Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into asc-melvyn-daily

Author: memildin

articles/active-directory/fundamentals/active-directory-deployment-plans.md

@@ -57,9 +57,10 @@ Widening the rollout to larger groups of users should be carried out by increasi
 
 | Capability | Description|
 | -| -|
-| [Multi-Factor Authentication](https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted)| Azure Multi-Factor Authentication (MFA) is Microsoft's two-step verification solution. Using admin-approved authentication methods, Azure MFA helps safeguard access to your data and applications while meeting the demand for a simple sign-in process. |
+| [Multi-Factor Authentication](https://aka.ms/deploymentplans/mfa)| Azure Multi-Factor Authentication (MFA) is Microsoft's two-step verification solution. Using admin-approved authentication methods, Azure MFA helps safeguard access to your data and applications while meeting the demand for a simple sign-in process. |
 | [Conditional Access](https://aka.ms/deploymentplans/ca)| With Conditional Access, you can implement automated access control decisions for who can access your cloud apps, based on conditions. |
 | [Self-service password reset](https://aka.ms/deploymentplans/sspr)| Self-service password reset helps your users reset their passwords without administrator intervention, when and where they need to. |
+| [Passwordless](https://aka.ms/deploymentplans/passwordless) | Implement passwordless authentication using the the Microsoft Authenticator app or FIDO2 Security keys in your organization |
 
 ## Deploy application management
 
@@ -82,7 +83,7 @@ Widening the rollout to larger groups of users should be carried out by increasi
 
 | Capability | Description|
 | -| -|
-| [User provisioning](https://aka.ms/UserProvisioningDPDownload)| Azure AD helps you automate the creation, maintenance, and removal of user identities in cloud (SaaS) applications, such as Dropbox, Salesforce, ServiceNow, and more. |
+| [User provisioning](https://aka.ms/deploymentplans/userprovisioning)| Azure AD helps you automate the creation, maintenance, and removal of user identities in cloud (SaaS) applications, such as Dropbox, Salesforce, ServiceNow, and more. |
 | [Workday-driven Inbound User Provisioning](https://aka.ms/WorkdayDeploymentPlan)| Workday-driven Inbound User Provisioning to Active Directory creates a foundation for ongoing identity governance and enhances the quality of business processes that rely on authoritative identity data. Using this feature, you can seamlessly manage the identity lifecycle of employees and contingent workers by configuring rules that map Joiner-Mover-Leaver processes (such as New Hire, Terminate, Transfer) to IT provisioning actions (such as Create, Enable, Disable) |
 
 ## Deploy governance and reporting

articles/active-directory/hybrid/reference-connect-faq.md

@@ -51,7 +51,7 @@ Yes. After you install the agent, you can complete the registration process by u
 
 `Register-AzureADConnectHealthADDSAgent -Credentials $cred`
 
-**Q: Does Azure AD Connect support syncing from two domains to on Azure AD?**  
+**Q: Does Azure AD Connect support syncing from two domains to an Azure AD?**  
 Yes, this scenario is supported. Refer to [Multiple Domains](how-to-connect-install-multiple-domains.md).
 
