Merge pull request #183450 from MicrosoftDocs/master

12/21 AM Publishing

Author: v-alje

articles/active-directory/app-provisioning/index.yml

@@ -22,6 +22,8 @@ landingContent:
         links:
           - text: What is application provisioning?
             url: user-provisioning.md
+          - text: What is HR-driven provisioning?
+            url: what-is-hr-driven-provisioning.md  
           - text: How provisioning works
             url: how-provisioning-works.md
       - linkListType: tutorial

articles/active-directory/governance/entitlement-management-process.md

@@ -49,6 +49,9 @@ If you're an approver, you're sent email notifications when you need to approve
 
 The following diagrams show when these email notifications are sent to either the approvers or the requestor. Reference the [email notifications table](entitlement-management-process.md#email-notifications-table) to find the corresponding number to the email notifications displayed in the diagrams.
 
+> [!NOTE]
+> If the admin directly assigns a user to an access package, you won't receive an email notification when an access request has been completed or denied. Email notifications are sent only when a user makes a request for access.
+
 ### First approvers and alternate approvers
 The following diagram shows the experience of first approvers and alternate approvers, and the email notifications they receive during the request process:
 

articles/active-directory/hybrid/index.yml

@@ -27,6 +27,8 @@ landingContent:
         links:
           - text: What is hybrid identity?
             url: whatis-hybrid-identity.md
+          - text: What is inter-directory provisioning?
+            url: whatis-hybrid-identity.md  
 
   # Card
   - title: Determine the best solution to manage the lifecycle of your users and groups

articles/active-directory/manage-apps/f5-big-ip-kerberos-easy-button.md

@@ -315,7 +315,7 @@ Enable **Kerberos** and **Show Advanced Setting** to enter the following:
 
 * **User Realm Source:** Required if the user domain is different to the BIG-IP’s kerberos realm. In that case, the APM session variable would contain the logged in user domain. For example,*session.saml.last.attr.name.domain*
 
-![Screenshot for SSO and HTTP headers](./media/f5-big-ip-kerberos-easy-button/sso-headers.png)
+   ![Screenshot for SSO and HTTP headers](./media/f5-big-ip-kerberos-easy-button/sso-headers.png)
 
 * **KDC:** IP of a Domain Controller (Or FQDN if DNS is configured & efficient)
 
@@ -325,7 +325,7 @@ Enable **Kerberos** and **Show Advanced Setting** to enter the following:
 
 * **Send Authorization:** Disable for applications that prefer negotiating authentication instead of receiving the kerberos token in the first request. For example, *Tomcat.*
 
-![Screenshot for SSO method configuration](./media/f5-big-ip-kerberos-easy-button/sso-method-config.png)
+   ![Screenshot for SSO method configuration](./media/f5-big-ip-kerberos-easy-button/sso-method-config.png)
 
 
 ### Session Management

articles/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks.md

@@ -12,7 +12,7 @@ ms.topic: how-to
 ms.tgt_pltfrm:
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 5/19/2021
+ms.date: 12/21/2021
 ms.author: markvi
 ms.reviewer: dhanyahk
 ---
@@ -71,12 +71,27 @@ To use Monitor workbooks, you need:
     - Global administrator
 
 ## Roles
-You must be in one of the following roles as well as have [access to underlying Log Analytics](../../azure-monitor/logs/manage-access.md#manage-access-using-azure-permissions) workspace to manage the workbooks:
-- 	Global administrator
-- 	Security administrator
-- 	Security reader
-- 	Report reader
-- 	Application administrator
+
+To access workbooks in Azure Active Directory, you must have access to the underlying [Log Analytics](../../azure-monitor/logs/manage-access.md#manage-access-using-azure-permissions) workspace and be assigned to one of the following roles:
+
+
+- Global Reader
+
+- Reports Reader
+
+- Security Reader
+
+- Application Administrator 
+
+- Cloud Application Administrator
+
+- Company Administrator
+
+- Security Administrator
+
+
+
+
 
 ## Workbook access 
 

articles/aks/command-invoke.md

@@ -25,7 +25,7 @@ The pod created by the `run` command provides the following binaries:
 
 In addition, `command invoke` runs the commands from your cluster so any commands run in this manner are subject to networking and other restrictions you have configured on your cluster.
 
