Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into esanACS

Author: roygara

articles/ai-studio/how-to/costs-plan-manage.md

@@ -63,12 +63,15 @@ Before you delete an Azure AI hub resource in the Azure portal or with Azure CLI
 - Azure AI Search (for the data)
 - Virtual machines
 - Load Balancer
-- Virtual Network
+- Azure Virtual Network
 - Bandwidth
 
 Each VM is billed per hour it's running. Cost depends on VM specifications. VMs that are running but not actively working on a dataset will still be charged via the load balancer. For each compute instance, one load balancer is billed per day. Every 50 nodes of a compute cluster have one standard load balancer billed. Each load balancer is billed around $0.33/day. To avoid load balancer costs on stopped compute instances and compute clusters, delete the compute resource.
 
-Compute instances also incur P10 disk costs even in stopped state. This is because any user content saved there's persisted across the stopped state similar to Azure VMs. We're working on making the OS disk size/ type configurable to better control costs. For virtual networks, one virtual network is billed per subscription and per region. Virtual networks can't span regions or subscriptions. Setting up private endpoints in virtual network setups might also incur charges. Bandwidth is charged by usage; the more data transferred, the more you're charged.
+Compute instances also incur P10 disk costs even in stopped state. This is because any user content saved there's persisted across the stopped state similar to Azure VMs. We're working on making the OS disk size/ type configurable to better control costs. For Azure Virtual Networks, one virtual network is billed per subscription and per region. Virtual networks can't span regions or subscriptions. Setting up private endpoints in virtual network setups might also incur charges. If your virtual network uses an Azure Firewall, this might also incur charges. Bandwidth is charged by usage; the more data transferred, the more you're charged. 
+
+> [!TIP]
+> Using an managed virtual network is free. However some features of the managed network rely on Azure Private Link (for private endpoints) and Azure Firewall (for FQDN rules) and will incur charges. For more information, see [Managed virtual network isolation](configure-managed-network.md#pricing).
 
 ### Costs might accrue after resource deletion
 

articles/aks/ingress-tls.md

@@ -7,7 +7,7 @@ ms.custom: devx-track-azurecli, devx-track-azurepowershell, linux-related-conten
 author: asudbring
 ms.author: allensu
 ms.topic: how-to
-ms.date: 12/13/2023
+ms.date: 03/14/2024
 ROBOTS: NOINDEX
 #Customer intent: As a cluster operator or developer, I want to use TLS with an ingress controller to handle the flow of incoming traffic and secure my apps using my own certificates or automatically generated certificates.
 ---
@@ -73,6 +73,9 @@ To use TLS with [Let's Encrypt][lets-encrypt] certificates, you'll deploy [cert-
 
 * Use `Import-AzContainerRegistryImage` to import the following images into your ACR.
 
