MicrosoftDocs
diff --git a/‎articles/active-directory/manage-apps/f5-big-ip-header-advanced.md
Lines changed: 19 additions & 18 deletions b/‎articles/active-directory/manage-apps/f5-big-ip-header-advanced.md
Lines changed: 19 additions & 18 deletions
diff --git a/‎articles/active-directory/manage-apps/f5-big-ip-kerberos-advanced.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/manage-apps/f5-big-ip-kerberos-advanced.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/aks/tutorial-kubernetes-upgrade-cluster.md
Lines changed: 25 additions & 0 deletions b/‎articles/aks/tutorial-kubernetes-upgrade-cluster.md
Lines changed: 25 additions & 0 deletions
diff --git a/‎articles/aks/upgrade-cluster.md
Lines changed: 25 additions & 0 deletions b/‎articles/aks/upgrade-cluster.md
Lines changed: 25 additions & 0 deletions
diff --git a/‎articles/app-service/webjobs-sdk-get-started.md
Lines changed: 3 additions & 0 deletions b/‎articles/app-service/webjobs-sdk-get-started.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎articles/applied-ai-services/immersive-reader/how-to-configure-translation.md
Lines changed: 5 additions & 5 deletions b/‎articles/applied-ai-services/immersive-reader/how-to-configure-translation.md
Lines changed: 5 additions & 5 deletions
diff --git a/‎articles/applied-ai-services/immersive-reader/how-to-create-immersive-reader.md
Lines changed: 2 additions & 2 deletions b/‎articles/applied-ai-services/immersive-reader/how-to-create-immersive-reader.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/applied-ai-services/immersive-reader/index.yml
Lines changed: 13 additions & 11 deletions b/‎articles/applied-ai-services/immersive-reader/index.yml
Lines changed: 13 additions & 11 deletions
@@ -2,20 +2,20 @@
 title: Configure F5 BIG-IP Access Policy Manager for header-based SSO
 description: Learn how to configure F5's BIG-IP Access Policy Manager (APM) and Azure Active Directory SSO for header-based authentication
 services: active-directory
-author: gargi-sinha
+author: NishthaBabith-V
 manager: martinco
 ms.service: active-directory
 ms.subservice: app-mgmt
 ms.topic: how-to
 ms.workload: identity
 ms.date: 11/10/2021
-ms.author: gasinh
+ms.author: v-nisba
 ms.collection: M365-identity-device-management
 ---
 
 # Tutorial: Configure F5 BIG-IP’s Access Policy Manager for header-based SSO
 
-In this tutorial, you'll learn how to configure F5's BIG-IP Access Policy Manager (APM) and Azure Active Directory (Azure AD) for secure hybrid access to header-based applications.
+In this article, you’ll learn to implement Secure Hybrid Access (SHA) with single sign-on (SSO) to header-based applications using F5’s BIG-IP advanced configuration.
 
 Configuring BIG-IP published applications with Azure AD provides many benefits, including:
 
@@ -30,20 +30,20 @@ To learn about all of the benefits, see the article on [F5 BIG-IP and Azure AD i
 
 ## Scenario description
 
-For this scenario, we have an internal application whose access relies on receiving HTTP authorization headers from a legacy broker system. This enables users to be directed to their respective areas of content.
+For this scenario, we have a legacy application using HTTP authorization headers to control access to protected content.
 
-The ideal scenario is to have the application managed and governed directly through Azure AD. However, as it lacks any form of modern protocol interop, it would take considerable effort and time to modernize, introducing inevitable costs and risks of potential downtime.
+Ideally, application access should be managed directly by Azure AD but being legacy it lacks any form of modern authentication protocol. Modernization would take considerable effort and time, introducing inevitable costs and risk of potential downtime. Instead, a BIG-IP deployed between the public internet and the internal application will be used to gate inbound access to the application.
 
-Instead, a BIG-IP Virtual Edition (VE) deployed between the public internet and the internal Azure VNet the application is connected to will be used. It will enable to gate inbound access, with Azure AD for its extensive choice of authentication and authorization capabilities.
+Having a BIG-IP in front of the application enables us to overlay the service with Azure AD pre-authentication and header-based SSO, significantly improving the overall security posture of the application.
 
-Having a BIG-IP in front of the application enables to overlay the service with Azure AD pre-authentication and header-based SSO. It significantly improves the overall security posture of the application, allowing the business to continue operating at pace, without interruption.
 
-The secure hybrid access solution for this scenario is made up of the following components:
+## Scenario architecture
 
-- **Application**: Backend service to be protected by Azure AD and BIG-IP secure hybrid access
+The secure hybrid access solution for this scenario is made up of:
 
-- **Azure AD**: The SAML Identity Provider (IdP), responsible for
-verification of user credentials, Conditional Access (CA), and SSO to the BIG-IP APM.
+- **Application**: BIG-IP published service to be protected by and Azure AD SHA.
+
+- **Azure AD**: Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SSO to the BIG-IP. Through SSO, Azure AD provides the BIG-IP with any required session attributes including user identifiers.
 
