Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into aas-firewall

Author: Owen Duncan

articles/active-directory/develop/authentication-flows-app-scenarios.md

@@ -41,7 +41,7 @@ Applications can be categorized as in the following list:
 - [Protected resources vs. client applications](#protected-resources-vs-client-applications): Some scenarios are about protecting resources like web apps or web APIs. Other scenarios are about acquiring a security token to call a protected web API.
 - [With users or without users](#with-users-or-without-users): Some scenarios involve a signed-in user, but others, like daemon scenarios, don't involve a user.
 - [Single-page, public client, and confidential client applications](#single-page-public-client-and-confidential-client-applications): These types are three large categories of applications. Each is used with different libraries and objects.
-- [Sign-in audience](v2-supported-account-types.md#certain-authentication-flows-dont-support-all-the-account-types): The available authentication flows differ depending on the sign-in audience. Some flows are available only for work or school accounts. And some are available both for work or school accounts and for personal Microsoft accounts. The allowed audience depends on the authentication flows.
+- [Sign-in audience](v2-supported-account-types.md): The available authentication flows differ depending on the sign-in audience. Some flows are available only for work or school accounts. And some are available both for work or school accounts and for personal Microsoft accounts. The allowed audience depends on the authentication flows.
 - [Supported OAuth 2.0 flows](#scenarios-and-supported-authentication-flows):  Authentication flows are used to implement the application scenarios that are requesting tokens. There isn't a one-to-one mapping between application scenarios and authentication flows.
 - [Supported platforms](#scenarios-and-supported-platforms-and-languages): Not all application scenarios are available for every platform.
 

articles/active-directory/develop/v2-supported-account-types.md

@@ -1,5 +1,5 @@
 ---
-title: Supported accounts types - Microsoft identity platform | Azure
+title: Supported account types - Microsoft identity platform | Azure
 description: Conceptual documentation about audiences and supported account types in applications
 services: active-directory
 author: jmprieur
@@ -17,39 +17,37 @@ ms.custom: aaddev, identityplatformtop40
 
 # Supported account types
 
-This article explains what accounts types (sometimes named audiences) are supported in applications.
+This article explains what account types (sometimes called *audiences*) are supported in Microsoft identity platform applications.
 
 <!-- This section can be in an include for many of the scenarios (SPA, web app signing-in users, protecting a web API, Desktop (depending on the flows), Mobile -->
 
-## Supported accounts types in Microsoft Identity platform applications
+## Account types in the public cloud
 
-In the Microsoft Azure public Cloud, most types of apps can sign in users with any audience:
+In the Microsoft Azure public cloud, most types of apps can sign in users with any audience:
 
-- If you're writing a Line of Business (LOB) application, you can sign in users in your own organization. Such an application is sometimes named **single tenant**.
-- If you're an ISV, you can write an application which signs-in users:
+- If you're writing a line-of-business (LOB) application, you can sign in users in your own organization. Such an application is sometimes called *single-tenant*.
+- If you're an ISV, you can write an application that signs in users:
 
-  - In any organization. Such an application is named a **multi-tenant** web application. You'll sometimes read that it signs-in users with their work or school accounts.
-  - With their work or school or personal Microsoft account.
-  - With only personal Microsoft account.
-    > [!NOTE]
-    > Currently the Microsoft identity platform supports personal Microsoft accounts only by registering an app for **work or school or Microsoft personal accounts**, and then, restrict sign-in in the code for the application by specifying an Azure AD authority, when building the application, such as `https://login.microsoftonline.com/consumers`.
+  - In any organization. Such an application is called a *multitenant* web application. You'll sometimes read that it signs in users with their work or school accounts.
+  - With their work or school or personal Microsoft accounts.
+  - With only personal Microsoft accounts.
+    
+- If you're writing a business-to-consumer application, you can also sign in users with their social identities, by using Azure Active Directory B2C (Azure AD B2C).
 
-- If you're writing a business to consumers application, you can also sign in users with their social identities, using Azure AD B2C.
+## Account type support in authentication flows
 
-## Certain authentication flows don't support all the account types
+Some account types can't be used with certain authentication flows. For instance, in desktop, UWP, or daemon applications:
 
-Some account types can't be used with certain authentication flows. For instance, in desktop, UWP applications, or daemon applications:
+- Daemon applications can be used only with Azure AD organizations. It doesn't make sense to try to use daemon applications to manipulate Microsoft personal accounts. The admin consent will never be granted.
+- You can use the Integrated Windows Authentication flow only with work or school accounts (in your organization or any organization). Integrated Windows Authentication works with domain accounts, it and requires the machines to be domain joined or Azure AD joined. This flow doesn't make sense for personal Microsoft accounts.
+- The [Resource Owner Password Credentials grant](./v2-oauth-ropc.md) (username/password) can't be used with personal Microsoft accounts. Personal Microsoft accounts require that the user consents to accessing personal resources at each sign-in session. That's why this behavior isn't compatible with non-interactive flows.
+- Device code flow doesn't work with personal Microsoft accounts.
 
-- Daemon applications can only be used with Azure Active Directory organizations. It doesn't make sense to attempt to use daemon applications to manipulate Microsoft personal accounts (the admin consent will never be granted).
-- You can only use the Integrated Windows Authentication flow with work or school accounts (in your organization or any organization). Indeed, Integrated Windows Authentication works with domain accounts, and requires the machines to be domain joined or Azure AD joined. This flow doesn't make sense for personal Microsoft Accounts.
-- The [Resource Owner Password Grant](./v2-oauth-ropc.md) (Username/Password), can't be used with personal Microsoft accounts. Indeed, personal Microsoft accounts require that the user consents to accessing personal resources at each sign-in session. That's why, this behavior isn't compatible with non-interactive flows.
-- Device code flow doesn't yet work with personal Microsoft accounts.
+## Account types in national clouds
 
-## Supported account types in national clouds
-
- Apps can also sign in users in [national clouds](authentication-national-cloud.md). However, Microsoft personal accounts aren't supported in these clouds (by definition of these clouds). That's why the supported account types are reduced, for these clouds, to your organization (single tenant) or any organizations (multi-tenant applications).
+Apps can also sign in users in [national clouds](authentication-national-cloud.md). However, Microsoft personal accounts aren't supported in these clouds. That's why the supported account types are reduced, for these clouds, to your organization (single tenant) or any organizations (multitenant applications).
 
 ## Next steps
 
-- Learn more about [Tenancy in Azure Active Directory](./single-and-multi-tenant-apps.md)
-- Learn more about [National Clouds](./authentication-national-cloud.md)
+- Learn more about [tenancy in Azure Active Directory](./single-and-multi-tenant-apps.md).
+- Learn more about [national clouds](./authentication-national-cloud.md).

articles/azure-resource-manager/management/azure-subscription-service-limits.md

@@ -2,6 +2,8 @@
 title: Azure subscription limits and quotas
 description: Provides a list of common Azure subscription and service limits, quotas, and constraints. This article includes information on how to increase limits along with maximum values.
 ms.topic: conceptual
+author: davidsmatlak
+ms.author: v-dasmat
 ms.date: 04/21/2020
 ---
 

articles/data-factory/data-flow-expression-functions.md

@@ -320,10 +320,11 @@ Based on a condition applies one value or the other. If other is unspecified it
 ___
 ### <code>iifNull</code>
 <code><b>iifNull(<i>&lt;value1&gt;</i> : any, [<i>&lt;value2&gt;</i> : any], ...) => any</b></code><br/><br/>
-Checks if the value is NOT NULL and returns it else returns the alternate. It tests for all inputs until it finds the first non-null value  
+Checks if the first parameter is null. If not null, the first parameter is returned. If null, the second parameter is returned. If three parameters are specified, the behavior is the same as iif(isNull(value1), value2, value3) and the third parameter is returned if the first value is not null.  
 * ``iifNull(10, 20) -> 10``  
 * ``iifNull(null, 20, 40) -> 20``  
-* ``iifNull('bojjus', 'bo', 'dumbo') -> 'dumbo'``  
+* ``iifNull('azure', 'data', 'factory') -> 'factory'``  
+* ``iifNull(null, 'data', 'factory') -> 'data'``  
 ___
 ### <code>in</code>
 <code><b>in(<i>&lt;array of items&gt;</i> : array, <i>&lt;item to find&gt;</i> : any) => boolean</b></code><br/><br/>

articles/event-grid/enable-diagnostic-logs-topic.md

@@ -1,38 +1,40 @@
 ---
-title: Azure Event Grid - Enable diagnostic logs for a topic
+title: Azure Event Grid - Enable diagnostic logs for topics or domains
 description: This article provides step-by-step instructions on how to enable diagnostic logs for an Azure event grid topic.
 services: event-grid
 author: spelluru
 
 ms.service: event-grid
 ms.topic: how-to
-ms.date: 01/30/2020
+ms.date: 04/27/2020
 ms.author: spelluru
 ---
 