+   >[!NOTE]
+   >When performing the steps to import the images into your ACR when working in Azure Government, you need to include the [`targetTag`][parameter-targettag] parameter with the value representing the tag of the image you want to import. 
+
     ```azurepowershell
     $RegistryName = "<REGISTRY_NAME>"
     $ResourceGroup = (Get-AzContainerRegistry | Where-Object {$_.name -eq $RegistryName} ).ResourceGroupName
@@ -659,4 +662,5 @@ You can also:
 [acr-helm]: ../container-registry/container-registry-helm-repos.md
 [get-az-aks-cluster]: /powershell/module/az.aks/get-azakscluster
 [new-az-public-ip-address]: /powershell/module/az.network/new-azpublicipaddress
-[aks-app-add-on]: app-routing.md
+[aks-app-add-on]: app-routing.md
+[parameter-targettag]: /powershell/module/az.containerregistry/import-azcontainerregistryimage

articles/azure-portal/media/set-preferences/settings-my-information.png

@@ -1,7 +1,7 @@
 ---
 title: Manage Azure portal settings and preferences
 description: Change Azure portal settings such as default subscription/directory, timeouts, menu mode, contrast, theme, notifications, language/region and more.
-ms.date: 01/23/2024
+ms.date: 03/14/2024
 ms.topic: how-to
 ---
 
@@ -146,13 +146,27 @@ Once you have made the desired changes to your language and regional format sett
 
 ## My information
 
-**My information** lets you update the email address that is used for updates on Azure services, billing, support, or security issues. You can also opt in or out from additional emails about Microsoft Azure and other products and services.
+**My information** lets you provide information specific to your Azure experience.
+
+### Email setting
+
+The email address you provide here will be used if we need to contact you for updates on Azure services, billing, support, or security issues. You can change this address at any time.
+
+Here, you can also indicate whether you'd like to receive additional emails about Microsoft Azure and other Microsoft products and services.
+
+### Portal personalization
+
+In this section, you can optionally share information about how you plan to use Azure. This information helps us provide tips, tools, and recommendations that are relevant to the tasks and services that you're interested in.
+
+To provide this information, select one or more items from the list. You can change your selections at any time.
+
+### Export, restore, and delete user settings
 
 Near the top of **My information**, you'll see options to export, restore, or delete settings.
 
 :::image type="content" source="media/set-preferences/settings-my-information.png" alt-text="Screenshot of My information settings." lightbox="media/set-preferences/settings-my-information.png":::
 
-### Export user settings
+#### Export user settings
 
 Information about your custom settings is stored in Azure. You can export the following user data:
 
@@ -164,11 +178,11 @@ To export your portal settings, select **Export settings** from the top of the *
 
 Due to the dynamic nature of user settings and risk of data corruption, you can't import settings from the JSON file. However, you can use this file to review the settings you selected. It can be useful to have a backup of your selections if you choose to delete your settings and private dashboards.
 
-### Restore default settings
+#### Restore default settings
 
 If you've made changes to the Azure portal settings and want to discard them, select **Restore default settings** from the top of the **My information** pane. You'll be prompted to confirm this action. When you do so, any changes you've made to your Azure portal settings will be lost. This option doesn't affect dashboard customizations.
 
-### Delete user settings and dashboards
+#### Delete user settings and dashboards
 
 Information about your custom settings is stored in Azure. You can delete the following user data:
 

articles/azure-portal/set-preferences.md

@@ -0,0 +1,148 @@
+---
+title: Configure Microsoft Intune Endpoint Privilege Management
+description: Learn how to configure Microsoft Intune Endpoint Privilege Management for dev boxes so that dev box users don't need local administrative privileges.
+author: RoseHJM
+ms.author: rosemalcolm
+ms.service: dev-box
+ms.topic: how-to
+ms.date: 02/27/2024
+
+#customer intent: As a platform engineer, I want to configure elevated privilege management for dev boxes so that dev box users do not need local administrative privileges.
+---
+
+# Configure Microsoft Intune Endpoint Privilege Management for dev boxes 
+
+In this article, you learn how to configure Microsoft Intune Endpoint Privilege Management (EPM) for dev boxes so that dev box users don't need local administrative privileges.
+
+Microsoft Intune Endpoint Privilege Management allows your organization’s users to run as a standard user (without administrator rights) and complete tasks that require elevated privileges. Tasks that commonly require administrative privileges are application installs (like Microsoft 365 Applications), updating device drivers, and running certain Windows diagnostics.
+
+Endpoint Privilege Management is built into Microsoft Intune, which means that all configuration is completed within the Microsoft Intune Admin Center. To get started with EPM, use the high-level process outlined as follows:
+
+- *License Endpoint Privilege Management* - Before you can use Endpoint Privilege Management policies, you must license EPM in your tenant as an Intune add-on. For licensing information, see Use Intune Suite add-on capabilities.
+
+- *Deploy an elevation settings policy* - An elevation settings policy activates EPM on the client device. This policy also allows you to configure settings that are specific to the client but aren't necessarily related to the elevation of individual applications or tasks.
+
+## Prerequisites
+
+- A dev center with a dev box project.
+- Microsoft Intune subscription.
+
+## License Endpoint Privilege Management
+
+Endpoint Privilege Management requires either a stand-alone license that adds only EPM, or license EPM as part of the Microsoft Intune Suite.
+
+In this section, you configure EPM licensing and assign the EPM license to a user.
+
+1. License EPM in your tenant as an Intune add-on:
+
+    1. Open the [Microsoft Intune admin center](https://intune.microsoft.com), and navigate to **Tenant admin** >  **Intune add-ons**.
+    1. Select **Endpoint Privilege Management**.
+
+1. Configure Intune admin role for EPM administration: 
+
+    1. In the Intune admin center, go to **Users**, and select the user you want to assign the role to. 
