Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into smallFix

Author: roygara

articles/active-directory/manage-apps/howto-saml-token-encryption.md

@@ -13,12 +13,12 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 02/06/2019
+ms.date: 03/13/2020
 ms.author: mimart
 ms.reviewer: paulgarn
 ms.collection: M365-identity-device-management
 ---
-# How to: Configure Azure AD SAML token encryption (Preview)
+# How to: Configure Azure AD SAML token encryption
 
 > [!NOTE]
 > Token encryption is an Azure Active Directory (Azure AD) premium feature. To learn more about Azure AD editions, features, and pricing, see [Azure AD pricing](https://azure.microsoft.com/pricing/details/active-directory/).
@@ -118,9 +118,6 @@ When you configure a keyCredential using Graph, PowerShell, or in the applicatio
 
 ### To configure token encryption using PowerShell
 
-This functionality is coming soon. 
-
-<!--
 1. Use the latest Azure AD PowerShell module to connect to your tenant.
 
 1. Set the token encryption settings using the **[Set-AzureApplication](https://docs.microsoft.com/powershell/module/azuread/set-azureadapplication?view=azureadps-2.0-preview)** command.
@@ -137,8 +134,6 @@ This functionality is coming soon.
     $app.TokenEncryptionKeyId
     ```
 
--->
-
 ### To configure token encryption using the application manifest
 
 1. From the Azure portal, go to **Azure Active Directory > App registrations**.

articles/active-directory/manage-apps/toc.yml

@@ -68,7 +68,7 @@
           href: manage-certificates-for-federated-single-sign-on.md
         - name: Tenant restrictions
           href: tenant-restrictions.md
-        - name: Configure SAML token encryption (Preview)
+        - name: Configure SAML token encryption
           href: howto-saml-token-encryption.md
         - name: End-user portals
           href: end-user-experiences.md

articles/azure-functions/functions-create-function-app-portal.md

@@ -14,10 +14,6 @@ This topic shows you how to use Azure Functions to create a function app in the
 
 [!INCLUDE [functions-create-function-app-portal](../../includes/functions-create-function-app-portal.md)]
 
-When you create a function app, supply a valid **App name**, which can contain only letters, numbers, and hyphens. Underscore (**_**) is not an allowed character.
-
-Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. Your storage account name must be unique within Azure. 
-
 After the function app is created, you can create individual functions in one or more different languages. Create functions [by using the portal](functions-create-first-azure-function.md#create-function), [continuous deployment](functions-continuous-deployment.md), or by [uploading with FTP](https://github.com/projectkudu/kudu/wiki/Accessing-files-via-ftp).
 
 ## Service plans

articles/bastion/bastion-create-host-portal.md

@@ -1,6 +1,6 @@
 ---
-title: 'Create an Azure Bastion host  | Microsoft Docs'
-description: In this article, learn how to create an Azure Bastion host
+title: 'Create an Azure Bastion host: portal'
+description: In this article, learn how to create an Azure Bastion host using the portal
 services: bastion
 author: cherylmc
 
@@ -12,19 +12,19 @@ ms.author: cherylmc
 
 ---
 
-# Create an Azure Bastion host
+# Create an Azure Bastion host using the portal
 
 This article shows you how to create an Azure Bastion host using the Azure portal. Once you provision the Azure Bastion service in your virtual network, the seamless RDP/SSH experience is available to all of the VMs in the same virtual network. Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine.
 
-You can create a new bastion host resource in the portal either by specifying all of the settings manually, or by using the settings that correspond to an existing VM. Optionally, you can use [Azure Powershell](bastion-create-host-powershell.md) to create an Azure Bastion host.
+You can create a new bastion host resource in the portal either by specifying all of the settings manually, or by using the settings that correspond to an existing VM. To create a bastion host by using VM settings, see the [quickstart](quickstart-host-portal.md) article. Optionally, you can use [Azure PowerShell](bastion-create-host-powershell.md) to create an Azure Bastion host.
 
 ## Before you begin
 
 Bastion is available in the following Azure public regions:
 
 [!INCLUDE [available regions](../../includes/bastion-regions-include.md)]
 
-## <a name="createhost"></a>Create a bastion host - specify settings
+## <a name="createhost"></a>Create a bastion host
 
 This section helps you create a new Azure Bastion resource from the Azure portal.
 
@@ -41,7 +41,7 @@ This section helps you create a new Azure Bastion resource from the Azure portal
     ![create a bastion](./media/bastion-create-host-portal/settings.png)
 
     * **Subscription**: The Azure subscription you want to use to create a new Bastion resource.
-    * **Resource Group**: The Azure resource group in which the new Bastion resource will be created in. If you don’t have an existing resource group, you can create a new one.
+    * **Resource Group**: The Azure resource group in which the new Bastion resource will be created in. If you don't have an existing resource group, you can create a new one.
     * **Name**: The name of the new Bastion resource
     * **Region**: The Azure public region that the resource will be created in.
     * **Virtual network**: The virtual network in which the Bastion resource will be created in. You can create a new virtual network in the portal during this process, or use an existing virtual network. If you are using an existing virtual network, make sure the existing virtual network has enough free address space to accommodate the Bastion subnet requirements.
@@ -57,26 +57,6 @@ This section helps you create a new Azure Bastion resource from the Azure portal
 1. On the **Create a bastion** page, click **Create**.
 1. You will see a message letting you know that your deployment is underway. Status will display on this page as the resources are created. It takes about 5 minutes for the Bastion resource to be created and deployed.
 
