Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into 1678688-adding-zone-pivots-bing-video-search

Author: john-par

articles/active-directory/conditional-access/concept-conditional-access-grant.md

@@ -78,6 +78,7 @@ This setting applies to the following iOS and Android apps:
 - Microsoft Kaizala
 - Microsoft Launcher
 - Microsoft Office
+- Microsoft Office Hub
 - Microsoft OneDrive
 - Microsoft OneNote
 - Microsoft Outlook

articles/aks/TOC.yml

@@ -200,7 +200,7 @@
     items:
     - name: Create service principal
       href: kubernetes-service-principal.md
-    - name: Use managed identities (preview)
+    - name: Use managed identities
       href: use-managed-identity.md
     - name: Limit access to cluster configuration file
       href: control-kubeconfig-access.md

articles/aks/azure-disk-volume.md

@@ -26,7 +26,7 @@ You also need the Azure CLI version 2.0.59 or later installed and configured. Ru
 
 ## Create an Azure disk
 
-When you create an Azure disk for use with AKS, you can create the disk resource in the **node** resource group. This approach allows the AKS cluster to access and manage the disk resource. If you instead create the disk in a separate resource group, you must grant the Azure Kubernetes Service (AKS) service principal for your cluster the `Contributor` role to the disk's resource group.
+When you create an Azure disk for use with AKS, you can create the disk resource in the **node** resource group. This approach allows the AKS cluster to access and manage the disk resource. If you instead create the disk in a separate resource group, you must grant the Azure Kubernetes Service (AKS) service principal for your cluster the `Contributor` role to the disk's resource group. Alternatively, you can use the system assigned managed identity for permissions instead of the service principal. For more information, see [Use managed identities](use-managed-identity.md).
 
 For this article, create the disk in the node resource group. First, get the resource group name with the [az aks show][az-aks-show] command and add the `--query nodeResourceGroup` query parameter. The following example gets the node resource group for the AKS cluster name *myAKSCluster* in the resource group name *myResourceGroup*:
 

articles/aks/configure-azure-cni.md

@@ -22,6 +22,7 @@ This article shows you how to use *Azure CNI* networking to create and use a vir
 * The service principal used by the AKS cluster must have at least [Network Contributor](../role-based-access-control/built-in-roles.md#network-contributor) permissions on the subnet within your virtual network. If you wish to define a [custom role](../role-based-access-control/custom-roles.md) instead of using the built-in Network Contributor role, the following permissions are required:
   * `Microsoft.Network/virtualNetworks/subnets/join/action`
   * `Microsoft.Network/virtualNetworks/subnets/read`
+* Instead of a service principal, you can use the system assigned managed identity for permissions. For more information, see [Use managed identities](use-managed-identity.md).
 
 ## Plan IP addressing for your cluster
 

articles/aks/static-ip.md

@@ -69,6 +69,8 @@ az role assignment create \
     --scope /subscriptions/<subscription id>/resourceGroups/<resource group name>
 ```
 
+Alternatively, you can use the system assigned managed identity for permissions instead of the service principal. For more information, see [Use managed identities](use-managed-identity.md).
+
 To create a *LoadBalancer* service with the static public IP address, add the `loadBalancerIP` property and the value of the static public IP address to the YAML manifest. Create a file named `load-balancer-service.yaml` and copy in the following YAML. Provide your own public IP address created in the previous step. The following example also sets the annotation to the resource group named *myResourceGroup*. Provide your own resource group name.
 
 ```yaml

articles/aks/use-managed-identity.md

@@ -5,11 +5,11 @@ services: container-service
 author: saudas
 manager: saudas
 ms.topic: article
-ms.date: 09/11/2019
+ms.date: 03/10/2019
 ms.author: saudas
 ---
 
-# Preview - Use managed identities in Azure Kubernetes Service
+# Use managed identities in Azure Kubernetes Service
 
 Currently, an Azure Kubernetes Service (AKS) cluster (specifically, the Kubernetes cloud provider) requires a *service principal* to create additional resources like load balancers and managed disks in Azure. Either you must provide a service principal or AKS creates one on your behalf. Service principals typically have an expiration date. Clusters eventually reach a state in which the service principal must be renewed to keep the cluster working. Managing service principals adds complexity.
 
@@ -20,46 +20,13 @@ AKS creates two managed identities:
 - **System-assigned managed identity**: The identity that the Kubernetes cloud provider uses to create Azure resources on behalf of the user. The life cycle of the system-assigned identity is tied to that of the cluster. The identity is deleted when the cluster is deleted.
 - **User-assigned managed identity**: The identity that's used for authorization in the cluster. For example, the user-assigned identity is used to authorize AKS to use access control records (ACRs), or to authorize the kubelet to get metadata from Azure.
 
