Merge branch 'master' into oracle-db-functions

Author: lauradolan

articles/active-directory-b2c/tokens-overview.md

@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 05/12/2020
+ms.date: 05/21/2020
 ms.author: mimart
 ms.subservice: B2C
 ---
@@ -33,8 +33,8 @@ The following tokens are used in communication with Azure AD B2C:
 
 A [registered application](tutorial-register-applications.md) receives tokens and communicates with Azure AD B2C by sending requests to these endpoints:
 
-- `https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/oauth2/v2.0/authorize`
-- `https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/oauth2/v2.0/token`
+- `https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize`
+- `https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/token`
 
 Security tokens that your application receives from Azure AD B2C can come from the `/authorize` or `/token` endpoints. When ID tokens are acquired from the `/authorize` endpoint, it's done using the [implicit flow](implicit-flow-single-page-application.md), which is often used for users signing in to JavaScript-based web applications. When ID tokens are acquired from the `/token` endpoint, it's done using the [authorization code flow](openid-connect.md#get-a-token), which keeps the token hidden from the browser.
 

articles/active-directory/authentication/concept-mfa-licensing.md

@@ -6,7 +6,7 @@ services: multi-factor-authentication
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 02/20/2020
+ms.date: 05/20/2020
 
 ms.author: iainfou
 author: iainfoulds
@@ -28,9 +28,9 @@ Azure Multi-Factor Authentication can be used, and licensed, in a few different
 | If you're a user of | Capabilities and use cases |
 | --- | --- |
 | EMS or Microsoft 365 E3 and E5 | EMS E3 or Microsoft 365 E3 (that includes EMS and Office 365), includes Azure AD Premium P1. EMS E5 or Microsoft 365 E5 includes Azure AD Premium P2. You can use the same Conditional Access features noted in the following sections to provide multi-factor authentication to users. |
-| Azure AD Premium P1 | You can use [Azure AD Conditional Access](../conditional-access/overview.md) to prompt users for multi-factor authentication during certain scenarios or events to fit your business requirements. |
+| Azure AD Premium P1 | You can use [Azure AD Conditional Access](../conditional-access/howto-conditional-access-policy-all-users-mfa.md) to prompt users for multi-factor authentication during certain scenarios or events to fit your business requirements. |
 | Azure AD Premium P2 | Provides the strongest security position and improved user experience. Adds [risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk.md) to the Azure AD Premium P1 features that adapts to user's patterns and minimizes multi-factor authentication prompts. |
-| Office 365 Business Premium, E3, or E5 | Azure Multi-Factor Authentication is either enabled or disabled for all users, for all sign-in events. There is no ability to only enable multi-factor authentication for a subset of users, or only under certain scenarios. Management is through the Office 365 portal. For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. For more information, see [secure Office 365 resources with multi-factor authentication](https://support.office.com/article/Set-up-multi-factor-authentication-for-Office-365-users-8f0454b2-f51a-4d9c-bcde-2c48e41621c6). |
+| Office 365 Business Premium, E3, or E5 | Azure Multi-Factor Authentication can be [enabled on a per-user basis](howto-mfa-userstates.md), or enabled or disabled for all users, for all sign-in events, using security defaults. Management of Azure Multi-Factor Authentication is through the Office 365 portal. For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. For more information, see [secure Office 365 resources with multi-factor authentication](https://support.office.com/article/Set-up-multi-factor-authentication-for-Office-365-users-8f0454b2-f51a-4d9c-bcde-2c48e41621c6). |
 | Azure AD free | You can use [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) to enable multi-factor authentication for all users, every time an authentication request is made. You don't have granular control of enabled users or scenarios, but it does provide that additional security step.<br /> Even when security defaults aren't used to enable multi-factor authentication for everyone, users assigned the *Azure AD Global Administrator* role can be configured to use multi-factor authentication. This feature of the free tier makes sure the critical administrator accounts are protected by multi-factor authentication. |
 
