Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into rolyon-rbac-elevate-access-fixes

Author: rolyon

articles/active-directory/app-provisioning/customize-application-attributes.md

@@ -139,7 +139,10 @@ The SCIM RFC defines a core user and group schema, while also allowing for exten
    4. Select **Edit attribute list for AppName**.
    5. At the bottom of the attribute list, enter information about the custom attribute in the fields provided. Then select **Add Attribute**.
 
-For SCIM applications, the attribute name must follow the pattern shown in the example below. The "CustomExtensionName" and "CustomAttribute" can be customized per your application's requirements, for example:  urn:ietf:params:scim:schemas:extension:2.0:CustomExtensionName:CustomAttribute  or  urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User.CustomAttributeName:value
+For SCIM applications, the attribute name must follow the pattern shown in the example below. The "CustomExtensionName" and "CustomAttribute" can be customized per your application's requirements, for example:  
+ * urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User:CustomAttribute 
+ * urn:ietf:params:scim:schemas:extension:2.0:CustomExtensionName:CustomAttribute  
+ * urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User.CustomAttributeName:value
 
 These instructions are only applicable to SCIM-enabled applications. Applications such as ServiceNow and Salesforce are not integrated with Azure AD using SCIM, and therefore they don't require this specific namespace when adding a custom attribute.
 

articles/cognitive-services/Custom-Vision-Service/toc.yml

@@ -9,41 +9,33 @@
     href: whats-new.md
 - name: Quickstarts
   items:
-  - name: Using the web portal
+  - name: Build a classifier
     items:
-    - name: Build a classifier
+    - name: Using the web portal
       href: getting-started-build-a-classifier.md
-    - name: Build an object detector
-      href: get-started-build-detector.md
-  - name: Using the .NET SDK
-    items:
-    - name: Image classification
+    - name: Using the .NET SDK
       href: csharp-tutorial.md
-    - name: Object detection
-      href: csharp-tutorial-od.md
-  - name: Using the Python SDK
-    items:
-    - name: Image classification
+    - name: Using the Python SDK
       href: python-tutorial.md
-    - name: Object detection
-      href: python-tutorial-od.md
-  - name: Using the Java SDK
-    items:
-    - name: Image classification
+    - name: Using the Java SDK
       href: java-tutorial.md
-    - name: Object detection
-      href: java-tutorial-od.md
-  - name: Using the Node.js SDK
-    items:
-    - name: Image classification
+    - name: Using the Node.js SDK
       href: node-tutorial.md
-    - name: Object detection
-      href: node-tutorial-object-detection.md
-  - name: Using the Go SDK
-    items:
-    - name: Image classification
+    - name: Using the Go SDK
       href: go-tutorial.md
-    - name: Object detection
+  - name: Build an object detector
+    items:
+    - name: Using the web portal
+      href: get-started-build-detector.md
+    - name: Using the .NET SDK
+      href: csharp-tutorial-od.md
+    - name: Using the Python SDK
+      href: python-tutorial-od.md
+    - name: Using the Java SDK
+      href: java-tutorial-od.md
+    - name: Using the Node.js SDK
+      href: node-tutorial-object-detection.md
+    - name: Using the Go SDK
       href: go-tutorial-object-detection.md
 - name: Tutorials
   items:

articles/cosmos-db/managed-identity-based-authentication.md

@@ -1,6 +1,6 @@
 ---
 title: How to use a system-assigned managed identity to access Azure Cosmos DB data
-description: Learn how to configure an Azure AD system-assigned managed identity to access keys from Azure Cosmos DB. msi, managed service identity, aad, azure active directory, identity
+description: Learn how to configure an Azure Active Directory (Azure AD) system-assigned managed identity (managed service identity) to access keys from Azure Cosmos DB. 
 author: j-patrick
 ms.service: cosmos-db
 ms.topic: conceptual
@@ -10,71 +10,71 @@ ms.reviewer: sngun
 
 ---
 
-# How to use a system-assigned managed identity to access Azure Cosmos DB data
+# Use system-assigned managed identities to access Azure Cosmos DB data
 
-In this article you will set up a **robust, key rotation agnostic,** solution to access Azure Cosmos DB keys by leveraging [managed identities](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md). The example in this article uses an Azure Function. However, you can achieve this solution by using any service that supports managed identities. 
+In this article, you'll set up a *robust, key rotation agnostic* solution to access Azure Cosmos DB keys by using [managed identities](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md). The example in this article uses Azure Functions, but you can use any service that supports managed identities. 
 
