Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into work-fslogix-containers

Author: Heidilohr

articles/active-directory/reports-monitoring/concept-provisioning-logs.md

@@ -86,23 +86,31 @@ Select an item in the list view to get more detailed information.
 
 ## Filter provisioning activities
 
-To narrow down the reported data to a level that works for you, you can filter the provisioning data using the following default fields. Note that the values in the filters are dynamically populated based on your tenant. If, for example, you don't have any create events in your tenant, there won't be a filter option for create.
+You can filter your provisioning data. Some filter values are dynamically populated based on your tenant. If, for example, you don't have any create events in your tenant, there won't be a filter option for create.
+In the default view, you can select the following filters:
 
 - Identity
-- Action
-- Source system
-- Target system
-- Status
 - Date
+- Status
+- Action
 
 
-![Filter](./media/concept-provisioning-logs/filter.png "Filter")
+![Filter](./media/concept-provisioning-logs/default-filter.png "Filter")
 
 The **Identity** filter enables you to specify the name or the identity that you care about. This identity could be a user, group, role, or other object. You can search by the name or ID of the object. The ID varies by scenario. For example, when provisioning an object from Azure AD to SalesForce, the Source ID is the object ID of the user in Azure AD while the TargetID is the ID of the user in Salesforce. When provisioning from Workday to Active Directory, the Source ID is the Workday worker employee ID. Note that the Name of the user may not always be present in the Identity column. There will always be one ID. 
 
-The **Source System** filter enables you to specify where the identity is getting provisioned from. For example, when provisioning an object from Azure AD to ServiceNow, the Source system is Azure AD. 
 
-The **Target System** filter enables you to specify where the identity is getting provisioned to. For example, when provisioning an object from Azure AD to ServiceNow, the Target System is ServiceNow. 
+The **Date** filter enables to you to define a timeframe for the returned data.  
+Possible values are:
+
+- 1 month
+- 7 days
+- 30 days
+- 24 hours
+- Custom time interval
+
+When you select a custom time frame, you can configure a start date and an end date.
+
 
 The **Status** filter enables you to select:
 
@@ -111,6 +119,8 @@ The **Status** filter enables you to select:
 - Failure
 - Skipped
 
+
+
 The **Action** filter enables you to filter the:
 
 - Create 
@@ -119,19 +129,18 @@ The **Action** filter enables you to filter the:
 - Disable
 - Other
 
-The **Date** filter enables to you to define a timeframe for the returned data.  
-Possible values are:
+In addition, to the filters of the default view, you can also set the following filters:
 
-- 1 month
-- 7 days
-- 30 days
-- 24 hours
-- Custom time interval
+- Job ID
+- Cycle ID
+- Change ID
+- Source ID
+- Target ID
+- Application
 
-When you select a custom time frame, you can configure a start date and an end date.
 
+![Pick a field](./media/concept-provisioning-logs/add-filter.png "Pick a field")
 
-In addition to the default fields, when selected, you can also include the following fields in your filter:
 
 - **Job ID** - A unique Job ID is associated with each application that you have enabled provisioning for.   
 
@@ -140,8 +149,13 @@ In addition to the default fields, when selected, you can also include the follo
 - **Change ID** - Unique identifier for the provisioning event. You can share this ID to support to look up the provisioning event.   
 
 
+- **Source System** - Enables you to specify where the identity is getting provisioned from. For example, when provisioning an object from Azure AD to ServiceNow, the Source system is Azure AD. 
+
+- **Target System** - Enables you to specify where the identity is getting provisioned to. For example, when provisioning an object from Azure AD to ServiceNow, the Target System is ServiceNow. 
+
+- **Application** - Enables you to show only records of applications with a display name that contains a specific string.
 
