MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 100 additions & 5 deletions b/‎.openpublishing.redirection.json
Lines changed: 100 additions & 5 deletions
diff --git a/‎articles/active-directory/develop/scenario-web-api-call-api-app-configuration.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/develop/scenario-web-api-call-api-app-configuration.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/hybrid/reference-connect-version-history.md
Lines changed: 7 additions & 0 deletions b/‎articles/active-directory/hybrid/reference-connect-version-history.md
Lines changed: 7 additions & 0 deletions
diff --git a/‎articles/aks/use-pod-security-policies.md
Lines changed: 15 additions & 91 deletions b/‎articles/aks/use-pod-security-policies.md
Lines changed: 15 additions & 91 deletions
@@ -40082,12 +40082,12 @@
     },
     {
       "source_path": "articles/iot-central/tutorial-add-device-pnp.md",
-      "redirect_url": "/azure/iot-central/core/quick-create-pnp-device",
+      "redirect_url": "/azure/iot-central/core/tutorial-connect-pnp-device",
       "redirect_document_id": false
     },
     {
       "source_path": "articles/iot-central/tutorial-define-device-type-pnp.md",
-      "redirect_url": "/azure/iot-central/core/quick-create-pnp-device",
+      "redirect_url": "/azure/iot-central/core/howto-set-up-template",
       "redirect_document_id": false
     },
     {
@@ -46282,7 +46282,7 @@
     },
     {
       "source_path": "articles/iot-central/quick-create-pnp-device-pnp.md",
-      "redirect_url": "/azure/iot-central/core/quick-create-pnp-device/",
+      "redirect_url": "/azure/iot-central/core/quick-create-simulated-device/",
       "redirect_document_id": false
     },
     {
@@ -46347,7 +46347,12 @@
     },
     {
       "source_path": "articles/iot-central/core/quick-create-pnp-device-pnp.md",
-      "redirect_url": "/azure/iot-central/core/quick-create-pnp-device/",
+      "redirect_url": "/azure/iot-central/core/quick-create-simulated-device/",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/iot-central/core/quick-create-pnp-device.md",
+      "redirect_url": "/azure/iot-central/core/quick-create-simulated-device/",
       "redirect_document_id": false
     },
     {
@@ -46782,7 +46787,7 @@
     },
     {
       "source_path": "articles/iot-central/preview/quick-create-pnp-device.md",
-      "redirect_url": "/azure/iot-central/core/quick-create-pnp-device/",
+      "redirect_url": "/azure/iot-central/core/quick-create-simulated-device/",
       "redirect_document_id": false
     },
     {
@@ -46880,6 +46885,66 @@
       "redirect_url": "/azure/iot-central/core/tutorial-connect-device-nodejs",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/iot-central/retail/architecture-connected-logistics-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/architecture-connected-logistics",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/architecture-digital-distribution-center-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/architecture-digital-distribution-center",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/architecture-micro-fulfillment-center-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/architecture-micro-fulfillment-center",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/architecture-smart-inventory-management-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/architecture-smart-inventory-management",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/overview-iot-central-retail-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/overview-iot-central-retail",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/tutorial-in-store-analytics-create-app-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/tutorial-in-store-analytics-create-app",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/tutorial-in-store-analytics-customize-dashboard-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/tutorial-in-store-analytics-customize-dashboard",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/tutorial-in-store-analytics-export-data-visualize-insights-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/tutorial-in-store-analytics-export-data-visualize-insights",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/tutorial-iot-central-connected-logistics-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/tutorial-iot-central-connected-logistics",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/tutorial-iot-central-digital-distribution-center-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/tutorial-iot-central-digital-distribution-center",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/tutorial-iot-central-smart-inventory-management-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/tutorial-iot-central-smart-inventory-management",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/iot-central/retail/tutorial-micro-fulfillment-center-pnp.md",
+      "redirect_url": "/azure/iot-central/retail/tutorial-micro-fulfillment-center",
+      "redirect_document_id": true
+    },
     {
       "source_path": "articles/iot-accelerators/iot-accelerators-arduino-iot-devkit-az3166-devkit-remote-monitoringV2.md",
       "redirect_url": "/azure/iot-accelerators/iot-accelerators-arduino-iot-devkit-az3166-devkit-remote-monitoring-v2",
@@ -50588,6 +50653,36 @@
       "source_path": "articles/ansible/index.yml",
       "redirect_url": "/azure/developer/ansible/",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/chef/chef-automation.md",
+      "redirect_url": "/azure/developer/chef/windows-vm-configure",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/chef/chef-extension-portal.md",
+      "redirect_url": "/azure/developer/chef/client-install-from-azure-portal",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/chef/chef-habitat-overview.md",
+      "redirect_url": "/azure/developer/chef/habitat-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/chef/chef-inspec-overview.md",
+      "redirect_url": "/azure/developer/chef/inspec-overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/chef/chef-overview.md",
+      "redirect_url": "/azure/developer/chef/overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/chef/index.yml",
+      "redirect_url": "/azure/developer/chef/",
+      "redirect_document_id": false
     }
   ]
 }
@@ -211,7 +211,7 @@ class MsalAuthHelper {
 
