Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into normesta-migrate-gen1

Author: normesta

articles/active-directory/manage-apps/howto-saml-token-encryption.md

@@ -13,12 +13,12 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 02/06/2019
+ms.date: 03/13/2020
 ms.author: mimart
 ms.reviewer: paulgarn
 ms.collection: M365-identity-device-management
 ---
-# How to: Configure Azure AD SAML token encryption (Preview)
+# How to: Configure Azure AD SAML token encryption
 
 > [!NOTE]
 > Token encryption is an Azure Active Directory (Azure AD) premium feature. To learn more about Azure AD editions, features, and pricing, see [Azure AD pricing](https://azure.microsoft.com/pricing/details/active-directory/).
@@ -118,9 +118,6 @@ When you configure a keyCredential using Graph, PowerShell, or in the applicatio
 
 ### To configure token encryption using PowerShell
 
-This functionality is coming soon. 
-
-<!--
 1. Use the latest Azure AD PowerShell module to connect to your tenant.
 
 1. Set the token encryption settings using the **[Set-AzureApplication](https://docs.microsoft.com/powershell/module/azuread/set-azureadapplication?view=azureadps-2.0-preview)** command.
@@ -137,8 +134,6 @@ This functionality is coming soon.
     $app.TokenEncryptionKeyId
     ```
 
--->
-
 ### To configure token encryption using the application manifest
 
 1. From the Azure portal, go to **Azure Active Directory > App registrations**.

articles/active-directory/manage-apps/toc.yml

@@ -68,7 +68,7 @@
           href: manage-certificates-for-federated-single-sign-on.md
         - name: Tenant restrictions
           href: tenant-restrictions.md
-        - name: Configure SAML token encryption (Preview)
+        - name: Configure SAML token encryption
           href: howto-saml-token-encryption.md
         - name: End-user portals
           href: end-user-experiences.md

