Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into release-synapse-current

Author: v-alje

articles/active-directory/authentication/concept-authentication-methods.md

@@ -33,7 +33,7 @@ Some of these settings apply to MFA Server, Azure MFA, or both.
 | [Block/unblock users](#block-and-unblock-users) | Used to block specific users from being able to receive Multi-Factor Authentication requests. Any authentication attempts for blocked users are automatically denied. Users remain blocked for 90 days from the time that they are blocked. |
 | [Fraud alert](#fraud-alert) | Configure settings related to users ability to report fraudulent verification requests |
 | [Notifications](#notifications) | Enable notifications of events from MFA Server. |
-| [OATH tokens](concept-authentication-methods.md#oath-hardware-tokens-public-preview) | Used in cloud-based Azure MFA environments to manage OATH tokens for users. |
+| [OATH tokens](concept-authentication-methods.md#oath-hardware-tokens) | Used in cloud-based Azure MFA environments to manage OATH tokens for users. |
 | [Phone call settings](#phone-call-settings) | Configure settings related to phone calls and greetings for cloud and on-premises environments. |
 | Providers | This will show any existing authentication providers that you may have associated with your account. New authentication providers may not be created as of September 1, 2018 |
 

articles/active-directory/authentication/howto-mfa-mfasettings.md

@@ -1,6 +1,6 @@
 ---
-title: 'Azure AD Connect: Hybrid identity considerations for Azure Government'
-description: Special considerations for deploying Azure AD Connect with the government cloud.
+title: 'Azure AD Connect: Hybrid identity considerations for Azure Government cloud'
+description: Special considerations for deploying Azure AD Connect with the Azure Government cloud.
 services: active-directory
 author: billmath
 manager: daveba
@@ -13,68 +13,89 @@ ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
-# Hybrid identity considerations for Azure Government 
-The following document describes the considerations for implementing a hybrid environment with the Azure Government cloud.  This information is provided as reference for administrators and architects who are working with the Azure Government cloud.  
-> [!NOTE] 
-> In order to integrate an on-premises AD environment with the Azure Governemnt cloud, you need to upgrade to the latest release of [Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594). 
+# Hybrid identity considerations for the Azure Government cloud
 
-> [!NOTE] 
-> For a full list of U.S. Government DoD Endpoints, refer to the [documentation](https://docs.microsoft.com/office365/enterprise/office-365-u-s-government-dod-endpoints) 
+This article describes considerations for integrating a hybrid environment with the Microsoft Azure Government cloud. This information is provided as a reference for administrators and architects who work with the Azure Government cloud.
 
-## Pass-Through Authentication 
-The following information is provided for implementation of pass-through authentication (PTA) and the Azure Government cloud.
+> [!NOTE]
+> To integrate an on-premises Microsoft Azure Active Directory (Azure AD) environment with the Azure Government cloud, you need to upgrade to the latest release of [Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594).
+
+For a full list of United States government Department of Defense endpoints, refer to the [documentation](https://docs.microsoft.com/office365/enterprise/office-365-u-s-government-dod-endpoints).
+
+## Azure AD Pass-through Authentication
+
+The following information describes implementation of Pass-through Authentication and the Azure Government cloud.
+
+### Allow access to URLs
+
+Before you deploy the Pass-through Authentication agent, verify whether a firewall exists between your servers and Azure AD. If your firewall or proxy allows Domain Name System (DNS) blocked or safe programs, add the following connections.
 
-### Allow access to URLs  
-Before deploying the pass-through authentication agent, verify if there is a firewall between your servers and Azure AD. If your firewall or proxy allows DNS whitelisting, add the following connections: 
 > [!NOTE]
-> The following guidance also applies to installing the [Application Proxy connector](https://aka.ms/whyappproxy) for Azure Government environments.
+> The following guidance also applies to installing the [Azure AD Application Proxy connector](https://aka.ms/whyappproxy) for Azure Government environments.
 
 |URL |How it's used|
-|-----|-----| 
-|*.msappproxy.us *.servicebus.usgovcloudapi.net|Communication between the agent and the Azure AD cloud service |
-|mscrl.microsoft.us:80 crl.microsoft.us:80 </br>ocsp.msocsp.us:80 www.microsoft.us:80| The agent uses these URLs to verify certificates.| 
-|login.windows.us secure.aadcdn.microsoftonline-p.com *.microsoftonline.us </br>*.microsoftonline-p.us </br>*.msauth.net </br>*.msauthimages.net </br>*.msecnd.net</br>*.msftauth.net </br>*.msftauthimages.net</br>*.phonefactor.net </br>enterpriseregistration.windows.net</br>management.azure.com </br>policykeyservice.dc.ad.msft.net</br>ctdl.windowsupdate.us:80| The agent uses these URLs during the registration process.| 
-
-### Install the agent for the Azure Government cloud 
-In order to install the agent for the Azure Government cloud, you must follow these specific steps: 
-In the command line terminal, navigate to folder where the executable for installing the agent is located. 
-Run the following command which specifies the installation is for Azure Government. 
-
-For Passthrough Authentication: 
-```
-AADConnectAuthAgentSetup.exe ENVIRONMENTNAME="AzureUSGovernment"
-```
-
-For Application Proxy:
-```
-AADApplicationProxyConnectorInstaller.exe ENVIRONMENTNAME="AzureUSGovernment" 
-```
-
-## Single sign on 
-Set up your Azure AD Connect server: If you use Pass-through Authentication as your sign-in method, no additional prerequisite check is required. If you use password hash synchronization as your sign-in method, and if there is a firewall between Azure AD Connect and Azure AD, ensure that:
-- You use version 1.1.644.0 or later of Azure AD Connect. 
-- If your firewall or proxy allows DNS whitelisting, add the connections to the *.msapproxy.us URLs over port 443. If not, allow access to the Azure datacenter IP ranges, which are updated weekly. This prerequisite is applicable only when you enable the feature. It is not required for actual user sign-ins. 
-
-### Rolling out seamless SSO 
-You can gradually roll out Seamless SSO to your users using the instructions provided below. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory: 
-https://autologon.microsoft.us 
-
-In addition, you need to enable an Intranet zone policy setting called Allow updates to status bar via script through Group Policy. 
-Browser considerations 
-Mozilla Firefox (all platforms) 
-Mozilla Firefox doesn't automatically use Kerberos authentication. Each user must manually add the Azure AD URL to their Firefox settings by using the following steps: 
-1. Run Firefox and enter about:config in the address bar. Dismiss any notifications that you see. 
-2. Search for the network.negotiate-auth.trusted-uris preference. This preference lists Firefox's trusted sites for Kerberos authentication. 
-3. Right-click and select Modify. 
-4. Enter https://autologon.microsoft.us in the field.
-5. Select OK and then reopen the browser. 
-
-### Microsoft Edge based on Chromium (all platforms) 
-If you have overridden the `AuthNegotiateDelegateAllowlist` or the `AuthServerAllowlist` policy settings in your environment, ensure that you add Azure AD's URL (https://autologon.microsoft.us) to them as well. 
-
-### Google Chrome (all platforms) 
-If you have overridden the `AuthNegotiateDelegateWhitelist` or the `AuthServerWhitelist` policy settings in your environment, ensure that you add Azure AD's URL (https://autologon.microsoft.us) to them as well. 
+|-----|-----|
+|&#42;.msappproxy.us</br>&#42;.servicebus.usgovcloudapi.net|The agent uses these URLs to communicate with the Azure AD cloud service. |
