Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: tynevi

.openpublishing.redirection.json

@@ -23059,6 +23059,11 @@
       "redirect_url": "/azure/storage/blobs/storage-dotnet-shared-access-signature-part-2",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/storage/blobs/storage-dotnet-shared-access-signature-part-2.md",
+      "redirect_url": "/azure/storage/common/storage-dotnet-shared-access-signature-part-1",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/storage/storage-e2e-troubleshooting.md",
       "redirect_url": "/azure/storage/common/storage-e2e-troubleshooting",

articles/active-directory/b2b/tutorial-bulk-invite.md

@@ -105,7 +105,7 @@ foreach ($email in $invitations)
    {New-AzureADMSInvitation `
       -InvitedUserEmailAddress $email.InvitedUserEmailAddress `
       -InvitedUserDisplayName $email.Name `
-      -InviteRedirectUrl https://myapps.azure.com `
+      -InviteRedirectUrl https://myapps.microsoft.com `
       -InvitedUserMessageInfo $messageInfo `
       -SendInvitationMessage $true
    }

articles/active-directory/develop/quickstart-v2-windows-desktop.md

@@ -67,7 +67,7 @@ In this quickstart, you'll learn how to write a Windows desktop .NET (WPF) appli
 
 #### Step 2: Download your Visual Studio project
 
-[Download the Visual Studio project](https://github.com/Azure-Samples/active-directory-dotnet-desktop-msgraph-v2/archive/msal3x.zip)
+[Download the Visual Studio project](https://github.com/Azure-Samples/active-directory-dotnet-desktop-msgraph-v2/archive/msal3x.zip)  ([View Project on Github](https://github.com/Azure-Samples/active-directory-dotnet-desktop-msgraph-v2/))
 
 #### Step 3: Configure your Visual Studio project
 

articles/active-directory/manage-apps/end-user-experiences.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 11/09/2018
+ms.date: 05/03/2019
 ms.author: celested
 ms.reviewer: arvindh
 ms.collection: M365-identity-device-management
@@ -48,7 +48,9 @@ Most federated applications that support SAML 2.0, WS-Federation, or OpenID conn
 ## Direct sign-on links
 Azure AD also supports direct single sign-on links to individual applications that support password-based single sign-on, linked single sign-on, and any form of federated single sign-on.
 
-These links are specifically crafted URLs that send a user through the Azure AD sign-in process for a specific application without requiring the user launch them from the Azure AD access panel or Office 365. These **User access URLs** can be found under the properties of available enterprise applications under Azure Active Directory in the Azure portal.
+These links are specifically crafted URLs that send a user through the Azure AD sign-in process for a specific application without requiring the user launch them from the Azure AD access panel or Office 365. These **User access URLs** can be found under the properties of available enterprise applications. In the Azure portal, select **Azure Active Directory** > **Enterprise applications**. Select the application, and then select **Properties**.
+
+![Example of the User access URL in Twitter properties](media/end-user-experiences/direct-sign-on-link.png)
 
 These links can be copied and pasted anywhere you want to provide a sign-in link to the selected application. This could be in an email, or in any custom web-based portal that you have set up for user application access. Here's an example of an Azure AD direct single sign-on URL for Twitter:
 

articles/active-directory/manage-apps/media/end-user-experiences/direct-sign-on-link.png

@@ -59,7 +59,7 @@ In AKS, there are two sets of ports and addresses:
 * The [optional recommended addresses and ports for AKS clusters](#optional-recommended-addresses-and-ports-for-aks-clusters) aren't required for all scenarios, but integration with other services such as Azure Monitor won't work correctly. Review this list of optional ports and FQDNs, and authorize any of the services and components used in your AKS cluster.
 
 > [!NOTE]
-> Limiting egress traffic only works on new AKS clusters created after you enable the feature flag registration. You can't limit egress traffic on an existing AKS cluster created before the feature flag was registered.
+> Limiting egress traffic only works on new AKS clusters created after you enable the feature flag registration. For existing clusters, [perform a cluster upgrade operation][aks-upgrade] using the `az aks upgrade` command before you limit the egress traffic.
 
