Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

.openpublishing.redirection.json

@@ -168,14 +168,41 @@ To add a credential to your web application:
 To add permission(s) to access resource APIs from your client:
 
 1. From the app's **Overview** page, select **API permissions**.
-1. Select the **Add a permission** button.
+1. Under the **Configured permissions** section, select the **Add a permission** button.
 1. By default, the view allows you to select from **Microsoft APIs**. Select the section of APIs that you're interested in:
     * **Microsoft APIs** - Lets you select permissions for Microsoft APIs such as Microsoft Graph.
     * **APIs my organization uses** - Lets you select permissions for APIs that have been exposed by your organization, or APIs that your organization has integrated with.
     * **My APIs** - Lets you select permissions for APIs that you have exposed.
 1. Once you've selected the APIs, you'll see the **Request API Permissions** page. If the API exposes both delegated and application permissions, select which type of permission your application needs.
 1. When finished, select **Add permissions**. You will return to the **API permissions** page, where the permissions have been saved and added to the table.
 
+## Understanding API permissions and admin consent UI
+
+### Configured permissions
+
+This section shows the permissions that have been explicitly configured on the application object (\the permissions that are part of the app's required resource access list). You may add or remove permissions from this table. As an admin, you can also grant/revoke admin consent for a set of an API's permissions or individual permissions in this section.
+
+### Other permissions granted
+
+If your application is registered in a tenant, you may see an additional section titled **Other permissions granted for Tenant**. This section shows permissions that have been granted for the tenant but have not been explicitly configured on the application object (e.g. permissions that were dynamically requested and consented). This section only appears if there is at least one permission that applies.
+
+You may add a set of an API's permissions or individual permissions that appear in this section to the **Configured permissions** section. As an admin, you can also revoke admin consent for individual APIs or permissions in this section.
+
+### Admin consent button
+
+If your application is registered in a tenant, you will see a **Grant admin consent for Tenant** button. It will be disabled if you are not an admin, or if no permissions have been configured for the application.
+This button allows an admin to easily grant admin consent to the permissions configured for the application. Clicking the admin consent button launches a new window with a consent prompt showing all the configured permissions.
+
+> [!NOTE]
+> There is a delay between permissions being configured for the application and them appearing on the consent prompt. If you do not see all the configured permissions in the consent prompt, close it and launch it again.
+
+If you have permissions that have been granted but not configured, when clicking the admin consent button you will be prompted to decide how to handle these permissions. You may add them to configured permissions or you may remove them.
+
+The consent prompt provides the option to **Accept** or **Cancel**. If you select **Accept**, admin consent is granted. If you select **Cancel**, admin consent is not granted, and you will see an error stating that consent has been declined.
+
+> [!NOTE]
+> There is a delay between granting admin consent (selecting **Accept** on the consent prompt) and the status of admin consent being reflected in the UI.
+
 ## Next steps
 
 Learn about these other related app management quickstarts for apps:

articles/active-directory/develop/quickstart-configure-app-access-web-apis.md

@@ -10,7 +10,7 @@ ms.assetid: 6d42fb79-d9cf-48da-8445-f482c4c536af
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 09/25/2019
+ms.date: 11/14/2019
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
@@ -82,7 +82,9 @@ After entering the forest name and clicking  **Add Directory**, a pop-up dialog
 ![Connect Directory](./media/how-to-connect-install-custom/connectdir02.png)
 
 #### Enterprise Admin and Domain Admin accounts not supported
-As of build 1.4.###.# it is no longer supported to use an Enterprise Admin or a Domain Admin account as the AD DS Connector account.  If you attempt to enter an account that is an enterprise admin or domain admin when specifying **use existing account**, you will receive an error.
+As of build 1.4.18.0 it is no longer supported to use an Enterprise Admin or a Domain Admin account as the AD DS Connector account.  If you attempt to enter an account that is an enterprise admin or domain admin when specifying **use existing account**, you will receive the following error:
+
+  **“Using  an Enterprise or Domain administrator account for your AD forest account is not allowed.  Let Azure AD Connect create the account for you or specify a synchronization account with the correct permissions.  <Learn More>”**
 
 ### Azure AD sign-in configuration
 This page allows you to review the UPN domains present in on-premises AD DS and which have been verified in Azure AD. This page also allows you to configure the attribute to use for the userPrincipalName.

articles/active-directory/hybrid/how-to-connect-install-custom.md

@@ -83,24 +83,32 @@ kubectl describe node [NODE_NAME]
 To maintain node performance and functionality, resources are reserved on each node by AKS. As a node grows larger in resources, the resource reservation grows due to a higher amount of user deployed pods needing management.
 
