Commit 3b0efa3

Merge pull request #154034 from MicrosoftDocs/master
Merge master to live, 4 AM
2 parents 49b59ad + 84289da commit 3b0efa3

86 files changed

+1102
-582
lines changed

.openpublishing.redirection.json

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -64969,6 +64969,11 @@
6496964969
{
6497064970
"source_path": "articles/app-service/quickstart-dotnet-framework.md",
6497164971
"redirect_url": "/azure/app-service/quickstart-dotnetcore?tabs=netframework48"
64972+
},
64973+
{
64974+
"source_path": "articles/virtual-desktop/rd-gateway-role.md",
64975+
"redirect_url": "/windows-server/remote/remote-desktop-services/remote-desktop-gateway-role",
64976+
"redirect_document_id": false
6497264977
}
6497364978
]
6497464979
}

articles/active-directory/authentication/howto-mfa-mfasettings.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -233,7 +233,7 @@ The _Trusted IPs_ feature of Azure AD Multi-Factor Authentication bypasses multi
233233
> [!NOTE]
234234
> The trusted IPs can include private IP ranges only when you use MFA Server. For cloud-based Azure AD Multi-Factor Authentication, you can only use public IP address ranges.
235235
>
236-
> IPv6 ranges are only supported in the [Named location (preview)](../conditional-access/location-condition.md#preview-features) interface.
236+
> IPv6 ranges are only supported in the [Named location (preview)](../conditional-access/location-condition.md) interface.
237237
238238
If your organization deploys the NPS extension to provide MFA to on-premises applications note the source IP address will always appear to be the NPS server the authentication attempt flows through.
239239
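
Review bot: The replacement line 236 still labels the link "Named location (preview)", but this commit deletes the preview section from location-condition.md and documents IPv4 and IPv6 ranges as part of regular named locations. Drop "(preview)" from the link text, and consider pointing the link at the new "IP address ranges" section of location-condition.md instead of the top of the page, so readers land on the IPv6 guidance the sentence refers to.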

articles/active-directory/conditional-access/concept-continuous-access-evaluation.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -139,7 +139,7 @@ From this page, you can optionally limit the users and groups that will be subje
139139
For CAE, we only have insights into named IP-based named locations. We have no insights into other location settings like [MFA trusted IPs](../authentication/howto-mfa-mfasettings.md#trusted-ips) or country-based locations. When user comes from an MFA trusted IP or trusted locations that include MFA Trusted IPs or country location, CAE will not be enforced after user move to a different location. In those cases, we will issue a 1-hour CAE token without instant IP enforcement check.
140140

141141
> [!IMPORTANT]
142-
> When configuring locations for continuous access evaluation, use only the [IP based Conditional Access location condition](../conditional-access/location-condition.md#preview-features) and configure all IP addresses, **including both IPv4 and IPv6**, that can be seen by your identity provider and resources provider. Do not use country location conditions or the trusted ips feature that is available in Azure AD Multi-Factor Authentication's service settings page.
142+
> When configuring locations for continuous access evaluation, use only the [IP based Conditional Access location condition](../conditional-access/location-condition.md) and configure all IP addresses, **including both IPv4 and IPv6**, that can be seen by your identity provider and resources provider. Do not use country location conditions or the trusted ips feature that is available in Azure AD Multi-Factor Authentication's service settings page.
143143
144144
### IP address configuration
145145
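
Review bot: On line 142 the link now lands on the top of location-condition.md, although the sentence specifically means IP-based named locations; pointing it at the "IP address ranges" section added to that page in this commit would keep this IMPORTANT note precise. While the line is being touched, "trusted ips" should read "trusted IPs" and "resources provider" should read "resource provider".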

articles/active-directory/conditional-access/location-condition.md

Lines changed: 14 additions & 43 deletions
Original file line numberDiff line numberDiff line change
@@ -30,39 +30,37 @@ Organizations can use this network location for common tasks like:
3030

3131
The network location is determined by the public IP address a client provides to Azure Active Directory. Conditional Access policies by default apply to all IPv4 and IPv6 addresses.
3232

33-
> [!TIP]
34-
> IPv6 ranges are only supported in the **[Named location (preview)](#preview-features)** interface.
35-
3633
## Named locations
3734

38-
Locations are designated in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block.
35+
Locations are designated in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. These named network locations may include locations like an organization's headquarters network ranges, VPN network ranges, or ranges that you wish to block. Named locations can be defined by IPv4/IPv6 address ranges or by countries/regions.
3936

4037
![Named locations in the Azure portal](./media/location-condition/new-named-location.png)
4138

42-
To configure a location, you will need to provide at least a **Name** and the IP range.
43-
44-
The number of named locations you can configure is constrained by the size of the related object in Azure AD. You can configure locations based on of the following limitations:
39+
### IP address ranges
4540

46-
- One named location with up to 1200 IPv4 ranges.
47-
- A maximum of 90 named locations with one IP range assigned to each of them.
41+
To define a named location by IPv4/IPv6 address ranges, you will need to provide a **Name** and an IP range.
4842

49-
> [!TIP]
50-
> IPv6 ranges are only supported in the **[Named location (preview)](#preview-features)** interface.
43+
Named locations defined by IPv4/IPv6 address ranges are subject to the following limitations:
44+
- Configure up to 195 named locations
45+
- Configure up to 2000 IP ranges per named location
46+
- Both IPv4 and IPv6 ranges are supported
47+
- Private IP ranges connot be configured
48+
- The number of IP addresses contained in a range is limited. Only CIDR masks greater than /8 are allowed when defining an IP range.
5149

5250
### Trusted locations
5351

54-
When creating a network location, an administrator has the option to mark a location as a trusted location.
52+
Administrators can designate named locations defined by IP address ranges to be trusted named locations.
5553

5654
![Trusted locations in the Azure portal](./media/location-condition/new-trusted-location.png)
5755

58-
This option can factor in to Conditional Access policies where you may, for example, require registration for multi-factor authentication from a trusted network location. It also factors in to Azure AD Identity Protection's risk calculation, lowering a users' sign-in risk when coming from a location marked as trusted.
56+
Sign-ins from trusted named locations improve the accuracy of Azure AD Identity Protection's risk calculation, lowering a users' sign-in risk when they authenticate from a location marked as trusted. Additionally, trusted named locations can be targeted in Conditional Access policies. For example, you may require restrict multi-factor authentication registration to trusted named locations only.
5957

6058
### Countries and regions
6159

62-
Some organizations may choose to define entire countries or regions IP boundaries as named locations for Conditional Access policies. They may use these locations when blocking unnecessary traffic when they know valid users will never come from a location such as North Korea. These mappings of IP address to country are updated periodically.
60+
Some organizations may choose to restrict access to certain countries or regions using Conditional Access. In addition to defining named locations by IP ranges, admins can define named locations by country or regions. When a user signs in, Azure AD resolves the user's IPv4 address to a country or region, and the mapping is updated periodically. Organizations can use named locations defined by countries to block traffic from countries where they do not do business, such as North Korea.
6361

6462
> [!NOTE]
65-
> IPv6 address ranges cannot be mapped to countries. Only IPv4 addresses map to countries.
63+
> Sign-ins from IPv6 addresses cannot be mapped to countries or regions, and are considered unknown areas. Only IPv4 addresses can be mapped to countries or regions.
6664
6765
![Create a new country or region-based location in the Azure portal](./media/location-condition/new-named-location-country-region.png)
6866
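
Review bot: Two added lines have wording errors: line 47 reads "Private IP ranges connot be configured" (should be "cannot"), and line 56 reads "you may require restrict multi-factor authentication registration", where either "require" or "restrict" has to go; line 56 also has "a users' sign-in risk" for "a user's". Line 48, "Only CIDR masks greater than /8 are allowed", is easy to misread as allowing larger ranges, so state the allowed prefix lengths explicitly. The note on line 63 says IPv6 sign-ins are "considered unknown areas"; it should also say how a country-based block policy treats those sign-ins, since that decides whether such a policy can be relied on.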

@@ -89,33 +87,6 @@ For mobile and desktop applications, which have long lived session lifetimes, Co
8987

9088
If both steps fail, a user is considered to be no longer on a trusted IP.
9189

92-
## Preview features
93-
94-
In addition to the generally available named location feature, there is also a named location (preview). You can access the named location preview by using the banner at the top of the current named location blade.
95-
96-
![Try the named locations preview](./media/location-condition/preview-features.png)
97-
98-
With the named location preview, you are able to
99-
100-
- Configure up to 195 named locations
101-
- Configure up to 2000 IP Ranges per named location
102-
- Configure IPv6 addresses alongside IPv4 addresses
103-
104-
We’ve also added some additional checks to help reduce the change of misconfiguration.
105-
106-
- Private IP ranges can no longer be configured
107-
- The number of IP addresses that can be included in a range are limited. Only CIDR masks greater than /8 will be allowed when configuring an IP range.
108-
109-
With the preview, there are now two create options:
110-
111-
- **Countries location**
112-
- **IP ranges location**
113-
114-
> [!NOTE]
115-
> IPv6 address ranges cannot be mapped to countries. Only IPv4 addresses map to countries.
116-
117-
![Named locations preview interface](./media/location-condition/named-location-preview.png)
118-
11990
## Location condition in policy
12091

12192
When you configure the location condition, you have the option to distinguish between:
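
Review bot: Deleting the "## Preview features" heading on line 92 removes the #preview-features anchor; two inbound links are repointed elsewhere in this commit, but any reference that is missed will silently land on the top of the page, so a repo-wide search for the anchor is worth doing before merge. The two screenshots referenced only from the deleted lines (preview-features.png and named-location-preview.png) should be removed from media/location-condition if nothing else uses them.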
@@ -141,7 +112,7 @@ With this option, you can select one or more named locations. For a policy with
141112

142113
## IPv6 traffic
143114

144-
By default, Conditional Access policies will apply to all IPv6 traffic. With the [named location preview](#preview-features), you can exclude specific IPv6 address ranges from a Conditional Access policy. This option is useful in cases where you don’t want policy to be enforced for specific IPv6 ranges. For example, if you want to not enforce a policy for uses on your corporate network, and your corporate network is hosted on public IPv6 ranges.
115+
By default, Conditional Access policies will apply to all IPv6 traffic. You can exclude specific IPv6 address ranges from a Conditional Access policy if you don’t want policies to be enforced for specific IPv6 ranges. For example, if you want to not enforce a policy for uses on your corporate network, and your corporate network is hosted on public IPv6 ranges.
145116

146117
### When will my tenant have IPv6 traffic?
147118
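
Review bot: Line 115 keeps the typo "for uses on your corporate network" (should be "users"), and the sentence beginning "For example, if you want to not enforce a policy" is a fragment with no main clause. Suggested wording: "For example, you can exclude your corporate network's public IPv6 ranges so that the policy is not enforced for users on that network."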

articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -285,7 +285,7 @@ Refer to the following list to configure managed identity for Azure Policy (in r
285285
- [PowerShell](../../governance/policy/how-to/remediate-resources.md#create-managed-identity-with-powershell)
286286
- [Azure CLI](/cli/azure/policy/assignment#az-policy-assignment-create)
287287
- [Azure Resource Manager templates](/azure/templates/microsoft.authorization/policyassignments)
288-
- [REST](/rest/api/resources/policyassignments/create)
288+
- [REST](/rest/api/policy/policyassignments/create)
289289

290290

291291
### Azure Service Fabric

articles/azure-cache-for-redis/cache-high-availability.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -16,9 +16,9 @@ Azure Cache for Redis implements high availability by using multiple VMs, called
1616

1717
| Option | Description | Availability | Standard | Premium | Enterprise |
1818
| ------------------- | ------- | ------- | :------: | :---: | :---: |
19-
| [Standard replication](#standard-replication)| Dual-node replicated configuration in a single datacenter with automatic failover | 99.9% |||-|
20-
| [Zone redundancy](#zone-redundancy) | Multi-node replicated configuration across AZs, with automatic failover | 99.95% (Premium tier), 99.99% (Enterprise tiers) |-|Preview|Preview|
21-
| [Geo-replication](#geo-replication) | Linked cache instances in two regions, with user-controlled failover | 99.999% (Enterprise tier) |-||Preview|
19+
| [Standard replication](#standard-replication)| Dual-node replicated configuration in a single datacenter with automatic failover | 99.9% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_0/)) |||-|
20+
| [Zone redundancy](#zone-redundancy) | Multi-node replicated configuration across AZs, with automatic failover | Up to 99.99% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_0/)) |-|Preview|Preview|
21+
| [Geo-replication](#geo-replication) | Linked cache instances in two regions, with user-controlled failover | Up to 99.999% (see [details](https://azure.microsoft.com/support/legal/sla/cache/v1_0/)) |-||Preview|
2222

2323
## Standard replication
2424
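
Review bot: The Availability cell for zone redundancy on line 20 replaces the per-tier figures (99.95% for Premium, 99.99% for Enterprise) with "Up to 99.99%", so a Premium-tier reader can no longer tell from the table which number applies; the geo-replication row on line 21 likewise loses its "(Enterprise tier)" qualifier. Keep the tier qualifiers next to the SLA link. The same SLA URL is repeated in all three cells and could be a single sentence under the table instead.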

articles/azure-monitor/alerts/alerts-action-rules.md

Lines changed: 13 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
title: Action rules for Azure Monitor alerts
33
description: Understanding what action rules in Azure Monitor are and how to configure and manage them.
44
ms.topic: conceptual
5-
ms.date: 03/15/2021
5+
ms.date: 04/08/2021
66

77
---
88

@@ -63,7 +63,7 @@ The available filters are:
6363

6464
* **Severity**
6565
This rule will apply only to alerts with the selected severities.
66-
For example, **severity = Sev1** means that the rule will apply only to alerts with Sev1 severity.
66+
For example, **severity = "Sev1"** means that the rule will apply only to alerts with Sev1 severity.
6767
* **Monitor service**
6868
This rule will apply only to alerts coming from the selected monitoring services.
6969
For example, **monitor service = “Azure Backup”** means that the rule will apply only to backup alerts (coming from Azure Backup).
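
Review bot: Line 66 switches the example value to straight double quotes, but the neighboring example on line 69 still uses curly quotes around "Azure Backup". Since this commit standardizes the other filter examples on straight quotes, line 69 should be changed as well so the examples are consistent.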
@@ -75,15 +75,22 @@ This rule will apply only to alerts coming from a specific alert rule. The value
7575
For example, **alert rule ID = "/subscriptions/SubId1/resourceGroups/RG1/providers/microsoft.insights/metricalerts/API-Latency"** means this rule will apply only to alerts coming from "API-Latency" metric alert rule.
7676
_NOTE - you can get the proper alert rule ID by listing your alert rules from the CLI, or by opening a specific alert rule in the portal, clicking "Properties", and copying the "Resource ID" value._
7777
* **Monitor condition**
78-
This rule will apply only to alert events with the specified monitor condition - either **Fired** or **Resolved**.
78+
This rule will apply only to alert events with the specified monitor condition - either **"Fired"** or **"Resolved"**.
7979
* **Description**
8080
This rule will apply only to alerts that contains a specific string in the alert description field. That field contains the alert rule description.
81-
For example, **description contains 'prod'** means that the rule will only match alerts that contain the string "prod" in their description.
81+
For example, **description contains "prod"** means that the rule will only match alerts that contain the string "prod" in their description.
8282
* **Alert context (payload)**
8383
This rule will apply only to alerts that contain any of one or more specific values in the alert context fields.
84-
For example, **alert context (payload) contains 'Computer-01'** means that the rule will only apply to alerts whose payload contain the string "Computer-01".
84+
For example, **alert context (payload) contains "Computer-01"** means that the rule will only apply to alerts whose payload contain the string "Computer-01".
8585

86-
If you set multiple filters in a rule, all of them apply. For example, if you set **resource type' = Virtual Machines** and **severity' = Sev0**, then the rule will apply only for Sev0 alerts on virtual machines.
86+
> [!NOTE]
87+
> Each filter may include up to five values.
88+
> For example, a filter on monitor service may include up to five monitor service names.
89+
90+
91+
92+
93+
If you set multiple filters in a rule, all of them apply. For example, if you set **resource type = "Virtual Machines"** and **severity = "Sev0"**, then the rule will apply only for Sev0 alerts on virtual machines.
8794

8895
![Action rule filters](media/alerts-action-rules/action-rules-new-rule-creation-flow-filters.png)
8996
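
Review bot: Lines 89 through 92 add four consecutive empty lines after the new note; one blank line is enough to close the block quote. The note on lines 86 to 88 says a filter may hold up to five values but not how multiple values inside one filter are evaluated, while line 93 only covers multiple filters; one sentence on that would remove the ambiguity. Line 84 still reads "alerts whose payload contain" and context line 80 reads "alerts that contains"; both should be fixed while this block is being edited.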

articles/azure-monitor/app/sampling.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -179,7 +179,7 @@ The above code will disable adaptive sampling. Follow the steps below to add sam
179179
Use extension methods of `TelemetryProcessorChainBuilder` as shown below to customize sampling behavior.
180180

181181
> [!IMPORTANT]
182-
> If you use this method to configure sampling, please make sure to set the `aiOptions.EnableAdaptiveSampling` property to `false` when calling `AddApplicationInsightsTelemetry()`.
182+
> If you use this method to configure sampling, please make sure to set the `aiOptions.EnableAdaptiveSampling` property to `false` when calling `AddApplicationInsightsTelemetry()`. After making this change, you then need to follow the instructions in the code block below **exactly** in order to re-enable adaptive sampling with your customizations in place. Failure to do so can result in excess data ingestion. Always test post changing sampling settings, and set an appropriate [daily data cap](pricing.md#set-the-daily-cap) to help control your costs.
183183
184184
```csharp
185185
using Microsoft.ApplicationInsights.Extensibility
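
Review bot: The expanded note on line 182 tells readers to follow the code block "exactly", yet the first line of that block shown here, `using Microsoft.ApplicationInsights.Extensibility`, has no terminating semicolon and will not compile as written; fix the sample in the same change. The note is also one long paragraph: splitting the cost warning into its own sentence group and changing "Always test post changing sampling settings" to "Always test after changing sampling settings" would make the required steps easier to follow.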

articles/azure-monitor/logs/cross-workspace-query.md

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: This article describes how you can query against resources from mul
44
ms.topic: conceptual
55
author: bwren
66
ms.author: bwren
7-
ms.date: 09/22/2020
7+
ms.date: 04/11/2021
88

99
---
1010

@@ -23,7 +23,7 @@ There are two methods to query data that is stored in multiple workspace and app
2323
## Cross-resource query limits
2424

2525
* The number of Application Insights resources and Log Analytics workspaces that you can include in a single query is limited to 100.
26-
* Cross-resource query is not supported in View Designer. You can Author a query in Log Analytics and pin it to Azure dashboard to [visualize a log query](../visualize/tutorial-logs-dashboards.md).
26+
* Cross-resource query is not supported in View Designer. You can Author a query in Log Analytics and pin it to Azure dashboard to [visualize a log query](../visualize/tutorial-logs-dashboards.md) or include in [Workbooks](../visualize/workbooks-overview.md).
2727
* Cross-resource queries in log alerts are only supported in the current [scheduledQueryRules API](/rest/api/monitor/scheduledqueryrules). If you're using the legacy Log Analytics Alerts API, you'll need to [switch to the current API](../alerts/alerts-log-api-switch.md).
2828

2929
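
Review bot: On line 26, "or include in [Workbooks]" has no object and "Author" is capitalized mid-sentence. Suggested wording: "You can author a query in Log Analytics and pin it to an Azure dashboard to visualize a log query, or include it in Workbooks."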

@@ -37,15 +37,17 @@ Identifying a workspace can be accomplished one of several ways:
3737

3838
* Resource name - is a human-readable name of the workspace, sometimes referred to as *component name*.
3939

40+
>[!Note]
41+
>Because app and workspace names are not unique, this identifier might be ambiguous. When there are multiple instances of the resource name, reference should be by Qualified name, Resource ID, or Azure Resource ID.
42+
4043
`workspace("contosoretail-it").Update | count`
4144

42-
* Qualified name - is the full name of the workspace, composed of the subscription name, resource group, and component name in this format: *subscriptionName/resourceGroup/componentName*.
45+
* Qualified name - is the "full name" of the workspace, composed of the subscription name, resource group, and component name in this format: *subscriptionName/resourceGroup/componentName*.
4346

4447
`workspace('contoso/contosoretail/contosoretail-it').Update | count`
4548

4649
>[!NOTE]
47-
>Because Azure subscription names are not unique, this identifier might be ambiguous.
48-
>
50+
>Because Azure subscription names are not unique, this identifier might be ambiguous.
4951
5052
* Workspace ID - A workspace ID is the unique, immutable, identifier assigned to each workspace represented as a globally unique identifier (GUID).
5153
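
Review bot: The new note on line 41 recommends the Qualified name as a way to disambiguate duplicate resource names, but the existing note on line 50 says the qualified name "might be ambiguous" because subscription names are not unique, so the two notes contradict each other. Recommend only the identifiers that are actually unique; the note also says "Resource ID" where the list below calls the identifier "Workspace ID". Separately, the note is inserted between the "Resource name" bullet and its example query on line 43, which detaches the example from the bullet, and its `>[!Note]` casing differs from the `>[!NOTE]` used on line 49.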
