
Commit eb3af96

committed
Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into rolyon-rbac-roles-feb
2 parents 55ca4c8 + 07e651c commit eb3af96


89 files changed

+855
-232
lines changed


.openpublishing.redirection.json

Lines changed: 10 additions & 0 deletions
@@ -48550,6 +48550,16 @@
4855048550
"source_path": "articles/app-service/containers/tutorial-java-enterprise-postgresql-app.md",
4855148551
"redirect_url": "/azure/app-service/containers/configure-language-java",
4855248552
"redirect_document_id": false
48553+
},
48554+
{
48555+
"source_path": "articles/virtual-machines/linux/terraform-install-configure.md",
48556+
"redirect_url": "/azure/terraform/terraform-install-configure",
48557+
"redirect_document_id": false
48558+
},
48559+
{
48560+
"source_path": "articles/virtual-machines/linux/terraform-create-complete-vm.md",
48561+
"redirect_url": "/azure/terraform/terraform-create-complete-vm",
48562+
"redirect_document_id": false
4855348563
}
4855448564
]
4855548565
}

articles/active-directory/develop/howto-convert-app-to-be-multi-tenant.md

Lines changed: 3 additions & 3 deletions
@@ -11,9 +11,9 @@ ms.service: active-directory
1111
ms.subservice: develop
1212
ms.topic: conceptual
1313
ms.workload: identity
14-
ms.date: 12/10/2019
14+
ms.date: 02/19/2020
1515
ms.author: ryanwi
16-
ms.reviewer: jmprieur, lenalepa, sureshja
16+
ms.reviewer: jmprieur, lenalepa, sureshja, kkrishna
1717
ms.custom: aaddev
1818
---
1919

@@ -33,7 +33,7 @@ There are four simple steps to convert your application into an Azure AD multi-t
3333
3. [Update your code to handle multiple issuer values](#update-your-code-to-handle-multiple-issuer-values)
3434
4. [Understand user and admin consent and make appropriate code changes](#understand-user-and-admin-consent)
3535

36-
Let’s look at each step in detail. You can also jump straight to [this list of multi-tenant samples](https://docs.microsoft.com/samples/browse/?products=azure-active-directory).
36+
Let’s look at each step in detail. You can also jump straight to the sample [Build a multi-tenant SaaS web application that calls Microsoft Graph using Azure AD and OpenID Connect](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md).
3737

3838
## Update registration to be multi-tenant
3939
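Review bot: the replacement link at line 36 points at a README on the sample repository's `master` branch (`.../blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md`), so it breaks whenever the sample folder is moved or the default branch is renamed, whereas the samples browse page it replaces was a stable entry point. Consider keeping the browse link next to the direct sample link, or linking the repository root and naming the folder in the text.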

articles/aks/quotas-skus-regions.md

Lines changed: 1 addition & 1 deletion
@@ -28,7 +28,7 @@ All other network, compute, and storage limitations apply to the provisioned inf
2828
2929
## Restricted VM sizes
3030

31-
Each node in an AKS cluster contains a fixed amount of compute resources such as vCPU and memory. If an AKS node contains insufficient compute resources, pods might fail to run correctly. To ensure that the required *kube-system* pods and your applications can reliably be scheduled, don't use the following VM SKUs in AKS:
31+
Each node in an AKS cluster contains a fixed amount of compute resources such as vCPU and memory. If an AKS node contains insufficient compute resources, pods might fail to run correctly. To ensure that the required *kube-system* pods and your applications can reliably be scheduled, **don't use the following VM SKUs in AKS**:
3232

3333
- Standard_A0
3434
- Standard_A1

articles/api-management/import-api-from-oas.md

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ ms.author: apimpm
2020
This article shows how to import an "OpenAPI specification" back-end API residing at https://conferenceapi.azurewebsites.net?format=json. This back-end API is provided by Microsoft and hosted on Azure. The article also shows how to test the APIM API.
2121

2222
> [!IMPORTANT]
23-
> See this [document](https://blogs.msdn.microsoft.com/apimanagement/2018/04/11/important-changes-to-openapi-import-and-export/) for important information and tips related to OpenAPI import.
23+
> See this [document](https://azure.microsoft.com/blog/announcing-the-preview-of-openapi-specification-v3-support-in-azure-api-management/) for important information and tips related to OpenAPI import.
2424
2525
In this article, you learn how to:
2626
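Review bot: the new target at line 23 is an announcement of OpenAPI Specification v3 support in preview, while the surrounding callout still promises "important information and tips related to OpenAPI import", which is what the retired blogs.msdn.microsoft.com post covered; confirm the announcement actually carries the import/export caveats, or reword the callout to describe what the link now provides (for example "See the OpenAPI Specification v3 support announcement for current import limitations").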

articles/azure-app-configuration/TOC.yml

Lines changed: 11 additions & 5 deletions
@@ -1,4 +1,4 @@
1-
- name: Azure App Configuration Preview documentation
1+
- name: Azure App Configuration documentation
22
href: index.yml
33
- name: Overview
44
items:
@@ -59,6 +59,8 @@
5959
items:
6060
- name: Key-value store
6161
href: concept-key-value.md
62+
- name: Encrypt using customer-managed keys
63+
href: concept-customer-managed-keys.md
6264
- name: Point-in-time snapshot
6365
href: concept-point-time-snapshot.md
6466
- name: Feature management
@@ -67,14 +69,18 @@
6769
href: concept-github-action.md
6870
- name: Event handling
6971
href: concept-app-configuration-event.md
72+
- name: Authentication
73+
items:
74+
- name: Integrate with Azure Managed Identity
75+
href: howto-integrate-azure-managed-service-identity.md
76+
- name: Enable access using Azure Active Directory
77+
href: concept-enable-rbac.md
7078
- name: High availability
7179
items:
7280
- name: Resiliency and disaster recovery
7381
href: concept-disaster-recovery.md
7482
- name: How-to guides
7583
items:
76-
- name: Integrate with Azure Managed Identity
77-
href: howto-integrate-azure-managed-service-identity.md
7884
- name: Import or export configuration data
7985
href: howto-import-export-data.md
8086
- name: Route events to a custom endpoint
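Review bot: the TOC label at line 76, "Enable access using Azure Active Directory", does not match the page it links to, whose title is "Authorize access to Azure App Configuration using Azure Active Directory"; align the two so a reader scanning the TOC for "authorize" finds it. The same new "Authentication" node also moves `howto-integrate-azure-managed-service-identity.md` out of "How-to guides" into the concepts area beside a concept page; if the intent is to group the two identity articles, a name such as "Authentication and authorization" would better describe a node that now also covers RBAC, and the how-to section could keep a pointer to the moved article.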
@@ -86,12 +92,12 @@
8692
- name: Configuration
8793
items:
8894
- name: Azure CLI
89-
href: https://docs.microsoft.com/cli/azure/ext/appconfig/appconfig?view=azure-cli-latest
95+
href: https://docs.microsoft.com/cli/azure/appconfig?view=azure-cli-latest
9096
- name: .NET Core provider
9197
href: https://go.microsoft.com/fwlink/?linkid=2074664
9298
- name: .NET Framework builder
9399
href: https://go.microsoft.com/fwlink/?linkid=2074663
94-
- name: Azure SDK for .Net
100+
- name: Azure SDK for .NET
95101
href: https://go.microsoft.com/fwlink/?linkid=2092056
96102
- name: Java Spring provider
97103
href: https://go.microsoft.com/fwlink/?linkid=2074659
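Review bot: the Azure CLI reference href at line 95 changes from the `ext/appconfig` extension path to the core `appconfig` command group; the customer-managed-key article added in this same commit relies on `az appconfig identity assign` and on the `--encryption-key-name`, `--encryption-key-version` and `--encryption-key-vault` parameters of `az appconfig update`, so confirm the linked core reference documents those before the extension link is dropped. The `.Net` to `.NET` fix at line 100 is fine.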
Lines changed: 103 additions & 0 deletions
@@ -0,0 +1,103 @@
1+
---
2+
title: Use customer-managed keys to encrypt your configuration data
3+
description: Encrypt your configuration data using customer-managed keys
4+
author: lisaguthrie
5+
6+
ms.author: lcozzens
7+
ms.date: 02/18/2020
8+
ms.topic: conceptual
9+
ms.service: azure-app-configuration
10+
11+
---
12+
# Use customer-managed keys to encrypt your App Configuration data
13+
Azure App Configuration [encrypts sensitive information at rest](../security/fundamentals/encryption-atrest.md). The use of customer-managed keys provides enhanced data protection by allowing you to manage your encryption keys. When managed key encryption is used, all sensitive information in App Configuration is encrypted with a user-provided Azure Key Vault key. This provides the ability to rotate the encryption key on demand. It also provides the ability to revoke Azure App Configuration's access to sensitive information by revoking the App Configuration instance's access to the key.
14+
15+
## Overview
16+
Azure App Configuration encrypts sensitive information at rest using a 256-bit AES encryption key provided by Microsoft. Every App Configuration instance has its own encryption key managed by the service and used to encrypt sensitive information. Sensitive information includes the values found in key-value pairs. When customer-managed key capability is enabled, App Configuration uses a managed identity assigned to the App Configuration instance to authenticate with Azure Active Directory. The managed identity then calls Azure Key Vault and wraps the App Configuration instance's encryption key. The wrapped encryption key is then stored and the unwrapped encryption key is cached within App Configuration for one hour. App Configuration refreshes the unwrapped version of the App Configuration instance's encryption key hourly. This ensures availability under normal operating conditions.
17+
18+
>[!IMPORTANT]
19+
> If the identity assigned to the App Configuration instance is no longer authorized to unwrap the instance's encryption key, or if the managed key is permanently deleted, then it will no longer be possible to decrypt sensitive information stored in the App Configuration instance. Using Azure Key Vault's [soft delete](../key-vault/key-vault-ovw-soft-delete.md) function mitigates the chance of accidentally deleting your encryption key.
20+
21+
When users enable the customer managed key capability on their Azure App Configuration instance, they control the service’s ability to access their sensitive information. The managed key serves as a root encryption key. A user can revoke their App Configuration instance’s access to their managed key by changing their key vault access policy. When this access is revoked, App Configuration will lose the ability to decrypt user data within one hour. At this point, the App Configuration instance will forbid all access attempts. This situation is recoverable by granting the service access to the managed key once again. Within one hour, App Configuration will be able to decrypt user data and operate under normal conditions.
22+
23+
>[!NOTE]
24+
>All Azure App Configuration data is stored for up to 24 hours in an isolated backup. This includes the unwrapped encryption key. This data is not immediately available to the service or service team. In the event of an emergency restore, Azure App Configuration will re-revoke itself from the managed key data.
25+
26+
## Requirements
27+
The following components are required to successfully enable the customer-managed key capability for Azure App Configuration:
28+
- Standard tier Azure App Configuration instance
29+
- Azure Key Vault with soft-delete and purge-protection features enabled
30+
- An RSA or RSA-HSM key within the Key Vault
31+
- The key must not be expired, it must be enabled, and it must have both wrap and unwrap capabilities enabled
32+
33+
Once these resources are configured, two steps remain to allow Azure App Configuration to use the Key Vault key:
34+
1. Assign a managed identity to the Azure App Configuration instance
35+
2. Grant the identity `GET`, `WRAP`, and `UNWRAP` permissions in the target Key Vault's access policy.
36+
37+
## Enable customer-managed key encryption for your Azure App Configuration instance
38+
To begin, you will need a properly configured Azure App Configuration instance. If you do not yet have an App Configuration instance available, follow one of these quickstarts to set one up:
39+
- [Create an ASP.NET Core app with Azure App Configuration](quickstart-aspnet-core-app.md)
40+
- [Create a .NET Core app with Azure App Configuration](quickstart-dotnet-core-app.md)
41+
- [Create a .NET Framework app with Azure App Configuration](quickstart-dotnet-app.md)
42+
- [Create a Java Spring app with Azure App Configuration](quickstart-java-spring-app.md)
43+
44+
>[!TIP]
45+
> The Azure Cloud Shell is a free interactive shell that you can use to run the command line instructions in this article. It has common Azure tools preinstalled, including the .NET Core SDK. If you are logged in to your Azure subscription, launch your [Azure Cloud Shell](https://shell.azure.com) from shell.azure.com. You can learn more about Azure Cloud Shell by [reading our documentation](../cloud-shell/overview.md)
46+
47+
### Create and configure an Azure Key Vault
48+
1. Create an Azure Key Vault using the Azure CLI. Note that both `vault-name` and `resource-group-name` are user-provided and must be unique. We use `contoso-vault` and `contoso-resource-group` in these examples.
49+
50+
```azurecli
51+
az keyvault create --name contoso-vault --resource-group contoso-resource-group
52+
```
53+
54+
1. Enable soft-delete and purge-protection for the Key Vault. Substitute the names of the Key Vault (`contoso-vault`) and Resource Group (`contoso-resource-group`) created in step 1.
55+
56+
```azurecli
57+
az keyvault update --name contoso-vault --resource-group contoso-resource-group --enable-purge-protection --enable-soft-delete
58+
```
59+
60+
1. Create a Key Vault key. Provide a unique `key-name` for this key, and substitute the names of the Key Vault (`contoso-vault`) created in step 1. Specify whether you prefer `RSA` or `RSA-HSM` encryption.
61+
62+
```azurecli
63+
az keyvault key create --name key-name --kty {RSA or RSA-HSM} --vault-name contoso-vault
64+
```
65+
66+
The output from this command shows the key ID ("kid") for the generated key. Make a note of the key ID to use later in this exercise. The key ID has the form: `https://{my key vault}.vault.azure.net/keys/{key-name}/{Key version}`. The key ID has three important components:
67+
1. Key Vault URI: `https://{my key vault}.vault.azure.net
68+
1. Key Vault key name: {Key Name}
69+
1. Key Vault key version: {Key version}
70+
71+
1. Create a system assigned managed identity using the Azure CLI, substituting the name of your App Configuration instance and resource group used in the previous steps. The managed identity will be used to access the managed key. We use `contoso-app-config` to illustrate the name of an App Configuration instance:
72+
73+
```azurecli
74+
az appconfig identity assign --na1. me contoso-app-config --group contoso-resource-group --identities [system]
75+
```
76+
77+
The output of this command includes the principal ID ("principalId") and tenant ID ("tenandId") of the system assigned identity. This will be used to grant the identity access to the managed key.
78+
79+
```json
80+
{
81+
"principalId": {Principal Id},
82+
"tenantId": {Tenant Id},
83+
"type": "SystemAssigned",
84+
"userAssignedIdentities": null
85+
}
86+
```
87+
88+
1. The managed identity of the Azure App Configuration instance needs access to the key to perform key validation, encryption and decryption. The specific set of actions to which it needs access includes: `GET`, `WRAP`, and `UNWRAP` for keys. Granting the access requires the principal ID of the App Configuration instance's managed identity. This value was obtained in the previous step. It is shown below as `contoso-principalId`. Grant permission to the managed key using the command line:
89+
90+
```azurecli
91+
az keyvault set-policy -n contoso-vault --object-id contoso-principalId --key-permissions get wrapKey unwrapKey
92+
```
93+
94+
1. Once the Azure App Configuration instance can access the managed key, we can enable the customer-managed key capability in the service using the Azure CLI. Recall the following properties recorded during the key creation steps: `key name` `key vault URI`.
95+
96+
```azurecli
97+
az appconfig update -g contoso-resource-group -n contoso-app-config --encryption-key-name key-name --encryption-key-version key-version --encryption-key-vault key-vault-Uri
98+
```
99+
100+
Your Azure App Configuration instance is now configured to use a customer-managed key stored in Azure Key Vault.
101+
102+
## Next Steps
103+
In this article, you configured your Azure App Configuration instance to use a customer-managed key for encryption. Learn how to [integrate your service with Azure Managed Identities](howto-integrate-azure-managed-service-identity.md).
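Review bot: the command at line 74 is broken, `az appconfig identity assign --na1. me contoso-app-config ...`; a stray list marker has been spliced into `--name`, and as written the command does not parse, so it should read `az appconfig identity assign --name contoso-app-config --group contoso-resource-group --identities [system]`. Further points in the same file: line 67 opens a code span for the Key Vault URI but never closes it, so the remainder of the list renders as code; line 77 spells the field `tenandId` although the JSON sample at line 82 correctly shows `tenantId`; line 94 tells the reader to recall only `key name` and `key vault URI`, but the `az appconfig update` command that follows also needs `--encryption-key-version`, the third component listed at line 69; line 60 says "substitute the names of the Key Vault" for a single vault. On the security content: the note at line 24 says the isolated backup retains the unwrapped encryption key for up to 24 hours, which means revoking the vault access policy (line 21) does not immediately make every copy of the data undecryptable; that consequence is worth stating plainly, and "re-revoke itself from the managed key data" should be reworded to say what actually happens on restore. It would also help to say at line 35 that `GET`, `WRAP` and `UNWRAP` is the minimum permission set and that the access policy at line 91 is deliberately scoped to the App Configuration identity's object ID alone.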
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
---
2+
title: Authorize access to Azure App Configuration using Azure Active Directory
3+
description: Enable RBAC to authorize access to your Azure App Configuration instance
4+
author: lisaguthrie
5+
ms.author: lcozzens
6+
ms.date: 02/13/2020
7+
ms.topic: conceptual
8+
ms.service: azure-app-configuration
9+
10+
---
11+
# Authorize access to Azure App Configuration using Azure Active Directory
12+
Azure App Configuration supports using Azure Active Directory (Azure AD) to authorize requests to App Configuration instances. Azure AD allows you to use role-based access control (RBAC) to grant permissions to a security principal. A security principal may be a user, or an [application service principal](../active-directory/develop/app-objects-and-service-principals.md). To learn more about roles and role assignments, see [Understanding different roles](../role-based-access-control/overview.md).
13+
14+
## Overview
15+
Requests made by security principal (a user, or an application) to access an App Configuration resource must be authorized. With Azure AD, access to a resource is a two-step process.
16+
1. The security principal's identity is authenticated and an OAuth 2.0 token is returned. The resource name to request a token is `https://login.microsoftonline.com/{tenantID}` where `{tenantID}` matches the Azure Active Directory tenant ID to which the service principal belongs.
17+
2. The token is passed as part of a request to the App Configuration service to authorize access to the specified resource.
18+
19+
The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity, such as an Azure Functions app, an Azure Web App, or an Azure VM, it can use a managed identity to access the resources. To learn how to authenticate requests made by a managed identity to Azure App Configuration, see [Authenticate access to Azure App Configuration resources with Azure Active Directory and managed identities for Azure Resources](howto-integrate-azure-managed-service-identity.md).
20+
21+
The authorization step requires that one or more RBAC roles be assigned to the security principal. Azure App Configuration provides RBAC roles that encompass sets of permissions for App Configuration resources. The roles that are assigned to a security principal determine the permissions provided to the principal. For more information about RBAC roles, see [Built-in RBAC roles for Azure App Configuration](#built-in-rbac-roles-for-azure-app-configuration).
22+
23+
## Assign RBAC roles for access rights
24+
Azure Active Directory (Azure AD) authorizes access rights to secured resources through [role-based access control (RBAC)](../role-based-access-control/overview.md).
25+
26+
When an RBAC role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access is scoped to the App Configuration resource. An Azure AD security principal may be a user, or an application service principal, or a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).
27+
28+
## Built-in RBAC roles for Azure App Configuration
29+
Azure provides the following built-in RBAC roles for authorizing access to App Configuration data using Azure AD and OAuth:
30+
31+
- Azure App Configuration Data Owner: Use this role to give read/write access to App Configuration resources.
32+
- Azure App Configuration Data Reader: Use this role to give read access to App Configuration resources.
33+
- Contributor: Use this role to give admin access to the service without granting access to the data stored in the App Configuration instance.
34+
35+
## Next steps
36+
Learn more about using [managed identities](howto-integrate-azure-managed-service-identity.md) to administer your App Configuration service.
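Review bot: step 1 at line 16 calls `https://login.microsoftonline.com/{tenantID}` the "resource name to request a token", but that URL is the tenant's authority (token issuer) endpoint rather than the resource or audience the token is requested for; clarify which value the caller passes as the resource/scope when obtaining a token for App Configuration, since the audience is what the service checks in step 2. Smaller points: line 15 reads "Requests made by security principal" and needs "a"; the roles list from line 31 would be clearer if it said outright that only the two "Data" roles grant access to key-values, which the Contributor bullet at line 33 implies by contrast, and a one-line guidance sentence (assign Data Reader to applications that only read configuration) would tie the list to the least-privilege intent. The "Next steps" link at line 36 says the managed identities article shows how to "administer" the service, whereas line 19 describes that same article as explaining how to authenticate requests; "authenticate" is the accurate verb.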
