Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/active-directory/develop/mobile-app-quickstart-portal-android.md

@@ -34,7 +34,7 @@ Applications must be represented by an app object in Azure Active Directory so t
 ### Step 1: Configure your application in the Azure portal
 For the code sample in this quickstart to work, add a **Redirect URI** compatible with the Auth broker.
 > [!div id="makechanges" class="nextstepaction" class="configure-app-button"]
-> [Make these changes for me]()
+> <button>Make this change for me</button>
 
 > [!div id="appconfigured" class="alert alert-info"]
 > ![Already configured](media/quickstart-v2-android/green-check.png) Your application is configured with these attributes

articles/active-directory/develop/mobile-app-quickstart-portal-ios.md

@@ -35,9 +35,9 @@ The quickstart applies to both iOS and macOS apps. Some steps are needed only fo
 ![Shows how the sample app generated by this quickstart works](media/quickstart-v2-ios/ios-intro.svg)
 
 #### Step 1: Configure your application
-For the code sample for this quickstart to work, add a **Redirect URI** compatible with the Auth broker.
+For the code sample in this quickstart to work, add a **Redirect URI** compatible with the Auth broker.
 > [!div id="makechanges" class="nextstepaction" class="configure-app-button"]
-> [Make this change for me]()
+> <button>Make this change for me</button>
 
 > [!div id="appconfigured" class="alert alert-info"]
 > ![Already configured](media/quickstart-v2-ios/green-check.png) Your application is configured with these attributes

articles/active-directory/manage-apps/f5-big-ip-oracle-jde-easy-button.md

@@ -43,7 +43,7 @@ The secure hybrid access solution for this scenario is made up of several compon
 
 **Azure AD:** Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SSO to the BIG-IP.
 
-**BIG-IP APM:** Reverse proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP before performing header-based SSO to the Oracle service.
+**BIG-IP:** Reverse proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP before performing header-based SSO to the Oracle service.
 
 SHA for this scenario supports both SP and IdP initiated flows. The following image illustrates the SP initiated flow.
 
@@ -146,9 +146,9 @@ Initiate the **Easy Button** configuration to set up a SAML Service Provider (SP
 
 ### Configuration Properties
 
-The **Configuration Properties** tab creates up a new application config and SSO object. Consider **Azure Service Account Details** section to be the client application you registered in your Azure AD tenant earlier. These settings allow a BIG-IP to programmatically register a SAML application directly in your tenant, along with the properties you would normally configure manually. Easy Button does this for every BIG-IP APM service being enabled for SHA.
+The **Configuration Properties** tab creates a new application config and SSO object. Consider **Azure Service Account Details** section to be the client application you registered in your Azure AD tenant earlier. These settings allow a BIG-IP to programmatically register a SAML application directly in your tenant, along with the properties you would normally configure manually. Easy Button does this for every BIG-IP APM service being enabled for SHA.
 
-Some of these are global settings so can be re-used for publishing more applications, further reducing deployment time and effort.
+Some of these are global settings can be re-used for publishing more applications, further reducing deployment time and effort.
 
 1. Provide a unique **Configuration Name** that enables an admin to easily distinguish between Easy Button configurations
 

articles/active-directory/reports-monitoring/howto-download-logs.md

@@ -12,7 +12,7 @@ ms.service: active-directory
 ms.topic: how-to
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 05/14/2021
+ms.date: 02/25/2022
 ms.author: markvi
 ms.reviewer: besiler 
 
@@ -39,8 +39,6 @@ This article explains how to download activity logs in Azure AD.
 
 - By downloading the logs, you can control for how long logs are stored. 
 
-- You can download up to 250 000 records. If you want to download more data, use the reporting API.
-
 - Your download is based on the filter you have set. 
 
 - Azure AD supports the following formats for your download:
@@ -51,6 +49,7 @@ This article explains how to download activity logs in Azure AD.
 
 - The timestamps in the downloaded files are always based on UTC.
 
+- For large data sets (> 250 000 records), you should use the reporting API to download the data.
 
 
 ## What license do you need?

articles/active-directory/verifiable-credentials/media/verifiable-credentials-configure-tenant/issuer-service-key-vault-access-policy.png

@@ -7,7 +7,7 @@ author: barclayn
 manager: karenhoran
 ms.author: barclayn
 ms.topic: tutorial
-ms.date: 10/08/2021
+ms.date: 02/24/2022
 # Customer intent: As an enterprise, we want to enable customers to manage information about themselves by using verifiable credentials.
 
