Merging changes synced from https://github.com/MicrosoftDocs/azure-do…

…cs-pr (branch live)
changeworld · May 8, 2019 · 0614c1a · 0614c1a
2 parents fe61caf + e6d5364
commit 0614c1a
Show file tree

Hide file tree

Showing 193 changed files with 1,072 additions and 600 deletions.
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
@@ -15125,6 +15125,11 @@
       "redirect_url": "/azure/aks/networking-overview",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/stream-analytics/custom-deserializer.md",
+      "redirect_url": "https://aka.ms/asapreview1",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/stream-analytics/stream-analytics-tools-for-visual-studio.md",
       "redirect_url": "/azure/stream-analytics/stream-analytics-quick-create-vs",

diff --git a/articles/active-directory/develop/TOC.yml b/articles/active-directory/develop/TOC.yml
@@ -342,6 +342,8 @@
           items:
             - name: Acquire a token from the cache
               href: msal-net-acquire-token-silently.md
+            - name: Clear the token cache
+              href: msal-net-clear-token-cache.md
             - name: Instantiate a public client with options
               href: msal-net-instantiate-public-client-config-options.md
             - name: Instantiate a confidential client with options

diff --git a/articles/active-directory/develop/msal-net-clear-token-cache.md b/articles/active-directory/develop/msal-net-clear-token-cache.md
@@ -0,0 +1,50 @@
+---
+title: Clear the token cache by using Microsoft Authentication Library for .NET - Azure
+description: Learn how to clear the token cache using the Microsoft Authentication Library for .NET (MSAL.NET).
+services: active-directory
+documentationcenter: dev-center-name
+author: rwike77
+manager: celested
+editor: ''
+
+ms.service: active-directory
+ms.subservice: develop
+ms.devlang: na
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.date: 05/07/2019
+ms.author: ryanwi
+ms.reviewer: saeeda
+ms.custom: aaddev
+#Customer intent: As an application developer, I want to learn how how to clear the token cache so I can .
+ms.collection: M365-identity-device-management
+---
+
+# Clear the token cache using MSAL.NET
+
+When you [acquire an access token](msal-acquire-cache-tokens.md) using Microsoft Authentication Library for .NET (MSAL.NET), the token is cached. When the application needs a token, it should first call the `AcquireTokenSilent` method to verify if an acceptable token is in the cache. 
+
+Clearing the cache is achieved by removing the accounts from the cache. This does not remove the session cookie which is in the browser, though.  The following example instantiates a public client application, gets the accounts for the application, and removes the accounts.
+
+```csharp
+private readonly IPublicClientApplication _app;
+private static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
+private static readonly string Authority = string.Format(CultureInfo.InvariantCulture, AadInstance, Tenant);
+
+_app = PublicClientApplicationBuilder.Create(ClientId)
+                .WithAuthority(Authority)
+                .Build();
+
+var accounts = (await _app.GetAccountsAsync()).ToList();
+
+// clear the cache
+while (accounts.Any())
+{
+   await _app.RemoveAsync(accounts.First());
+   accounts = (await _app.GetAccountsAsync()).ToList();
+}
+
+```
+
+To learn more about acquiring and caching tokens, read [acquire an access token](msal-acquire-cache-tokens.md).
diff --git a/articles/active-directory/fundamentals/active-directory-faq.md b/articles/active-directory/fundamentals/active-directory-faq.md
@@ -206,4 +206,4 @@ For more information, see [Automate user provisioning and deprovisioning to SaaS
 - - -
 **Q:  Can I set up a secure LDAP connection with Azure AD?**
 
-**A:**  No. Azure AD does not support the LDAP protocol. However, you can configure secure LDAP with Azure AD Domain Services.
+**A:**  No. Azure AD does not support the Lightweight Directory Access Protocol (LDAP) protocol. However, it's possible to use Azure AD Domain Services (Azure AD DS) with properly configured network security groups through Azure Networking to achieve LDAP connectivity. For more information, see https://docs.microsoft.com/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap.
diff --git a/...rectory/fundamentals/active-directory-how-subscriptions-associated-directory.md b/...rectory/fundamentals/active-directory-how-subscriptions-associated-directory.md
@@ -60,8 +60,8 @@ Before you can associate or add your subscription, you must perform the followin
 
     The directory is changed for the subscription and you get a success message.
 
