Merge pull request #110831 from MicrosoftDocs/master

4/09 AM Publish

Author: huypub

.openpublishing.redirection.json

@@ -40082,12 +40082,12 @@
     },
     {
       "source_path": "articles/iot-central/tutorial-add-device-pnp.md",
-      "redirect_url": "/azure/iot-central/core/quick-create-pnp-device",
+      "redirect_url": "/azure/iot-central/core/tutorial-connect-pnp-device",
       "redirect_document_id": false
     },
     {
       "source_path": "articles/iot-central/tutorial-define-device-type-pnp.md",
-      "redirect_url": "/azure/iot-central/core/quick-create-pnp-device",
+      "redirect_url": "/azure/iot-central/core/howto-set-up-template",
       "redirect_document_id": false
     },
     {
@@ -46282,7 +46282,7 @@
     },
     {
       "source_path": "articles/iot-central/quick-create-pnp-device-pnp.md",
-      "redirect_url": "/azure/iot-central/core/quick-create-pnp-device/",
+      "redirect_url": "/azure/iot-central/core/quick-create-simulated-device/",
       "redirect_document_id": false
     },
     {
@@ -46347,7 +46347,12 @@
     },
     {
       "source_path": "articles/iot-central/core/quick-create-pnp-device-pnp.md",
-      "redirect_url": "/azure/iot-central/core/quick-create-pnp-device/",
+      "redirect_url": "/azure/iot-central/core/quick-create-simulated-device/",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/iot-central/core/quick-create-pnp-device.md",
+      "redirect_url": "/azure/iot-central/core/quick-create-simulated-device/",
       "redirect_document_id": false
     },
     {
@@ -46782,7 +46787,7 @@
     },
     {
       "source_path": "articles/iot-central/preview/quick-create-pnp-device.md",
-      "redirect_url": "/azure/iot-central/core/quick-create-pnp-device/",
+      "redirect_url": "/azure/iot-central/core/quick-create-simulated-device/",
       "redirect_document_id": false
     },
     {
@@ -46880,6 +46885,66 @@
       "redirect_url": "/azure/iot-central/core/tutorial-connect-device-nodejs",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/iot-central/retail/architecture-connected-logistics-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/architecture-connected-logistics",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/architecture-digital-distribution-center-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/architecture-digital-distribution-center",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/architecture-micro-fulfillment-center-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/architecture-micro-fulfillment-center",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/architecture-smart-inventory-management-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/architecture-smart-inventory-management",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/overview-iot-central-retail-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/overview-iot-central-retail",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/tutorial-in-store-analytics-create-app-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/tutorial-in-store-analytics-create-app",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/tutorial-in-store-analytics-customize-dashboard-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/tutorial-in-store-analytics-customize-dashboard",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/tutorial-in-store-analytics-export-data-visualize-insights-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/tutorial-in-store-analytics-export-data-visualize-insights",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/tutorial-iot-central-connected-logistics-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/tutorial-iot-central-connected-logistics",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/tutorial-iot-central-digital-distribution-center-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/tutorial-iot-central-digital-distribution-center",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/tutorial-iot-central-smart-inventory-management-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/tutorial-iot-central-smart-inventory-management",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/tutorial-micro-fulfillment-center-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/tutorial-micro-fulfillment-center",
+      "redirect_document_id": true
+    },
     {
       "source_path": "articles/iot-accelerators/iot-accelerators-arduino-iot-devkit-az3166-devkit-remote-monitoringV2.md",
       "redirect_url": "/azure/iot-accelerators/iot-accelerators-arduino-iot-devkit-az3166-devkit-remote-monitoring-v2",

articles/active-directory/hybrid/reference-connect-version-history.md

@@ -43,6 +43,13 @@ Not all releases of Azure AD Connect will be made available for auto upgrade. Th
 >
 >Please refer to [this article](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-upgrade-previous-version) to learn more about how to upgrade Azure AD Connect to the latest version.
 
+## 1.5.20.0
+
+### Release status
+04/09/2020: Released for download
+
+### Fixed issues
+This hotfix build fixes an issue with build 1.5.18.0 if you have the Group Filtering feature enabled and use mS-DS-ConsistencyGuid as the source anchor.
 
