MicrosoftDocs
diff --git a/‎.openpublishing.redirection.aks.json
Lines changed: 5 additions & 0 deletions b/‎.openpublishing.redirection.aks.json
Lines changed: 5 additions & 0 deletions
diff --git a/‎.openpublishing.redirection.json
Lines changed: 16 additions & 1 deletion b/‎.openpublishing.redirection.json
Lines changed: 16 additions & 1 deletion
diff --git a/‎AKS-Hybrid/TOC.yml
Lines changed: 48 additions & 20 deletions b/‎AKS-Hybrid/TOC.yml
Lines changed: 48 additions & 20 deletions
diff --git a/‎AKS-Hybrid/ad-sso.md
Lines changed: 10 additions & 10 deletions b/‎AKS-Hybrid/ad-sso.md
Lines changed: 10 additions & 10 deletions
diff --git a/‎AKS-Hybrid/adapt-apps-mixed-os-clusters.md
Lines changed: 8 additions & 8 deletions b/‎AKS-Hybrid/adapt-apps-mixed-os-clusters.md
Lines changed: 8 additions & 8 deletions
@@ -1375,6 +1375,11 @@
         "redirect_url": "/azure/aks/hybrid/deploy-load-balancer-cli",
         "redirect_document_id": false
       },
+      {
+        "source_path": "AKS-Hybrid/offline-download.md",
+        "redirect_url": "/azure/aks/hybrid/aks-whats-new-23h2",
+        "redirect_document_id": false
+      },      
       {
         "source_path": "AKS-Hybrid/kubernetes-rbac-azure-ad.md",
         "redirect_url": "/azure/aks/hybrid/kubernetes-rbac-entra-id",
 