-    ![Success message about directory change](media/active-directory-how-subscriptions-associated-directory/edit-directory-success.png)    
-4. Use the **Directory switcher** to go to your new directory. It might take up to 10 minutes for everything to show up properly.
+    ![Success message about directory change](media/active-directory-how-subscriptions-associated-directory/edit-directory-success.png)
+4. Use the **Directory switcher** to go to your new directory. It can take several hours for everything to show up properly. If it seems to be taking too long, make sure you check the **Global subscription filter** for the moved subscription, to make sure it's not simply hidden.
 
     ![Directory switcher page, with sample information](media/active-directory-how-subscriptions-associated-directory/directory-switcher.png)
 

diff --git a/articles/active-directory/reports-monitoring/reference-sign-ins-error-codes.md b/articles/active-directory/reports-monitoring/reference-sign-ins-error-codes.md
@@ -14,7 +14,7 @@ ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 04/25/2019
+ms.date: 05/08/2019
 ms.author: markvi
 ms.reviewer: dhanyahk
 
@@ -174,6 +174,7 @@ You can also programmatically access the sign-in data using the [reporting API](
 |90051|	Invalid Delegation Token. Invalid national Cloud ID ({cloudId}) is specified.|
 |90072| The account needs to be added as an external user in the tenant first. Sign-out and sign-in again with a different Azure AD account.|
 |90094| The grant requires administrator permissions. Ask your tenant administrator to provide consent for this application.|
+|500021|Tenant is restricted by company proxy. Denying the resource access.|
 |500121| Authentication failed during strong authentication request.|
 |500133| The assertion is not within its valid time range. Ensure that the access token is not expired before using it for user assertion, or request a new token.|
 |530021|Application does not meet the conditional access approved app requirements.|

diff --git a/articles/active-directory/saas-apps/bluejeans-tutorial.md b/articles/active-directory/saas-apps/bluejeans-tutorial.md
@@ -14,7 +14,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: tutorial
-ms.date: 12/31/2018
+ms.date: 04/16/2019
 ms.author: jeedes
 
 ms.collection: M365-identity-device-management
@@ -98,19 +98,19 @@ To configure Azure AD single sign-on with BlueJeans, perform the following steps
 
 3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
 
-	![Edit Basic SAML Configuration](common/edit-urls.png)
+	![Edit Basic SAML Configuration](media/bluejeans-tutorial/edit-urls-bluejeans.png)
 
-4. On the **Basic SAML Configuration** section, perform the following steps:
+4. In the **Basic SAML Configuration** dialog, enter the following values:
 
-    ![BlueJeans Domain and URLs single sign-on information](common/sp-identifier.png)
+    ![BlueJeans Domain and URLs single sign-on information](media/bluejeans-tutorial/tutorial_bluejeans-basic-configuration.png)
 
-    a. In the **Sign-on URL** text box, type a URL using the following pattern:
-    `https://<companyname>.BlueJeans.com`
-
-    b. In the **Identifier** text box, type a URL: `https://samlsp.bluejeans.com`
-
-	> [!NOTE]
-	> The Sign-on URL value is not real. Update the value with the actual Sign-On URL. Contact [BlueJeans Client support team](https://support.bluejeans.com/contact) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+   - In the **Identifier** text box, type the following:
+    `https://samlsp.bluejeans.com`
+    
+   - In the **Sign-on URL** text box, type the landing page URL provided to you by BlueJeans (to get this value, you can contact the [BlueJeans Client support team](https://support.bluejeans.com/contact)):
+    `https://<companyname>.bluejeans.com`
+    
+   - Click **Save**.
 
