Merge pull request #94608 from MicrosoftDocs/master

Dana Sindona · web-flow · commit 9a30cb9435e3 · 2019-11-04T09:35:57.000-05:00
Build to live 11/4 early
diff --git a/articles/active-directory/develop/scenario-protected-web-api-app-configuration.md b/articles/active-directory/develop/scenario-protected-web-api-app-configuration.md
@@ -121,10 +121,12 @@ services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationSche
     // Instead of using the default validation (validating against a single tenant,
     // as we do in line-of-business apps),
     // we inject our own multitenant validation logic (which even accepts both v1 and v2 tokens).
-    options.TokenValidationParameters.IssuerValidator = AadIssuerValidator.ValidateAadIssuer;
+    options.TokenValidationParameters.IssuerValidator = AadIssuerValidator.GetIssuerValidator(options.Authority).Validate;;
 });
 ```
 
+This code snippet is extracted from the ASP.NET Core Web Api incremental tutorial in [Microsoft.Identity.Web/WebApiServiceCollectionExtensions.cs#L50-L63](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/blob/154282843da2fc2958fad151e2a11e521e358d42/Microsoft.Identity.Web/WebApiServiceCollectionExtensions.cs#L50-L63). The `AddProtectedWebApi` method, which does a lot more, is called from the Startup.cs
+
 ## Token validation
 
 The JwtBearer middleware, like the OpenID Connect middleware in web apps, is directed by `TokenValidationParameters` to validate the token. The token is decrypted (as needed), the claims are extracted, and the signature is verified. The middleware then validates the token by checking for this data:
diff --git a/articles/azure-maps/azure-maps-authentication.md b/articles/azure-maps/azure-maps-authentication.md
@@ -44,7 +44,7 @@ Azure Maps generates a *unique identifier (client ID)* for each Azure Maps accou
 | Azure Government    | https://login.microsoftonline.us |
 
 
-For more information about how to configure Azure AD and request tokens for Azure Maps, see [Manage authentication in Azure Maps](https://review.docs.microsoft.com/azure/azure-maps/how-to-manage-authentication).
+For more information about how to configure Azure AD and request tokens for Azure Maps, see [Manage authentication in Azure Maps](https://docs.microsoft.com/azure/azure-maps/how-to-manage-authentication).
 
 For general information about requesting tokens from Azure AD, see [What is authentication?](https://docs.microsoft.com/azure/active-directory/develop/authentication-scenarios).
 
@@ -87,6 +87,6 @@ For information about viewing your RBAC settings, see [How to configure RBAC for
 
 ## Next steps
 
-* To learn more about authenticating an application with Azure AD and Azure Maps, see [Manage authentication in Azure Maps](https://review.docs.microsoft.com/azure/azure-maps/how-to-manage-authentication).
+* To learn more about authenticating an application with Azure AD and Azure Maps, see [Manage authentication in Azure Maps](https://docs.microsoft.com/azure/azure-maps/how-to-manage-authentication).
 
-* To learn more about authenticating the Azure Maps Map Control and Azure AD, see [Use the Azure Maps Map Control](https://aka.ms/amaadmc).
+* To learn more about authenticating the Azure Maps Map Control and Azure AD, see [Use the Azure Maps Map Control](https://aka.ms/amaadmc).