@@ -1317,7 +1317,7 @@
     },
     {
       "source_path": "azure-stack/hci/manage/partition-gpu.md",
-      "redirect_url": "/windows-server/virtualization/hyper-v/gpu-partitioning?pivots=azure-stack-hci",
+      "redirect_url": "/windows-server/virtualization/hyper-v/gpu-partitioning?pivots=azure-stack-hci&toc=/azure-stack/hci/toc.json&bc=/azure-stack/breadcrumb/toc.json",
       "redirect_document_id": false
     },
     {
@@ -1329,6 +1329,21 @@
       "source_path": "azure-stack/user/container-registry-get-resource-id.md",
       "redirect_url": "/azure-stack/user/container-registry-troubleshoot#find-your-registry-resource-id-for-support",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-stack/hci/manage/use-gpu-with-clustered-vm.md",
+      "redirect_url": "/windows-server/virtualization/hyper-v/deploy/use-gpu-with-clustered-vm?pivots=azure-stack-hci&toc=/azure-stack/hci/toc.json&bc=/azure-stack/breadcrumb/toc.json",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-stack/user/vm-update-management.md",
+      "redirect_url": "/azure/azure-monitor/agents/agents-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-stack/hci/manage/processor-compatibility-mode.md",
+      "redirect_url": "/windows-server/virtualization/hyper-v/manage/dynamic-processor-compatibility-mode?pivots=azure-stack-hci",
+      "redirect_document_id": false
     }
   ]
 }
@@ -24,6 +24,8 @@
         href: aks-hci-network-system-requirements.md
       - name: Load balancer
         href: load-balancer-overview.md      
+    - name: Access and identity
+      href: concepts-security-access-identity.md
     - name: Supported scale requirements
       href: scale-requirements.md
     - name: Azure Hybrid Benefit
@@ -45,7 +47,11 @@
       - name: Azure CLI
         href: aks-create-clusters-cli.md
       - name: Azure portal
-        href: aks-create-clusters-portal.md      
+        href: aks-create-clusters-portal.md
+      - name: Bicep
+        href: create-clusters-bicep.md   
+      - name: Deploy to Azure using a quickstart template
+        href: /samples/azure/azure-quickstart-templates/aks-on-ashci
       - name: Azure Resource Manager template
         href: resource-manager-quickstart.md
     - name: Networking
@@ -60,18 +66,18 @@
           href: deploy-load-balancer-portal.md
         # - name: Troubleshoot issues
         #   href: load-balancer-troubleshoot.md
-    - name: Security and authentication
+    - name: Authentication and authorization
       items:
-      - name: Access and identity options
-        href: concepts-security-access-identity.md
+      - name: Enable Microsoft Entra ID authentication for Kubernetes clusters
+        href: enable-authentication-microsoft-entra-id.md
+      - name: Use Azure RBAC for Kubernetes authorization
+        href: azure-rbac-23h2.md
+      - name: Use Kubernetes RBAC with Microsoft Entra ID
+        href: kubernetes-rbac-23h2.md
       - name: Retrieve certificate-based admin kubeconfig
         href: retrieve-admin-kubeconfig.md
       - name: Restrict SSH access
         href: restrict-ssh-access.md
-      - name: Use Kubernetes RBAC with Microsoft Entra ID
-        href: kubernetes-rbac-23h2.md
-      - name: Use Azure RBAC for Kubernetes authorization
-        href: azure-rbac-23h2.md
     - name: Storage
       items:
       - name: CSI storage drivers
@@ -86,17 +92,19 @@
         href: manage-node-pools.md
       - name: Use GPUs
         href: deploy-gpu-node-pool.md
-      - name: Use labels in a Kubernetes cluster
+    - name: Cluster management
+      items:
+      - name: Labels
         href: cluster-labels.md
-    - name: Download Kubernetes VHDs manually
-      href: offline-download.md
+      - name: Taints
+        href: aks-arc-use-node-taints.md
     - name: Scale a Kubernetes cluster
       href: auto-scale-aks-arc.md
     - name: Upgrade Kubernetes clusters
       href: cluster-upgrade.md
     - name: Create Windows Server containers
       href: aks-create-containers.md
-    - name: Deploy container images using Azure Container Registry
+    - name: Integrate Azure Container Registry with a Kubernetes cluster
       href: deploy-container-registry.md
     - name: Monitoring and logging
       items:    
@@ -120,24 +128,22 @@
       href: aks-known-issues.md
     - name: Troubleshoot
       href: aks-troubleshoot.md
+    - name: Use diagnostic checker
+      href: aks-arc-diagnostic-checker.md
+    - name: KubeAPIServer unreachable error
+      href: kube-api-server-unreachable.md
   - name: Reference
     items:
     - name: Azure CLI
       href: /cli/azure/aksarc
     - name: REST API reference
       href: /rest/api/hybridcontainer/operation-groups
+  - name: Resources
+    items:
     - name: Azure Stack HCI
       href: /azure-stack/hci/index
     - name: Azure hybrid cloud
       href: /hybrid
-    - name: Release notes
-      href: https://aka.ms/AKS-hybrid-Releasenotes
-    - name: AKS Arc PowerShell
-      href: ./reference/ps/index.md
-    - name: Add-ons, extensions, and integrations
-      href: add-ons.md    
-  - name: Resources
-    items:
     - name: Azure Arc Jumpstart
       href: https://azurearcjumpstart.com/azure_arc_jumpstart/azure_arc_k8s/aks_stack_hci/
     - name: Azure roadmap
@@ -184,6 +190,8 @@
       href: aks-edge-howto-access-tpm.md
     - name: Additional configuration
       href: aks-edge-howto-more-configs.md
+    - name: Use GPU acceleration
+      href: aks-edge-gpu.md
     - name: Update AKS Edge Essentials
       items:
       - name: Update online
@@ -262,6 +270,20 @@
       href: aks-vmware-known-issues.md
     - name: Troubleshooting guide
       href: aks-vmware-troubleshooting-guide.md
+  - name: Reference
+    items:
+    - name: aksarc CLI version 1.0.0b1
+      items:
+      - name: Commands
+        href: aksarc.yml
+      - name: logs
+        href: logs.yml
+      - name: nodepool
+        href: nodepool.yml
+      - name: vmsize
+        href: vmsize.yml
+      - name: vnet
+        href: vnet.yml
 - name: AKS on Windows Server
   items:
   - name: Overview
@@ -535,6 +557,12 @@
       href: help-support.md
     - name: File bugs
       href: https://aka.ms/AKS-hybrid-issues
+    - name: Release notes
+      href: https://aka.ms/AKS-hybrid-Releasenotes
+    - name: AKS Arc PowerShell
+      href: ./reference/ps/index.md
+    - name: Add-ons, extensions, and integrations
+      href: add-ons.md    
   - name: Architecture
     items:
     - name: Baseline architecture for AKS
 