 ---
@@ -31,7 +31,7 @@ The following diagram illustrates the Azure AD Verifiable Credentials architectu
 
 ![Diagram that illustrates the Azure AD Verifiable Credentials architecture.](media/verifiable-credentials-configure-tenant/verifiable-credentials-architecture.png)
 
-See a [video walkthrough](https://www.youtube.com/watch?v=8jqjHjQo-3c) of setting up the Azure AD Verifiable Credential service, including all prerequisites, like Azure AD and an Azure subscription.
+See a [video walkthrough](https://www.youtube.com/watch?v=8jqjHjQo-3c) going over the setup of the Azure AD Verifiable Credential service.
 
 ## Prerequisites
 
@@ -82,6 +82,8 @@ After you create your key vault, Verifiable Credentials generates a set of keys
 
 A Key Vault [access policy](../../key-vault/general/assign-access-policy.md) defines whether a specified security principal can perform operations on Key Vault secrets and keys. Set access policies in your key vault for both the administrator account of the Azure AD Verifiable Credentials service, and for the Request Service API principal that you created.
 
+### Set access policies for the Verifiable Credentials Admin user
+
 1. In the [Azure portal](https://portal.azure.com/), go to the key vault you use for this tutorial.
 
 1. Under **Settings**, select **Access policies**.
@@ -94,20 +96,34 @@ A Key Vault [access policy](../../key-vault/general/assign-access-policy.md) def
 
 1. To save the changes, select **Save**.
 
+### Set access policies for the Verifiable Credentials Issuer and Request services
+
 1. Select **+ Add Access Policy** to add permission to the service principal of the **Verifiable Credential Request Service**.
 
 1. In **Add access policy**:
 
     1. For **Key permissions**, select **Get** and **Sign**.
 
-    1. For **Secret permissions**, select **Get**.
-
     1. For **Select principal**, select **Verifiable Credential Request Service**.
 
     1. Select **Add**.  
         
-       ![Screenshot that demonstrates how to add an access policy for the Verifiable Credential Request Service.](media/verifiable-credentials-configure-tenant/set-key-vault-service-principal-access-policy.png)
+    :::image type="content" source="media/verifiable-credentials-configure-tenant/request-service-key-vault-access-policy.png" alt-text="Screenshot that demonstrates how to add an access policy for the Verifiable Credential Issuer Service." :::
+
+The access policies for the Verifiable Credentials Issuer service should be added automatically. If the **Verifiable Credential Issuer Service** doesn't appear in the list of access policies, take the following steps to manually add access policies to the service.
+
+1. Select **+ Add Access Policy** to add permission to the service principal of the **Verifiable Credential Issuer Service**.
+
+1. In **Add access policy**:
+
+    1. For **Key permissions**, select **Get** and **Sign**.
+
+    1. For **Select principal**, select **Verifiable Credential Issuer Service**.
+
+    1. Select **Add**.  
 
+     :::image type="content" source="media/verifiable-credentials-configure-tenant/issuer-service-key-vault-access-policy.png" alt-text="Screenshot that demonstrates how to add an access policy for the Verifiable Credential Request Service." :::
+       
 1. Select **Save** to save the new policy you created.
 
 ## Register an application in Azure AD
@@ -166,7 +182,7 @@ To set up Azure AD Verifiable Credentials, follow these steps:
 
     1. **Organization name**: Enter a name to reference your business within Verifiable Credentials. Your customers don't see this name.
 
-    1. **Domain**: Enter a domain that's added to a service endpoint in your decentralized identity (DID) document. The domain is what binds your DID to something tangible that the user might know about your business. Microsoft Authenticator and other digital wallets use this information to validate that your DID is linked to your domain. If the wallet can verify the DID, it displays a verified symbol. If the wallet can't verify the DID, it informs the user that the credential was issued by an organization it couldn't validate.   
+    1. **Domain**: Enter a domain that's added to a service endpoint in your decentralized identity (DID) document. The domain is what binds your DID to something tangible that the user might know about your business. Microsoft Authenticator and other digital wallets use this information to validate that your DID is linked to your domain. If the wallet can verify the DID, it displays a verified symbol. If the wallet can't verify the DID, it informs the user that the credential was issued by an organization it couldn't validate.
             