-You'll learn how to create an Azure Function that can access Azure Cosmos DB without needing to copy any Azure Cosmos DB keys. The function will wake up every minute and record the current temperature of an aquarium fish tank. To learn how to set up a timer triggered Azure Function see the [Create a function in Azure that is triggered by a timer](../azure-functions/functions-create-scheduled-function.md) article.
+You'll learn how to create a function app that can access Azure Cosmos DB data without needing to copy any Azure Cosmos DB keys. The function app will wake up every minute and record the current temperature of an aquarium fish tank. To learn how to set up a timer-triggered function app, see the [Create a function in Azure that is triggered by a timer](../azure-functions/functions-create-scheduled-function.md) article.
 
-To simplify the scenario, cleanup of older temperature documents is handled by an already configured [Time To Live](./time-to-live.md) setting. 
+To simplify the scenario, a [Time To Live](./time-to-live.md) setting is already configured to clean up older temperature documents. 
 
-## Assign a system-assigned managed identity to an Azure Function
+## Assign a system-assigned managed identity to a function app
 
-In this step, you'll assign a system-assigned managed identity to your Azure Function.
+In this step, you'll assign a system-assigned managed identity to your function app.
 
-1. In the [Azure portal](https://portal.azure.com/), open the **Azure Function** pane and navigate to your function app. 
+1. In the [Azure portal](https://portal.azure.com/), open the **Azure Function** pane and go to your function app. 
 
 1. Open the **Platform features** > **Identity** tab: 
 
-   ![Identity Tab](./media/managed-identity-based-authentication/identity-tab-selection.png)
+   ![Screenshot showing Platform features and Identity options for the function app.](./media/managed-identity-based-authentication/identity-tab-selection.png)
 
-1. On the **Identity** tab, turn **On** the **System Identity** status. Be sure to select **Save**, and confirm that you want to turn on the system identity. At the end the **System Identity** pane should look as follows:  
+1. On the **Identity** tab, turn **On** the system identity **Status** and select **Save**. The **Identity** pane should look as follows:  
 
-   ![System Identity turned on](./media/managed-identity-based-authentication/identity-tab-system-managed-on.png)
+   ![Screenshot showing system identity Status set to On.](./media/managed-identity-based-authentication/identity-tab-system-managed-on.png)
 
-## Grant the managed identity access to your Azure Cosmos account
+## Grant access to your Azure Cosmos account
 
-In this step, you'll assign a role to the Azure Function's system-assigned managed identity. Azure Cosmos DB has multiple built-in roles that you can assign to the managed identity. For this solution, you will use the following two roles:
+In this step, you'll assign a role to the function app's system-assigned managed identity. Azure Cosmos DB has multiple built-in roles that you can assign to the managed identity. For this solution, you'll use the following two roles:
 
 |Built-in role  |Description  |
 |---------|---------|
 |[DocumentDB Account Contributor](../role-based-access-control/built-in-roles.md#documentdb-account-contributor)|Can manage Azure Cosmos DB accounts. Allows retrieval of read/write keys. |
 |[Cosmos DB Account Reader](../role-based-access-control/built-in-roles.md#cosmos-db-account-reader-role)|Can read Azure Cosmos DB account data. Allows retrieval of read keys. |
 
 > [!IMPORTANT]
-> RBAC support in Azure Cosmos DB is applicable to control plane operations only. Data plane operations are secured using master keys or resource tokens. To learn more, see the [Secure access to data](secure-access-to-data.md) article.
+> Support for role-based access control in Azure Cosmos DB applies to control plane operations only. Data plane operations are secured through master keys or resource tokens. To learn more, see the [Secure access to data](secure-access-to-data.md) article.
 
