Merge branch 'main' of https://github.com/MicrosoftDocs/azure-stack-docs-pr into amlfs-templates

Author: pauljewellmsft

AKS-Hybrid/ad-sso.md

@@ -3,7 +3,7 @@ title: Use Active Directory single sign-on for secure connection to Kubernetes A
 description: Use Active Directory Authentication to securely connect to the API server with SSO credentials
 author: sethmanheim
 ms.topic: how-to
-ms.date: 06/24/2024
+ms.date: 08/07/2024
 ms.author: sethm 
 ms.lastreviewed: 1/14/2022
 ms.reviewer: sulahiri
@@ -30,7 +30,10 @@ AD integration uses AD kubeconfig, which is distinct from the certificate-based
 Another security benefit with AD integration is that the users and groups are stored as [security identifiers (SIDs)](/troubleshoot/windows-server/identity/security-identifiers-in-windows). Unlike group names, SIDs are immutable and unique and therefore present no naming conflicts.
 
 > [!NOTE]
-> Currently, AD SSO connectivity is only supported for workload clusters.
+> AD SSO connectivity is only supported for workload clusters.
+
+> [!NOTE]
+> The use of nested AD groups (creating an AD group within another AD group) is unsupported.
 
 This article guides you through the steps to set up Active Directory as the identity provider and to enable SSO via `kubectl`:
 

AKS-Hybrid/aks-hci-network-system-requirements.md

@@ -26,7 +26,8 @@ In this conceptual article, the following key components are introduced. These c
 Kubernetes nodes are deployed as specialized virtual machines in AKS enabled by Arc. These VMs are allocated IP addresses to enable communication between Kubernetes nodes. AKS Arc uses Azure Stack HCI logical networks to provide IP addresses and networking for the underlying VMs of the Kubernetes clusters. For more information about logical networks, see [Logical networks for Azure Stack HCI](/azure-stack/hci/manage/create-logical-networks?tabs=azurecli). You must plan to reserve one IP address per AKS cluster node VM in your Azure Stack HCI environment.
 
 > [!NOTE]
-> Static IP is the only supported mode for assigning an IP address to AKS Arc VMs. This is because Kubernetes requires the IP address assigned to a Kubernetes node to be constant throughout the lifecycle of the Kubernetes cluster.
+> Static IP is the only supported mode for assigning an IP address to AKS Arc VMs. This is because Kubernetes requires the IP address assigned to a Kubernetes node to be constant throughout the lifecycle of the Kubernetes cluster. 
+> Software defined virtual networks and SDN related features are currently not supported on AKS on Azure Stack HCI 23H2. 
 
 The following parameters are required in order to use a logical network for AKS Arc cluster create operation:
 

AKS-Hybrid/deploy-load-balancer-cli.md

@@ -14,12 +14,12 @@ ms.lastreviewed: 04/02/2024
 
 [!INCLUDE [hci-applies-to-23h2](includes/hci-applies-to-23h2.md)]
 
-The main purpose of a load balancer is to distribute traffic across multiple nodes in a Kubernetes cluster. This can help prevent downtime and improve overall performance of applications. AKS enabled by Azure Arc supports creating [MetalLB](https://metallb.universe.tf/) load balancer instance on your Kubernetes cluster using the `Arc Networking` k8s-extension.
+The main purpose of a load balancer is to distribute traffic across multiple nodes in a Kubernetes cluster. This can help prevent downtime and improve overall performance of applications. AKS enabled by Azure Arc supports creating [MetalLB](https://metallb.universe.tf/) load balancer instance on your Kubernetes cluster using the `Arc Kubernetes Runtime` k8s-extension.
 