 5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
 

diff --git a/...les/active-directory/saas-apps/media/bluejeans-tutorial/edit-urls-bluejeans.png b/...les/active-directory/saas-apps/media/bluejeans-tutorial/edit-urls-bluejeans.png
diff --git a/...y/saas-apps/media/bluejeans-tutorial/tutorial_bluejeans-basic-configuration.png b/...y/saas-apps/media/bluejeans-tutorial/tutorial_bluejeans-basic-configuration.png
diff --git a/articles/active-directory/users-groups-roles/licensing-groups-resolve-problems.md b/articles/active-directory/users-groups-roles/licensing-groups-resolve-problems.md
@@ -106,10 +106,16 @@ If you use Exchange Online, some users in your tenant might be incorrectly confi
 > Run Get-Recipient | where {$_.EmailAddresses -match "user@contoso.onmicrosoft.com"} | fL Name, RecipientType,emailaddresses
 > ```
 > For more information about this problem, see ["Proxy address 
-> is already being used" error message in Exchange Online](https://support.microsoft.com/help/3042584/-proxy-address-address-is-already-being-used-error-message-in-exchange-online). The article also includes information on [how to connect to Exchange Online by using remote PowerShell](https://technet.microsoft.com/library/jj984289.aspx). See this article for more information [on how the proxyAddresses attribute is populated in Azure AD](https://support.microsoft.com/help/3190357/how-the-proxyaddresses-attribute-is-populated-in-azure-ad).
+> is already being used" error message in Exchange Online](https://support.microsoft.com/help/3042584/-proxy-address-address-is-already-being-used-error-message-in-exchange-online). The article also includes information on [how to connect to Exchange Online by using remote PowerShell](https://technet.microsoft.com/library/jj984289.aspx).
 
 After you resolve any proxy address problems for the affected users, make sure to force license processing on the group to make sure that the licenses can now be applied.
 
+## Azure AD Mail and ProxyAddresses attribute change
+
+**Problem:** While updating license assignment on a user or a group, you might see that the Azure AD Mail and ProxyAddresses attribute of some users are changed.
+
+Updating license assignment on a user causes the proxy address calculation to be triggered, which can change user attributes. To understand the exact reason of the change and solve the problem, see this article on [how the proxyAddresses attribute is populated in Azure AD](https://support.microsoft.com/help/3190357/how-the-proxyaddresses-attribute-is-populated-in-azure-ad).
+
 ## What happens when there's more than one product license on a group?
 
 You can assign more than one product license to a group. For example, you can assign Office 365 Enterprise E3 and Enterprise Mobility + Security to a group to easily enable all included services for users.

diff --git a/articles/aks/TOC.yml b/articles/aks/TOC.yml
@@ -140,6 +140,8 @@
       href: azure-files-dynamic-pv.md
     - name: Azure Files - Static
       href: azure-files-volume.md
+    - name: NFS Server - Static
+      href: azure-nfs-volume.md
   - name: Configure networking
     items:
     - name: Create or use existing virtual network

