Merge pull request #212487 from MicrosoftDocs/main

Publish to live, Monday 4 AM PST, 9/26

Author: ttorble

articles/active-directory/manage-apps/configure-user-consent.md

@@ -49,22 +49,22 @@ To configure user consent settings through the Azure portal:
 
 # [PowerShell](#tab/azure-powershell)
 
-To choose which app consent policy governs user consent for applications, you can use the latest [Azure AD PowerShell](/powershell/module/azuread/?view=azureadps-2.0&preserve-view=true) module.
+To choose which app consent policy governs user consent for applications, you can use the [Microsoft Graph PowerShell](/powershell/microsoftgraph/get-started?view=graph-powershell-1.0&preserve-view=true) module. The cmdlets used here are included in the [Microsoft.Graph.Identity.SignIns](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.SignIns) module.
 
-> [!NOTE]
-> The instructions below use the generally available Azure AD PowerShell module ([AzureAD](https://www.powershellgallery.com/packages/AzureAD)). The parameter names are different in the preview version of this module ([AzureADPreview](https://www.powershellgallery.com/packages/AzureADPreview)). If you have both modules installed, ensure you're using the cmdlet from the correct module by first running:
-> 
-> ```powershell
-> Remove-Module AzureADPreview -ErrorAction SilentlyContinue
-> Import-Module AzureAD
-> ```
+#### Connect to Microsoft Graph PowerShell
+
+Connect to Microsoft Graph PowerShell using the least-privilege permission needed. For reading the current user consent settings, use *Policy.Read.All*. For reading and changing the user consent settings, use *Policy.ReadWrite.Authorization*.
+
+```powershell
+Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
+```
 
 #### Disable user consent
 
 To disable user consent, set the consent policies that govern user consent to empty:
 
 ```powershell
-Set-AzureADMSAuthorizationPolicy -DefaultUserRolePermissions @{
+Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
     "PermissionGrantPoliciesAssigned" = @() }
 ```
 
@@ -73,7 +73,7 @@ Set-AzureADMSAuthorizationPolicy -DefaultUserRolePermissions @{
 To allow user consent, choose which app consent policy should govern users' authorization to grant consent to apps:
 
 ```powershell
-Set-AzureADMSAuthorizationPolicy -DefaultUserRolePermissions @{
+Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
     "PermissionGrantPoliciesAssigned" = @("managePermissionGrantsForSelf.{consent-policy-id}") }
 ```
 
@@ -87,7 +87,7 @@ Replace `{consent-policy-id}` with the ID of the policy you want to apply. You c
 For example, to enable user consent subject to the built-in policy `microsoft-user-default-low`, run the following commands:
 
 ```powershell
-Set-AzureADMSAuthorizationPolicy -DefaultUserRolePermissions @{
+Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
     "PermissionGrantPoliciesAssigned" = @("managePermissionGrantsForSelf.microsoft-user-default-low") }
 ```
 

articles/active-directory/manage-apps/manage-app-consent-policies.md

@@ -17,9 +17,9 @@ ms.custom: contperf-fy21q2
 
 # Manage app consent policies
 
-With Azure AD PowerShell, you can view and manage app consent policies.
+With [Microsoft Graph PowerShell](/powershell/microsoftgraph/get-started?view=graph-powershell-1.0&preserve-view=true), you can view and manage app consent policies.
 
-An app consent policy consists of one or more "includes" condition sets and zero or more "excludes" condition sets. For an event to be considered in an app consent policy, it must match *at least* one "includes" condition set, and must not match *any* "excludes" condition set.
+An app consent policy consists of one or more "include" condition sets and zero or more "exclude" condition sets. For an event to be considered in an app consent policy, it must match *at least* one "include" condition set, and must not match *any* "exclude" condition set.
 
 Each condition set consists of several conditions. For an event to match a condition set, *all* conditions in the condition set must be met.
 
@@ -33,10 +33,10 @@ App consent policies where the ID begins with "microsoft-" are built-in policies
    - A custom directory role with the necessary [permissions to manage app consent policies](../roles/custom-consent-permissions.md#managing-app-consent-policies)
    - The Microsoft Graph app role (application permission) Policy.ReadWrite.PermissionGrant (when connecting as an app or a service)
 
-1. Connect to [Azure AD PowerShell](/powershell/module/azuread/).
+1. Connect to [Microsoft Graph PowerShell](/powershell/microsoftgraph/get-started?view=graph-powershell-1.0&preserve-view=true).
 