diff --git a/articles/index.md b/articles/index.md
@@ -5637,19 +5637,21 @@ featureFlags:
                                     <div class="cardSize">
                                         <div class="cardPadding">
                                             <div class="card">
+                                                <div class="cardImageOuter">
                                                     <div class="cardImage">
                                                         <img src="media/index/peering-service.svg" alt="" />
                                                     </div>
-                                            </div>
-                                            <div class="cardText">
+                                                </div>
+                                                <div class="cardText">
                                                     <h3>Peering Service</h3>
                                                     <p>Get optimal internet connectivity to access the Microsoft network</p>
+                                                </div>
                                             </div>
                                         </div>
                                     </div>
                                 </a>
                             </li>
-                        </ul>
+                         </ul>
                     </li>
                     <li>
                         <a href="#security">Security</a>
diff --git a/articles/internet-analyzer/TOC.yml b/articles/internet-analyzer/TOC.yml
@@ -9,7 +9,7 @@
   - name: Create an Internet Analyzer test using Portal
     href: internet-analyzer-create-test-portal.md
   - name: Create an Internet Analyzer test using CLI
-    herf: internet-analyzer-cli.md
+    href: internet-analyzer-cli.md  
 - name: How-to guides
   items:
   - name: Embed client
diff --git a/articles/openshift/howto-setup-environment.md b/articles/openshift/howto-setup-environment.md
@@ -5,7 +5,7 @@ services: openshift
 keywords:  red hat openshift setup set up
 author: jimzim
 ms.author: jzim
-ms.date: 05/10/2019
+ms.date: 11/04/2019
 ms.topic: conceptual
 ms.service: container-service
 manager: jeconnoc
@@ -16,7 +16,6 @@ manager: jeconnoc
 
 To build and run Microsoft Azure Red Hat OpenShift applications, you'll need to:
 
-* Purchase Azure virtual machine reserved instances.
 * Install version 2.0.65 (or higher) of the Azure CLI (or use the Azure Cloud Shell).
 * Register for the `AROGA` feature and associated resource providers.
 * Create an Azure Active Directory (Azure AD) tenant.
@@ -25,16 +24,6 @@ To build and run Microsoft Azure Red Hat OpenShift applications, you'll need to:
 
 The following instructions will walk you through all of these prerequisites.
 
-## Purchase Azure Red Hat OpenShift application nodes reserved instances
-
-Before you can use Azure Red Hat OpenShift, you'll need to purchase a minimum of 4 Azure Red Hat OpenShift reserved application nodes, after which you'll be able to provision clusters.
-
-If you are an Azure customer, [purchase Azure Red Hat OpenShift reserved instances](https://aka.ms/openshift/buy) through the Azure portal. After purchasing, your subscription will be activated within 24 hours.
-
-If you are not an Azure customer, [contact sales](https://aka.ms/openshift/contact-sales) and fill out the sales form at the bottom of the page to start the process.
-
-Refer to the [Azure Red Hat OpenShift pricing page](https://aka.ms/openshift/pricing) for more information.
-
 ## Install the Azure CLI
 
 Azure Red Hat OpenShift requires version 2.0.65 or higher of the Azure CLI. If you've already installed the Azure CLI, you can check which version you have by running:
diff --git a/articles/openshift/openshift-faq.md b/articles/openshift/openshift-faq.md
@@ -7,23 +7,13 @@ ms.author: jzim
 manager: jeconnoc
 ms.service: container-service
 ms.topic: article
-ms.date: 05/08/2019
+ms.date: 11/04/2019
 ---
 
 # Azure Red Hat OpenShift FAQ
 
 This article addresses frequently asked questions (FAQs) about Microsoft Azure Red Hat OpenShift.
 
-## How do I get started?
-
-Before you can use Azure Red Hat OpenShift, you'll need to purchase a minimum of 4 Azure Red Hat OpenShift reserved application nodes.
-
-If you are an Azure customer,[purchase Azure Red Hat OpenShift reserved instances](https://aka.ms/openshift/buy) through the Azure portal. After purchasing, your subscription will be activated within 24 hours, after which you'll be able to provision clusters.
-
-If you are not an Azure customer, [contact sales](https://aka.ms/openshift/contact-sales) and fill out the sales form at the bottom of the page to start the process.
-
-Refer to the [Azure Red Hat OpenShift pricing page](https://aka.ms/openshift/pricing) for more information.
-
 ## Which Azure regions are supported?
 
 See [Supported resources](supported-resources.md#azure-regions) for a list of global regions where Azure Red Hat OpenShift is supported.
diff --git a/articles/openshift/tutorial-create-cluster.md b/articles/openshift/tutorial-create-cluster.md
@@ -7,7 +7,7 @@ ms.author: jzim
 manager: jeconnoc
 ms.topic: tutorial
 ms.service: container-service
-ms.date: 05/14/2019
+ms.date: 11/04/2019
 #Customer intent: As a developer, I want learn how to create an Azure Red Hat OpenShift cluster, scale it, and then clean up resources so that I am not charged for what I'm not using.
