Merge branch 'master' of github.com:MicrosoftDocs/azure-docs-pr

Author: arramac

.openpublishing.redirection.json

@@ -39132,7 +39132,11 @@
       "source_path": "articles/media-services/video-indexer/video-indexer-create-new.md",
       "redirect_url": "/azure/media-services/video-indexer/use-editor-create-project",
       "redirect_document_id": false
+    },
+	   {
+      "source_path": "articles/azure-monitor/app/asp-net-core-no-visualstudio.md",
+      "redirect_url": "/azure/azure-monitor/app/asp-net-core",
+      "redirect_document_id": false
     }
-
   ]
 }

articles/active-directory/conditional-access/howto-conditional-access-session-lifetime.md

@@ -63,7 +63,7 @@ Conditional access is an Azure AD Premium capability and requires a premium lice
 1. Go to **Access Controls** > **Session** and click **Sign-in frequency**
 1. Enter the required value of days and hours in the first text box
 1. Select a value of **Hours** or **Days** from dropdown
-1. Save you policy
+1. Save your policy
 
 ![Conditional access policy configured for sign in frequency](media/howto-conditional-access-session-lifetime/conditional-access-policy-session-sign-in-frequency.png)
 

articles/active-directory/fundamentals/users-default-permissions.md

@@ -49,7 +49,7 @@ Users can register application | Setting this option to No prevents users from c
 Allow users to connect work or school account with LinkedIn | Setting this option to No prevents users from connecting their work or school account with their LinkedIn account.  See [LinkedIn account connections data sharing and consent](https://docs.microsoft.com/azure/active-directory/users-groups-roles/linkedin-user-consent) for more information.
 Ability to create security groups | Setting this option to No prevents users from creating security groups. Global administrators and User administrators can still create security groups. See [Azure Active Directory cmdlets for configuring group settings](../users-groups-roles/groups-settings-cmdlets.md) to learn how.
 Ability to create Office 365 groups | Setting this option to No prevents users from creating Office 365 groups. Setting this option to Some allows a select set of users to create Office 365 groups. Global administrators and User administrators will still be able to create Office 365 groups. See [Azure Active Directory cmdlets for configuring group settings](../users-groups-roles/groups-settings-cmdlets.md) to learn how.
-Restrict access to Azure AD administration portal | Setting this option to No prevents users from accessing Azure Active Directory.
+Restrict access to Azure AD administration portal | Setting this option to Yes prevents users from accessing Azure Active Directory through Azure portal only.
 Ability to read other users | This setting is available in PowerShell only. Setting this to $false prevents all non-admins from reading user information from the directory. This does not prevent reading user information in other Microsoft services like Exchange Online. This setting is meant for special circumstances, and setting this to $false is not recommended.
 
 ## Object ownership

articles/active-directory/governance/entitlement-management-overview.md

@@ -112,7 +112,7 @@ The following diagram shows an example of the different elements in entitlement
 
 When using the [Azure AD business-to-business (B2B)](../b2b/what-is-b2b.md) invite experience, you must already know the email addresses of the external guest users you want to bring into your resource directory and work with. This works great when you're working on a smaller or short-term project and you already know all the participants, but this is harder to manage if you have lots of users you want to work with or if the participants change over time.  For example, you might be working with another organization and have one point of contact with that organization, but over time additional users from that organization will also need access.
 
-With entitlement management, you can define a policy that allows users from organizations you specify, that are also using Azure AD, to be able to request an access package. You can specify whether approval is required and an expiration date for the access. If approval is required, you can also designate as an approver one or more users from the external organization that you previously invited - since they are likely to know which external users from their organization need access. Once you have configured the access package, you can send a link to the access package to your contact person at the external organization. That contact can share with others users in the external organization, and they can use this link to request the access package.  Users from that organizational who have already been invited into your directory can also use that link.
+With entitlement management, you can define a policy that allows users from organizations you specify, that are also using Azure AD, to be able to request an access package. You can specify whether approval is required and an expiration date for the access. If approval is required, you can also designate as an approver one or more users from the external organization that you previously invited - since they are likely to know which external users from their organization need access. Once you have configured the access package, you can send a link to the access package to your contact person at the external organization. That contact can share with other users in the external organization, and they can use this link to request the access package.  Users from that organization who have already been invited into your directory can also use that link.
 
 When a request is approved, entitlement management will provision the user with the necessary access, which may include inviting the user if they're not already in your directory. Azure AD will automatically create a B2B account for them.  Note that an administrator may have previously limited which organizations are permitted for collaboration, by setting a [B2B allow or deny list](../b2b/allow-deny-list.md) to allow or block invites to other organizations.  If the user is not permitted by the allow or block list, then they will not be invited.
 

articles/active-directory/managed-identities-azure-resources/known-issues.md

@@ -77,6 +77,11 @@ No. If you move a subscription to another directory, you will have to manually r
 
 No. Managed identities do not currently support cross-directory scenarios. 
 
