articles/active-directory/fundamentals/whats-new.md
Lines changed: 1 addition & 1 deletion
@@ -133,7 +133,7 @@ New cmdlets were added to the AzureADPreview module, to help define and assign c
133
133
**Service category:** Other
134
134
**Product capability:** Directory
135
135
136
-
We've released an updated version of Azure AD Connect for auto-upgrade customers. This new version includes several new features, improvements, and bug fixes. For more information about this new version, see [Azure AD Connect: Version release history](https://docs.microsoft.com/azure/active-directory/hybrid/reference-connect-version-history#14x0).
136
+
We've released an updated version of Azure AD Connect for auto-upgrade customers. This new version includes several new features, improvements, and bug fixes. For more information about this new version, see [Azure AD Connect: Version release history](https://docs.microsoft.com/azure/active-directory/hybrid/reference-connect-version-history#14250).
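Review bot: The + line changes only the link fragment, from `#14x0` to `#14250`, and the sentence still never names the release it announces, so the entry is only as good as that anchor. Suggest naming the version in the sentence itself and confirming that the `#14250` heading exists in reference-connect-version-history before merging.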
Azure Active Directory (Azure AD) supports bulk user import (create) operations.
22
22
23
-
## Bulk download service limits
24
-
25
-
Each bulk activity to create a list of users can run for up to one hour. This enables creation and download of a list of at least 500,000 users.
26
-
27
23
## Required permissions
28
24
29
25
To download the list of users from the Azure AD admin center, you must be signed in with a user assigned to one or more organization-level administrator roles in Azure AD. Guest inviter and application developer are not considered administrator roles.
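Review bot: With the "Bulk download service limits" section removed from the top, the context line "Azure Active Directory (Azure AD) supports bulk user import (create) operations." now leads directly into "Required permissions", which is about downloading the list of users. The introduction describes import while the rest of the article describes download; suggest correcting that sentence in the same change. The permissions paragraph also says "one or more organization-level administrator roles" without naming them; listing the roles would let readers choose the least privileged one that works.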
@@ -42,6 +38,10 @@ You can see the status of your pending bulk requests in the **Bulk operation res
42
38
43
39

44
40
41
+
## Bulk download service limits
42
+
43
+
Each bulk activity to create a list of users can run for up to one hour. This enables creation and download of a list of at least 500,000 users.
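Review bot: In the re-added section, "at least 500,000 users" sits under a heading about service limits but reads as a minimum rather than a limit. Suggest stating the bound directly (the one-hour run time is the limit, the user count is what fits within it) and rewording "bulk activity to create a list of users" so it cannot be read as creating users.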
articles/aks/operator-best-practices-storage.md
Lines changed: 1 addition & 1 deletion
@@ -88,7 +88,7 @@ For more information about storage class options, see [storage reclaim policies]
88
88
89
89
**Best practice guidance** - Back up your data using an appropriate tool for your storage type, such as Velero or Azure Site Recovery. Verify the integrity, and security, of those backups.
90
90
91
-
When your applications store and consume data persisted on disks or in files, you need to take regular backups or snapshots of that data. Azure Disks can use built-in snapshot technologies. You may need to a hook for your applications to flush writes to disk before you perform the snapshot operation. [Velero][velero] can back up persistent volumes along with additional cluster resources and configurations. If you can't [remove state from your applications][remove-state], back up the data from persistent volumes and regularly test the restore operations to verify data integrity and the processes required.
91
+
When your applications store and consume data persisted on disks or in files, you need to take regular backups or snapshots of that data. Azure Disks can use built-in snapshot technologies. You may need to look for your applications to flush writes to disk before you perform the snapshot operation. [Velero][velero] can back up persistent volumes along with additional cluster resources and configurations. If you can't [remove state from your applications][remove-state], back up the data from persistent volumes and regularly test the restore operations to verify data integrity and the processes required.
92
92
93
93
Understand the limitations of the different approaches to data backups and if you need to quiesce your data prior to snapshot. Data backups don't necessarily let you restore your application environment of cluster deployment. For more information about those scenarios, see [Best practices for business continuity and disaster recovery in AKS][best-practices-multi-region].
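Review bot: The replacement on the + line, "You may need to look for your applications to flush writes to disk", does not repair the original "You may need to a hook for your applications"; it changes what the sentence says. The original was missing a verb before "a hook": the application needs a hook that flushes writes before the snapshot is taken, which is the same concern as the later context line about quiescing data. Suggest restoring "a hook" with the missing verb, for example "You may need to use a hook for your applications to flush writes to disk", instead of "look for".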
This article shows you how to configure Azure App Service to use Azure Active Directory (Azure AD) as an authentication provider.
27
+
25
28
> [!NOTE]
26
-
> At this time, AAD V2 (including MSAL) is not supported for Azure App Service and Azure Functions.
27
-
>
29
+
> At this time, Azure App Service and Azure Functions are only supported by Azure AD v1.0. They're not supported by the [Microsoft identity platform v2.0](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview), which includes Microsoft Authentication Libraries (MSAL).
28
30
29
-
This article shows you how to configure Azure App Service to use Azure Active Directory as an authentication provider.
31
+
Follow these best practices when setting up your app and authentication:
30
32
31
-
It's recommended that you configure each App Service app with its own registration, so it has its own permissions and consent. Also, consider using separate app registrations for separate deployment slots. This avoids permission sharing between environments, so that an issue in new code you're testing does not affect production.
33
+
- Give each App Service app its own permissions and consent.
34
+
- Configure each App Service app with its own registration.
35
+
- Avoid permission sharing between environments by using separate app registrations for separate deployment slots. When testing new code, this practice can help prevent issues from affecting the production app.
32
36
33
37
## <aname="express"> </a>Configure with express settings
34
38
35
-
1. In the [Azure portal], navigate to your App Service app. In the left navigation, select **Authentication / Authorization**.
36
-
2. If **Authentication / Authorization** is not enabled, select **On**.
37
-
3. Select **Azure Active Directory**, and then select **Express** under **Management Mode**.
38
-
4. Select **OK** to register the App Service app in Azure Active Directory. This creates a new app registration. If you want to choose an existing app registration instead, click **Select an existing app** and then search for the name of a previously created app registration within your tenant. Click the app registration to select it and click **OK**. Then click **OK** on the Azure Active Directory settings page.
39
-
By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.
40
-
5. (Optional) To restrict access to your app to only users authenticated by Azure Active Directory, set **Action to take when request is not authenticated** to **Log in with Azure Active Directory**. This requires that all requests be authenticated, and all unauthenticated requests are redirected to Azure Active Directory for authentication.
39
+
1. In the [Azure portal], go to your App Service app.
40
+
1. Select **Settings** > **Authentication / Authorization** in the left pane, and make sure that **App Service Authentication** is **On**.
41
+
1. Select **Azure Active Directory**, and then select **Express** under **Management Mode**.
42
+
1. Select **OK** to register the App Service app in Azure Active Directory. A new app registration is created.
41
43
42
-
> [!NOTE]
43
-
> Restricting access in this way applies to all calls to your app, which may not be desirable for apps wanting a publicly available home page, as in many single-page applications. For such applications, **Allow anonymous requests (no action)** may be preferred, with the app manually starting login itself, as described [here](overview-authentication-authorization.md#authentication-flow).
44
-
6. Click **Save**.
44
+
If you want to choose an existing app registration instead:
45
+
46
+
1. Choose **Select an existing app** and then search for the name of a previously created app registration within your tenant.
47
+
1. Select the app registration and then select **OK**.
48
+
1. Then select **OK** on the Azure Active Directory settings page.
49
+
50
+
By default, App Service provides authentication but doesn't restrict authorized access to your site content and APIs. You must authorize users in your app code.
51
+
1. (Optional) To restrict app access only to users authenticated by Azure Active Directory, set **Action to take when request is not authenticated** to **Log in with Azure Active Directory**. When you set this functionality, your app requires all requests to be authenticated. It also redirects all unauthenticated to Azure Active Directory for authentication.
52
+
53
+
> [!CAUTION]
54
+
> Restricting access in this way applies to all calls to your app, which might not be desirable for apps that have a publicly available home page, as in many single-page applications. For such applications, **Allow anonymous requests (no action)** might be preferred, with the app manually starting login itself. For more information, see [Authentication flow](overview-authentication-authorization.md#authentication-flow).
55
+
1. Select **Save**.
45
56
46
57
## <aname="advanced"> </a>Configure with advanced settings
47
58
48
-
You can also provide configuration settings manually, if the Azure Active Directory tenant you want to use is different from the tenant with which you sign into Azure. To complete the configuration, you must first create a registration in Azure Active Directory, and then you must provide some of the registration details to App Service.
59
+
You can configure app settings manually if you want to use an Azure AD tenant that's different from the one you use to sign in to Azure. To complete this custom configuration, you'll need to:
60
+
61
+
1. Create a registration in Azure AD.
62
+
1. Provide some of the registration details to App Service.
49
63
50
64
### <aname="register"> </a>Create an app registration in Azure AD for your App Service app
51
65
52
-
When creating an app registration manually, note three pieces of information that you will need later when configuring your App Service app: the client ID, the tenant ID, and optionally the client secret and the application ID URI.
66
+
You'll need the following information when you configure your App Service app:
67
+
68
+
- Client ID
69
+
- Tenant ID
70
+
- Client secret (optional)
71
+
- Application ID URI
72
+
73
+
Perform the following steps:
53
74
54
-
1.In the [Azure portal], navigate to your App Service app and note your app's **URL**. You will use it to configure your Azure Active Directory app registration.
55
-
1.In the [Azure portal], from the left menu, select **Active Directory** > **App registrations** > **New registration**.
75
+
1.Sign in to the [Azure portal] and go to your App Service app. Note your app's **URL**. You'll use it to configure your Azure Active Directory app registration.
76
+
1.Select **Azure Active Directory** > **App registrations** > **New registration**.
56
77
1. In the **Register an application** page, enter a **Name** for your app registration.
57
-
1. In **Redirect URI**, select **Web** and type the URL of your App Service app and append the path `/.auth/login/aad/callback`. For example, `https://contoso.azurewebsites.net/.auth/login/aad/callback`. Then select **Create**.
58
-
1. Once the app registration is created, copy the **Application (client) ID** and the **Directory (tenant) ID** for later.
59
-
1. Select **Branding**. In **Home page URL**, type the URL of your App Service app and select **Save**.
78
+
1. In **Redirect URI**, select **Web** and enter the URL of your App Service app and append the path `/.auth/login/aad/callback`. For example, `https://contoso.azurewebsites.net/.auth/login/aad/callback`.
79
+
1. Select **Create**.
80
+
1. After the app registration is created, copy the **Application (client) ID** and the **Directory (tenant) ID** for later.
81
+
1. Select **Branding**. In **Home page URL**, enter the URL of your App Service app and select **Save**.
60
82
1. Select **Expose an API** > **Set**. Paste in the URL of your App Service app and select **Save**.
61
83
62
-
> [!NOTE]
63
-
> This value is the **Application ID URI** of the app registration. If you want to have a front-end web app to access a back-end API, for example, and you want the back end to explicitly grant access to the front end, you need the **Application ID URI** of the *front end* when you configure the App Service app resource of the *back end*.
64
-
1. Select **Add a scope**. In **Scope name**, type *user_impersonation*. In the text boxes, type the consent scope name and description you want users to see on the consent page, such as *Access my app*. When finished, click **Add scope**.
65
-
1. (Optional) To create a client secret, select **Certificates & secrets** > **New client secret** > **Add**. Copy the client secret value shown in the page. Once you navigate away, it won't be shown again.
66
-
1. (Optional) To add multiple **Reply URLs**, select **Authentication** in the menu.
84
+
> [!NOTE]
85
+
> This value is the **Application ID URI** of the app registration. If your web app requires access to an API in the cloud, you need the **Application ID URI** of the web app when you configure the cloud App Service resource. You can use this, for example, if you want the cloud service to explicitly grant access to the web app.
86
+
87
+
1. Select **Add a scope**.
88
+
1. In **Scope name**, enter *user_impersonation*.
89
+
1. In the text boxes, enter the consent scope name and description you want users to see on the consent page. For example, enter *Access my app*.
90
+
1. Select **Add scope**.
91
+
1. (Optional) To create a client secret, select **Certificates & secrets** > **New client secret** > **Add**. Copy the client secret value shown in the page. It won't be shown again.
92
+
1. (Optional) To add multiple **Reply URLs**, select **Authentication**.
67
93
68
94
### <aname="secrets"> </a>Add Azure Active Directory information to your App Service app
69
95
70
-
1. In the [Azure portal], navigate to your App Service app. From the left menu, select **Authentication / Authorization**. If the Authentication/Authorization feature is not enabled, select **On**.
96
+
1. In the [Azure portal], go to your App Service app.
97
+
1. Select **Settings > Authentication / Authorization** in the left pane, and make sure that **App Service Authentication** is **On**.
71
98
1. (Optional) By default, App Service authentication allows unauthenticated access to your app. To enforce user authentication, set **Action to take when request is not authenticated** to **Log in with Azure Active Directory**.
72
99
1. Under Authentication Providers, select **Azure Active Directory**.
73
100
1. In **Management mode**, select **Advanced** and configure App Service authentication according to the following table:
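Review bot: The rewritten note under **Expose an API** replaces "front end" and "back end" with "web app" and "cloud App Service resource", and it is no longer clear whose **Application ID URI** goes where. The removed text said the *front end's* URI is needed when configuring the *back end*; because this value is what gets listed as an allowed token audience, suggest keeping the front-end/back-end wording. Two smaller points in the same hunk: the added optional step reads "redirects all unauthenticated to Azure Active Directory" (missing "requests"), and the new bullet list marks only the client secret as optional, where the removed sentence said "optionally the client secret and the application ID URI".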
@@ -77,31 +104,33 @@ When creating an app registration manually, note three pieces of information tha
77
104
|Client ID| Use the **Application (client) ID** of the app registration. |
78
105
|Issuer ID| Use `https://login.microsoftonline.com/<tenant-id>`, and replace *\<tenant-id>* with the **Directory (tenant) ID** of the app registration. |
79
106
|Client Secret (Optional)| Use the client secret you generated in the app registration.|
80
-
|Allowed Token Audiences| If this is a *back-end*app and you want to allow authentication tokens from a front-end app, add the **Application ID URI** of the *front end* here. |
107
+
|Allowed Token Audiences| If this is a cloud or server app and you want to allow authentication tokens from a web app, add the **Application ID URI** of the web app here. |
81
108
82
109
> [!NOTE]
83
110
> The configured **Client ID** is *always* implicitly considered to be an allowed audience, regardless of how you configured the **Allowed Token Audiences**.
84
-
1. Select **OK**, then select **Save**.
111
+
1. Select **OK**, and then select **Save**.
85
112
86
-
You are now ready to use Azure Active Directory for authentication in your App Service app.
113
+
You're now ready to use Azure Active Directory for authentication in your App Service app.
87
114
88
115
## Configure a native client application
89
-
You can register native clients if you wish to perform sign-ins using a client library such as the **Active Directory Authentication Library**.
90
116
91
-
1. In the [Azure portal], from the left menu, select **Active Directory** > **App registrations** > **New registration**.
117
+
You can register native clients to allow authentication using a client library such as the **Active Directory Authentication Library**.
118
+
119
+
1. In the [Azure portal], select **Active Directory** > **App registrations** > **New registration**.
92
120
1. In the **Register an application** page, enter a **Name** for your app registration.
93
-
1. In **Redirect URI**, select **Public client (mobile & desktop)** and type the URL of your App Service app and append the path `/.auth/login/aad/callback`. For example, `https://contoso.azurewebsites.net/.auth/login/aad/callback`. Then select **Create**.
121
+
1. In **Redirect URI**, select **Public client (mobile & desktop)** and enter the URL of your App Service app and append the path `/.auth/login/aad/callback`. For example, `https://contoso.azurewebsites.net/.auth/login/aad/callback`.
122
+
1. Select **Create**.
94
123
95
124
> [!NOTE]
96
125
> For a Windows application, use the [package SID](../app-service-mobile/app-service-mobile-dotnet-how-to-use-client-library.md#package-sid) as the URI instead.
97
-
1.Once the app registration is created, copy the value of **Application (client) ID**.
98
-
1.From the left menu, select**API permissions** > **Add a permission** > **My APIs**.
99
-
1. Select the app registration you created earlier for your App Service app. If you don't see the app registration, check that you've added the **user_impersonation** scope in [Create an app registration in Azure AD for your App Service app](#register).
100
-
1. Select **user_impersonation** and click**Add permissions**.
126
+
1.After the app registration is created, copy the value of **Application (client) ID**.
127
+
1.Select**API permissions** > **Add a permission** > **My APIs**.
128
+
1. Select the app registration you created earlier for your App Service app. If you don't see the app registration, make sure that you've added the **user_impersonation** scope in [Create an app registration in Azure AD for your App Service app](#register).
129
+
1. Select **user_impersonation**, and then select**Add permissions**.
101
130
102
131
You have now configured a native client application that can access your App Service app.
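Review bot: The **Allowed Token Audiences** row now says "cloud or server app" and "web app" where the removed row said *back-end* and *front end*. This row decides which token audiences the app accepts, and an App Service app is itself a web app, so the new terms do not tell the reader which registration's **Application ID URI** to add; suggest keeping back end and front end. Separately, the added native client steps carry over missing spaces from the removed lines: `1.After the app registration is created`, `1.Select**API permissions**` and `select**Add permissions**` should read `1. After`, `1. Select **API permissions**` and `select **Add permissions**`.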