Merge https://github.com/cynthn/azure-docs-pr into 49694

Author: Cynthia Nottingham

.openpublishing.redirection.json

@@ -6706,6 +6706,10 @@
       "redirect_url": "/azure/logic-apps/logic-apps-using-sap-connector",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/scheduler/get-started-portal.md",
+      "redirect_url": "/azure/scheduler/migrate-from-scheduler-to-logic-apps",
+    },
     {
       "source_path": "articles/connectors/connectors-create-api-googledrive.md",
       "redirect_url": "https://docs.microsoft.com/connectors/googledrive/",

articles/app-service/app-service-web-tutorial-dotnetcore-sqldb.md

@@ -36,7 +36,7 @@ What you learn how to:
 To complete this tutorial:
 
 * [Install Git](https://git-scm.com/)
-* [Install .NET Core](https://www.microsoft.com/net/core/)
+* [Install .NET Core SDK](https://dotnet.microsoft.com/download)
 
 ## Create local .NET Core app
 

articles/azure-resource-manager/templates/deploy-to-management-group.md

@@ -2,18 +2,24 @@
 title: Deploy resources to management group
 description: Describes how to deploy resources at the management group scope in an Azure Resource Manager template.
 ms.topic: conceptual
-ms.date: 03/02/2020
+ms.date: 03/06/2020
 ---
 
 # Create resources at the management group level
 
-Typically, you deploy Azure resources to a resource group in your Azure subscription. However, you can also create resources at the management group level. You use management group level deployments to take actions that make sense at that level, such as assigning [role-based access control](../../role-based-access-control/overview.md) or applying [policies](../../governance/policy/overview.md).
+Typically, you deploy Azure resources to a resource group in your Azure subscription. However, you can also create resources at the:
+
+* [subscription level](deploy-to-subscription.md)
+* management group level (covered in this article)
+* [tenant level](deploy-to-tenant.md)
+
+You use management group level deployments to take actions that make sense at that level, such as assigning [role-based access control](../../role-based-access-control/overview.md) or applying [policies](../../governance/policy/overview.md).
 
 ## Supported resources
 
 You can deploy the following resource types at the management group level:
 
-* [deployments](/azure/templates/microsoft.resources/deployments)
+* [deployments](/azure/templates/microsoft.resources/deployments) - for nested templates that deploy to subscriptions or resource groups.
 * [policyAssignments](/azure/templates/microsoft.authorization/policyassignments)
 * [policyDefinitions](/azure/templates/microsoft.authorization/policydefinitions)
 * [policySetDefinitions](/azure/templates/microsoft.authorization/policysetdefinitions)

articles/azure-resource-manager/templates/deploy-to-subscription.md

@@ -2,12 +2,18 @@
 title: Deploy resources to subscription
 description: Describes how to create a resource group in an Azure Resource Manager template. It also shows how to deploy resources at the Azure subscription scope.
 ms.topic: conceptual
-ms.date: 03/02/2020
+ms.date: 03/06/2020
 ---
 
 # Create resource groups and resources at the subscription level
 
-Typically, you deploy Azure resources to a resource group in your Azure subscription. However, you can also create resources at the subscription level. You use subscription level deployments to take actions that make sense at that level, such as creating resource groups, or assigning [role-based access control](../../role-based-access-control/overview.md).
+Typically, you deploy Azure resources to a resource group in your Azure subscription. However, you can also create resources at the:
+
+* subscription level (covered in this article)
+* [management group level](deploy-to-management-group.md)
+* [tenant level](deploy-to-tenant.md)
+
+You use subscription level deployments to take actions that make sense at that level, such as creating resource groups, or assigning [role-based access control](../../role-based-access-control/overview.md).
 
 To deploy templates at the subscription level, use Azure CLI, PowerShell, or REST API. The Azure portal doesn't support deployment in the subscription level.
 
