Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into hubspokefwrewrite

Author: duongau

articles/defender-for-iot/organizations/sensor-health-messages.md

@@ -13,27 +13,41 @@ For more information, see [Understand sensor health](how-to-manage-sensors-on-th
 
 ## Critical messages
 
-|Title  |Message  |Description  |Recommendation  |
-|---------|---------|---------|---------|
-|**Disconnected**     |   This sensor isn't communicating with Azure     |      Sensor is disconnected   |   Try signing into the sensor to check for errors or networking failures. <br><br> We also recommend reviewing the sensor networking configuration and verifying the sensor’s ability to communicate with Azure.      |
-|**Sanity failed**     |    This sensor failed an internal consistency check     |      Sensor fails sanity   |       The sensor is in a degraded state. <br><br> Check the sensor for hardware failures and try restarting the sensor.  If the issue isn't resolved, open a support ticket.  |
-|**No traffic detected**     |   No traffic detected on the monitored network interfaces      |   No traffic detected      |  Check that the monitoring ports are connected to SPAN/monitor ports on the adjacent switch and that traffic is active on the link. At least one link with network traffic should be connected to the monitor ports.       |
+|Title  |Message  |Recommendation  |
+|---------|---------|---------|
+|**Disconnected**     |   This sensor isn't communicating with Azure     |   Try signing into the sensor to check for errors or networking failures. <br><br> We also recommend reviewing the sensor networking configuration and verifying the sensor’s ability to communicate with Azure.      |
+|**Sanity failed**     |    This sensor failed an internal consistency check     |       The sensor is in a degraded state. <br><br> Check the sensor for hardware failures and try restarting the sensor.  If the issue isn't resolved, open a support ticket.  |
+|**No traffic detected**     |   No traffic detected on the monitored network interfaces      |  Check that the monitoring ports are connected to SPAN/monitor ports on the adjacent switch and that traffic is active on the link. At least one link with network traffic should be connected to the monitor ports.       |
 
 ## Warning messages
 
-|Title  |Message  |Description  |Recommendation  |
-|---------|---------|---------|---------|
-|**Package upload failed** |There was an error uploading the file to the sensor |Upload error |Verify the sensor’s ability to communicate with download.microsoft.com and retry. <br><br> If the problem persists,  open a support ticket.|
-|**Sensor update failed** | There was an error installing the update.| Installation error |Open a support ticket. |
-| **Unstable traffic to Azure**|Sensor’s connection to Azure is unstable |Unstable traffic to Azure | We recommend that you check the sensor WAN connection, the BW limit settings, and validate network equipment that might be on the route between the sensor and the cloud.|
-| **Outdated**|Outdated software may result in a non-optimal experience |Sensor version is outdated |Upgrade your sensor software to the latest version to use the most recently available Defender for IoT features.|
+|Title  |Message  |Recommendation  |
+|---------|---------|---------|
+|**Failed to send update** |There was an error uploading the file to the sensor |Verify the sensor’s ability to communicate with download.microsoft.com and retry. <br><br> If the problem persists, open a support ticket.|
+|**Sensor update failed** | There was an error installing the update.|Open a support ticket. |
+| **Unstable traffic to Azure**|Sensor’s connection to Azure is unstable | We recommend that you check the sensor WAN connection, the BW limit settings, and validate network equipment that might be on the route between the sensor and the cloud.|
+| **Unsupported**|Outdated software may result in a non-optimal experience |Upgrade your sensor software to the latest version to use the most recently available Defender for IoT features.|
+|**Sensor is partially connected** |See [Sensor partially connected messages](#sensor-partially-connected-messages) | |
+|**Backup error** |Failed to backup to Azure storage. |The primary causes of backup failures are issues with the sensor's network connectivity or an overly large backup file. Please verify the sensor's network connection and ensure it is not overloaded. |
+
+### Sensor partially connected messages
+
+The "Sensor is partially connected" message includes one of the following endpoint errors:
+
+|Title  |Message  |Recommendation  |
+|---------|---------|---------|
+|**General endpoint error** | Failed to establish a connection with the endpoint/endpoints (specifying the domain name).|Verify that all the required endpoints are allowed in the firewall with your network team. |
+|**DNS endpoint error** | Failed to resolve the DNS name of the endpoint/endpoints (specifying the domain name).|If the DNS server is reachable, verify the DNS server configured on the sensor is correct. If it is, reach out to your DNS administrator. |
+|**SSL endpoint error** |Failed to establish a secure connection with the endpoint/endpoints (specifying the domain name). The presented certificate is not trusted.|- Make sure the time is configured correctly.<br>- Check if you are using SSL inspection service (usually in the proxy). If so, make sure to upload the relevant certificate in the System Settings screen. | 
+|**Proxy authentication endpoint error** |- For one endpoint: The proxy requires authentication but none or incorrect credentials were provided.<br>- For multiple endpoints: Verify the authentication credentials with your proxy administrator. Provide the required credentials in the System Settings screen.|Verify the authentication credentials with your proxy administrator. Provide the required credentials in the System Settings screen. | 
+|**Proxy unnecessary endpoint error** |- For one endpoint: Unnecessary credentials were provided to the proxy.<br>- For multiple endpoints: Remove the username and password provided in the proxy configuration. |Remove the username and password provided in the proxy configuration. |
 
