Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into release-ga-sentinel

Author: v-alje

articles/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet.md

@@ -29,7 +29,7 @@ In this quickstart, you walk through configuring self-service password reset (SS
 
 ## Enable self-service password reset
 
-> [!VIDEO https://www.youtube.com/embed/Pa0eyqjEjvQ]
+[View this process as a video on YouTube](https://youtu.be/Pa0eyqjEjvQ)
 
 1. From your existing Azure AD tenant, on the **Azure portal** under **Azure Active Directory** select **Password reset**.
 

articles/active-directory/authentication/quickstart-sspr.md

@@ -12,7 +12,7 @@ ms.devlang: na
 ms.topic: reference
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 05/23/2019
+ms.date: 09/23/2019
 ms.subservice: hybrid
 ms.author: billmath
 
@@ -41,7 +41,13 @@ Not all releases of Azure AD Connect will be made available for auto upgrade. Th
 ## 1.4.X.0
 
 >[!IMPORTANT]
->Previously, Windows down-level computers joined to on-prem AD were incorrectly getting synced to the cloud under some circumstances. As an example, the userCertificate attribute value for Windows down-level devices in AD is populated. But such devices in Azure AD always stayed in the “pending” state because these OS versions were not designed to be registered with Azure AD via AAD Sync. In this version of Azure AD Connect, AAD Sync will stop syncing Windows down-level computers to Azure AD and will also remove the previously incorrectly synced Windows down-level devices from Azure AD. Please note that this change will not delete any Windows down-level devices that were correctly registered with Azure AD by using the MSI package. Those devices will continue to work as expected for the purposes of device-based conditional access. Some customers may see some or all of their Windows down-level devices disappear from Azure AD. This is not a cause for concern, as these device identities were never actually used by Azure AD during conditional access authorization. Such customers may need to revisit https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan and get their Windows down-level devices registered correctly to ensure that such devices can fully participate in device-based conditional access. Note that if you see these deletes of down-level Computer/Device objects in Azure AD exceeding the Export Deletion Threshold, it is advised that the customer allow these deletes to go through.
+>Windows Computers registered as Hybrid Azure AD Joined are represented in Azure AD as device objects. These device objects can be used for conditional access. Windows 10 Computers are synced to the cloud via Azure AD Connect, down level Windows Computers are registered directly using either AD FS or seamless single sign on.
+>
+>Only Windows 10 computers with a specific userCertificate attribute value configured by Hybrid Azure AD Join are supposed to be synced to the cloud by Azure AD Connect.  In previous versions of Azure AD Connect this requirement was not rigorously enforced, resulting in unnecessary device objects in Azure AD. Such devices in Azure AD always stayed in the “pending” state because these computers were not intended to be registered with Azure AD.
+>
+>This version of Azure AD Connect will only sync Windows 10 computers that are correctly configured to be Hybrid Azure AD Joined. Azure AD Connect should never be syncing [down-level Windows devices](../../active-directory/devices/hybrid-azuread-join-plan.md#windows-down-level-devices).  Any devices in Azure AD previously synced incorrectly will now be deleted from Azure AD.  However, this change won't delete any Windows devices that were correctly registered with Azure AD for Hybrid Azure AD Join. 
+>
+>Some customers may see some or all of their Windows devices disappear from Azure AD. This is not a cause for concern, as these device identities are not used by Azure AD during conditional access authorization. Some customers may need to revisit [How To: Plan your hybrid Azure Active Directory join implementation](../../active-directory/devices/hybrid-azuread-join-plan.md) to get their Windows computers registered correctly and ensure that such devices can fully participate in device-based conditional access. If Azure AD Connect is attempting to delete [down-level Windows devices](../../active-directory/devices/hybrid-azuread-join-plan.md#windows-down-level-devices) then the device is not the one that was created by the [Microsoft Workplace Join for non-Windows 10 computers MSI](https://www.microsoft.com/download/details.aspx?id=53554) and it is not able to be consumed by any other Azure AD feature.  If you see the deletes of Computer/Device objects in Azure AD exceeding the Export Deletion Threshold, it is advised that the customer allow these deletes to go through.
 