 ## Prerequisites
 
-- A Kubernetes cluster with at least one Linux node. You can create a Kubernetes cluster on Azure Stack HCI 23H2 using the [Azure CLI](aks-create-clusters-cli.md) or the [Azure portal](aks-create-clusters-portal.md).
-- Make sure you have enough IP addresses for the load balancer. Ensure that the IP addresses reserved for the load balancer do not conflict with the IP addresses in Arc VM logical networks and control plane IPs. For more information about IP address planning and networking in Kubernetes, see [Networking requirements for AKS on Azure Stack HCI 23H2](aks-hci-network-system-requirements.md).
+- An Azure Arc enabled Kubernetes cluster with at least one Linux node. You can create a Kubernetes cluster on Azure Stack HCI 23H2 using the [Azure CLI](aks-create-clusters-cli.md) or the [Azure portal](aks-create-clusters-portal.md). AKS on Azure Stack HCI 23H2 clusters are Arc enabled by default.
+- Make sure you have enough IP addresses for the load balancer. For AKS on Azure Stack HCI 23H2, ensure that the IP addresses reserved for the load balancer do not conflict with the IP addresses in Arc VM logical networks and control plane IPs. For more information about IP address planning and networking in Kubernetes, see [Networking requirements for AKS on Azure Stack HCI 23H2](aks-hci-network-system-requirements.md).
 - This how-to guide assumes you understand how Metal LB works. For more information, see the [overview for MetalLB in Arc Kubernetes clusters](load-balancer-overview.md).
 
 ## Install the Azure CLI extension
@@ -30,25 +30,71 @@ Run the following command to install the necessary Azure CLI extension:
 az extension add -n k8s-runtime --upgrade
 ```
 
-## Enable load balancer Arc extension
+## Enable MetalLB Arc extension
 
 Configure the following variables before proceeding:
 
 | Parameter                      | Description             | 
 | ----------------------------- | ------------------------ |
 | `$subId`    | Azure subscription ID of your Kubernetes cluster. |
-| `$rgName` | Azure resource group for your Kubernetes cluster. |
-| `$clusterName` | The name of your AKS Arc cluster. |
+| `$rgName` | Azure resource group of your Kubernetes cluster. |
+| `$clusterName` | The name of your Kubernetes cluster. |
 
-Use the [`az k8s-runtime load-balancer enable`](/cli/azure/k8s-runtime/load-balancer#az-k8s-runtime-load-balancer-enable) command to install the Arc extension and register the resource provider for your Kubernetes cluster. The `--resource-uri` parameter refers to the resource manager ID of your AKS Arc cluster.
+### Option 1: Enable MetalLB Arc extension using `az k8s-runtime load-balancer enable` command
+
+To enable the MetalLB Arc extension using the following command, you must have [Graph permission Application.Read.All](/graph/permissions-reference#applicationreadall). You can check if you have this permission by logging into your Azure subscription, and running the following command: 
+
+```azurecli
+`az ad sp list --filter "appId eq '087fca6e-4606-4d41-b3f6-5ebdf75b8b4c'" --output json`
+```
+If the command fails, contact your Azure tenant administrator to get `Application.Read.All` role.
+
+If you do have the permission, you can use the [`az k8s-runtime load-balancer enable`](/cli/azure/k8s-runtime/load-balancer#az-k8s-runtime-load-balancer-enable) command to install the Arc extension and register the resource provider for your Kubernetes cluster. The `--resource-uri` parameter refers to the resource manager ID of your Kubernetes cluster.
 
