Merge pull request #291526 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)

Author: rmca14

articles/cost-management-billing/reservations/exchange-and-refund-azure-reservations.md

@@ -39,6 +39,8 @@ Not all reservations are eligible for exchange. For example, you can't exchange
 - Synapse Analytics Pre-purchase plan
 - Red Hat plans
 - SUSE Linux plans
+- Microsoft Defender for Cloud Pre-Purchase Plan
+- Microsoft Sentinel Pre-Purchase Plan
 
 You can also refund reservations, but the sum total of all canceled reservation commitment in your billing scope (such as EA, Microsoft Customer Agreement, and Microsoft Partner Agreement) can't exceed USD 50,000 in a 12 month rolling window.
 
@@ -51,6 +53,8 @@ The following reservations aren't eligible for refunds:
 - Azure VMware solution by CloudSimple
 - Red Hat plans
 - SUSE Linux plans
+- Microsoft Defender for Cloud Pre-Purchase Plan
+- Microsoft Sentinel Pre-Purchase Plan
 
 ## Prerequisites
 

articles/firewall/media/premium-deploy-certificates-enterprise-ca/certificate-template-key-usage-extension.png

@@ -28,12 +28,28 @@ To use an Enterprise CA to generate a certificate to use with Azure Firewall Pre
 - an [Azure Key Vault](premium-certificates.md#azure-key-vault) 
 - a Managed Identity with Read permissions to **Certificates and Secrets** defined in the Key Vault Access Policy 
 
+## Create a new Subordinate Certificate Template
+
+1. Run `certtmpl.msc` to open the Certificate Template Console.
+2. Find the **Subordinate Certification Authority** template in the console.
+3. Right-click on the **Subordinate Certification Authority** template and select **Duplicate Template**.
+4. In the **Properties of New Template** window, go to the **Compatibility** tab and set the appropriate compatibility settings or leave them as default.
+5. Go to the **General** tab, set the **Template Display Name** (for example: `My Subordinate CA`), and adjust the validity period if necessary. Optionally, select the **Publish certificate in Active Directory** checkbox.
+6. In the **Settings** tab, ensure the required users and groups have read and `enroll` permissions.
+7. Navigate to the **Extensions** tab, select **Key Usage**, and select **Edit**.
+   - Ensure that the **Digital signature**, **Certificate signing**, and **CRL signing** checkboxes are selected.
+   - Select the **Make this extension critical** checkbox and select **OK**.
+   
+   :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/certificate-template-key-usage-extension.png" alt-text="Screenshot of certificate template key usage extensions.":::
+8. Select **OK** to save the new certificate template.
+9. Ensure the new template is enabled so it can be used to issue certificates.
+
 ## Request and export a certificate
 
 1. Access the web enrollment site on the Root CA, usually `https://<servername>/certsrv` and select **Request a Certificate**.
 1. Select **Advanced Certificate Request**.
 1. Select **Create and Submit a Request to this CA**.
-1. Fill out the form using the Subordinate Certification Authority template.
+1. Fill out the form using the Subordinate Certification Authority template created in the previous section.
    :::image type="content" source="media/premium-deploy-certificates-enterprise-ca/advanced-certificate-request.png" alt-text="Screenshot of advanced certificate request":::
 1. Submit the request and install the certificate.
 1. Assuming this request is made from a Windows Server using Internet Explorer, open **Internet Options**.

articles/firewall/premium-deploy-certificates-enterprise-ca.md

@@ -1109,6 +1109,10 @@ Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $tenantId
 
 New-AzSynapseRoleAssignment -WorkspaceName "<workspaceName>" -RoleDefinitionName "Synapse Administrator" -ObjectId "<app_id_to_add_as_admin>" [-Debug]
 ```
+> [!NOTE]
+> In this case, the synapse data studio UI will not display the role assignment added by the above method, so it is recommended to add the role assignment to both object ID and application ID at the same time so that it can be displayed on the UI as well.
+> 
+> New-AzSynapseRoleAssignment -WorkspaceName "\<workspaceName\>" -RoleDefinitionName "Synapse Administrator" -ObjectId "\<object_id_to_add_as_admin\>" [-Debug]
 
 **Validation**