@@ -3,7 +3,7 @@ title: Use Active Directory single sign-on for secure connection to Kubernetes A
 description: Use Active Directory Authentication to securely connect to the API server with SSO credentials
 author: sethmanheim
 ms.topic: how-to
-ms.date: 02/15/2024
+ms.date: 06/24/2024
 ms.author: sethm 
 ms.lastreviewed: 1/14/2022
 ms.reviewer: sulahiri
@@ -21,7 +21,7 @@ You can create a secure connection to your Kubernetes API server in AKS enabled
 
 ## Overview of AD in AKS enabled by Arc
 
-Without Active Directory authentication, users must rely on a certificate-based _kubeconfig_ file when connecting to the API server via the `kubectl` command. The kubeconfig file contains secrets such as private keys and certificates that need to be carefully distributed, which can be a significant security risk.
+Without Active Directory authentication, you must rely on a certificate-based _kubeconfig_ file when you connect to the API server via the `kubectl` command. The **kubeconfig** file contains secrets such as private keys and certificates that need to be carefully distributed, which can be a significant security risk.
 
 As an alternative to using certificate-based kubeconfig, you can use AD SSO credentials as a secure way to connect to the API server. AD integration with AKS Arc lets users on a Windows domain-joined machine connect to the API server via `kubectl` using their SSO credentials. This removes the need to manage and distribute certificate-based kubeconfig files that contain private keys.
 
@@ -32,7 +32,7 @@ Another security benefit with AD integration is that the users and groups are st
 > [!NOTE]
 > Currently, AD SSO connectivity is only supported for workload clusters.
 
-This article guides you through the following steps to set up Active Directory as the identity provider and to enable SSO via `kubectl`:
+This article guides you through the steps to set up Active Directory as the identity provider and to enable SSO via `kubectl`:
 
 - Create the AD account for the API server, and then create the [keytab](https://web.mit.edu/kerberos/krb5-devel/doc/basic/keytab_def.html) file associated with the account. See [Create AD Auth using the keytab file](#create-ad-auth-using-the-keytab-file) to create the AD account and generate the keytab file.
 - Use the [keytab](https://web.mit.edu/kerberos/krb5-devel/doc/basic/keytab_def.html) file to install AD Auth on the Kubernetes cluster. As part of this step, a default role-based access control (RBAC) configuration is automatically created.
@@ -87,21 +87,21 @@ Install-AksHciAdAuth -name mynewcluster1 -keytab .\current.keytab -SPN k8s/apise
 
 If the cluster host isn't domain-joined, use the admin user name or group name in SID format, as shown in the following example.
 
-If using an admin user:
+Admin user:
 
 ```powershell
 Install-AksHciAdAuth -name mynewcluster1 -keytab .\current.keytab -SPN k8s/[email protected] -adminUserSID <User SID>
 ```  
 
-If using an admin group:
+Admin group:
 
 ```powershell
 Install-AksHciAdAuth -name mynewcluster1 -keytab .\current.keytab -SPN k8s/[email protected] -adminGroupSID <Group SID>
 ```
 
 To find the SID for the user account, see [Determine the user or group security identifier](#determine-the-user-or-group-security-identifier).
 
-Before proceeding to the next steps, make note of the following items:
+Before you proceed to the next steps, make note of the following items:
 
 - Make sure the keytab file is named **current.keytab**.
 - Replace the SPN that corresponds to your environment.
@@ -154,19 +154,19 @@ You should copy the following three files from the AKS workload cluster to your
 
 ### Step 6: Connect to the API server from the client machine
 
-After you've completed the previous steps, use your SSO credentials to sign in to your Windows domain-joined client machine. Open PowerShell, and then attempt to access the API server using `kubectl`. If the operation completes successfully, you have set up AD SSO correctly.
+After you complete the previous steps, use your SSO credentials to sign in to your Windows domain-joined client machine. Open PowerShell, and then attempt to access the API server using `kubectl`. If the operation completes successfully, you set up AD SSO correctly.
 
 ## Create and update the AD group role binding
 
-As mentioned in Step 2, a default role binding with cluster admin privileges is created for the user and/or the group that was provided during installation. Role binding in Kubernetes defines the access policies for AD groups. This step describes how to use RBAC to create new AD group role bindings in Kubernetes and to edit existing role bindings. For example, the cluster admin may want to grant additional privileges to users by using AD groups (which makes the process more efficient). For more information about RBAC, see [using RBAC authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).
+As mentioned in Step 2, a default role binding with cluster admin privileges is created for the user and/or the group that was provided during installation. Role binding in Kubernetes defines the access policies for AD groups. This step describes how to use RBAC to create new AD group role bindings in Kubernetes and to edit existing role bindings. For example, the cluster admin might want to grant additional privileges to users by using AD groups (which makes the process more efficient). For more information about RBAC, see [using RBAC authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).
 