 ## Healthy messages
 
-|Title  |Message  |Description  |Recommendation  |
-|---------|---------|---------|---------|
-|**Pending activation** |Waiting for sensor to connect for the first time |Pending activation | Upload the activation file to the sensor. If this doesn't resolve the problem, verify the sensor’s ability to communicate with Azure.|
-|**Pending reactivation** |Waiting for reactivation with new license |Pending reactivation |Upload the new activation file to the sensor. If this doesn't resolve the problem, verify the sensor’s ability to communicate with Azure. |
+|Title  |Message  |Recommendation  |
+|---------|---------|---------|
+|**Pending activation** |Waiting for sensor to connect for the first time | Upload the activation file to the sensor. If this doesn't resolve the problem, verify the sensor’s ability to communicate with Azure.|
+|**Pending reactivation** |Waiting for reactivation with new license |Upload the new activation file to the sensor. If this doesn't resolve the problem, verify the sensor’s ability to communicate with Azure. |
 
 ## Next steps
 

articles/healthcare-apis/azure-api-for-fhir/autoscale-azure-api-fhir.md

@@ -41,11 +41,11 @@ When autoscale is enabled, the system calculates and sets the initial `Tmax` val
 
 You can increase the max `RU/s` or `Tmax` value and go as high as the service supports. When the service is busy, the throughput `RU/s` are scaled up to the `Tmax` value. When the service is idle, the throughput `RU/s` are scaled down to 10% `Tmax` value.
 
-You can also decrease the max `RU/s` or `Tmax` value. When you lower the max `RU/s`, the minimum value you can set it to is: `MAX (4000, highest max RU/s ever provisioned / 10, current storage in GB * 400)` rounded to the nearest 1000 `RU/s`.
+You can also decrease the max `RU/s` or `Tmax` value. When you lower the max `RU/s`, the minimum value you can set it to is: `MAX (400, highest max RU/s ever provisioned / 10, current storage in GB * 40)` rounded to the nearest 100 `RU/s`.
 
-* **Example 1**: You have 1-GB data and the highest provisioned `RU/s` is 10,000. The minimum value is Max (**4000**, 10,000/10, 1x400) = 4000. The first number, **4000**, is used.
-* **Example 2**: You have 20-GB data and the highest provisioned `RU/s` is 100,000. The minimum value is Max (4000, **100,000/10**, 20x400) = 10,000. The second number, **100,000/10 =10,000**, is used.
-* **Example 3**: You have 80-GB data and the highest provisioned RU/s is 300,000. The minimum value is Max (4000, 300,000/10, **80x400**) = 32,000. The third number, **80x400=32,000**, is used.
+* **Example 1**: You have 1-GB data and the highest provisioned `RU/s` is 10,000. The minimum value is Max (400, **10,000/10**, 1x40) = 1000. The second number, **10,000/10 = 1000**, is used.
+* **Example 2**: You have 20-GB data and the highest provisioned `RU/s` is 100,000. The minimum value is Max (400, **100,000/10**, 20x40) = 10,000. The second number, **100,000/10 =10,000**, is used.
+* **Example 3**: You have 80-GB data and the highest provisioned RU/s is 300,000. The minimum value is Max (400, **300,000/10**, 80x40) = 30,000. The second number, **300,000/10 = 30,000**, is used.
 
 You can adjust the max `RU/s` or `Tmax` value through the portal if it's a valid number and no greater than 100,000 `RU/s`. You can create a support ticket to request `Tmax` value larger than 100,000.
 