 - **BIG-IP**: Reverse proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP, before
 performing header-based SSO to the backend application.
@@ -52,13 +52,13 @@ performing header-based SSO to the backend application.
 
 | Step | Description |
 |:-------|:-----------|
-| 1. | User connects to application's SAML SP endpoint (BIG-IP APM). |
-| 2. | APM access policy redirects user to SAML IdP (Azure AD) for pre-authentication.|
-| 3. | SAML IdP authenticates user and applies any enforced CA policies. |
-| 4. | Azure AD redirects user back to SAML SP with issued token and claims. |
-| 5. | BIG-IP APM grants user access and injects headers in the request to the application. |
+| 1. | User connects to application's SAML SP endpoint (BIG-IP). |
+| 2. | BIG-IP APM access policy redirects user to Azure AD (SAML IdP).|
+| 3. | Azure AD pre-authenticates user and applies any enforced CA policies. |
+| 4. | User is redirected to BIG-IP (SAML SP) and SSO is performed using issued SAML token. |
+| 5. | BIG-IP injects Azure AD attributes as headers in request to the application. |
+| 6. | Application authorizes request and returns payload. |
 
-For increased security, organizations using this pattern could also consider blocking all direct access to the application, in that way, forcing a strict path through the BIG-IP.
 
 ## Prerequisites
 
@@ -398,7 +398,6 @@ This last step provides break down of all applied settings before they are commi
 
 Your application is now published and accessible via Secure Hybrid Access, either directly via its URL or through Microsoft's application portals.
 
-For increased security, organizations using this pattern could also consider blocking all direct access to the application, in that way forcing a strict path through the BIG-IP.
 
 ## Next steps
 
@@ -407,6 +406,8 @@ The output of the injected headers displayed by our headers-based application is
 
 ![Screenshot shows the output](./media/f5-big-ip-header-advanced/mytravel-example.png)
 
+For increased security, organizations using this pattern could also consider blocking all direct access to the application, in that way forcing a strict path through the BIG-IP.
+
 ## Troubleshooting
 
 Failure to access the secure hybrid access protected application could be down to any number of potential factors, including a
 
@@ -235,7 +235,7 @@ If the **web_svc_account** service runs in context of a computer account, use th
 
 For more information, see [Kerberos Constrained Delegation across domains](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831477(v=ws.11)).
 
-## Make BIG-IP advanced configurations
+## BIG-IP advanced configuration
 
 Now you can proceed with setting up the BIG-IP configurations.
 
@@ -348,7 +348,7 @@ An *access profile* binds many APM elements that manage access to BIG-IP virtual
 
     ![Screenshot that shows the list box for configuring an A A A server.](./media/f5-big-ip-kerberos-advanced/configure-aaa-server.png)
 
-6. Select the link in the upper **Deny** box to change the **Successful** branch to **Allow**.
+6. Select the link in the upper **Deny** box to change the **Successful** branch to **Allow**, and then select **Save**.
 
     ![Screenshot that shows changing the successful branch to Allow.](./media/f5-big-ip-kerberos-advanced/select-allow-successful-branch.png)
 
 
@@ -185,6 +185,31 @@ Tags                    : {}
 
 ---
 
+## View the upgrade events
+
+When you upgrade your cluster, the following Kubenetes events may occur on each node:
+
+* Surge – Create surge node.
+* Drain – Pods are being evicted from the node. Each pod has a 30 minute timeout to complete the eviction.
+* Update – Update of a node has succeeded or failed.
+* Delete – Deleted a surge node.
+
+Use `kubectl get events` to show events in the default namespaces while running an upgrade. For example:
+
+```azurecli-interactive
+kubectl get events 
+```
+
+The following example output shows some of the above events listed during an upgrade. 
+
+```output
+...
+default 2m1s Normal Drain node/aks-nodepool1-96663640-vmss000001 Draining node: [aks-nodepool1-96663640-vmss000001]
+...
+default 9m22s Normal Surge node/aks-nodepool1-96663640-vmss000002 Created a surge node [aks-nodepool1-96663640-vmss000002 nodepool1] for agentpool %!s(MISSING)
+...
+```
+
 ## Validate an upgrade
 