+|mscrl.microsoft.us:80 </br>crl.microsoft.us:80 </br>ocsp.msocsp.us:80 </br>www.microsoft.us:80| The agent uses these URLs to verify certificates.|
+|login.windows.us </br>secure.aadcdn.microsoftonline-p.com </br>&#42;.microsoftonline.us </br>&#42;.microsoftonline-p.us </br>&#42;.msauth.net </br>&#42;.msauthimages.net </br>&#42;.msecnd.net</br>&#42;.msftauth.net </br>&#42;.msftauthimages.net</br>&#42;.phonefactor.net </br>enterpriseregistration.windows.net</br>management.azure.com </br>policykeyservice.dc.ad.msft.net</br>ctdl.windowsupdate.us:80| The agent uses these URLs during the registration process.
+
+### Install the agent for the Azure Government cloud
+
+Follow these steps to install the agent for the Azure Government cloud:
+
+1. In the command-line terminal, go to the folder that contains the executable file that installs the agent.
+1. Run the following commands, which specify that the installation is for Azure Government.
+
+   For Pass-through Authentication:
+
+   ```
+   AADConnectAuthAgentSetup.exe ENVIRONMENTNAME="AzureUSGovernment"
+   ```
+
+   For Application Proxy:
+
+   ```
+   AADApplicationProxyConnectorInstaller.exe ENVIRONMENTNAME="AzureUSGovernment" 
+   ```
+
+## Single sign-on
+
+### Set up your Azure AD Connect server
+
+If you use Pass-through Authentication as your sign-on method, no additional prerequisite check is required. If you use password hash synchronization as your sign-on method and there is a firewall between Azure AD Connect and Azure AD, ensure that:
+
+- You use Azure AD Connect version 1.1.644.0 or later.
+- If your firewall or proxy allows DNS blocked or safe programs, add the connections to the &#42;.msappproxy.us URLs over port 443.
+
+  If not, allow access to the Azure datacenter IP ranges, which are updated weekly. This prerequisite applies only when you enable the feature. It isn't required for actual user sign-ons.
+
+### Roll out Seamless Single Sign-On
+
+You can gradually roll out Azure AD Seamless Single Sign-On to your users by using the following instructions. You start by adding the Azure AD URL [https://autologon.microsoft.us](https://autologon.microsoft.us) to all or selected users' Intranet zone settings by using Group Policy in Active Directory.
+
+You also need to enable the intranet zone policy setting **Allow updates to status bar via script through Group Policy**.
+
+## Browser considerations
+
+### Mozilla Firefox (all platforms)
+
+Mozilla Firefox doesn't automatically use Kerberos authentication. Each user must manually add the Azure AD URL to their Firefox settings by following these steps:
+
+1. Run Firefox and enter **about:config** in the address bar. Dismiss any notifications that you might see.
+1. Search for the **network.negotiate-auth.trusted-uris** preference. This preference lists the sites trusted by Firefox for Kerberos authentication.
+1. Right-click the preference name and then select **Modify**.
+1. Enter [**https://autologon.microsoft.us**](https://autologon.microsoft.us**) in the box.
+1. Select **OK** and then reopen the browser.
+
+### Microsoft Edge based on Chromium (all platforms)
+
+If you have overridden the `AuthNegotiateDelegateAllowlist` or `AuthServerAllowlist` policy settings in your environment, ensure that you add the Azure AD URL [https://autologon.microsoft.us](https://autologon.microsoft.us) to them.
+
+### Google Chrome (all platforms)
+
+If you have overridden the `AuthNegotiateDelegateWhitelist` or `AuthServerWhitelist` policy settings in your environment, ensure that you add the Azure AD URL [https://autologon.microsoft.us](https://autologon.microsoft.us) to them.
 