-In this preview period, a service principal is still required. It's used for authorization of add-ons such as monitoring, virtual nodes, Azure Policy, and HTTP application routing. Work is underway to remove the dependency of add-ons on the service principal name (SPN). Eventually, the requirement of an SPN in AKS will be removed completely.
-
-> [!IMPORTANT]
-> AKS preview features are available on a self-service, opt-in basis. Previews are provided "as-is" and "as available," and are excluded from the Service Level Agreements and limited warranty. AKS previews are partially covered by customer support on best-effort basis. As such, these features are not meant for production use. For more information, see the following support articles:
->
-> - [AKS Support Policies](support-policies.md)
-> - [Azure Support FAQ](faq.md)
+Add-ons also authenticate using a managed identity. For each add-on, a managed identity is created by AKS and lasts for the life of the add-on. For creating and using your own VNet, static IP address, or attached Azure disk where the resources are outside of the MC_* resource group, use the PrincipalID of the cluster to perform a role assignment. For more information on role assignment, see [Delegate access to other Azure resources](kubernetes-service-principal.md#delegate-access-to-other-azure-resources).
 
 ## Before you begin
 
-You must have the following resources installed:
-
-- The Azure CLI, version 2.0.70 or later
-- The aks-preview 0.4.14 extension
-
-To install the aks-preview 0.4.14 extension or later, use the following Azure CLI commands:
-
-```azurecli
-az extension add --name aks-preview
-az extension list
-```
-
-> [!CAUTION]
-> After you register a feature on a subscription, you can't currently unregister that feature. When you enable some preview features, defaults might be used for all AKS clusters created afterward in the subscription. Don't enable preview features on production subscriptions. Instead, use a separate subscription to test preview features and gather feedback.
-
-```azurecli-interactive
-az feature register --name MSIPreview --namespace Microsoft.ContainerService
-```
+You must have the following resource installed:
 
-It might take several minutes for the status to show as **Registered**. You can check the registration status by using the [az feature list](https://docs.microsoft.com/cli/azure/feature?view=azure-cli-latest#az-feature-list) command:
-
-```azurecli-interactive
-az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/MSIPreview')].{Name:name,State:properties.state}"
-```
-
-When the status shows as registered, refresh the registration of the `Microsoft.ContainerService` resource provider by using the [az provider register](https://docs.microsoft.com/cli/azure/provider?view=azure-cli-latest#az-provider-register) command:
-
-```azurecli-interactive
-az provider register --namespace Microsoft.ContainerService
-```
+- The Azure CLI, version 2.2.0 or later
 
 ## Create an AKS cluster with managed identities
 
@@ -78,6 +45,15 @@ Then, create an AKS cluster:
 az aks create -g MyResourceGroup -n MyManagedCluster --enable-managed-identity
 ```
 
+A successful cluster creation using managed identities contains this service principal profile information:
+
+```json
+"servicePrincipalProfile": {
+    "clientId": "msi",
+    "secret": null
+  }
+```
+
 Finally, get credentials to access the cluster:
 
 ```azurecli-interactive

articles/aks/use-multiple-node-pools.md

@@ -18,7 +18,7 @@ This article shows you how to create and manage multiple node pools in an AKS cl
 
 ## Before you begin
 
-You need the Azure CLI version 2.0.76 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
+You need the Azure CLI version 2.2.0 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
 
 ## Limitations
 
@@ -497,17 +497,6 @@ $ az aks nodepool list -g myResourceGroup --cluster-name myAKSCluster
 
 The taint information is visible in Kubernetes for handling scheduling rules for nodes.
 
-> [!IMPORTANT]
-> To use node pool labels and tags, you need the *aks-preview* CLI extension version 0.4.35 or higher. Install the *aks-preview* Azure CLI extension using the [az extension add][az-extension-add] command, then check for any available updates using the [az extension update][az-extension-update] command:
-> 
-> ```azurecli-interactive
-> # Install the aks-preview extension
-> az extension add --name aks-preview
-> 
-> # Update the extension to make sure you have the latest version installed
-> az extension update --name aks-preview
-> ```
-
 You can also add labels to a node pool during node pool creation. Labels set at the node pool are added to each node in the node pool. These [labels are visible in Kubernetes][kubernetes-labels] for handling scheduling rules for nodes.
 