 ---
 
@@ -30,8 +30,6 @@ In this tutorial series you learn how to:
 
 > [!IMPORTANT]
 > This tutorial requires version 2.0.65 of the Azure CLI.
->    
-> Before you can use Azure Red Hat OpenShift, you'll need to purchase a minimum of 4 Azure Red Hat OpenShift reserved application nodes as described in [Set up your Azure Red Hat OpenShift development environment](howto-setup-environment.md#purchase-azure-red-hat-openshift-application-nodes-reserved-instances).
 
 Before you begin this tutorial:
 
diff --git a/articles/security-center/security-center-alerts-overview.md b/articles/security-center/security-center-alerts-overview.md
@@ -8,7 +8,7 @@ manager: rkarlin
 ms.assetid: 1b71e8ad-3bd8-4475-b735-79ca9963b823
 ms.service: security-center
 ms.topic: conceptual
-ms.date: 10/16/2019
+ms.date: 11/04/2019
 ms.author: memildin
 ---
 # Security alerts in Azure Security Center
diff --git a/articles/security-center/security-center-iaas-advanced-data.md b/articles/security-center/security-center-iaas-advanced-data.md
@@ -59,7 +59,7 @@ To connect the SQL Server’s host to a workspace, follow the instructions in [C
 
 ## Set up email notification for ATP alerts 
 
-You can set a list of recipients to receive an email notification when ASC alerts are generated. The email contains a direct link to the alert in Azure Security Center with all the relevant details. 
+You can set a list of recipients to receive an email notification when Security Center alerts are generated. The email contains a direct link to the alert in Azure Security Center with all the relevant details. 
 
 1. Go to **Security Center** > **Pricing & settings** and click on the relevant subscription
 
diff --git a/articles/security-center/security-center-just-in-time.md b/articles/security-center/security-center-just-in-time.md
@@ -57,12 +57,12 @@ There are three ways to configure a JIT policy on a VM:
 - [Configure JIT access in an Azure VM blade](#jit-vm)
 - [Configure a JIT policy on a VM programmatically](#jit-program)
 
-## Configure JIT in ASC
+## Configure JIT in Security Center
 
-From ASC, you can configure a JIT policy and request access to a VM using a JIT policy
+From Security Center, you can configure a JIT policy and request access to a VM using a JIT policy
 
 
-### Configure JIT access on a VM in ASC <a name="jit-asc"></a>
+### Configure JIT access on a VM in Security Center <a name="jit-asc"></a>
 
 1. Open the **Security Center** dashboard.
 
@@ -110,9 +110,9 @@ From ASC, you can configure a JIT policy and request access to a VM using a JIT
 >When JIT VM Access is enabled for a VM, Azure Security Center creates "deny all inbound traffic" rules for the selected ports in the network security groups associated and Azure Firewall with it. If other rules had been created for the selected ports, then the existing rules take priority over the new “deny all inbound traffic” rules. If there are no existing rules on the selected ports, then the new “deny all inbound traffic” rules take top priority in the Network Security Groups and Azure Firewall.
 
 
-## Request JIT access via ASC
+## Request JIT access via Security Center
 
-To request access to a VM via ASC:
+To request access to a VM via Security Center:
 
 1. Under **Just-in-time VM access**, select the **Configured** tab.
 
@@ -136,7 +136,7 @@ To request access to a VM via ASC:
 > [!NOTE]
 > If a user who is requesting access is behind a proxy, the option **My IP** may not work. You may need to define the full IP address range of the organization.
 
-## Edit a JIT access policy via ASC
+## Edit a JIT access policy via Security Center
 
 You can change a VM's existing just-in-time policy by adding and configuring a new port to protect for that VM, or by changing any other setting related to an already protected port.
