MicrosoftDocs
diff --git a/‎articles/active-directory/develop/identity-platform-integration-checklist.md
Lines changed: 4 additions & 1 deletion b/‎articles/active-directory/develop/identity-platform-integration-checklist.md
Lines changed: 4 additions & 1 deletion
diff --git a/‎articles/active-directory/hybrid/reference-connect-government-cloud.md
Lines changed: 80 additions & 59 deletions b/‎articles/active-directory/hybrid/reference-connect-government-cloud.md
Lines changed: 80 additions & 59 deletions
diff --git a/‎articles/aks/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/aks/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/aks/faq.md
Lines changed: 5 additions & 2 deletions b/‎articles/aks/faq.md
Lines changed: 5 additions & 2 deletions
diff --git a/‎articles/aks/uptime-sla.md
Lines changed: 88 additions & 0 deletions b/‎articles/aks/uptime-sla.md
Lines changed: 88 additions & 0 deletions
diff --git a/‎articles/azure-maps/map-add-custom-html.md
Lines changed: 2 additions & 2 deletions b/‎articles/azure-maps/map-add-custom-html.md
Lines changed: 2 additions & 2 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 09/11/2019
+ms.date: 05/08/2020
 ms.author: ryanwi
 ms.reviewer: lenalepa, sureshja, jesakowi
 ms.custom: aaddev, identityplatformtop40, scenarios:getting-started
@@ -24,6 +24,9 @@ If you’re just getting started, check out the [Microsoft identity platform doc
 
 Use the following checklist to ensure that your application is effectively integrated with the [Microsoft identity platform](https://docs.microsoft.com/azure/active-directory/develop/).
 
+> [!TIP]
+> The *Integration assistant* in the Azure portal can help you apply many of these best practices and recommendations. Select any of your [app registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) in the Azure portal, and then select the **Integration assistant (preview)** menu item to get started with the assistant.
+
 ## Basics
 
 |   |   |
 
@@ -1,6 +1,6 @@
 ---
-title: 'Azure AD Connect: Hybrid identity considerations for Azure Government'
-description: Special considerations for deploying Azure AD Connect with the government cloud.
+title: 'Azure AD Connect: Hybrid identity considerations for Azure Government cloud'
+description: Special considerations for deploying Azure AD Connect with the Azure Government cloud.
 services: active-directory
 author: billmath
 manager: daveba
@@ -13,68 +13,89 @@ ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
-# Hybrid identity considerations for Azure Government 
-The following document describes the considerations for implementing a hybrid environment with the Azure Government cloud.  This information is provided as reference for administrators and architects who are working with the Azure Government cloud.  
-> [!NOTE] 
-> In order to integrate an on-premises AD environment with the Azure Governemnt cloud, you need to upgrade to the latest release of [Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594). 
+# Hybrid identity considerations for the Azure Government cloud
 
-> [!NOTE] 
-> For a full list of U.S. Government DoD Endpoints, refer to the [documentation](https://docs.microsoft.com/office365/enterprise/office-365-u-s-government-dod-endpoints) 
+This article describes considerations for integrating a hybrid environment with the Microsoft Azure Government cloud. This information is provided as a reference for administrators and architects who work with the Azure Government cloud.
 
-## Pass-Through Authentication 
-The following information is provided for implementation of pass-through authentication (PTA) and the Azure Government cloud.
+> [!NOTE]
+> To integrate an on-premises Microsoft Azure Active Directory (Azure AD) environment with the Azure Government cloud, you need to upgrade to the latest release of [Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594).
+
+For a full list of United States government Department of Defense endpoints, refer to the [documentation](https://docs.microsoft.com/office365/enterprise/office-365-u-s-government-dod-endpoints).
+
+## Azure AD Pass-through Authentication
+
+The following information describes implementation of Pass-through Authentication and the Azure Government cloud.
+
+### Allow access to URLs
+
+Before you deploy the Pass-through Authentication agent, verify whether a firewall exists between your servers and Azure AD. If your firewall or proxy allows Domain Name System (DNS) blocked or safe programs, add the following connections.
 
