
Commit d8770fb

committed
Merge remote-tracking branch 'refs/remotes/MicrosoftDocs/master'
2 parents 473e202 + 8f412a4 commit d8770fb


112 files changed

+1703
-341
lines changed



articles/active-directory/manage-apps/methods-for-assigning-users-and-groups.md

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -30,10 +30,11 @@ This article shows you how to assign users or groups to an application in Azure
3030

3131
The availability of group-based assignment is determined by your license agreement. Group-based assignment is supported for Security groups only. Nested group memberships and O365 groups are not currently supported.
3232

33-
## Prerequisites
34-
Before you can assign users and groups to an application, you must require user assignment. To require user assignment:
33+
## Configure the application to require assignment
3534

36-
1. Log in to the Azure portal with an administrator account.
35+
An application can be configured to require assignment before it can be accessed. To require assignment:
36+
37+
1. Log in to the Azure portal with an administrator account, or as an owner of the app under **Enterprise apps**.
3738
2. Click on the **All services** item in the main menu.
3839
3. Choose the directory you are using for the application.
3940
4. Click on the **Enterprise applications** tab.
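Review bot: Renaming `## Prerequisites` to `## Configure the application to require assignment` (line 33) changes the heading anchor, so any page that links to `#prerequisites` in this article now lands nowhere; check for inbound links or keep a short Prerequisites section above the new heading. The rewritten step 1 also keeps "Log in" while the same commit switches to "Sign in" in advisor-cost-recommendations.md; suggest "Sign in to the Azure portal with an administrator account, or as an owner of the app under **Enterprise apps**" for consistency.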

articles/advisor/advisor-cost-recommendations.md

Lines changed: 6 additions & 4 deletions
@@ -16,7 +16,7 @@ Advisor helps you optimize and reduce your overall Azure spend by identifying id
1616

1717
## Optimize virtual machine spend by resizing or shutting down underutilized instances
1818

19-
Although certain application scenarios can result in low utilization by design, you can often save money by managing the size and number of your virtual machines. Advisor advanced evaluation models considers a virtual machines for shut-down when P95th of the max of max value of CPU utilization is less than 3% and network utilization is less than 2% over a 7 day period. Virtual machines are considered for right size when it is possible to fit the current load in a smaller SKU (within the same SKU family) or a smaller number # of instance such that the current load doesn’t go over 80% utilization when non-user facing workloads and not above 40% when user-facing workload. Here, the type of workload is determined by analyzing the CPU utilization characteristics of the workload.
19+
Although certain application scenarios can result in low utilization by design, you can often save money by managing the size and number of your virtual machines. Advisor advanced evaluation models considers virtual machines for shut-down when P95th of the max of max value of CPU utilization is less than 3% and network utilization is less than 2% over a 7 day period. Virtual machines are considered for right size when it is possible to fit the current load in a smaller SKU (within the same SKU family) or a smaller number # of instance such that the current load doesn’t go over 80% utilization when non-user facing workloads and not above 40% when user-facing workload. Here, the type of workload is determined by analyzing the CPU utilization characteristics of the workload.
2020

2121
The recommended actions are shut-down or resize, specific to resource being recommended for. Advisor shows you the estimated cost savings for either recommended actions - resize or shut-down. Also, for resize recommended action, Advisor provides current and target SKU information.
2222
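Review bot: The edit to line 19 fixes "a virtual machines" but leaves the rest of the sentence broken: "Advisor advanced evaluation models considers" (subject/verb), "P95th of the max of max value of CPU utilization", "a smaller number # of instance", and "when non-user facing workloads". Suggested wording: "Advisor's evaluation model considers a virtual machine for shutdown when the P95 of its maximum CPU utilization is below 3% and its network utilization is below 2% over a 7-day period. Virtual machines are considered for resizing when the current load fits in a smaller SKU (within the same SKU family) or a smaller number of instances such that the load stays under 80% utilization for non-user-facing workloads and under 40% for user-facing workloads."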

@@ -45,13 +45,15 @@ Advisor identifies public IP addresses that are not currently associated to Azur
4545
Azure Advisor will detect Azure Data Factory pipelines that repeatedly fail and recommend that you resolve the issues or delete the failing pipelines if they are no longer needed. You will be billed for these pipelines even if though they are not serving you while they are failing.
4646

4747
## Use Standard Snapshots for Managed Disks
48-
To save 60% of cost, we recommend storing your snapshots in Standard Storage, regardless of the storage type of the parent disk. This is the default option for Managed Disks snapshots. Azure Advisor will identify snapshots that are stored Premium Storage and recommend migrating your snapshot from Premium to Standard Storage. [Learn more about Managed Disk pricing](https://aka.ms/aa_manageddisksnapshot_learnmore)
48+
To save 60% of cost, we recommend storing your snapshots in Standard Storage, regardless of the storage type of the parent disk. This option is the default option for Managed Disks snapshots. Azure Advisor will identify snapshots that are stored Premium Storage and recommend migrating your snapshot from Premium to Standard Storage. [Learn more about Managed Disk pricing](https://aka.ms/aa_manageddisksnapshot_learnmore)
4949

5050
## How to access Cost recommendations in Azure Advisor
5151

52-
1. Sign in to the [Azure portal](https://portal.azure.com), and then open [Advisor](https://aka.ms/azureadvisordashboard).
52+
1. Sign in to the [Azure portal](https://portal.azure.com).
5353

54-
2. On the Advisor dashboard, click the **Cost** tab.
54+
1. Search for and select [**Advisor**](https://aka.ms/azureadvisordashboard) from any page.
55+
56+
1. On the **Advisor** dashboard, select the **Cost** tab.
5557

5658
## Next steps
5759
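Review bot: "This option is the default option for Managed Disks snapshots" (line 48) replaces one awkward sentence with a redundant one; "Standard Storage is the default for Managed Disks snapshots" reads better. The same line still says "snapshots that are stored Premium Storage" (missing "in"), and the unchanged line 45 has "even if though they are not serving you"; both are worth fixing while the file is open.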

articles/api-management/api-management-howto-protect-backend-with-aad.md

Lines changed: 2 additions & 4 deletions
@@ -57,9 +57,7 @@ To protect an API with Azure AD, the first step is to register an application in
5757

5858
1. On the app **Overview** page, find the **Application (client) ID** value and record it for later.
5959

60-
When the application is created, make a note of the **Application ID**, for use in a subsequent step.
61-
62-
1. Select **Expose an API** and click on **Save and continue** to create an Application ID URI.
60+
1. Select **Expose an API** and set the **Application ID URI** with the default value. Record this value for later.
6361

6462
1. In the **Add a scope** page, create a new scope supported by the API. (e.g., Read) then click on *Add scope* to create the scope. Repeat this step to add all scopes supported by your API.
6563
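Review bot: The new step on line 60 says "Record this value for later" without saying where the Application ID URI is used; since the validate-jwt policy later in this same file now expects it in the `aud` claim, point the reader at that use, and make clear that it is a different value from the Application (client) ID recorded in step 58, so the two identifiers are not confused when the policy is filled in.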

@@ -200,7 +198,7 @@ You can use the [Validate JWT](api-management-access-restriction-policies.md#Val
200198
<openid-config url="https://login.microsoftonline.com/{aad-tenant}/.well-known/openid-configuration" />
201199
<required-claims>
202200
<claim name="aud">
203-
<value>{Application ID of backend-app}</value>
201+
<value>{Application ID URI of backend-app}</value>
204202
</claim>
205203
</required-claims>
206204
</validate-jwt>
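Review bot: Changing the `aud` value to `{Application ID URI of backend-app}` (line 201) is only correct when the token actually carries that identifier: Azure AD v1.0 access tokens put the identifier the client requested (App ID URI or client ID) in `aud`, whereas v2.0 access tokens carry the API's client ID. The doc should say which endpoint the sample assumes, or tell the reader to inspect `aud` in a decoded token before deploying, because a mismatch makes the validate-jwt policy reject every request.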

articles/api-management/api-management-role-based-access-control.md

Lines changed: 8 additions & 8 deletions
@@ -24,17 +24,17 @@ Azure API Management relies on Azure Role-Based Access Control (RBAC) to enable
2424

2525
## Built-in roles
2626

27-
API Management currently provides three built-in roles and will add two more roles in the near future. These roles can be assigned at different scopes, including subscription, resource group, and individual API Management instance. For instance, if you assign the "Azure API Management Service Reader" role to a user at the resource-group level, then the user has read access to all API Management instances inside the resource group.
27+
API Management currently provides three built-in roles and will add two more roles in the near future. These roles can be assigned at different scopes, including subscription, resource group, and individual API Management instance. For instance, if you assign the "API Management Service Reader" role to a user at the resource-group level, then the user has read access to all API Management instances inside the resource group.
2828

2929
The following table provides brief descriptions of the built-in roles. You can assign these roles by using the Azure portal or other tools, including Azure [PowerShell](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-powershell), [Azure CLI](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-cli), and [REST API](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-rest). For details about how to assign built-in roles, see [Use role assignments to manage access to your Azure subscription resources](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal).
3030

3131
| Role | Read access<sup>[1]</sup> | Write access<sup>[2]</sup> | Service creation, deletion, scaling, VPN, and custom domain configuration | Access to the legacy publisher portal | Description
3232
| ------------- | ---- | ---- | ---- | ---- | ----
33-
| Azure API Management Service Contributor ||||| Super user. Has full CRUD access to API Management services and entities (for example, APIs and policies). Has access to the legacy publisher portal. |
34-
| Azure API Management Service Reader || | || Has read-only access to API Management services and entities. |
35-
| Azure API Management Service Operator || || | Can manage API Management services, but not entities.|
36-
| Azure API Management Service Editor<sup>*</sup> ||| | | Can manage API Management entities, but not services.|
37-
| Azure API Management Content Manager<sup>*</sup> || | || Can manage the developer portal. Read-only access to services and entities.|
33+
| API Management Service Contributor ||||| Super user. Has full CRUD access to API Management services and entities (for example, APIs and policies). Has access to the legacy publisher portal. |
34+
| API Management Service Reader || | || Has read-only access to API Management services and entities. |
35+
| API Management Service Operator || || | Can manage API Management services, but not entities.|
36+
| API Management Service Editor<sup>*</sup> ||| | | Can manage API Management entities, but not services.|
37+
| API Management Content Manager<sup>*</sup> || | || Can manage the developer portal. Read-only access to services and entities.|
3838

3939
<sup>[1] Read access to API Management services and entities (for example, APIs and policies).</sup>
4040

@@ -49,7 +49,7 @@ If none of the built-in roles meet your specific needs, custom roles can be crea
4949
> [!NOTE]
5050
> To be able to see an API Management instance in the Azure portal, a custom role must include the ```Microsoft.ApiManagement/service/read``` action.
5151
52-
When you create a custom role, it's easier to start with one of the built-in roles. Edit the attributes to add **Actions**, **NotActions**, or **AssignableScopes**, and then save the changes as a new role. The following example begins with the "Azure API Management Service Reader" role and creates a custom role called "Calculator API Editor." You can assign the custom role to a specific API. Consequently, this role only has access to that API.
52+
When you create a custom role, it's easier to start with one of the built-in roles. Edit the attributes to add **Actions**, **NotActions**, or **AssignableScopes**, and then save the changes as a new role. The following example begins with the "API Management Service Reader" role and creates a custom role called "Calculator API Editor." You can assign the custom role to a specific API. Consequently, this role only has access to that API.
5353

5454
```powershell
5555
$role = Get-AzRoleDefinition "API Management Service Reader Role"
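Review bot: The prose on line 52 now names the role "API Management Service Reader", but the PowerShell sample on line 55 still passes `"API Management Service Reader Role"` to Get-AzRoleDefinition. Get-AzRoleDefinition matches on the exact role name, so if the built-in role is named without the trailing "Role" the call returns nothing and the custom-role creation that line 52 describes starts from a null object; align the string with the name used in the table earlier in this file.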
@@ -79,4 +79,4 @@ To learn more about Role-Based Access Control in Azure, see the following articl
7979
* [Get started with access management in the Azure portal](../role-based-access-control/overview.md)
8080
* [Use role assignments to manage access to your Azure subscription resources](../role-based-access-control/role-assignments-portal.md)
8181
* [Custom roles in Azure RBAC](../role-based-access-control/custom-roles.md)
82-
* [Azure Resource Manager resource provider operations](../role-based-access-control/resource-provider-operations.md#microsoftapimanagement)
82+
* [Azure Resource Manager resource provider operations](../role-based-access-control/resource-provider-operations.md#microsoftapimanagement)

articles/app-service/app-service-ip-restrictions.md

Lines changed: 40 additions & 24 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: Restrict access for IP addresses
3-
description: Learn how to secure your app in Azure App Service by explicitly whitelisting client IP addresses or address ranges.
2+
title: Azure App Service access restrictions
3+
description: Learn how to secure your app in Azure App Service by specifying access restrictions.
44
author: ccompy
55

66
ms.assetid: 3be1f4bd-8a81-4565-8a56-528c037b24bd
@@ -12,19 +12,19 @@ ms.custom: seodec18
1212
---
1313
# Azure App Service Access Restrictions #
1414

15-
Access Restrictions enable you to define a priority ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, there is then an implicit "deny all" that exists at the end of the list.
15+
Access restrictions enable you to define a priority ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, there is then an implicit "deny all" that exists at the end of the list.
1616

17-
The Access Restrictions capability works with all App Service hosted work loads including; web apps, API apps, Linux apps, Linux container apps, and Functions.
17+
The access restrictions capability works with all App Service hosted work loads including; web apps, API apps, Linux apps, Linux container apps, and Functions.
1818

1919
When a request is made to your app, the FROM address is evaluated against the IP address rules in your access restrictions list. If the FROM address is in a subnet that is configured with service endpoints to Microsoft.Web, then the source subnet is compared against the virtual network rules in your access restrictions list. If the address is not allowed access based on the rules in the list, the service replies with an [HTTP 403](https://en.wikipedia.org/wiki/HTTP_403) status code.
2020

2121
The access restrictions capability is implemented in the App Service front-end roles, which are upstream of the worker hosts where your code runs. Therefore, access restrictions are effectively network ACLs.
2222

23-
The ability to restrict access to your web app from an Azure Virtual Network (VNet) is called [service endpoints][serviceendpoints]. Service endpoints enable you to restrict access to a multi-tenant service from selected subnets. It must be enabled on both the networking side as well as the service that it is being enabled with. It does not work to restrict traffic to apps that are hosted in an App Service Environment. If you are in an App Service Environment, you can control access to your app with IP address rules.
23+
The ability to restrict access to your web app from an Azure Virtual Network (VNet) is called [service endpoints][serviceendpoints]. Service endpoints enable you to restrict access to a multi-tenant service from selected subnets. It must be enabled on both the networking side as well as the service that it is being enabled with. It does not work to restrict traffic to apps that are hosted in an App Service Environment. If you are in an App Service Environment, you can control access to your app with IP address rules.
2424

2525
![access restrictions flow](media/app-service-ip-restrictions/access-restrictions-flow.png)
2626

27-
## Adding and editing Access Restriction rules in the portal ##
27+
## Adding and editing access restriction rules in the portal ##
2828

2929
To add an access restriction rule to your app, use the menu to open **Network**>**Access Restrictions** and click on **Configure Access Restrictions**
3030
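Review bot: Line 17 is touched only for capitalization but keeps "work loads including;" (should be "workloads, including"), and line 15 keeps "priority ordered" (hyphenate as "priority-ordered"); both are easy to fix in the same hunk. The new version of line 23 also appears identical to the old one apart from whitespace, producing a no-op diff line; confirm that is intended.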

@@ -54,7 +54,7 @@ Service endpoints enables you to restrict access to selected Azure virtual netwo
5454

5555
Service endpoints cannot be used to restrict access to apps that run in an App Service Environment. When your app is in an App Service Environment, you can control access to your app with IP access rules.
5656

57-
With service endpoints, you can configure your app with Application Gateways or other WAF devices. You can also configure multi-tier applications with secure backends. For more details on some of the possibilities, read [Networking features and App Service](networking-features.md).
57+
With service endpoints, you can configure your app with Application Gateways or other WAF devices. You can also configure multi-tier applications with secure backends. For more details on some of the possibilities, read [Networking features and App Service](networking-features.md) and [Application Gateway integration with service endpoints](networking/app-gateway-with-service-endpoints.md).
5858

5959
## Managing access restriction rules
6060
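Review bot: The added link `networking/app-gateway-with-service-endpoints.md` is a relative path into a subfolder; confirm the file exists in this commit, since a broken relative link fails docs validation. On the substance of line 57, it is worth stating that an Application Gateway or other WAF in front of the app only protects it if the access restriction list allows the gateway's subnet alone (via service endpoints), so that the WAF cannot be bypassed by connecting to the app directly; that is the reason the new link matters.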

@@ -86,34 +86,50 @@ In addition to being able to control access to your app, you can also restrict a
8686

8787
## Programmatic manipulation of access restriction rules ##
8888

89-
There currently is no CLI or PowerShell for the new Access Restrictions capability but the values can be set manually with an [Azure REST API](https://docs.microsoft.com/rest/api/azure/) PUT operation on the app configuration in Resource Manager. As an example, you can use resources.azure.com and edit the ipSecurityRestrictions block to add the required JSON.
89+
[Azure CLI](https://docs.microsoft.com/cli/azure/webapp/config/access-restriction?view=azure-cli-latest) and [Azure PowerShell](https://docs.microsoft.com/powershell/module/Az.Websites/Add-AzWebAppAccessRestrictionRule?view=azps-3.1.0) has support for editing access restrictions.
90+
Example of adding an access restriction using Azure CLI:
91+
92+
```azurecli-interactive
93+
az webapp config access-restriction add --resource-group ResourceGroup --name AppName \
94+
--rule-name 'IP example rule' --action Allow --ip-address 122.133.144.0/24 --priority 100
95+
```
96+
Example of adding an access restriction using Azure PowerShell:
97+
98+
```azurepowershell-interactive
99+
Add-AzWebAppAccessRestrictionRule -ResourceGroupName "ResourceGroup" -WebAppName "AppName"
100+
-Name "Ip example rule" -Priority 100 -Action Allow -IpAddress 122.133.144.0/24
101+
```
102+
103+
Values can also be set manually with an [Azure REST API](https://docs.microsoft.com/rest/api/azure/) PUT operation on the app configuration in Resource Manager or using an Azure Resource Manager template. As an example, you can use resources.azure.com and edit the ipSecurityRestrictions block to add the required JSON.
90104

91105
The location for this information in Resource Manager is:
92106

93107
management.azure.com/subscriptions/**subscription ID**/resourceGroups/**resource groups**/providers/Microsoft.Web/sites/**web app name**/config/web?api-version=2018-02-01
94108

95109
The JSON syntax for the earlier example is:
96-
97-
{
98-
"properties": {
99-
"ipSecurityRestrictions": [
100-
{
101-
"ipAddress": "122.133.144.0/24",
102-
"action": "Allow",
103-
"tag": "Default",
104-
"priority": 100,
105-
"name": "IP example rule"
106-
}
107-
]
110+
```json
111+
{
112+
"properties": {
113+
"ipSecurityRestrictions": [
114+
{
115+
"ipAddress": "122.133.144.0/24",
116+
"action": "Allow",
117+
"priority": 100,
118+
"name": "IP example rule"
108119
}
109-
}
120+
]
121+
}
122+
}
123+
```
110124

111-
## Function App IP Restrictions
125+
## Azure Function App Access Restrictions
112126

113-
IP restrictions are available for both Function Apps with the same functionality as App Service plans. Enabling IP restrictions will disable the portal code editor for any disallowed IPs.
127+
Access restrictions are available for both Function Apps with the same functionality as App Service plans. Enabling access restrictions will disable the portal code editor for any disallowed IPs.
114128

115-
[Learn more here](../azure-functions/functions-networking-options.md#inbound-ip-restrictions)
129+
## Next steps
130+
[Access restrictions for Azure Function Apps](../azure-functions/functions-networking-options.md#inbound-ip-restrictions)
116131

132+
[Application Gateway integration with service endpoints](networking/app-gateway-with-service-endpoints.md)
117133

118134
<!--Links-->
119135
[serviceendpoints]: https://docs.microsoft.com/azure/virtual-network/virtual-network-service-endpoints-overview
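Review bot: The PowerShell sample on lines 99-100 splits one command across two lines without a continuation character (the CLI sample on lines 93-94 correctly ends line 93 with `\`), so pasted as written PowerShell runs `Add-AzWebAppAccessRestrictionRule` without `-Name`, `-Priority`, `-Action` and `-IpAddress` and then tries to execute `-Name` as a second command; end line 99 with a trailing backtick. Smaller points in the same hunk: the rule is called "IP example rule" in the CLI and JSON samples but "Ip example rule" in the PowerShell one, and 122.133.144.0/24 is a routable range that may belong to a real network, so an RFC 5737 documentation range such as 203.0.113.0/24 would be the safer sample value.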