 ## Feature comparison of versions
@@ -82,4 +82,6 @@ If you don't want to enable Azure Multi-Factor Authentication for all users and
 
 ## Next steps
 
-For more information on costs, see [Azure Multi-Factor Authentication pricing](https://azure.microsoft.com/pricing/details/multi-factor-authentication/).
+* For more information on costs, see [Azure Multi-Factor Authentication pricing](https://azure.microsoft.com/pricing/details/multi-factor-authentication/).
+* [What is Conditional Access](../conditional-access/overview.md)
+

articles/active-directory/authentication/howto-mfa-getstarted.md

@@ -52,7 +52,7 @@ Microsoft provides [communication templates](https://aka.ms/mfatemplates) and [e
 
 ## Deployment considerations
 
-Azure Multi-factor Authentication is deployed by enforcing policies with Conditional Access. A [Conditional Access policy](../conditional-access/overview.md) can require users to perform multi-factor authentication when certain criteria are met such as:
+Azure Multi-factor Authentication is deployed by enforcing policies with Conditional Access. A Conditional Access policy can require users to perform multi-factor authentication when certain criteria are met such as:
 
 * All users, a specific user, member of a group, or assigned role
 * Specific cloud application being accessed
@@ -218,7 +218,7 @@ Get-MsolUser -All | Set-MfaState -State Disabled
 
 ## Plan Conditional Access policies
 
-To plan your Conditional Access policy strategy, which will determine when MFA and other controls are required, refer to [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md).
+To plan your Conditional Access policy strategy, which will determine when MFA and other controls are required, refer to [Common Conditional Access policies](../conditional-access/concept-conditional-access-policy-common.md).
 
 It is important that you prevent being inadvertently locked out of your Azure AD tenant. You can mitigate the impact of this inadvertent lack of administrative access by [creating two or more emergency access accounts in your tenant](../users-groups-roles/directory-emergency-access.md) and excluding them from your Conditional Access policy.
 

articles/active-directory/conditional-access/howto-conditional-access-policy-azure-management.md

@@ -36,7 +36,7 @@ Conditional Access policies are powerful tools, we recommend excluding the follo
 
 ## Create a Conditional Access policy
 
-The following steps will help create a Conditional Access policy to require those assigned administrative roles to perform multi-factor authentication.
+The following steps will help create a Conditional Access policy to require those with access to the [Microsoft Azure Management](concept-conditional-access-cloud-apps.md#microsoft-azure-management) app to perform multi-factor authentication.
 
 1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
 1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.

articles/active-directory/hybrid/choose-ad-authn.md

@@ -86,7 +86,7 @@ Details on decision questions:
 
 * **Advanced scenarios**. If organizations choose to, it's possible to use insights from identities with Azure AD Identity Protection reports with Azure AD Premium P2. An example is the leaked credentials report. Windows Hello for Business has [specific requirements when you use password hash synchronization](https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-identity-verification). [Azure AD Domain Services](../../active-directory-domain-services/active-directory-ds-getting-started-password-sync.md) requires password hash synchronization to provision users with their corporate credentials in the managed domain.
 
-	Organizations that require multifactor authentication with password hash synchronization must use Azure AD multifactor authentication or [Conditional Access custom controls](../../active-directory/conditional-access/controls.md#custom-controls-preview). Those organizations can't use third-party or on-premises multifactor authentication methods that rely on federation.
+	Organizations that require multifactor authentication with password hash synchronization must use Azure Multi-Factor Authentication or [Conditional Access custom controls](../../active-directory/conditional-access/controls.md#custom-controls-preview). Those organizations can't use third-party or on-premises multifactor authentication methods that rely on federation.
 