         >[!IMPORTANT]
         > The domain can't be a redirect. Otherwise, the DID and domain can't be linked. Make sure to use HTTPS for the domain. For example: `https://contoso.com`.
@@ -180,4 +196,4 @@ To set up Azure AD Verifiable Credentials, follow these steps:
 ## Next steps
 
 - [Learn how to issue Azure AD Verifiable Credentials from a web application](verifiable-credentials-configure-issuer.md).
-- [Learn how to verify Azure AD Verifiable Credentials](verifiable-credentials-configure-verifier.md).
+- [Learn how to verify Azure AD Verifiable Credentials](verifiable-credentials-configure-verifier.md).

articles/active-directory/verifiable-credentials/media/verifiable-credentials-configure-tenant/request-service-key-vault-access-policy.png

@@ -97,11 +97,6 @@ The following parameters can be leveraged to configure Private DNS Zone.
 ```azurecli-interactive
 az aks create -n <private-cluster-name> -g <private-cluster-resource-group> --load-balancer-sku standard --enable-private-cluster --enable-managed-identity --assign-identity <ResourceId> --private-dns-zone [system|none]
 ```
-### Create a private AKS cluster with a BYO Private DNS SubZone
-
-Prerequisites:
-
-* Azure CLI >= 2.32.0 or later.
 
 ### Create a private AKS cluster with Custom Private DNS Zone or Private DNS SubZone
 

articles/active-directory/verifiable-credentials/media/verifiable-credentials-configure-tenant/set-key-vault-service-principal-access-policy.png

@@ -26,8 +26,11 @@ In this article, you'll learn how to:
 ## Prerequisites
 
 - Complete the [Create an Azure API Management instance](get-started-create-service-instance.md) quickstart.
+
 - [Import and publish](import-and-publish.md) an Azure API Management instance.
 
+[!INCLUDE [azure-cli-prepare-your-environment-no-header.md](../../includes/azure-cli-prepare-your-environment-no-header.md)]
+
 [!INCLUDE [premium-dev-standard.md](../../includes/api-management-availability-premium-dev-standard.md)]
 
 ## Authorize developer accounts by using Azure AD
@@ -104,8 +107,9 @@ Follow these steps to grant:
 * `Directory.Read.All` application permission for Microsoft Graph API and Azure Active Directory Graph API.
 * `User.Read` delegated permission for Microsoft Graph API. 
 
-1. Update the first 3 lines of the following PowerShell script to match your environment and run it. 
-   ```powershell
+1. Update the first 3 lines of the following Azure CLI script to match your environment and run it.
+
+   ```azurecli
    $subId = "Your Azure subscription ID" #e.g. "1fb8fadf-03a3-4253-8993-65391f432d3a"
    $tenantId = "Your Azure AD Tenant or Organization ID" #e.g. 0e054eb4-e5d0-43b8-ba1e-d7b5156f6da8"
    $appObjectID = "Application Object ID that has been registered in AAD" #e.g. "2215b54a-df84-453f-b4db-ae079c0d2619"
@@ -115,9 +119,10 @@ Follow these steps to grant:
    #Assign the following permissions: Microsoft Graph Delegated Permission: User.Read, Microsoft Graph Application Permission: Directory.ReadAll,  Azure Active Directory Graph Application Permission: Directory.ReadAll (legacy)
    az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/$($tenantId)/applications/$($appObjectID)" --body "{'requiredResourceAccess':[{'resourceAccess': [{'id': 'e1fe6dd8-ba31-4d61-89e7-88639da4683d','type': 'Scope'},{'id': '7ab1d382-f21e-4acd-a863-ba3e13f7da61','type': 'Role'}],'resourceAppId': '00000003-0000-0000-c000-000000000000'},{'resourceAccess': [{'id': '5778995a-e1bf-45b8-affa-663a9f3f4d04','type': 'Role'}], 'resourceAppId': '00000002-0000-0000-c000-000000000000'}]}"
    ```
+
 2. Log out and log back in to the Azure portal.
 3. Navigate to the App Registration page for the application you registered in [the previous section](#authorize-developer-accounts-by-using-azure-ad). 
-4. Click **API Permissions**. You should see the permissions granted by the PowerShell script in step 1. 
+4. Click **API Permissions**. You should see the permissions granted by the Azure CLI script in step 1. 
 5. Select **Grant admin consent for {tenantname}** so that you grant access for all users in this directory. 
 
 Now you can add external Azure AD groups from the **Groups** tab of your API Management instance.