-  
+ 
 
 ## Provisioning details 
 

articles/active-directory/reports-monitoring/media/concept-provisioning-logs/add-filter.png

@@ -93,12 +93,12 @@ The above command creates a three node AKS cluster, but the user, who created th
 Once you've created a group and added yourself (and others) as a member, you can update the cluster with the Azure AD group using the following command
 
 ```azurecli-interactive
-az aks update -g MyResourceGroup -n MyManagedCluster [--aad-admin-group-object-ids <id1,id2>] [--aad-tenant-id <id>]
+az aks update -g MyResourceGroup -n MyManagedCluster [--aad-admin-group-object-ids <id>] [--aad-tenant-id <id>]
 ```
 Alternatively, if you first create a group and add members, you can enable the Azure AD group at create time using the following command,
 
 ```azurecli-interactive
-az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad [--aad-admin-group-object-ids <id1,id2>] [--aad-tenant-id <id>]
+az aks create -g MyResourceGroup -n MyManagedCluster --enable-aad [--aad-admin-group-object-ids <id>] [--aad-tenant-id <id>]
 ```
 
 A successful creation of an Azure AD v2 cluster has the following section in the response body

articles/active-directory/reports-monitoring/media/concept-provisioning-logs/default-filter.png

@@ -1006,7 +1006,41 @@
     items:
     - name: Security overview
       href: /azure/databricks/security/index
-      maintainContext: true 
+      maintainContext: true
+    - name: Access control
+      items:
+      - name: Access control overview
+        href: /azure/databricks/security/access-control/index
+        maintainContext: true
+      - name: Workspace access control
+        href: /azure/databricks/security/access-control/workspace-acl
+        maintainContext: true
+      - name: Cluster access control
+        href: /azure/databricks/security/access-control/cluster-acl
+        maintainContext: true
+      - name: Pool access control
+        href: /azure/databricks/security/access-control/pool-acl
+        maintainContext: true  
+      - name: Jobs access control
+        href: /azure/databricks/security/access-control/job-acl
+        maintainContext: true
+      - name: Table access control
+        items:
+        - name: Table access control overview
+          href: /azure/databricks/security/access-control/table-acls/index
+          maintainContext: true
+        - name: Enable table access control for a cluster
+          href: /azure/databricks/security/access-control/table-acls/table-acl
+          maintainContext: true
+        - name: Data object privileges
+          href: /azure/databricks/security/access-control/table-acls/object-privileges
+          maintainContext: true
+      - name: Secret access control
+        href: /azure/databricks/security/access-control/secret-acl
+        maintainContext: true
+    - name: Authenticate to Azure Data Lake Storage using Azure Active Directory credentials
+      href: /azure/databricks/security/credential-passthrough/adls-passthrough
+      maintainContext: true
     - name: Secrets
       items:
       - name: Keep data secure with secrets
@@ -1018,21 +1052,18 @@
       - name: Secrets
         href: /azure/databricks/security/secrets/secrets
         maintainContext: true
-      - name: Secret access control
-        href: /azure/databricks/security/secrets/secret-acl
-        maintainContext: true  
       - name: Secret redaction
         href: /azure/databricks/security/secrets/redaction
         maintainContext: true
       - name: Secret workflow example
         href: /azure/databricks/security/secrets/example-secret-workflow
         maintainContext: true
     - name: Encrypt traffic between cluster worker nodes
-      href: /azure/databricks/security/encrypt-otw
+      href: /azure/databricks/security/encryption/encrypt-otw
     - name: Enable customer-managed keys for notebooks
-      href: /azure/databricks/security/customer-managed-key-notebook
+      href: /azure/databricks/security/keys/customer-managed-key-notebook
     - name: Enable customer-managed keys for DBFS
-      href: /azure/databricks/security/customer-managed-keys-dbfs
+      href: /azure/databricks/security/keys/customer-managed-keys-dbfs
   - name: Administration
     items:
     - name: Administration overview
@@ -1054,7 +1085,7 @@
         maintainContext: true
       - name: Monitor usage using tags
         href: /azure/databricks/administration-guide/account-settings/usage-detail-tags-azure
-        maintainContext: true        
+        maintainContext: true
     - name: Manage users and groups
       items:
       - name: Users and groups overview
@@ -1080,30 +1111,22 @@
       - name: Access control overview
         href: /azure/databricks/administration-guide/access-control/index
         maintainContext: true
-      - name: Cluster access control
+      - name: Enable workspace access control
+        href: /azure/databricks/administration-guide/access-control/workspace-acl
+        maintainContext: true
+      - name: Enable cluster access control
         href: /azure/databricks/administration-guide/access-control/cluster-acl
         maintainContext: true
-      - name: Pool access control
+      - name: Enable pool access control
         href: /azure/databricks/administration-guide/access-control/pool-acl
         maintainContext: true
-      - name: Jobs access control
+      - name: Enable jobs access control
         href: /azure/databricks/administration-guide/access-control/jobs-acl
         maintainContext: true
-      - name: Table access control
-        items:
-        - name: Table access control overview
-          href: /azure/databricks/administration-guide/access-control/table-acls/index
-          maintainContext: true
-        - name: Enable Table access control
-          href: /azure/databricks/administration-guide/access-control/table-acls/table-acl
-          maintainContext: true
-        - name: Set Privileges  on a Data Object
-          href: /azure/databricks/administration-guide/access-control/table-acls/object-privileges 
-          maintainContext: true
-      - name: Workspace access control
-        href: /azure/databricks/administration-guide/access-control/workspace-acl
+      - name: Enable table access control
+        href: /azure/databricks/administration-guide/access-control/table-acl
         maintainContext: true
-      - name: Enable Token-based authentication
+      - name: Enable token-based authentication
         href: /azure/databricks/administration-guide/access-control/tokens
         maintainContext: true
       - name: Conditional access
@@ -1689,6 +1712,9 @@
       - name: Platform release notes 
         href: /azure/databricks/release-notes/product/index
         maintainContext: true
+      - name: April 2020
+        href: /azure/databricks/release-notes/product/2020/april
+        maintainContext: true
       - name: March 2020
         href: /azure/databricks/release-notes/product/2020/march
         maintainContext: true