 >[!NOTE]
-> Using add-ons such as OMS will consume additional node resources.
+> Using AKS add-ons such as Container Insights (OMS) will consume additional node resources.
 
 - **CPU** - reserved CPU is dependent on node type and cluster configuration which may cause less allocatable CPU due to running additional features
 
 | CPU cores on host | 1	| 2	| 4	| 8	| 16 | 32|64|
 |---|---|---|---|---|---|---|---|
 |Kube-reserved (millicores)|60|100|140|180|260|420|740|
 
-- **Memory** - reservation of memory follows a progressive rate
-  - 25% of the first 4 GB of memory
-  - 20% of the next 4 GB of memory (up to 8 GB)
-  - 10% of the next 8 GB of memory (up to 16 GB)
-  - 6% of the next 112 GB of memory (up to 128 GB)
-  - 2% of any memory above 128 GB
+- **Memory** - reserved memory includes the sum of two values
 
-These reservations mean that the amount of available CPU and memory for your applications may appear less than the node itself contains. If there are resource constraints due to the number of applications that you run, these reservations ensure CPU and memory remains available for the core Kubernetes components. The resource reservations can't be changed.
+1. The kubelet daemon is installed on all Kubernetes agent nodes to manage container creation and termination. By default on AKS, this daemon has the following eviction rule: memory.available<750Mi, which means a node must always have at least 750 Mi allocatable at all times.  When a host is below that threshold of available memory, the kubelet will terminate one of the running pods to free memory on the host machine and protect it.
 
-The underlying node OS also requires some amount of CPU and memory resources to complete its own core functions.
+2. The second value is a progressive rate of memory reserved for the kubelet daemon to properly function (kube-reserved).
+    - 25% of the first 4 GB of memory
+    - 20% of the next 4 GB of memory (up to 8 GB)
+    - 10% of the next 8 GB of memory (up to 16 GB)
+    - 6% of the next 112 GB of memory (up to 128 GB)
+    - 2% of any memory above 128 GB
+
+As a result of these two defined rules imposed to keep Kubernetes and agent nodes healthy, the amount of allocatable CPU and memory will appear less than the node itself could offer. The resource reservations defined above cannot be changed.
+
+For example, if a node offers 7 GB, it will report 34% of memory not allocatable:
+
+`750Mi + (0.25*4) + (0.20*3) = 0.786GB + 1 GB + 0.6GB = 2.386GB / 7GB = 34% reserved`
+
+In addition to reservations for Kubernetes, the underlying node OS also reserves an amount of CPU and memory resources to maintain OS functions.
 
 For associated best practices, see [Best practices for basic scheduler features in AKS][operator-best-practices-scheduler].
 

articles/aks/concepts-clusters-workloads.md

@@ -6,7 +6,7 @@ author: zr-msft
 
 ms.service: container-service
 ms.topic: conceptual
-ms.date: 11/26/2018
+ms.date: 11/13/2019
 ms.author: zarhoads
 ---
 
@@ -27,16 +27,24 @@ This best practices article focuses on how to run your cluster and workloads fro
 
 A primary way to manage the compute resources within an AKS cluster is to use pod requests and limits. These requests and limits let the Kubernetes scheduler know what compute resources a pod should be assigned.
 
-* **Pod requests** define a set amount of CPU and memory that the pod needs. These requests should be the amount of compute resources the pod needs to provide an acceptable level of performance.
-    * When the Kubernetes scheduler tries to place a pod on a node, the pod requests are used to determine which node has sufficient resources available.
-    * Monitor the performance of your application to adjust these requests to make sure you don't define less resources that required to maintain an acceptable level of performance.
-* **Pod limits** are the maximum amount of CPU and memory that a pod can use. These limits help prevent one or two runaway pods from taking too much CPU and memory from the node. This scenario would reduce the performance of the node and other pods that run on it.
+* **Pod CPU/Memory requests** define a set amount of CPU and memory that the pod needs on a regular basis.
+    * When the Kubernetes scheduler tries to place a pod on a node, the pod requests are used to determine which node has sufficient resources available for scheduling.
+    * Not setting a pod request will default it to the limit defined.
+    * It is very important to monitor the performance of your application to adjust these requests. If insufficient requests are made, your application may receive degraded performance due to over scheduling a node. If requests are overestimated, your application  may have increased difficulty getting scheduled.
+* **Pod CPU/Memory limits** are the maximum amount of CPU and memory that a pod can use. These limits help define which pods should be killed in the event of node instability due to insufficient resources. Without proper limits set pods will be killed until resource pressure is lifted.
+    * Pod limits help define when a pod has lost of control of resource consumption. When a limit is exceeded, the pod is prioritized for killing to maintain node health and minimize impact to pods sharing the node.
+    * Not setting a pod limit defaults it to the highest available value on a given node.
     * Don't set a pod limit higher than your nodes can support. Each AKS node reserves a set amount of CPU and memory for the core Kubernetes components. Your application may try to consume too many resources on the node for other pods to successfully run.
-    * Again, monitor the performance of your application at different times during the day or week. Determine when the peak demand is, and align the pod limits to the resources required to meet the application's needs.
+    * Again, it is very important to monitor the performance of your application at different times during the day or week. Determine when the peak demand is, and align the pod limits to the resources required to meet the application's max needs.
 
-In your pod specifications, it's best practice to define these requests and limits. If you don't include these values, the Kubernetes scheduler doesn't understand what resources are needed. The scheduler may schedule the pod on a node without sufficient resources to provide acceptable application performance. The cluster administrator may set *resource quotas* on a namespace that requires you to set resource requests and limits. For more information, see [resource quotas on AKS clusters][resource-quotas].
+In your pod specifications, it's **best practice and very important** to define these requests and limits based on the above information. If you don't include these values, the Kubernetes scheduler cannot take into account the resources your applications require to aid in scheduling decisions.
 
-When you define a CPU request or limit, the value is measured in CPU units. *1.0* CPU equates to one underlying virtual CPU core on the node. The same measurement is used for GPUs. You can also define a fractional request or limit, typically in millicpu. For example, *100m* is *0.1* of an underlying virtual CPU core.
+If the scheduler places a pod on a node with insufficient resources, application performance will be degraded. It is highly recommended for cluster administrators to set *resource quotas* on a namespace that requires you to set resource requests and limits. For more information, see [resource quotas on AKS clusters][resource-quotas].
+
+When you define a CPU request or limit, the value is measured in CPU units. 
+* *1.0* CPU equates to one underlying virtual CPU core on the node. 
+* The same measurement is used for GPUs.
+* You can define fractions measured in millicores. For example, *100m* is *0.1* of an underlying vCPU core.
 
 In the following basic example for a single NGINX pod, the pod requests *100m* of CPU time, and *128Mi* of memory. The resource limits for the pod are set to *250m* CPU and *256Mi* memory:
 

articles/aks/developer-best-practices-resource-management.md

@@ -71,7 +71,7 @@ This section shows how to import and publish an OpenAPI specification backend AP
 > [!TIP]
 > If you are experiencing problems with import of your own API definition, [see the list of known issues and restrictions](api-management-api-import-restrictions.md).
 
-## Test the new APIM API in the Azure portal
+## Test the new API in the Azure portal
 
 ![Test API map](./media/api-management-get-started/01-import-first-api-01.png)
 
@@ -84,31 +84,13 @@ Operations can be called directly from the Azure portal, which provides a conven
 
     Backend responds with **200 OK** and some data.
 
-## <a name="call-operation"> </a>Call an operation from the developer portal
-
-Operations can also be called from the **Developer portal** to test APIs.
-
-1. Navigate to the **Developer portal**.
-
-    ![Developer portal](./media/api-management-get-started/developer-portal.png)
-
-2. Select **APIS**, click on **Demo Conference API** and then **GetSpeakers**.
-
-    The page displays fields for query parameters, in this case none, and headers. One of the headers is "Ocp-Apim-Subscription-Key", for the subscription key of the product that is associated with this API. If you created the APIM instance, you are an administrator already, so the key is filled in automatically.
-
-3. Press **Try it**.
-4. Press **Send**.
-
-    After an operation is invoked, the developer portal shows the responses.  
-
 ## <a name="next-steps"> </a>Next steps
 
 In this tutorial, you learned how to:
 
 > [!div class="checklist"]
 > * Import your first API
 > * Test the API in the Azure portal
-> * Test the API in the Developer portal
 
 Advance to the next tutorial:
 

articles/api-management/import-and-publish.md

@@ -54,7 +54,7 @@ In this article, you learn how to:
     * **Unlimited**   
 7. Select **Create**.
 
