MicrosoftDocs
diff --git a/‎articles/active-directory/develop/v2-oauth-ropc.md
Lines changed: 5 additions & 2 deletions b/‎articles/active-directory/develop/v2-oauth-ropc.md
Lines changed: 5 additions & 2 deletions
diff --git a/‎articles/active-directory/manage-apps/use-scim-to-provision-users-and-groups.md
Lines changed: 18 additions & 0 deletions b/‎articles/active-directory/manage-apps/use-scim-to-provision-users-and-groups.md
Lines changed: 18 additions & 0 deletions
diff --git a/‎articles/aks/includes/servicemesh/linkerd/install-client-binary-macos.md
Lines changed: 2 additions & 2 deletions b/‎articles/aks/includes/servicemesh/linkerd/install-client-binary-macos.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/azure-monitor/insights/container-insights-alerts.md
Lines changed: 1 addition & 1 deletion b/‎articles/azure-monitor/insights/container-insights-alerts.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/azure-monitor/insights/container-insights-azure-redhat-setup.md
Lines changed: 203 additions & 0 deletions b/‎articles/azure-monitor/insights/container-insights-azure-redhat-setup.md
Lines changed: 203 additions & 0 deletions
@@ -20,9 +20,12 @@ ms.custom: aaddev
 ms.collection: M365-identity-device-management
 ---
 
-# Microsoft identity platform and the OAuth 2.0 resource owner password credential
+# Microsoft identity platform and the OAuth 2.0 Resource Owner Password Credentials
 
-Microsoft identity platform supports the [resource owner password credential (ROPC) grant](https://tools.ietf.org/html/rfc6749#section-4.3), which allows an application to sign in the user by directly handling their password. The ROPC flow requires a high degree of trust and user exposure and you should only use this flow when other, more secure, flows can't be used.
+Microsoft identity platform supports the [OAuth 2.0 Resource Owner Password Credentials (ROPC) grant](https://tools.ietf.org/html/rfc6749#section-4.3), which allows an application to sign in the user by directly handling their password.
+
+> [!WARNING]
+> Microsoft recommends you do _not_ use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.
 
 > [!IMPORTANT]
 >
 
@@ -1308,6 +1308,24 @@ Once the initial cycle has started, you can select **Provisioning logs** in the
 
 If you're building an application that will be used by more than one tenant, you can make it available in the Azure AD application gallery. This will make it easy for organizations to discover the application and configure provisioning. Publishing your app in the Azure AD gallery and making provisioning available to others is easy. Check out the steps [here](https://docs.microsoft.com/azure/active-directory/develop/howto-app-gallery-listing). Microsoft will work with you to integrate your application into our gallery, test your endpoint, and release onboarding [documentation](https://docs.microsoft.com/azure/active-directory/saas-apps/tutorial-list) for customers to use. 
 
+
+### Authorization for provisioning connectors in the application gallery
+The SCIM spec does not define a SCIM-specific scheme for authentication and authorization. It relies on the use of existing industry standards. The Azure AD provisioning client supports two authorization methods for applications in the gallery. 
+
+**OAuth authorization code grant flow:** The provisioning service supports the [authorization code grant](https://tools.ietf.org/html/rfc6749#page-24). After submitting your request for publishing your app in the gallery, our team will work with you to collect the following information:
+*  Authorization URL: A URL by the client to obtain authorization from the resource owner via user-agent redirection. The user is redirected to this URL to authorize access. 
+*  Token exchange URL: A URL by the client to exchange an authorization grant for an access token, typically with client authentication.
+*  Client ID: The authorization server issues the registered client a client identifier, which is a unique string representing the registration information provided by the client.  The client identifier is not a secret; it is exposed to the resource owner and **must not** be used alone for client authentication.  
+*  Client secret: The client secret is a secret generated by the authorization server. It should be a unique value known only to the authorization server. 
+
+Best practices (recommended but not required):
+* Support multiple redirect URLs. Administrators can configure provisioning from both "portal.azure.com" and "aad.portal.azure.com". Supporting multiple redirect URLs will ensure that users can authorize access from either portal.
+* Support multiple secrets to ensure smooth secret renewal, without downtime. 
+
+**Long lived OAuth bearer tokens:** If your application does not support the OAuth authorization code grant flow, you can also generate a long lived OAuth bearer token than that an administrator can use to setup the provisioning integration. The token should be perpetual, or else the provisioning job will be [quarantined](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status) when the token expires. This token must be below 1KB in size.  
+
+For additional authentication and authorization methods, let us know on [UserVoice](https://aka.ms/appprovisioningfeaturerequest).
+
 ### Allow IP addresses used by the Azure AD provisioning service to make SCIM requests
 
 Certain apps allow inbound traffic to their app. In order for the Azure AD provisioning service to function as expected, the IP addresses used must be allowed. For a list of IP addresses for each service tag/region, see the JSON file - [Azure IP Ranges and Service Tags – Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). You can download and program these IPs into your firewall as needed. The reserved IP ranges for Azure AD provisioning can be found under "AzureActiveDirectoryDomainServices."
 
@@ -20,7 +20,7 @@ curl -sLO "https://github.com/linkerd/linkerd2/releases/download/$LINKERD_VERSIO
 The `linkerd` client binary runs on your client machine and allows you to interact with the Linkerd service mesh. Use the following commands to install the Linkerd `linkerd` client binary in a bash-based shell on MacOS. These commands copy the `linkerd` client binary to the standard user program location in your `PATH`.
 
 ```bash
-sudo cp ./linkerd2-cli-$LINKERD_VERSION-linux /usr/local/bin/linkerd
+sudo cp ./linkerd2-cli-$LINKERD_VERSION-darwin /usr/local/bin/linkerd
 sudo chmod +x /usr/local/bin/linkerd
 ```
 
@@ -34,4 +34,4 @@ source ~/completions/linkerd.bash
 # Source the bash completion file in your .bashrc so that the command-line completions
 # are permanently available in your shell
 echo "source ~/completions/linkerd.bash" >> ~/.bashrc
-```
+```
@@ -304,4 +304,4 @@ Follow these steps to create a log alert in Azure Monitor by using one of the lo
 ## Next steps
 
 - View [log query examples](container-insights-log-search.md#search-logs-to-analyze-data) to see pre-defined queries and examples to evaluate or customize for alerting, visualizing, or analyzing your clusters.
-- To learn more about Azure Monitor and how to monitor other aspects of your AKS cluster, see [View Azure Kubernetes Service health](container-insights-analyze.md).
+- To learn more about Azure Monitor and how to monitor other aspects of your Kubernetes cluster, see [View Kubernetes cluster performance](container-insights-analyze.md) and [View Kubernetes cluster health](container-insights-health.md).
@@ -0,0 +1,203 @@
+---
+title: Configure Azure Red Hat OpenShift clusters with Azure Monitor for containers | Microsoft Docs
+description: This article describes how you can configure Azure Monitor for containers to monitor Kubernetes clusters hosted on Azure Red Hat OpenShift.
+ms.service:  azure-monitor
+ms.subservice: 
+ms.topic: conceptual
+author: mgoedtel
+ms.author: magoedte
+ms.date: 11/18/2019
+---
+
+# Configure Azure Red Hat OpenShift clusters with Azure Monitor for containers
+
+Azure Monitor for containers provides rich monitoring experience for the Azure Kubernetes Service (AKS) and AKS Engine clusters. This article describes how to enable monitoring of Kubernetes clusters hosted on [Azure Red Hat OpenShift](../../openshift/intro-openshift.md) to achieve a similar monitoring experience.
+
+Azure Monitor for containers can be enabled for new, or one or more existing deployments of Azure Red Hat OpenShift using the following supported methods:
+
+- For an existing cluster from the Azure portal or using Azure Resource Manager template
+- For a new cluster using Azure Resource Manager template 
+
+## Supported and unsupported features
+
+Azure Monitor for containers supports monitoring Azure Red Hat OpenShift as described in the [Overview](container-insights-overview.md) article, except for the following features:
+
+- Live data
+- Prometheus metrics scraping
+- Collecting metrics
+- Health feature
+
+## Prerequisites
+
+- To enable and access the features in Azure Monitor for containers, at a minimum you need to be a member of the Azure *Contributor* role in the Azure subscription, and a member of the [*Log Analytics Contributor*](../platform/manage-access.md#manage-access-using-azure-permissions) role of the Log Analytics workspace configured with Azure Monitor for containers.
+
+- To view the monitoring data, you are a member of the [*Log Analytics reader*](../platform/manage-access.md#manage-access-using-azure-permissions) role permission with the Log Analytics workspace configured with Azure Monitor for containers.
+
+## Enable for a new cluster using an Azure Resource Manager template
+
+Perform the following steps to deploy an Azure Red Hat OpenShift cluster with monitoring enabled. Before proceeding, review the tutorial [Create an Azure Red Hat OpenShift cluster](../../openshift/tutorial-create-cluster.md#prerequisites) to understand the dependencies that you need to configure so your environment is set up correctly.
+
+This method includes two JSON templates. One template specifies the configuration to deploy the cluster with monitoring enabled, and the other contains parameter values that you configure to specify the following:
+
+- The Azure Red Hat OpenShift cluster resource ID. 
+
+- The resource group the cluster is deployed in.
+
+- [Azure Active Directory tenant ID](../../openshift/howto-create-tenant.md#create-a-new-azure-ad-tenant) noted after performing the steps to create one or one already created.
+
+- [Azure Active Directory client application ID](../../openshift/howto-aad-app-configuration.md#create-an-azure-ad-app-registration) noted after performing the steps to create one or one already created.
+
+- [Azure Active Directory Client secret](../../openshift/howto-aad-app-configuration.md#create-a-client-secret) noted after performing the steps to create one or one already created.
+
+- [Azure AD security group](../../openshift/howto-aad-app-configuration.md#create-an-azure-ad-security-group) noted after performing the steps to create one or one already created.
+
+- Resource ID of an existing Log Analytics workspace.
+
+- The number of master nodes to create in the cluster.
+
+- The number of compute nodes in the agent pool profile.
+
+- The number of infrastructure nodes in the agent pool profile. 
+
+If you are unfamiliar with the concept of deploying resources by using a template, see:
+
+- [Deploy resources with Resource Manager templates and Azure PowerShell](../../azure-resource-manager/resource-group-template-deploy.md)
+
+- [Deploy resources with Resource Manager templates and the Azure CLI](../../azure-resource-manager/resource-group-template-deploy-cli.md)
+
+If you choose to use the Azure CLI, you first need to install and use the CLI locally. You must be running the Azure CLI version 2.0.65 or later. To identify your version, run `az --version`. If you need to install or upgrade the Azure CLI, see [Install the Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli). 
+
+The Log Analytics workspace has to be created before you enable monitoring using Azure PowerShell or CLI. To create the workspace, you can set it up through [Azure Resource Manager](../../azure-monitor/platform/template-workspace-configuration.md), through [PowerShell](../scripts/powershell-sample-create-workspace.md?toc=%2fpowershell%2fmodule%2ftoc.json), or in the [Azure portal](../../azure-monitor/learn/quick-create-workspace.md).
+
+1. Download and save to a local folder, the Azure Resource Manager template and parameter file, to create a cluster with the monitoring add-on using the following commands:
+
+    `curl -LO https://raw.githubusercontent.com/microsoft/OMS-docker/ci_feature/docs/aro/enable_monitoring_to_new_cluster/newClusterWithMonitoring.json`
+
+    `curl -LO https://raw.githubusercontent.com/microsoft/OMS-docker/ci_feature/docs/aro/enable_monitoring_to_new_cluster/newClusterWithMonitoringParam.json` 
+
+2. Sign in to Azure 
+
+    ```azurecli
+    az login    
+    ```
+    
+    If you have access to multiple subscriptions, run `az account set -s {subscription ID}` replacing `{subscription ID}` with the subscription you want to use.
+ 
+3. Create a resource group for your cluster if you don't already have one. For a list of Azure regions that supports OpenShift on Azure, see [Supported Regions](../../openshift/supported-resources.md#azure-regions). 
+
+    ```azurecli
+    az group create -g <clusterResourceGroup> -l <location> 
+    ```
+
+4. Edit the JSON parameter file **newClusterWithMonitoringParam.json** and update the following values:
+
+    - *location*
+    - *clusterName*
+    - *aadTenantId*
+    - *aadClientId*
+    - *aadClientSecret* 
+    - *aadCustomerAdminGroupId* 
+    - *workspaceResourceId*
+    - *masterNodeCount*
+    - *computeNodeCount*
+    - *infraNodeCount*
+
+5. The following step deploys the cluster with monitoring enabled by using the Azure CLI. 
+
+    ```azurecli
+    az group deployment create --resource-group <ClusterResourceGroupName> --template-file ./newClusterWithMonitoring.json --parameters @./newClusterWithMonitoringParam.json 
+    ```
+ 
+    The output resembles the following:
+
+    ```azurecli
+    provisioningState       : Succeeded
+    ```
+
+## Enable for an existing cluster
+
+Perform the following steps to enable monitoring of an Azure Red Hat OpenShift cluster deployed in Azure. You can accomplish this from the Azure portal or using the provided templates.
+
+### From the Azure portal
+ 
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+2. On the Azure portal menu or from the Home page, select **Azure Monitor**. Under the **Insights** section, select **Containers**. 
+
+3. On the **Monitor - containers** page, select **Non-monitored clusters**.
+
