Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into freshness_c18

dagiro · dagiro · commit b393b59aeead · 2020-04-21T09:54:55.000-07:00
diff --git a/articles/active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md b/articles/active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md
@@ -14,17 +14,17 @@ ms.date: 09/24/2018
 ms.author: kkrishna
 ms.reviewer: jmprieur
 ms.custom: aaddev
-#Customer intent: As an application developer, I want to restrict an application that I have registered in Azure AD to a select set of users available in my Azure AD tenant
+#Customer intent: As a tenant administrator, I want to restrict an application that I have registered in Azure AD to a select set of users available in my Azure AD tenant
 ---
-# How to: Restrict your Azure AD app to a set of users
+# How to: Restrict your Azure AD app to a set of users in an Azure AD tenant
 
 Applications registered in an Azure Active Directory (Azure AD) tenant are, by default, available to all users of the tenant who authenticate successfully.
 
 Similarly, in case of a [multi-tenant](howto-convert-app-to-be-multi-tenant.md) app, all users in the Azure AD tenant where this app is provisioned will be able to access this application once they successfully authenticate in their respective tenant.
 
 Tenant administrators and developers often have requirements where an app must be restricted to a certain set of users. Developers can accomplish the same by using popular authorization patterns like Role Based Access Control (RBAC), but this approach requires a significant amount of work on part of the developer.
 
-Azure AD allows tenant administrators and developers to restrict an app to a specific set of users or security groups in the tenant.
+Tenant administrators and developers can restrict an app to a specific set of users or security groups in the tenant by using this built-in feature of Azure AD as well.
 
 ## Supported app configurations
 
@@ -58,7 +58,7 @@ There are two ways to create an application with enabled user assignment. One re
 
 1. Select the application you want to assign a user or security group to from the list.
 1. On the application's **Overview** page, select **Properties** from the application’s left-hand navigation menu.
-1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users must first be assigned to this application before they can access it.
+1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users in the tenant must first be assigned to this application or they won't be able to sign-in to this application.
 1. Select **Save** to save this configuration change.
 
 ### App registration
@@ -71,7 +71,7 @@ There are two ways to create an application with enabled user assignment. One re
 1. Create or select the app you want to manage. You need to be **Owner** of this app registration.
 1. On the application's **Overview** page, follow the **Managed application in local directory** link under the essentials in the top of the page. This will take you to the _managed Enterprise Application_ of your app registration.
 1. From the navigation blade on the left, select **Properties**.
-1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users must first be assigned to this application before they can access it.
+1. Locate the setting **User assignment required?** and set it to **Yes**. When this option is set to **Yes**, users in the tenant must first be assigned to this application or they won't be able to sign-in to this application.
 1. Select **Save** to save this configuration change.
 
 ## Assign users and groups to the app
@@ -85,6 +85,14 @@ Once you've configured your app to enable user assignment, you can go ahead and
      A list of users and security groups will be shown along with a textbox to search and locate a certain user or group. This screen allows you to select multiple users and groups in one go.
 
 1. Once you are done selecting the users and groups, press the **Select** button on bottom to move to the next part.
+1. (Optional) If you have defined App roles in your application, you can use the **Select role** option to assign the selected users and groups to one of the application's roles. 
 1. Press the **Assign** button on the bottom to finish the assignments of users and groups to the app. 
 1. Confirm that the users and groups you added are showing up in the updated **Users and groups** list.
 
+## More information
+
+- [How to: Add app roles in your application](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps)
+- [Add authorization using app roles & roles claims to an ASP.NET Core web app](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-1-Roles)
+- [Using Security Groups and Application Roles in your apps (Video)](https://www.youtube.com/watch?v=V8VUPixLSiM)
+- [Azure Active Directory, now with Group Claims and Application Roles](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-Active-Directory-now-with-Group-Claims-and-Application/ba-p/243862)
+- [Azure Active Directory app manifest](https://docs.microsoft.com/azure/active-directory/develop/reference-app-manifest)
diff --git a/articles/active-directory/saas-apps/dynatrace-tutorial.md b/articles/active-directory/saas-apps/dynatrace-tutorial.md
@@ -138,7 +138,7 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
 
 ## Configure Dynatrace SSO
 
-To configure single sign-on on the **Dynatrace** side, you need to send the downloaded **Federation Metadata XML** file and the appropriate copied URLs from the Azure portal to the [Dynatrace support team](https://www.dynatrace.com/services-support/). They configure this setting to have the SAML SSO connection set properly on both sides.
+To configure single sign-on on the **Dynatrace** side, you need to send the downloaded **Federation Metadata XML** file and the appropriate copied URLs from the Azure portal to [Dynatrace](https://www.dynatrace.com/support/help/shortlink/users-sso-hub). You can follow the instructions on the Dynatrace website to configure the SAML SSO connection on both sides.
 