 ## Next steps
-[Pass-through Authentication](how-to-connect-pta-quick-start.md#step-1-check-the-prerequisites)
-[Single Sign-on](how-to-connect-sso-quick-start.md#step-1-check-the-prerequisites) 
+
+- [Pass-through Authentication](how-to-connect-pta-quick-start.md#step-1-check-the-prerequisites)
+- [Single Sign-On](how-to-connect-sso-quick-start.md#step-1-check-the-prerequisites)

articles/active-directory/authentication/media/concept-authentication-methods/app-password-authentication-method.png

@@ -63,7 +63,9 @@ The maximum number of pods per node in an AKS cluster is 250. The *default* maxi
 
 ### Configure maximum - new clusters
 
-You're able to configure the maximum number of pods per node *only at cluster deployment time*. If you deploy with the Azure CLI or with a Resource Manager template, you can set the maximum pods per node value as high as 250.
+You're able to configure the maximum number of pods per node at cluster deployment time or as you add new node pools. If you deploy with the Azure CLI or with a Resource Manager template, you can set the maximum pods per node value as high as 250.
+
+If you don't specify maxPods when creating new node pools, you receive a default value of 30 for Azure CNI.
 
 A minimum value for maximum pods per node is enforced to guarantee space for system pods critical to cluster health. The minimum value that can be set for maximum pods per node is 10 if and only if the configuration of each node pool has space for a minimum of 30 pods. For example, setting the maximum pods per node to the minimum of 10 requires each individual node pool to have a minimum of 3 nodes. This requirement applies for each new node pool created as well, so if 10 is defined as maximum pods per node each subsequent node pool added must have at least 3 nodes.
 
@@ -81,7 +83,7 @@ A minimum value for maximum pods per node is enforced to guarantee space for sys
 
 ### Configure maximum - existing clusters
 
-You can't change the maximum pods per node on an existing AKS cluster. You can adjust the number only when you initially deploy the cluster.
+The maxPod per node setting can be defined when you create a new node pool. If you need to increase the maxPod per node setting on an existing cluster, add a new node pool with the new desired maxPod count. After migrating your pods to the new pool, delete the older pool. To delete any older pool in a cluster, ensure you are setting node pool modes as defined in the [system node pool document[system-node-pools].
 
 ## Deployment parameters
 
@@ -208,3 +210,4 @@ Kubernetes clusters created with AKS Engine support both the [kubenet][kubenet]
 [network-policy]: use-network-policies.md
 [nodepool-upgrade]: use-multiple-node-pools.md#upgrade-a-node-pool
 [network-comparisons]: concepts-network.md#compare-network-models
+[system-node-pools]: use-system-pools.md

articles/active-directory/authentication/media/concept-authentication-methods/mfa-server-oath-tokens-azure-ad.png

@@ -12,7 +12,7 @@ ms.reviewer: nieberts, jomore
 
 By default, AKS clusters use [kubenet][kubenet], and an Azure virtual network and subnet are created for you. With *kubenet*, nodes get an IP address from the Azure virtual network subnet. Pods receive an IP address from a logically different address space to the Azure virtual network subnet of the nodes. Network address translation (NAT) is then configured so that the pods can reach resources on the Azure virtual network. The source IP address of the traffic is NAT'd to the node's primary IP address. This approach greatly reduces the number of IP addresses that you need to reserve in your network space for pods to use.
 
-With [Azure Container Networking Interface (CNI)][cni-networking], every pod gets an IP address from the subnet and can be accessed directly. These IP addresses must be unique across your network space, and must be planned in advance. Each node has a configuration parameter for the maximum number of pods that it supports. The equivalent number of IP addresses per node are then reserved up front for that node. This approach requires more planning, and often leads to IP address exhaustion or the need to rebuild clusters in a larger subnet as your application demands grow.
+With [Azure Container Networking Interface (CNI)][cni-networking], every pod gets an IP address from the subnet and can be accessed directly. These IP addresses must be unique across your network space, and must be planned in advance. Each node has a configuration parameter for the maximum number of pods that it supports. The equivalent number of IP addresses per node are then reserved up front for that node. This approach requires more planning, and often leads to IP address exhaustion or the need to rebuild clusters in a larger subnet as your application demands grow. You can configure the maximum pods deployable to a node at cluster create time or when creating new node pools. If you don't specify maxPods when creating new node pools, you receive a default value of 110 for kubenet.
 
 This article shows you how to use *kubenet* networking to create and use a virtual network subnet for an AKS cluster. For more information on network options and considerations, see [Network concepts for Kubernetes and AKS][aks-network-concepts].
 

articles/active-directory/authentication/media/concept-authentication-methods/security-questions-authentication-method.png

@@ -46,6 +46,7 @@ You can do the following operations with node pools:
 * Delete user node pools.
 * You can delete system node pools, provided you have another system node pool to take its place in the AKS cluster.
 * An AKS cluster may have multiple system node pools and requires at least one system node pool.
+* If you want to change various immutable settings on existing node pools, you can create new node pools to replace them. One example is to add a new node pool with a new maxPods setting and delete the old node pool.
 
 ## Create a new AKS cluster with a system node pool