-## <a name="createvmset"></a>Create a bastion host - use VM settings
-
-If you create a bastion host in the portal by using an existing VM, various settings will automatically default to correspond to your virtual machine and/or virtual network.
-
-1. Open the [Azure portal](https://portal.azure.com). Go to your virtual machine, then click **Connect**.
-
-   ![VM Connect](./media/bastion-create-host-portal/vmsettings.png)
-1. On the right sidebar, click **Bastion**, then **Use Bastion**.
-
-   ![Bastion](./media/bastion-create-host-portal/vmbastion.png)
-1. On the Bastion page, fill out the following settings fields:
-
-   * **Name**: The name of the bastion host you want to create.
-   * **Subnet**: The subnet inside your virtual network to which Bastion resource will be deployed. The subnet must be created with the name **AzureBastionSubnet**. This lets Azure know which subnet to deploy the Bastion resource to. This is different than a Gateway subnet. You must use a subnet of at least /27 or larger (/27, /26, and so on). Create the subnet without any Network Security Groups, route tables, or delegations. If you later choose to use Network Security Groups on the **AzureBastionSubnet**, see [Work with NSGs](bastion-nsg.md).
-   
-     Click **Manage subnet configuration** to create the **AzureBastionSubnet**.  Click **Create** to create the subnet, then proceed with the next settings.
-   * **Public IP address**: The public IP of the Bastion resource on which RDP/SSH will be accessed (over port 443). Create a new public IP, or use an existing one. The public IP address must be in the same region as the Bastion resource you are creating.
-   * **Public IP address name**: The name of the public IP address resource.
-1. On the validation screen, click **Create**. Wait for about 5 minutes for the Bastion resource create and deploy.
-
 ## Next steps
 
 * Read the [Bastion FAQ](bastion-faq.md) for additional information.

articles/vpn-gateway/media/vpn-gateway-howto-always-on-user-tunnel/p2s4..jpg renamed to articles/vpn-gateway/media/vpn-gateway-howto-always-on-user-tunnel/disconnect.jpg

@@ -7,155 +7,23 @@ author: cherylmc
 
 ms.service: vpn-gateway
 ms.topic: conceptual
-ms.date: 12/11/2019
+ms.date: 03/12/2020
 ms.author: cherylmc
 
 ---
 # Configure an Always On VPN device tunnel
 
-One of the new features of the Windows 10 Virtual Private Network (VPN) client is the ability to maintain a VPN connection. Always On is a Windows 10 feature that enables the active VPN profile to connect automatically and remain connected based on triggers — namely, user sign-in, network state change, or device screen active.
+[!INCLUDE [intro](../../includes/vpn-gateway-vwan-always-on-intro.md)]
 
-Azure virtual network gateways can be used with Windows 10 Always On to establish persistent user tunnels as well as device tunnels to Azure. This article will help you configure an Always ON VPN device tunnel.
+## Configure the gateway
 
-Always On VPN connections include two types of tunnels:
+Configure the VPN gateway to use IKEv2 and certificate-based authentication using the [Configure a Point-to-Site VPN connection](vpn-gateway-howto-point-to-site-resource-manager-portal.md) article.
 
-* **Device tunnel** connects to specified VPN servers before users sign in the device. Pre-login connectivity scenarios and device management purposes use device tunnel.
+## Configure the device tunnel
 
-* **User tunnel** connects only after a user sign in the device. User tunnel allows users to access organization resources through VPN servers.
+[!INCLUDE [device tunnel](../../includes/vpn-gateway-vwan-always-on-device.md)]
 