-#  Diagnostic logs for an Azure event grid topic
-Diagnostic settings allow Event Grid users to capture and view publish and delivery failure Logs in one of the following places: an Azure storage account, an event hub, or a Log Analytics workspace. This article provides step-by-step instructions to enable diagnostic logs for an event grid topic.
+#  Enable Diagnostic logs for Azure event grid topics or domains
+Diagnostic Settings now allow Event Grid users to capture and view **publish and delivery failure** Logs in either a Storage account, an event hub, or a Log Analytics Workspace. This article provides step-by-step instructions to enable these settings on an Event Grid Topic.
 
 ## Prerequisites
 
 - A provisioned event grid topic
-- A provisioned destination for capturing diagnostic logs. It can one of the following destinations:
+- A provisioned destination for capturing diagnostic logs. It can one of the following destinations in the same location as the event grid topic:
     - Azure storage account
     - Event hub
     - Log Analytics workspace
 
-
 ## Steps for enabling diagnostic logs for a topic
 
+> [!NOTE]
+> The following procedure provides step-by-step instructions for enabling diagnostic logs for a topic. Steps for enabling diagnostic logs for a domain are very similar. In step 2, navigate to the event grid **domain** in the Azure portal.  
+
 1. Sign in to the [Azure portal](https://portal.azure.com).
 2. Navigate to the event grid topic for which you want to enable diagnostic log settings. 
 3. Select **Diagnostic settings** under **Monitoring** in the left menu.
 4. On the **Diagnostic settings** page, select **Add New Diagnostic Setting**. 
 
     ![Add diagnostic setting button](./media/enable-diagnostic-logs-topic/diagnostic-settings-add.png)
 5. Specify a **name** for the diagnostic setting. 
-
-    ![Diagnostic settings - name](./media/enable-diagnostic-logs-topic/diagnostic-settings-name.png)	 
+7. Select the **DeliveryFailures** and **PublishFailures** options in the **Log** section. 
+    ![Select the failures](./media/enable-diagnostic-logs-topic/log-failures.png)
 6. Enable one or more of the capture destinations for the logs, and then configure them by selecting a previous created capture resource. 
     - If you select **Archive to a storage account**, select **Storage account - Configure**, and then select the storage account in your Azure subscription. 
 
@@ -41,13 +43,43 @@ Diagnostic settings allow Event Grid users to capture and view publish and deliv
         ![Stream to an event hub](./media/enable-diagnostic-logs-topic/archive-event-hub.png)
     - If you select **Send to Log Analytics**, select the Log Analytics workspace.
         ![Send to Log Analytics](./media/enable-diagnostic-logs-topic/send-log-analytics.png)
-7. Select the **DeliveryFailures** and **PublishFailures** options in the **Log** section. 
-    ![Select the failures](./media/enable-diagnostic-logs-topic/log-failures.png)
-8. Select **Save**. Select **X** in the right-corner to close the page. 
+8. Select **Save**. Then, select **X** in the right-corner to close the page. 
 9. Now, back on the **Diagnostic settings** page, confirm that you see a new entry in the **Diagnostics Settings** table. 
     ![Diagnostic setting in the list](./media/enable-diagnostic-logs-topic/diagnostic-setting-list.png)
 
 	 You can also enable collection of all metrics for the topic. 
 