 > [!TIP] 
-> When assigning roles, only assign the needed access. If your service only requires reading data, then assign the managed identity to **Cosmos DB Account Reader** role. For more information about the importance of least privilege access, see the [lower exposure of privileged accounts](../security/fundamentals/identity-management-best-practices.md#lower-exposure-of-privileged-accounts) article.
+> When you assign roles, assign only the needed access. If your service requires only reading data, then assign the **Cosmos DB Account Reader** role to the managed identity. For more information about the importance of least privilege access, see the [Lower exposure of privileged accounts](../security/fundamentals/identity-management-best-practices.md#lower-exposure-of-privileged-accounts) article.
 
-For your scenario, you will read the temperature, then write back that data to a container in Azure Cosmos DB. Because you have to write the data, you will use the **DocumentDB Account Contributor** role. 
+In this scenario, the function app will read the temperature of the aquarium, then write back that data to a container in Azure Cosmos DB. Because the function app must write the data, you'll need to assign the **DocumentDB Account Contributor** role. 
 
-1. Sign in to the Azure portal and navigate to your Azure Cosmos DB account. Open the **Access Management (IAM) Pane**, and then the **Role Assignments** tab:
+1. Sign in to the Azure portal and go to your Azure Cosmos DB account. Open the **Access control (IAM)** pane and then the **Role assignments** tab:
 
-   ![IAM Pane](./media/managed-identity-based-authentication/cosmos-db-iam-tab.png)
+   ![Screenshot showing the Access control pane and the Role assignments tab.](./media/managed-identity-based-authentication/cosmos-db-iam-tab.png)
 
-1. Select the **+ Add** button, then **add role assignment**.
+1. Select **+ Add** > **Add role assignment**.
 
-1. The **Add Role Assignment** panel opens to the right:
+1. The **Add role assignment** panel opens to the right:
 
-   ![Add Role](./media/managed-identity-based-authentication/cosmos-db-iam-tab-add-role-pane.png)
+   ![Screenshot showing the Add role assignment pane.](./media/managed-identity-based-authentication/cosmos-db-iam-tab-add-role-pane.png)
 
-   * **Role** - Select **DocumentDB Account Contributor**
-   * **Assign access to** - Under the Select **System-assigned managed identity** subsection, select  **Function App**.
-   * **Select** - The pane will be populated with all the function apps, in your subscription, that have a **Managed System Identity**. In our case I select the **SummaryService** function app: 
+   * **Role**: Select **DocumentDB Account Contributor**
+   * **Assign access to**: Under the **Select system-assigned managed identity** subsection, select **Function App**.
+   * **Select**: The pane will be populated with all the function apps in your subscription that have a **Managed System Identity**. In this case, select the **SummaryService** function app: 
 
-      ![Select Assignment](./media/managed-identity-based-authentication/cosmos-db-iam-tab-add-role-pane-filled.png)
+      ![Screenshot showing the Add role assignment pane populated with examples.](./media/managed-identity-based-authentication/cosmos-db-iam-tab-add-role-pane-filled.png)
 
-1. After the function app's identity is selected click **Save**.
+1. After you have selected your function app, select **Save**.
 
-## Programmatically access the Azure Cosmos DB keys from the Azure Function
+## Programmatically access the Azure Cosmos DB keys
 
-Now we have a function app that has a system-assigned managed identity. That identity is given the **DocumentDB Account Contributor** role in the Azure Cosmos DB permissions. The following function app code will get the Azure Cosmos DB keys, create a CosmosClient object, get the temperature, then save this to Cosmos DB.
+Now we have a function app that has a system-assigned managed identity with the **DocumentDB Account Contributor** role in the Azure Cosmos DB permissions. The following function app code will get the Azure Cosmos DB keys, create a CosmosClient object, get the temperature of the aquarium, and then save this to Azure Cosmos DB.
 
 This sample uses the [List Keys API](https://docs.microsoft.com/rest/api/cosmos-db-resource-provider/DatabaseAccounts/ListKeys) to access your Azure Cosmos DB account keys.
 