 ### Release status
 9/10/2019: Released for auto-upgrade only
@@ -1268,7 +1274,7 @@ Released: December 2014
 **New features:**
 
 * Password synchronization with attribute-based filtering is now supported. For more information, see [Password synchronization with filtering](how-to-connect-sync-configure-filtering.md).
-* The ms-DS-ExternalDirectoryObjectID attribute is written back to Active Directory. This feature adds support for Office 365 applications. It uses OAuth2 to access Online and On-Premises mailboxes in a Hybrid Exchange Deployment.
+* The ms-DS-ExternalDirectoryObjectID attribute is written back to Active Directory. This feature adds support for Office 365 applications. It uses OAuth2 to access online and on-premises mailboxes in a Hybrid Exchange Deployment.
 
 **Fixed upgrade issues:**
 

articles/active-directory/hybrid/reference-connect-version-history.md

@@ -87,7 +87,7 @@ In this section, you enable Azure AD SSO in the Azure portal.
     `https://<subdomain>.jamfcloud.com`
 
 	> [!NOTE]
-	> These values aren't real. Update these values with the actual identifier, reply URL, and sign-on URL. You'll get the actual identifier value from *the **Single Sign-On** section in Jamf Pro portal, which is explained later in the tutorial. You can extract the actual subdomain value from the identifier value and use that subdomain information as your sign-on URL and reply URL. You can also refer to the formulas shown in the **Basic SAML Configuration** section in the Azure portal.
+	> These values aren't real. Update these values with the actual identifier, reply URL, and sign-on URL. You'll get the actual identifier value from the **Single Sign-On** section in Jamf Pro portal, which is explained later in the tutorial. You can extract the actual subdomain value from the identifier value and use that subdomain information as your sign-on URL and reply URL. You can also refer to the formulas shown in the **Basic SAML Configuration** section in the Azure portal.
 
 1. On the **Set up Single Sign-On with SAML** page, go to the **SAML Signing Certificate** section, select the **copy** button to copy **App Federation Metadata URL**, and then save it to your computer.
 

articles/active-directory/saas-apps/jamfprosamlconnector-tutorial.md

@@ -65,8 +65,6 @@ Users with this role can set or reset non-password credentials and can update pa
 * Message Center Reader
 * Reports Reader
 
-The Authentication administrator role is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-
 > [!IMPORTANT]
 > Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that user's identity and permissions. For example:
 

articles/active-directory/users-groups-roles/directory-assign-admin-roles.md

@@ -34,7 +34,7 @@ This topic provides a reference for the following API Management policies. For i
 -   [Set request method](#SetRequestMethod) - Allows you to change the HTTP method for a request.
 -   [Set status code](#SetStatus) - Changes the HTTP status code to the specified value.
 -   [Set variable](api-management-advanced-policies.md#set-variable) - Persists a value in a named [context](api-management-policy-expressions.md#ContextVariables) variable for later access.
--   [Trace](#Trace) - Adds a string into the [API Inspector](https://azure.microsoft.com/documentation/articles/api-management-howto-api-inspector/) output.
+-   [Trace](#Trace) - Adds custom traces into the [API Inspector](https://azure.microsoft.com/documentation/articles/api-management-howto-api-inspector/) output, Application Insights telemetries, and Diagnostic Logs.
 -   [Wait](#Wait) - Waits for enclosed [Send request](api-management-advanced-policies.md#SendRequest), [Get value from cache](api-management-caching-policies.md#GetFromCacheByKey), or [Control flow](api-management-advanced-policies.md#choose) policies to complete before proceeding.
 