 ## Required ports and addresses for AKS clusters
 
@@ -115,3 +115,4 @@ In this article, you learned what ports and addresses to allow if you restrict e
 [az-feature-register]: /cli/azure/feature#az-feature-register
 [az-feature-list]: /cli/azure/feature#az-feature-list
 [az-provider-register]: /cli/azure/provider#az-provider-register
+[aks-upgrade]: upgrade-cluster.md

articles/aks/limit-egress-traffic.md

@@ -2,8 +2,8 @@
 title: Grant access to create Azure Enterprise subscriptions| Microsoft Docs
 description: Learn how to give a user or service principal the ability to programmatically create Azure Enterprise subscriptions.
 services: azure-resource-manager
-author: adpick
-manager: adpick
+author: jureid
+manager: jureid
 editor: ''
 
 ms.assetid: 
@@ -12,8 +12,8 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: na
-ms.date: 06/05/2018
-ms.author: adpick
+ms.date: 04/09/2019
+ms.author: jureid
 ---
 
 # Grant access to create Azure Enterprise subscriptions (preview)
@@ -22,14 +22,118 @@ As an Azure customer on [Enterprise Agreement (EA)](https://azure.microsoft.com/
 
 To create a subscription, see [Programmatically create Azure Enterprise subscriptions (preview)](programmatically-create-subscription.md).
 
-## Delegate access to an enrollment account using RBAC
+## Grant subscription creation access to a user or group
 
-To give another user or service principal the ability to create subscriptions against a specific account, [give them an RBAC Owner role at the scope of the enrollment account](../active-directory/role-based-access-control-manage-access-rest.md). The following example gives a user in the tenant with `principalId` of `<userObjectId>` (for [email protected]) an Owner role on the enrollment account. To find the enrollment account ID and principal ID, see [Programmatically create Azure Enterprise subscriptions (preview)](programmatically-create-subscription.md).
+To create subscriptions under an enrollment account, users must have the [RBAC Owner role](../role-based-access-control/built-in-roles.md#owner) on that account. You can grant a user or a group of users the RBAC Owner role on an enrollment account by following these steps:
 
-# [REST](#tab/rest)
+### 1. Get the object ID of the enrollment account you want to grant access to
+
+To grant others the RBAC Owner role on an enrollment account, you must either be the Account Owner or an RBAC Owner of the account.
+
+### [REST](#tab/rest)
+
+Request to list all enrollment accounts you have access to:
+
+```json
+GET https://management.azure.com/providers/Microsoft.Billing/enrollmentAccounts?api-version=2018-03-01-preview
+```
+
+Azure responds with a list of all enrollment accounts you have access to:
+
+```json
+{
+  "value": [
+    {
+      "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+      "name": "747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+      "type": "Microsoft.Billing/enrollmentAccounts",
+      "properties": {
+        "principalName": "[email protected]"
+      }
+    },
+    {
+      "id": "/providers/Microsoft.Billing/enrollmentAccounts/4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+      "name": "4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+      "type": "Microsoft.Billing/enrollmentAccounts",
+      "properties": {
+        "principalName": "[email protected]"
+      }
+    }
+  ]
+}
+```
+
+Use the `principalName` property to identify the account that you want to grant RBAC Owner access to. Copy the `name` of that account. For example, if you wanted to grant RBAC Owner access to the [email protected] enrollment account, you'd copy ```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```. This is the object ID of the enrollment account. Paste this value somewhere so that you can use it in the next step as `enrollmentAccountObjectId`.
+
+### [PowerShell](#tab/azure-powershell)
+
+Open [Azure Cloud Shell](https://shell.azure.com/) and select PowerShell.
+
+Use the [Get-AzEnrollmentAccount](/powershell/module/az.billing/get-azenrollmentaccount) cmdlet to list all enrollment accounts you have access to.
+
+```azurepowershell-interactive
+Get-AzEnrollmentAccount
+```
+
+Azure responds with a list of enrollment accounts you have access to:
+
+```azurepowershell
+ObjectId                               | PrincipalName
+747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx   | [email protected]
+4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx   | [email protected]
+```
+
+Use the `principalName` property to identify the account you want to grant RBAC Owner access to. Copy the `ObjectId` of that account. For example, if you wanted to grant RBAC Owner access to the [email protected] enrollment account, you'd copy ```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```. Paste this object ID somewhere so that you can use it in the next step as the `enrollmentAccountObjectId`.
+
+### [Azure CLI](#tab/azure-cli)
+
+Use the [az billing enrollment-account list](https://aka.ms/EASubCreationPublicPreviewCLI) command to list all enrollment accounts you have access to.
+
+```azurecli-interactive 
+az billing enrollment-account list
+```
+
+Azure responds with a list of enrollment accounts you have access to:
+
+```json
+[
+  {
+    "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+    "name": "747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+    "principalName": "[email protected]",
+    "type": "Microsoft.Billing/enrollmentAccounts",
+  },
+  {
+    "id": "/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+    "name": "4cd2fcf6-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+    "principalName": "[email protected]",
+    "type": "Microsoft.Billing/enrollmentAccounts",
+  }
+]
+
+```
+
+Use the `principalName` property to identify the account that you want to grant RBAC Owner access to. Copy the `name` of that account. For example, if you wanted to grant RBAC Owner access to the [email protected] enrollment account, you'd copy ```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```. This is the object ID of the enrollment account. Paste this value somewhere so that you can use it in the next step as `enrollmentAccountObjectId`.
+
+<a id="userObjectId"></a>
+
+### 2. Get object ID of the user or group you want to give the RBAC Owner role to
+
+1. In the Azure portal, search on **Azure Active Directory**.
+1. If you want to grant a user access, click on **Users** in the menu on the left. If you want to grant access to a group, click **Groups**.
+1. Select the User or Group you want to give the RBAC Owner role to.
+1. If you selected a User, you'll find the object ID in the Profile page. If you selected a Group, the object ID will be in the Overview page. Copy the **ObjectID** by clicking the icon to the right of the text box. Paste this somewhere so that you can use it in the next step as `userObjectId`.
+
+### 3. Grant the user or group the RBAC Owner role on the enrollment account
+
+Using the values you collected in the first two steps, grant the user or group the RBAC Owner role on the enrollment account.
+
+### [REST](#tab/rest-2)
+
+Run the following command, replacing ```<enrollmentAccountObjectId>``` with the `name` you copied in the first step (```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```). Replace ```<userObjectId>``` with the object ID you copied from the second step.
 
 ```json
-PUT  https://management.azure.com/providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleAssignments/<roleAssignmentGuid>?api-version=2015-07-01
+PUT  https://management.azure.com/providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>/providers/Microsoft.Authorization/roleAssignments/<roleAssignmentGuid>?api-version=2015-07-01
 
 {
   "properties": {
@@ -58,27 +162,27 @@ When the Owner role is successfully assigned at the enrollment account scope, Az
 }
 ```
 