 ### Create Dynatrace test user
 
diff --git a/articles/active-directory/users-groups-roles/roles-delegate-by-task.md b/articles/active-directory/users-groups-roles/roles-delegate-by-task.md
@@ -73,9 +73,9 @@ Configure company properties | Global Administrator |
 
 Task | Least privileged role | Additional roles
 ---- | --------------------- | ----------------
-Passthrough authentication | Global Administrator | 
-Read all configuration | Global reader | 
-Seamless single sign-on | Global Administrator | 
+Passthrough authentication | Hybrid Identity Administrator | 
+Read all configuration | Global reader | Hybrid Identity Administrator |
+Seamless single sign-on | Hybrid Identity Administrator | 
 
 ## Connect Health
 
diff --git a/articles/app-service/containers/configure-language-php.md b/articles/app-service/containers/configure-language-php.md
@@ -83,7 +83,7 @@ The default PHP image for App Service uses Apache, and it doesn't let you custom
 <IfModule mod_rewrite.c>
     RewriteEngine on
 
-    RewriteRule ^.*$ /public/$1 [NC,L,QSA]
+    RewriteRule ^(.*)$ /public/$1 [NC,L,QSA]
 </IfModule>
 ```
 
diff --git a/articles/application-gateway/application-gateway-faq.md b/articles/application-gateway/application-gateway-faq.md
@@ -67,7 +67,7 @@ For the v2 SKU, open the public IP resource and select **Configuration**. The **
 
 *Keep-Alive timeout* governs how long the Application Gateway will wait for a client to send another HTTP request on a persistent connection before reusing it or closing it. *TCP idle timeout* governs how long a TCP connection is kept open in case of no activity. 
 
-The *Keep-Alive timeout* in the Application Gateway v1 SKU is 120 seconds and in the v2 SKU it's 75 seconds. The *TCP idle timeout* is a 4-minute default on the frontend virtual IP (VIP) of both v1 and v2 SKU of Application Gateway. 
+The *Keep-Alive timeout* in the Application Gateway v1 SKU is 120 seconds and in the v2 SKU it's 75 seconds. The *TCP idle timeout* is a 4-minute default on the frontend virtual IP (VIP) of both v1 and v2 SKU of Application Gateway. You can't change these values.
 
 ### Does the IP or DNS name change over the lifetime of the application gateway?
 
diff --git a/articles/hdinsight/kafka/rest-proxy.md b/articles/hdinsight/kafka/rest-proxy.md
@@ -69,7 +69,7 @@ For REST proxy endpoint requests, client applications should get an OAuth token.
 You can use the python code below to interact with the REST proxy on your Kafka cluster. To use the code sample, follow these steps:
 
 1. Save the sample code on a machine with Python installed.
-1. Install required python dependencies by executing `pip3 install adal` and `pip install msrestazure`.
+1. Install required python dependencies by executing `pip3 install msal`.
 1. Modify the code section **Configure these properties** and update the following properties for your environment:
 
     |Property |Description |
@@ -79,7 +79,7 @@ You can use the python code below to interact with the REST proxy on your Kafka
     |Client Secret|The secret for the application that you registered in the security group.|
     |Kafkarest_endpoint|Get this value from the **Properties** tab in the cluster overview as described in the [deployment section](#create-a-kafka-cluster-with-rest-proxy-enabled). It should be in the following format – `https://<clustername>-kafkarest.azurehdinsight.net`|
 
-1. From the command line, execute the python file by executing `python <filename.py>`
+1. From the command line, execute the python file by executing `sudo python3 <filename.py>`
 
 This code does the following action:
 
@@ -90,13 +90,9 @@ For more information on getting OAuth tokens in python, see [Python Authenticati
 
 ```python
 #Required python packages
-#pip3 install adal
-#pip install msrestazure
+#pip3 install msal
 
-import adal
-from msrestazure.azure_active_directory import AdalAuthentication
-from msrestazure.azure_cloud import AZURE_PUBLIC_CLOUD
-import requests
+import msal
 
 #--------------------------Configure these properties-------------------------------#
 # Tenant ID for your Azure Subscription
@@ -109,19 +105,24 @@ client_secret = 'password'
 kafkarest_endpoint = "https://<clustername>-kafkarest.azurehdinsight.net"
 #--------------------------Configure these properties-------------------------------#
 
-#getting token
-login_endpoint = AZURE_PUBLIC_CLOUD.endpoints.active_directory
-resource = "https://hib.azurehdinsight.net"
-context = adal.AuthenticationContext(login_endpoint + '/' + tenant_id)
+# Scope
+scope = 'https://hib.azurehdinsight.net/.default'
+#Authority
+authority = 'https://login.microsoftonline.com/' + tenant_id
 