-### Allow access to URLs  
-Before deploying the pass-through authentication agent, verify if there is a firewall between your servers and Azure AD. If your firewall or proxy allows DNS whitelisting, add the following connections: 
 > [!NOTE]
-> The following guidance also applies to installing the [Application Proxy connector](https://aka.ms/whyappproxy) for Azure Government environments.
+> The following guidance also applies to installing the [Azure AD Application Proxy connector](https://aka.ms/whyappproxy) for Azure Government environments.
 
 |URL |How it's used|
-|-----|-----| 
-|*.msappproxy.us *.servicebus.usgovcloudapi.net|Communication between the agent and the Azure AD cloud service |
-|mscrl.microsoft.us:80 crl.microsoft.us:80 </br>ocsp.msocsp.us:80 www.microsoft.us:80| The agent uses these URLs to verify certificates.| 
-|login.windows.us secure.aadcdn.microsoftonline-p.com *.microsoftonline.us </br>*.microsoftonline-p.us </br>*.msauth.net </br>*.msauthimages.net </br>*.msecnd.net</br>*.msftauth.net </br>*.msftauthimages.net</br>*.phonefactor.net </br>enterpriseregistration.windows.net</br>management.azure.com </br>policykeyservice.dc.ad.msft.net</br>ctdl.windowsupdate.us:80| The agent uses these URLs during the registration process.| 
-
-### Install the agent for the Azure Government cloud 
-In order to install the agent for the Azure Government cloud, you must follow these specific steps: 
-In the command line terminal, navigate to folder where the executable for installing the agent is located. 
-Run the following command which specifies the installation is for Azure Government. 
-
-For Passthrough Authentication: 
-```
-AADConnectAuthAgentSetup.exe ENVIRONMENTNAME="AzureUSGovernment"
-```
-
-For Application Proxy:
-```
-AADApplicationProxyConnectorInstaller.exe ENVIRONMENTNAME="AzureUSGovernment" 
-```
-
-## Single sign on 
-Set up your Azure AD Connect server: If you use Pass-through Authentication as your sign-in method, no additional prerequisite check is required. If you use password hash synchronization as your sign-in method, and if there is a firewall between Azure AD Connect and Azure AD, ensure that:
-- You use version 1.1.644.0 or later of Azure AD Connect. 
-- If your firewall or proxy allows DNS whitelisting, add the connections to the *.msapproxy.us URLs over port 443. If not, allow access to the Azure datacenter IP ranges, which are updated weekly. This prerequisite is applicable only when you enable the feature. It is not required for actual user sign-ins. 
-
-### Rolling out seamless SSO 
-You can gradually roll out Seamless SSO to your users using the instructions provided below. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: 
-https://autologon.microsoft.us 
-
-In addition, you need to enable an Intranet zone policy setting called Allow updates to status bar via script through Group Policy. 
-Browser considerations 
-Mozilla Firefox (all platforms) 
-Mozilla Firefox doesn't automatically use Kerberos authentication. Each user must manually add the Azure AD URL to their Firefox settings by using the following steps: 
-1. Run Firefox and enter about:config in the address bar. Dismiss any notifications that you see. 
-2. Search for the network.negotiate-auth.trusted-uris preference. This preference lists Firefox's trusted sites for Kerberos authentication. 
-3. Right-click and select Modify. 
-4. Enter https://autologon.microsoft.us in the field.
-5. Select OK and then reopen the browser. 
-
-### Microsoft Edge based on Chromium (all platforms) 
-If you have overridden the `AuthNegotiateDelegateAllowlist` or the `AuthServerAllowlist` policy settings in your environment, ensure that you add Azure AD's URL (https://autologon.microsoft.us) to them as well. 
-
-### Google Chrome (all platforms) 