+    1. Select **Add assignments** and assign the **Global Administrator** role, and the **Intune Administrator** role.
+     
+       :::image type="content" source="media/how-to-elevate-privilege-dev-box/tenant-admin.png" alt-text="Screenshot of the Microsoft Intune admin center, showing the available tenant admin roles." lightbox="media/how-to-elevate-privilege-dev-box/tenant-admin.png":::
+ 
+1. Apply the EPM license in Microsoft 365:
+
+    In the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home?#/catalog), go to **Billing** > **Purchase services** > **Endpoint Privilege Management**, and then select your EPM license.
+
+1. Assign E5 and EPM licenses to target user in Microsoft Entra ID:
+ 
+    1. In the Intune admin center, go to **Users**, and select the user you want to assign the E5 and EPM licenses to. 
+    1. Select **Assignments** and assign the licenses.
+    
+       :::image type="content" source="media/how-to-elevate-privilege-dev-box/assign-license.png" alt-text="Screenshot of the Microsoft Intune admin center, showing the available licenses." lightbox="media/how-to-elevate-privilege-dev-box/assign-license.png":::
+
+## Deploy an elevation settings policy 
+
+A dev box must have an elevation settings policy that enables support for EPM to process an elevation rules policy or manage elevation requests. When support is enabled, the EPM Microsoft Agent, which processes the EPM policies, is installed.
+
+In this section, you create a dev box and an Intune group that you use to test the EPM policy configuration. Then, you create an EPM elevation settings policy and assign the policy to the group.
+
+1. Create a dev box definition
+
+    1. In the Azure portal, create a [dev box definition](how-to-manage-dev-box-definitions.md). Specify a supported OS, like *Windows 11, version 22H2*. 
+    
+       > [!NOTE]
+       > EPM supports the following operating systems:
+       > - Windows 11 (versions 23H2, 22H2, and 21H2)
+       > - Windows 10 (versions 22H2, 21H2, and 20H2)
+
+   1. In your project, create a [dev box pool](how-to-manage-dev-box-pools.md) that uses the new dev box definition.
+
+   1. Assign [Dev Box User](how-to-dev-box-user.md) role to the test user.
+
+1. Create a dev box for testing the policy
+
+   1. Sign in to the [developer portal](https://aka.ms/devbox-portal).
+
+   1. Create a dev box using the dev box pool you created in the previous step.
+
+   1. Determine the dev box hostname. You'll use this hostname add the dev box to and Intune group in the next step.
+ 
+1. Create an Intune group and add the dev box to the group
+
+   1. Open the [Microsoft Intune admin center](https://intune.microsoft.com), select **Groups** > **New group**.
+
+   1. In the **Group type** dropdown box, select **Security**.
+
+   1. In the **Group name** field, enter the name for the new group (for example, Contoso Testers).
+
+   1. Add a **Group description** for the group.
+
+   1. Set the **Membership type** to **Assigned**.
+
+   1. Under **Members**, select the dev box you created.
+
+1. Create an EPM elevation settings policy and assign it to the group.
+ 
+    1. In the Microsoft Intune admin center, select **Endpoint security** > **Endpoint Privilege Management** > **Policies** > **Create Policy**.
+     
+       :::image type="content" source="media/how-to-elevate-privilege-dev-box/intune-endpoint-security.png" alt-text="Screenshot of Microsoft Intune admin center, showing the Endpoint security | Endpoint Privilege Management pane." lightbox="media/how-to-elevate-privilege-dev-box/intune-endpoint-security.png":::
+
+    1. In the **Create a profile** pane, select the following settings: 
+       - **Platform**: Windows 10 and later
+       - **Profile type**: Elevation settings policy
+
+    1. On the **Basics** tab, enter a name for the policy.
+     
+       :::image type="content" source="media/how-to-elevate-privilege-dev-box/create-profile-name.png" alt-text="Screenshot showing the Create profile basics tab with Policy name highlighted." lightbox="media/how-to-elevate-privilege-dev-box/create-profile-name.png":::
+
+    1. On the **Configuration settings** tab, in **Default elevation response**, select **Deny all elevation requests**.
+     
+       :::image type="content" source="media/how-to-elevate-privilege-dev-box/deny-all-requests.png" alt-text="Screenshot showing the Configuration settings tab, with Endpoint Privilege Management enabled and Default elevation response set to Deny all requests." lightbox="media/how-to-elevate-privilege-dev-box/deny-all-requests.png":::
+
+    1. On the **Assignments** tab, select **Add groups**, add the group you created earlier, and then select **Create**.
+     
+       :::image type="content" source="media/how-to-elevate-privilege-dev-box/assign-defined-group.png" alt-text="Screenshot showing the Create profile Assignments tab, with Add groups highlighted." lightbox="media/how-to-elevate-privilege-dev-box/assign-defined-group.png":::
+
+## Verify administrative privilege restrictions
+
+In this section, you validate that the Microsoft EPM Agent is installed and the policy is applied to the dev box.
+
+1. Verify that the policy is applied to the dev box:
+
+    1. In the Microsoft Intune admin center, select **Devices** > the dev box you created earlier > **Device configuration** > the policy you created earlier.
+     
+         :::image type="content" source="media/how-to-elevate-privilege-dev-box/intune-device-configuration.png" alt-text="Screenshot showing the Microsoft Intune admin center, with the Devices pane and Device configuration highlighted." lightbox="media/how-to-elevate-privilege-dev-box/intune-device-configuration.png"::: 
+     
+    1. Wait until all the settings report as **Succeeded**.
+     
+         :::image type="content" source="media/how-to-elevate-privilege-dev-box/device-profile-settings.png" alt-text="Screenshot showing the Profile Settings, with Setting status highlighted." lightbox="media/how-to-elevate-privilege-dev-box/device-profile-settings.png"::: 
+
+1. Verify that the Microsoft EPM Agent is installed on the dev box:
+
+    1. Sign in to the dev box you created earlier.
+    1. Navigate to *c:\Program Files*, and verify that a folder named **Microsoft EPM Agent** exists.
+
+1. Attempt to run an application with administrative privileges. 
+
+    On your dev box, right-click an application and select **Run with elevated access**. You receive a message that the installation is blocked.
+
+## Related content
+
+* [Use Intune Suite add-on capabilities](/mem/intune/fundamentals/intune-add-ons).
+* [Use Endpoint Privilege Management with Microsoft Intune](/mem/intune/protect/epm-overview).