@@ -87,7 +87,7 @@ Keep in mind that this is only an estimate based on data size and that there are
 
 ### I enabled autoscale how can I migrate to scaling manually?
 
-A support ticket is required to change autoscale to manual scale and specify the throughput RU/s. The minimum value for manual scale you can set is: `MAX (400, highest max RU/s ever provisioned / 100, current storage in GB * 40)` rounded to the nearest 1000 `RU/s`. The numbers used here are different from those used in autoscale.
+A support ticket is required to change autoscale to manual scale and specify the throughput RU/s. The minimum value for manual scale you can set is: `MAX (400, highest max RU/s ever provisioned / 10, current storage in GB * 40)` rounded to the nearest 100 `RU/s`. The numbers used here are different from those used in autoscale.
 
 Once the change is completed, the new billing rates are based on manual scale.
 

articles/healthcare-apis/azure-api-for-fhir/export-data.md

@@ -70,6 +70,7 @@ The Azure API for FHIR supports the following query parameters. All of these par
 | \_till | No |  Allows you to only export resources that have been modified up to the time provided. This parameter is only applicable to System-Level export. In this case, if historical versions haven't been disabled or purged, export guarantees a true snapshot view. In other words, enables time travel. |
 |includeAssociatedData | No | Allows you to export history and soft deleted resources. This filter doesn't work with the '_typeFilter' query parameter. Include the value as '_history' to export history (non-latest versioned) resources. Include the value as '_deleted' to export soft deleted resources. |
 |\_isparallel| No |The "_isparallel" query parameter can be added to the export operation to enhance its throughput. The value needs to be set to true to enable parallelization. Note: Using this parameter may result in an increase in request units consumption over the life of export. |
+|\_maxCount| No |The "_maxCount" allows you to reduce the number of resources exported by a single job. The default value is 10,000. The export operation requires memory to serialize data when writing to the lake. To avoid out-of-memory exceptions caused by high memory usage, you can reduce the _maxCount value in decrements of 1,000. It is also beneficial to increase the compute memory on the FHIR server. |
 
 ## Secure Export to Azure Storage
 

articles/healthcare-apis/business-continuity-disaster-recovery.md

@@ -39,4 +39,8 @@ Learn more: [Create an Azure support request](/azure/azure-portal/supportability
 
 For a large or active database, the restore might take several hours to several days. The restoration process involves taking a snapshot of your database at a certain time and then creating a new database to point your FHIR service to. During the restoration process, the server may return an HTTP Status code response with 503, meaning the service is temporarily unavailable and can't handle the request at the moment. After the restoration process completes, the support team updates the ticket with a status that the operation has been completed to restore the requested service.
 
+## Cross-Region DR
+
+Azure Health Data Services does not currently offer cross region DR (disaster recovery) built-in to the service. However, you can utilize native capabilities, such as $export and $import, to achieve cross-region disaster recovery. An OSS sample is provided for you [here](https://github.com/Azure/apiforfhir-migration-tool/blob/main/FHIR-data-migration-tool-docs/disaster-recovery.md). Note: The samples are open-source code and subject to Github's licensing terms and you should review the information and licensing terms before using it. They are not part of the Azure Health Data Service and are not supported by Microsoft Support. These samples are used to demonstrate how Azure Health Data Services (AHDS) and other open-source tools can be used together for cross-region replication.
+
 [!INCLUDE [FHIR and DICOM trademark statement](./includes/healthcare-apis-fhir-dicom-trademark.md)]

articles/healthcare-apis/configure-private-link.md

@@ -97,4 +97,14 @@ To ensure your Private Endpoint can send traffic to your server:
 2. Remote Desktop Protocols (RDP) into the VM.
 3. Access your FHIR server’s `/metadata` endpoint from the VM. You should receive the capability statement as a response.
 
+## FAQ
+
+### 1. From logs, requests failing with HTTP 403 are not due to bad tokens but instead they are rejected by Private Links, as their origin is not allowed to access the FHIR service.
+
+Validate the below points:
+
+-  Check if the request origin of those requests is part of the same Virtual Network (VNET) where the FHIR service is.  
+
+-  Check if the Private Endpoint and/or Private DNS zone are shared with multiple VNETs at the same time. This is a known misconfiguration that can cause turbulence on the IP resolution and result in requests being rejected.
+
 [!INCLUDE [FHIR and DICOM trademark statement](./includes/healthcare-apis-fhir-dicom-trademark.md)]

articles/healthcare-apis/fhir/fhir-best-practices.md

@@ -64,6 +64,9 @@ Logical Identifiers are considered "deterministic" because FHIR operations perfo
 * **Avoid** the use of `_revinclude` in search queries, as they can result in unbounded result sets and higher latencies.
 * **Avoid** using complex searches (for example: `_has`, or chained search parameters), as they impact query performance.
 
