Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr into sec-hub-page

Author: TerryLanfear

articles/governance/blueprints/how-to/configure-for-blueprint-operator.md

@@ -0,0 +1,61 @@
+---
+title: Configure your environment for a Blueprint Operator
+description: Learn how to configure your Azure environment for use with the Blueprint Operator built-in role-based access control (RBAC) role.
+author: DCtheGeek
+ms.author: dacoulte
+ms.date: 08/26/2019
+ms.topic: conceptual
+ms.service: blueprints
+manager: carmonm
+---
+# Configure your environment for a Blueprint Operator
+
+The management of your blueprint definitions and blueprint assignments can be assigned to different
+teams. It's common for an architect or governance team to be responsible for the lifecycle
+management of your blueprint definitions while an operations team is responsible for managing
+assignments of those centrally controlled blueprint definitions.
+
+The **Blueprint Operator** built-in role-based access control (RBAC) is designed specifically for
+use in this type of scenario. The role allows for operations type teams to manage the assignment of
+the organizations blueprint definitions, but not the ability to modify them. Doing so requires some
+configuration in your Azure environment and this article explains the necessary steps.
+
+## Grant permission to the Blueprint Operator
+
+The first step is to grant the **Blueprint Operator** role to the account or security group
+(recommended) that is going to be assigning blueprints. This action should be done at the highest
+level in the management group hierarchy that encompasses all of the management groups and
+subscriptions the operations team should have blueprint assignment access to. It's recommended to
+follow the principle of least privilege when granting these permissions.
+
+1. (Recommended) [Create a security group and add members](../../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md)
+
+1. [Add a role assignment](../../../role-based-access-control/role-assignments-portal.md#add-a-role-assignment)
+   of **Blueprint Operator** to the account or security group
+
+## User-assign managed identity
+
+A blueprint definition can use either system-assigned or user-assigned managed identities. However,
+when using the **Blueprint Operator** role, the blueprint definition needs to be configured to use a
+user-assigned managed identity. Additionally, the account or security group being granted the
+**Blueprint Operator** role needs to be granted the **Managed Identity Operator** role on the
+user-assigned managed identity. Without this permission, blueprint assignments fail because of lack
+of permissions.
+
+1. [Create a user-assigned managed identity](../../../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md#create-a-user-assigned-managed-identity)
+   for use by an assigned blueprint
+
+1. [Add a role assignment](../../../role-based-access-control/role-assignments-portal.md#add-a-role-assignment)
+   of **Managed Identity Operator** to the account or security group. Scope the role assignment to
+   the new user-assigned managed identity.
+
+1. As the **Blueprint Operator**, [assign a blueprint](../create-blueprint-portal.md#assign-a-blueprint)
+   that uses the new user-assigned managed identity.
+
+## Next steps
+
+- Learn about the [blueprint life-cycle](../concepts/lifecycle.md).
+- Understand how to use [static and dynamic parameters](../concepts/parameters.md).
+- Learn to customize the [blueprint sequencing order](../concepts/sequencing-order.md).
+- Find out how to make use of [blueprint resource locking](../concepts/resource-locking.md).
+- Resolve issues during the assignment of a blueprint with [general troubleshooting](../troubleshoot/general.md).

articles/governance/blueprints/overview.md

@@ -3,7 +3,7 @@ title: Overview of Azure Blueprints
 description: Understand how the Azure Blueprints service enables you to create, define, and deploy artifacts in your Azure environment.
 author: DCtheGeek
 ms.author: dacoulte
-ms.date: 02/08/2019
+ms.date: 08/26/2019
 ms.topic: overview
 ms.service: blueprints
 manager: carmonm
@@ -151,9 +151,16 @@ To assign or unassign a blueprint, your account needs the following permissions:
 > As blueprint assignments are created on a subscription, the blueprint assign and unassign
 > permissions must be granted on a subscription scope or be inherited onto a subscription scope.
 
-All of the above permissions are included in the **Owner** role. The **Contributor** role has
-create blueprint and delete blueprint permissions, but does not have blueprint assignment
-permissions. If these built-in roles don't fit your security needs, consider creating a [custom
+The following built-in roles are available:
+
+|RBAC Role | Description |
+|-|-|
+|[Owner](../../role-based-access-control/built-in-roles.md#owner) | In addition to other permissions, includes all Azure Blueprint related permissions. |
+|[Contributor](../../role-based-access-control/built-in-roles.md#contributor) | In addition to other permissions, can create and delete blueprint definitions, but doesn't have blueprint assignment permissions. |
+|Blueprint Contributor | Can manage blueprint definitions, but not assign them. |
+|Blueprint Operator | Can assign existing published blueprints, but can't create new blueprint definitions. Blueprint assignment only works if the assignment is done with a user-assigned managed identity. |
+
+If these built-in roles don't fit your security needs, consider creating a [custom
 role](../../role-based-access-control/custom-roles.md).
 
 > [!NOTE]
@@ -166,7 +173,7 @@ role](../../role-based-access-control/custom-roles.md).
 