articles/active-directory/user-help/media/user-help-auth-app-faq/katy-signin.png

@@ -0,0 +1,118 @@
+---
+title: Encrypt your application source at rest
+description: Encrypt your application data in Azure Storage and deploy it as a package file.
+ms.topic: article
+ms.date: 03/06/2020
+---
+
+# Encryption at rest using customer-managed keys
+
+Encrypting your web app's application data at rest requires an Azure Storage Account and an Azure Key Vault. These services are used when you run your app from a deployment package.
+
+  - [Azure Storage provides encryption at rest](../storage/common/storage-service-encryption.md). You can use system-provided keys or your own, customer-managed keys. This is where your application data is stored when it's not running in a web app in Azure.
+  - [Running from a deployment package](deploy-run-package.md) is a deployment feature of App Service. It allows you to deploy your site content from an Azure Storage Account using a Shared Access Signature (SAS) URL.
+  - [Key Vault references](app-service-key-vault-references.md) are a security feature of App Service. It allows you to import secrets at runtime as application settings. Use this to encrypt the SAS URL of your Azure Storage Account.
+
+## Set up encryption at rest
+
+### Create an Azure Storage account
+
+First, [create an Azure Storage account](../storage/common/storage-account-create.md) and [encrypt it with customer managed keys](../storage/common/storage-service-encryption.md#customer-managed-keys-with-azure-key-vault). Once the storage account is created, use the [Azure Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md) to upload package files.
+
+Next, use the Storage Explorer to [generate an SAS](../vs-azure-tools-storage-manage-with-storage-explorer.md?tabs=windows#generate-a-sas-in-storage-explorer). 
+
+> [!NOTE]
+> Save this SAS URL, this is used later to enable secure access of the deployment package at runtime.
+
+### Configure running from a package from your storage account
+  
+Once you upload your file to Blob storage and have an SAS URL for the file, set the `WEBSITE_RUN_FROM_PACKAGE` application setting to the SAS URL. The following example does it by using Azure CLI:
+
+```
+az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_RUN_FROM_PACKAGE="<your-SAS-URL>"
+```
+
+Adding this application setting causes your web app to restart. After the app has restarted, browse to it and make sure that the app has started correctly using the deployment package. If the application didn't start correctly, see the [Run from package troubleshooting guide](deploy-run-package.md#troubleshooting).
+
+### Encrypt the application setting using Key Vault references
+
+Now you can replace the value of the `WEBSITE_RUN_FROM_PACKAGE` application setting with a Key Vault reference to the SAS-encoded URL. This keeps the SAS URL encrypted in Key Vault, which provides an extra layer of security.
+
+1. Use the following [`az keyvault create`](/cli/azure/keyvault#az-keyvault-create) command to create a Key Vault instance.       
+
+    ```azurecli    
+    az keyvault create --name "Contoso-Vault" --resource-group <group-name> --location eastus    
+    ```    
+
+1. Follow [these instructions to grant your app access](app-service-key-vault-references.md#granting-your-app-access-to-key-vault) to your key vault:
+
+1. Use the following [`az keyvault secret set`](/cli/azure/keyvault/secret#az-keyvault-secret-set) command to add your external URL as a secret in your key vault:   
+
+    ```azurecli    
+    az keyvault secret set --vault-name "Contoso-Vault" --name "external-url" --value "<SAS-URL>"    
+    ```    
+
+1.  Use the following [`az webapp config appsettings set`](/cli/azure/webapp/config/appsettings#az-webapp-config-appsettings-set) command to create the `WEBSITE_RUN_FROM_PACKAGE` application setting with the value as a Key Vault reference to the external URL:
+
+    ```azurecli    
+    az webapp config appsettings set --settings WEBSITE_RUN_FROM_PACKAGE="@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.net/secrets/external-url/<secret-version>"    
+    ```
+
+    The `<secret-version>` will be in the output of the previous `az keyvault secret set` command.
+
+Updating this application setting causes your web app to restart. After the app has restarted, browse to it make sure it has started correctly using the Key Vault reference.
+
+## How to rotate the access token
+
+It is best practice to periodically rotate the SAS key of your storage account. To ensure the web app does not inadvertently loose access, you must also update the SAS URL in Key Vault.
+
+1. Rotate the SAS key by navigating to your storage account in the Azure portal. Under **Settings** > **Access keys**, click the icon to rotate the SAS key.
+
+1. Copy the new SAS URL, and use the following command to set the updated SAS URL in your key vault:
+
+    ```azurecli    
+    az keyvault secret set --vault-name "Contoso-Vault" --name "external-url" --value "<SAS-URL>"    
+    ``` 
+
+1. Update the key vault reference in your application setting to the new secret version:
+
+    ```azurecli    
+    az webapp config appsettings set --settings WEBSITE_RUN_FROM_PACKAGE="@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.net/secrets/external-url/<secret-version>"    
+    ```
+
+    The `<secret-version>` will be in the output of the previous `az keyvault secret set` command.
+
+## How to revoke the web app's data access
+
+There are two methods to revoke the web app's access to the storage account. 
+
+### Rotate the SAS key for the Azure Storage account
+
+If the SAS key for the storage account is rotated, the web app will no longer have access to the storage account, but it will continue to run with the last downloaded version of the package file. Restart the web app to clear the last downloaded version.
+
+### Remove the web app's access to Key Vault
+
+You can revoke the web app's access to the site data by disabling the web app's access to Key Vault. To do this, remove the access policy for the web app's identity. This is the same identity you created earlier while configuring key vault references.
+
+## Summary
+
+Your application files are now encrypted at rest in your storage account. When your web app starts, it retrieves the SAS URL from your key vault. Finally, the web app loads the application files from the storage account. 
+
+If you need to revoke the web app's access to your storage account, you can either revoke access to the key vault or rotate the storage account keys, which invalidates the SAS URL.
+
+## Frequently Asked Questions
+
+### Is there any additional charge for running my web app from the deployment package?
+
+Only the cost associated with the Azure Storage Account and any applicable egress charges.
+
+### How does running from the deployment package affect my web app?
+
+- Running your app from the deployment package makes `wwwroot/` read-only. Your app receives an error when it attempts to write to this directory.
+- TAR and GZIP formats are not supported.
+- This feature is not compatible with local cache.
+
+## Next steps
+
+- [Key Vault references for App Service](app-service-key-vault-references.md)
+- [Azure Storage encryption for data at rest](../storage/common/storage-service-encryption.md)