-## Use `invoke commnad` to run a single command
+## Use `command invoke` to run a single command
 
 Use `az aks command invoke --command` to run a command on your cluster. For example:
 
@@ -75,4 +75,4 @@ az aks command invoke \
   --file .
 ```
 
-The above runs `kubectl apply -f deployment.yaml configmap.yaml -n default` on the *myAKSCluster* cluster in *myResourceGroup*. The `deployment.yaml` and `configmap.yaml` files used by that command are part of the current directory on the development computer where `az aks command invoke` was run.
+The above runs `kubectl apply -f deployment.yaml configmap.yaml -n default` on the *myAKSCluster* cluster in *myResourceGroup*. The `deployment.yaml` and `configmap.yaml` files used by that command are part of the current directory on the development computer where `az aks command invoke` was run.

articles/aks/support-policies.md

@@ -51,7 +51,7 @@ Microsoft provides technical support for the following examples:
 
 * Connectivity to all Kubernetes components that the Kubernetes service provides and supports, such as the API server.
 * Management, uptime, QoS, and operations of Kubernetes control plane services (Kubernetes control plane, API server, etcd, and coreDNS, for example).
-* Etcd data store. Support includes automated, transparent backups of all etcd data every 30 minutes for disaster planning and cluster state restoration. These backups aren't directly available to you or any users. They ensure data reliability and consistency. Etcd. on-demand rollback or restore is not supported as a feature.
+* Etcd data store. Support includes automated, transparent backups of all etcd data every 30 minutes for disaster planning and cluster state restoration. These backups aren't directly available to you or any users. They ensure data reliability and consistency. On-demand rollback or restore is not supported as a feature.
 * Any integration points in the Azure cloud provider driver for Kubernetes. These include integrations into other Azure services such as load balancers, persistent volumes, or networking (Kubernetes and Azure CNI).
 * Questions or issues about customization of control plane components such as the Kubernetes API server, etcd, and coreDNS.
 * Issues about networking, such as Azure CNI, kubenet, or other network access and functionality issues. Issues could include DNS resolution, packet loss, routing, and so on. Microsoft supports various networking scenarios:

articles/app-service/configure-connect-to-azure-storage.md

@@ -4,37 +4,25 @@ description: Learn how to attach custom network share in a containerized app in
 author: msangapu-msft
 
 ms.topic: article
-ms.date: 09/02/2021
+ms.date: 12/03/2021
 ms.author: msangapu
 zone_pivot_groups: app-service-containers-windows-linux
 ---
 # Mount Azure Storage as a local share in a custom container in App Service
 
 ::: zone pivot="container-windows"
 
-> [!NOTE]
->Azure Storage in App Service Windows container is **in preview** and **not supported** for **production scenarios**.
-
 This guide shows how to mount Azure Storage Files as a network share in a Windows container in App Service. Only [Azure Files Shares](../storage/files/storage-how-to-use-files-portal.md) and [Premium Files Shares](../storage/files/storage-how-to-create-file-share.md) are supported. The benefits of custom-mounted storage include:
 
-::: zone-end
-
-::: zone pivot="container-linux"
-
-This guide shows how to mount Azure Storage as a network share in a built-in Linux container or a custom Linux container in App Service. See the video [how to mount Azure Storage as a local share](https://www.youtube.com/watch?v=OJkvpWYr57Y). The benefits of custom-mounted storage include:
-
-::: zone-end
-
 - Configure persistent storage for your App Service app and manage the storage separately.
 - Make static content like video and images readily available for your App Service app. 
 - Write application log files or archive older application log to Azure File shares.  
 - Share content across multiple apps or with other Azure services.
-
-::: zone pivot="container-windows"
+- Mount Azure Storage in a Windows container in a Standard tier or higher plan, including Isolated ([App Service environment v3](environment/overview.md)).
 
 The following features are supported for Windows containers:
 
-- Secured access to storage accounts with [private links](../storage/common/storage-private-endpoints.md) (when [VNET integration](./overview-vnet-integration.md) is used). [Service endpoint](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) support is currently unavailable.
+- Secured access to storage accounts with [private endpoints](../storage/common/storage-private-endpoints.md) and [service endpoints](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) (when [VNET integration](./overview-vnet-integration.md) is used).
 - Azure Files (read/write).
 - Up to five mount points per app.
 - Drive letter assignments (`C:` to `Z:`).
@@ -43,6 +31,13 @@ The following features are supported for Windows containers:
 
 ::: zone pivot="container-linux"
 
+This guide shows how to mount Azure Storage as a network share in a built-in Linux container or a custom Linux container in App Service. See the video [how to mount Azure Storage as a local share](https://www.youtube.com/watch?v=OJkvpWYr57Y). The benefits of custom-mounted storage include:
+
+- Configure persistent storage for your App Service app and manage the storage separately.
+- Make static content like video and images readily available for your App Service app. 
+- Write application log files or archive older application log to Azure File shares.  
+- Share content across multiple apps or with other Azure services.
+
 The following features are supported for Linux containers:
 
 - Secured access to storage accounts with [service endpoints](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) and [private links](../storage/common/storage-private-endpoints.md) (when [VNET integration](./overview-vnet-integration.md) is used).
@@ -52,11 +47,19 @@ The following features are supported for Linux containers:
 
 ::: zone-end
 
+<!-- ::: zone pivot="container-windows"
+
+::: zone-end
+
+::: zone pivot="container-linux"
+
+::: zone-end -->
+
 ## Prerequisites
 
 ::: zone pivot="container-windows"
 
-- [An existing Windows custom container in Azure App Service](quickstart-custom-container.md)
+- [An existing Windows container app in App Service](quickstart-custom-container.md)
 - [Create Azure file share](../storage/files/storage-how-to-use-files-portal.md)
 - [Upload files to Azure File share](../storage/files/storage-how-to-create-file-share.md)
 
@@ -80,7 +83,7 @@ The following features are supported for Linux containers:
 
 - Storage mounts are not supported for native Windows (non-containerized) apps.
 - Azure blobs are not supported.
-- [Storage firewall](../storage/common/storage-network-security.md) is supported only through [private endpoints](../storage/common/storage-private-endpoints.md) (when [VNET integration](./overview-vnet-integration.md) is used). Custom DNS support is currently unavailable when the mounted Azure Storage account uses a private endpoint.
+- [Storage firewall](../storage/common/storage-network-security.md) is supported only through [private endpoints](../storage/common/storage-private-endpoints.md) and [service endpoints](../storage/common/storage-network-security.md#grant-access-from-a-virtual-network) (when [VNET integration](./overview-vnet-integration.md) is used).
 - FTP/FTPS access to mounted storage not supported (use [Azure Storage Explorer](https://azure.microsoft.com/features/storage-explorer/)).
 - Mapping `[C-Z]:\`, `[C-Z]:\home`, `/`, and `/home` to custom-mounted storage is not supported.
 - Storage mounts cannot be used together with clone settings option during [deployment slot](deploy-staging-slots.md) creation.
@@ -135,21 +138,17 @@ The following features are supported for Linux containers:
     | **Mount path** | Directory inside the Linux container to mount to Azure Storage. Do not use `/` or `/home`.|
     ::: zone-end
 
-    > [!CAUTION]
-    > The directory specified in **Mount path** in the container should be empty. Any content stored in this directory is deleted when the Azure Storage is mounted (if you specify a directory under `/home`, for example). If you are migrating files for an existing app, make a backup of the app and its content before you begin.
-    >
-    
 # [Azure CLI](#tab/cli)
 
 Use the [`az webapp config storage-account add`](/cli/azure/webapp/config/storage-account#az_webapp_config_storage_account_add) command. For example:
 
-```azurecli
+```azurecli-interactive
 az webapp config storage-account add --resource-group <group-name> --name <app-name> --custom-id <custom-id> --storage-type AzureFiles --share-name <share-name> --account-name <storage-account-name> --access-key "<access-key>" --mount-path <mount-path-directory>
 ```
 