-If you have overridden the `AuthNegotiateDelegateWhitelist` or the `AuthServerWhitelist` policy settings in your environment, ensure that you add Azure AD's URL (https://autologon.microsoft.us) to them as well. 
+|-----|-----|
+|&#42;.msappproxy.us</br>&#42;.servicebus.usgovcloudapi.net|The agent uses these URLs to communicate with the Azure AD cloud service. |
+|mscrl.microsoft.us:80 </br>crl.microsoft.us:80 </br>ocsp.msocsp.us:80 </br>www.microsoft.us:80| The agent uses these URLs to verify certificates.|
+|login.windows.us </br>secure.aadcdn.microsoftonline-p.com </br>&#42;.microsoftonline.us </br>&#42;.microsoftonline-p.us </br>&#42;.msauth.net </br>&#42;.msauthimages.net </br>&#42;.msecnd.net</br>&#42;.msftauth.net </br>&#42;.msftauthimages.net</br>&#42;.phonefactor.net </br>enterpriseregistration.windows.net</br>management.azure.com </br>policykeyservice.dc.ad.msft.net</br>ctdl.windowsupdate.us:80| The agent uses these URLs during the registration process.
+
+### Install the agent for the Azure Government cloud
+
+Follow these steps to install the agent for the Azure Government cloud:
+
+1. In the command-line terminal, go to the folder that contains the executable file that installs the agent.
+1. Run the following commands, which specify that the installation is for Azure Government.
+
+   For Pass-through Authentication:
+
+   ```
+   AADConnectAuthAgentSetup.exe ENVIRONMENTNAME="AzureUSGovernment"
+   ```
+
+   For Application Proxy:
+
+   ```
+   AADApplicationProxyConnectorInstaller.exe ENVIRONMENTNAME="AzureUSGovernment" 
+   ```
+
+## Single sign-on
+
+### Set up your Azure AD Connect server
+
+If you use Pass-through Authentication as your sign-on method, no additional prerequisite check is required. If you use password hash synchronization as your sign-on method and there is a firewall between Azure AD Connect and Azure AD, ensure that:
+
+- You use Azure AD Connect version 1.1.644.0 or later.
+- If your firewall or proxy allows DNS blocked or safe programs, add the connections to the &#42;.msappproxy.us URLs over port 443.
+
+  If not, allow access to the Azure datacenter IP ranges, which are updated weekly. This prerequisite applies only when you enable the feature. It isn't required for actual user sign-ons.
+
+### Roll out Seamless Single Sign-On
+
+You can gradually roll out Azure AD Seamless Single Sign-On to your users by using the following instructions. You start by adding the Azure AD URL [https://autologon.microsoft.us](https://autologon.microsoft.us) to all or selected users' Intranet zone settings by using Group Policy in Active Directory.
+
+You also need to enable the intranet zone policy setting **Allow updates to status bar via script through Group Policy**.
+
+## Browser considerations
+
+### Mozilla Firefox (all platforms)
+
+Mozilla Firefox doesn't automatically use Kerberos authentication. Each user must manually add the Azure AD URL to their Firefox settings by following these steps:
+
+1. Run Firefox and enter **about:config** in the address bar. Dismiss any notifications that you might see.
+1. Search for the **network.negotiate-auth.trusted-uris** preference. This preference lists the sites trusted by Firefox for Kerberos authentication.
+1. Right-click the preference name and then select **Modify**.
+1. Enter [**https://autologon.microsoft.us**](https://autologon.microsoft.us**) in the box.
+1. Select **OK** and then reopen the browser.
+
+### Microsoft Edge based on Chromium (all platforms)
+
+If you have overridden the `AuthNegotiateDelegateAllowlist` or `AuthServerAllowlist` policy settings in your environment, ensure that you add the Azure AD URL [https://autologon.microsoft.us](https://autologon.microsoft.us) to them.
+
+### Google Chrome (all platforms)
+
+If you have overridden the `AuthNegotiateDelegateWhitelist` or `AuthServerWhitelist` policy settings in your environment, ensure that you add the Azure AD URL [https://autologon.microsoft.us](https://autologon.microsoft.us) to them.
 