 **Q: Can you have multiple connectors for the same Active Directory domain in Azure AD Connect?**  

articles/cognitive-services/LUIS/luis-boundaries.md

@@ -8,7 +8,7 @@ manager: nitinme
 ms.service: cognitive-services
 ms.subservice: language-understanding
 ms.topic: conceptual
-ms.date: 10/24/2019
+ms.date: 11/04/2019
 ms.author: diberry
 ms.custom: seodec18 
 ---
@@ -30,10 +30,11 @@ If your app exceeds the LUIS model limits and boundaries, consider using a [LUIS
 | [Intents][intents]|500 per application: 499 custom intents, and the required _None_ intent.<br>[Dispatch-based](https://aka.ms/dispatch-tool) application has corresponding 500 dispatch sources.|
 | [List entities](./luis-concept-entity-types.md) | Parent: 50, child: 20,000 items. Canonical name is *default character max. Synonym values have no length restriction. |
 | [Machine-learned entities + roles](./luis-concept-entity-types.md):<br> composite,<br>simple,<br>entity role|A limit of either 100 parent entities or 330 entities, whichever limit the user hits first. A role counts as an entity for the purpose of this boundary. An example is a composite with a simple entity, which has 2 roles is: 1 composite + 1 simple + 2 roles = 4 of the 330 entities.|
+|Model as a feature| Maximum number of models that can be used as a descriptor (feature) to a specific model to be 10 models. The maximum number of phrase lists used as a descriptor (feature) for a specific model to be 10 phrase lists.|
 | [Preview - Dynamic list entities](https://aka.ms/luis-api-v3-doc#dynamic-lists-passed-in-at-prediction-time)|2 lists of ~1k per query prediction endpoint request|
 | [Patterns](luis-concept-patterns.md)|500 patterns per application.<br>Maximum length of pattern is 400 characters.<br>3 Pattern.any entities per pattern<br>Maximum of 2 nested optional texts in pattern|
 | [Pattern.any](./luis-concept-entity-types.md)|100 per application, 3 pattern.any entities per pattern |
-| [Phrase list][phrase-list]|10 phrase lists, 5,000 items per list|
+| [Phrase list][phrase-list]|500 phrase lists. Non-interchangeable phraselist has max of 5,000 phrases. Interchangeable Phraselist has max of 50,000 phrases. Maximum number of total phrases per application  of 500,000 phrases.|
 | [Prebuilt entities](./luis-prebuilt-entities.md) | no limit|
 | [Regular expression entities](./luis-concept-entity-types.md)|20 entities<br>500 character max. per regular expression entity pattern|
 | [Roles](luis-concept-roles.md)|300 roles per application. 10 roles per entity|

articles/cognitive-services/LUIS/luis-concept-feature.md

@@ -9,7 +9,7 @@ ms.custom: seodec18
 ms.service: cognitive-services
 ms.subservice: language-understanding
 ms.topic: conceptual
-ms.date: 10/25/2019
+ms.date: 11/03/2019
 ms.author: diberry
 ---
 # Machine-learned features 
@@ -37,6 +37,14 @@ When you want to be able to recognize new instances, like a meeting scheduler th
 
 Phrase lists are like domain-specific vocabulary that help with enhancing the quality of understanding of both intents and entities. 
 
+## Considerations when using a phrase list
+
+A phrase list is applied, by default, to all models in the app. This will work for phrase lists that can cross all intents and entities. For decomposability, you should apply a phrase list to only the models it is relevant to. 
+
+If you create a phrase list (created globally by default), then later apply it as a descriptor (feature) to a specific model, it is removed from the other models. This removal adds relevance to the phrase list for the model it is applied to, helping improve the accuracy it provides in the model. 
+
+The `enabledForAllModels` flag controls this model scope in the API. 
+
 <a name="how-to-use-phrase-lists"></a>
 
 ### How to use a phrase list

articles/cognitive-services/LUIS/luis-how-to-add-features.md

@@ -9,7 +9,7 @@ ms.custom: seodec18
 ms.service: cognitive-services
 ms.subservice: language-understanding
 ms.topic: conceptual
-ms.date: 10/25/2019
+ms.date: 11/03/2019
 ms.author: diberry
 ---
 
@@ -21,6 +21,8 @@ A [phrase list](luis-concept-feature.md) includes a group of values (words or ph
 
 A phrase list adds to the vocabulary of the app domain as a second signal to LUIS about those words.
 
+Review [feature concepts](luis-concept-feature.md) to understand when and why to use a phrase list. 
+
 [!INCLUDE [Waiting for LUIS portal refresh](./includes/wait-v3-upgrade.md)]
 
 ## Add phrase list

articles/cognitive-services/LUIS/whats-new.md

@@ -9,7 +9,7 @@ services: cognitive-services
 ms.service: cognitive-services
 ms.subservice: language-understanding
 ms.topic: conceptual
-ms.date: 10/23/2019
+ms.date: 11/04/2019
 ms.author: diberry
 ---
 
@@ -30,17 +30,14 @@ Learn what's new in the service. These items include release notes, videos, blog
     * [Prebuilt domains](luis-reference-prebuilt-domains.md) is now generally available (GA)
     * Japanese [prebuilt entities](luis-reference-prebuilt-entities.md#japanese-entity-support) - age, currency, number, percentage are not support in V3.
     * Italian [prebuilt entities](luis-reference-prebuilt-entities.md#italian-entity-support) - age, currency, dimension, number, percentage resolution changed from V2.
-* Enhance user experience in [LUIS portal](https://www.luis.ai) - revamped labeling experience to enable building and debugging complex models.
+* Enhance user experience in [preview.luis.ai portal](https://preview.luis.ai) - revamped labeling experience to enable building and debugging complex models.
 * Advance language understanding capabilities - [building sophisticated language models](luis-concept-entity-types.md) with less effort. 
 * Defining machine learning features at the model level and enabling models to be used as signals to other model, like using entities as features to intents and to other entities.
+* New, expanded [limits](luis-boundaries.md) - higher max for phrase lists and total phrases, new model as a feature limits
 * Extract information from text in the format of deep hierarchy structure, making conversation applications more powerful.
 