 > [!NOTE]
 > Azure AD Conditional Access require [Azure AD Premium P1](https://azure.microsoft.com/pricing/details/active-directory/) licenses.

articles/active-directory/manage-apps/configure-single-sign-on-non-gallery-applications.md

@@ -21,7 +21,7 @@ When you [add a gallery app](add-gallery-app.md) or a [non-gallery web app](add-
 > [!NOTE]
 > Adding a gallery app? Find step-by-step setup instructions in the [list of SaaS app tutorials](../saas-apps/tutorial-list.md)
 
-To configure SAML single sign-on for a non-gallery application without writing code, you need to have a subscription along with an Azure AD Premium license and the application must support SAML 2.0. For more information about Azure AD versions, visit [Azure AD pricing](https://azure.microsoft.com/pricing/details/active-directory/).
+To configure SAML single sign-on for a non-gallery application without writing code, you need to have an Azure AD subscription and the application must support SAML 2.0. For more information about Azure AD versions, visit [Azure AD pricing](https://azure.microsoft.com/pricing/details/active-directory/).
 
 ## Before you begin
 

articles/active-directory/users-groups-roles/roles-create-custom.md

@@ -135,6 +135,9 @@ $roleAssignment = New-AzureADMSRoleAssignment -ResourceScope $resourceScope -Rol
    }
     ```
 
+  > [!Note]
+  > The "templateId": "GUID" is an optional parameter being sent in the body depending on requirement. If you have a requirement for creating multiple different custom role with common parameters , it is best to create a template and define a templateId . You can generate a templateId beforehand using the powershell cmdlet (New-Guid).Guid . 
+
 1. Create the role assignment.
 
     HTTP request to create a custom role definition.
@@ -155,6 +158,7 @@ $roleAssignment = New-AzureADMSRoleAssignment -ResourceScope $resourceScope -Rol
    }
     ```
 
+
 ## Assign a custom role scoped to a resource
 
 Like built-in roles, custom roles are assigned by default at the default organization-wide scope to grant access permissions over all app registrations in your organization. But unlike built-in roles, custom roles can also be assigned at the scope of a single Azure AD resource. This allows you to give the user the permission to update credentials and basic properties of a single app without having to create a second custom role.

articles/azure-arc/kubernetes/use-gitops-connected-cluster.md

@@ -27,7 +27,7 @@ This getting started guide will walk you through applying a set of configuration
 
 ## Create a configuration
 
-- Example repository: <https://github.com/slack/cluster-config>
+- Example repository: <https://github.com/Azure/arc-k8s-demo>
 
 The example repository is structured around the persona of a cluster operator who would like to provision a few namespaces, deploy a common workload, and provide some team-specific configuration. Using this repository creates the following resources on your cluster:
 

articles/azure-functions/functions-monitoring.md

@@ -606,7 +606,7 @@ When you choose **Create**, an Application Insights resource is created with you
 <a id="manually-connect-an-app-insights-resource"></a>
 ### Add to an existing function app 
 
-When you create a function app using [Visual Studio](functions-create-your-first-function-visual-studio.md), you must create the Application Insights resource. You can then add the instrumentation key from that resource as an application setting in your function app.
+When you create a function app using [Visual Studio](functions-create-your-first-function-visual-studio.md), you must create the Application Insights resource. You can then add the instrumentation key from that resource as an [application setting](functions-how-to-use-azure-function-app-settings.md#settings) in your function app.
 
 [!INCLUDE [functions-connect-new-app-insights.md](../../includes/functions-connect-new-app-insights.md)]
 

articles/azure-monitor/platform/delete-workspace.md

@@ -5,13 +5,13 @@ ms.subservice: logs
 ms.topic: conceptual
 author: bwren
 ms.author: bwren
-ms.date: 04/30/2020
+ms.date: 05/19/2020
 
 ---
 
 # Delete and recover Azure Log Analytics workspace
 
-This article explains the concept of Azure Log Analytics workspace soft-delete and how to recover deleted workspace. 
+This article explains the concept of Azure Log Analytics workspace soft-delete and how to recover deleted workspace.
 