-Both Device tunnel and User tunnel operate independently with their VPN profiles. They can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate.
-
-## 1. Configure the gateway
-
-Configure the VPN gateway to use IKEv2 and certificate-based authentication using this [point-to-site article](vpn-gateway-howto-point-to-site-resource-manager-portal.md).
-
-## 2. Configure the device tunnel
-
-The following requirements must be met in order to successfully establish a device tunnel:
-
-* The device must be a domain joined computer running Windows 10 Enterprise or Education version 1809 or later.
-* The tunnel is only configurable for the Windows built-in VPN solution and is established using IKEv2 with computer certificate authentication. 
-* Only one device tunnel can be configured per device.
-
-1. Install client certificates on the Windows 10 client as shown in this [point-to-site VPN client article](point-to-site-how-to-vpn-client-install-azure-cert.md). The certificate needs to be in the Local Machine store.
-1. Use [these instructions](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config#vpn-device-tunnel-configuration) to create a VPN Profile and configure device tunnel in the context of the LOCAL SYSTEM account.
-
-### Configuration example for device tunnel
-
-After you have configured the virtual network gateway and installed the client certificate in the Local Machine store on the Windows 10 client, use the following examples to configure a client device tunnel.
-
-1. Copy the following text and save it as ***devicecert.ps1***.
-
-   ```
-   Param(
-   [string]$xmlFilePath,
-   [string]$ProfileName
-   )
-
-   $a = Test-Path $xmlFilePath
-   echo $a
-
-   $ProfileXML = Get-Content $xmlFilePath
-
-   echo $XML
-
-   $ProfileNameEscaped = $ProfileName -replace ' ', '%20'
-
-   $Version = 201606090004
-
-   $ProfileXML = $ProfileXML -replace '<', '&lt;'
-   $ProfileXML = $ProfileXML -replace '>', '&gt;'
-   $ProfileXML = $ProfileXML -replace '"', '&quot;'
-
-   $nodeCSPURI = './Vendor/MSFT/VPNv2'
-   $namespaceName = "root\cimv2\mdm\dmmap"
-   $className = "MDM_VPNv2_01"
-
-   $session = New-CimSession
-
-   try
-   {
-   $newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName
-   $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", "$nodeCSPURI", 'String', 'Key')
-   $newInstance.CimInstanceProperties.Add($property)
-   $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", "$ProfileNameEscaped", 'String', 'Key')
-   $newInstance.CimInstanceProperties.Add($property)
-   $property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ProfileXML", "$ProfileXML", 'String', 'Property')
-   $newInstance.CimInstanceProperties.Add($property)
-
-   $session.CreateInstance($namespaceName, $newInstance)
-   $Message = "Created $ProfileName profile."
-   Write-Host "$Message"
-   }
-   catch [Exception]
-   {
-   $Message = "Unable to create $ProfileName profile: $_"
-   Write-Host "$Message"
-   exit
-   }
-   $Message = "Complete."
-   Write-Host "$Message"
-   ```
-1. Copy the following text and save it as ***VPNProfile.xml*** in the same folder as **devicecert.ps1**. Edit the following text to match your environment.
-
-   * `<Servers>azuregateway-1234-56-78dc.cloudapp.net</Servers> <= Can be found in the VpnSettings.xml in the downloaded profile zip file`
-   * `<Address>192.168.3.5</Address> <= IP of resource in the vnet or the vnet address space`
-   * `<Address>192.168.3.4</Address> <= IP of resource in the vnet or the vnet address space`
-
-   ```
-   <VPNProfile>  
-     <NativeProfile>  
-   <Servers>azuregateway-1234-56-78dc.cloudapp.net</Servers>  
-   <NativeProtocolType>IKEv2</NativeProtocolType>  
-   <Authentication>  
-     <MachineMethod>Certificate</MachineMethod>  
-   </Authentication>  
-   <RoutingPolicyType>SplitTunnel</RoutingPolicyType>  
-    <!-- disable the addition of a class based route for the assigned IP address on the VPN interface -->
-   <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>  
-     </NativeProfile> 
-     <!-- use host routes(/32) to prevent routing conflicts -->  
-     <Route>  
-   <Address>192.168.3.5</Address>  
-   <PrefixSize>32</PrefixSize>  
-     </Route>  
-     <Route>  
-   <Address>192.168.3.4</Address>  
-   <PrefixSize>32</PrefixSize>  
-     </Route>  
-   <!-- need to specify always on = true --> 
-     <AlwaysOn>true</AlwaysOn> 
-   <!-- new node to specify that this is a device tunnel -->  
-    <DeviceTunnel>true</DeviceTunnel>
-   <!--new node to register client IP address in DNS to enable manage out -->
-   <RegisterDNS>true</RegisterDNS>
-   </VPNProfile>
-   ```
-1. Download **PsExec** from [Sysinternals](https://docs.microsoft.com/sysinternals/downloads/psexec) and extract the files to **C:\PSTools**.
-1. From an Admin CMD prompt, launch PowerShell by running:
-
-   ```
-   PsExec.exe Powershell for 32-bit Windows
-   PsExec64.exe Powershell for 64-bit Windows
-   ```
-
-   ![powershell](./media/vpn-gateway-howto-always-on-device-tunnel/powershell.png)
-1. In PowerShell, switch to the folder where **devicecert.ps1** and **VPNProfile.xml** are located, and run the following command:
-
-   ```powershell
-   .\devicecert.ps1 .\VPNProfile.xml MachineCertTest
-   ```
-   
-   ![MachineCertTest](./media/vpn-gateway-howto-always-on-device-tunnel/machinecerttest.png)
-1. Run **rasphone**.
-
-   ![rasphone](./media/vpn-gateway-howto-always-on-device-tunnel/rasphone.png)
-1. Look for the **MachineCertTest** entry and click **Connect**.
-
-   ![Connect](./media/vpn-gateway-howto-always-on-device-tunnel/connect.png)
-1. If the connection succeeds, reboot the computer. The tunnel will connect automatically.
-
-## Cleanup
+## To remove a profile
 
 To remove the profile, run the following command: