Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr

Author: inward-eye

articles/active-directory/authentication/howto-authentication-temporary-access-pass.md

@@ -63,7 +63,7 @@ To configure the Temporary Access Pass authentication method policy:
    |---|---|---|---|
    | Minimum lifetime | 1 hour | 10 – 43,200 Minutes (30 days) | Minimum number of minutes that the Temporary Access Pass is valid. |
    | Maximum lifetime | 8 hours | 10 – 43,200 Minutes (30 days) | Maximum number of minutes that the Temporary Access Pass is valid. |
-   | Default lifetime | 1 hour | 10 – 43,200 Minutes (30 days) | Default values can be override by the individual passes, within the minimum and maximum lifetime configured by the policy. |
+   | Default lifetime | 1 hour | 10 – 43,200 Minutes (30 days) | Default values can be overridden by the individual passes, within the minimum and maximum lifetime configured by the policy. |
    | One-time use | False | True / False | When the policy is set to false, passes in the tenant can be used either once or more than once during its validity (maximum lifetime). By enforcing one-time use in the Temporary Access Pass policy, all passes created in the tenant will be created as one-time use. |
    | Length | 8 | 8-48 characters | Defines the length of the passcode. |
 

articles/active-directory/fundamentals/multi-tenant-user-management-introduction.md

@@ -58,7 +58,7 @@ These terms are used throughout this content:
 
 * **Home tenant**: The Azure AD tenant containing users requiring access to the resources in the resource tenant.
 
-* **User lifecycle management**: the process of provisioning, managing, and deprovisioning user access to resources.
+* **User lifecycle management**: The process of provisioning, managing, and deprovisioning user access to resources.
 
 * **Unified GAL**: Each user in each tenant can see users from each organization in their Global Address List (GAL).
 

articles/active-directory/governance/TOC.yml

@@ -250,7 +250,7 @@
   - name: Developer API reference Lifecycle Workflows- Azure Active Directory
     href: lifecycle-workflows-developer-reference.md
   - name: Set EmployeeLeaveDateTime for leaver workflows
-    href: /graph/tutorial-lifecycle-workflows-set-employeeleavedatetime    
+    href: /graph/tutorial-lifecycle-workflows-set-employeeleavedatetime?toc=/azure/active-directory/governance/toc.json&bc=/azure/active-directory/governance/breadcrumb/toc.json
   - name: Preparing user accounts for Lifecycle workflows tutorials (Preview)
     href: tutorial-prepare-azure-ad-user-accounts.md 
   - name: Configure a Logic App for Lifecycle Workflow use (Preview)

articles/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy.md

@@ -36,7 +36,7 @@ For more information on Azure AD multifactor authentication, see [What is Azure
 1. Browse to **Azure Active Directory** > **Security** > **Identity Protection** > **MFA registration policy**.
    1. Under **Assignments**
       1. **Users** - Choose **All users** or **Select individuals and groups** if limiting your rollout.
-         1. Optionally you can choose to exclude users from the policy.
+         1. Optionally you can choose to exclude users or groups from the policy.
 1. **Enforce Policy** - **On**
 1. **Save**
 

articles/active-directory/managed-identities-azure-resources/managed-identities-status.md

@@ -68,8 +68,8 @@ The following Azure services support managed identities for Azure resources:
 | Azure Service Fabric            | [Using Managed identities for Azure with Service Fabric](../../service-fabric/concepts-managed-identity.md)                                                                                                        |
 | Azure SignalR Service           | [Managed identities for Azure SignalR Service](../../azure-signalr/howto-use-managed-identity.md)                                                                                                     |
 | Azure Spring Apps               | [Enable system-assigned managed identity for an application in Azure Spring Apps](../../spring-apps/how-to-enable-system-assigned-managed-identity.md) |
-| Azure SQL                       | [Azure SQL Transparent Data Encryption with customer-managed key](/azure/azure-sql/database/transparent-data-encryption-byok-overview)                                                                                     |
-| Azure SQL Managed Instance      | [Azure SQL Transparent Data Encryption with customer-managed key](/azure/azure-sql/database/transparent-data-encryption-byok-overview)                                                                                       |
+| Azure SQL                       | [Managed identities in Azure AD for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity)                                                                                     |
+| Azure SQL Managed Instance      | [Managed identities in Azure AD for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity)                                                                                       |
 | Azure Stack Edge                | [Manage Azure Stack Edge secrets using Azure Key Vault](../../databox-online/azure-stack-edge-gpu-activation-key-vault.md#recover-managed-identity-access)
 | Azure Static Web Apps           | [Securing authentication secrets in Azure Key Vault](../../static-web-apps/key-vault-secrets.md)
 | Azure Stream Analytics          | [Authenticate Stream Analytics to Azure Data Lake Storage Gen1 using managed identities](../../stream-analytics/stream-analytics-managed-identities-adls.md)                                                                                         |

articles/azure-monitor/containers/container-insights-prometheus-metrics-addon.md

@@ -136,7 +136,7 @@ The output will be similar to the following:
 
 - Register the `AKS-PrometheusAddonPreview` feature flag in the Azure Kubernetes clusters subscription with the following command in Azure CLI: `az feature register --namespace Microsoft.ContainerService --name AKS-PrometheusAddonPreview`.
 - The Azure Monitor workspace and Azure Managed Grafana workspace must already be created.
-- The template needs to be deployed in the same resource group as the cluster.
+- The template needs to be deployed in the Azure Managed Grafana workspaces resource group.
 