 ## <a name="choose"></a> Control flow
@@ -909,29 +909,49 @@ Expressions used in the `set-variable` policy must return one of the following b
 
 ## <a name="Trace"></a> Trace
 
-The `trace` policy adds a string into the [API Inspector](https://azure.microsoft.com/documentation/articles/api-management-howto-api-inspector/) output. The policy will execute only when tracing is triggered, i.e. `Ocp-Apim-Trace` request header is present and set to `true` and `Ocp-Apim-Subscription-Key` request header is present and holds a valid key associated with the admin account.
+The `trace` policy adds a custom trace into the API Inspector output, Application Insights telemetries, and/or Diagnostic Logs. 
+
+* The policy adds a custom trace to the [API Inspector](https://azure.microsoft.com/documentation/articles/api-management-howto-api-inspector/) output when tracing is triggered, i.e. `Ocp-Apim-Trace` request header is present and set to true and `Ocp-Apim-Subscription-Key` request header is present and holds a valid key that allows tracing. 
+* The policy creates a [Trace](https://docs.microsoft.com/azure/azure-monitor/app/data-model-trace-telemetry) telemetry in Application Insights, when [Application Insights integration](https://docs.microsoft.com/azure/api-management/api-management-howto-app-insights) is enabled and the `severity` level specified in the policy is at or higher than the `verbosity` level specified in the diagnostic setting. 
+* The policy adds a property in the log entry when [Diagnostic Logs](https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-use-azure-monitor#diagnostic-logs) is enabled and the severity level specified in the policy is at or higher than the verbosity level specified in the diagnostic setting.  
+
 
 ### Policy statement
 
 ```xml
 
-<trace source="arbitrary string literal">
-    <!-- string expression or literal -->
+<trace source="arbitrary string literal" severity="verbose|information|error">
+    <message>String literal or expressions</message>
+    <metadata name="string literal or expressions" value="string literal or expressions"/>
 </trace>
 
 ```
 
+### <a name="traceExample"></a> Example
+
+```xml
+<trace source="PetStore API" severity="verbose">
+    <message>@((string)context.Variables["clientConnectionID"])</message>
+    <metadata name="Operation Name" value="New-Order"/>
+</trace>
+```
+
 ### Elements
 
 | Element | Description   | Required |
 | ------- | ------------- | -------- |
 | trace   | Root element. | Yes      |
+| message | A string or expression to be logged. | Yes |
+| metadata | Adds a custom property to the Application Insights [Trace](https://docs.microsoft.com/en-us/azure/azure-monitor/app/data-model-trace-telemetry) telemetry. | No |
 
 ### Attributes
 
 | Attribute | Description                                                                             | Required | Default |
 | --------- | --------------------------------------------------------------------------------------- | -------- | ------- |
 | source    | String literal meaningful to the trace viewer and specifying the source of the message. | Yes      | N/A     |
+| severity    | Specifies the severity level of the trace. Allowed values are `verbose`, `information`, `error` (from lowest to highest). | No      | Verbose     |
+| name    | Name of the property. | Yes      | N/A     |
+| value    | Value of the property. | Yes      | N/A     |
 
 ### Usage
 

articles/api-management/api-management-advanced-policies.md

@@ -75,7 +75,8 @@ Before you can use Azure Application Insights, you first need to create an insta
 | Sampling (%)                        | decimal                           | Values from 0 to 100 (percent). <br/> Specifies what percentage of requests will be logged to Azure Application Insights. 0% sampling means zero requests logged, while 100% sampling means all requests logged. <br/> This setting is used for reducing performance implications of logging requests to Azure Application Insights (see the section below). |
 | Always log errors                   | boolean                           | If this setting is selected, all failures will be logged to Azure Application Insights, regardless of the **Sampling** setting.                                                                                                                                                                                                                  |
 | Basic Options: Headers              | list                              | Specifies the headers that will be logged to Azure Application Insights for requests and responses.  Default: no headers are logged.                                                                                                                                                                                                             |
-| Basic Options: First bytes of body  | integer                           | Specifies how many first bytes of the body are logged to Azure Application Insights for requests and responses.  Default: body is not logged.                                                                                                                                                                                              |
+| Basic Options: First bytes of body  | integer                           | Specifies how many first bytes of the body are logged to Azure Application Insights for requests and responses.  Default: body is not logged.                                                                                                                                                                                                    |
+| Advanced Options: Verbosity         |                                   | Specifies the verbosity level. Only custom traces with higher severity level will be logged. Default: Information.                                                                                                                                                                                                                               |
 | Advanced Options: Frontend Request  |                                   | Specifies whether and how *frontend requests* will be logged to Azure Application Insights. *Frontend request* is a request incoming to the Azure API Management service.                                                                                                                                                                        |
 | Advanced Options: Frontend Response |                                   | Specifies whether and how *frontend responses* will be logged to Azure Application Insights. *Frontend response* is a response outgoing from the Azure API Management service.                                                                                                                                                                   |
 | Advanced Options: Backend Request   |                                   | Specifies whether and how *backend requests* will be logged to Azure Application Insights. *Backend request* is a request outgoing from the Azure API Management service.                                                                                                                                                                        |

articles/api-management/api-management-howto-app-insights.md

@@ -45,7 +45,7 @@ This section provides a reference for the following API Management policies. For
     -   [Set variable](api-management-advanced-policies.md#set-variable) - Persist a value in a named context variable for later access.  
     -   [Set request method](api-management-advanced-policies.md#SetRequestMethod) - Allows you to change the HTTP method for a request.  
     -   [Set status code](api-management-advanced-policies.md#SetStatus) - Changes the HTTP status code to the specified value.  
-    -   [Trace](api-management-advanced-policies.md#Trace) - Adds a string into the [API Inspector](https://azure.microsoft.com/documentation/articles/api-management-howto-api-inspector/) output.  
+    -   [Trace](api-management-advanced-policies.md#Trace) - Adds custom traces into the [API Inspector](https://azure.microsoft.com/documentation/articles/api-management-howto-api-inspector/) output, Application Insights telemetries, and Diagnostic Logs.  
     -   [Wait](api-management-advanced-policies.md#Wait) - Waits for enclosed [Send request](api-management-advanced-policies.md#SendRequest), [Get value from cache](api-management-caching-policies.md#GetFromCacheByKey), or [Control flow](api-management-advanced-policies.md#choose) policies to complete before proceeding.  
 -   [Authentication policies](api-management-authentication-policies.md#AuthenticationPolicies)  
     -   [Authenticate with Basic](api-management-authentication-policies.md#Basic) - Authenticate with a backend service using Basic authentication.  

articles/api-management/api-management-policies.md

@@ -0,0 +1,49 @@
+---
+title: Restore deleted App Service apps - Azure App Service
+description: Learn how to restore a deleted App Service app using PowerShell.
+author: btardif
+ms.author: byvinyal
+ms.date: 9/23/2019
+ms.topic: article
+ms.service: app-service
+---
+
+# Restore deleted App Service app Using PowerShell
+
+If you happened to accidentally delete your app in Azure App Service, you can restore it using the commands from the [Az PowerShell module](https://docs.microsoft.com/powershell/azure/?view=azps-2.6.0&viewFallbackFrom=azps-2.2.0).
+
+## List deleted apps
+
+To get the collection of deleted apps, you can use `Get-AzDeletedWebApp`.
+
+For details on a specific deleted app you can use:
+
+```powershell
+Get-AzDeletedWebApp -Name <your_deleted_app>
+```
+
+The detailed information includes:
+
+- **DeletedSiteId**: Unique identifier for the app, used for scenarios where multiple apps with the same name have been deleted
+- **SubscriptionID**: Subscription containing the deleted resource
+- **Location**: Location of the original app
+- **ResourceGroupName**: Name of the original resource group
+- **Name**: Name of the original app.
+- **Slot**: the name of the slot.
+- **Deletion Time**: When was the app deleted  
+
+## Restore deleted app
+
+Once the app you want to restore has been identified, you can restore it using `Restore-AzDeletedWebApp`.
+
+```powershell
+Restore-AzDeletedWebApp -ResourceGroupName <my_rg> -Name <my_app> -TargetAppServicePlanName <my_asp>
+```
+
+The inputs for command are:
+
+- **Resource Group**: Target resource group where the app will be restored
+- **Name**: Name for the app, should be globally unique.
+- **TargetAppServicePlanName**: App Service plan linked to the app
+
+By default `Restore-AzDeletedWebApp` will restore both your app configuration as well a content. If you want to only restore content, you use the `-RestoreContentOnly` flag with this commandlet.