Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into normesta-sdk-interop

Author: normesta

articles/active-directory/authentication/howto-authentication-passwordless-security-key-windows.md

@@ -42,6 +42,7 @@ This document focuses on enabling FIDO2 security key based passwordless authenti
 - “Run as“ is **not supported** using security key.
 - Log in to a server using security key is **not supported**.
 - If you have not used your security key to sign in to your device while online, you will not be able to use it to sign in or unlock offline.
+- Signing in or unlocking a Windows 10 device with a security key containing multiple Azure AD accounts. This scenario will utilize the last account added to the security key. WebAuthN will allow users to choose the account they wish to use.
 
 ## Prepare devices for preview
 

articles/active-directory/conditional-access/require-managed-devices.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: article
-ms.date: 11/21/2019
+ms.date: 11/22/2019
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -77,7 +77,7 @@ The option to *require a device to be marked as compliant* is the strongest form
 
 This option requires a device to be registered with Azure AD, and also to be marked as compliant by:
 
-- Intune.
+- Intune
 - A third-party mobile device management (MDM) system that manages Windows 10 devices via Azure AD integration. Third-party MDM systems for device OS types other than Windows 10 are not supported.
 
 ![Device-based conditions](./media/require-managed-devices/46.png)
@@ -89,6 +89,9 @@ For a device that is marked as compliant, you can assume that:
 - Your company information is protected by helping to control the way your workforce accesses and shares it
 - The device and its apps are compliant with company security requirements
 
+> [!NOTE]
+> If you configure a policy to require compliant devices users may be prompted on Mac, iOS, and Android to select a device certificate during policy evaluation. This is a known behavior.
+
 ## Next steps
 
 Before configuring a device-based Conditional Access policy in your environment, you should take a look at the [best practices for Conditional Access in Azure Active Directory](best-practices.md).

articles/active-directory/identity-protection/index.yml

@@ -35,7 +35,7 @@ landingContent:
     linkLists:
       - linkListType: how-to-guide
         links:
-          - text: Configure risk polciies
+          - text: Configure risk policies
             url: howto-identity-protection-configure-risk-policies.md
           - text: Investigate risk
             url: howto-identity-protection-investigate-risk.md

articles/api-management/api-management-howto-aad-b2c.md

@@ -89,6 +89,9 @@ In the developer portal, sign-in with AAD B2C is possible with the **OAuth butto
 
 Although a new account will be automatically created whenever a new user signs in with AAD B2C, you may consider adding the same widget to the sign-up page.
 
+> [!IMPORTANT]
+> You need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the AAD changes to take effect.
+
 ## Legacy developer portal - how to sign up with Azure AD B2C
 
 [!INCLUDE [api-management-portal-legacy.md](../../includes/api-management-portal-legacy.md)]

articles/api-management/api-management-howto-aad.md

@@ -107,6 +107,9 @@ In the developer portal, sign-in with AAD is possible with the **OAuth buttons**
 
 Although a new account will be automatically created whenever a new user signs in with AAD, you may consider adding the same widget to the sign-up page.
 
+> [!IMPORTANT]
+> You need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the AAD changes to take effect.
+
 ## Legacy developer portal - how to sign in with Azure AD
 
 [!INCLUDE [api-management-portal-legacy.md](../../includes/api-management-portal-legacy.md)]

articles/api-management/api-management-howto-developer-portal-customize.md

@@ -11,7 +11,7 @@ ms.service: api-management
 ms.workload: mobile
 ms.tgt_pltfrm: na
 ms.topic: article
-ms.date: 11/04/2019
+ms.date: 11/22/2019
 ms.author: apimpm
 ---
 
@@ -107,14 +107,17 @@ In the video below we demonstrate how to edit the content of the portal, customi
 
 > [!VIDEO https://www.youtube.com/embed/5mMtUSmfUlw]
 
-## Publish the portal
+## <a name="publish"> </a>Publish the portal
 
 To make your portal and its latest changes available to visitors, you need to publish it.
 