@@ -16,7 +22,7 @@ To deploy templates at the subscription level, use Azure CLI, PowerShell, or RES
 You can deploy the following resource types at the subscription level:
 
 * [budgets](/azure/templates/microsoft.consumption/budgets)
-* [deployments](/azure/templates/microsoft.resources/deployments)
+* [deployments](/azure/templates/microsoft.resources/deployments) - for nested templates that deploy to resource groups.
 * [peerAsns](/azure/templates/microsoft.peering/peerasns)
 * [policyAssignments](/azure/templates/microsoft.authorization/policyassignments)
 * [policyDefinitions](/azure/templates/microsoft.authorization/policydefinitions)
@@ -83,12 +89,12 @@ For subscription-level deployments, there are some important considerations when
 
 * The [resourceGroup()](template-functions-resource.md#resourcegroup) function is **not** supported.
 * The [reference()](template-functions-resource.md#reference) and [list()](template-functions-resource.md#list) functions are supported.
-* The [resourceId()](template-functions-resource.md#resourceid) function is supported. Use it to get the resource ID for resources that are used at subscription level deployments. Don't provide a value for the resource group parameter.
+* Use the [subscriptionResourceId()](template-functions-resource.md#subscriptionresourceid) function to get the resource ID for resources that are deployed at subscription level.
 
   For example, to get the resource ID for a policy definition, use:
 
   ```json
-  resourceId('Microsoft.Authorization/roleDefinitions/', parameters('roleDefinition'))
+  subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', parameters('roleDefinition'))
   ```
 