 ## Next steps
-[Pass-through Authentication](how-to-connect-pta-quick-start.md#step-1-check-the-prerequisites)
-[Single Sign-on](how-to-connect-sso-quick-start.md#step-1-check-the-prerequisites) 
+
+- [Pass-through Authentication](how-to-connect-pta-quick-start.md#step-1-check-the-prerequisites)
+- [Single Sign-On](how-to-connect-sso-quick-start.md#step-1-check-the-prerequisites)
@@ -129,6 +129,8 @@
       href: scale-cluster.md
     - name: Upgrade an AKS cluster
       href: upgrade-cluster.md
+    - name: Use Uptime SLA
+      href: uptime-sla.md
     - name: Process node OS updates
       href: node-updates-kured.md
     - name: Configure an AKS cluster
 
@@ -123,6 +123,8 @@ Windows Server support for node pool includes some limitations that are part of
 
 ## Does AKS offer a service-level agreement?
 
+AKS provides the ability to achieve 99.95% availability for the API server with [Uptime SLA][uptime-sla.md].
+
 In a service-level agreement (SLA), the provider agrees to reimburse the customer for the cost of the service if the published service level isn't met. Since AKS is free, no cost is available to reimburse, so AKS has no formal SLA. However, AKS seeks to maintain availability of at least 99.5 percent for the Kubernetes API server.
 
 It is important to recognize the distinction between AKS service availability which refers to uptime of the Kubernetes control plane and the availability of your specific workload which is running on Azure Virtual Machines. Although the control plane may be unavailable if the control plane is not ready, your cluster workloads running on Azure VMs can still function. Given Azure VMs are paid resources they are backed by a financial SLA. Read [here for more details](https://azure.microsoft.com/support/legal/sla/virtual-machines/v1_8/) on the Azure VM SLA and how to increase that availability with features like [Availability Zones][availability-zones].
@@ -139,7 +141,7 @@ The `az aks update-credentials` command can be used to move an AKS cluster betwe
 
 Movement of clusters between subscriptions is currently unsupported.
 
-## Can I move my AKS clusters from the current azure subscription to another? 
+## Can I move my AKS clusters from the current Azure subscription to another? 
 
 Moving your AKS cluster and it's associated resources between Azure subscriptions is not supported.
 
@@ -205,11 +207,12 @@ No AKS is a managed service, and manipulation of the IaaS resources is not suppo
 [bcdr-bestpractices]: ./operator-best-practices-multi-region.md#plan-for-multiregion-deployment
 [availability-zones]: ./availability-zones.md
 [az-regions]: ../availability-zones/az-region.md
+[uptime-sla] ./uptime-sla.md
 