-# [PowerShell](#tab/azure-powershell)
+### [PowerShell](#tab/azure-powershell-2)
 
 [!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
 
-Use the [New-AzRoleAssignment](../active-directory/role-based-access-control-manage-access-powershell.md) to give another user Owner access to your enrollment account.
+Run the following [New-AzRoleAssignment](../active-directory/role-based-access-control-manage-access-powershell.md) command, replacing ```<enrollmentAccountObjectId>``` with the `ObjectId` collected in the first step (```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```). Replace ```<userObjectId>``` with the object ID collected in the second step.
 
 ```azurepowershell-interactive
-New-AzRoleAssignment -RoleDefinitionName Owner -ObjectId <userObjectId> -Scope /providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+New-AzRoleAssignment -RoleDefinitionName Owner -ObjectId <userObjectId> -Scope /providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>
 ```
 
-# [Azure CLI](#tab/azure-cli)
+### [Azure CLI](#tab/azure-cli-2)
 
-Use the [az role assignment create](../active-directory/role-based-access-control-manage-access-azure-cli.md) to give another user Owner access to your enrollment account.
+Run the following [az role assignment create](../active-directory/role-based-access-control-manage-access-azure-cli.md) command, replacing ```<enrollmentAccountObjectId>``` with the `name` you copied in the first step (```747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx```). Replace ```<userObjectId>``` with the object ID collected in the second step.
 
-```azurecli-interactive 
-az role assignment create --role Owner --assignee-object-id <userObjectId> --scope /providers/Microsoft.Billing/enrollmentAccounts/747ddfe5-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+```azurecli-interactive
+az role assignment create --role Owner --assignee-object-id <userObjectId> --scope /providers/Microsoft.Billing/enrollmentAccounts/<enrollmentAccountObjectId>
 ```
 
 ----
 
-Once a user becomes an RBAC Owner for your enrollment account, they can programmatically create subscriptions under it. A subscription created by a delegated user still has the original Account Owner as Service Admin, but it also has the delegated user as an Owner by default. 
+Once a user becomes an RBAC Owner for your enrollment account, they can [programmatically create subscriptions](programmatically-create-subscription.md) under it. A subscription created by a delegated user still has the original Account Owner as Service Admin, but it also has the delegated user as an RBAC Owner by default.
 
 ## Audit who created subscriptions using activity logs
 
@@ -91,7 +195,6 @@ To track the subscriptions created via this API, use the [Tenant Activity Log AP
 GET "/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '{greaterThanTimeStamp}' and eventTimestamp le '{lessThanTimestamp}' and eventChannels eq 'Operation' and resourceProvider eq 'Microsoft.Subscription'" 
 ```
 
-> [!NOTE]
 > To conveniently call this API from the command line, try [ARMClient](https://github.com/projectkudu/ARMClient).
 
 ## Next steps