+## View diagnostic logs in Azure Storage 
+
+1. Once you enable a storage account as a capture destination and Event Grid starts emitting diagnostic logs, you should see new containers named **insights-logs-deliveryfailures** and **insights-logs-publishfailures** in the storage account. 
+
+    ![Storage - containers for diagnostic logs](./media/enable-diagnostic-logs-topic/storage-containers.png)
+2. As you navigate through one of the containers, you will end up at a blob in JSON format. The file contains log entries for either a delivery failure or a publish failure. The navigation path represents the **ResourceId** of the event grid topic and the timestamp (minute level) as to when the log entries were emitted. The blob/JSON file, which is downloadable, in the end adheres to the schema described in the next section. 
+
+    [ ![JSON file in the storage](./media/enable-diagnostic-logs-topic/select-json.png) ](./media/enable-diagnostic-logs-topic/select-json.png)
+3. You should see content in the JSON file similar to the following example: 
+
+    ```json
+    {
+        "time": "2019-11-01T00:17:13.4389048Z",
+        "resourceId": "/SUBSCRIPTIONS/SAMPLE-SUBSCTIPTION-ID /RESOURCEGROUPS/SAMPLE-RESOURCEGROUP-NAME/PROVIDERS/MICROSOFT.EVENTGRID/TOPICS/SAMPLE-TOPIC-NAME ",
+        "eventSubscriptionName": "SAMPLEDESTINATION",
+        "category": "DeliveryFailures",
+        "operationName": "Deliver",
+        "message": "Message:outcome=NotFound, latencyInMs=2635, systemId=17284f7c-0044-46fb-84b7-59fda5776017, state=FilteredFailingDelivery, deliveryTime=11/1/2019 12:17:10 AM, deliveryCount=0, probationCount=0, deliverySchema=EventGridEvent, eventSubscriptionDeliverySchema=EventGridEvent, fields=InputEvent, EventSubscriptionId, DeliveryTime, State, Id, DeliverySchema, LastDeliveryAttemptTime, SystemId, fieldCount=, requestExpiration=1/1/0001 12:00:00 AM, delivered=False publishTime=11/1/2019 12:17:10 AM, eventTime=11/1/2019 12:17:09 AM, eventType=Type, deliveryTime=11/1/2019 12:17:10 AM, filteringState=FilteredWithRpc, inputSchema=EventGridEvent, publisher=DIAGNOSTICLOGSTEST-EASTUS.EASTUS-1.EVENTGRID.AZURE.NET, size=363, fields=Id, PublishTime, SerializedBody, EventType, Topic, Subject, FilteringHashCode, SystemId, Publisher, FilteringTopic, TopicCategory, DataVersion, MetadataVersion, InputSchema, EventTime, fieldCount=15, url=sb://diagnosticlogstesting-eastus.servicebus.windows.net/, deliveryResponse=NotFound: The messaging entity 'sb://diagnosticlogstesting-eastus.servicebus.windows.net/eh-diagnosticlogstest' could not be found. TrackingId:c98c5af6-11f0-400b-8f56-c605662fb849_G14, SystemTracker:diagnosticlogstesting-eastus.servicebus.windows.net:eh-diagnosticlogstest, Timestamp:2019-11-01T00:17:13, referenceId: ac141738a9a54451b12b4cc31a10dedc_G14:"
+    }
+    ```
+
+## Schema for publish/delivery failure logs
+
+| Property name | Data type | Description |
+| ------------- | --------- | ----------- | 
+| Time | DateTime | The time when the log entry was generated <p>**Example value:**  01-29-2020 09:52:02.700</p> |
+| EventSubscriptionName | String | The name of the event subscription <p>**Example value:** "EVENTSUB1"</p> <p>This property exists only for delivery failure logs.</p>  |
+| Category | String | The log category name. <p>**Example values:** "DeliveryFailures" or "PublishFailures" | 
+| OperationName | String | The name of the operation performed while encountering the failure.<p>**Example Values:** "Deliver" for delivery failures. |
+| Message | String | The log message for the user explaining the reason for the failure and other additional details. |
+| ResourceId | String | The resource ID for the topic/domain resource<p>**Example Values:** `/SUBSCRIPTIONS/SAMPLE-SUBSCRIPTION-ID/RESOURCEGROUPS/SAMPLE-RESOURCEGROUP/PROVIDERS/MICROSOFT.EVENTGRID/TOPICS/TOPIC1` |
+
 ## Next steps
-If you need more help, post your issue in the [Stack Overflow forum](https://stackoverflow.com/questions/tagged/azure-eventgrid) or open a [support ticket](https://azure.microsoft.com/support/options/). 
+See the following article: [Create diagnostic setting to collect resource logs and metrics in Azure](../azure-monitor/platform/diagnostic-settings.md)