MicrosoftDocs
diff --git a/‎articles/active-directory/conditional-access/media/block-legacy-authentication/01.png
-1.79 KB b/‎articles/active-directory/conditional-access/media/block-legacy-authentication/01.png
-1.79 KB
diff --git a/‎articles/active-directory/users-groups-roles/directory-admin-roles-secure.md
Lines changed: 153 additions & 114 deletions b/‎articles/active-directory/users-groups-roles/directory-admin-roles-secure.md
Lines changed: 153 additions & 114 deletions
diff --git a/‎articles/analysis-services/analysis-services-network-faq.md
Lines changed: 6 additions & 2 deletions b/‎articles/analysis-services/analysis-services-network-faq.md
Lines changed: 6 additions & 2 deletions
diff --git a/‎articles/application-gateway/application-gateway-faq.md
Lines changed: 1 addition & 37 deletions b/‎articles/application-gateway/application-gateway-faq.md
Lines changed: 1 addition & 37 deletions
@@ -4,7 +4,7 @@ description: This article provides answers to some of the more common questions
 author: minewiskan
 ms.service: azure-analysis-services
 ms.topic: conceptual
-ms.date: 04/29/2020
+ms.date: 05/05/2020
 ms.author: owend
 ms.reviewer: minewiskan
 ---
@@ -19,7 +19,11 @@ This article provides answers to common questions about connecting to storage ac
 **Answer** - Azure Analysis Services does not use fixed IP addresses or Service Tags. The range of IP addresses your Analysis Services servers use can be anything in the range of IP addresses for the *Azure region*. Because your server IP addresses are variable and can change over time, your firewall rules need to allow for the entire range of Azure region IP addresses your server is in.
 
 **Question** - My Azure storage account is in a different region from my Analysis Services server. How do I configure storage account firewall settings?   
-**Answer** - If the storage account is in a different region, firewall settings must be configured to allow access from **All networks**. Firewall settings configured for Selected networks with whitelisted IP addresses and Allow trusted Microsoft services exception is not supported.
+**Answer** - If the storage account is in a different region, configure storage account firewall settings to allow access from **Selected networks**. In Firewall **Address range**, specify the IP address range for the region the Analysis Services server is in. To get the IP ranges for Azure regions, see [Azure IP Ranges and Service Tags – Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). Configuring storage account firewall settings to allow access from All networks is supported, however choosing Selected networks and specifying an IP address range is preferred. 
+
+**Question** - My Azure storage account is in the same region as my Analysis Services server. How can I configure storage account firewall settings?   
+**Answer** – Because your Analysis Services server and storage account are in the same region, communications between them use internal IP address ranges, therefore, configuring a firewall to use Selected networks and specifying an IP address range is not supported. If organization policies require a firewall, it must be configured to allow access from All networks.
+
 
 ## Data source connections
 
 
@@ -5,7 +5,7 @@ services: application-gateway
 author: vhorne
 ms.service: application-gateway
 ms.topic: article
-ms.date: 04/01/2020
+ms.date: 05/05/2020
 ms.author: victorh
 ---
 
@@ -326,42 +326,6 @@ For multiple domain-based (host-based) routing, you can create multisite listene
 
 No, use only alphanumeric characters in your .pfx file password.
 
-## Configuration - web application firewall (WAF)
-
-### Does the WAF SKU offer all the features available in the Standard SKU?
-
-Yes. WAF supports all the features in the Standard SKU.
-
-### How do I monitor WAF?
-
-Monitor WAF through diagnostic logging. For more information, see [Diagnostic logging and metrics for Application Gateway](application-gateway-diagnostics.md).
-
-### Does detection mode block traffic?
-
-No. Detection mode only logs traffic that triggers a WAF rule.
-
-### Can I customize WAF rules?
-
-Yes. For more information, see [Customize WAF rule groups and rules](application-gateway-customize-waf-rules-portal.md).
-
-### What rules are currently available for WAF?
-
-WAF currently supports CRS [2.2.9](../web-application-firewall/ag/application-gateway-crs-rulegroups-rules.md#owasp229), [3.0](../web-application-firewall/ag/application-gateway-crs-rulegroups-rules.md#owasp30), and [3.1](../web-application-firewall/ag/application-gateway-crs-rulegroups-rules.md#owasp31). These rules provide baseline security against most of the top-10 vulnerabilities that Open Web Application Security Project (OWASP) identifies: 
-
-* SQL injection protection
-* Cross-site scripting protection
-* Protection against common web attacks such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion attack
-* Protection against HTTP protocol violations
-* Protection against HTTP protocol anomalies such as missing host user-agent and accept headers
-* Prevention against bots, crawlers, and scanners
-* Detection of common application misconfigurations (that is, Apache, IIS, and so on)
-
-For more information, see [OWASP top-10 vulnerabilities](https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013).
-
-### Does WAF support DDoS protection?
-
-Yes. You can enable DDoS protection on the virtual network where the application gateway is deployed. This setting ensures that the Azure DDoS Protection service also protects the application gateway virtual IP (VIP).
-
 ## Configuration - ingress controller for AKS
 
 ### What is an Ingress Controller?