 To create a node pool with a label, use [az aks nodepool add][az-aks-nodepool-add]. Specify the name *labelnp* and use the `--labels` parameter to specify *dept=IT* and *costcenter=9999* for labels.

articles/azure-resource-manager/management/azure-subscription-service-limits.md

@@ -1,10 +1,8 @@
 ---
 title: Azure subscription limits and quotas
 description: Provides a list of common Azure subscription and service limits, quotas, and constraints. This article includes information on how to increase limits along with maximum values.
-
-
 ms.topic: conceptual
-ms.date: 02/24/2020
+ms.date: 03/20/2020
 ---
 
 # Azure subscription and service limits, quotas, and constraints

articles/cosmos-db/TOC.yml

@@ -29,7 +29,7 @@
         href: create-sql-api-xamarin-dotnet.md
   - name: Tutorials
     items:
-    - name: 1 - Create & manage data
+    - name: 1 - Create and manage data
       items:
       - name: Build a console app
         items:
@@ -53,7 +53,7 @@
           href: mobile-apps-with-xamarin.md
     - name: 2 - Migrate data
       items:
-       - name: Using Data migration tool
+       - name: Using the Data Migration tool
          href: import-data.md
        - name: Using .NET bulk support
          href: tutorial-sql-api-dotnet-bulk-import.md
@@ -85,11 +85,11 @@
       href: resource-manager-samples.md
   - name: Concepts
     items:
-    - name: NoSQL Vs relational databases
+    - name: NoSQL vs. relational databases
       href: relational-nosql.md
     - name: Global distribution
       items:
-      - name: Global distribution Overview
+      - name: Global distribution overview
         displayName: replication, replicate, geo distribution
         href: distribute-data-globally.md
       - name: Consistency levels
@@ -582,7 +582,7 @@
           href: create-cassandra-python.md
       - name: Tutorials
         items:
-        - name: 1 - Create & manage data
+        - name: 1 - Create and manage data
           href: create-cassandra-api-account-java.md
         - name: 2 - Load data
           href: cassandra-api-load-data.md
@@ -601,15 +601,15 @@
           href: cassandra-change-feed.md
         - name: Store and manage Spring Data 
           href: https://docs.microsoft.com/azure/java/spring-framework/configure-spring-data-apache-cassandra-with-cosmos-db?context=/azure/cosmos-db/context/context
-        - name: Cassandra & Spark
+        - name: Cassandra and Spark
           items:
           - name: Introduction
             href: cassandra-spark-generic.md
           - name: Connect using Databricks
             href: cassandra-spark-databricks.md
           - name: Connect using HDInsight
             href: cassandra-spark-hdinsight.md
-          - name: Create keyspace & table
+          - name: Create keyspace and table
             href: cassandra-spark-ddl-ops.md
           - name: Insert data
             href: cassandra-spark-create-ops.md
@@ -656,7 +656,7 @@
           href: create-mongodb-golang.md
       - name: Tutorials
         items:
-        - name: 1 - Create & manage data
+        - name: 1 - Create and manage data
           items:
           - name: Node.js console app
             href: mongodb-samples.md
@@ -802,7 +802,7 @@
           href: create-table-python.md
       - name: Tutorials
         items:
-        - name: 1 - Create & manage data
+        - name: 1 - Create and manage data
           href: tutorial-develop-table-dotnet.md
         - name: 2 - Migrate data
           displayName: import
@@ -989,11 +989,11 @@
         href: use-notebook-features-and-commands.md
     - name : Server-side programming
       items:
-      - name: Write stored procedures, triggers, & UDFs
+      - name: Write stored procedures, triggers, and UDFs
         href: how-to-write-stored-procedures-triggers-udfs.md
-      - name: Write stored procedures & triggers with JavaScript query API
+      - name: Write stored procedures and triggers with JavaScript query API
         href: how-to-write-javascript-query-api.md
-      - name: Use stored procedures, triggers, & UDFs
+      - name: Use stored procedures, triggers, and UDFs
         href: how-to-use-stored-procedures-triggers-udfs.md
     - name: Security
       items:

articles/cosmos-db/stored-procedures-triggers-udfs.md

@@ -51,7 +51,7 @@ In Azure Cosmos DB, JavaScript runtime is hosted inside the database engine. Hen
 
 ### Scope of a transaction
 
-If a stored procedure is associated with an Azure Cosmos container, then the stored procedure is executed in the transaction scope of a logical partition key. Each stored procedure execution must include a logical partition key value that corresponds to the scope of the transaction. For more information, see [Azure Cosmos DB partitioning](partition-data.md) article.
+Stored procedures are associated with an Azure Cosmos container and stored procedure execution is scoped to a logical partition key. Stored procedures must include a logical partition key value during execution that defines the logical partition for the scope of the transaction. For more information, see [Azure Cosmos DB partitioning](partition-data.md) article.
 
 ### Commit and rollback