 1. Make sure you saved your changes by clicking on the **Save** icon.
 1. Click on **Publish website** in the **Operations** section of the menu. This operation may take a few minutes.  
     ![Publish portal](media/api-management-howto-developer-portal-customize/publish-portal.png)
 
+> [!NOTE]
+> The portal needs to be republished after API Management service configuration changes, such as assigning a custom domain, updating the identity providers, setting delegation, specifying sign-in and product terms, and more.
+
 ## Visit the published portal
 
 After you publish the portal, you can access it at the same URL as the administrative panel, for example `https://contoso-api.developer.azure-api.net`. View it in a separate browser session (incognito / private browsing mode) as an external visitor.

articles/api-management/api-management-howto-developer-portal.md

@@ -11,7 +11,7 @@ ms.service: api-management
 ms.workload: mobile
 ms.tgt_pltfrm: na
 ms.topic: article
-ms.date: 11/04/2019
+ms.date: 11/22/2019
 ms.author: apimpm
 ---
 
@@ -61,7 +61,7 @@ The portal components can be logically divided into two categories: *code* and *
 
 *API Management content* includes entities such as APIs, Operations, Products, Subscriptions.
 
-The portal is based on an adapted fork of the [Paperbits framework](https://paperbits.io/). The original Paperbits functionality has been extended to provide API Management-specific widgets (e.g., a list of APIs, a list of Products) and a connector to API Management service for saving and retrieving content.
+The portal is based on an adapted fork of the [Paperbits framework](https://paperbits.io/). The original Paperbits functionality has been extended to provide API Management-specific widgets (for example, a list of APIs, a list of Products) and a connector to API Management service for saving and retrieving content.
 
 ## <a name="faq"></a> Frequently asked questions
 
@@ -89,6 +89,8 @@ Portals are incompatible and you need to migrate the content manually.
 
 The new developer portal doesn't support *Applications* and *Issues*. If you have used *Issues* in the old portal and need them in the new one, post a comment in [a dedicated GitHub issue](https://github.com/Azure/api-management-developer-portal/issues/122).
 
+Authentication with OAuth in the interactive developer console is not yet supported. You can track the progress through [the GitHub issue](https://github.com/Azure/api-management-developer-portal/issues/208).
+
 ### Has the old portal been deprecated?
 
 The old developer and publisher portals are now *legacy* features - they will be receiving security updates only. New features will be implemented in the new developer portal only.
@@ -105,13 +107,31 @@ The API is documented in [the GitHub repository's wiki section][2]. It can also
 
 No.
 
-### Do I need to enable additional VNET connectivity for the managed portal dependencies?
+### Do I need to enable additional VNet connectivity for the new managed portal dependencies?
 
-No.
+In most cases - no.
+
+If your API Management service is in an internal VNet, your developer portal is only accessible from within the network. The management endpoint's host name must resolve to the internal VIP of the service from the machine you use to access the portal's administrative interface. Make sure the management endpoint is registered in the DNS. In case of misconfiguration, you will see an error: `Unable to start the portal. See if settings are specified correctly in the configuration (...)`.
+
+### I have assigned a custom API Management domain and the published portal doesn't work
+
+After you update the domain, you need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the changes to take effect.
+
+### I have added an identity provider and I can't see it in the portal
 
-### I'm getting a CORS error when using the interactive console. What should I do?
+After you configure an identity provider (for example, AAD, AAD B2C), you need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the changes to take effect.
 
-The interactive console makes a client-side API request from the browser. You can resolve the CORS problem by adding [a CORS policy](https://docs.microsoft.com/azure/api-management/api-management-cross-domain-policies#CORS) on your API(s). You can specify all the parameters manually or use wildcard `*` values. For example:
+### I have set up delegation and the portal doesn't use it
+
+After you set up delegation, you need to [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the changes to take effect.
+
+### My other API Management configuration changes haven't been propagated in the developer portal
+
+Most configuration changes (for example, VNet, sign-in and product terms) require [republishing the portal](api-management-howto-developer-portal-customize.md#publish).
+
+### I'm getting a CORS error when using the interactive console
+
+The interactive console makes a client-side API request from the browser. You can resolve the CORS problem by adding [a CORS policy](api-management-cross-domain-policies.md#CORS) on your API(s). You can specify all the parameters manually or use wildcard `*` values. For example:
 
 ```XML
 <cors>
@@ -145,6 +165,46 @@ The interactive console makes a client-side API request from the browser. You ca
 >
 > As a workaround you can pass the subscription key in a query parameter.
 
+### What permissions do I need to edit the developer portal?
+
+If you're seeing the `Oops. Something went wrong. Please try again later.` error when you open the portal in the administrative mode, you may be lacking the required permissions (RBAC).
+
+The legacy portals required the permission `Microsoft.ApiManagement/service/getssotoken/action` at the service scope (`/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim-service-name>`) to allow the user administrator access to the portals. The new portal requires the permission `Microsoft.ApiManagement/service/users/token/action` at the scope `/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim-service-name>/users/1`.
+
+You can use the following PowerShell script to create a role with the required permission. Remember to change the `<subscription-id>` parameter. 
+
+```PowerShell
+#New Portals Admin Role 
+Import-Module Az 
+Connect-AzAccount 
+$contributorRole = Get-AzRoleDefinition "API Management Service Contributor" 
+$customRole = $contributorRole 
+$customRole.Id = $null
+$customRole.Name = "APIM New Portal Admin" 
+$customRole.Description = "This role gives the user ability to log in to the new Developer portal as administrator" 
+$customRole.Actions = "Microsoft.ApiManagement/service/users/token/action" 
+$customRole.IsCustom = $true 
+$customRole.AssignableScopes.Clear() 
+$customRole.AssignableScopes.Add('/subscriptions/<subscription-id>') 
+New-AzRoleDefinition -Role $customRole 
+```
+ 
+Once the role is created, it can be granted to any user from the **Access Control (IAM)** section in the Azure portal. Assigning this role to a user will assign the permission at the service scope. The user will be able to generate SAS tokens on behalf of *any* user in the service. At the minimum, this role needs to be assigned to the administrator of the service. The following PowerShell command demonstrates how to assign the role to a user `user1` at the lowest scope to avoid granting unnecessary permissions to the user: 
+
+```PowerShell
+New-AzRoleAssignment -SignInName "[email protected]" -RoleDefinitionName "APIM New Portal Admin" -Scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim-service-name>/users/1" 
+```
+
+After the permissions have been granted to a user, the user must sign out and sign in again to the Azure portal for the new permissions to take effect.
+
+### I'm seeing the `Unable to start the portal. See if settings are specified correctly (...)` error
+
+This error is shown when a `GET` call to `https://<management-endpoint-hostname>/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ApiManagement/service/xxx/contentTypes/document/contentItems/configuration?api-version=2018-06-01-preview` fails. The call is issued from the browser by the administrative interface of the portal.
+
+If your API Management service is in a VNet - refer to the VNet connectivity question above.
+
+The call failure may also be caused by an SSL certificate, which is assigned to a custom domain and is not trusted by the browser. As a mitigation, you can remove the management endpoint custom domain - API Management will fall back to the default endpoint with a trusted certificate.
+
 ## Next steps
 
 Learn more about the new developer portal:

articles/api-management/api-management-howto-setup-delegation.md

@@ -18,13 +18,13 @@ ms.author: apimpm
 ---
 # How to delegate user registration and product subscription
 
-Delegation allows you to use your existing website for handling developer sign in/sign up and subscription to products, as opposed to using the built-in functionality in the developer portal. This enables your website to own the user data and perform the validation of these steps in a custom way.
+Delegation allows you to use your existing website for handling developer sign in/sign up and subscription to products, as opposed to using the built-in functionality in the developer portal. It enables your website to own the user data and perform the validation of these steps in a custom way.
 
 [!INCLUDE [premium-dev-standard-basic.md](../../includes/api-management-availability-premium-dev-standard-basic.md)]
 
-## <a name="delegate-signin-up"> </a>Delegating developer sign in and sign up
+## <a name="delegate-signin-up"> </a>Delegating developer sign-in and sign-up
 
-To delegate developer sign in and sign up to your existing website, you'll need to create a special delegation endpoint on your site. It needs to act as the entry-point for any such request initiated from the API Management developer portal.
+To delegate developer, sign in and sign up to your existing website, you'll need to create a special delegation endpoint on your site. It needs to act as the entry-point for any such request initiated from the API Management developer portal.
 
 The final workflow will be as follows:
 
@@ -170,6 +170,9 @@ var digest = hmac.update(salt + '\n' + returnUrl).digest();
 var signature = digest.toString('base64');
 ```
 
+> [!IMPORTANT]
+> You need to [republish the developer portal](api-management-howto-developer-portal-customize.md#publish) for the delegation changes to take effect.
+
 ## Next steps
 For more information on delegation, see the following video:
 

articles/blockchain/service/configure-aad.md

@@ -1,13 +1,13 @@
 ---
 title: Configure Azure Active Directory access - Azure Blockchain Service
 description: How to configure Azure Blockchain Service with Azure Active Directory access
-ms.date: 05/02/2019
+ms.date: 11/22/2019
 ms.topic: article
 ms.reviewer: janders
 #Customer intent: As a node operator, I want to configure Azure Blockchain Service with Azure Active Directory access.
 ---
 
-# How to configure Azure Active Directory access
+# How to configure Azure Active Directory access for Azure Blockchain Service
 
 In this article, you learn how to grant access and connect to Azure Blockchain Service nodes using Azure Active Directory (Azure AD) user, group, or application IDs.
 
@@ -31,7 +31,7 @@ To grant access permission at the member level.
 
     | Azure AD object | Example |
     |-----------------|---------|
-    | Azure AD user   | `frank@contoso.onmicrosoft.com` |
+    | Azure AD user   | `kim@contoso.onmicrosoft.com` |
     | Azure AD group  | `[email protected]` |
     | Application ID  | `13925ab1-4161-4534-8d18-812f5ca1ab1e` |
 
@@ -41,8 +41,11 @@ To grant access permission at the member level.
 
 ### Grant node level access
 
-1. You can grant access at the node level by navigating to node security and click on the node name that you wish to grant access.
-1. Select the Blockchain Member Node Access (Preview) role and add the Azure AD ID object you wish to grant access to. 
+You can grant access at the node level by navigating to node security and click on the node name that you wish to grant access.
+
+Select the Blockchain Member Node Access (Preview) role and add the Azure AD ID object you wish to grant access to.
+
+For more information, see [Configure Azure Blockchain Service transaction nodes](configure-transaction-nodes.md#azure-active-directory-access-control).
 
 ## Connect using Azure Blockchain Connector
 
@@ -100,7 +103,4 @@ connector.exe -remote <myBlockchainEndpoint>  -method aaddevice -tenant-id <myAA
 
 ## Next steps
 
-For more information about data security in Azure Blockchain Service, see:
-
-> [!div class="nextstepaction"]
-> [Azure Blockchain Service security](data-security.md)
+For more information about data security in Azure Blockchain Service, see [Azure Blockchain Service security](data-security.md).

articles/blockchain/service/connect-geth.md

@@ -60,4 +60,4 @@ You can get the Geth connection string for an Azure Blockchain Service transacti
 In this quickstart, you used the Geth client to attach to a Geth instance on an Azure Blockchain Service transaction node. Try the next tutorial to use Azure Blockchain Development Kit for Ethereum to create, build, deploy, and execute a smart contract function via a transaction.
 
 > [!div class="nextstepaction"]
-> [Use Visual Studio Code to create, build, and deploy smart contracts](send-transaction.md)
+> [Create, build, and deploy smart contracts on Azure Blockchain Service](send-transaction.md)