+### What Azure RBAC permissions are required to managed identity on a resource? 
+
+- System-assigned managed identity: You need write permissions over the resource. For example: Microsoft.Compute/virtualMachines/write or This action is included in resource specific built-in roles like [Virtual Machine Contributor](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#virtual-machine-contributor).
+- User-assigned managed identity: You need write permissions over the resource. For example: Microsoft.Compute/virtualMachines/write . In addition to [Managed Identity Operator](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#managed-identity-operator) role assignment over the managed identity. 
+
 ### How do you restart the managed identities for Azure resources extension?
 On Windows and certain versions of Linux, if the extension stops, the following cmdlet may be used to manually restart it:
 

articles/active-directory/saas-apps/netdocuments-tutorial.md

@@ -101,13 +101,13 @@ To configure Azure AD single sign-on with NetDocuments, perform the following st
     ![NetDocuments Domain and URLs single sign-on information](common/sp-reply.png)
 
 	a. In the **Sign on URL** text box, type a URL using the following pattern:
-    `https://vault.netvoyage.com/neWeb2/docCent.aspx?whr=<user identifier>`
+    `https://vault.netvoyage.com/neWeb2/docCent.aspx?whr=<Repository ID>`
 
     b. In the **Reply URL** text box, type a URL using the following pattern:
-    `https://vault.netvoyage.com/neWeb2/docCent.aspx?whr=<user identifier>`
+    `https://vault.netvoyage.com/neWeb2/docCent.aspx?whr=<Repository ID>`
 
 	> [!NOTE]
-	> These values are not real. Update these values with the actual Sign on URL and Reply URL. Contact [NetDocuments Client support team](https://support.netdocuments.com/hc/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+	> These values are not real. Update these values with the actual Sign on URL and Reply URL. Repository ID is a value staring with CA- followed by 8 character code associated with your NetDocuments Repository. You can check the [NetDocuments Federated Identity support document](https://support.netdocuments.com/hc/en-us/articles/205220410-Federated-Identity-Login) for more information. Alternatively you can contact [NetDocuments Client support team](https://support.netdocuments.com/hc/) to get these values if you have difficulties configuring using the above information . You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
 
 5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
 

articles/api-management/api-management-access-restriction-policies.md

@@ -312,8 +312,6 @@ The `quota-by-key` policy enforces a renewable or lifetime call volume and/or ba
 
 For more information and examples of this policy, see [Advanced request throttling with Azure API Management](https://azure.microsoft.com/documentation/articles/api-management-sample-flexible-throttling/).
 
-> [Policy expressions](api-management-policy-expressions.md) cannot be used in any of the policy attributes for this policy.
-
 ### Policy statement
 
 ```xml

articles/api-management/api-management-howto-aad.md

@@ -57,22 +57,23 @@ This article shows you how to enable access to the developer portal for users fr
 14.  After the application is registered, copy the **Application (client) ID** from the **Overview** page. 
 15. Go back to your API Management instance. In the **Add identity provider** window, paste the **Application (client) ID** value into the **Client ID** box.
 16. Switch back to the Azure AD configuration, Select **Certificates & secrets** under **Manage**. Select the **New client secret** button. Enter a value in **Description**, select any option for **Expires** and choose **Add**. Copy the client secret value before leaving the page. You will need it in the next step. 
-17. Go back to your API Management instance, paste the secret into the **Client secret** box.
+17. Under **Manage**, select **Authentication** and then select **ID tokens** under **Implicit Grant**
+18. Go back to your API Management instance, paste the secret into the **Client secret** box.
 
     > [!IMPORTANT]
     > Please make sure to update the **Client secret** before the key expires. 
     >  
     >
 
-18. The **Add identity provider** window also contains the **Allowed Tenants** text box. There, specify the domains of the Azure AD instances to which you want to grant access to the APIs of the API Management service instance. You can separate multiple domains with newlines, spaces, or commas.
+19. The **Add identity provider** window also contains the **Allowed Tenants** text box. There, specify the domains of the Azure AD instances to which you want to grant access to the APIs of the API Management service instance. You can separate multiple domains with newlines, spaces, or commas.
 
 > [!NOTE]
 > You can specify multiple domains in the **Allowed Tenants** section. Before any user can sign in from a different domain than the original domain where the application was registered, a global administrator of the different domain must grant permission for the application to access directory data. To grant permission, the global administrator should:
 > a. Go to `https://<URL of your developer portal>/aadadminconsent` (for example, https://contoso.portal.azure-api.net/aadadminconsent).
 > b. Type in the domain name of the Azure AD tenant that they want to give access to.
 > c. Select **Submit**. 
 
-19.  After you specify the desired configuration, select **Add**.
+20.  After you specify the desired configuration, select **Add**.
 
 After the changes are saved, users in the specified Azure AD instance can sign in to the developer portal by following the steps in [Sign in to the developer portal by using an Azure AD account](#log_in_to_dev_portal).
 

articles/automation/media/pre-post-scripts/configure-script.png

@@ -6,7 +6,7 @@ ms.service: automation
 ms.subservice: update-management
 author: georgewallace
 ms.author: gwallace
-ms.date: 04/15/2019
+ms.date: 05/17/2019
 ms.topic: conceptual
 manager: carmonm 
 ---
@@ -24,9 +24,7 @@ To use a pre and or post script in an Update Deployment, start by creating an Up
 
 ![Select scripts](./media/pre-post-scripts/select-scripts.png)
 
-Select the script you want to use, in this example, you used the **UpdateManagement-TurnOnVms** runbook. When you select the runbook the **Configure Script** page opens, provide values for the parameters, and choose **Pre-Script**. Click **OK** when done.
-
-![Configure script](./media/pre-post-scripts/configure-script.png)
+Select the script you want to use, in this example, you used the **UpdateManagement-TurnOnVms** runbook. When you select the runbook the **Configure Script** page opens, choose **Pre-Script**. Click **OK** when done.
 
 Repeat this process for the **UpdateManagement-TurnOffVms** script. But when choosing the **Script type**, choose **Post-Script**.