    ```powershell
-   Connect-AzureAD
+   Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant"
    ```
 
 ## List existing app consent policies
@@ -46,21 +46,19 @@ It's a good idea to start by getting familiar with the existing app consent poli
 1. List all app consent policies:
 
    ```powershell
-   Get-AzureADMSPermissionGrantPolicy | ft Id, DisplayName, Description
+   Get-MgPolicyPermissionGrantPolicy | ft Id, DisplayName, Description
    ```
 
-1. View the "includes" condition sets of a policy:
+1. View the "include" condition sets of a policy:
 
     ```powershell
-    Get-AzureADMSPermissionGrantConditionSet -PolicyId "microsoft-application-admin" `
-                                             -ConditionSetType "includes"
+    Get-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId "microsoft-application-admin" | fl
     ```
 
-1. View the "excludes" condition sets:
+1. View the "exclude" condition sets:
 
     ```powershell
-    Get-AzureADMSPermissionGrantConditionSet -PolicyId "microsoft-application-admin" `
-                                             -ConditionSetType "excludes"
+    Get-MgPolicyPermissionGrantPolicyExclude -PermissionGrantPolicyId "microsoft-application-admin" | fl
     ```
 
 ## Create a custom app consent policy
@@ -70,36 +68,34 @@ Follow these steps to create a custom app consent policy:
 1. Create a new empty app consent policy.
 
    ```powershell
-   New-AzureADMSPermissionGrantPolicy `
+   New-MgPolicyPermissionGrantPolicy `
        -Id "my-custom-policy" `
        -DisplayName "My first custom consent policy" `
        -Description "This is a sample custom app consent policy."
    ```
 
-1. Add "includes" condition sets.
+1. Add "include" condition sets.
 
    ```powershell
    # Include delegated permissions classified "low", for apps from verified publishers
-   New-AzureADMSPermissionGrantConditionSet `
-       -PolicyId "my-custom-policy" `
-       -ConditionSetType "includes" `
+   New-MgPolicyPermissionGrantPolicyInclude `
+       -PermissionGrantPolicyId "my-custom-policy" `
        -PermissionType "delegated" `
        -PermissionClassification "low" `
-       -ClientApplicationsFromVerifiedPublisherOnly $true
+       -ClientApplicationsFromVerifiedPublisherOnly
    ```
 
    Repeat this step to add additional "include" condition sets.
 
-1. Optionally, add "excludes" condition sets.
+1. Optionally, add "exclude" condition sets.
 
    ```powershell
    # Retrieve the service principal for the Azure Management API
-   $azureApi = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n:n eq 'https://management.azure.com/')"
+   $azureApi = Get-MgServicePrincipal -Filter "servicePrincipalNames/any(n:n eq 'https://management.azure.com/')"
 
    # Exclude delegated permissions for the Azure Management API
-   New-AzureADMSPermissionGrantConditionSet `
-       -PolicyId "my-custom-policy" `
-       -ConditionSetType "excludes" `
+   New-MgPolicyPermissionGrantPolicyExclude `
+       -PermissionGrantPolicyId "my-custom-policy" `
        -PermissionType "delegated" `
        -ResourceApplication $azureApi.AppId
    ```
@@ -113,7 +109,7 @@ Once the app consent policy has been created, you can [allow user consent](confi
 1. The following shows how you can delete a custom app consent policy. **This action cannot be undone.**
 
    ```powershell
-   Remove-AzureADMSPermissionGrantPolicy -Id "my-custom-policy"
+   Remove-MgPolicyPermissionGrantPolicy -PermissionGrantPolicyId "my-custom-policy"
    ```
 