 ::: zone pivot="container-windows"
 - `--storage-type` must be `AzureFiles` for Windows containers. 
-- `mount-path-directory` must be in the form `/path/to/dir` or `[C-Z]:\path\to\dir` with no drive letter. Do not use a root directory (`[C-Z]:\` or `/`) or the `home` directory (`[C-Z]:\home`, or `/home`).
+- `mount-path-directory` must be in the form `/path/to/dir` or `[C-Z]:\path\to\dir`.
 ::: zone-end
 ::: zone pivot="container-linux"
 - `--storage-type` can be `AzureBlob` or `AzureFiles`. `AzureBlob` is read-only.
@@ -158,14 +157,10 @@ az webapp config storage-account add --resource-group <group-name> --name <app-n
 
 Verify your storage is mounted by running the following command:
 
-```azurecli
+```azurecli-interactive
 az webapp config storage-account list --resource-group <resource-group> --name <app-name>
 ```
 
-> [!CAUTION]
-> The directory specified in `--mount-path` in the container should be empty. Any content stored in this directory is deleted when the Azure Storage is mounted (if you specify a directory under `/home`, for example). If you are migrating files for an existing app, make a backup of the app and its content before you begin.
->
-
 Verify your configuration by running the following command:
 
 ```azurecli
@@ -201,9 +196,6 @@ To validate that the Azure Storage is mounted successfully for the app:
 ## Best practices
 
 - To avoid potential issues related to latency, place the app and the Azure Storage account in the same Azure region. Note, however, if the app and Azure Storage account are in same Azure region, and if you grant access from App Service IP addresses in the [Azure Storage firewall configuration](../storage/common/storage-network-security.md), then these IP restrictions are not honored.
-::: zone pivot="container-windows"
-- The mount directory in the custom container should be empty. Any content stored at this path is deleted when the Azure Storage is mounted. If you are migrating files for an existing app, make a backup of the app and its content before you begin.
-::: zone-end
 ::: zone pivot="container-linux"
 - The mount directory in the custom container should be empty. Any content stored at this path is deleted when the Azure Storage is mounted (if you specify a directory under `/home`, for example). If you are migrating files for an existing app, make a backup of the app and its content before you begin.
 