 When you create or edit other AD group RBAC entries, the subject name should have the **microsoft:activedirectory:CONTOSO\group name** prefix. Note that the names must contain a domain name and a prefix that are enclosed by double quotes.
 
 Here are two examples:
 
 ### Example 1
 
-```yml
+```yaml
 apiVersion: rbac.authorization.k8s.io/v1 
 kind: ClusterRoleBinding 
 metadata: 
@@ -185,7 +185,7 @@ subjects:
 
 The following example shows how to create a custom role and role binding for a [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) with an AD group. In the example, `SREGroup` is a pre-existing group in the Contoso Active Directory. When users are added to the AD group, they're immediately granted privileges.
 
-```yml
+```yaml
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 
@@ -1,9 +1,9 @@
 ---
 title: Adapt applications for use in mixed-OS Kubernetes clusters
-description: How to use node selectors or taints and tolerations on Azure Kubernetes Service to ensure applications in mixed OS Kubernetes clusters running on AKS Arc are scheduled on the correct worker node operating system.
+description: Learn how to use node selectors or taints and tolerations on Azure Kubernetes Service to ensure applications in mixed OS Kubernetes clusters running on AKS Arc are scheduled on the correct worker node operating system.
 author: sethmanheim
 ms.topic: how-to
-ms.date: 11/03/2022
+ms.date: 06/27/2024
 ms.author: sethm 
 ms.lastreviewed: 1/14/2022
 ms.reviewer: abha
@@ -16,29 +16,29 @@ ms.reviewer: abha
 
 [!INCLUDE [applies-to-azure stack-hci-and-windows-server-skus](includes/aks-hci-applies-to-skus/aks-hybrid-applies-to-azure-stack-hci-windows-server-sku.md)]
 
-AKS enabled by Azure Arc enables you to run Kubernetes clusters with both Linux and Windows nodes, but you must make small edits to your apps for use in these mixed-OS clusters. In this how-to guide, you learn how to ensure your application gets scheduled on the right host OS using either node selectors or taints and tolerations.
+AKS enabled by Arc enables you to run Kubernetes clusters with both Linux and Windows nodes, but you must make small edits to your apps for use in these mixed-OS clusters. This how-to guide describes how to ensure your application gets scheduled on the right host OS using either node selectors or taints and tolerations.
 
 This article assumes a basic understanding of Kubernetes concepts. For more information, see [Kubernetes core concepts for AKS enabled by Arc](kubernetes-concepts.md).
 
 ## Node selectors
 
 A *node selector* is a simple field in the pod specification YAML that constrains pods to only be scheduled onto healthy nodes matching the operating system. In your pod specification YAML, specify a `nodeSelector` value of Windows or Linux, as shown in the following examples:
 
-```yml
+```yaml
 kubernetes.io/os = Windows
 ```
 
 or,
 
-```yml
+```yaml
 kubernetes.io/os = Linux
 ```
 
-For more information about nodeSelectors, see [node selectors](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
+For more information about node selectors, see [node selectors](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
 
 ## Taints and tolerations
 
-**Taints** and **tolerations** work together to ensure that pods aren't scheduled on nodes unintentionally. A node can be "tainted" to reject pods that don't explicitly tolerate its taint through a "toleration" in the pod specification YAML.
+**Taints** and **tolerations** work together to ensure that pods aren't unintentionally scheduled on nodes. A node can be "tainted" to reject pods that don't explicitly tolerate its taint through a "toleration" in the pod specification YAML.
 
 Windows OS nodes in AKS Arc can be tainted when created with the [New-AksHciNodePool](./reference/ps/new-akshcinodepool.md) or the [New-AksHciCluster](./reference/ps/new-akshcicluster.md) commands. You can also use these commands to taint Linux OS nodes. The following example taints Windows nodes.
 
@@ -82,7 +82,7 @@ Taints       : {sku=Windows:NoSchedule}
 
 You can specify a toleration for a pod in the pod specification YAML. The following toleration "matches" the taint created by the `kubectl` taint line shown in the previous example. The result is that a pod with the toleration can schedule onto the tainted nodes.
 
-```yml
+```yaml
 tolerations:
 - key: node.kubernetes.io/os
   operator: Equal