-token = context.acquire_token_with_client_credentials(
-    resource,
-    client_id,
-    client_secret)
+# Create a preferably long-lived app instance which maintains a token cache.
+app = msal.ConfidentialClientApplication(
+    client_id , client_secret, authority,
+    #cache - For details on how look at this example: https://github.com/Azure-Samples/ms-identity-python-webapp/blob/master/app.py
+    )
 
-accessToken = 'Bearer ' + token['accessToken']
+# The pattern to acquire a token looks like this.
+result = None
 
-print(accessToken)
+result = app.acquire_token_for_client(scopes=[scope])
+
+print(result)
+accessToken = result['access_token']
 
 # relative url
 getstatus = "/v1/metadata/topics"
@@ -132,10 +133,10 @@ response = requests.get(request_url, headers={'Authorization': accessToken})
 print(response.content)
 ```
 
-Find below another sample on how to get a token from Azure for REST proxy using a curl command. Notice that we need the `resource=https://hib.azurehdinsight.net` specified while getting a token.
+Find below another sample on how to get a token from Azure for REST proxy using a curl command. **Notice that we need the `scope=https://hib.azurehdinsight.net/.default` specified while getting a token.**
 
 ```cmd
-curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=<clientid>&client_secret=<clientsecret>&grant_type=client_credentials&resource=https://hib.azurehdinsight.net' 'https://login.microsoftonline.com/<tenantid>/oauth2/token'
+curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=<clientid>&client_secret=<clientsecret>&grant_type=client_credentials&scope=https://hib.azurehdinsight.net/.default' 'https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/token'
 ```
 
 ## Next steps
diff --git a/articles/iot-hub/iot-hub-portal-csharp-module-twin-getstarted.md b/articles/iot-hub/iot-hub-portal-csharp-module-twin-getstarted.md
@@ -9,13 +9,14 @@ services: iot-hub
 ms.devlang: csharp
 ms.topic: conceptual
 ms.date: 08/20/2019
+ms.custom: amqp
 ---
 # Get started with IoT Hub module identity and module twin using the portal and .NET device
 
 [!INCLUDE [iot-hub-selector-module-twin-getstarted](../../includes/iot-hub-selector-module-twin-getstarted.md)]
 
 > [!NOTE]
-> [Module identities and module twins](iot-hub-devguide-module-twins.md) are similar to Azure IoT Hub device identity and device twin, but provide finer granularity. While Azure IoT Hub device identity and device twin enable the back-end application to configure a device and provide visibility on the device’s conditions, a module identity and module twin provide these capabilities for individual components of a device. On capable devices with multiple components, such as operating system based devices or firmware devices, module identities and module twins allow for isolated configuration and conditions for each component.
+> [Module identities and module twins](iot-hub-devguide-module-twins.md) are similar to Azure IoT Hub device identity and device twin, but provide finer granularity. While Azure IoT Hub device identity and device twin enable the back-end application to configure a device and provide visibility on the device's conditions, a module identity and module twin provide these capabilities for individual components of a device. On capable devices with multiple components, such as operating system based devices or firmware devices, module identities and module twins allow for isolated configuration and conditions for each component.
 >
 
 In this tutorial, you will learn:
diff --git a/articles/iot-hub/iot-hub-protocol-gateway.md b/articles/iot-hub/iot-hub-protocol-gateway.md
@@ -8,6 +8,7 @@ ms.service: iot-hub
 services: iot-hub
 ms.topic: conceptual
 ms.date: 07/11/2017
+ms.custom: [amqp, mqtt]
 ---
 
 # Support additional protocols for IoT Hub
diff --git a/articles/iot-hub/iot-hub-python-python-c2d.md b/articles/iot-hub/iot-hub-python-python-c2d.md
@@ -8,6 +8,7 @@ ms.devlang: python
 ms.topic: conceptual
 ms.date: 04/09/2020
 ms.author: robinsh
+ms.custom: mqtt
 ---
 
 # Send cloud-to-device messages with IoT Hub (Python)
diff --git a/articles/iot-hub/iot-hub-python-python-device-management-get-started.md b/articles/iot-hub/iot-hub-python-python-device-management-get-started.md
@@ -8,6 +8,7 @@ ms.devlang: python
 ms.topic: conceptual
 ms.date: 01/17/2020
 ms.author: robinsh
+ms.custom: mqtt
 ---
 
 # Get started with device management (Python)
diff --git a/articles/iot-hub/iot-hub-python-python-file-upload.md b/articles/iot-hub/iot-hub-python-python-file-upload.md