 ## Considerations when deleting a workspace
 
@@ -42,12 +42,12 @@ You can delete a workspace using [PowerShell](https://docs.microsoft.com/powersh
 
 ### Azure portal
 
-1. To sign in, go to the [Azure portal](https://portal.azure.com). 
+1. Sign in to the [Azure portal](https://portal.azure.com). 
 2. In the Azure portal, select **All services**. In the list of resources, type **Log Analytics**. As you begin typing, the list filters based on your input. Select **Log Analytics workspaces**.
 3. In the list of Log Analytics workspaces, select a workspace and then click **Delete**  from the top of the middle pane.
-   ![Delete option from Workspace properties pane](media/delete-workspace/log-analytics-delete-workspace.png)
-4. When the confirmation message window appears asking you to confirm deletion of the workspace, click **Yes**.
-   ![Confirm deletion of workspace](media/delete-workspace/log-analytics-delete-workspace-confirm.png)
+4. A confirmation page appears that shows the data ingestion to the workspace over the past week. Type in the name of the workspace to confirm and then click **Delete**.
+
+   ![Confirm deletion of workspace](media/delete-workspace/workspace-delete.png)
 
 ### PowerShell
 ```PowerShell
@@ -89,10 +89,27 @@ To permanently delete your workspace, use the [Workspaces - Delete REST]( https:
 Where 'eyJ0eXAiOiJKV1Qi…' represents the full authorization token.
 
 ## Recover workspace
+When you delete a Log Analytics workspace accidentally or intentionally, the service places the workspace in a soft-delete state making it inaccessible to any operation. The name of the deleted workspace is preserved during the soft-delete period and can't be used for creating a new workspace. After the soft-delete period, the workspace is non-recoverable, it is scheduled for permanent deletion and its name it released and can be used for creating a new workspace.
+
+You can recover your workspace during the soft-delete period including its data, configuration and connected agents. You need to have Contributor permissions to the subscription and resource group where the workspace was located before the soft-delete operation. The workspace recover is performed by creating a Log Analytics workspace with the details of the deleted workspace including:
+
+- Subscription ID
+- Resource Group name
+- Workspace name
+- Region
+
+### Azure portal
+
+1. Sign in to the [Azure portal](https://portal.azure.com). 
+2. In the Azure portal, select **All services**. In the list of resources, type **Log Analytics**. As you begin typing, the list filters based on your input. Select **Log Analytics workspaces**. You see the list of workspaces you have in the selected scope.
+3. Click **Recover** on the top left menu to open a page with workspaces in soft-delete state that can be recovered.
+
+   ![Recover workspace](media/delete-workspace/recover-menu.png)
+
+4. Select the workspace and click **Recover** to recover that workspace.
 
-If you have Contributor permissions to the subscription and resource group where the workspace was associated before the soft-delete operation, you can recover it during its soft-delete period including its data, configuration and connected agents. After the soft-delete period, the workspace is non-recoverable and assigned for permanent deletion. Names of deleted workspaces are preserved during the soft-delete period and can't be used when attempting to create a new workspace.  
+   ![Recover workspace](media/delete-workspace/recover-workspace.png)
 
-You can recover your workspace by creating a workspace with the details of the deleted workspace, these include *Subscription ID*, *Resource Group name*, *Workspace name* and *Region*. If your resource group was also deleted and doesn’t exist, create a resource group with the same name that was used before the delete, then create a workspace using any of these methods: [Azure portal](https://docs.microsoft.com/azure/azure-monitor/learn/quick-create-workspace), [PowerShell](https://docs.microsoft.com/powershell/module/az.operationalinsights/New-AzOperationalInsightsWorkspace) or [REST API](https://docs.microsoft.com/rest/api/loganalytics/workspaces/createorupdate).
 
 ### PowerShell
 ```PowerShell