   The returned resource ID has the following format:
@@ -97,8 +103,6 @@ For subscription-level deployments, there are some important considerations when
   /subscriptions/{subscriptionId}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}
   ```
 
-  Or, use the [subscriptionResourceId()](template-functions-resource.md#subscriptionresourceid) function to get the resource ID for a subscription level resource.
-
 ## Create resource groups
 
 To create a resource group in an Azure Resource Manager template, define a [Microsoft.Resources/resourceGroups](/azure/templates/microsoft.resources/allversions) resource with a name and location for the resource group. You can create a resource group and deploy resources to that resource group in the same template.

articles/azure-resource-manager/templates/deploy-to-tenant.md

@@ -0,0 +1,180 @@
+---
+title: Deploy resources to tenant
+description: Describes how to deploy resources at the tenant scope in an Azure Resource Manager template.
+ms.topic: conceptual
+ms.date: 03/06/2020
+---
+
+# Create resources at the tenant level
+
+Typically, you deploy Azure resources to a resource group in your Azure subscription. However, you can also create resources at the:
+
+* [subscription level](deploy-to-subscription.md)
+* [management group level](deploy-to-management-group.md)
+* tenant level (covered in this article)
+
+You use tenant level deployments to take actions that make sense at that level, such as assigning [role-based access control](../../role-based-access-control/overview.md) or applying [policies](../../governance/policy/overview.md).
+
+## Supported resources
+
+You can deploy the following resource types at the tenant level:
+
+* [deployments](/azure/templates/microsoft.resources/deployments) - for nested templates that deploy to management groups or subscriptions.
+* [policyAssignments](/azure/templates/microsoft.authorization/policyassignments)
+* [policyDefinitions](/azure/templates/microsoft.authorization/policydefinitions)
+* [policySetDefinitions](/azure/templates/microsoft.authorization/policysetdefinitions)
+* [roleAssignments](/azure/templates/microsoft.authorization/roleassignments)
+* [roleDefinitions](/azure/templates/microsoft.authorization/roledefinitions)
+
+### Schema
+
+The schema you use for tenant deployments is different than the schema for resource group deployments.
+
+For templates, use:
+
+```json
+https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#
+```
+
+For parameter files, use:
+
+```json
+https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentParameters.json#
+```
+
+## Required access
+
+The principal deploying the template must have permissions to create resources at the tenant scope. The principal must have permission to execute the deployment actions (`Microsoft.Resources/deployments/*`) and to create the resources defined in the template. For example, to create a management group, the principal must have Contributor permission at the tenant scope. To create role assignments, the principal must have Owner permission.
+
+The Global Administrator for the Azure Active Directory doesn't automatically have permission to assign roles. To enable template deployments at the tenant scope, the Global Administrator must do the following steps:
+
+1. Elevate account access so the Global Administrator can assign roles. For more information, see [Elevate access to manage all Azure subscriptions and management Groups](../../role-based-access-control/elevate-access-global-admin.md).
+
+1. Assign Owner or Contributor to the principal that needs to deploy the templates.
+
+   ```azurepowershell-interactive
+   New-AzRoleAssignment -SignInName "[userId]" -Scope "/" -RoleDefinitionName "Owner"
+   ```
+
+   ```azurecli-interactive
+   az role assignment create --assignee "[userId]" --scope "/" --role "Owner"
+   ```
+
+The principal now has the required permissions to deploy the template.
+
+## Deployment commands
+
+The commands for tenant deployments are different than the commands for resource group deployments.
+
+For Azure PowerShell, use [New-AzTenantDeployment](/powershell/module/az.resources/new-aztenantdeployment).
+
+```azurepowershell-interactive
+New-AzTenantDeployment `
+  -Location "West US" `
+  -TemplateUri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/tenant-level-deployments/new-mg/azuredeploy.json
+```
+
+For REST API, use [Deployments - Create Or Update At Tenant Scope](/rest/api/resources/deployments/createorupdateattenantscope).
+
+## Deployment location and name
+
+For tenant level deployments, you must provide a location for the deployment. The location of the deployment is separate from the location of the resources you deploy. The deployment location specifies where to store deployment data.
+
+You can provide a name for the deployment, or use the default deployment name. The default name is the name of the template file. For example, deploying a template named **azuredeploy.json** creates a default deployment name of **azuredeploy**.
+
+For each deployment name, the location is immutable. You can't create a deployment in one location when there's an existing deployment with the same name in a different location. If you get the error code `InvalidDeploymentLocation`, either use a different name or the same location as the previous deployment for that name.
+
+## Use template functions
+
+For tenant deployments, there are some important considerations when using template functions:
+
+* The [resourceGroup()](template-functions-resource.md#resourcegroup) function is **not** supported.
+* The [subscription()](template-functions-resource.md#subscription) function is **not** supported.
+* The [reference()](template-functions-resource.md#reference) and [list()](template-functions-resource.md#list) functions are supported.
+* Use the [tenantResourceId()](template-functions-resource.md#tenantresourceid) function to get the resource ID for resources that are deployed at tenant level.