 ### [Azure CLI](#tab/azure-cli)
 
@@ -112,6 +112,31 @@ Name          Location    ResourceGroup    KubernetesVersion    ProvisioningStat
 myAKSCluster  eastus      myResourceGroup  1.18.10              Succeeded            myakscluster-dns-379cbbb9.hcp.eastus.azmk8s.io
 ```
 
+## View the upgrade events
+
+When you upgrade your cluster, the following Kubenetes events may occur on each node:
+
+- Surge – Create surge node.
+- Drain – Pods are being evicted from the node. Each pod has a 30 minute timeout to complete the eviction.
+- Update – Update of a node has succeeded or failed.
+- Delete – Deleted a surge node.
+
+Use `kubectl get events` to show events in the default namespaces while running an upgrade. For example:
+
+```azurecli-interactive
+kubectl get events 
+```
+
+The following example output shows some of the above events listed during an upgrade.
+
+```output
+...
+default 2m1s Normal Drain node/aks-nodepool1-96663640-vmss000001 Draining node: [aks-nodepool1-96663640-vmss000001]
+...
+default 9m22s Normal Surge node/aks-nodepool1-96663640-vmss000002 Created a surge node [aks-nodepool1-96663640-vmss000002 nodepool1] for agentpool %!s(MISSING)
+...
+```
+
 ## Set auto-upgrade channel
 
 In addition to manually upgrading a cluster, you can set an auto-upgrade channel on your cluster. The following upgrade channels are available:
 
@@ -163,6 +163,9 @@ In this section, you create a function triggered by messages in an Azure Storage
 
 Starting with version 3 of the WebJobs SDK, to connect to Azure Storage services you must install a separate Storage binding extension package. 
 
+>[!NOTE]
+> Beginning with 5.x, Microsoft.Azure.WebJobs.Extensions.Storage has been [split by storage service](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/storage/Microsoft.Azure.WebJobs.Extensions.Storage/CHANGELOG.md#major-changes-and-features) and has migrated the `AddAzureStorage()` extension method by service type.
+
 1. Get the latest stable version of the [Microsoft.Azure.WebJobs.Extensions.Storage](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Storage) NuGet package, version 3.x.
 
 1. In the following command, replace `<3_X_VERSION>` with the current version  number you found in step 1. Each type of NuGet Package has a unique version number. 
 
@@ -8,17 +8,17 @@ manager: guillasi
 ms.service: applied-ai-services
 ms.subservice: immersive-reader
 ms.topic: how-to
-ms.date: 06/29/2020
+ms.date: 01/06/2022
 ms.author: metang
 ---
 
-# How to configure translation
+# How to configure Translation
 
-This article demonstrates how to configure the various options for translation in the Immersive Reader.
+This article demonstrates how to configure the various options for Translation in the Immersive Reader.
 
-## Configure translation language
+## Configure Translation language
 
-The `options` parameter contains all of the flags that can be used to configure translation. Set the `language` parameter to the language you wish to translate to. See the [Language Support](./language-support.md) for the full list of supported languages.
+The `options` parameter contains all of the flags that can be used to configure Translation. Set the `language` parameter to the language you wish to translate to. See the [Language Support](./language-support.md) for the full list of supported languages.
 
 ```typescript
 const options = {
 
@@ -9,7 +9,7 @@ manager: guillasi
 ms.service: applied-ai-services
 ms.subservice: immersive-reader
 ms.topic: how-to
-ms.date: 07/22/2019
+ms.date: 11/11/2021
 ms.author: rwaller
 ---
 
@@ -117,7 +117,7 @@ The script is designed to be flexible. It will first look for existing Immersive
         Start-Sleep -Seconds 5
 
         Write-Host "Granting service principal access to the newly created Immersive Reader resource"
-        $accessResult = az role assignment create --assignee $principalId --scope $resourceId --role "Cognitive Services User"
+        $accessResult = az role assignment create --assignee $principalId --scope $resourceId --role "Cognitive Services Immersive Reader User"
         if (-not $accessResult) {
             throw "Error: Failed to grant service principal access"
         }
 
@@ -15,6 +15,7 @@ metadata:
   ms.author: dapine
   ms.date: 11/15/2021
 
+
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
 
 landingContent:
@@ -51,31 +52,32 @@ landingContent:
         links:
           - text: Create an Immersive Reader Resource
             url: how-to-create-immersive-reader.md
-          - text: Use multiple Immersive Reader resources
-            url: how-to-multiple-resources.md
           - text: Launch the Immersive Reader
             url: how-to-launch-immersive-reader.md
+          - text: Prepare HTML content
+            url: how-to-prepare-html.md
+          - text: Customize the launch button
+            url: how-to-customize-launch-button.md
           - text: Set the cookie policy
             url: how-to/set-cookie-policy.md
           - text: Display math
             url: how-to/display-math.md
-          - text: Customize Immersive Reader button
-            url: how-to-customize-launch-button.md
-          - text: Cache the authentication token
-            url: how-to-cache-token.md
           - text: Configure Read Aloud
             url: how-to-configure-read-aloud.md
-          - text: Configure translation
-            url: how-to-configure-translation.md
-          - text: Store user preferences
-            url: how-to-store-user-preferences.md
+          - text: Configure Translation
+            url: how-to-configure-translation.md          
+          - text: Use multiple Immersive Reader resources
+            url: how-to-multiple-resources.md
+          - text: Cache the authentication token
+            url: how-to-cache-token.md
       - linkListType: reference
         links:
           - text: JavaScript SDK
             url: reference.md
+          - text: Security Advisory - Update Role Assignment for Azure Active Directory authentication
+            url: security-how-to-update-role-assignment.md            
           - text: Release notes
             url: release-notes.md
-
   - title: Help and feedback
     linkLists:
     - linkListType: reference