 The On-behalf-of (OBO) flow is used to obtain a token to call the downstream web API. In this flow, your web API receives a bearer token with user delegated permissions from the client application and then exchanges this token for another access token to call the downstream web API.
 
-A Python web API will need to use some middleware to validate the bearer token received from the client. The web API can then obtain the access token for downstream API using MSAL Python library by calling the [`acquire_token_on_behalf_of`](https://msal-python.readthedocs.io/en/latest/?badge=latest#msal.ConfidentialClientApplication.acquire_token_on_behalf_of) method. A sample demonstrating this flow with MSAL Python is not yet available.
+A Python web API will need to use some middleware to validate the bearer token received from the client. The web API can then obtain the access token for downstream API using MSAL Python library by calling the [`acquire_token_on_behalf_of`](https://msal-python.readthedocs.io/en/latest/?badge=latest#msal.ConfidentialClientApplication.acquire_token_on_behalf_of) method. For an example of using this API, see the [test code for the microsoft-authentication-library-for-python on GitHub](https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/1.2.0/tests/test_e2e.py#L429-L472). Also see the discussion of [issue 53](https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/53) in that same repository for an approach that bypasses the need for a middle-tier application.
 
 ---
 
 
@@ -43,6 +43,13 @@ Not all releases of Azure AD Connect will be made available for auto upgrade. Th
 >
 >Please refer to [this article](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-upgrade-previous-version) to learn more about how to upgrade Azure AD Connect to the latest version.
 
+## 1.5.20.0
+
+### Release status
+04/09/2020: Released for download
+
+### Fixed issues
+This hotfix build fixes an issue with build 1.5.18.0 if you have the Group Filtering feature enabled and use mS-DS-ConsistencyGuid as the source anchor.
 
 ## 1.5.18.0
 
 
@@ -3,8 +3,7 @@ title: Use pod security policies in Azure Kubernetes Service (AKS)
 description: Learn how to control pod admissions by using PodSecurityPolicy in Azure Kubernetes Service (AKS)
 services: container-service
 ms.topic: article
-ms.date: 04/17/2019
-
+ms.date: 04/08/2020
 ---
 
 # Preview - Secure your cluster using pod security policies in Azure Kubernetes Service (AKS)
@@ -99,17 +98,17 @@ NAME         PRIV    CAPS   SELINUX    RUNASUSER          FSGROUP     SUPGROUP
 privileged   true    *      RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *     configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
 ```
 
-The *privileged* pod security policy is applied to any authenticated user in the AKS cluster. This assignment is controlled by ClusterRoles and ClusterRoleBindings. Use the [kubectl get clusterrolebindings][kubectl-get] command and search for the *default:privileged:* binding:
+The *privileged* pod security policy is applied to any authenticated user in the AKS cluster. This assignment is controlled by ClusterRoles and ClusterRoleBindings. Use the [kubectl get rolebindings][kubectl-get] command and search for the *default:privileged:* binding in the *kube-system* namespace:
 
 ```console
-kubectl get clusterrolebindings default:privileged -o yaml
+kubectl get rolebindings default:privileged -n kube-system -o yaml
 ```
 
 As shown in the following condensed output, the *psp:restricted* ClusterRole is assigned to any *system:authenticated* users. This ability provides a basic level of restrictions without your own policies being defined.
 