+
+  For example, to get the resource ID for a policy definition, use:
+  
+  ```json
+  tenantResourceId('Microsoft.Authorization/policyDefinitions/', parameters('policyDefinition'))
+  ```
+  
+  The returned resource ID has the following format:
+  
+  ```json
+  /providers/{resourceProviderNamespace}/{resourceType}/{resourceName}
+  ```
+
+## Create management group
+
+The [following template](https://github.com/Azure/azure-quickstart-templates/tree/master/tenant-level-deployments/new-mg) creates a management group.
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "mgName": {
+      "type": "string",
+      "defaultValue": "[concat('mg-', uniqueString(newGuid()))]"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.Management/managementGroups",
+      "apiVersion": "2019-11-01",
+      "name": "[parameters('mgName')]",
+      "properties": {
+      }
+    }
+  ]
+}
+```
+
+## Assign role
+
+The [following template](https://github.com/Azure/azure-quickstart-templates/tree/master/tenant-level-deployments/tenant-role-assignment) assigns a role at the tenant scope.
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "principalId": {
+      "type": "string",
+      "metadata": {
+        "description": "principalId if the user that will be given contributor access to the resourceGroup"
+      }
+    },
+    "roleDefinitionId": {
+      "type": "string",
+      "defaultValue": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
+      "metadata": {
+        "description": "roleDefinition for the assignment - default is owner"
+      }
+    }
+  },
+  "variables": {
+    // This creates an idempotent guid for the role assignment
+    "roleAssignmentName": "[guid('/', parameters('principalId'), parameters('roleDefinitionId'))]"
+  },
+  "resources": [
+    {
+      "name": "[variables('roleAssignmentName')]",
+      "type": "Microsoft.Authorization/roleAssignments",
+      "apiVersion": "2019-04-01-preview",
+      "properties": {
+        "roleDefinitionId": "[tenantResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
+        "principalId": "[parameters('principalId')]",
+        "scope": "/"
+      }
+    }
+  ]
+}
+```
+
+## Next steps
+
+* To learn about assigning roles, see [Manage access to Azure resources using RBAC and Azure Resource Manager templates](../../role-based-access-control/role-assignments-template.md).
+* To learn about creating Azure Resource Manager templates, see [Authoring templates](template-syntax.md).
+* For a list of the available functions in a template, see [Template functions](template-functions.md).

articles/azure-resource-manager/templates/toc.yml

@@ -145,10 +145,6 @@
       - name: Outputs
         displayName: iteration,copy
         href: copy-outputs.md
-    - name: Subscription level resources
-      href: deploy-to-subscription.md
-    - name: Management group level resources
-      href: deploy-to-management-group.md
   - name: Use authoring tools
     items:
     - name: VS Code
@@ -182,7 +178,15 @@
       href: rollback-on-error.md
     - name: Secure template with SAS token
       href: secure-template-with-sas-token.md
-    - name: Deploy to multiple resource groups or subscriptions
+  - name: Scoped deployments
+    items:
+    - name: Subscription
+      href: deploy-to-subscription.md
+    - name: Management group
+      href: deploy-to-management-group.md
+    - name: Tenant
+      href: deploy-to-tenant.md
+    - name: Multiple resource groups or subscriptions
       href: cross-resource-group-deployment.md
   - name: Provide parameters
     items:

articles/cognitive-services/Bing-Web-Search/includes/quickstarts/web-search-client-library-csharp.md

@@ -23,7 +23,7 @@ Here are a few things that you'll need before running this quickstart:
   * [NuGet Package Manager](https://github.com/jmrog/vscode-nuget-package-manager)
 * [.NET Core SDK](https://www.microsoft.com/net/download)
 
-[!INCLUDE [bing-web-search-quickstart-signup](../../../../../includes/bing-web-search-quickstart-signup.md)]
+[!INCLUDE [bing-web-search-quickstart-signup](~/includes/bing-web-search-quickstart-signup.md)]
 
 ## Create a project and install dependencies
 

articles/cognitive-services/Bing-Web-Search/includes/quickstarts/web-search-client-library-java.md

@@ -22,7 +22,7 @@ Here are a few things that you'll need before running this quickstart:
 * [Apache Maven](https://maven.apache.org/download.cgi) or your favorite build automation tool
 * A subscription key
 
-[!INCLUDE [bing-web-search-quickstart-signup](../../../../../includes/bing-web-search-quickstart-signup.md)]
+[!INCLUDE [bing-web-search-quickstart-signup](~/includes/bing-web-search-quickstart-signup.md)]
 
 ## Create a project and set up your POM file
 

articles/cognitive-services/Bing-Web-Search/includes/quickstarts/web-search-client-library-javascript.md

@@ -20,7 +20,7 @@ Here are a few things that you'll need before running this quickstart:
 * [Node.js 6](https://nodejs.org/en/download/) or later
 * A subscription key  
 
-[!INCLUDE [bing-web-search-quickstart-signup](../../../../../includes/bing-web-search-quickstart-signup.md)]
+[!INCLUDE [bing-web-search-quickstart-signup](~/includes/bing-web-search-quickstart-signup.md)]
 
 
 ## Set up your development environment

articles/cognitive-services/Bing-Web-Search/includes/quickstarts/web-search-client-library-python.md

@@ -22,7 +22,7 @@ The Bing Web Search SDK is compatible with Python 2.7, 3.3, 3.4, 3.5, and 3.6. W
 * [virtualenv](https://docs.python.org/3/tutorial/venv.html) for Python 2.7
 * [venv](https://pypi.python.org/pypi/virtualenv) for Python 3.x
 
-[!INCLUDE [bing-web-search-quickstart-signup](../../../../../includes/bing-web-search-quickstart-signup.md)]
+[!INCLUDE [bing-web-search-quickstart-signup](~/includes/bing-web-search-quickstart-signup.md)]
 
 ## Create and configure your virtual environment