 ### Retrieve list of Grafana integrations
 If you're using an existing Azure Managed Grafana instance that already has been linked to an Azure Monitor workspace then you need the list of Grafana integrations. Open the **Overview** page for the Azure Managed Grafana instance and select the JSON view. Copy the value of the `azureMonitorWorkspaceIntegrations` field. If it doesn't exist, then the instance hasn't been linked with any Azure Monitor workspace.
@@ -157,7 +157,7 @@ If you're using an existing Azure Managed Grafana instance that already has been
 ```
 
 ### Retrieve System Assigned identity for Grafana resource
-If you're using an existing Azure Managed Grafana instance that already has been linked to an Azure Monitor workspace then you need the list of Grafana integrations. Open the **Overview** page for the Azure Managed Grafana instance and select the JSON view. Copy the value of the `principalId` field for the `SystemAssigned` identity.
+The system assigned identity for the Azure Managed Grafana resource is also required. To get to it, open the **Overview** page for the Azure Managed Grafana instance and select the JSON view. Copy the value of the `principalId` field for the `SystemAssigned` identity.
 
 ```json
 "identity": {
@@ -166,8 +166,7 @@ If you're using an existing Azure Managed Grafana instance that already has been
         "type": "SystemAssigned"
     },
 ```
-
-Assign the `Monitoring Data Reader` role to the Grafana System Assigned Identity. This is the principalId on the Azure Monitor Workspace resource. This will let the Azure Managed Grafana resource read data from the Azure Monitor Workspace and is a requirement for viewing the metrics.
+Please assign the `Monitoring Data Reader` on the Azure Monitor Workspace for the Grafana System Identity i.e. take the principal ID that you got from the Azure Managed Grafana Resource, open the Access Control Blade for the Azure Monitor Workspace and assign the `Monitoring Data Reader` Built-In role to the principal ID (System Assigned MSI for the Azure Managed Grafana resource). This will let the Azure Managed Grafana resource read data from the Azure Monitor Workspace and is a requirement for viewing the metrics.
 
 ### Download and edit template and parameter file
 
@@ -207,14 +206,15 @@ Assign the `Monitoring Data Reader` role to the Grafana System Assigned Identity
                 },
                 {
                     "azureMonitorWorkspaceResourceId": "full_resource_id_2"
-                }
+                },
                 {
-                "azureMonitorWorkspaceResourceId": "[parameters('azureMonitorWorkspaceResourceId')]"
+                    "azureMonitorWorkspaceResourceId": "[parameters('azureMonitorWorkspaceResourceId')]"
                 }
             ]
             }
         }
     ````
+    For e.g. In the above code snippet `full_resource_id_1` and `full_resource_id_2` were already present on the Azure Managed Grafana resource and we're manually adding them to the ARM template. The final `azureMonitorWorkspaceResourceId` already exists in the template and is being used to link to the Azure Monitor Workspace resource ID provided in the parameters file. Please note, You do not have to replace `full_resource_id_1` and `full_resource_id_2` and any other resource id's if no integrations are found in the retrieval step.
 
 
 ### Deploy template
@@ -268,7 +268,9 @@ ama-metrics-ksm-5fcf8dffcd      1         1         1       11h
 
 
 ## Uninstall metrics addon
-Currently, Azure CLI is the only option to remove the metrics addon and stop sending Prometheus metrics to Azure Monitor managed service for Prometheus. The following command removes the agent from the cluster nodes and deletes the recording rules created for the data being collected from the cluster, it doesn't remove the DCE, DCR, or the data already collected and stored in your Azure Monitor workspace.
+
+Currently, Azure CLI is the only option to remove the metrics addon and stop sending Prometheus metrics to Azure Monitor managed service for Prometheus.
+The aks-preview extension needs to be installed using the command `az extension add --name aks-preview`. For more information on how to install a CLI extension, see [Use and manage extensions with the Azure CLI](/azure/azure-cli-extensions-overview). The following command removes the agent from the cluster nodes and deletes the recording rules created for the data being collected from the cluster, it doesn't remove the DCE, DCR, or the data already collected and stored in your Azure Monitor workspace.
 