     ![machine-learned entity image](./media/whats-new/deep-entity-extraction-example.png)
 
-
-
-
-
 ### September 3, 2019
 
 * Azure authoring resource - [migrate now](luis-migration-authoring.md).

articles/event-hubs/event-hubs-ip-filtering.md

@@ -48,7 +48,6 @@ IP filter rules are applied in order, and the first rule that matches the IP add
 > - Integration with Azure Event Grid
 > - Azure IoT Hub Routes
 > - Azure IoT Device Explorer
-> - Azure Data Explorer
 >
 > The below Microsoft services are required to be on a virtual network
 > - Azure Web Apps

articles/event-hubs/event-hubs-service-endpoints.md

@@ -35,7 +35,6 @@ The result is a private and isolated relationship between the workloads bound to
 > - Integration with Azure Event Grid
 > - Azure IoT Hub Routes
 > - Azure IoT Device Explorer
-> - Azure Data Explorer
 >
 > The below Microsoft services are required to be on a virtual network
 > - Azure Web Apps

articles/governance/policy/concepts/definition-structure.md

@@ -170,8 +170,7 @@ would be used by each assignment of the policy definition to limit the accepted
 
 ### Using a parameter value
 
-In the policy rule, you reference parameters with the following `parameters` deployment value
-function syntax:
+In the policy rule, you reference parameters with the following `parameters` function syntax:
 
 ```json
 {
@@ -330,7 +329,7 @@ The following fields are supported:
   - This bracket syntax supports tag names that have apostrophes in it by escaping with double
     apostrophes.
   - Where **'\<tagName\>'** is the name of the tag to validate the condition for.
-  - Example: `tags['''My.Apostrophe.Tag''']` where **'\<tagName\>'** is the name of the tag.
+  - Example: `tags['''My.Apostrophe.Tag''']` where **'My.Apostrophe.Tag'** is the name of the tag.
 - property aliases - for a list, see [Aliases](#aliases).
 
 > [!NOTE]
@@ -343,7 +342,7 @@ A parameter value can be passed to a tag field. Passing a parameter to a tag fie
 flexibility of the policy definition during policy assignment.
 
 In the following example, `concat` is used to create a tags field lookup for the tag named the
-value of the **tagName** parameter. If that tag doesn't exist, the **append** effect is used to add
+value of the **tagName** parameter. If that tag doesn't exist, the **modify** effect is used to add
 the tag using the value of the same named tag set on the audited resources parent resource group by
 using the `resourcegroup()` lookup function.
 
@@ -354,11 +353,17 @@ using the `resourcegroup()` lookup function.
         "exists": "false"
     },
     "then": {
-        "effect": "append",
-        "details": [{
-            "field": "[concat('tags[', parameters('tagName'), ']')]",
-            "value": "[resourcegroup().tags[parameters('tagName')]]"
-        }]
+        "effect": "modify",
+        "details": {
+            "operations": [{
+                "operation": "add",
+                "field": "[concat('tags[', parameters('tagName'), ']')]",
+                "value": "[resourcegroup().tags[parameters('tagName')]]"
+            }],
+            "roleDefinitionIds": [
+                "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+            ]
+        }
     }
 }
 ```
@@ -471,51 +476,17 @@ Azure Policy supports the following types of effect:
 
 - **Append**: adds the defined set of fields to the request
 - **Audit**: generates a warning event in activity log but doesn't fail the request
-- **AuditIfNotExists**: enables auditing if a resource doesn't exist
+- **AuditIfNotExists**: generates a warning event in activity log if a related resource doesn't
+  exist
 - **Deny**: generates an event in the activity log and fails the request
-- **DeployIfNotExists**: deploys a resource if it doesn't already exist
+- **DeployIfNotExists**: deploys a related resource if it doesn't already exist
 - **Disabled**: doesn't evaluate resources for compliance to the policy rule
-- **EnforceOPAConstraint**: configures the Open Policy Agent admissions controller with Gatekeeper
-  v3 for self-managed Kubernetes clusters on Azure (preview)
-- **EnforceRegoPolicy**: configures the Open Policy Agent admissions controller with Gatekeeper v2
-  in Azure Kubernetes Service (preview)
+- **EnforceOPAConstraint** (preview): configures the Open Policy Agent admissions controller with
+  Gatekeeper v3 for self-managed Kubernetes clusters on Azure (preview)
+- **EnforceRegoPolicy** (preview): configures the Open Policy Agent admissions controller with
+  Gatekeeper v2 in Azure Kubernetes Service
 - **Modify**: adds, updates, or removes the defined tags from a resource
 