@@ -217,19 +209,29 @@ To validate that the Azure Storage is mounted successfully for the app:
 
 - If you delete an Azure Storage account, container, or share, remove the corresponding storage mount configuration in the app to avoid possible error scenarios. 
 
+::: zone pivot="container-windows"
+- The mounted Azure Storage account can be either Standard or Premium performance tier. Based on the app capacity and throughput requirements, choose the appropriate performance tier for the storage account. See [the scalability and performance targets for Files](../storage/files/storage-files-scale-targets.md)
+::: zone-end
+::: zone pivot="container-linux"
 - The mounted Azure Storage account can be either Standard or Premium performance tier. Based on the app capacity and throughput requirements, choose the appropriate performance tier for the storage account. See the scalability and performance targets that correspond to the storage type:
 
-    - [For Files](../storage/files/storage-files-scale-targets.md) (Windows and Linux containers)
-    - [For Blobs](../storage/blobs/scalability-targets.md) (Linux containers only)
+    - [For Files](../storage/files/storage-files-scale-targets.md)
+    - [For Blobs](../storage/blobs/scalability-targets.md)
+::: zone-end
 
 - If your app [scales to multiple instances](../azure-monitor/autoscale/autoscale-get-started.md), all the instances connect to the same mounted Azure Storage account. To avoid performance bottlenecks and throughput issues, choose the appropriate performance tier for the storage account.  
 
 - It's not recommended to use storage mounts for local databases (such as SQLite) or for any other applications and components that rely on file handles and locks. 
 
-- When using Azure Storage [private endpoints](../storage/common/storage-private-endpoints.md) with the app, you need to set the following two app settings:
+::: zone pivot="container-windows"
+- When using Azure Storage [private endpoints](../storage/common/storage-private-endpoints.md) with the app, you need to [enable the **Route All** setting](configure-vnet-integration-routing.md).
 
-    - `WEBSITE_DNS_SERVER` = `168.63.129.16`
-    - `WEBSITE_VNET_ROUTE_ALL` = `1`
+    > [!NOTE]
+    > In App Service environment V3, the **Route All** setting is disabled by default and must be explicitly enabled.
+::: zone-end
+::: zone pivot="container-linux"
+- When using Azure Storage [private endpoints](../storage/common/storage-private-endpoints.md) with the app, you need to [enable the **Route All** setting](configure-vnet-integration-routing.md).
+::: zone-end
 
 - If you [initiate a storage failover](../storage/common/storage-initiate-account-failover.md) and the storage account is mounted to the app, the mount will fail to connect until you either restart the app or remove and add the Azure Storage mount. 
 

articles/automation/automation-hrw-run-runbooks.md

@@ -375,7 +375,6 @@ When starting a runbook using PowerShell, use the `RunOn` parameter with the [St
 ```azurepowershell-interactive
 Start-AzAutomationRunbook -AutomationAccountName "MyAutomationAccount" -Name "Test-Runbook" -RunOn "MyHybridGroup"
 ```
-
 ## Logging
 
 To help troubleshoot issues with your runbooks running on a hybrid runbook worker, logs are stored locally in the following location:

articles/automation/automation-linux-hrw-install.md

@@ -16,6 +16,10 @@ The Linux Hybrid Runbook Worker executes runbooks as a special user that can be
 
 After you successfully deploy a runbook worker, review [Run runbooks on a Hybrid Runbook Worker](automation-hrw-run-runbooks.md) to learn how to configure your runbooks to automate processes in your on-premises datacenter or other cloud environment.
 
+> [!NOTE]
+> A hybrid worker can co-exist with both platforms: **Agent based (V1)** and **Extension based (V2)**. If you install Extension based (V2) on a hybrid worker already running Agent based (V1), then you would see two entries of the Hybrid Runbook Worker in the group. One with Platform Extension based (V2) and the other Agent based (V1). [**Learn more**](/azure/automation/extension-based-hybrid-runbook-worker-install#install-extension-based-v2-on-existing-agent-based-v1-hybrid-worker).
+
+
 ## Prerequisites
 
 Before you start, make sure that you have the following.