 ```azurecli
 az k8s-runtime load-balancer enable --resource-uri subscriptions/$subId/resourceGroups/$rgName/providers/Microsoft.Kubernetes/connectedClusters/$clusterName
 ```
 
+### Option 2: Enable MetalLB Arc Kubernetes extension using `az k8s-extension add` command
+
+If you don't have [Graph permission Application.Read.All](/graph/permissions-reference#applicationreadall), you can follow these steps:
+
+1. Register the `Microsoft.KubernetesRuntime RP` if you haven't already done so. Note that you only need to register once per Azure subscription. You can also register resource providers using the Azure portal. For more information about how to register resource providers and required permissions, see [how to register a resource provider](/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider).
+
+```azurecli
+az provider register -n Microsoft.KubernetesRuntime
+```
+
+You can check if the resource provider has been registered successfully by running the following command.
+
+```azurecli
+az provider show -n Microsoft.KubernetesRuntime -o table
+```
+
+Expected output:
+```output
+Namespace                    RegistrationPolicy    RegistrationState
+---------------------------  --------------------  -------------------
+Microsoft.KubernetesRuntime  RegistrationRequired  Registered
+```
+
+2. To install the MetalLB Arc extension, obtain the AppID of the MetalLB extension resource provider, and then run the extension create command. You must run the following commands once per Arc Kubernetes cluster.
+
+Obtain the Application ID of the Arc extension by running [az ad sp list](/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-list). In order to run the following command, you must be a `user` member of your Azure tenant. For more information about user and guest membership, see [default user permissions in Microsoft Entra ID](/entra/fundamentals/users-default-permissions).
+
+```azurecli
+$objID = az ad sp list --filter "appId eq '087fca6e-4606-4d41-b3f6-5ebdf75b8b4c'" --query "[].id" --output tsv
+```
+
+Once you have the $objID, you can install the MetalLB Arc extension on your Kubernetes cluster. To run the below command, you need to have [**Kubernetes extension contributor**](/azure/role-based-access-control/built-in-roles/containers#kubernetes-extension-contributor) role.
+
+```azurecli
+az k8s-extension create --cluster-name $clusterName -g $rgName --cluster-type connectedClusters --extension-type microsoft.arcnetworking --config k8sRuntimeFpaObjectId=$objID -n arcnetworking
+```
+
 ## Deploy MetalLB load balancer on your Kubernetes cluster
 
-You can now create a load balancer for your Kubernetes cluster remotely by running the [`az k8s-runtime load-balancer create`](/cli/azure/k8s-runtime/load-balancer#az-k8s-runtime-load-balancer-create) command. This command creates a custom resource of kind `IPAddressPool` in namespace `kube-system`.
+You can now create a load balancer for your Kubernetes cluster remotely by running the [`az k8s-runtime load-balancer create`](/cli/azure/k8s-runtime/load-balancer#az-k8s-runtime-load-balancer-create) command. This command creates a custom resource of type `IPAddressPool` in the namespace `kube-system`. 
 
 Configure the following variables before proceeding:
 
@@ -83,4 +129,4 @@ az k8s-runtime bgp-peer create --bgp-peer-name $peerName --resource-uri subscrip
 
 ## Next steps
 
--[Use GitOps Flux v2 Arc extension to deploy applications on your Kubernetes cluster](/azure/azure-arc/kubernetes/monitor-gitops-flux-2)
+- [Use GitOps Flux v2 Arc extension to deploy applications on your Kubernetes cluster](/azure/azure-arc/kubernetes/monitor-gitops-flux-2)

AKS-Hybrid/kubernetes-rbac-entra-id.md

@@ -32,6 +32,8 @@ Before you set up Kubernetes RBAC using Microsoft Entra ID, you need the followi
   - **Azure CLI and the connectedk8s extension**. Azure CLI is a set of commands used to create and manage Azure resources. To check whether you have the Azure CLI, open a command line tool, and type: `az -v`. Also, install the [connectedk8s extension](https://github.com/Azure/azure-cli-extensions/tree/main/src/connectedk8s) in order to open a channel to your Kubernetes cluster. For installation instructions, see [How to install Azure CLI](/cli/azure/install-azure-cli).
   - **Kubectl**. This Kubernetes command-line tool enables you to run commands targeting your Kubernetes clusters. To check whether you installed kubectl, open a command prompt and type: `kubectl version --client`. Make sure your kubectl client version is at least version v1.24.0. For installation instructions, see [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl).
   - **PowerShell and the AksHci PowerShell module**. PowerShell is a cross-platform task automation solution comprised of a command-line shell, a scripting language, and a configuration management framework. If you installed AKS Arc, you have access to the **AksHci** PowerShell module.
+  - To access the Kubernetes cluster from anywhere with a proxy mode using `az connectedk8s proxy` command, you need the **Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action**, which is included in the **Azure Arc-enabled Kubernetes Cluster User** role permission. Meanwhile, you need to verify that the agents and the machine performing the onboarding process meet the network requirements in [Azure Arc-enabled Kubernetes network requirements](/azure/azure-arc/kubernetes/network-requirements?tabs=azure-cloud#details).
+
 
 ## Optional first steps
 

azure-stack/hci/deploy/deployment-prep-active-directory.md