 ```azurecli
 az aks update --disable-azuremonitormetrics -n <cluster-name> -g <cluster-resource-group>

articles/azure-vmware/deploy-disaster-recovery-using-jetstream.md

@@ -194,7 +194,7 @@ Azure VMware Solution supports the installation of JetStream using either static
    | **Datastore**  | Name of the datastore where you'll deploy the JetStream MSA.  |
    | **VMName** | Name of JetStream MSA VM, for example, **jetstreamServer**. |
    | **Cluster** | Name of the Azure VMware Solution private cluster where the JetStream MSA is deployed, for example, **Cluster-1**. |
-   | **Netmask** | Netmask of the MSA to be deployed, for example, **22** or **24**. |
+   | **Netmask** | Netmask of the MSA to be deployed, for example, **255.255.255.0**. |
    | **MSIp** | IP address of the JetStream MSA VM.   |
    | **Dns** | DNS IP that the JetStream MSA VM should use.   |
    | **Gateway** | IP address of the network gateway for the JetStream MSA VM.  |

articles/backup/blob-backup-support-matrix.md

@@ -22,7 +22,7 @@ Operational backup of blobs uses blob point-in-time restore, blob versioning, so
 
 **Other limitations:**
 
-- If you've deleted a container during the retention period, that container won't be restored with the point-in-time restore operation. If you attempt to restore a range of blobs that includes blobs in a deleted container, the point-in-time restore operation will fail. For more information about protecting containers from deletion, see [Soft delete for containers (preview)](../storage/blobs/soft-delete-container-overview.md).
+- If you've deleted a container during the retention period, that container won't be restored with the point-in-time restore operation. If you attempt to restore a range of blobs that includes blobs in a deleted container, the point-in-time restore operation will fail. For more information about protecting containers from deletion, see [Soft delete for containers](../storage/blobs/soft-delete-container-overview.md).
 - If a blob has moved between the hot and cool tiers in the period between the present moment and the restore point, the blob is restored to its previous tier. Restoring block blobs in the archive tier isn't supported. For example, if a blob in the hot tier was moved to the archive tier two days ago, and a restore operation restores to a point three days ago, the blob isn't restored to the hot tier. To restore an archived blob, first move it out of the archive tier. For more information, see [Rehydrate blob data from the archive tier](../storage/blobs/archive-rehydrate-overview.md).
 - A block that has been uploaded via [Put Block](/rest/api/storageservices/put-block) or [Put Block from URL](/rest/api/storageservices/put-block-from-url), but not committed via [Put Block List](/rest/api/storageservices/put-block-list), isn't part of a blob and so isn't restored as part of a restore operation.
 - A blob with an active lease can't be restored. If a blob with an active lease is included in the range of blobs to restore, the restore operation will fail automatically. Break any active leases before starting the restore operation.
@@ -31,4 +31,4 @@ Operational backup of blobs uses blob point-in-time restore, blob versioning, so
 
 ## Next steps
 
-[Overview of operational backup for Azure Blobs](blob-backup-overview.md)
+[Overview of operational backup for Azure Blobs](blob-backup-overview.md)

articles/chaos-studio/chaos-studio-permissions-security.md

@@ -55,8 +55,8 @@ All user interactions with Chaos Studio happen through Azure Resource Manager. I
 Azure Chaos Studio doesn't support Private Link for agent-based scenarios.
 
 ## Service tags 
-A service tag is a group of IP address prefixes that can be assigned to in-bound and out-bound NSG rules. It handles updates to the group of IP address prefixes  without any intervention. This benefits you because you can use service tags to explicitly allow in-bound traffic from Chaos Studio, without needing to know the IP addresses of the platform. Currently service tags can be enabled via PowerShell.
-* Limitation of service tags is that they can only be used with resources that have a public IP address. If a resource only has a private IP address, then service tags will not be able to allow traffic to route to it. 
+A [service tags](../virtual-network/service-tags-overview.md) is a group of IP address prefixes that can be assigned to in-bound and out-bound NSG rules. It automatically handles updates to the group of IP address prefixes without any intervention. This benefits you because you can use service tags to explicitly allow in-bound traffic from Chaos Studio without needing to know the IP addresses of the platform. Currently service tags can be enabled via PowerShell and support will soon be added to the Chaos Studio user interface.
+* Limitation of service tags is that they can only be used with applications that have a public IP address. If a resource only has a private IP address, then service tags will not be able to allow traffic to route to it. 
 
 ## Data encryption
 

articles/cognitive-services/personalizer/includes/quickstart-sdk-csharp.md

@@ -534,7 +534,7 @@ Run the application with the dotnet `run` command from your application director
 dotnet run
 ```
 
-## Generate sample events for analysis
+## Generate sample events for analysis (Optional)
 
 You can easily generate 5,000 events from this quickstart demo scenario, which is sufficient to get experience with using Apprentice mode, Online mode, running offline evaluations, and creating feature evaluations. Simply replace the `Main()` method of the above code in the `Run a Rank and Reward cycle` section with: