitives, such as INT or `STRING`.
193193

194194
Joins using the generated keys are faster than joins using strings. Using generated keys doesn't force data into a single node by a row number. You can generate keys as abstractions of natural keys. Surrogate keys have an advantage over UUIDs, which are slower and probabilistic.
195195
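Review bot: On line 192 the change from "column types that need casting" to "column types that need to cast" makes the sentence less accurate, because column types do not perform a cast themselves; restore "need casting" or use "require casting". In the same line `STRING` is in code formatting but INT is not; format both the same way.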