 > [!IMPORTANT] 
-> If you want to [assign the **Cosmos DB Account Reader**](#grant-the-managed-identity-access-to-your-azure-cosmos-account) role, you will need to use the read only [List Keys api](https://docs.microsoft.com/rest/api/cosmos-db-resource-provider/DatabaseAccounts/ListReadOnlyKeys). This will only populate the read only keys.
+> If you want to [assign the Cosmos DB Account Reader](#grant-access-to-your-azure-cosmos-account) role, you'll need to use the [List Read Only Keys API](https://docs.microsoft.com/rest/api/cosmos-db-resource-provider/DatabaseAccounts/ListReadOnlyKeys). This will populate just the read-only keys.
 
 The List Keys API returns the `DatabaseAccountListKeysResult` object. This type isn't defined in the C# libraries. The following code shows the implementation of this class:  
 
@@ -91,7 +91,7 @@ namespace SummarizationService
 }
 ```
 
-The example also uses a simple document called "TemperatureRecord", which is defined as follows:
+The example also uses a simple document called "TemperatureRecord," which is defined as follows:
 
 ```csharp
 using System;
@@ -108,7 +108,8 @@ namespace Monitor
 }
 ```
 
-You will use the [Microsoft.Azure.Services.AppAuthentication](https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication) library to get the system-assigned managed identity token. To learn other ways to get the token and more information about the `Microsoft.Azure.Service.AppAuthentication` library, see the [Service To Service Authentication](../key-vault/general/service-to-service-authentication.md) article.
+You'll use the [Microsoft.Azure.Services.AppAuthentication](https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication) library to get the system-assigned managed identity token. To learn other ways to get the token and find out more information about the `Microsoft.Azure.Service.AppAuthentication` library, see the [Service-to-service authentication](../key-vault/general/service-to-service-authentication.md) article.
+
 
 ```csharp
 using System;
@@ -145,20 +146,20 @@ namespace Monitor
             // AzureServiceTokenProvider will help us to get the Service Managed token.
             var azureServiceTokenProvider = new AzureServiceTokenProvider();
 
-            // In order to get the Service Managed token we need to authenticate to the Azure Resource Manager.
+            // Authenticate to the Azure Resource Manager to get the Service Managed token.
             string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/");
 
-            // To get the Azure Cosmos DB keys setup the List Keys API:
+            // Setup the List Keys API to get the Azure Cosmos DB keys.
             string endpoint = $"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DocumentDB/databaseAccounts/{accountName}/listKeys?api-version=2019-12-12";
 
-            // setup an HTTP Client and add the access token.
+            // Setup an HTTP Client and add the access token.
             HttpClient httpClient = new HttpClient();
             httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
 
             // Post to the endpoint to get the keys result.
             var result = await httpClient.PostAsync(endpoint, new StringContent(""));
 
-            // Get the Result back as a DatabaseAccountListKeysResult.
+            // Get the result back as a DatabaseAccountListKeysResult.
             DatabaseAccountListKeysResult keys = await result.Content.ReadAsAsync<DatabaseAccountListKeysResult>();
 
             log.LogInformation("Starting to create the client");
@@ -183,18 +184,18 @@ namespace Monitor
 
         private static int GetTemperature()
         {
-            // fake the temperature sensor for this demo
+            // Fake the temperature sensor for this demo.
             Random r = new Random(DateTime.UtcNow.Second);
             return r.Next(0, 120);
         }
     }
 }
 ```
 
-You are now ready to [deploy your Azure Function](../azure-functions/functions-create-first-function-vs-code.md).
+You are now ready to [deploy your function app](../azure-functions/functions-create-first-function-vs-code.md).
 
 ## Next steps
 
-* [Certificate-based authentication with Azure Cosmos DB and Active Directory](certificate-based-authentication.md)
-* [Secure Azure Cosmos keys using Azure Key Vault](access-secrets-from-keyvault.md)
+* [Certificate-based authentication with Azure Cosmos DB and Azure Active Directory](certificate-based-authentication.md)
+* [Secure Azure Cosmos DB keys using Azure Key Vault](access-secrets-from-keyvault.md)
 * [Security baseline for Azure Cosmos DB](security-baseline.md)