 
@@ -147,7 +147,7 @@ To edit an existing just-in-time policy of a VM:
 1. Under **JIT VM access configuration**, you can either edit the existing settings of an already protected port or add a new custom port. 
   ![jit vm access](./media/security-center-just-in-time/edit-policy.png)
 
-## Audit JIT access activity in ASC
+## Audit JIT access activity in Security Center
 
 You can gain insights into VM activities using log search. To view logs:
 
@@ -164,11 +164,11 @@ Modify the filters and click **Apply** to create a search and log.
 
 
 
-## Configure JIT access in an Azure VM blade <a name="jit-vm"></a>
+## Configure JIT access from an Azure VM's page <a name="jit-vm"></a>
 
-For your convenience, you can connect to a VM using JIT directly from within the VM blade in Azure.
+For your convenience, you can connect to a VM using JIT directly from within the VM's page in Security Center.
 
-### Configure JIT access on a VM via the Azure VM blade
+### Configure JIT access on a VM via the Azure VM page
 
 To make it easy to roll out just-in-time access across your VMs, you can set a VM to allow only just-in-time access directly from within the VM.
 
diff --git a/articles/security-center/security-center-management-groups.md b/articles/security-center/security-center-management-groups.md
@@ -164,7 +164,7 @@ Once the RBAC roles have been assigned to the users, the tenant administrator sh
 
 
 
-## Adding subscriptions to a management groups
+## Adding subscriptions to a management group
 You can add subscriptions to the management group that you created. These steps aren't mandatory for gaining tenant-wide visibility and global policy and access management.
 
 1. Under **Management Groups**, select a management group to add your subscription to.
diff --git a/articles/security-center/security-center-powershell-onboarding.md b/articles/security-center/security-center-powershell-onboarding.md
@@ -26,13 +26,13 @@ This article provides a sample PowerShell script that can be modified and used i
 
 In this example, we will enable Security Center on a subscription with ID: d07c0080-170c-4c24-861d-9c817742786c and apply the recommended settings that provide a high level of protection, by implementing the Standard tier of Security Center, which provides advanced threat protection and detection capabilities:
 
-1. Set the [ASC standard level of protection](https://azure.microsoft.com/pricing/details/security-center/). 
+1. Set the [Security Center standard level of protection](https://azure.microsoft.com/pricing/details/security-center/). 
  
 2. Set the Log Analytics workspace to which the Microsoft Monitoring Agent will send the data it collects on the VMs associated with the subscription – in this example, an existing user defined workspace (myWorkspace).
 
 3. Activate Security Center’s automatic agent provisioning which [deploys the Microsoft Monitoring Agent](security-center-enable-data-collection.md#auto-provision-mma).
 
-5. Set the organization’s [CISO as the security contact for ASC alerts and notable events](security-center-provide-security-contact-details.md).
+5. Set the organization’s [CISO as the security contact for Security Center alerts and notable events](security-center-provide-security-contact-details.md).
 