@@ -3,7 +3,7 @@ title: Prepare Active Directory for new Azure Stack HCI, version 23H2 deployment
 description: Learn how to prepare Active Directory before you deploy Azure Stack HCI, version 23H2.
 author: alkohli
 ms.topic: how-to
-ms.date: 06/13/2024
+ms.date: 08/05/2024
 ms.author: alkohli
 ms.reviewer: alkohli
 ms.subservice: azure-stack-hci
@@ -46,7 +46,7 @@ Before you begin, make sure you've done the following:
 
 ## Active Directory preparation module
 
-The *AsHciADArtifactsPreCreationTool.ps1* module is used to prepare Active Directory. Here are the required parameters associated with the cmdlet:
+The `New-HciAdObjectsPreCreation` cmdlet of the AsHciADArtifactsPreCreationTool PowerShell module is used to prepare Active Directory for Azure Stack HCI deployments. Here are the required parameters associated with the cmdlet:
 
 |Parameter|Description|
 |--|--|
@@ -60,14 +60,13 @@ The *AsHciADArtifactsPreCreationTool.ps1* module is used to prepare Active Direc
 |`-Deploy`|Select this scenario for a brand new deployment instead of an upgrade of an existing system.|-->
 
 > [!NOTE]
-> - The `-AsHciOUName` path doesn't support the following special characters anywhere within the path `- &,”,’,<,>`.
+> - The `-AsHciOUName` path doesn't support the following special characters anywhere within the path: `&,",',<,>`.
 > - Moving the computer objects to a different OU after the deployment is complete is also not supported.
 
 ## Prepare Active Directory
 
 When you prepare Active Directory, you create a dedicated Organizational Unit (OU) to place the Azure Stack HCI related objects such as deployment user.
 
-
 To create a dedicated OU, follow these steps:
 
 1. Sign in to a computer that is joined to your Active Directory domain.

azure-stack/hci/deploy/deployment-prerequisites.md

@@ -3,7 +3,7 @@ title: Prerequisites to deploy Azure Stack HCI, version 23H2
 description: Learn about the prerequisites to deploy Azure Stack HCI, version 23H2.
 author: alkohli
 ms.topic: conceptual
-ms.date: 05/02/2024
+ms.date: 08/05/2024
 ms.author: alkohli
 ms.reviewer: alkohli
 ms.subservice: azure-stack-hci
@@ -34,7 +34,7 @@ Use the following checklist to gather the required information ahead of the actu
 |Component|What is needed|
 |--|--|
 |Server names|Unique name for each server you wish to deploy.|
-|Active directory OU|A new organizational unit (OU) to store all the objects for the Azure Stack HCI deployment. The OU is created during the [Active Directory preparation](./deployment-prep-active-directory.md).<br>The OU must be specified as the distinguished name (DN). The OU path doesn't support the following special characters anywhere within the path `- &,”,’,<,>`. For more information, see the format of [Distinguished Names](/previous-versions/windows/desktop/ldap/distinguished-names).|
+|Active directory OU|A new organizational unit (OU) to store all the objects for the Azure Stack HCI deployment. The OU is created during the [Active Directory preparation](./deployment-prep-active-directory.md).<br>The OU must be specified as the distinguished name (DN). The OU path doesn't support the following special characters anywhere within the path: `&,",',<,>`. For more information, see the format of [Distinguished Names](/previous-versions/windows/desktop/ldap/distinguished-names).|
 |Active Directory Domain|Fully-qualified domain name (FQDN) for the Active Directory Domain Services prepared for deployment.|
 |Active Directory LCM User credential|A new username and password that is created with the appropriate  permissions for deployment. This account is the same as the user account used by the Azure Stack HCI deployment.<br>The password must conform to the Azure length and complexity requirements. Use a password that is at least 12 characters long. The password must contain the following: a lowercase character, an uppercase character, a numeral, and  a special character.<br> The name must be unique for each deployment and you can't use *admin* as the username.|
 |IPv4 network range subnet for management network intent|A subnet used for management network intent. You need an address range for management network with  a minimum of 6 available, contiguous IPs in this subnet. These IPs are used for infrastructure services with the first IP assigned to fail over clustering.<br> For more information, see the **Specify network settings** page in [Deploy via Azure portal](./deploy-via-portal.md#specify-network-settings).|

azure-stack/hci/manage/virtual-machine-image-centos.md

@@ -7,11 +7,14 @@ ms.topic: how-to
 ms.service: azure-stack
 ms.subservice: azure-stack-hci
 ms.custom: devx-track-azurecli, linux-related-content
-ms.date: 05/15/2024
+ms.date: 08/06/2024
 ---
 
 # Prepare a CentOS Linux image for Azure Stack HCI virtual machines (preview)
 
+> [!CAUTION]
+> This article references CentOS, a Linux distribution that's reached end-of-life (EOL). Consider your use of CentOS and plan accordingly. For more information, see [CentOS end-of-life guidance](/azure/virtual-machines/workloads/centos/centos-end-of-life).
+
 [!INCLUDE [hci-applies-to-23h2](../../includes/hci-applies-to-23h2.md)]
 
 This article describes how to prepare a CentOS Linux image to create a virtual machine (VM) on your Azure Stack HCI cluster. You use the Azure CLI for the VM image creation.

azure-stack/hci/update/update-troubleshooting-23h2.md

@@ -98,13 +98,13 @@ We highly recommend using the Azure portal, to browse to your failed update and
 If you're using PowerShell and need to resume a previously failed update run, use the following command:
 
