Commit f04d1e2

Merge pull request #292139 from MicrosoftDocs/main
12/18/2024 AM Publish
2 parents 260daeb + f97cb4b commit f04d1e2

35 files changed

+306
-187
lines changed

articles/app-service/overview-tls.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -79,7 +79,7 @@ For App Service Environments with `FrontEndSSLCipherSuiteOrder` cluster setting,
7979

8080
## End-to-end TLS Encryption
8181

82-
End-to-end (E2E) TLS encryption is available in Standard App Service plans and higher. Front-end intra-cluster traffic between App Service front-ends and the workers running application workloads can now be encrypted.
82+
End-to-end (E2E) TLS encryption is available in Premium App Service plans (and legacy Standard App Service plans). Front-end intra-cluster traffic between App Service front-ends and the workers running application workloads can now be encrypted.
8383

8484
## Next steps
8585
* [Secure a custom DNS name with a TLS/SSL binding](configure-ssl-bindings.md)
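
Review bot: On line 82, "Premium App Service plans (and legacy Standard App Service plans)" drops the earlier "and higher" without saying whether tiers above Premium are covered, and "legacy Standard" is not defined in the visible section. Suggest listing the supported tiers explicitly and saying what makes a Standard plan "legacy". The sentence that follows still says the traffic "can now be encrypted" without saying whether E2E encryption is on by default or has to be enabled, which is what a reader securing front-end-to-worker traffic needs to know.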

articles/application-gateway/configuration-infrastructure.md

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -78,6 +78,24 @@ Check your [Azure role-based access control](../role-based-access-control/role-a
7878

7979
You can use the built-in roles, such as [Network contributor](../role-based-access-control/built-in-roles.md#network-contributor), which already support these permissions. If a built-in role doesn't provide the right permission, you can [create and assign a custom role](../role-based-access-control/custom-roles-portal.md). Learn more about [managing subnet permissions](../virtual-network/virtual-network-manage-subnet.md#permissions).
8080

81+
## Permissions
82+
Depending on whether you're creating new resources or using existing ones, add the appropriate permissions from the following list:
83+
84+
|Resource | Resource status | Required Azure permissions |
85+
|---|---|---|
86+
| Subnet | Create new| Microsoft.Network/virtualNetworks/subnets/write<br>Microsoft.Network/virtualNetworks/subnets/join/action |
87+
| Subnet | Use existing| Microsoft.Network/virtualNetworks/subnets/read<br>Microsoft.Network/virtualNetworks/subnets/join/action |
88+
| IP addresses| Create new| Microsoft.Network/publicIPAddresses/write<br>Microsoft.Network/publicIPAddresses/join/action |
89+
| IP addresses | Use existing| Microsoft.Network/publicIPAddresses/read<br>Microsoft.Network/publicIPAddresses/join/action |
90+
| ApplicationGatewayWebApplicationFirewallPolicies | Create new / Update existing | Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/write Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/join/action |
91+
92+
For more information, see [Azure permissions for Networking](../role-based-access-control/permissions/networking.md) and [Virtual network permissions](../virtual-network/virtual-network-manage-subnet.md#permissions).
93+
## Roles scope
94+
In the process of custom role definition, you can specify a role assignment scope at four levels: management group, subscription, resource group, and resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.
95+
These scopes are structured in a parent-child relationship, with each level of hierarchy making the scope more specific. You can assign roles at any of these levels of scope, and the level you select determines how widely the role is applied.
96+
For example, a role assigned at the subscription level can cascade down to all resources within that subscription, while a role assigned at the resource group level will only apply to resources within that specific group. Learn more about scope level
97+
For more information, see [Scope levels](../role-based-access-control/scope-overview.md#scope-levels).
98+
8199
> [!NOTE]
82100
> You might have to allow sufficient time for [Azure Resource Manager cache refresh](../role-based-access-control/troubleshooting.md?tabs=bicep#symptom---role-assignment-changes-are-not-being-detected) after role assignment changes.
83101
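
Review bot: Line 96 ends with the fragment "Learn more about scope level", which has no link and no closing period, and line 97 then gives the same pointer properly; delete the fragment. In the table, the ApplicationGatewayWebApplicationFirewallPolicies row (line 90) separates its two permissions with a space where every other row uses `<br>`, so the two actions will render as one run-on string. The new "## Roles scope" heading also captures the existing cache-refresh NOTE at lines 99-100, which concerns role assignment changes in general; consider placing the new sections after that note. Since line 96 points out that a subscription-level assignment cascades to every resource in the subscription, it would help to say which scope is sufficient for the subnet and public IP permissions in the table.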
@@ -221,3 +239,5 @@ Any scenario where 0.0.0.0/0 needs to be redirected through a virtual appliance,
221239

222240
- [Learn about frontend IP address configuration](configuration-frontend-ip.md)
223241
- [Learn about private Application Gateway deployment](application-gateway-private-deployment.md)
242+
- [What is Azure Role Based Access](../role-based-access-control/overview.md)
243+
- [Azure Role Based Access Control](../role-based-access-control/role-assignments-list-portal.yml)
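
Review bot: The two link labels added on lines 242-243 do not match their targets or the surrounding style: "What is Azure Role Based Access" is missing "Control", and "Azure Role Based Access Control" points at role-assignments-list-portal.yml, which by its file name is the page for listing role assignments in the portal. Suggest labels that say what each page covers, spelled "role-based", and phrased like the neighbouring "Learn about ..." bullets.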

articles/azure-netapp-files/azure-netapp-files-network-topologies.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -111,7 +111,7 @@ Configuring UDRs on the source VM subnets with the address prefix of delegated s
111111
> To access an Azure NetApp Files volume from an on-premises network via a VNet gateway (ExpressRoute or VPN) and firewall, configure the route table assigned to the VNet gateway to include the `/32` IPv4 address of the Azure NetApp Files volume listed and point to the firewall as the next hop. Using an aggregate address space that includes the Azure NetApp Files volume IP address will not forward the Azure NetApp Files traffic to the firewall.
112112
113113
>[!NOTE]
114-
> If you want to configure a route table (UDR route) to control the routing of packets through a network virtual alliance or firewall destined to an Azure NetApp Files standard volume from a source in the same VNet or a peered VNet, the UDR prefix must be more specific or equal to the delegated subnet size of the Azure NetApp Files volume. If the UDR prefix is less specific than the delegated subnet size, it isn't be effective.
114+
> If you want to configure a route table (UDR route) to control the routing of packets through a network virtual appliance or firewall destined to an Azure NetApp Files standard volume from a source in the same VNet or a peered VNet, the UDR prefix must be more specific or equal to the delegated subnet size of the Azure NetApp Files volume. If the UDR prefix is less specific than the delegated subnet size, it isn't be effective.
115115
>
116116
> For example, if your delegated subnet is `x.x.x.x/24`, you must configured your UDR to `x.x.x.x/24` (equal) or `x.x.x.x/32` (more specific). If you configure the UDR route to be `x.x.x.x/16`, undefined behaviors such as asymmetric routing can cause a network drop at the firewall.
117117
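
Review bot: The changed line 114 fixes "alliance" to "appliance" but still ends with "it isn't be effective"; suggest "it isn't effective" in the same edit. The context line 116 has a similar slip, "you must configured your UDR", which could be corrected to "you must configure" while this note is being touched.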

articles/backup/backup-azure-diagnostic-events.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,9 @@ Azure Backup sends diagnostics events that can be collected and used for the pur
1717

1818
You can configure diagnostics settings for a Recovery Services vault via the Azure portal by going to the vault and selecting **Diagnostics settings**. Selecting **+ Add Diagnostic Setting** lets you send one or more diagnostic events to a storage account, an event hub, or a Log Analytics workspace.
1919

20+
> [!NOTE]
21+
> Recovery Services vaults can send diagnostic logs to a storage account located in the same region. They can also send these logs to a Log Analytics workspace that may be situated in either the same or a different region.
22+
2023
![Diagnostics settings pane](./media/backup-azure-diagnostics-events/diagnostics-settings-blade.png)
2124

2225
## Diagnostics events available for Azure Backup users
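
Review bot: The note added at lines 20-21 says vaults "can send diagnostic logs to a storage account located in the same region", which does not tell the reader whether a storage account in another region is rejected; if this is a requirement, say "must be in the same region". The paragraph on line 18 lists three destinations (storage account, event hub, Log Analytics workspace) but the note covers only two, so the region rule for event hubs is left open.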

articles/backup/blob-backup-support-matrix.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
title: Support matrix for Azure Blobs backup
33
description: Provides a summary of support settings and limitations when backing up Azure Blobs.
44
ms.topic: reference
5-
ms.date: 12/03/2024
5+
ms.date: 12/18/2024
66
ms.custom: references_regions, engagement-fy24
77
ms.service: azure-backup
88
author: AbhishekMallick-MS
@@ -67,9 +67,10 @@ Operational backup of blobs uses blob point-in-time restore, blob versioning, so
6767
- When you delete and recreate a storage account with the same name, **Object Replication** doesn't recognize the change. As a result, future Recovery Points continue to include the older blobs and their versions.
6868
- Similarly, if you delete and recreate a container with the same name, **Object Replication** doesn't track the change, and future Recovery Points still include the previous blobs and versions.
6969
- If you suspend and resume protection or delete the **Object Replication policy** on the **source storage account**, the policy triggers a full backup.
70-
70+
- Backup vaults with User-Assigned Managed Identity (UAMI) aren't compatible with Azure Blob Vaulted backups. Only System-Assigned Managed Identity (SAMI) works, because the vault needs to access the storage account where the blobs are stored. The vault uses its system-assigned managed identity for this access.
7171

7272
---
73+
7374
## Next steps
7475

7576
[Overview of Azure Blobs backup for Azure Blobs](blob-backup-overview.md)
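
Review bot: In the bullet added at line 70, the stated reason does not explain the restriction: "because the vault needs to access the storage account" would be equally true of a user-assigned identity. The final sentence carries the actual reason, so suggest merging the two, for example "The vault accesses the storage account by using its system-assigned managed identity, so UAMI isn't supported for this scenario." The bullet also lands at the end of a list whose other visible items (lines 67-69) all describe Object Replication behaviour; a separate list item group or a short lead-in would keep the identity limitation from being overlooked.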

articles/backup/manage-afs-backup.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
title: Manage Azure File share backups
33
description: This article describes common tasks for managing and monitoring the Azure File shares that are backed up by Azure Backup.
44
ms.topic: how-to
5-
ms.date: 09/11/2024
5+
ms.date: 12/18/2024
66
ms.service: azure-backup
77
author: AbhishekMallick-MS
88
ms.author: v-abhmallick
@@ -198,7 +198,7 @@ To delete backup data for the Azure File share:
198198

199199
## Unregister a storage account
200200

201-
To protect your file shares in a particular storage account by using a different Recovery Services vault, first [stop protection for all file shares](#stop-protection-on-a-file-share) in that storage account. Then unregister the account from the current Recovery Services vault used for protection.
201+
To protect your file shares in a particular storage account by using a different Recovery Services vault, first [stop protection for all file shares](#stop-protection-on-a-file-share) with the **Delete backup data** option in that storage account. Then unregister the account from the current Recovery Services vault used for protection.
202202

203203
The following procedure assumes that the protection was stopped for all file shares in the storage account you want to unregister.
204204
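
Review bot: On line 201 the phrase "with the **Delete backup data** option in that storage account" is attached in the wrong place, so it reads as if the option lives in the storage account; suggest "first stop protection with the **Delete backup data** option for all file shares in that storage account". The context sentence on line 203 still says only that "the protection was stopped", so it should also state that the backup data was deleted, and because the option deletes backup data the paragraph should say so before the reader reaches the procedure.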

articles/cdn/edgio-retirement-faq.md

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -42,8 +42,6 @@ Consider whether Akamai or another CDN provider might be compatible with your ne
4242

4343
If you find that Azure Front Door isn't suitable for your workload, we offer an alternative service called [Routing Preference Unmetered](../virtual-network/ip-services/routing-preference-unmetered.md), also known as "CDN Interconnect." This service might allow free data transfer for traffic egressing from your Azure resources to another CDN of your choice.
4444

45-
Additionally, you can choose to continue working directly with Edgio to minimize interruptions, keeping your origins on Azure while utilizing Edgio's services. For further information, contact Microsoft Support or reach out to [Edgio](https://edg.io/contact-us/).
46-
4745
### Does Microsoft validate my workloads work on Azure Front Door?
4846

4947
You need to determine if Azure Front Door suits your workloads. We recommend setting up a test environment to validate that your services are compatible with Azure Front Door.
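
Review bot: Removing lines 45-46 drops the pointer to "contact Microsoft Support" together with the Edgio option. If only the option of staying with Edgio is being withdrawn, keep a support pointer at the end of this answer so the section still tells readers where to go when neither Azure Front Door nor Routing Preference Unmetered fits their workload.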

articles/cost-management-billing/manage/cloud-subscription.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ A cloud subscription is a way to manage the products and services that you buy f
1717

1818
The term cloud subscription is synonymous with Azure subscription.
1919

20-
- **No cost for cloud subscriptions** - Cloud subscriptions themselves don't cost any money. They're used to organizing and managing the things you buy. While products like virtual machines or Enterprise Support managed within a cloud subscription might incur charges, the subscription itself doesn't.
20+
- **No cost for cloud subscriptions** - Cloud subscriptions themselves don't cost any money. They're used to organize and manage the things you buy. While products like virtual machines or Enterprise Support managed within a cloud subscription might incur charges, the subscription itself doesn't.
2121
- **Multiple subscriptions** - You can create multiple cloud subscriptions to delegate management to different users in your organization or to apply policies for security, budgeting, and compliance.
2222
- **Familiar management tools** - If you used Azure subscriptions before, you can manage cloud subscriptions similarly, with more manageability for a broader set of products and services.
2323

@@ -36,7 +36,7 @@ If you're signing in for the first time, search for **Subscriptions** in the sea
3636

3737
### Do I get charged for creating and using cloud subscriptions?
3838

39-
No, cloud subscriptions are created silently and are used to manage the things that you buy. They don't incur charges or cost money.
39+
No. Cloud subscriptions get created on the back end and are used to manage the things that you buy. They don't incur charges or cost money.
4040

4141
### How do I manage my cloud subscriptions?
4242
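
Review bot: "get created on the back end" on line 39 is informal and tells the reader less than the word it replaces: it does not say what triggers the creation or where the new subscription then shows up. Suggest stating when a cloud subscription is created and where it appears, since line 21 of this file presents subscriptions as the place to apply policies for security, budgeting, and compliance.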

articles/cost-management-billing/manage/download-azure-invoice-daily-usage-date.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -87,7 +87,7 @@ You can opt out of getting your invoice by email by following the preceding step
8787

8888
### Get your Microsoft Customer Agreement invoices in email
8989

90-
If you have a Microsoft Customer Agreement, you can opt in to get your invoice in an email. All billing profile Owners, Contributors, Readers, and Invoice managers will get the invoice by email. Readers can't update the email invoice preference.
90+
If you have a Microsoft Customer Agreement, you can opt in to get your invoice in an email. All billing profile Owners, Contributors, Readers, and Invoice managers will get the invoice by email. Readers can't update the email invoice preference. Please note that if you have inherited a role from the Billing Account, you will not receive invoices. Access must be granted explicitly under the Billing profile.
9191

9292
1. Search for **Cost Management + Billing**.
9393
1. Select a billing profile.
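
Review bot: The sentences added on line 90 contradict the one before them: "All billing profile Owners, Contributors, Readers, and Invoice managers will get the invoice by email" is no longer accurate if users whose role is inherited from the billing account are excluded. Suggest qualifying the earlier sentence (for example, "...who have a role assigned directly on the billing profile") instead of appending an exception, dropping "Please note that", and matching the lowercase "billing profile" used earlier on the same line.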

articles/cost-management-billing/manage/understand-ea-roles.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -69,7 +69,7 @@ Use Cost Management in the [Azure portal](https://portal.azure.com) so you can m
6969

7070
Direct EA customers can complete all administrative tasks in the Azure portal. You can use the [Azure portal](https://portal.azure.com) to manage billing, costs, and Azure services.
7171

72-
User roles are associated with a user account. To validate user authenticity, each user must have a valid work, school, or Microsoft account. Ensure that each account is associated with an email address to actively monitor it. Enrollment notifications are sent to the email address.
72+
EA Billing roles can only be assigned to individual user accounts. Assigning these roles to Distribution Groups (DGs) and Security Groups (SGs) is not supported. To validate user authenticity, each user must have a valid work, school, or Microsoft account. Ensure that each account is associated with an email address to actively monitor it. Enrollment notifications are sent to the email address.
7373

7474
> [!NOTE]
7575
> The Account Owner role is often assigned to a service account that doesn't have an actively monitored email.
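
Review bot: The new first sentence on line 72 says EA billing roles "can only be assigned to individual user accounts", but the NOTE on lines 74-75 says the Account Owner role "is often assigned to a service account"; say whether a service account counts as an individual user account here. "Distribution Groups (DGs) and Security Groups (SGs)" introduces abbreviations that are not used again in the visible text and can be dropped, and "is not supported" should be "isn't supported" to match the contractions used elsewhere in this file.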