 ## 1.5.18.0
 

articles/aks/use-pod-security-policies.md

@@ -3,8 +3,7 @@ title: Use pod security policies in Azure Kubernetes Service (AKS)
 description: Learn how to control pod admissions by using PodSecurityPolicy in Azure Kubernetes Service (AKS)
 services: container-service
 ms.topic: article
-ms.date: 04/17/2019
-
+ms.date: 04/08/2020
 ---
 
 # Preview - Secure your cluster using pod security policies in Azure Kubernetes Service (AKS)
@@ -99,17 +98,17 @@ NAME         PRIV    CAPS   SELINUX    RUNASUSER          FSGROUP     SUPGROUP
 privileged   true    *      RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *     configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
 ```
 
-The *privileged* pod security policy is applied to any authenticated user in the AKS cluster. This assignment is controlled by ClusterRoles and ClusterRoleBindings. Use the [kubectl get clusterrolebindings][kubectl-get] command and search for the *default:privileged:* binding:
+The *privileged* pod security policy is applied to any authenticated user in the AKS cluster. This assignment is controlled by ClusterRoles and ClusterRoleBindings. Use the [kubectl get rolebindings][kubectl-get] command and search for the *default:privileged:* binding in the *kube-system* namespace:
 
 ```console
-kubectl get clusterrolebindings default:privileged -o yaml
+kubectl get rolebindings default:privileged -n kube-system -o yaml
 ```
 
 As shown in the following condensed output, the *psp:restricted* ClusterRole is assigned to any *system:authenticated* users. This ability provides a basic level of restrictions without your own policies being defined.
 
 ```
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   [...]
   name: default:privileged
@@ -121,7 +120,7 @@ roleRef:
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
-  name: system:authenticated
+  name: system:masters
 ```
 
 It's important to understand how these default policies interact with user requests to schedule pods before you start to create your own pod security policies. In the next few sections, let's schedule some pods to see these default policies in action.
@@ -191,7 +190,7 @@ The pod fails to be scheduled, as shown in the following example output:
 ```console
 $ kubectl-nonadminuser apply -f nginx-privileged.yaml
 
-Error from server (Forbidden): error when creating "nginx-privileged.yaml": pods "nginx-privileged" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
+Error from server (Forbidden): error when creating "nginx-privileged.yaml": pods "nginx-privileged" is forbidden: unable to validate against any pod security policy: []
 ```
 
 The pod doesn't reach the scheduling stage, so there are no resources to delete before you move on.
@@ -219,44 +218,15 @@ Create the pod using the [kubectl apply][kubectl-apply] command and specify the
 kubectl-nonadminuser apply -f nginx-unprivileged.yaml
 ```
 
-The Kubernetes scheduler accepts the pod request. However, if you look at the status of the pod using `kubectl get pods`, there's an error:
-
-```console
-$ kubectl-nonadminuser get pods
-
-NAME                 READY   STATUS                       RESTARTS   AGE
-nginx-unprivileged   0/1     CreateContainerConfigError   0          26s
-```
-
-Use the [kubectl describe pod][kubectl-describe] command to look at the events for the pod. The following condensed example shows the container and image require root permissions, even though we didn't request them:
+The pod fails to be scheduled, as shown in the following example output:
 
 ```console
-$ kubectl-nonadminuser describe pod nginx-unprivileged
+$ kubectl-nonadminuser apply -f nginx-unprivileged.yaml
 
-Name:               nginx-unprivileged
-Namespace:          psp-aks
-Priority:           0
-PriorityClassName:  <none>
-Node:               aks-agentpool-34777077-0/10.240.0.4
-Start Time:         Thu, 28 Mar 2019 22:05:04 +0000
-[...]
-Events:
-  Type     Reason     Age                     From                               Message
-  ----     ------     ----                    ----                               -------
-  Normal   Scheduled  7m14s                   default-scheduler                  Successfully assigned psp-aks/nginx-unprivileged to aks-agentpool-34777077-0
-  Warning  Failed     5m2s (x12 over 7m13s)   kubelet, aks-agentpool-34777077-0  Error: container has runAsNonRoot and image will run as root
-  Normal   Pulled     2m10s (x25 over 7m13s)  kubelet, aks-agentpool-34777077-0  Container image "nginx:1.14.2" already present on machine
+Error from server (Forbidden): error when creating "nginx-unprivileged.yaml": pods "nginx-unprivileged" is forbidden: unable to validate against any pod security policy: []
 ```
 
-Even though we didn't request any privileged access, the container image for NGINX needs to create a binding for port *80*. To bind ports *1024* and below, the *root* user is required. When the pod tries to start, the *restricted* pod security policy denies this request.
-
-This example shows that the default pod security policies created by AKS are in effect and restrict the actions a user can perform. It's important to understand the behavior of these default policies, as you may not expect a basic NGINX pod to be denied.
-
-Before you move on to the next step, delete this test pod using the [kubectl delete pod][kubectl-delete] command:
-
-```console
-kubectl-nonadminuser delete -f nginx-unprivileged.yaml
-```
+The pod doesn't reach the scheduling stage, so there are no resources to delete before you move on.
 