@@ -8,6 +8,7 @@ ms.devlang: python
 ms.topic: conceptual
 ms.date: 03/31/2020
 ms.author: robinsh
+ms.custom: mqtt
 ---
 
 # Upload files from your device to the cloud with IoT Hub (Python)
diff --git a/articles/iot-hub/iot-hub-python-twin-getstarted.md b/articles/iot-hub/iot-hub-python-twin-getstarted.md
@@ -8,6 +8,7 @@ ms.devlang: python
 ms.topic: conceptual
 ms.date: 03/11/2020
 ms.author: robinsh
+ms.custom: mqtt
 ---
 # Get started with device twins (Python)
 
diff --git a/articles/iot-hub/iot-hub-reliability-features-in-sdks.md b/articles/iot-hub/iot-hub-reliability-features-in-sdks.md
@@ -7,6 +7,7 @@ ms.author: robinsh
 ms.date: 07/07/2018
 ms.topic: article
 ms.service: iot-hub
+ms.custom: [amqp, mqtt]
 ---
 
 # Manage connectivity and reliable messaging by using Azure IoT Hub device SDKs
diff --git a/articles/iot-hub/iot-hub-scaling.md b/articles/iot-hub/iot-hub-scaling.md
@@ -8,6 +8,7 @@ services: iot-hub
 ms.topic: conceptual
 ms.date: 06/28/2019
 ms.author: wesmc
+ms.custom: [amqp, mqtt]
 ---
 # Choose the right IoT Hub tier for your solution
 
diff --git a/articles/iot-hub/iot-hub-security-x509-get-started.md b/articles/iot-hub/iot-hub-security-x509-get-started.md
@@ -8,6 +8,7 @@ ms.service: iot-hub
 services: iot-hub
 ms.topic: conceptual
 ms.date: 08/20/2019
+ms.custom: amqp
 ---
 
 # Set up X.509 security in your Azure IoT hub
@@ -77,7 +78,7 @@ These steps show you how to add a new Certificate Authority to your IoT hub thro
 
 ## Authenticate your X.509 device with the X.509 certificates
 
-To authenticate your X.509 device, you need to first sign the device with the CA certificate. Signing of leaf devices is normally done at the manufacturing plant, where manufacturing tools have been enabled accordingly. As the device goes from one manufacturer to another, each manufacturer’s signing action is captured as an intermediate certificate within the chain. The result is a certificate chain from the CA certificate to the device’s leaf certificate. Step 4 in [Managing test CA certificates for samples and tutorials](https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md) generates a device certificate.
+To authenticate your X.509 device, you need to first sign the device with the CA certificate. Signing of leaf devices is normally done at the manufacturing plant, where manufacturing tools have been enabled accordingly. As the device goes from one manufacturer to another, each manufacturer's signing action is captured as an intermediate certificate within the chain. The result is a certificate chain from the CA certificate to the device's leaf certificate. Step 4 in [Managing test CA certificates for samples and tutorials](https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md) generates a device certificate.
 
 Next, we will show you how to create a C# application to simulate the X.509 device registered for your IoT hub. We will send temperature and humidity values from the simulated device to your hub. In this tutorial, we will create only the device application. It is left as an exercise to the readers to create the IoT Hub service application that will send response to the events sent by this simulated device. The C# application assumes that you have followed the steps in [Managing test CA certificates for samples and tutorials](https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md).
 
diff --git a/articles/iot-hub/iot-hub-troubleshoot-connectivity.md b/articles/iot-hub/iot-hub-troubleshoot-connectivity.md
@@ -8,6 +8,8 @@ services: iot-hub
 ms.topic: conceptual
 ms.date: 01/30/2020
 ms.author: jlian
+ms.custom: mqtt
+
 # As an operator for Azure IoT Hub, I need to know how to find out when devices are disconnecting unexpectedly and troubleshoot resolve those issues right away
 ---
 # Monitor, diagnose, and troubleshoot disconnects with Azure IoT Hub
diff --git a/articles/search/index-add-suggesters.md b/articles/search/index-add-suggesters.md
diff --git a/articles/search/search-autocomplete-tutorial.md b/articles/search/search-autocomplete-tutorial.md
diff --git a/articles/service-fabric/service-fabric-tutorial-dotnet-app-enable-https-endpoint.md b/articles/service-fabric/service-fabric-tutorial-dotnet-app-enable-https-endpoint.md
diff --git a/articles/virtual-machines/custom-data.md b/articles/virtual-machines/custom-data.md
diff --git a/articles/virtual-machines/linux/redhat-create-upload-vhd.md b/articles/virtual-machines/linux/redhat-create-upload-vhd.md
