Merge pull request #6143 from MicrosoftDocs/main
1/7/2025 AM Publish
Taojunshen authored Jan 7, 2025
2 parents f6b9b84 + 7185437 commit 8a00f5c
Showing 4 changed files with 126 additions and 82 deletions.
87 changes: 65 additions & 22 deletions docs/get-started/whats-new.md
Expand Up @@ -14,6 +14,71 @@ We build the Microsoft Cloud Adoption Framework collaboratively with our custome

Partner with us in our ongoing effort to develop the Cloud Adoption Framework.

## December 2024

### New articles

- [Authorization for cloud-scale analytics in Azure](../scenarios/cloud-scale-analytics/secure-authorization.md): Find guidance on managing data access and role-based access control (RBAC) for cloud-scale analytics. Learn how to use Microsoft Entra ID for centralized identity management, implementing RBAC and Access Control Lists (ACLs) for data services, and best practices for securing Azure Databases, Azure Data Lake Storage, and Azure Databricks.

#### Azure HPC

This month we refactored the Azure high-performance computing (HPC) scenario to provide refreshed guidance on compute, identity and access management, network topology and connectivity, and storage for HPC workloads in Azure. Explore the new content to see how you can apply these recommendations in your organization:

- [Compute Large-Scale HPC Application Workloads in Azure Virtual Machines](../scenarios/azure-hpc/compute.md)
- [Identity and Access Management for Azure HPC](../scenarios/azure-hpc/identity-access-management.md)
- [Network Topology and Connectivity for Azure HPC](../scenarios/azure-hpc/network-topology-connectivity.md)
- [Storage for Azure HPC Workloads](../scenarios/azure-hpc/storage.md)
- [Azure HPC landing zone accelerator](../scenarios/azure-hpc/azure-hpc-landing-zone-accelerator.md)

### Updated articles

- [Enterprise-Scale Example Architectures for Connectivity to Azure VMware Solution](../scenarios/azure-vmware/example-architectures.md): We made changes to clarify various architectural considerations and requirements including traffic inspection requirements and recommended solution designs for different scenarios. We enhanced the description of key networking scenario points and added a new section on enabling Azure VMware Solution to on-premises traffic inspection with Azure Firewall.

We made security updates to the following Cloud Scale Analytics articles:

- [Common Data Model](../scenarios/cloud-scale-analytics/architectures/common-industry-data-models.md)
- [Network topology and connectivity for connecting to environments privately](../scenarios/cloud-scale-analytics/architectures/connect-to-environments-privately.md)
- [Cloud-scale analytics data applications (source-aligned)](../scenarios/cloud-scale-analytics/architectures/data-application-source-aligned.md)
- [Data contracts](../scenarios/cloud-scale-analytics/architectures/data-contracts.md)
- [Data domains](../scenarios/cloud-scale-analytics/architectures/data-domains.md)
- [Cloud-scale analytics data products in Azure](../scenarios/cloud-scale-analytics/architectures/data-landing-zone-data-products.md)
- [Data landing zones](../scenarios/cloud-scale-analytics/architectures/data-landing-zone.md)
- [Data management landing zone overview](../scenarios/cloud-scale-analytics/architectures/data-management-landing-zone.md)
- [Getting started checklist](../scenarios/cloud-scale-analytics/architectures/data-mesh-checklist.md)
- [Data marketplace](../scenarios/cloud-scale-analytics/architectures/data-mesh-data-marketplace.md)
- [Manage master data in data mesh](../scenarios/cloud-scale-analytics/architectures/data-mesh-master-data-management.md)
- [A financial institution scenario for data mesh](../scenarios/cloud-scale-analytics/architectures/data-mesh-scenario.md)
- [Data application reference patterns](../scenarios/cloud-scale-analytics/architectures/data-reference-patterns.md)
- [Operationalize data mesh for AI/ML domain driven feature engineering](../scenarios/cloud-scale-analytics/architectures/operationalize-data-mesh-for-ai-ml.md)
- [Adatum Corporation scenario for cloud-scale analytics in Azure](../scenarios/cloud-scale-analytics/architectures/reference-architecture-adatum.md)
- [Lamna Healthcare scenario for cloud-scale analytics in Azure](../scenarios/cloud-scale-analytics/architectures/reference-architecture-lamna.md)
- [Multiple data zones for cloud-scale analytics in Azure](../scenarios/cloud-scale-analytics/architectures/reference-architecture-multizone.md)
- [Scale cloud-scale analytics in Azure](../scenarios/cloud-scale-analytics/architectures/scale-architectures.md)
- [Data agnostic ingestion engine](../scenarios/cloud-scale-analytics/best-practices/automated-ingestion-pattern.md)
- [The ingest process with cloud-scale analytics in Azure](../scenarios/cloud-scale-analytics/best-practices/data-ingestion.md)
- [Business continuity and disaster recovery for cloud-scale analytics](../scenarios/cloud-scale-analytics/eslz-business-continuity-and-disaster-recovery.md)
- [Identity and access management for cloud-scale analytics](../scenarios/cloud-scale-analytics/eslz-identity-and-access-management.md)
- [Cross-region data landing zone connectivity](../scenarios/cloud-scale-analytics/eslz-network-considerations-cross-region.md)
- [Single-region data landing zone connectivity](../scenarios/cloud-scale-analytics/eslz-network-considerations-single-region.md)
- [Network topology and connectivity for cloud-scale analytics landing zones](../scenarios/cloud-scale-analytics/eslz-network-topology-and-connectivity.md)
- [Policies in cloud-scale analytics](../scenarios/cloud-scale-analytics/eslz-policies.md)
- [Security, governance, and compliance for enterprise-scale cloud-scale analytics](../scenarios/cloud-scale-analytics/eslz-security-governance-and-compliance.md)
- [Data governance processes](../scenarios/cloud-scale-analytics/govern-components.md)
- [Data quality](../scenarios/cloud-scale-analytics/govern-data-quality.md)
- [Data lifecycle management](../scenarios/cloud-scale-analytics/govern-lifecycle.md)
- [Data lineage](../scenarios/cloud-scale-analytics/govern-lineage.md)
- [Manage master data](../scenarios/cloud-scale-analytics/govern-master-data.md)
- [Metadata standards](../scenarios/cloud-scale-analytics/govern-metadata-standards.md)
- [Requirements for governing data](../scenarios/cloud-scale-analytics/govern-requirements.md)
- [Understand the roles and teams for cloud-scale analytics in Azure](../scenarios/cloud-scale-analytics/organize-roles-teams.md)
- [Understand teams and functions for cloud-scale analytics in Azure](../scenarios/cloud-scale-analytics/organize-team-functions.md)
- [Introduction to cloud-scale analytics](../scenarios/cloud-scale-analytics/overview-cloud-scale-analytics.md)
- [Develop a plan for cloud-scale analytics](../scenarios/cloud-scale-analytics/plan.md)
- [Review your environment for Azure landing zones for cloud-scale analytics](../scenarios/cloud-scale-analytics/ready.md)
- [Authentication for cloud-scale analytics in Azure](../scenarios/cloud-scale-analytics/secure-authentication.md)
- [Data privacy for cloud-scale analytics in Azure](../scenarios/cloud-scale-analytics/secure-data-privacy.md)
- [Integrate cloud-scale analytics into your cloud adoption strategy](../scenarios/cloud-scale-analytics/strategy.md)

## November 2024

### New articles
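Review bot: the line "We made security updates to the following Cloud Scale Analytics articles:" (after the Azure VMware Solution bullet) never says what the security update is, and the 40-odd links below it don't help a what's-new reader find the change; one sentence on what changed (which recommendation, design area or control) should precede the list, and the scenario name should match the rest of the page ("cloud-scale analytics", lower case). In the Authorization bullet, "Learn how to use Microsoft Entra ID for centralized identity management, implementing RBAC and Access Control Lists (ACLs) for data services, and best practices for securing ..." mixes verb forms; "Learn how to use Microsoft Entra ID for centralized identity management, implement RBAC and access control lists (ACLs) for data services, and apply best practices for securing Azure Databases, Azure Data Lake Storage, and Azure Databricks" reads cleanly.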
Expand Down Expand Up @@ -411,26 +476,4 @@ Find new articles about Azure landing zones in the Ready methodology.
- [Cloud adoption journey](../adopt/cloud-adoption.md): Learn about rearchitecting or rebuilding applications that can't be replaced by SaaS or low-code solutions.
- [Migration tools decision guide](../migrate/azure-migration-guide/migration-tools-decision-guide.md): Explore tools for application migration and modernization and tools for replatforming or rehosting.

## December 2023

### New articles

Find new guidance about Azure landing zones:

- [Manage application development environments in Azure landing zones](../ready/landing-zone/design-area/management-application-environments.md)
- [Modify an Azure landing zone architecture to meet requirements across multiple locations](../ready/landing-zone/landing-zone-multinational.md)
- [Incorporate Zero Trust practices in your landing zone](../ready/landing-zone/design-area/security-zero-trust.md)

### Updated articles

In the following articles, find updated guidance about workload discovery processes that help you understand the many dimensions involved in migrating a workload. You can use that information to help you effectively migrate cloud workloads to another region.

- [Evaluate a cloud workload for relocation](../relocate/evaluate.md)
- [Migrate a cloud workload to another region](../relocate/migrate.md)
- [How to initiate a cloud relocation project](../relocate/initiate.md)

In [Centralized security operations with external identities for multitenant defense organizations](../scenarios/defense/identity/multi-tenant/security-operations.md), we updated our guidance for centralized security operations.

In [Identity and access management for Azure Virtual Desktop](../scenarios/azure-virtual-desktop/eslz-identity-and-access-management.md), we added updates for Azure Virtual Desktop design considerations and supported identity scenarios.

<!-- docutune:ignoreNextStep -->
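Review bot: this hunk deletes the whole December 2023 section, including the entries for "Incorporate Zero Trust practices in your landing zone", "Centralized security operations with external identities for multitenant defense organizations" and "Identity and access management for Azure Virtual Desktop", and nothing in the commit message ("1/7/2025 AM Publish") says why. If the page keeps a rolling twelve-month window, removing December 2023 when December 2024 is added is expected; please confirm that is the intent rather than an accidental drop, and that only the what's-new entries go, not the linked articles.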
2 changes: 1 addition & 1 deletion docs/manage/azure-server-management/update-schedules.md
Expand Up @@ -12,7 +12,7 @@ ms.custom: internal

You can manage update schedules by using the Azure portal or the new PowerShell cmdlet modules.

To create an update schedule via the Azure portal, see [Schedule an update deployment](/azure/automation/update-management/deploy-updates#schedule-an-update-deployment).
To create an update schedule via the Azure portal, see [Schedule recurring updates on a single VM](/azure/update-manager/scheduled-patching#schedule-recurring-updates-on-a-single-vm).

The `Az.Automation` module now supports configuring Update Management by using Azure PowerShell. The [`New-AzAutomationUpdateManagementAzureQuery`](/powershell/module/az.automation/new-azautomationupdatemanagementazurequery) cmdlet allows you to use tags, location, and saved searches to configure update schedules for a flexible group of machines.

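Review bot: the portal link now points at Azure Update Manager (/azure/update-manager/scheduled-patching), but the text around it is unchanged: "You can manage update schedules by using the Azure portal or the new PowerShell cmdlet modules" and the next paragraph still describe configuring Update Management with the `Az.Automation` module and `New-AzAutomationUpdateManagementAzureQuery`. A reader now gets portal guidance for one service and PowerShell guidance for another. Either update the PowerShell paragraph to the Update Manager equivalent (scheduled patching is driven by maintenance configurations, not Automation schedules) or state explicitly that the `Az.Automation` cmdlets apply only to the Automation Update Management feature.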
11 changes: 8 additions & 3 deletions docs/ready/landing-zone/design-area/multi-tenant/automation.md
Expand Up @@ -3,7 +3,7 @@ title: Automate Azure landing zones across multiple tenants
description: Learn about the automation considerations and recommendations when handling multiple Microsoft Entra tenants alongside Azure landing zones.
author: jtracey93
ms.author: jatracey
ms.date: 11/28/2024
ms.date: 01/07/2025
ms.topic: conceptual
ms.custom: think-tank
---
Expand Down Expand Up @@ -49,7 +49,9 @@ In this approach, the primary objective is to keep each Microsoft Entra tenant i
In this approach, there are more components to manage that are duplicated per a Microsoft Entra tenant. Some organizations might have regulatory compliance controls enforced on them that mandates this type of segregation and isolation.

>[!NOTE]
> If your organization only allows the use of managed identities for platform automation, you must use this approach or an approach that logs into each tenant individually. Managed identities don't support cross-tenant scenarios. For more information, see [this FAQ](/azure/active-directory/managed-identities-azure-resources/managed-identities-faq#can-i-use-a-managed-identity-to-access-a-resource-in-a-different-directorytenant).
> If your organization only allows the use of managed identities for platform automation, you must use this approach or an approach that logs into each tenant individually. Managed identities don't support cross-tenant scenarios in a generally available state today. For more information, see [this FAQ](/azure/active-directory/managed-identities-azure-resources/managed-identities-faq#can-i-use-a-managed-identity-to-access-a-resource-in-a-different-directorytenant).
>
> However, this is now available in public preview for User-Assigned Managed Identites by configuring a trust between itself and an Entra ID multitenant application. See more information on configuring this in [Configure an application to trust a managed identity (preview)](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity). This may now make [Approach 2 – Shared application registration (multitenant) with multiple service principals](#approach-2--shared-application-registration-multitenant-with-multiple-service-principals) a viable option for your deployment.
#### Identities for platform administrators and developers - Approach 1

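Review bot: the second paragraph of the NOTE overstates what the preview changes, and needs a blank line after it before the "#### Identities for platform administrators and developers - Approach 1" heading. With the federation described in the linked article, the user-assigned managed identity is used as a federated credential of the multitenant application; its token is exchanged for a token of that application, so the pipeline still acts as the application's service principal in each target tenant, and everything the IMPORTANT note for Approach 2 says about monitoring that highly privileged app still applies. Suggest saying so in the NOTE instead of only "This may now make Approach 2 ... a viable option". Wording: "User-Assigned Managed Identites" should be "user-assigned managed identities", "Entra ID multitenant application" should be "Microsoft Entra multitenant application", and "in a generally available state today" should name the date or the preview status, since "today" in published guidance ages badly.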
Expand All @@ -69,7 +71,10 @@ In this approach, an application registration is created in the managing Microso
>[!IMPORTANT]
> In this approach, the single application registration and the associated enterprise applications (service principals) should be monitored for any abnormal activity in your security information and event management (SIEM) tooling because this is a highly privileged account. It should send alerts and potentially automatically take action, depending on the alert severity.
In the previous example, a single app registration is in the `contoso.onmicrosoft.com` Microsoft Entra tenant, and an enterprise application is in each of the Microsoft Entra tenants that's linked to the app registration. This setup allows a pipeline to authenticate and authorize to all the Microsoft Entra tenants by using the single app registration. For more information, see [Making your application multitenant](/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant).
In the previous example, a single app registration is in the `contoso.onmicrosoft.com` Microsoft Entra tenant, and an enterprise application is in each of the Microsoft Entra tenants that's linked to the app registration. This setup allows a pipeline to authenticate and authorize to all the Microsoft Entra tenants by using the single app registration. For more information, see [Making your application multitenant](/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant) and [Grant tenant-wide admin consent to an application](/entra/identity/enterprise-apps/grant-admin-consent).

>[!TIP]
> User Assigned Managed Identites, in public preview, can now support multitenant scenarios by configuring a trust between itself and an Entra ID multitenant application. See more information on configuring this in [Configure an application to trust a managed identity (preview)](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity).
When you use a centralized pipeline, you might need to build a small mapping table that contains data correlating the Microsoft Entra tenants and other metadata, such as the environment, associated subscriptions, organization name, and identity object ID used for authentication and authorization. This data can be called on during the run of the pipeline in a step that uses some logic and conditions to control which Microsoft Entra tenant it's deployed to and with which identities. The data can be stored in services, such as Azure Cosmos DB or Azure Table storage.

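Review bot: the TIP ends at the "Configure an application to trust a managed identity (preview)" link with no blank line before "When you use a centralized pipeline, you might need to build a small mapping table ...", so that paragraph renders as a lazy continuation inside the TIP callout; add a blank line. The same typo "Identites" and "Entra ID" appear here as in the Approach 1 NOTE, and the two callouts say the same thing, so one could point at the other. Because the federated managed identity still signs in as the multitenant app's service principal, the "Grant tenant-wide admin consent to an application" step added on the previous line remains a prerequisite in every target tenant; one sentence to that effect stops the TIP being read as removing that step.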