 6. Assign Security Center’s [default security policies](tutorial-security-policy.md).
 
diff --git a/articles/security-center/security-center-remediate-recommendations.md b/articles/security-center/security-center-remediate-recommendations.md
@@ -11,7 +11,7 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: na
-ms.date: 08/18/2019
+ms.date: 11/04/2019
 ms.author: memildin
 
 ---
diff --git a/articles/sql-database/transparent-data-encryption-azure-sql.md b/articles/sql-database/transparent-data-encryption-azure-sql.md
@@ -10,7 +10,7 @@ ms.topic: conceptual
 author: aliceku
 ms.author: aliceku
 ms.reviewer: vanto
-ms.date: 08/27/2019
+ms.date: 11/01/2019
 ---
 # Transparent data encryption for SQL Database and Data Warehouse
 
@@ -36,10 +36,10 @@ Microsoft also seamlessly moves and manages the keys as needed for geo-replicati
 
 ## Customer-managed transparent data encryption - Bring Your Own Key
 
-[TDE with customer-managed keys in Azure Key Vault](transparent-data-encryption-byok-azure-sql.md) allows to encrypt the Database Encryption Key (DEK) with a customer-managed asymmetric key called TDE Protector.  This is also generally referred to as Bring Your Own Key (BYOK) support for Transparent Data Encryption. In the BYOK scenario, the TDE Protector is stored in a customer-owned and managed [Azure Key Vault](https://docs.microsoft.com/azure/key-vault/key-vault-secure-your-key-vault), Azure’s cloud-based external key management system. The TDE Protector can be [generated by the key vault or transferred to the key vault](https://docs.microsoft.com/azure/key-vault/about-keys-secrets-and-certificates#key-vault-keys) from an on premises HSM device. The TDE DEK, which is stored on the boot page of a database, is encrypted and decrypted by the TDE Protector, which is stored in Azure Key Vault and never leaves the key vault.  SQL Database needs to be granted permissions to the customer-owned key vault to decrypt and encrypt the DEK. If permissions of the logical SQL server to the key vault are revoked, a database will be inaccessible and all data is encrypted. For Azure SQL Database, the TDE protector is set at the logical SQL server level and is inherited by all databases associated with that server. For [Azure SQL Managed Instance](https://docs.microsoft.com/azure/sql-database/sql-database-howto-managed-instance) (BYOK feature in preview), the TDE protector is set at the instance level and it is inherited by all *encrypted* databases on that instance. The term *server* refers both to server and instance throughout this document, unless stated differently.
+[TDE with customer-managed keys in Azure Key Vault](transparent-data-encryption-byok-azure-sql.md) allows to encrypt the Database Encryption Key (DEK) with a customer-managed asymmetric key called TDE Protector.  This is also generally referred to as Bring Your Own Key (BYOK) support for Transparent Data Encryption. In the BYOK scenario, the TDE Protector is stored in a customer-owned and managed [Azure Key Vault](https://docs.microsoft.com/azure/key-vault/key-vault-secure-your-key-vault), Azure’s cloud-based external key management system. The TDE Protector can be [generated by the key vault or transferred to the key vault](https://docs.microsoft.com/azure/key-vault/about-keys-secrets-and-certificates#key-vault-keys) from an on premises HSM device. The TDE DEK, which is stored on the boot page of a database, is encrypted and decrypted by the TDE Protector, which is stored in Azure Key Vault and never leaves the key vault.  SQL Database needs to be granted permissions to the customer-owned key vault to decrypt and encrypt the DEK. If permissions of the logical SQL server to the key vault are revoked, a database will be inaccessible and all data is encrypted. For Azure SQL Database, the TDE protector is set at the logical SQL server level and is inherited by all databases associated with that server. For [Azure SQL Managed Instance](https://docs.microsoft.com/azure/sql-database/sql-database-howto-managed-instance), the TDE protector is set at the instance level and it is inherited by all *encrypted* databases on that instance. The term *server* refers both to server and instance throughout this document, unless stated differently.
 
 With TDE with Azure Key Vault integration, users can control key management tasks including key rotations, key vault permissions, key backups, and enable auditing/reporting on all TDE protectors using Azure Key Vault functionality. Key Vault provides central key management, leverages tightly monitored hardware security modules (HSMs), and enables separation of duties between management of keys and data to help meet compliance with security policies.
-To learn more about transparent data encryption with Azure Key Vault integration (Bring Your Own Key support) for Azure SQL Database, SQL Managed Instance (BYOK feature in preview), and Data Warehouse, see [Transparent data encryption with Azure Key Vault integration](transparent-data-encryption-byok-azure-sql.md).
+To learn more about transparent data encryption with Azure Key Vault integration (Bring Your Own Key support) for Azure SQL Database, SQL Managed Instance, and Data Warehouse, see [Transparent data encryption with Azure Key Vault integration](transparent-data-encryption-byok-azure-sql.md).
 
 To start using transparent data encryption with Azure Key Vault integration (Bring Your Own Key support), see the how-to guide [Turn on transparent data encryption by using your own key from Key Vault by using PowerShell](transparent-data-encryption-byok-azure-sql-configure.md).
 
