Commit 00d55f4

Merge pull request #79338 from MicrosoftDocs/master
6/11 PM Publish
2 parents 7376e69 + 140237a commit 00d55f4

101 files changed: +1834 -627 lines changed

articles/active-directory/conditional-access/howto-conditional-access-session-lifetime.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -50,7 +50,7 @@ The Azure AD default for browser session persistence allows users on personal de
5050
Conditional access is an Azure AD Premium capability and requires a premium license. If you would like to learn more about conditional access, see [What is conditional access in Azure Active Directory?](overview.md#license-requirements)
5151

5252
> [!WARNING]
53-
> If you are using the [configurable token lifetime](../develop/active-directory-configurable-token-lifetimes.md) feature currently in public preview, please note that we don’t support creating two different policies for the same user or app combination: one with this feature and another one with configurable token lifetime feature. Microsoft plans to retire the configurable token lifetime feature on October 15 and replace it with the conditional access authentication session management feature.
53+
> If you are using the [configurable token lifetime](../develop/active-directory-configurable-token-lifetimes.md) feature currently in public preview, please note that we don’t support creating two different policies for the same user or app combination: one with this feature and another one with configurable token lifetime feature. Microsoft plans to retire the configurable token lifetime feature on November 1 and replace it with the conditional access authentication session management feature.
5454
5555
### Policy 1: Sign-in frequency control
5656
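Review bot: The retirement date on line 53 is given as "November 1" with no year, so the warning becomes ambiguous as the page ages; suggest writing the full date. The same sentence says two policies for the same user or app combination are not supported but does not say what happens when both exist, which is worth stating for admins who already have a configurable token lifetime policy in place.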

articles/active-directory/saas-apps/expensein-tutorial.md

Lines changed: 28 additions & 18 deletions
@@ -14,7 +14,7 @@ ms.workload: identity
1414
ms.tgt_pltfrm: na
1515
ms.devlang: na
1616
ms.topic: tutorial
17-
ms.date: 05/31/2019
17+
ms.date: 06/11/2019
1818
ms.author: jeedes
1919

2020
ms.collection: M365-identity-device-management
@@ -54,15 +54,15 @@ To configure the integration of ExpenseIn into Azure AD, you need to add Expense
5454

5555
## Configure and test Azure AD single sign-on
5656

57-
Configure and test Azure AD SSO with ExpenseIn using a test user called **B. Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ExpenseIn.
57+
Configure and test Azure AD SSO with ExpenseIn using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ExpenseIn.
5858

5959
To configure and test Azure AD SSO with ExpenseIn, complete the following building blocks:
6060

6161
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature.
6262
2. **[Configure ExpenseIn](#configure-expensein)** to configure the SSO settings on application side.
63-
3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with B. Simon.
64-
4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable B. Simon to use Azure AD single sign-on.
65-
5. **[Create ExpenseIn test user](#create-expensein-test-user)** to have a counterpart of B. Simon in ExpenseIn that is linked to the Azure AD representation of user.
63+
3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with B.Simon.
64+
4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable B.Simon to use Azure AD single sign-on.
65+
5. **[Create ExpenseIn test user](#create-expensein-test-user)** to have a counterpart of B.Simon in ExpenseIn that is linked to the Azure AD representation of user.
6666
6. **[Test SSO](#test-sso)** to verify whether the configuration works.
6767

6868
### Configure Azure AD SSO
@@ -99,41 +99,51 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
9999

100100
### Configure ExpenseIn
101101

102-
1. In a different web browser window, sign in to ExpenseIn as an Administrator.
102+
1. To automate the configuration within ExpenseIn, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
103103

104-
2. Click on **Admin** on the top of the page then navigate to **Single Sign-On** and click **Add provider**.
104+
![My apps extension](common/install-myappssecure-extension.png)
105+
106+
2. After adding extension to the browser, click on **Setup ExpenseIn** will direct you to the ExpenseIn application. From there, provide the admin credentials to sign into ExpenseIn. The browser extension will automatically configure the application for you and automate steps 3-5.
107+
108+
![Setup configuration](common/setup-sso.png)
109+
110+
3. If you want to setup ExpenseIn manually, open a new web browser window and sign into your ExpenseIn company site as an administrator and perform the following steps:
111+
112+
4. Click on **Admin** on the top of the page then navigate to **Single Sign-On** and click **Add provider**.
105113

106114
![ExpenseIn configuration](./media/expenseIn-tutorial/config01.png)
107115

108-
3. On the **New Identity Provider** pop-up, Perform the following steps:
116+
5. On the **New Identity Provider** pop-up, Perform the following steps:
109117

110118
![ExpenseIn configuration](./media/expenseIn-tutorial/config02.png)
111119

112120
a. In the **Provider Name** text box, type the name like ex:Azure.
113121

114-
b. In the **Target Url** text box, paste the value of **Login URL**, which you have copied from Azure portal.
122+
b. Select **Yes** as **Allow Provider Intitated Sign-On**.
123+
124+
c. In the **Target Url** text box, paste the value of **Login URL**, which you have copied from Azure portal.
115125

116-
c. In the **Issuer** text box, paste the value of **Azure AD Identifier**, which you have copied from Azure portal.
126+
d. In the **Issuer** text box, paste the value of **Azure AD Identifier**, which you have copied from Azure portal.
117127

118-
d. Open the Certificate (Base64) in Notepad, copy its content and paste it in the **Certificate** text box.
128+
e. Open the Certificate (Base64) in Notepad, copy its content and paste it in the **Certificate** text box.
119129

120-
e. Click **Create**.
130+
f. Click **Create**.
121131

122132
### Create an Azure AD test user
123133

124-
In this section, you'll create a test user in the Azure portal called B. Simon.
134+
In this section, you'll create a test user in the Azure portal called B.Simon.
125135

126136
1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
127137
1. Select **New user** at the top of the screen.
128138
1. In the **User** properties, follow these steps:
129-
1. In the **Name** field, enter `B. Simon`.
130-
1. In the **User name** field, enter the [email protected]. For example, `BrittaSimon@contoso.com`.
139+
1. In the **Name** field, enter `B.Simon`.
140+
1. In the **User name** field, enter the [email protected]. For example, `B.Simon@contoso.com`.
131141
1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
132142
1. Click **Create**.
133143

134144
### Assign the Azure AD test user
135145

136-
In this section, you'll enable B. Simon to use Azure single sign-on by granting access to ExpenseIn.
146+
In this section, you'll enable B.Simon to use Azure single sign-on by granting access to ExpenseIn.
137147

138148
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
139149
1. In the applications list, select **ExpenseIn**.
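Review bot: Added line 122 spells the setting "Allow Provider Intitated Sign-On"; confirm the label against the ExpenseIn UI and correct it to "Initiated" if that is what the product shows. The step also tells the reader to select **Yes** without saying what the setting permits or why this integration needs it, so a short clause would help admins who would otherwise leave it off. Separately, step 2 on line 106 reads "click on **Setup ExpenseIn** will direct you", which needs rewording, and its reference to "steps 3-5" depends on the hard-coded numbering introduced in this hunk.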
@@ -145,7 +155,7 @@ In this section, you'll enable B. Simon to use Azure single sign-on by granting
145155

146156
![The Add User link](common/add-assign-user.png)
147157

148-
1. In the **Users and groups** dialog, select **B. Simon** from the Users list, then click the **Select** button at the bottom of the screen.
158+
1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
149159
1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
150160
1. In the **Add Assignment** dialog, click the **Assign** button.
151161

@@ -169,7 +179,7 @@ To enable Azure AD users to sign in to ExpenseIn, they must be provisioned into
169179

170180
b. In **Last Name** text box, enter the last name of user like **Simon**.
171181

172-
c. In **Email** text box, enter the email of user like `B. [email protected]`.
182+
c. In **Email** text box, enter the email of user like `[email protected]`.
173183

174184
d. Click **Create**.
175185


articles/aks/node-updates-kured.md

Lines changed: 1 addition & 0 deletions
@@ -56,6 +56,7 @@ To deploy the `kured` DaemonSet, apply the following sample YAML manifest from t
5656

5757
```console
5858
kubectl apply -f https://github.com/weaveworks/kured/releases/download/1.2.0/kured-1.2.0-dockerhub.yaml
59+
```
5960

6061
You can also configure additional parameters for `kured`, such as integration with Prometheus or Slack. For more information about additional configuration parameters, see the [kured installation docs][kured-install].
6162
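Review bot: The command on line 58 applies a manifest fetched straight from a release URL with no review step in between. Suggest telling the reader to download the YAML and read it before running `kubectl apply`, since the DaemonSet it creates is scheduled across the cluster's nodes.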

articles/api-management/api-management-cross-domain-policies.md

Lines changed: 1 addition & 1 deletion
@@ -140,7 +140,7 @@ This example demonstrates how to support pre-flight requests, such as those with
140140
This policy can be used in the following policy [sections](https://azure.microsoft.com/documentation/articles/api-management-howto-policies/#sections) and [scopes](https://azure.microsoft.com/documentation/articles/api-management-howto-policies/#scopes).
141141

142142
- **Policy sections:** inbound
143-
- **Policy scopes:** global, API, operation
143+
- **Policy scopes:** global, product, API, operation
144144

145145
## <a name="JSONP"></a> JSONP
146146
The `jsonp` policy adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients. JSONP is a method used in JavaScript programs to request data from a server in a different domain. JSONP bypasses the limitation enforced by most web browsers where access to web pages must be in the same domain.

articles/app-service/app-service-hybrid-connections.md

Lines changed: 5 additions & 4 deletions
@@ -13,7 +13,7 @@ ms.workload: na
1313
ms.tgt_pltfrm: na
1414
ms.devlang: na
1515
ms.topic: article
16-
ms.date: 07/26/2018
16+
ms.date: 06/06/2019
1717
ms.author: ccompy
1818
ms.custom: seodec18
1919

@@ -39,7 +39,6 @@ When your app makes a DNS request that matches a configured Hybrid Connection en
3939
> This means that you should try to always use a DNS name for your Hybrid Connection. Some client software does not do a DNS lookup if the endpoint uses an IP address instead.
4040
>
4141
42-
4342
### App Service Hybrid Connection benefits ###
4443

4544
There are a number of benefits to the Hybrid Connections capability, including:
@@ -137,7 +136,7 @@ To add one or more Hybrid Connections to your HCM:
137136
2. Select **Configure another Hybrid Connection**.
138137
![Screenshot of Configure New Hybrid Connections][8]
139138

140-
1. Sign in with your Azure account.
139+
1. Sign in with your Azure account to get your Hybrid Connections available with your subscriptions. The HCM does not continue to use your Azure account beyond that.
141140
1. Choose a subscription.
142141
1. Select the Hybrid Connections that you want the HCM to relay.
143142
![Screenshot of Hybrid Connections][9]
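Review bot: The new sentence on line 139, "The HCM does not continue to use your Azure account beyond that", leaves open what is kept on the host after sign-in. Suggest stating what the HCM stores and uses to maintain the relay once the account is no longer in use, since that is what someone hardening the HCM host needs to know. The first half, "to get your Hybrid Connections available with your subscriptions", would read better as "to list the Hybrid Connections available in your subscriptions".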
@@ -224,7 +223,9 @@ The status of "Connected" means that at least one HCM is configured with that Hy
224223

225224
The primary reason that clients cannot connect to their endpoint is because the endpoint was specified by using an IP address instead of a DNS name. If your app cannot reach the desired endpoint and you used an IP address, switch to using a DNS name that is valid on the host where the HCM is running. Also check that the DNS name resolves properly on the host where the HCM is running. Confirm that there is connectivity from the host where the HCM is running to the Hybrid Connection endpoint.
226225

227-
In App Service, the tcpping tool can be invoked from the Advanced Tools (Kudu) console. This tool can tell you if you have access to a TCP endpoint, but it does not tell you if you have access to a Hybrid Connection endpoint. When you use the tool in the console against a Hybrid Connection endpoint, you are only confirming that it uses a host:port combination.
226+
In App Service, the **tcpping** command line tool can be invoked from the Advanced Tools (Kudu) console. This tool can tell you if you have access to a TCP endpoint, but it does not tell you if you have access to a Hybrid Connection endpoint. When you use the tool in the console against a Hybrid Connection endpoint, you are only confirming that it uses a host:port combination.
227+
228+
If you have a command line client for your endpoint, you can test connectivity from the app console. For example, you can test access to web server endpoints by using curl.
228229

229230
## BizTalk Hybrid Connections ##
230231

articles/app-service/app-service-ip-restrictions.md

Lines changed: 10 additions & 10 deletions
@@ -13,7 +13,7 @@ ms.workload: web
1313
ms.tgt_pltfrm: na
1414
ms.devlang: multiple
1515
ms.topic: article
16-
ms.date: 05/28/2019
16+
ms.date: 06/06/2019
1717
ms.author: ccompy
1818
ms.custom: seodec18
1919

@@ -44,27 +44,27 @@ From the Access Restrictions UI, you can review the list of access restriction r
4444

4545
The list will show all of the current restrictions that are on your app. If you have a VNet restriction on your app, the table will show if service endpoints are enabled for Microsoft.Web. When there are no defined restrictions on your app, your app will be accessible from anywhere.
4646

47+
## Adding IP address rules
48+
4749
You can click on **[+] Add** to add a new access restriction rule. Once you add a rule, it will become effective immediately. Rules are enforced in priority order starting from the lowest number and going up. There is an implicit deny all that is in effect once you add even a single rule.
4850

49-
### Adding IP address rules
51+
When creating a rule, you must select allow/deny and also the type of rule. You are also required to provide the priority value and what you are restricting access to. You can optionally add a name, and description to the rule.
5052

5153
![add an IP access restriction rule](media/app-service-ip-restrictions/access-restrictions-ip-add.png)
5254

53-
When creating a rule, you must select allow/deny and also the type of rule. You are also required to provide the priority value and what you are restricting access to. You can optionally add a name, and description to the rule.
54-
5555
To set an IP address based rule, select a type of IPv4 or IPv6. IP Address notation must be specified in CIDR notation for both IPv4 and IPv6 addresses. To specify an exact address, you can use something like 1.2.3.4/32 where the first four octets represent your IP address and /32 is the mask. The IPv4 CIDR notation for all addresses is 0.0.0.0/0. To learn more about CIDR notation, you can read [Classless Inter-Domain Routing](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).
5656

57-
### Service endpoints
57+
## Service endpoints
5858

59-
![add a VNet access restriction rule](media/app-service-ip-restrictions/access-restrictions-vnet-add.png)
59+
Service endpoints enables you to restrict access to selected Azure virtual network subnets. To restrict access to a specific subnet, create a restriction rule with a type of Virtual Network. You can pick the subscription, VNet, and subnet you wish to allow or deny access with. If service endpoints are not already enabled with Microsoft.Web for the subnet that you selected, it will automatically be enabled for you unless you check the box asking not to do that. The situation where you would want to enable it on the app but not the subnet is largely related to if you have the permissions to enable service endpoints on the subnet or not. If you need to get somebody else to enable service endpoints on the subnet, you can check the box and have your app configured for service endpoints in anticipation of it being enabled later on the subnet.
6060

61-
To restrict access to selected subnets, select a type of Virtual Network. Below that you will be able to pick the subscription, VNet, and subnet you wish to allow or deny access with. If service endpoints are not already enabled with Microsoft.Web for the subnet that you selected, it will automatically be enabled for you unless you check the box asking not to do that. The situation where you would want to enable it on the app but not the subnet is largely related to if you have the permissions to enable service endpoints on the subnet or not. If you need to get somebody else to enable service endpoints on the subnet, you can check the box and have your app configured for service endpoints in anticipation of it being enabled later on the subnet.
61+
![add a VNet access restriction rule](media/app-service-ip-restrictions/access-restrictions-vnet-add.png)
6262

6363
Service endpoints cannot be used to restrict access to apps that run in an App Service Environment. When your app is in an App Service Environment, you can control access to your app with IP access rules.
6464

6565
With service endpoints, you can configure your app with Application Gateways or other WAF devices. You can also configure multi-tier applications with secure backends. For more details on some of the possibilities, read [Networking features and App Service](networking-features.md).
6666

67-
### Managing access restriction rules
67+
## Managing access restriction rules
6868

6969
You can click on any row to edit an existing access restriction rule. Edits are effective immediately including changes in priority ordering.
7070
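Review bot: Added line 59 has a subject-verb mismatch ("Service endpoints enables"); use "enable". The same paragraph describes configuring the app for service endpoints before the subnet has them enabled but does not say how the rule behaves in that interim, so suggest a sentence on whether traffic from the subnet matches the rule before the subnet side is enabled. Also, the "## Adding IP address rules" heading on line 47 now sits above the general text on adding any rule and on priority order, so the heading is narrower than the section it introduces.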

@@ -78,15 +78,15 @@ To delete a rule, click the **...** on your rule and then click **remove**.
7878

7979
![delete access restriction rule](media/app-service-ip-restrictions/access-restrictions-delete.png)
8080

81-
### Blocking a single IP Address ##
81+
## Blocking a single IP Address ##
8282

8383
When adding your first IP Restriction rule, the service will add an explicit **deny all** rule with a priority of 2147483647. In practice, the explicit **deny all** rule will be last rule executed and will block access to any IP address that is not explicitly allowed using an **Allow** rule.
8484

8585
For the scenario where users want to explicitly block a single IP address or IP address block, but allow everything else access, it is necessary to add an explicit **Allow All** rule.
8686

8787
![block single ip address](media/app-service-ip-restrictions/block-single-address.png)
8888

89-
### SCM site
89+
## SCM site
9090

9191
In addition to being able to control access to your app, you can also restrict access to the scm site used by your app. The scm site is the web deploy endpoint and also the Kudu console. You can separately assign access restrictions to the scm site from the app or use the same set for both the app and the scm site. When you check the box to have the same restrictions as your app, everything is blanked out. If you uncheck the box, whatever settings you had earlier on the scm site are applied.
9292
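Review bot: Line 83 calls the catch-all an "explicit **deny all**" rule, while line 49 of the same file describes "an implicit deny all"; pick one term so readers do not assume there are two separate rules. The heading on line 81 also keeps a trailing `##` that the other promoted headings in this change do not have.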