 > [!WARNING]
@@ -134,7 +130,7 @@ The following table provides the list of supported conditions for app consent po
 | ClientApplicationIds | A list of **AppId** values for the client applications to match with, or a list with the single value "all" to match any client application. Default is the single value "all". |
 | ClientApplicationTenantIds | A list of Azure Active Directory tenant IDs in which the client application is registered, or a list with the single value "all" to match with client apps registered in any tenant. Default is the single value "all". |
 | ClientApplicationPublisherIds | A list of Microsoft Partner Network (MPN) IDs for [verified publishers](../develop/publisher-verification-overview.md) of the client application, or a list with the single value "all" to match with client apps from any publisher. Default is the single value "all". |
-| ClientApplicationsFromVerifiedPublisherOnly | Set to `$true` to only match on client applications with a [verified publishers](../develop/publisher-verification-overview.md). Set to `$false` to match on any client app, even if it does not have a verified publisher. Default is `$false`. |
+| ClientApplicationsFromVerifiedPublisherOnly | Set this switch to only match on client applications with a [verified publishers](../develop/publisher-verification-overview.md). Disable this switch (`-ClientApplicationsFromVerifiedPublisherOnly:$false`) to match on any client app, even if it does not have a verified publisher. Default is `$false`. |
 
 ## Next steps
 

articles/api-management/api-management-get-started-publish-versions.md

@@ -60,7 +60,7 @@ Enter the values from the following table. Then select **Create** to create your
 |---------|---------|---------|
 |**Name**     |  *demo-conference-api-v1*       |  Unique name in your API Management instance.<br/><br/>Because a version is in fact a new API based off an API's [revision](api-management-get-started-revise-api.md), this setting is the new API's name.   |
 |**Versioning scheme**     |  **Path**       |  The way callers specify the API version.     |
-|**Version identifer**     |  *v1*       |  Scheme-specific indicator of the version. For **Path**, the suffix for the API URL path. <br/><br/> If **Header** or **Query string** is selected, enter an additional value: the name of the header or query string parameter.<br/><br/> A usage example is displayed.        |
+|**Version identifier**     |  *v1*       |  Scheme-specific indicator of the version. For **Path**, the suffix for the API URL path. <br/><br/> If **Header** or **Query string** is selected, enter an additional value: the name of the header or query string parameter.<br/><br/> A usage example is displayed.        |
 |**Products**     |  **Unlimited**       |  Optionally, one or more products that the API version is associated with. To publish the API, you must associate it with a product. You can also [add the version to a product](#add-the-version-to-a-product) later.      |
 
 After creating the version, it now appears underneath **Demo Conference API** in the API List. You now see two APIs: **Original**, and **v1**.

articles/azure-monitor/agents/data-collection-text-log.md

@@ -518,7 +518,7 @@ do
     $randomContent = New-Guid
     $logRecord = "$(Get-Date -format s)Z Record number $count with random content $randomContent"
     $logRecord | Out-File "$logFolder\\$logFileName" -Encoding utf8 -Append
-    Sleep $sleepSeconds
+    Start-Sleep $sleepSeconds
 }
 while ($true)
 

articles/backup/backup-vault-overview.md

@@ -2,7 +2,7 @@
 title: Overview of Backup vaults
 description: An overview of Backup vaults.
 ms.topic: conceptual
-ms.date: 02/14/2022
+ms.date: 09/26/2022
 ms.custom: references_regions
 author: v-amallick
 ms.service: backup
@@ -120,7 +120,7 @@ In the **Backup Instances** tile, you get a summarized view of all backup instan
 
 ![Backup jobs](./media/backup-vault-overview/backup-jobs.png)
 
-## Move a Backup vault across Azure subscriptions/resource groups (Public Preview)
+## Move a Backup vault across Azure subscriptions/resource groups
 
 This section explains how to move a Backup vault (configured for Azure Backup) across Azure subscriptions and resource groups using the Azure portal.
 
@@ -241,7 +241,13 @@ Troubleshoot the following common issues you might encounter during Backup vault
 
 **Cause**: Resource move for Backup vault is currently not supported in the selected Azure region.
 
-**Recommendation**: Ensure that you've selected one of the supported regions to move Backup vaults. See [Supported regions](#supported-regions).
+**Recommendation**: Ensure that you've selected one of the supported regions to move Backup vaults. See [Supported regions](#supported-regions
+
+#### UserErrorCrossTenantMSIMoveNotSupported 
+
+**Cause**: This error occurs if the subscription with which resource is associated has moved to a different Tenant, but the Managed Identity is still associated with the old Tenant.
+
+**Recommendation**: Remove the Managed Identity from the existing Tenant; move the resource and add it again to the new one.
 
 ## Next steps