
Commit 7508911

Merge pull request #112323 from MicrosoftDocs/master
4/22 AM Publish
2 parents af1cbaa + 71b3241 commit 7508911

56 files changed

+506
-122
lines changed

articles/active-directory/devices/overview.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -52,6 +52,9 @@ To get a device in Azure AD, you have multiple options:
5252

5353
![Devices displayed in Azure AD Devices blade](./media/overview/azure-active-directory-devices-all-devices.png)
5454

55+
> [!NOTE]
56+
> A hybrid state refers to more than just the state of a device. For a hybrid state to be valid, a valid Azure AD user also is required.
57+
5558
## Device management
5659

5760
Devices in Azure AD can be managed using Mobile Device Management (MDM) tools like Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy (hybrid Azure AD join), Mobile Application Management (MAM) tools, or other third-party tools.
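Review bot: The note added at lines 56-57 uses "hybrid state" without defining it, and nothing in the surrounding context introduces the term. Name the state explicitly (the file elsewhere says "hybrid Azure AD joined") and say what "a valid Azure AD user" has to be valid for; "also is required" reads better as "is also required".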
@@ -63,6 +66,8 @@ Registering and joining devices to Azure AD gives your users Seamless Sign-on (S
6366
> [!NOTE]
6467
> Device-based Conditional Access policies require either hybrid Azure AD joined devices or compliant Azure AD joined or Azure AD registered devices.
6568
69+
The primary refresh token (PRT) contains information about the device and is required for SSO. If you have a device-based Conditional Access policy set on an application, without the PRT, access is denied. Hybrid Conditional Access policies require a hybrid state device and a valid user who is signed in.
70+
6671
Devices that are Azure AD joined or hybrid Azure AD joined benefit from SSO to your organization's on-premises resources as well as cloud resources. More information can be found in the article, [How SSO to on-premises resources works on Azure AD joined devices](azuread-join-sso.md).
6772

6873
## Device security
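Review bot: The paragraph added at line 69 introduces "Hybrid Conditional Access policies", a term the note directly above does not use; that note speaks of "Device-based Conditional Access policies" that require hybrid Azure AD joined devices. Use one term for both, and link the first mention of the primary refresh token so a reader can see where the PRT comes from before being told access is denied without it.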

articles/active-directory/saas-apps/ally-tutorial.md

Lines changed: 3 additions & 3 deletions
@@ -81,15 +81,15 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
8181
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
8282

8383
a. In the **Identifier** text box, type a URL using the following pattern:
84-
`https://app.ally.io/saml/consume/<CUSTOM_GUID>`
84+
`https://app.ally.io/saml/consume/<CUSTOM_UUID>`
8585

8686
b. In the **Reply URL** text box, type a URL using the following pattern:
87-
`https://app.ally.io/saml/consume/<CUSTOM_GUID>`
87+
`https://app.ally.io/saml/consume/<CUSTOM_UUID>`
8888

8989
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
9090

9191
In the **Sign-on URL** text box, type a URL:
92-
`https://app.ally.io/saml/consume/<CUSTOM_GUID>`
92+
`https://app.ally.io/saml/consume/<CUSTOM_UUID>`
9393

9494
> [!NOTE]
9595
> These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Ally Client support team](mailto:[email protected]) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
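Review bot: After the rename, the Identifier, Reply URL and Sign-on URL (lines 84, 87 and 92) still all carry the identical pattern `https://app.ally.io/saml/consume/<CUSTOM_UUID>`. A sign-on URL for SP-initiated mode that is the same as the Reply URL is unusual, so confirm with Ally that line 92 is intended. The lead-in for the Sign-on URL also says "type a URL:" where the other two say "type a URL using the following pattern:".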

articles/active-directory/saas-apps/mongodb-cloud-tutorial.md

Lines changed: 2 additions & 2 deletions
@@ -34,7 +34,7 @@ To learn more about software as a service (SaaS) app integration with Azure AD,
3434
To get started, you need:
3535

3636
* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
37-
* A MongoDB Cloud subscription that is enabled for single sign-on (SSO).
37+
* A MongoDB Cloud organization that is enabled for single sign-on (SSO), you can signup for a [free cluster](https://www.mongodb.com/cloud)
3838

3939
## Scenario description
4040
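Review bot: The replacement prerequisite at line 37 is a comma splice with no closing period, and "signup" is used as a verb. It also leaves unclear how a free cluster relates to an organization "enabled for single sign-on (SSO)". Suggest two sentences: "A MongoDB Cloud organization that is enabled for single sign-on (SSO). You can sign up for a [free cluster](https://www.mongodb.com/cloud)."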

@@ -146,7 +146,7 @@ In this section, you enable B.Simon to use Azure single sign-on by granting acce
146146

147147
## Configure MongoDB Cloud SSO
148148

149-
To configure single sign-on on the MongoDB Cloud side, you need the appropriate URLs copied from the Azure portal. You also need to configure the Federation Application for your MongoDB Cloud Organization. Follow the instructions in the [MongoDB Cloud documentation](https://docs.atlas.mongodb.com/security/federated-authentication/index.html). If you have a problem, contact the [MongoDB Cloud support team](https://support.mongodb.com/).
149+
To configure single sign-on on the MongoDB Cloud side, you need the appropriate URLs copied from the Azure portal. You also need to configure the Federation Application for your MongoDB Cloud Organization. Follow the instructions in the [MongoDB Cloud documentation](https://docs.atlas.mongodb.com/security/federated-auth-azure-ad/). If you have a problem, contact the [MongoDB Cloud support team](https://support.mongodb.com/).
150150

151151
### Create a MongoDB Cloud test user
152152

articles/aks/use-managed-identity.md

Lines changed: 4 additions & 1 deletion
@@ -20,7 +20,7 @@ AKS creates two managed identities:
2020
- **System-assigned managed identity**: The identity that the Kubernetes cloud provider uses to create Azure resources on behalf of the user. The life cycle of the system-assigned identity is tied to that of the cluster. The identity is deleted when the cluster is deleted.
2121
- **User-assigned managed identity**: The identity that's used for authorization in the cluster. For example, the user-assigned identity is used to authorize AKS to use Azure Container Registries (ACRs), or to authorize the kubelet to get metadata from Azure.
2222

23-
Add-ons also authenticate using a managed identity. For each add-on, a managed identity is created by AKS and lasts for the life of the add-on. For creating and using your own VNet, static IP address, or attached Azure disk where the resources are outside of the MC_* resource group, use the PrincipalID of the cluster to perform a role assignment. For more information on role assignment, see [Delegate access to other Azure resources](kubernetes-service-principal.md#delegate-access-to-other-azure-resources).
23+
Add-ons also authenticate using a managed identity. For each add-on, a managed identity is created by AKS and lasts for the life of the add-on.
2424

2525
## Before you begin
2626

@@ -54,6 +54,9 @@ A successful cluster creation using managed identities contains this service pri
5454
}
5555
```
5656

57+
> [!NOTE]
58+
> For creating and using your own VNet, static IP address, or attached Azure disk where the resources are outside of the MC_* resource group, use the PrincipalID of the cluster System Assigned Managed Identity to perform a role assignment. For more information on role assignment, see [Delegate access to other Azure resources](kubernetes-service-principal.md#delegate-access-to-other-azure-resources).
59+
5760
Finally, get credentials to access the cluster:
5861

5962
```azurecli-interactive
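Review bot: The note added at lines 57-58 writes "System Assigned Managed Identity", while the list at the top of the file uses "**System-assigned managed identity**"; match that casing and hyphenation. Because the note now sits right after the command output block, it would also help to say which field of that output holds the PrincipalID to use in the role assignment.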

articles/app-service/app-service-web-get-started-html.md

Lines changed: 4 additions & 8 deletions
@@ -38,16 +38,12 @@ git clone https://github.com/Azure-Samples/html-docs-hello-world.git
3838

3939
## Create a web app
4040

41-
Change to the directory that contains the sample code and run the `az webapp up` command.
42-
43-
In the following example, replace <app_name> with a unique app name.
41+
Change to the directory that contains the sample code and run the `az webapp up` command. In the following example, replace <app_name> with a unique app name. Static content is indicated by the `--html` flag.
4442

4543
```bash
4644
cd html-docs-hello-world
47-
```
4845

49-
```azurecli
50-
az webapp up --location westeurope --name <app_name>
46+
az webapp up --location westeurope --name <app_name> --html
5147
```
5248

5349
The `az webapp up` command does the following actions:
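Review bot: In the merged sentence at line 41, <app_name> is outside backticks, so Markdown can treat it as an HTML tag and drop it from the rendered page; put it in code formatting, as the command on line 46 does. "Static content is indicated by the `--html` flag" is also unclear about who indicates what; say that the reader passes `--html` to deploy static content.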
@@ -98,7 +94,7 @@ Save your changes and exit nano. Use the command `^O` to save and `^X` to exit.
9894

9995
You'll now redeploy the app with the same `az webapp up` command.
10096

101-
```azurecli
97+
```bash
10298
az webapp up --location westeurope --name <app_name> --html
10399
```
104100
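Review bot: The fence at line 97 changes from `azurecli` to `bash` although the block contains only an `az` command, and the same change is made at line 125. If the goal was only to merge the `cd` and `az` lines in the first block, these two fences could keep `azurecli` so that Azure CLI blocks stay tagged consistently.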

@@ -126,7 +122,7 @@ The left menu provides different pages for configuring your app.
126122

127123
In the preceding steps, you created Azure resources in a resource group. If you don't expect to need these resources in the future, delete the resource group by running the following command in the Cloud Shell. Remember that the resource group name was automatically generated for you in the [create a web app](#create-a-web-app) step.
128124

129-
```azurecli
125+
```bash
130126
az group delete --name appsvc_rg_Windows_westeurope
131127
```
132128
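Review bot: The command at line 126, `az group delete --name appsvc_rg_Windows_westeurope`, hard-codes a resource group name while the paragraph above it says the name was automatically generated. Since this change already touches the block, consider a placeholder such as `<resource-group-name>` with a pointer to where the generated name is shown, so a reader does not run a delete against the wrong group.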

articles/app-service/configure-authentication-provider-aad.md

Lines changed: 1 addition & 1 deletion
@@ -95,7 +95,7 @@ Perform the following steps:
9595
|Field|Description|
9696
|-|-|
9797
|Client ID| Use the **Application (client) ID** of the app registration. |
98-
|Issuer Url| Use `https://login.microsoftonline.com/<tenant-id>/v2.0`, and replace *\<tenant-id>* with the **Directory (tenant) ID** of the app registration. This value is used to redirect users to the correct Azure AD tenant, as well as to download the appropriate metadata to determine the appropriate token signing keys and token issuer claim value for example. The `/v2.0` section may be omitted for applications using AAD v1. |
98+
|Issuer Url| Use `<authentication-endpoint>/<tenant-id>/v2.0`, and replace *\<authentication-endpoint>* with the [authentication endpoint for your cloud environment](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints) (e.g., "https://login.microsoft.com" for global Azure), also replacing *\<tenant-id>* with the **Directory (tenant) ID** in which the app registration was created. This value is used to redirect users to the correct Azure AD tenant, as well as to download the appropriate metadata to determine the appropriate token signing keys and token issuer claim value for example. The `/v2.0` section may be omitted for applications using AAD v1. |
9999
|Client Secret (Optional)| Use the client secret you generated in the app registration.|
100100
|Allowed Token Audiences| If this is a cloud or server app and you want to allow authentication tokens from a web app, add the **Application ID URI** of the web app here. The configured **Client ID** is *always* implicitly considered to be an allowed audience. |
101101
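Review bot: The example host in the new Issuer Url row (line 98) is "https://login.microsoft.com", but the line it replaces used `https://login.microsoftonline.com`. The same row says this value is used to download metadata and determine the token signing keys and issuer claim, so the host has to be exact; confirm which one is meant for global Azure and put it in code formatting rather than plain quotes.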

articles/application-gateway/create-ssl-portal.md

Lines changed: 9 additions & 10 deletions
@@ -5,10 +5,11 @@ services: application-gateway
55
author: vhorne
66
ms.service: application-gateway
77
ms.topic: tutorial
8-
ms.date: 11/13/2019
8+
ms.date: 04/22/2019
99
ms.author: victorh
1010
#Customer intent: As an IT administrator, I want to use the Azure portal to configure Application Gateway with TLS termination so I can secure my application traffic.
1111
---
12+
1213
# Tutorial: Configure an application gateway with TLS termination using the Azure portal
1314

1415
You can use the Azure portal to configure an [application gateway](overview.md) with a certificate for TLS termination that uses virtual machines for backend servers.
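Review bot: `ms.date` at line 8 moves backwards, from 11/13/2019 to 04/22/2019. The commit is titled "4/22 AM Publish" and an update should not predate the value it replaces, so this looks like a year typo; 04/22/2020 is probably what was intended.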
@@ -51,13 +52,11 @@ Thumbprint Subject
5152
E1E81C23B3AD33F9B4D1717B20AB65DBB91AC630 CN=www.contoso.com
5253
```
5354

54-
Use [Export-PfxCertificate](https://docs.microsoft.com/powershell/module/pkiclient/export-pfxcertificate) with the Thumbprint that was returned to export a pfx file from the certificate:
55+
Use [Export-PfxCertificate](https://docs.microsoft.com/powershell/module/pkiclient/export-pfxcertificate) with the Thumbprint that was returned to export a pfx file from the certificate. Make sure your password is 4 - 12 characters long:
5556

56-
> [!NOTE]
57-
> Do not use any special characters in your .pfx file password. Only alphanumeric characters are supported.
5857

5958
```powershell
60-
$pwd = ConvertTo-SecureString -String "Azure123456" -Force -AsPlainText
59+
$pwd = ConvertTo-SecureString -String <your password> -Force -AsPlainText
6160
Export-PfxCertificate `
6261
-cert cert:\localMachine\my\E1E81C23B3AD33F9B4D1717B20AB65DBB91AC630 `
6362
-FilePath c:\appgwcert.pfx `
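Review bot: At line 59 the placeholder in `-String <your password>` is unquoted, where the removed line had a quoted string; PowerShell will try to parse an unquoted value that contains spaces or symbols, so write `-String "<your password>"`. The hunk also deletes the note that only alphanumeric characters are supported without saying whether that restriction still applies, and "4 - 12 characters" at line 55 would be clearer as "4 to 12 characters".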
@@ -145,7 +144,7 @@ On the **Configuration** tab, you'll connect the frontend and backend pool you c
145144

146145
- **PFX certificate file** - Browse to and select the c:\appgwcert.pfx file that you create earlier.
147146
- **Certificate name** - Type *mycert1* for the name of the certificate.
148-
- **Password** - Type *Azure123456* for the password.
147+
- **Password** - Type your password.
149148

150149
Accept the default values for the other settings on the **Listener** tab, then select the **Backend targets** tab to configure the rest of the routing rule.
151150
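Review bot: "Type your password" at line 147 does not say which password. The removed value matched the one used for the .pfx export earlier in the tutorial, so say so, for example "Type the password you used when you exported the .pfx file". The context line above also has "that you create earlier", which should be "created".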

@@ -189,10 +188,10 @@ To do this, you'll:
189188
- **Resource group**: Select **myResourceGroupAG** for the resource group name.
190189
- **Virtual machine name**: Enter *myVM* for the name of the virtual machine.
191190
- **Username**: Enter *azureuser* for the administrator user name.
192-
- **Password**: Enter *Azure123456* for the administrator password.
193-
4. Accept the other defaults and then select **Next: Disks**.
194-
5. Accept the **Disks** tab defaults and then select **Next: Networking**.
195-
6. On the **Networking** tab, verify that **myVNet** is selected for the **Virtual network** and the **Subnet** is set to **myBackendSubnet**. Accept the other defaults and then select **Next: Management**.
191+
- **Password**: Enter a password for the administrator account.
192+
1. Accept the other defaults and then select **Next: Disks**.
193+
2. Accept the **Disks** tab defaults and then select **Next: Networking**.
194+
3. On the **Networking** tab, verify that **myVNet** is selected for the **Virtual network** and the **Subnet** is set to **myBackendSubnet**. Accept the other defaults and then select **Next: Management**.
196195

197196
Application Gateway can communicate with instances outside of the virtual network that it is in, but you need to ensure there's IP connectivity.
198197
1. On the **Management** tab, set **Boot diagnostics** to **Off**. Accept the other defaults and then select **Review + create**.
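Review bot: Lines 192-194 renumber the steps from 4/5/6 to 1/2/3, while the next step in the context (line 197) starts again at "1.". Mixing explicit 2. and 3. with a repeated "1." leaves the rendered numbering dependent on how the renderer treats the bullets and the paragraph in between; use "1." for every step or keep one explicit sequence throughout.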

articles/azure-monitor/insights/solution-office-365.md

Lines changed: 4 additions & 5 deletions
@@ -13,7 +13,6 @@ ms.date: 03/30/2020
1313

1414
![Office 365 logo](media/solution-office-365/icon.png)
1515

16-
1716
> [!IMPORTANT]
1817
> ## Solution update
1918
> This solution has been replaced by the [Office 365](../../sentinel/connect-office-365.md) General Availability solution in [Azure Sentinel](../../sentinel/overview.md) and the [Azure AD reporting and monitoring solution](../../active-directory/reports-monitoring/plan-monitoring-and-reporting.md). Together they provide an updated version of the previous Azure Monitor Office 365 solution with an improved configuration experience. You can continue to use the existing solution until July 30, 2020.
@@ -32,8 +31,8 @@ ms.date: 03/30/2020
3231
>
3332
> ## Frequently asked questions
3433
>
35-
> ### Q: Is it possible to on-board the Office 365 Azure Monitor solution between now and April 30th?
36-
> No, the Azure Monitor Office 365 solution onboarding scripts are no longer available. The solution will be removed on April 30th.
34+
> ### Q: Is it possible to on-board the Office 365 Azure Monitor solution between now and July 30th?
35+
> No, the Azure Monitor Office 365 solution onboarding scripts are no longer available. The solution will be removed on July 30th.
3736
>
3837
> ### Q: Will the tables and schemas be changed?
3938
> The **OfficeActivity** table name and schema will remain the same as in the current solution. You can continue using the same queries in the new solution excluding queries that reference Azure AD data.
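Review bot: The updated FAQ text at lines 34-35 gives the date as "July 30th" with no year, while the Solution update paragraph earlier in the file says "July 30, 2020". Add the year and use one date format; "between now and July 30th" becomes ambiguous once the date has passed.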
@@ -99,11 +98,11 @@ ms.date: 03/30/2020
9998
> ### Q: Does Azure Sentinel provide additional connectors as part of the solution?
10099
> Yes, see [Azure Sentinel connect data sources](../../sentinel/connect-data-sources.md).
101100
>
102-
> ### Q: What will happen on April 30? Do I need to offboard beforehand?
101+
> ### Q: What will happen on July 30? Do I need to offboard beforehand?
103102
>
104103
> - You won't be able to receive data from the **Office365** solution. The solution will no longer be available in the Marketplace
105104
> - For Azure Sentinel customers, the Log Analytics workspace solution **Office365** will be included in the Azure Sentinel **SecurityInsights** solution.
106-
> - If you don't offboard your solution manually, your data will be disconnected automatically on April 30.
105+
> - If you don't offboard your solution manually, your data will be disconnected automatically on July 30.
107106
>
108107
> ### Q: Will my data transfer to the new solution?
109108
> Yes. When you remove the **Office 365** solution from your workspace, its data will become temporarily unavailable because the schema is removed. When you enable the new **Office 365** connector in Sentinel, the schema is restored to the workspace and any data already collected will become available.
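Review bot: The heading at line 101 asks "Do I need to offboard beforehand?", but the bullets never answer it directly; only the last bullet (line 105) implies the answer. Open the answer with an explicit yes or no, and close the first bullet ("... will no longer be available in the Marketplace") with a period.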

articles/backup/backup-azure-delete-vault.md

Lines changed: 2 additions & 2 deletions
@@ -1,12 +1,12 @@
11
---
22
title: Delete a Microsoft Azure Recovery Services vault
3-
description: In this article, learn how to remove dependencies and then delete a Microsoft Azure Backup Recovery Services (MARS) vault.
3+
description: In this article, learn how to remove dependencies and then delete an Azure Backup Recovery Services vault.
44
ms.topic: conceptual
55
ms.date: 09/20/2019
66
---
77
# Delete an Azure Backup Recovery Services vault
88

9-
This article describes how to delete a Microsoft [Azure Backup](backup-overview.md) Recovery Services (MARS) vault. It contains instructions for removing dependencies and then deleting a vault.
9+
This article describes how to delete an [Azure Backup](backup-overview.md) Recovery Services vault. It contains instructions for removing dependencies and then deleting a vault.
1010

1111
## Before you start
1212
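Review bot: With "(MARS)" removed from the description (line 3) and the intro (line 9), the `title` at line 2 is now the odd one out: it says "Microsoft Azure Recovery Services vault" while the description and the H1 say "Azure Backup Recovery Services vault". Align the title, and update `ms.date` (still 09/20/2019) since the content changed.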

articles/backup/backup-azure-manage-mars.md

Lines changed: 3 additions & 4 deletions
@@ -73,8 +73,8 @@ You can add exclusion rules to skip files and folders that you don't want to be
7373

7474
![Select the items](./media/backup-azure-manage-mars/select-items-remove.png)
7575

76-
> [!NOTE]
77-
> Proceed with caution when you completely remove a volume from the policy. If you need to add it again, then it will be treated as a new volume. The next scheduled backup will perform an Initial Backup (full backup) instead of Incremental Backup. If you need to temporarily remove and add items later, then it is recommended to use **Exclusions Settings** instead of **Remove Items** to ensure incremental backup instead of full backup.
76+
> [!NOTE]
77+
> Proceed with caution when you completely remove a volume from the policy. If you need to add it again, then it will be treated as a new volume. The next scheduled backup will perform an Initial Backup (full backup) instead of Incremental Backup. If you need to temporarily remove and add items later, then it is recommended to use **Exclusions Settings** instead of **Remove Items** to ensure incremental backup instead of full backup.
7878
7979
2. Complete the subsequent steps and click **Finish** to complete the operation.
8080

@@ -84,7 +84,7 @@ There are two ways to stop protecting Files and Folders backup:
8484

8585
- **Stop protection and retain backup data**.
8686
- This option will stop all future backup jobs from protection.
87-
- Azure Backup service will retain all existing recovery points indefinitely. Recovery points will not be checked for expiration until protection is resumed.
87+
- Azure Backup service will continue to retain all the existing recovery points.
8888
- You'll be able to restore the backed-up data for unexpired recovery points.
8989
- If you decide to resume protection, then you can use the *Re-enable backup schedule* option. After that, data would be retained based on the new retention policy.
9090
- **Stop protection and delete backup data**.
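Review bot: The rewritten bullet at line 87 drops "indefinitely" and the sentence about expiration checks, but the next bullet still refers to "unexpired recovery points". A reader can no longer tell whether recovery points expire while protection is stopped, which matters for retention planning; state the retention behavior explicitly in line 87 or reword line 88 to match.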
@@ -162,7 +162,6 @@ A passphrase is used to encrypt and decrypt data while backing up or restoring y
162162
![Generate passphrase.](./media/backup-azure-manage-mars/passphrase2.png)
163163
- Ensure that the passphrase is securely saved in an alternate location (other than the source machine), preferably in the Azure Key Vault. Keep track of all the passphrases if you have multiple machines being backed up with the MARS agents.
164164

165-
166165
## Next steps
167166

168167
- For information about supported scenarios and limitations, refer to the [Support Matrix for the MARS Agent](https://docs.microsoft.com/azure/backup/backup-support-matrix-mars-agent).