 ## Naming limits
 
-The following is a list of limitations that exist for certain fields:
+The following limitations exist for certain fields:
 
 |Object|Field|Allowed Characters|Max. Length|
 |-|-|-|-|
@@ -185,4 +192,4 @@ visit [Azure Fridays - An overview of Azure Blueprints](https://channel9.msdn.co
 ## Next steps
 
 - [Create a blueprint - Portal](create-blueprint-portal.md)
-- [Create a blueprint - REST API](create-blueprint-rest-api.md)
+- [Create a blueprint - REST API](create-blueprint-rest-api.md)

articles/governance/blueprints/toc.yml

@@ -156,6 +156,9 @@
   - name: Update existing assignments from the portal
     displayName: lock, errors
     href: ./how-to/update-existing-assignments.md
+  - name: Configure your environment for a Blueprint Operator
+    displayName: rbac, user-assigned, managed, identity, management group
+    href: ./how-to/configure-for-blueprint-operator.md
   - name: Manage Blueprints as Code (community)
     href: https://github.com/Azure/azure-blueprints/blob/master/README.md
 - name: Troubleshoot

articles/iot-hub/iot-hub-c-c-module-twin-getstarted.md

@@ -26,7 +26,7 @@ At the end of this tutorial, you have two C apps:
 > [!NOTE]
 > For information about the Azure IoT SDKs that you can use to build both applications to run on devices, and your solution backend, see [Azure IoT SDKs](iot-hub-devguide-sdks.md).
 
-To complete this tutorial, you need the following:
+## Prerequisites
 
 * An active Azure account. (If you don't have an account, you can create an [Azure free account](https://azure.microsoft.com/pricing/free-trial/) in just a couple of minutes.)
 

articles/iot-hub/iot-hub-csharp-csharp-c2d.md

@@ -15,8 +15,6 @@ ms.author: robinsh
 
 [!INCLUDE [iot-hub-selector-c2d](../../includes/iot-hub-selector-c2d.md)]
 
-## Introduction
-
 Azure IoT Hub is a fully managed service that helps enable reliable and secure bi-directional communications between millions of devices and a solution back end. The [Send telemetry from a device to an IoT hub](quickstart-send-telemetry-dotnet.md) quickstart shows how to create an IoT hub, provision a device identity in it, and code a device app that sends device-to-cloud messages.
 
 [!INCLUDE [iot-hub-basic](../../includes/iot-hub-basic-whole.md)]
@@ -41,7 +39,7 @@ At the end of this tutorial, you run two .NET console apps.
 > IoT Hub has SDK support for many device platforms and languages, including C, Java, Python, and Javascript, through [Azure IoT device SDKs](iot-hub-devguide-sdks.md). For step-by-step instructions on how to connect your device to this tutorial's code, and generally to Azure IoT Hub, see the [IoT Hub developer guide](iot-hub-devguide.md).
 >
 
-To complete this tutorial, you need the following prerequisites:
+## Prerequisites
 
 * Visual Studio
 

articles/iot-hub/iot-hub-csharp-csharp-device-management-get-started.md

@@ -31,8 +31,6 @@ At the end of this tutorial, you have two .NET console apps:
 
 ## Prerequisites
 
-To complete this tutorial, you need:
-
 * Visual Studio.
 
 * An active Azure account. If you don't have an account, you can create a [free account](https://azure.microsoft.com/pricing/free-trial/) in just a couple of minutes.

articles/iot-hub/iot-hub-csharp-csharp-file-upload.md

@@ -42,7 +42,7 @@ At the end of this tutorial you run two .NET console apps:
 > [!NOTE]
 > IoT Hub supports many device platforms and languages, including C, Java, Python, and Javascript, through Azure IoT device SDKs. Refer to the [Azure IoT Developer Center](https://azure.microsoft.com/develop/iot) for step-by-step instructions on how to connect your device to Azure IoT Hub.
 
-To complete this tutorial, you need the following prerequisites:
+## Prerequisites
 
 * Visual Studio
 

articles/iot-hub/iot-hub-csharp-csharp-module-twin-getstarted.md

@@ -26,7 +26,7 @@ At the end of this tutorial, you have two .NET console apps:
 > [!NOTE]
 > For information about the Azure IoT SDKs that you can use to build both applications to run on devices, and your solution back end, see [Azure IoT SDKs](iot-hub-devguide-sdks.md).
 
-To complete this tutorial, you need the following prerequisites:
+## Prerequisites
 
 * Visual Studio.
 

articles/iot-hub/iot-hub-csharp-csharp-schedule-jobs.md

@@ -46,8 +46,6 @@ At the end of this tutorial, you have two .NET (C#) console apps:
 
 ## Prerequisites
 
-To complete this tutorial, you need:
-
 * Visual Studio.
 
 * An active Azure account. If you don't have an account, you can create a [free account](https://azure.microsoft.com/pricing/free-trial/) in just a couple of minutes.

articles/iot-hub/iot-hub-csharp-csharp-twin-getstarted.md

@@ -29,8 +29,6 @@ In this tutorial, you create these .NET console apps:
 
 ## Prerequisites
 
-To complete this tutorial, you need:
-
 * Visual Studio.
 
 * An active Azure account. If you don't have an account, you can create a [free account](https://azure.microsoft.com/pricing/free-trial/) in just a couple of minutes.