articles/active-directory/reports-monitoring/media/concept-provisioning-logs/steps.png

@@ -52,7 +52,7 @@ To ensure that your `DiagnosticsConnectionString` setting is correct before you
   If you are developing your application by using Azure Tools for Microsoft Visual Studio, you can use the property pages to set this value.
 
 ## Exported certificate does not include private key
-To run a web role under SSL, you must ensure that your exported management certificate includes the private key. If you use the *Windows Certificate Manager* to export the certificate, be sure to select **Yes** for the **Export the private key** option. The certificate must be exported in the PFX format, which is the only format currently supported.
+To run a web role under TLS, you must ensure that your exported management certificate includes the private key. If you use the *Windows Certificate Manager* to export the certificate, be sure to select **Yes** for the **Export the private key** option. The certificate must be exported in the PFX format, which is the only format currently supported.
 
 ## Next steps
 View more [troubleshooting articles](https://azure.microsoft.com/documentation/articles/?tag=top-support-issue&product=cloud-services) for cloud services.

articles/aks/azure-ad-v2.md

@@ -5,7 +5,7 @@ services: firewall
 author: vhorne
 ms.service: firewall
 ms.topic: conceptual
-ms.date: 03/31/2020
+ms.date: 04/10/2020
 ms.author: victorh
 ---
 
@@ -167,17 +167,11 @@ No. Azure Firewall doesn't need a subnet bigger than /26.
 
 ## How can I increase my firewall throughput?
 
-Azure Firewall's initial throughput capacity is 2.5 - 3 Gbps and it scales out to 30 Gbps. It scales out based on CPU usage and throughput. Contact Support to increase your firewall's throughput capacity.
+Azure Firewall's initial throughput capacity is 2.5 - 3 Gbps and it scales out to 30 Gbps. It scales out automatically based on CPU usage and throughput.
 