 ## Test creation of a pod with a specific user context
 
@@ -283,61 +253,15 @@ Create the pod using the [kubectl apply][kubectl-apply] command and specify the
 kubectl-nonadminuser apply -f nginx-unprivileged-nonroot.yaml
 ```
 
-The Kubernetes scheduler accepts the pod request. However, if you look at the status of the pod using `kubectl get pods`, there's a different error than the previous example:
-
-```console
-$ kubectl-nonadminuser get pods
-
-NAME                         READY   STATUS              RESTARTS   AGE
-nginx-unprivileged-nonroot   0/1     CrashLoopBackOff    1          3s
-```
-
-Use the [kubectl describe pod][kubectl-describe] command to look at the events for the pod. The following condensed example shows the pod events:
-
-```console
-$ kubectl-nonadminuser describe pods nginx-unprivileged
-
-Name:               nginx-unprivileged
-Namespace:          psp-aks
-Priority:           0
-PriorityClassName:  <none>
-Node:               aks-agentpool-34777077-0/10.240.0.4
-Start Time:         Thu, 28 Mar 2019 22:05:04 +0000
-[...]
-Events:
-  Type     Reason     Age                   From                               Message
-  ----     ------     ----                  ----                               -------
-  Normal   Scheduled  2m14s                 default-scheduler                  Successfully assigned psp-aks/nginx-unprivileged-nonroot to aks-agentpool-34777077-0
-  Normal   Pulled     118s (x3 over 2m13s)  kubelet, aks-agentpool-34777077-0  Container image "nginx:1.14.2" already present on machine
-  Normal   Created    118s (x3 over 2m13s)  kubelet, aks-agentpool-34777077-0  Created container
-  Normal   Started    118s (x3 over 2m12s)  kubelet, aks-agentpool-34777077-0  Started container
-  Warning  BackOff    105s (x5 over 2m11s)  kubelet, aks-agentpool-34777077-0  Back-off restarting failed container
-```
-
-The events indicate that the container was created and started. There's nothing immediately obvious as to why the pod is in a failed state. Let's look at the pod logs using the [kubectl logs][kubectl-logs] command:
-
-```console
-kubectl-nonadminuser logs nginx-unprivileged-nonroot --previous
-```
-
-The following example log output gives an indication that within the NGINX configuration itself, there's a permissions error when the service tries to start. This error is again caused by needing to bind to port 80. Although the pod specification defined a regular user account, this user account isn't sufficient in the OS-level for the NGINX service to start and bind to the restricted port.
+The pod fails to be scheduled, as shown in the following example output:
 
 ```console
-$ kubectl-nonadminuser logs nginx-unprivileged-nonroot --previous
+$ kubectl-nonadminuser apply -f nginx-unprivileged-nonroot.yaml
 
-2019/03/28 22:38:29 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
-nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
-2019/03/28 22:38:29 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
-nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
+Error from server (Forbidden): error when creating "nginx-unprivileged-nonroot.yaml": pods "nginx-unprivileged-nonroot" is forbidden: unable to validate against any pod security policy: []
 ```
 
-Again, it's important to understand the behavior of the default pod security policies. This error was a little harder to track down, and again, you may not expect a basic NGINX pod to be denied.
-
-Before you move on to the next step, delete this test pod using the [kubectl delete pod][kubectl-delete] command:
-
-```console
-kubectl-nonadminuser delete -f nginx-unprivileged-nonroot.yaml
-```
+The pod doesn't reach the scheduling stage, so there are no resources to delete before you move on.
 
 ## Create a custom pod security policy
 
@@ -379,7 +303,7 @@ $ kubectl get psp
 
 NAME                  PRIV    CAPS   SELINUX    RUNASUSER          FSGROUP     SUPGROUP    READONLYROOTFS   VOLUMES
 privileged            true    *      RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *
-psp-deny-privileged   false          RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *          configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
+psp-deny-privileged   false          RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *          
 ```
 
 ## Allow user account to use the custom pod security policy

articles/azure-monitor/app/status-monitor-v2-api-disable-instrumentation-engine.md

