Commit ed8aeac

Merge pull request #267234 from MicrosoftDocs/main
Publish to live, Monday 4 AM PST, 2/26
2 parents 6635506 + 5df6c54 commit ed8aeac

46 files changed

+1729
-625
lines changed

articles/aks/node-autoprovision.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -68,6 +68,7 @@ NAP is based on the Open Source [Karpenter](https://karpenter.sh) project, and t
6868
- Windows and Azure Linux node pools aren't supported yet
6969
- Kubelet configuration through Node pool configuration is not supported
7070
- NAP can only be enabled on new clusters currently
71+
- It is not currently possible to stop nodepools or clusters which use the NAP feature
7172
7273
## Enable node autoprovisioning
7374
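Review bot: The new bullet at line 71 writes "nodepools" as one word while the bullet at line 68 uses "node pools", and it gives no pointer to the stop/start articles that this same commit updates with links back to this page. Suggest "It isn't currently possible to stop node pools or clusters that use the NAP feature" and linking to start-stop-cluster.md and start-stop-nodepools.md so the limitation can be found from either side.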

articles/aks/start-stop-cluster.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,7 @@ This article assumes you have an existing AKS cluster. If you need an AKS cluste
2121
When using the cluster stop/start feature, the following conditions apply:
2222

2323
- This feature is only supported for Virtual Machine Scale Set backed clusters.
24+
- You can't stop clusters which use the [Node Autoprovisioning (NAP)](node-autoprovision.md) feature.
2425
- The cluster state of a stopped AKS cluster is preserved for up to 12 months. If your cluster is stopped for more than 12 months, you can't recover the state. For more information, see the [AKS support policies](support-policies.md).
2526
- You can only perform start or delete operations on a stopped AKS cluster. To perform other operations, like scaling or upgrading, you need to start your cluster first.
2627
- If you provisioned PrivateEndpoints linked to private clusters, they need to be deleted and recreated again when starting a stopped AKS cluster.

articles/aks/start-stop-nodepools.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,7 @@ You might not need to continuously run your AKS workloads. For example, you migh
1717
* Spot node pools are supported.
1818
* Stopped node pools can be upgraded.
1919
* The cluster and node pool must be running.
20+
* You can't stop node pools from clusters which use the [Node Autoprovisioning (NAP)](node-autoprovision.md) feature.
2021

2122
## Before you begin
2223
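Review bot: The new bullet at line 20 says "stop node pools from clusters which use"; "in clusters that use" reads more naturally. It also states the restriction without qualification, while the bullet added to node-autoprovision.md in this commit calls it "not currently possible". Suggest aligning the wording across the three articles so readers can tell whether this is a temporary limitation.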

articles/api-management/self-hosted-gateway-enable-azure-ad.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -57,7 +57,8 @@ When configuring the custom roles, update the [`AssignableScopes`](../role-based
5757
"Actions": [
5858
"Microsoft.Authorization/denyAssignments/read",
5959
"Microsoft.Authorization/roleAssignments/read",
60-
"Microsoft.Authorization/roleDefinitions/read"
60+
"Microsoft.Authorization/roleDefinitions/read",
61+
"Microsoft.Authorization/checkAccess/read"
6162
],
6263
"NotActions": [],
6364
"DataActions": [],

articles/azure-arc/system-center-virtual-machine-manager/overview.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
title: Overview of the Azure Connected System Center Virtual Machine Manager
33
description: This article provides a detailed overview of the Azure Arc-enabled System Center Virtual Machine Manager.
4-
ms.date: 02/23/2024
4+
ms.date: 02/26/2024
55
ms.topic: conceptual
66
ms.services: azure-arc
77
ms.subservice: azure-arc-scvmm
@@ -93,7 +93,8 @@ In addition, SCVMM requires the following exception:
9393

9494
| **Service** | **Port** | **URL** | **Direction** | **Notes**|
9595
| --- | --- | --- | --- | --- |
96-
| SCVMM management Server | 443 | URL of the SCVMM management server | Appliance VM IP and control plane endpoint need outbound connection. | Used by the SCVMM server to communicate with the Appliance VM and the control plane. |
96+
| SCVMM Management Server | 443 | URL of the SCVMM management server. | Appliance VM IP and control plane endpoint need outbound connection. | Used by the SCVMM server to communicate with the Appliance VM and the control plane. |
97+
| WinRM | WinRM Port numbers (Default: 5985 and 5986). | URL of the WinRM service. | IPs in the IP Pool used by the Appliance VM and control plane need connection with the VMM server. | Used by the SCVMM server to communicate with the Appliance VM. |
9798

9899
[!INCLUDE [network-requirement-principles](../includes/network-requirement-principles.md)]
99100
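Review bot: The new WinRM row at line 97 does not fit the table's columns and leaves the traffic direction unclear. The Port cell holds a phrase rather than port numbers (the row above has just `443`), the Direction cell says the IP pool addresses and control plane "need connection with the VMM server" without saying which side initiates, and the Notes cell reads as the reverse path ("Used by the SCVMM server to communicate with the Appliance VM"). Suggest `5985, 5986` in the Port cell, an explicit inbound or outbound statement relative to the VMM server, and a note on whether both the HTTP (5985) and HTTPS (5986) listeners are required, since someone writing firewall rules from this table needs all three.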

articles/azure-arc/system-center-virtual-machine-manager/quickstart-connect-system-center-virtual-machine-manager-to-arc.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ manager: jsuri
77
ms.topic: quickstart
88
ms.services: azure-arc
99
ms.subservice: azure-arc-scvmm
10-
ms.date: 2/23/2024
10+
ms.date: 2/26/2024
1111
ms.custom: references_regions
1212

1313
# Customer intent: As a VI admin, I want to connect my VMM management server to Azure Arc.
@@ -29,7 +29,7 @@ This Quickstart shows you how to connect your SCVMM management server to Azure A
2929
| **Requirement** | **Details** |
3030
| --- | --- |
3131
| **Azure** | An Azure subscription <br/><br/> A resource group in the above subscription where you have the *Owner/Contributor* role. |
32-
| **SCVMM** | You need an SCVMM management server running version 2019 or later.<br/><br/> A private cloud or a host group with a minimum free capacity of 32 GB of RAM, 4 vCPUs with 100 GB of free disk space. <br/><br/> A VM network with internet access, directly or through proxy. Appliance VM will be deployed using this VM network.<br/><br/> Only Static IP allocation is supported and VMM Static IP Pool is required. Follow [these steps](/system-center/vmm/network-pool?view=sc-vmm-2022&preserve-view=true) to create a VMM Static IP Pool and ensure that the Static IP Pool has at least four IP addresses. Dynamic IP allocation using DHCP isn't supported. <br/><br/> A library share with write permission for the SCVMM admin account through which Resource Bridge deployment is going to be performed. |
32+
| **SCVMM** | You need an SCVMM management server running version 2019 or later.<br/><br/> A private cloud or a host group with a minimum free capacity of 32 GB of RAM, 4 vCPUs with 100 GB of free disk space. <br/><br/> A VM network with internet access, directly or through proxy. Appliance VM will be deployed using this VM network.<br/><br/> Only Static IP allocation is supported and VMM Static IP Pool is required. Follow [these steps](/system-center/vmm/network-pool?view=sc-vmm-2022&preserve-view=true) to create a VMM Static IP Pool and ensure that the Static IP Pool has at least four IP addresses. If your SCVMM server is behind a firewall, all IPs in this IP Pool and the Control Plane IP should be allowed to communicate through WinRM ports. The default WinRM ports are 5985 and 5986. <br/><br/> Dynamic IP allocation using DHCP isn't supported. <br/><br/> A library share with write permission for the SCVMM admin account through which Resource Bridge deployment is going to be performed. |
3333
| **SCVMM accounts** | An SCVMM admin account that can perform all administrative actions on all objects that VMM manages. <br/><br/> The user should be part of local administrator account in the SCVMM server. If the SCVMM server is installed in a High Availability configuration, the user should be a part of the local administrator accounts in all the SCVMM cluster nodes. <br/><br/>This will be used for the ongoing operation of Azure Arc-enabled SCVMM and the deployment of the Arc Resource bridge VM. |
3434
| **Workstation** | The workstation will be used to run the helper script.<br/><br/> A Windows/Linux machine that can access both your SCVMM management server and internet, directly or through proxy.<br/><br/> The helper script can be run directly from the VMM server machine as well.<br/><br/> To avoid network latency issues, we recommend executing the helper script directly in the VMM server machine.<br/><br/> Note that when you execute the script from a Linux machine, the deployment takes a bit longer and you might experience performance issues. |
3535
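Review bot: The firewall sentence added to the SCVMM row at line 32 splits the static IP guidance: "Dynamic IP allocation using DHCP isn't supported" now sits in its own paragraph after the WinRM text instead of next to "Only Static IP allocation is supported". Suggest giving the WinRM requirement its own `<br/><br/>` paragraph after the DHCP sentence. "Should be allowed to communicate through WinRM ports" also does not say in which direction or on which host the ports must be open, and "Control Plane IP" is capitalized differently from "control plane endpoint" in the overview.md table changed in this same commit.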

articles/defender-for-cloud/configure-email-notifications.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -4,10 +4,10 @@ description: Learn how to fine-tune the Microsoft Defender for Cloud security al
44
ms.topic: quickstart
55
ms.author: dacurwin
66
author: dcurwin
7-
ms.date: 07/23/2023
7+
ms.date: 02/25/2024
88
ms.custom: mode-other
99
---
10-
# Quickstart: Configure email notifications for security alerts
10+
# Quickstart: configure email notifications for security alerts
1111

1212
Security alerts need to reach the right people in your organization. By default, Microsoft Defender for Cloud emails subscription owners whenever a high-severity alert is triggered for their subscription. This page explains how to customize these notifications.
1313

@@ -16,13 +16,13 @@ Use Defender for Cloud's **Email notifications** settings page to define prefere
1616
- ***who* should be notified** - Emails can be sent to select individuals or to anyone with a specified Azure role for a subscription.
1717
- ***what* they should be notified about** - Modify the severity levels for which Defender for Cloud should send out notifications.
1818

19-
To avoid alert fatigue, Defender for Cloud limits the volume of outgoing mails. For each subscription, Defender for Cloud sends:
19+
To avoid alert fatigue, Defender for Cloud limits the volume of outgoing emails. For each email address, Defender for Cloud sends:
2020

2121
- approximately **four emails per day** for **high-severity** alerts
2222
- approximately **two emails per day** for **medium-severity** alerts
2323
- approximately **one email per day** for **low-severity** alerts
2424

25-
:::image type="content" source="./media/configure-email-notifications/email-notification-settings.png" alt-text="Configuring the details of the contact who is to receive emails about security alerts." :::
25+
:::image type="content" source="./media/configure-email-notifications/email-notification-settings.png" alt-text="Configuring the details of the contact who is to receive emails about security alerts." lightbox="media/configure-email-notifications/email-notification-settings.png":::
2626

2727
## Availability
2828
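Review bot: Changing "For each subscription" to "For each email address" at line 19 changes what the limit is scoped to, but the text does not say how it applies to a recipient who receives alerts for several subscriptions. Suggest stating whether the four, two and one emails per day are counted per address across all subscriptions or per address per subscription. Separately, at line 25 the new `lightbox` path is written `media/...` while `source` on the same line uses `./media/...`; use the same form for both.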

articles/defender-for-cloud/defender-for-storage-introduction.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -102,7 +102,7 @@ Malware Scanning is charged on a per-gigabyte basis for scanned data. To ensure
102102
By default, the limit is set to 5,000 GB per month per storage account. Once this threshold is exceeded, scanning will cease for the remaining blobs, with a 20-GB confidence interval. For configuration details, refer to [configure Defender for Storage](../storage/common/azure-defender-storage-configure.md).
103103

104104
> [!IMPORTANT]
105-
> Malware scanning in Defender for Storage is not included for free in the first 30 day trial and will be charged from the first day in accordance with the pricing scheme available on the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
105+
> Malware scanning in Defender for Storage is not included for free in the first 30 day trial and will be charged from the first day in accordance with the pricing scheme available on the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/). Malware scanning will also incur additional charges for other Azure services - Azure Storage read operations, Azure Storage blob indexing and Azure Event Grid notifications.
106106
107107
### Enablement at scale with granular controls
108108
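Review bot: The sentence appended to the IMPORTANT note at line 105 introduces the extra charges with a spaced hyphen, and it does not say whether the monthly scanning cap described at line 102 also bounds them. Suggest a colon before the list ("other Azure services: Azure Storage read operations, ...") and a clause on whether these charges stop once the cap is reached, since the cap is presented here as the cost control. "30 day trial" in the same note could be hyphenated as "30-day trial" while the line is being edited.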

articles/defender-for-cloud/recommendations-reference-devops.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -118,7 +118,7 @@ DevOps recommendations don't affect your [secure score](secure-score-security-co
118118

119119
### [GitHub repositories should have dependency vulnerability scanning findings resolved](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsWithRulesBlade/assessmentKey/945f7b1c-8def-4ab3-a44d-1416060104b3/showSecurityCenterCommandBar~/false)
120120

121-
**Description**: GitHub repositories should have dependency vulnerability scanning findings resolved
121+
**Description**: GitHub repositories should have dependency vulnerability scanning findings resolved.
122122

123123
**Severity**: Medium
124124

@@ -192,7 +192,7 @@ DevOps recommendations don't affect your [secure score](secure-score-security-co
192192

193193
### [GitLab projects should have dependency vulnerability scanning findings resolved](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsWithRulesBlade/assessmentKey/1bc53aae-c92e-406b-9693-d46caf3934fa/showSecurityCenterCommandBar~/false)
194194

195-
**Description**: GitHub repositories should have dependency vulnerability scanning findings resolved
195+
**Description**: GitHub repositories should have dependency vulnerability scanning findings resolved.
196196

197197
**Severity**: Medium
198198
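Review bot: The description under the GitLab heading at line 195 still reads "GitHub repositories should have dependency vulnerability scanning findings resolved"; this change only adds the period, so the text copied from the GitHub entry at line 121 remains. Suggest "GitLab projects should have dependency vulnerability scanning findings resolved." to match the heading at line 193.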

@@ -213,7 +213,7 @@ DevOps recommendations don't affect your [secure score](secure-score-security-co
213213

214214
### [Code repositories should have secret scanning findings resolved](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsWithRulesBlade/assessmentKey/4e07c7d0-e06c-47d7-a4a9-8c7b748d1b27/showSecurityCenterCommandBar~/false)
215215

216-
**Description**: DevOps security in Defender for Cloud has found a secret in code repositories.  This should be remediated immediately to prevent a security breach.  Secrets found in repositories can be leaked or discovered by adversaries, leading to compromise of an application or service. For Azure DevOps, the Microsoft Security DevOps CredScan tool only scans builds on which it has been configured to run. Therefore, results may not reflect the complete status of secrets in your repositories.
216+
**Description**: DevOps security in Defender for Cloud has found a secret in code repositories. This should be remediated immediately to prevent a security breach. Secrets found in repositories can be leaked or discovered by adversaries, leading to compromise of an application or service. For Azure DevOps, the Microsoft Security DevOps CredScan tool only scans builds on which it has been configured to run. Therefore, results might not reflect the complete status of secrets in your repositories.
217217
(No related policy)
218218

219219
**Severity**: High
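Review bot: "(No related policy)" at line 217 follows the edited Description paragraph with no blank line between them, so Markdown will render it as the tail of that paragraph. Suggest adding a blank line after line 216 while this paragraph is being touched.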