 ```
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   [...]
   name: default:privileged
@@ -121,7 +120,7 @@ roleRef:
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group
-  name: system:authenticated
+  name: system:masters
 ```
 
 It's important to understand how these default policies interact with user requests to schedule pods before you start to create your own pod security policies. In the next few sections, let's schedule some pods to see these default policies in action.
@@ -191,7 +190,7 @@ The pod fails to be scheduled, as shown in the following example output:
 ```console
 $ kubectl-nonadminuser apply -f nginx-privileged.yaml
 
-Error from server (Forbidden): error when creating "nginx-privileged.yaml": pods "nginx-privileged" is forbidden: unable to validate against any pod security policy: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
+Error from server (Forbidden): error when creating "nginx-privileged.yaml": pods "nginx-privileged" is forbidden: unable to validate against any pod security policy: []
 ```
 
 The pod doesn't reach the scheduling stage, so there are no resources to delete before you move on.
@@ -219,44 +218,15 @@ Create the pod using the [kubectl apply][kubectl-apply] command and specify the
 kubectl-nonadminuser apply -f nginx-unprivileged.yaml
 ```
 
-The Kubernetes scheduler accepts the pod request. However, if you look at the status of the pod using `kubectl get pods`, there's an error:
-
-```console
-$ kubectl-nonadminuser get pods
-
-NAME                 READY   STATUS                       RESTARTS   AGE
-nginx-unprivileged   0/1     CreateContainerConfigError   0          26s
-```
-
-Use the [kubectl describe pod][kubectl-describe] command to look at the events for the pod. The following condensed example shows the container and image require root permissions, even though we didn't request them:
+The pod fails to be scheduled, as shown in the following example output:
 
 ```console
-$ kubectl-nonadminuser describe pod nginx-unprivileged
+$ kubectl-nonadminuser apply -f nginx-unprivileged.yaml
 
-Name:               nginx-unprivileged
-Namespace:          psp-aks
-Priority:           0
-PriorityClassName:  <none>
-Node:               aks-agentpool-34777077-0/10.240.0.4
-Start Time:         Thu, 28 Mar 2019 22:05:04 +0000
-[...]
-Events:
-  Type     Reason     Age                     From                               Message
-  ----     ------     ----                    ----                               -------
-  Normal   Scheduled  7m14s                   default-scheduler                  Successfully assigned psp-aks/nginx-unprivileged to aks-agentpool-34777077-0
-  Warning  Failed     5m2s (x12 over 7m13s)   kubelet, aks-agentpool-34777077-0  Error: container has runAsNonRoot and image will run as root
-  Normal   Pulled     2m10s (x25 over 7m13s)  kubelet, aks-agentpool-34777077-0  Container image "nginx:1.14.2" already present on machine
+Error from server (Forbidden): error when creating "nginx-unprivileged.yaml": pods "nginx-unprivileged" is forbidden: unable to validate against any pod security policy: []
 ```
 
-Even though we didn't request any privileged access, the container image for NGINX needs to create a binding for port *80*. To bind ports *1024* and below, the *root* user is required. When the pod tries to start, the *restricted* pod security policy denies this request.
-
-This example shows that the default pod security policies created by AKS are in effect and restrict the actions a user can perform. It's important to understand the behavior of these default policies, as you may not expect a basic NGINX pod to be denied.
-
-Before you move on to the next step, delete this test pod using the [kubectl delete pod][kubectl-delete] command:
-
-```console
-kubectl-nonadminuser delete -f nginx-unprivileged.yaml
-```
+The pod doesn't reach the scheduling stage, so there are no resources to delete before you move on.
 
