Commit ef7287b

Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)
2 parents 04810b3 + be53e74 commit ef7287b

60 files changed

+1440
-536
lines changed

articles/active-directory/hybrid/how-to-connect-pta-faq.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ ms.workload: identity
1212
ms.tgt_pltfrm: na
1313
ms.devlang: na
1414
ms.topic: conceptual
15-
ms.date: 04/15/2019
15+
ms.date: 03/09/2020
1616
ms.subservice: hybrid
1717
ms.author: billmath
1818
ms.collection: M365-identity-device-management
@@ -39,7 +39,7 @@ No. Pass-through Authentication is only available in the worldwide instance of A
3939
Yes. All Conditional Access capabilities, including Azure Multi-Factor Authentication, work with Pass-through Authentication.
4040

4141
## Does Pass-through Authentication support "Alternate ID" as the username, instead of "userPrincipalName"?
42-
To a limited extent, Pass-through Authentication supports Alternate ID as the username when configured in Azure AD Connect. As a pre-requisite, Azure AD Connect needs to synchronize the on-premises Active Directory `UserPrincipalName` attribute to Azure AD. This makes the `UserPrincipalName` on the on-premises AD and Azure AD become identical. If you would like to use another attribute to synchronize from on-premises AD as the UPN to Azure AD, you will have to use either Password Hash sync or AD FS. For more information, see [Custom installation of Azure AD Connect](how-to-connect-install-custom.md). Not all Office 365 applications support `Alternate ID`. Refer to the specific application's documentation support statement.
42+
Sign in using a non-UPN value, such as an alternate email, is currently being tested in private preview for both pass-through authentication (PTA) and password hash sync (PHS).
4343

4444
## Does password hash synchronization act as a fallback to Pass-through Authentication?
4545
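Review bot: The replacement at 42+ drops every piece of actionable guidance the removed paragraph carried: the prerequisite that Azure AD Connect synchronize the on-premises `UserPrincipalName` attribute, the pointer to Password Hash sync or AD FS when a different attribute must serve as the UPN, the link to [Custom installation of Azure AD Connect](how-to-connect-install-custom.md), and the caveat that not all Office 365 applications support Alternate ID. Readers on the current release still need that text until the preview ships, so keep it and append the preview sentence after it. The new sentence also needs a grammar fix: "Signing in with a non-UPN value, such as an alternate email, is currently in private preview for both pass-through authentication (PTA) and password hash synchronization (PHS)."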

articles/aks/TOC.yml

Lines changed: 1 addition & 1 deletion
@@ -216,7 +216,7 @@
216216
href: api-server-authorized-ip-ranges.md
217217
- name: Control deployments with Azure Policy (preview)
218218
href: ../governance/policy/concepts/rego-for-aks.md?toc=/azure/aks/toc.json
219-
- name: Update cluster service principal credentials
219+
- name: Update cluster credentials
220220
href: update-credentials.md
221221
- name: Restrict and control cluster egress traffic
222222
href: limit-egress-traffic.md
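Review bot: The TOC label at 219+ becomes "Update cluster credentials", but in the same commit the target page keeps the title "Reset the credentials for an Azure Kubernetes Service (AKS) cluster" and gets the H1 "Update or rotate the credentials for Azure Kubernetes Service (AKS)". Three different phrasings for one page makes it harder to find; align the navigation label with the page heading (for example "Update or rotate cluster credentials").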

articles/aks/update-credentials.md

Lines changed: 29 additions & 10 deletions
@@ -1,28 +1,30 @@
11
---
22
title: Reset the credentials for an Azure Kubernetes Service (AKS) cluster
3-
description: Learn how update or reset the service principal credentials for a cluster in Azure Kubernetes Service (AKS)
3+
description: Learn how update or reset the service principal or AAD Application credentials for an Azure Kubernetes Service (AKS) cluster
44
services: container-service
55
ms.topic: article
6-
ms.date: 05/31/2019
6+
ms.date: 03/11/2019
77

88
---
99

10-
# Update or rotate the credentials for a service principal in Azure Kubernetes Service (AKS)
10+
# Update or rotate the credentials for Azure Kubernetes Service (AKS)
1111

1212
By default, AKS clusters are created with a service principal that has a one-year expiration time. As you near the expiration date, you can reset the credentials to extend the service principal for an additional period of time. You may also want to update, or rotate, the credentials as part of a defined security policy. This article details how to update these credentials for an AKS cluster.
1313

14+
You may also have [integrated your AKS cluster with Azure Active Directory][aad-integration], and use it as an authentication provider for your cluster. In that case you will have 2 more identities created for your cluster, the AAD Server App and the AAD Client App, you may also reset those credentials.
15+
1416
## Before you begin
1517

1618
You need the Azure CLI version 2.0.65 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
1719

18-
## Choose to update or create a service principal
20+
## Update or create a new Service Principal for your AKS cluster
1921

2022
When you want to update the credentials for an AKS cluster, you can choose to:
2123

2224
* update the credentials for the existing service principal used by the cluster, or
2325
* create a service principal and update the cluster to use these new credentials.
2426

25-
### Update Existing Service Principal Expiration
27+
### Reset Existing Service Principal Credential
2628

2729
To update the credentials for the existing service principal, get the service principal ID of your cluster using the [az aks show][az-aks-show] command. The following example gets the ID for the cluster named *myAKSCluster* in the *myResourceGroup* resource group. The service principal ID is set as a variable named *SP_ID* for use in additional command.
2830
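Review bot: `ms.date: 03/11/2019` at 6+ moves the date backwards from the previous `05/31/2019`; the other files in this commit are dated 03/09/2020 and 03/11/2020, so this looks like a typo for 03/11/2020. Two grammar fixes in the changed lines: the description at 3+ is missing "to" ("Learn how to update or reset the service principal or AAD application credentials for an Azure Kubernetes Service (AKS) cluster"), and the new paragraph at 14+ is a run-on; suggest "In that case, two more identities are created for your cluster, the AAD Server App and the AAD Client App, and you can reset those credentials as well." The heading at 27+, "Reset Existing Service Principal Credential", should be plural ("Credentials") to match the rest of the article; if it is changed, the `#reset-existing-service-principal-credential` link added later in this file must change with it.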

@@ -37,11 +39,11 @@ With a variable set that contains the service principal ID, now reset the creden
3739
SP_SECRET=$(az ad sp credential reset --name $SP_ID --query password -o tsv)
3840
```
3941

40-
Now continue on to [update AKS cluster with new credentials](#update-aks-cluster-with-new-credentials). This step is necessary for the Service Principal changes to reflect on the AKS cluster.
42+
Now continue on to [update AKS cluster with new service principal credentials](#update-aks-cluster-with-new-service-principal-credentials). This step is necessary for the Service Principal changes to reflect on the AKS cluster.
4143

4244
### Create a New Service Principal
4345

44-
If you chose to update the existing service principal credentials in the previous section, skip this step. Continue to [update AKS cluster with new credentials](#update-aks-cluster-with-new-credentials).
46+
If you chose to update the existing service principal credentials in the previous section, skip this step. Continue to [update AKS cluster with new service principal credentials](#update-aks-cluster-with-new-service-principal-credentials).
4547

4648
To create a service principal and then update the AKS cluster to use these new credentials, use the [az ad sp create-for-rbac][az-ad-sp-create] command. In the following example, the `--skip-assignment` parameter prevents any additional default assignments being assigned:
4749

@@ -67,9 +69,9 @@ SP_ID=7d837646-b1f3-443d-874c-fd83c7c739c5
6769
SP_SECRET=a5ce83c9-9186-426d-9183-614597c7f2f7
6870
```
6971

70-
Now continue on to [update AKS cluster with new credentials](#update-aks-cluster-with-new-credentials). This step is necessary for the Service Principal changes to reflect on the AKS cluster.
72+
Now continue on to [update AKS cluster with new service principal credentials](#update-aks-cluster-with-new-service-principal-credentials). This step is necessary for the Service Principal changes to reflect on the AKS cluster.
7173

72-
## Update AKS cluster with new credentials
74+
## Update AKS cluster with new Service Principal credentials
7375

7476
Regardless of whether you chose to update the credentials for the existing service principal or create a service principal, you now update the AKS cluster with your new credentials using the [az aks update-credentials][az-aks-update-credentials] command. The variables for the *--service-principal* and *--client-secret* are used:
7577
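Review bot: The unchanged sample output above (`SP_SECRET=a5ce83c9-...`) shows the new client secret in plaintext, and the surrounding text only tells the reader to "continue on". Since this value becomes the cluster's credential, add one sentence after the code block noting that the secret is sensitive and should be kept in the shell variable (as the earlier section does with `az ad sp credential reset --query password -o tsv`) rather than copied into scripts, tickets or notes.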

@@ -84,14 +86,31 @@ az aks update-credentials \
8486

8587
It takes a few moments for the service principal credentials to be updated in the AKS.
8688

89+
## Update AKS Cluster with new AAD Application credentials
90+
91+
You may create new AAD Server and Client applications by following the [AAD integration steps][create-aad-app]. Or reset your existing AAD Applications following the [same method as for service principal reset](#reset-existing-service-principal-credential). After that you just need to update your cluster AAD Application credentials using the same [az aks update-credentials][az-aks-update-credentials] command but using the *--reset-aad* variables.
92+
93+
```azurecli-interactive
94+
az aks update-credentials \
95+
--resource-group myResourceGroup \
96+
--name myAKSCluster \
97+
--reset-aad \
98+
--aad-server-app-id <SERVER APPLICATION ID> \
99+
--aad-server-app-secret <SERVER APPLICATION SECRET> \
100+
--aad-client-app-id <CLIENT APPLICATION ID>
101+
```
102+
103+
87104
## Next steps
88105

89-
In this article, the service principal for the AKS cluster itself was updated. For more information on how to manage identity for workloads within a cluster, see [Best practices for authentication and authorization in AKS][best-practices-identity].
106+
In this article, the service principal for the AKS cluster itself and the AAD Integration Applications were updated. For more information on how to manage identity for workloads within a cluster, see [Best practices for authentication and authorization in AKS][best-practices-identity].
90107

91108
<!-- LINKS - internal -->
92109
[install-azure-cli]: /cli/azure/install-azure-cli
93110
[az-aks-show]: /cli/azure/aks#az-aks-show
94111
[az-aks-update-credentials]: /cli/azure/aks#az-aks-update-credentials
95112
[best-practices-identity]: operator-best-practices-identity.md
113+
[aad-integration]: azure-ad-integration.md
114+
[create-aad-app]: azure-ad-integration.md#create-the-server-application
96115
[az-ad-sp-create]: /cli/azure/ad/sp#az-ad-sp-create-for-rbac
97116
[az-ad-sp-credential-reset]: /cli/azure/ad/sp/credential#az-ad-sp-credential-reset
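Review bot: At 91+ "using the *--reset-aad* variables" is inaccurate: `--reset-aad` is a flag and `--aad-server-app-id`, `--aad-server-app-secret` and `--aad-client-app-id` are command parameters, not variables; suggest "using the `--reset-aad` flag together with the AAD application parameters shown below". The same sentence sends readers to "the same method as for service principal reset", but the linked section's command (`az ad sp credential reset`) acts on a service principal; state the application-side command explicitly (the counterpart is `az ad app credential reset`) instead of relying on the cross-reference. "Or reset your existing AAD Applications ..." is a sentence fragment; join it to the preceding sentence. In the code block at 93+ to 101+, `<SERVER APPLICATION SECRET>` is typed inline as a literal, whereas the service principal section captures the secret into `$SP_SECRET`; use the same variable pattern for consistency and to keep the secret out of the documented command line.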

articles/application-gateway/multiple-site-overview.md

Lines changed: 12 additions & 6 deletions
@@ -4,14 +4,14 @@ description: This article provides an overview of the Azure Application Gateway
44
services: application-gateway
55
author: vhorne
66
ms.service: application-gateway
7-
ms.date: 1/7/2020
7+
ms.date: 03/11/2020
88
ms.author: amsriva
99
ms.topic: conceptual
1010
---
1111

1212
# Application Gateway multiple site hosting
1313

14-
Multiple site hosting enables you to configure more than one web application on the same port of an application gateway. This feature allows you to configure a more efficient topology for your deployments by adding up to 100 websites to one application gateway. Each website can be directed to its own backend pool. In the following example, application gateway is serving traffic for contoso.com and fabrikam.com from two back-end server pools called ContosoServerPool and FabrikamServerPool.
14+
Multiple site hosting enables you to configure more than one web application on the same port of an application gateway. This feature allows you to configure a more efficient topology for your deployments by adding up to 100 websites to one application gateway. Each website can be directed to its own backend pool. In the following example, application gateway serves traffic for `contoso.com` and `fabrikam.com` from two back-end server pools called ContosoServerPool and FabrikamServerPool.
1515

1616
![imageURLroute](./media/multiple-site-overview/multisite.png)
1717

@@ -20,7 +20,7 @@ Multiple site hosting enables you to configure more than one web application on
2020
2121
Requests for `http://contoso.com` are routed to ContosoServerPool, and `http://fabrikam.com` are routed to FabrikamServerPool.
2222

23-
Similarly two subdomains of the same parent domain can be hosted on the same application gateway deployment. Examples of using subdomains could include `http://blog.contoso.com` and `http://app.contoso.com` hosted on a single application gateway deployment.
23+
Similarly, you can host multiple subdomains of the same parent domain on the same application gateway deployment. For example, you can host `http://blog.contoso.com` and `http://app.contoso.com` on a single application gateway deployment.
2424

2525
## Host headers and Server Name Indication (SNI)
2626

@@ -30,11 +30,17 @@ There are three common mechanisms for enabling multiple site hosting on the same
3030
2. Use host name to host multiple web applications on the same IP address.
3131
3. Use different ports to host multiple web applications on the same IP address.
3232

33-
Currently an application gateway gets a single public IP address on which it listens for traffic. Therefore supporting multiple applications, each with its own IP address, is currently not supported. Application Gateway supports hosting multiple applications each listening on different ports but this scenario would require the applications to accept traffic on non-standard ports and is often not a desired configuration. Application Gateway relies on HTTP 1.1 host headers to host more than one website on the same public IP address and port. The sites hosted on application gateway can also support SSL offload with Server Name Indication (SNI) TLS extension. This scenario means that the client browser and backend web farm must support HTTP/1.1 and TLS extension as defined in RFC 6066.
33+
Currently Application Gateway supports a single public IP address where it listens for traffic. So multiple applications, each with its own IP address is currently not supported.
34+
35+
Application Gateway supports multiple applications each listening on different ports, but this scenario requires the applications to accept traffic on non-standard ports. This is often not a configuration that you want.
36+
37+
Application Gateway relies on HTTP 1.1 host headers to host more than one website on the same public IP address and port. The sites hosted on application gateway can also support SSL offload with Server Name Indication (SNI) TLS extension. This scenario means that the client browser and backend web farm must support HTTP/1.1 and TLS extension as defined in RFC 6066.
3438

3539
## Listener configuration element
3640

37-
Existing HTTPListener configuration element is enhanced to support host name and server name indication elements, which is used by application gateway to route traffic to appropriate backend pool. The following code example is the snippet of HttpListeners element from template file.
41+
Existing HTTPListener configuration elements are enhanced to support host name and server name indication elements. It's used by Application Gateway to route traffic to the appropriate backend pool.
42+
43+
The following code example is the snippet of an HttpListeners element from a template file:
3844

3945
```json
4046
"httpListeners": [
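Review bot: In the split paragraph at 33+, "currently" appears in both sentences and "each with its own IP address is currently not supported" needs commas; suggest "So hosting multiple applications, each with its own IP address, isn't supported." At 37+ the unchanged wording "SSL offload with Server Name Indication (SNI) TLS extension" mixes terms: SNI is a TLS extension, so "TLS termination (SSL offload) with the Server Name Indication (SNI) TLS extension" keeps the familiar term while being accurate, and "TLS extension as defined in RFC 6066" should name the SNI extension, since that RFC defines several extensions. At 41+ "It's used by Application Gateway" has no clear antecedent (the subject is plural); suggest "Application Gateway uses these elements to route traffic to the appropriate backend pool."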
@@ -76,7 +82,7 @@ You can visit [Resource Manager template using multiple site hosting](https://gi
7682

7783
## Routing rule
7884

79-
There is no change required in the routing rule. The routing rule 'Basic' should continue to be chosen to tie the appropriate site listener to the corresponding backend address pool.
85+
There's no change required in the routing rule. The routing rule 'Basic' should continue to be chosen to tie the appropriate site listener to the corresponding backend address pool.
8086

8187
```json
8288
"requestRoutingRules": [