 <!-- LINKS - external -->
 [aks-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=kubernetes-service
 [auto-scaler]: https://github.com/kubernetes/autoscaler
 [cordon-drain]: https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/
 [admission-controllers]: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
 [private-clusters-github-issue]: https://github.com/Azure/AKS/issues/948
-[csi-driver]: https://github.com/Azure/secrets-store-csi-driver-provider-azure
+[csi-driver]: https://github.com/Azure/secrets-store-csi-driver-provider-azure
@@ -0,0 +1,88 @@
+---
+title: Azure Kubernetes Service (AKS) high availability with Uptime SLA
+description: Learn about the optional high availability Uptime SLA offering for the Azure Kubernetes Service (AKS) API Server.
+services: container-service
+ms.topic: conceptual
+ms.date: 05/11/2020
+---
+
+# Azure Kubernetes Service (AKS) Uptime SLA
+
+Uptime SLA is an optional feature to enable financially backed higher SLA for a cluster. Uptime SLA guarantees 99.95% availability of the Kubernetes API server endpoint for clusters that use [Availability Zone][availability-zones] and 99.9% of availability for clusters that don't use availability zones. AKS uses master node replicas across update and fault domains to ensure SLA requirements are met.
+
+Customers needing SLA for compliance reasons or extending SLA's to their customers should turn on this feature. Customers with critical workloads who need higher availability with an option of SLA benefit from enabling this feature. Enable the feature with Availability Zones to obtain higher availability of the Kubernetes API server.  
+
+Customers can create unlimited free clusters with a service level objective (SLO) of 99.5%.
+
+> [!Important]
+> For clusters with egress lockdown, see [limit egress traffic](limit-egress-traffic.md) to open appropriate ports for Uptime SLA.
+
+## SLA terms and conditions
+
+Uptime SLA is a paid feature and enabled per cluster. Uptime SLA pricing is determined by the number of clusters, and not by the size of the clusters. You can view [Uptime SLA pricing details](https://azure.microsoft.com/pricing/details/kubernetes-service/) for more information.
+
+## Region Availability
+
+Uptime SLA is available in the following regions:
+
+* Australia East
+* Canada Central
+* East US
+* East US 2
+* South Central US
+* South East Asia
+* West US 2
+
+## Before you begin
+
+* The Azure CLI version 2.7.0 or later
+
+## Creating a cluster with Uptime SLA
+
+To create a new cluster with the Uptime SLA, you use the Azure CLI.
+
+The following example creates a resource group named *myResourceGroup* in the *eastus* location.
+
+```azurecli-interactive
+az group create --name myResourceGroup --location eastus
+```
+Use the [az aks create][az-aks-create] command to create an AKS cluster. The following example creates a cluster named *myAKSCluster* with one node. Azure Monitor for containers is also enabled using the *--enable-addons monitoring* parameter.  This operation takes several minutes to complete.
+
+```azurecli-interactive
+az aks create --resource-group myResourceGroup --name myAKSCluster --uptime-sla --node-count 1 --enable-addons monitoring --generate-ssh-keys
+```
+After a few minutes, the command completes and returns JSON-formatted information about the cluster. The following JSON snippet shows the paid tier for the SKU, indicating your cluster is enabled with Uptime SLA.
+
+```output
+  },
+  "sku": {
+    "name": "Basic",
+    "tier": "Paid"
+  },
+  "tags": null,
+  "type": "Microsoft.ContainerService/ManagedClusters",
+  "windowsProfile": null
+```
+
+## Limitations
+
+* You can't currently add Uptime SLA to existing clusters.
+* Currently, there is no way to remove Uptime SLA from an AKS cluster.  
+
+## Next steps
+
+Use [Availability Zones][availability-zones] to increase high availability with your AKS cluster workloads.
+
+<!-- LINKS - External -->
+[azure-support]: https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest
+[region-availability]: https://azure.microsoft.com/global-infrastructure/services/?products=kubernetes-service
+
+<!-- LINKS - Internal -->
+[vm-skus]: ../virtual-machines/linux/sizes.md
+[nodepool-upgrade]: use-multiple-node-pools.md#upgrade-a-node-pool
+[faq]: ./faq.md
+[availability-zones]: ./availability-zones.md
+[az-aks-create]: /cli/azure/aks?view=azure-cli-latest#az-aks-create
+[limit-egress-traffic]: ./limit-egress-traffic.md
+[az-extension-add]: /cli/azure/extension#az-extension-add
+[az-extension-update]: /cli/azure/extension#az-extension-update
@@ -1,8 +1,8 @@
 ---
 title: Add an HTML Marker to map | Microsoft Azure Maps
 description: In this article, you will learn about how to add an HTML Marker to a map using the Microsoft Azure Maps Web SDK.
-author: jinzh-azureiot
-ms.author: jinzh
+author: Philmea
+ms.author: philmea
 ms.date: 07/29/2019
 ms.topic: conceptual
 ms.service: azure-maps