-## Test the new APIM API in the Azure portal
+## Test the new API in the Azure portal
 
 Operations can be called directly from the Azure portal, which provides a convenient way to view and test the operations of an API.  
 
@@ -67,21 +67,6 @@ Operations can be called directly from the Azure portal, which provides a conven
 
     Backend responds with **200 OK** and some data.
 
-## <a name="call-operation"> </a>Call an operation from the developer portal
-
-Operations can also be called **Developer portal** to test APIs. 
-
-1. Select the API you created in the "Import and publish a back-end API" step.
-2. Press **Developer portal**.
-
-    The "Developer portal" site opens up.
-3. Select the **API** that you created.
-4. Click the operation you want to test.
-5. Press **Try it**.
-6. Press **Send**.
-    
-    After an operation is invoked, the developer portal displays the **Response status**, the **Response headers**, and any **Response content**.
-
 [!INCLUDE [api-management-navigate-to-instance.md](../../includes/api-management-append-apis.md)]
 
 [!INCLUDE [api-management-define-api-topics.md](../../includes/api-management-define-api-topics.md)]

articles/api-management/import-api-app-as-api.md

@@ -39,6 +39,7 @@ Complete the following quickstart: [Create an Azure API Management instance](get
 
 1. Select **APIs** from under **API MANAGEMENT**.
 2. Select **OpenAPI specification** from the **Add a new API** list.
+
     ![OpenAPI specification](./media/import-api-from-oas/oas-api.png)
 3. Enter appropriate settings. You can set all the API values during creation. Alternately, you can set some of them later by going to the **Settings** tab. <br/> If you press **tab** some (or all) of the fields get filled up with the info from the specified back-end service.
 
@@ -59,41 +60,19 @@ Complete the following quickstart: [Create an Azure API Management instance](get
 > [!NOTE]
 > The API import limitations are documented in [another article](api-management-api-import-restrictions.md).
 
-## Test the new APIM API in the Azure portal
+## Test the new API in the Azure portal
 
-Operations can be called directly from the Azure portal, which provides a convenient way to view and test the operations of an API.
+![Test API map](./media/api-management-get-started/01-import-first-api-01.png)
 
-![Test API](./media/api-management-get-started/01-import-first-api-01.png)
+Operations can be called directly from the Azure portal, which provides a convenient way to view and test the operations of an API.
 
-1. Select the API you created in the previous step.
+1. Select the API you created in the previous step (from the **APIs** tab).
 2. Press the **Test** tab.
-3. Click on **GetSpeakers**.
-
-    The page displays fields for query parameters but in this case we don't have any. The page also displays fields for the headers. One of the headers is "Ocp-Apim-Subscription-Key", for the subscription key of the product that is associated with this API. If you created the APIM instance, you are an administrator already, so the key is filled in automatically.
+3. Click on **GetSpeakers**. The page displays fields for query parameters, in this case none, and headers. One of the headers is "Ocp-Apim-Subscription-Key", for the subscription key of the product that is associated with this API. The key is filled in automatically.
 4. Press **Send**.
 
     Backend responds with **200 OK** and some data.
 
-## <a name="call-operation"> </a>Call an operation from the Developer portal
-
-Operations can also be called **Developer portal** to test APIs.
-
-1. Select the API you created in the "Import and publish a back-end API" step.
-2. Press **Developer portal**.
-
-    ![Test in Developer portal](./media/api-management-get-started/developer-portal.png)
-
-    The "Developer portal" site opens up.
-3. Select **API**.
-4. Select **Demo Conference API**.
-5. Click **GetSpeakers**.
-
-    The page displays fields for query parameters but in this case we don't have any. The page also displays fields for the headers. One of the headers is "Ocp-Apim-Subscription-Key", for the subscription key of the product that is associated with this API. If you created the APIM instance, you are an administrator already, so the key is filled in automatically.
-6. Press **Try it**.
-7. Press **Send**.
-
-    After an operation is invoked, the developer portal displays the **Response status**, the **Response headers**, and any **Response content**.
-
 [!INCLUDE [api-management-navigate-to-instance.md](../../includes/api-management-append-apis.md)]
 
 [!INCLUDE [api-management-define-api-topics.md](../../includes/api-management-define-api-topics.md)]