articles/active-directory/user-help/media/user-help-auth-app-faq/verification-code.png

@@ -59,33 +59,6 @@ az webapp config appsettings set --name <app-name> --resource-group <resource-gr
 
 If you publish an updated package with the same name to Blob storage, you need to restart your app so that the updated package is loaded into App Service.
 
-### Use Key Vault References
-
-For added security, you can use Key Vault References in conjunction with your external URL. This keeps the URL encrypted at rest and allows to leverage Key Vault for secret management and rotation. It is recommended to use Azure Blob storage so you can easily rotate the associated SAS key. Azure Blob storage is encrypted at rest, which keeps your application data secure when it is not deployed on App Service.
-
-1. Create an Azure Key Vault.
-
-    ```azurecli
-    az keyvault create --name "Contoso-Vault" --resource-group <group-name> --location eastus
-    ```
-
-1. Add your external URL as a secret in Key Vault.
-
-    ```azurecli
-    az keyvault secret set --vault-name "Contoso-Vault" --name "external-url" --value "<insert-your-URL>"
-    ```
-
-1. Create the `WEBSITE_RUN_FROM_PACKAGE` app setting and set the value as a Key Vault Reference to the external URL.
-
-    ```azurecli
-    az webapp config appsettings set --settings WEBSITE_RUN_FROM_PACKAGE="@Microsoft.KeyVault(SecretUri=https://Contoso-Vault.vault.azure.net/secrets/external-url/<secret-version>"
-    ```
-
-See the following articles for more information.
-
-- [Key Vault references for App Service](app-service-key-vault-references.md)
-- [Azure Storage encryption for data at rest](../storage/common/storage-service-encryption.md)
-
 ## Troubleshooting
 
 - Running directly from a package makes `wwwroot` read-only. Your app will receive an error if it tries to write files to this directory.

articles/app-service/configure-encrypt-at-rest-using-cmk.md

@@ -175,6 +175,8 @@
       href: configure-ssl-certificate-in-code.md
     - name: Configure TLS mutual authentication
       href: app-service-web-configure-tls-mutual-auth.md
+    - name: Encrypt site data
+      href: configure-encrypt-at-rest-using-cmk.md
   - name: Scale app
     items:
     - name: Scale up server capacity

articles/app-service/deploy-run-package.md

@@ -22,7 +22,7 @@ Using private endpoints for your App Configuration store enables you to:
 > [!NOTE]
 > Azure App Configuration offers the use of private endpoints as a public preview. Public preview offerings allow customers to experiment with new features prior to their official release.  Public preview features and services are not meant for production use.
 
-## Conceptual Overview
+## Conceptual overview
 
 A private endpoint is a special network interface for an Azure service in your [Virtual Network](../virtual-network/virtual-networks-overview.md) (VNet). When you create a private endpoint for your App Config store, it provides secure connectivity between clients on your VNet and your configuration store. The private endpoint is assigned an IP address from the IP address range of your VNet. The connection between the private endpoint and the configuration store uses a secure private link.
 
@@ -34,26 +34,18 @@ When you create a private endpoint for a service in your VNet, a consent request
 
 Service account owners can manage consent requests and private endpoints through the `Private Endpoints` tab of the config store in the [Azure portal](https://portal.azure.com).
 
-### Private Endpoints for App Configuration 
+### Private endpoints for App Configuration 
 
 When creating a private endpoint, you must specify the App Configuration store to which it connects. If you have multiple App Configuration instances within an account, you need a separate private endpoint for each store.
 