+> [!NOTE]
+> For the rare outliers or 1% of queries can be impacted due to transient conditions, maintenance or network variability. We recommend implementing retry logic to ensure reliability without degrading your application and user experience.
+
 ## Data extraction
 
 For data extraction, use the bulk `$export` operation as specified in the [HL7 FHIR Build Data Access specification](https://www.hl7.org/fhir/uv/bulkdata/).

articles/healthcare-apis/fhir/import-data.md

@@ -41,7 +41,7 @@ The following table shows the difference between import modes.
 |------------- |-------------|-----|
 |Capability|Initial load of data into FHIR service|Continuous ingestion of data into FHIR service (Incremental or Near Real Time).|
 |Concurrent API calls|Blocks concurrent write operations|Data can be ingested concurrently while executing API CRUD operations on the FHIR server.|
-|Ingestion of versioned resources|Not supported|Enables ingestion of  multiple versions of FHIR resources in single batch while maintaining resource history.|
+|Ingestion of versioned resources|Not supported, only the latest version is retained, and lastUpdated is set to the time of import|Supported. Enables ingestion of multiple versions of FHIR resources in single batch while maintaining resource history and original lastUpdated values. <br>**Note**: Use incremental import mode if you need to retain historical versions or preserve original lastUpdated timestamps|
 |Retain lastUpdated field value|Not supported|Retain the lastUpdated field value in FHIR resources during the ingestion process.|
 |Billing| Doesn't incur any charge|Incurs charges based on successfully ingested resources. Charges are incurred per API pricing.|
 

articles/iot-central/core/howto-manage-and-monitor-iot-central.md

@@ -6,7 +6,7 @@ ms.service: azure-iot-central
 ms.custom: devx-track-azurepowershell
 author: dominicbetts
 ms.author: dobett
-ms.date: 04/02/2024
+ms.date: 08/06/2025
 ms.topic: how-to
 #customer intent: As an administrator, I want to learn how to manage and monitor IoT Central applications using Azure portal, Azure CLI, and Azure PowerShell so that I can maintain my set of IoT Central applications.
 ---

articles/iot-central/core/howto-manage-deployment-manifests.md

@@ -5,7 +5,7 @@ services: iot-central
 ms.service: azure-iot-central
 author: dominicbetts
 ms.author: dobett
-ms.date: 03/04/2024
+ms.date: 08/06/2025
 ms.topic: how-to
 ---
 
@@ -44,7 +44,7 @@ When you create a new deployment manifest, you can upload the deployment manifes
 1. Select **Create**. The **Edge manifests** page now includes the new deployment manifest.
 
 > [!TIP]
-> If you have a large number of deployment manifest, you can sort and filter the list shown on the **Edge manifests** page.
+> If you have a large number of deployment manifests, you can sort and filter the list shown on the **Edge manifests** page.
 
 ### Edit the JSON source of a deployment manifest
 

articles/iot-central/core/howto-manage-device-templates-with-rest-api.md

@@ -3,7 +3,7 @@ title: Add device templates in Azure IoT Central with the REST API
 description: How to use the IoT Central REST API to add, update, delete, and manage device templates in an application
 author: dominicbetts
 ms.author: dobett
-ms.date: 07/12/2024
+ms.date: 08/06/2025
 ms.topic: how-to
 ms.service: azure-iot-central
 services: iot-central
@@ -182,7 +182,7 @@ The request body has some required fields:
 * `capabilityModel` : Every device template has a capability model. A relationship is established between each module capability model and a device model. A capability model implements one or more module interfaces.
 
 > [!TIP]
-> The device template JSON is not a standard DTDL document. The device template JSON includes IoT Central specific data such as cloud property definitions and display units. You can use the device template JSON format to import and export device templates in IoT Central by using the REST API, the CLI, and the UI.
+> The device template JSON isn't a standard DTDL document. The device template JSON includes IoT Central specific data such as cloud property definitions and display units. You can use the device template JSON format to import and export device templates in IoT Central by using the REST API, the CLI, and the UI.
 
 There are some optional fields you can use to add more details to the capability model, such as display name and description.