 ## How long does it take for Azure Firewall to scale out?
 
-It takes from five to seven minutes for Azure Firewall to scale out. Contact Support to increase your firewall's initial throughput capacity if you have bursts that require a faster autoscale.
-
-The following points should be taken into account when you test the firewall autoscale:
-
-- Single TCP flow performance is limited to 1.4 Gbps. So, a performance test needs to establish multiple TCP flows.
-- Performance tools must continuously establish new connections for them to connect with the scaled-up backend Firewall instances. If the test establishes connections once at the start, then those will only connect with the initial backend instances. Even though the firewall scales up, you won't see any increased performance because the connections are associated with the initial instances.
-
+Azure Firewall gradually scales when average throughput or CPU consumption is at 60%. Scale out takes five to seven minutes. When performance testing, make sure you test for at least 10 to 15 minutes, and initiate new connections to take advantage of newly created Firewall nodes.
 
 ## Does Azure Firewall allow access to Active Directory by default?
 
@@ -207,7 +201,7 @@ Set-AzFirewall -AzureFirewall $fw
 
 ## Why can a TCP ping and similar tools successfully connect to a target FQDN even when no rule on Azure Firewall allows that traffic?
 
-A TCP ping is not actually connecting  to the target FQDN. This happens because Azure Firewall's transparent proxy listens on port 80/443 for outbound traffic. The TCP ping establishes a connection with the firewall, which then drops the packet and logs the connection. This behavior doesn't have any security impact. However, to avoid confusion we're investigating potential changes to this behavior.
+A TCP ping isn't actually connecting  to the target FQDN. This happens because Azure Firewall's transparent proxy listens on port 80/443 for outbound traffic. The TCP ping establishes a connection with the firewall, which then drops the packet and logs the connection. This behavior doesn't have any security impact. However, to avoid confusion we're investigating potential changes to this behavior.
 
 ## Are there limits for the number of IP addresses supported by IP Groups?
 

articles/azure-databricks/TOC.yml

@@ -5,23 +5,25 @@ services: firewall
 author: vhorne
 ms.service: firewall
 ms.topic: article
-ms.date: 03/10/2020
+ms.date: 04/10/2020
 ms.author: victorh
 ---
 
 # Azure Firewall rule processing logic
-You can configure NAT rules, network rules, and applications rules on Azure Firewall. The rules are processed according to the rule type. 
+You can configure NAT rules, network rules, and applications rules on Azure Firewall. Rule collections are processed according to the rule type in priority order, lower numbers to higher numbers from 100 to 65,000. A rule collection name can have only letters, numbers, underscores, periods, or hyphens. It must begin with a letter or number, and end with a letter, number or underscore. The maximum name length is 80 characters.
+
+It's best to initially space your rule collection priority numbers in 100 increments (100, 200, 300, and so on) so you have room to add more rule collections if needed.
 
 > [!NOTE]
 > If you enable threat intelligence-based filtering, those rules are highest priority and are always processed first. Threat-intelligence filtering may deny traffic before any configured rules are processed. For more information, see [Azure Firewall threat intelligence-based filtering](threat-intel.md).
 
-## Outbound
+## Outbound connectivity
 
 ### Network rules and applications rules
 
 If you configure network rules and application rules, then network rules are applied in priority order before application rules. The rules are terminating. So if a match is found in a network rule, no other rules are processed.  If there is no network rule match, and if the protocol is HTTP, HTTPS, or MSSQL, then the packet is then evaluated by the application rules in priority order. If still no match is found, then the packet is evaluated against the [infrastructure rule collection](infrastructure-fqdns.md). If there is still no match, then the packet is denied by default.
 
-## Inbound
+## Inbound connectivity
 
 ### NAT rules
 

articles/cloud-services/cloud-services-troubleshoot-common-issues-which-cause-roles-recycle.md

@@ -222,6 +222,7 @@ locations:
 
 ## Next steps
 
+- Learn how to view the details each setting from the [Guest Configuration compliance view](../how-to/determine-non-compliance.md#compliance-details-for-guest-configuration)
 - Review examples at [Azure Policy samples](../samples/index.md).
 - Review the [Azure Policy definition structure](definition-structure.md).
 - Review [Understanding policy effects](effects.md).