+4. From the list of non-monitored clusters, find the cluster in the list and click **Enable**. You can identify the results in the list by looking for the value **ARO** under the column **CLUSTER TYPE**.
+
+5. On the **Onboarding to Azure Monitor for containers** page, if you have an existing Log Analytics workspace in the same subscription as the cluster, select it from the drop-down list.  
+    The list preselects the default workspace and location that the cluster is deployed to in the subscription. 
+
+    ![Enable monitoring for non-monitored clusters](./media/container-insights-onboard/kubernetes-onboard-brownfield-01.png)
+
+    >[!NOTE]
+    >If you want to create a new Log Analytics workspace for storing the monitoring data from the cluster, follow the instructions in [Create a Log Analytics workspace](../../azure-monitor/learn/quick-create-workspace.md). Be sure to create the workspace in the same subscription that the RedHat OpenShift cluster is deployed to. 
+ 
+After you've enabled monitoring, it might take about 15 minutes before you can view health metrics for the cluster. 
+
+### Enable using an Azure Resource Manager template
+
+This method includes two JSON templates. One template specifies the configuration to enable monitoring, and the other contains parameter values that you configure to specify the following:
+
+- The Azure RedHat OpenShift cluster resource ID. 
+
+- The resource group the cluster is deployed in.
+
+- A Log Analytics workspace.
+
+If you are unfamiliar with the concept of deploying resources by using a template, see:
+
+- [Deploy resources with Resource Manager templates and Azure PowerShell](../../azure-resource-manager/resource-group-template-deploy.md)
+
+- [Deploy resources with Resource Manager templates and the Azure CLI](../../azure-resource-manager/resource-group-template-deploy-cli.md)
+
+If you choose to use the Azure CLI, you first need to install and use the CLI locally. You must be running the Azure CLI version 2.0.65 or later. To identify your version, run `az --version`. If you need to install or upgrade the Azure CLI, see [Install the Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli). 
+
+The Log Analytics workspace has to be created before you enable monitoring using Azure PowerShell or CLI. To create the workspace, you can set it up through [Azure Resource Manager](../../azure-monitor/platform/template-workspace-configuration.md), through [PowerShell](../scripts/powershell-sample-create-workspace.md?toc=%2fpowershell%2fmodule%2ftoc.json), or in the [Azure portal](../../azure-monitor/learn/quick-create-workspace.md).
+
+1. Download the template and parameter file to update your cluster with the monitoring add-on using the following commands:
+
+    `curl -LO https://raw.githubusercontent.com/microsoft/OMS-docker/ci_feature/docs/aro/enable_monitoring_to_existing_cluster/existingClusterOnboarding.json`
+
+    `curl -LO https://raw.githubusercontent.com/microsoft/OMS-docker/ci_feature/docs/aro/enable_monitoring_to_existing_cluster/existingClusterParam.json` 
+
+2. Sign in to Azure 
+
+    ```azurecli
+    az login    
+    ```
+
+    If you have access to multiple subscriptions, run `az account set -s {subscription ID}` replacing `{subscription ID}` with the subscription you want to use.
+
+3. Specify the subscription of the Azure RedHat OpenShift cluster.
+
+    ```azurecli
+    az account set --subscription "Subscription Name"  
+    ```
+
+4. Run the following command to identify the cluster location and resource ID:
+
+    ```azurecli
+    az openshift show -g <clusterResourceGroup> -n <clusterName> 
+    ```
+
+5. Edit the JSON parameter file **existingClusterParam.json** and update the values *araResourceId* and *araResoruceLocation*. The value for **workspaceResourceId** is the full resource ID of your Log Analytics workspace, which includes the workspace name. 
+
+6. To deploy with Azure CLI, run the following commands: 
+
+    ```azurecli
+    az group deployment create --resource-group <ClusterResourceGroupName> --template-file ./ExistingClusterOnboarding.json --parameters @./existingClusterParam.json 
+    ```
+
+    The output resembles the following:
+
+    ```azurecli
+    provisioningState       : Succeeded
+    ```
+
+## Next steps
+
+With monitoring enabled to collect health and resource utilization of your RedHat OpenShift cluster and workloads running on them, learn [how to use](container-insights-analyze.md) Azure Monitor for containers.