 ```powershell
-get-solutionupdate | start-solutionupdate
+Get-SolutionUpdate | Start-SolutionUpdate
 ```
 
 To resume a previously failed update due to update health checks in a **Warning** state, use the following command:
 
 ```powershell
-get-solutionUpdate | start-solutionUpdate -IgnoreWarnings
+Get-SolutionUpdate | Start-SolutionUpdate -IgnoreWarnings
 ```
 
 ## Next steps

azure-stack/hci/update/update-via-powershell-23h2.md

@@ -357,7 +357,7 @@ You can download the updates, perform a set of checks to verify your cluster's u
     - To download and install the update, run the following command:
 
         ```powershell
-        Get-SolutionUpdate | ? version -eq "10.2302.0.31"
+        Get-SolutionUpdate | ? version -eq "10.2302.0.31" | Start-SolutionUpdate
         ```
 
     - To only download the updates without starting the installation, use the `-PrepareOnly` flag with `Start-SolutionUpdate`.
@@ -469,13 +469,13 @@ After the updates are installed, verify the solution version of the environment
 To resume a previously failed update run via PowerShell, use the following command:
 
 ```powershell
-get-solutionupdate | start-solutionupdate
+Get-SolutionUpdate | Start-SolutionUpdate
 ```
 
 To resume a previously failed update due to update health checks in a **Warning** state, use the following command:
 
 ```powershell
-get-solutionUpdate | start-solutionUpdate -IgnoreWarnings
+Get-SolutionUpdate | Start-SolutionUpdate -IgnoreWarnings
 ```
 
 To troubleshoot other update run issues, see [Troubleshoot updates](./update-troubleshooting-23h2.md).

azure-stack/zone-pivot-groups.yml

@@ -74,7 +74,14 @@ groups:
     title: Version 23H2
   - id: aks-22h2
     title: Version 22H2
-
+- id: windows-os
+  title: Products
+  prompt: "Choose your product:"
+  pivots:
+  - id: windows-server
+    title: Windows Server
+  - id: azure-stack-hci
+    title: Azure Stack HCI
 # BELOW: entries inherited from github.com/microsoftdocs/azure-docs-pr/articles/zone-pivot-groups.yml for reuse.
 # For consistency across Docs. This includes: client OSes, languages, etc.