@@ -1,5 +1,5 @@
 ---
-title: Azure Application Insights Agent API reference
+title: Azure Application Insights Agent Disable-InstrumentationEngine
 description: Application Insights Agent API reference. Disable-InstrumentationEngine. Monitor website performance without redeploying the website. Works with ASP.NET web apps hosted on-premises, in VMs, or on Azure.
 ms.topic: conceptual
 author: TimothyMothra

articles/azure-monitor/platform/media/customer-managed-keys/cmk-overview-8bit.png

@@ -76,6 +76,14 @@ When using Visual Studio to prepare your project, you have the option of enablin
 
 Currently, Azure Dev Spaces does not support using [pod managed identities][aks-pod-managed-id] on AKS clusters with Azure Dev Spaces enabled. If you have pod managed identities installed and would like to uninstall it, you can find more details in the [uninstall notes][aks-pod-managed-id-uninstall].
 
+## Can I use Azure Dev Spaces with multiple microservices in an application?
+
+Yes, you can use Azure Dev Spaces in an application with multiple microservices, but you must prepare and run the individual microservices at their root. The Azure Dev Spaces CLI, Azure Dev Spaces VS Code extension, and Visual Studio Azure Development workload expect the *azds.yaml* file to be at the root of the microservice in order to run and debug. See the [Bike Sharing sample application][bike-sharing] for an example of multiple microservices in a single application.
+
+In Visual Studio Code, it is possible to [open separate projects in a single workspace][vs-code-multi-root-workspaces] and debug them separately through Azure Dev Spaces. Each of the projects must be self-contained and prepared for Azure Dev Spaces.
+
+In Visual Studio, it is possible to configure .NET Core solutions for debugging through Azure Dev Spaces.
+
 [aks-auth-range]: ../aks/api-server-authorized-ip-ranges.md
 [aks-auth-range-create]: ../aks/api-server-authorized-ip-ranges.md#create-an-aks-cluster-with-api-server-authorized-ip-ranges-enabled
 [aks-auth-range-ranges]: https://github.com/Azure/dev-spaces/tree/master/public-ips
@@ -84,6 +92,7 @@ Currently, Azure Dev Spaces does not support using [pod managed identities][aks-
 [aks-pod-managed-id]: ../aks/developer-best-practices-pod-security.md#use-pod-managed-identities
 [aks-pod-managed-id-uninstall]: https://github.com/Azure/aad-pod-identity#uninstall-notes
 [aks-restrict-egress-traffic]: ../aks/limit-egress-traffic.md
+[bike-sharing]: https://github.com/Azure/dev-spaces/tree/master/samples/BikeSharingApp
 [dev-spaces-prep]: how-dev-spaces-works-prep.md
 [dev-spaces-routing]: how-dev-spaces-works-routing.md#how-routing-works
 [ingress-nginx]: how-to/ingress-https-nginx.md#configure-a-custom-nginx-ingress-controller
@@ -92,4 +101,5 @@ Currently, Azure Dev Spaces does not support using [pod managed identities][aks-
 [ingress-https-traefik]: how-to/ingress-https-traefik.md#configure-the-traefik-ingress-controller-to-use-https
 [quickstart-cli]: quickstart-cli.md
 [supported-regions]: https://azure.microsoft.com/global-infrastructure/services/?products=kubernetes-service
+[vs-code-multi-root-workspaces]: https://code.visualstudio.com/docs/editor/multi-root-workspaces
 [windows-containers]: how-to/run-dev-spaces-windows-containers.md

articles/azure-monitor/platform/media/customer-managed-keys/soft-purge-protection.png

@@ -108,6 +108,16 @@ Group](../../../virtual-network/manage-network-security-group.md#create-a-securi
 The [service tag](../../../virtual-network/service-tags-overview.md)
 "GuestAndHybridManagement" can be used to reference the Guest Configuration service.
 
+## Azure managed identity requirements
+
+The **DeployIfNotExists** policies that add the extension to virtual machines also
+enable a system assigned managed identity, if one doesn't exist.
+
+> [!WARNING]
+> Avoid enabling user assigned managed identity to virtual machines in scope
+> for policies that enable system assigned managed identity. The user assigned
+> identity will be replaced and could machine become unresponsive.
+
 ## Guest Configuration definition requirements
 
 Each audit run by Guest Configuration requires two policy definitions, a **DeployIfNotExists**

articles/dev-spaces/faq.md

@@ -12,7 +12,7 @@
     - name: 1. Create a new application
       href: quick-deploy-iot-central.md
     - name: 2. Add a simulated device
-      href: quick-create-pnp-device.md
+      href: quick-create-simulated-device.md
     - name: 3. Configure rules and actions
       href: quick-configure-rules.md
     - name: 4. Monitor your devices