-#### Resources for creating private endpoints
-
-For more detailed information on creating a private endpoint for your App Configuration store, refer to the following articles:
-
-- [Create a private endpoint using the Private Link Center in the Azure portal](../private-link/create-private-endpoint-portal.md)
-- [Create a private endpoint using Azure CLI](../private-link/create-private-endpoint-cli.md)
-- [Create a private endpoint using Azure PowerShell](../private-link/create-private-endpoint-powershell.md)
-
-### Connecting to Private Endpoints
+### Connecting to private endpoints
 
 Azure relies upon DNS resolution to route connections from the VNet to the configuration store over a private link. You can quickly find connections strings in the Azure portal by selecting your App Configuration store, then selecting **Settings** > **Access Keys**.  
 
 > [!IMPORTANT]
 > Use the same connection string to connect to your App Configuration store using private endpoints as you would use for a public endpoint. Don't connect to the storage account using its `privatelink` subdomain URL.
 
-## DNS changes for Private Endpoints
+## DNS changes for private endpoints
 
 When you create a private endpoint, the DNS CNAME resource record for the configuration store is updated to an alias in a subdomain with the prefix `privatelink`. Azure also creates a [private DNS zone](../dns/private-dns-overview.md) corresponding to the `privatelink` subdomain, with the DNS A resource records for the private endpoints.
 
@@ -68,13 +60,19 @@ If you are using a custom DNS server on your network, clients must be able to re
 > [!TIP]
 > When using a custom or on-premises DNS server, you should configure your DNS server to resolve the store name in the `privatelink` subdomain to the private endpoint IP address. You can do this by delegating the `privatelink` subdomain to the private DNS zone of the VNet, or configuring the DNS zone on your DNS server and adding the DNS A records.
 
-#### Resources for configuring your DNS server with private endpoints
+## Pricing
 
-For more information, see:
+Enabling private endpoints requires a [Standard tier](https://azure.microsoft.com/pricing/details/app-configuration/) App Configuration store.  To learn about private link pricing details, see [Azure Private Link pricing](https://azure.microsoft.com/pricing/details/private-link).
 
-- [Name resolution for resources in Azure virtual networks](/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#name-resolution-that-uses-your-own-dns-server)
-- [DNS configuration for Private Endpoints](/azure/private-link/private-endpoint-overview#dns-configuration)
+## Next steps
 
-## Pricing
+Learn more about creating a private endpoint for your App Configuration store, refer to the following articles:
+
+- [Create a private endpoint using the Private Link Center in the Azure portal](../private-link/create-private-endpoint-portal.md)
+- [Create a private endpoint using Azure CLI](../private-link/create-private-endpoint-cli.md)
+- [Create a private endpoint using Azure PowerShell](../private-link/create-private-endpoint-powershell.md)
+
+Learn to configure your DNS server with private endpoints:
 
-Enabling private endpoints requires a [Standard tier](https://azure.microsoft.com/pricing/details/app-configuration/) App Configuration store.  To learn about private link pricing details, see [Azure Private Link pricing](https://azure.microsoft.com/pricing/details/private-link).
+- [Name resolution for resources in Azure virtual networks](/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#name-resolution-that-uses-your-own-dns-server)
+- [DNS configuration for Private Endpoints](/azure/private-link/private-endpoint-overview#dns-configuration)

articles/app-service/toc.yml

@@ -288,6 +288,8 @@
       href: ../app-service/overview-managed-identity.md?toc=%2fazure%2fazure-functions%2ftoc.json
     - name: Reference secrets from Key Vault
       href: ../app-service/app-service-key-vault-references.md?toc=%2fazure%2fazure-functions%2ftoc.json
+    - name: Encrypt site data
+      href: configure-encrypt-at-rest-using-cmk.md
   - name: Integrate
     items:
     - name: Add bindings