 ## Test creation of a pod with a specific user context
 
@@ -283,61 +253,15 @@ Create the pod using the [kubectl apply][kubectl-apply] command and specify the
 kubectl-nonadminuser apply -f nginx-unprivileged-nonroot.yaml
 ```
 
-The Kubernetes scheduler accepts the pod request. However, if you look at the status of the pod using `kubectl get pods`, there's a different error than the previous example:
-
-```console
-$ kubectl-nonadminuser get pods
-
-NAME                         READY   STATUS              RESTARTS   AGE
-nginx-unprivileged-nonroot   0/1     CrashLoopBackOff    1          3s
-```
-
-Use the [kubectl describe pod][kubectl-describe] command to look at the events for the pod. The following condensed example shows the pod events:
-
-```console
-$ kubectl-nonadminuser describe pods nginx-unprivileged
-
-Name:               nginx-unprivileged
-Namespace:          psp-aks
-Priority:           0
-PriorityClassName:  <none>
-Node:               aks-agentpool-34777077-0/10.240.0.4
-Start Time:         Thu, 28 Mar 2019 22:05:04 +0000
-[...]
-Events:
-  Type     Reason     Age                   From                               Message
-  ----     ------     ----                  ----                               -------
-  Normal   Scheduled  2m14s                 default-scheduler                  Successfully assigned psp-aks/nginx-unprivileged-nonroot to aks-agentpool-34777077-0
-  Normal   Pulled     118s (x3 over 2m13s)  kubelet, aks-agentpool-34777077-0  Container image "nginx:1.14.2" already present on machine
-  Normal   Created    118s (x3 over 2m13s)  kubelet, aks-agentpool-34777077-0  Created container
-  Normal   Started    118s (x3 over 2m12s)  kubelet, aks-agentpool-34777077-0  Started container
-  Warning  BackOff    105s (x5 over 2m11s)  kubelet, aks-agentpool-34777077-0  Back-off restarting failed container
-```
-
-The events indicate that the container was created and started. There's nothing immediately obvious as to why the pod is in a failed state. Let's look at the pod logs using the [kubectl logs][kubectl-logs] command:
-
-```console
-kubectl-nonadminuser logs nginx-unprivileged-nonroot --previous
-```
-
-The following example log output gives an indication that within the NGINX configuration itself, there's a permissions error when the service tries to start. This error is again caused by needing to bind to port 80. Although the pod specification defined a regular user account, this user account isn't sufficient in the OS-level for the NGINX service to start and bind to the restricted port.
+The pod fails to be scheduled, as shown in the following example output:
 
 ```console
-$ kubectl-nonadminuser logs nginx-unprivileged-nonroot --previous
+$ kubectl-nonadminuser apply -f nginx-unprivileged-nonroot.yaml
 
-2019/03/28 22:38:29 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
-nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
-2019/03/28 22:38:29 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
-nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
+Error from server (Forbidden): error when creating "nginx-unprivileged-nonroot.yaml": pods "nginx-unprivileged-nonroot" is forbidden: unable to validate against any pod security policy: []
 ```
 
-Again, it's important to understand the behavior of the default pod security policies. This error was a little harder to track down, and again, you may not expect a basic NGINX pod to be denied.
-
-Before you move on to the next step, delete this test pod using the [kubectl delete pod][kubectl-delete] command:
-
-```console
-kubectl-nonadminuser delete -f nginx-unprivileged-nonroot.yaml
-```
+The pod doesn't reach the scheduling stage, so there are no resources to delete before you move on.
 
 ## Create a custom pod security policy
 
@@ -379,7 +303,7 @@ $ kubectl get psp
 
 NAME                  PRIV    CAPS   SELINUX    RUNASUSER          FSGROUP     SUPGROUP    READONLYROOTFS   VOLUMES
 privileged            true    *      RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *
-psp-deny-privileged   false          RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *          configMap,emptyDir,projected,secret,downwardAPI,persistentVolumeClaim
+psp-deny-privileged   false          RunAsAny   RunAsAny           RunAsAny    RunAsAny    false            *          
 ```
 
 ## Allow user account to use the custom pod security policy