-For **append**, you must provide the following details:
-
-```json
-"effect": "append",
-"details": [{
-    "field": "field name",
-    "value": "value of the field"
-}]
-```
-
-The value can be either a string or a JSON format object.
-
-**AuditIfNotExists** and **DeployIfNotExists** evaluate the existence of a related resource and
-apply a rule. If the resource doesn't match the rule, the effect is implemented. For example, you
-can require that a network watcher is deployed for all virtual networks. For more information, see
-the [Audit if extension doesn't exist](../samples/audit-ext-not-exist.md) example.
-
-The **DeployIfNotExists** effect requires the **roleDefinitionId** property in the **details**
-portion of the policy rule. For more information, see [Remediation - Configure policy
-definition](../how-to/remediate-resources.md#configure-policy-definition).
-
-```json
-"details": {
-    ...
-    "roleDefinitionIds": [
-        "/subscription/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{roleGUID}",
-        "/providers/Microsoft.Authorization/roleDefinitions/{builtinroleGUID}"
-    ]
-}
-```
-
-Similarly, **Modify** requires **roleDefinitionId** property in the **details** portion of the
-policy rule for the [remediation task](../how-to/remediate-resources.md). **Modify** also requires
-an **operations** array to define what actions to take on the resources tags.
-
 For complete details on each effect, order of evaluation, properties, and examples, see
 [Understanding Azure Policy Effects](effects.md).
 

articles/governance/policy/concepts/guest-configuration.md

@@ -168,6 +168,46 @@ inside Linux and Windows machines* contains 18 policies. There are six **DeployI
 **AuditIfNotExists** pairs for Windows and three pairs for Linux. The [policy definition](definition-structure.md#policy-rule)
 logic validates that only the target operating system is evaluated.
 
+#### Auditing operating system settings following industry baselines
+
+One of the initiatives available in Azure Policy provides the ability to audit operating system settings
+inside virtual machines following a "baseline" from Microsoft.  The definition, 
+*[Preview]: Audit Windows VMs that do not match Azure security baseline settings*
+includes a complete set of audit rules based on settings from Active Directory Group Policy.
+
+Most of the settings are available as parameters.  This functionality allows you to customize
+what will be audited to align the policy with your organizational requirements,
+or to map the policy to 3rd party information such as industry regulatory standards.
+
+Some parameters support an integer value range.  For example, the Maximum Password Age
+parameter can be set using a range operator to give flexibility to machine
+owners.  You could audit that the effective Group Policy setting
+requiring user to change their passwords should be no more than 70 days,
+but shouldn't be less than 1 day.  As described in the info-bubble for the parameter,
+to make this the effective audit value, set the value to "1,70".
+
+If you assign the policy using an Azure Resource Manager dployment template,
+you can use a parameters file to manage these settings from source control.
+Using a tool such as Git to manage changes to Audit policies with comments
+at each check-in, will document evidence as to why an assignment
+should be in exception to the expected value.
+
+#### Applying configurations using Guest Configuration
+
+The latest feature of Azure Policy configures settings inside machines.
+The definition *Configure the time zone on Windows machines* will
+make changes to the machine by configuring the time zone.
+
+When assigning definitions that begin with *Configure*, you must also assign
+the definition *Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.*
+You can combine these definitions in an initiative if you choose.
+
+#### Assigning policies to machines outside of Azure
+
+The Audit policies available for Guest Configuration include the **Microsoft.HybridCompute/machines**
+resource type.  Any machines onboarded to Azure Arc that are in the scope of the assignment
+will automatically be included.
+
 ### Multiple assignments
 
 Guest Configuration policies currently only support assigning the same Guest Assignment once per
@@ -238,4 +278,4 @@ Samples for Policy Guest Configuration are available in the following locations:
 - Understand how to [programmatically create policies](../how-to/programmatically-create.md).
 - Learn how to [get compliance data](../how-to/getting-compliance-data.md).
 - Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
-- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).
+- Review what a management group is with [Organize your resources with Azure management groups](../../management-groups/overview.md).