diff --git a/articles/aks/azure-nfs-volume.md b/articles/aks/azure-nfs-volume.md
@@ -0,0 +1,167 @@
+---
+title: Create an NFS (Network File System) Ubuntu Server for use by pods of Azure Kubernetes Service (AKS)
+description: Learn how to manually create an NFS Ubuntu Linux Server volume for use with pods in Azure Kubernetes Service (AKS)
+services: container-service
+author: ozboms
+
+ms.service: container-service
+ms.topic: article
+ms.date: 4/25/2019
+ms.author: obboms
+---
+
+# Manually create and use an NFS (Network File System) Linux Server volume with Azure Kubernetes Service (AKS)
+Sharing data between containers is often a necessary component of container-based services and applications. You usually have various pods that need access to the same information on an external persistent volume.    
+While Azure files are an option, creating an NFS Server on an Azure VM is another form of persistent shared storage. 
+
+This article will show you how to create an NFS Server on an Ubuntu virtual machine. And also give your AKS containers access to this shared file system.
+
+## Before you begin
+This article assumes that you have an existing AKS Cluster. If you need an AKS Cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli] or [using the Azure portal][aks-quickstart-portal].
+
+Your AKS Cluster will need to live in the same or peered virtual networks as the NFS Server. The cluster must be created in an existing VNET, which can be the same VNET as your VM.
+
+The steps for configuring with an existing VNET are described in the documentation: [creating AKS Cluster in existing VNET][aks-virtual-network] and [connecting virtual networks with VNET peering][peer-virtual-networks]
+
+It also assumes you've created an Ubuntu Linux Virtual Machine (for example, 18.04 LTS). Settings and size can be to your liking and can be deployed through Azure. For Linux quickstart, see [linux VM management][linux-create].
+
+If you deploy your AKS Cluster first, Azure will automatically populate the virtual network field when deploying your Ubuntu machine, making them live within the same VNET. But if you want to work with peered networks instead, consult the documentation above.
+
+## Deploying the NFS Server onto a Virtual Machine
+Here is the script to set up an NFS Server within your Ubuntu virtual machine:
+```bash
+#!/bin/bash
+
+# This script should be executed on Linux Ubuntu Virtual Machine
+
+EXPORT_DIRECTORY=${1:-/export/data}
+DATA_DIRECTORY=${2:-/data}
+AKS_SUBNET=${3:-*}
+
+echo "Updating packages"
+apt-get -y update
+
+echo "Installing NFS kernel server"
+
+apt-get -y install nfs-kernel-server
+
+echo "Making data directory ${DATA_DIRECTORY}"
+mkdir -p ${DATA_DIRECTORY}
+
+echo "Making new directory to be exported and linked to data directory: ${EXPORT_DIRECTORY}"
+mkdir -p ${EXPORT_DIRECTORY}
+
+echo "Mount binding ${DATA_DIRECTORY} to ${EXPORT_DIRECTORY}"
+mount --bind ${DATA_DIRECTORY} ${EXPORT_DIRECTORY}
+
+echo "Giving 777 permissions to ${EXPORT_DIRECTORY} directory"
+chmod 777 ${EXPORT_DIRECTORY}
+
+parentdir="$(dirname "$EXPORT_DIRECTORY")"
+echo "Giving 777 permissions to parent: ${parentdir} directory"
+chmod 777 $parentdir
+
+echo "Appending bound directories into fstab"
+echo "${DATA_DIRECTORY}    ${EXPORT_DIRECTORY}   none    bind  0  0" >> /etc/fstab
+
+echo "Appending localhost and Kubernetes subnet address ${AKS_SUBNET} to exports configuration file"
+echo "/export        ${AKS_SUBNET}(rw,async,insecure,fsid=0,crossmnt,no_subtree_check)" >> /etc/exports
+echo "/export        localhost(rw,async,insecure,fsid=0,crossmnt,no_subtree_check)" >> /etc/exports
+
+nohup service nfs-kernel-server restart
+```
+The server will restart (because of the script) and you can mount the NFS Server to AKS
+
+>[!IMPORTANT]  
+>Make sure to replace the **AKS_SUBNET** with the correct one from your cluster or else "*" will open your NFS Server to all ports and connections.
+
+After you've created your VM, copy the script above into a file. Then, you can move it from your local machine, or wherever the script is, into the VM using: 
+```console
+scp /path/to/script_file username@vm-ip-address:/home/{username}
+```
+Once your script is in your VM, you can ssh into the VM and execute it via the command:
+```console
+sudo ./nfs-server-setup.sh
+```
+If its execution fails because of a permission denied error, set execution permission via the command:
+```console
+chmod +x ~/nfs-server-setup.sh
+```
+
+## Connecting AKS Cluster to NFS Server
+We can connect the NFS Server to our cluster by provisioning a persistent volume and persistent volume claim that specifies how to access the volume.  
+Connecting the two services in the same or peered virtual networks is necessary. Instructions for setting up the cluster in the same VNET are here: [creating AKS Cluster in existing VNET][aks-virtual-network]
+
+Once they are in the same virtual network (or peered), you need to provision a persistent volume and a persistent volume claim in your AKS Cluster. The containers can then mount the NFS drive to their local directory.
+
+Here is an example kubernetes definition for the persistent volume (This definition assumes your cluster and VM are in the same VNET):
+
+```yaml
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: <NFS_NAME>
+  labels:
+    type: nfs
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    server: <NFS_INTERNAL_IP>
+    path: <NFS_EXPORT_FILE_PATH>
+```
+Replace **NFS_INTERNAL_IP**, **NFS_NAME** and **NFS_EXPORT_FILE_PATH** with NFS Server information.
+
+You'll also need a persistent volume claim file. Here is an example of what to include:
+
+>[!IMPORTANT]  
+>**"storageClassName"** needs to remain an empty string or the claim won't work.
+
+```yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: <NFS_NAME>
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: ""
+  resources:
+    requests:
+      storage: 1Gi
+  selector: 
+    matchLabels:
+      type: nfs
+```
+
+## Troubleshooting
+If you can't connect to the server from a cluster, an issue might be the exported directory, or its parent, doesn't have sufficient permissions to access the server.
+
+Check that both your export directory and its parent directory have 777 permissions.
+
+You can check permissions by running the command below and the directories should have *'drwxrwxrwx'* permissions:
+```console
+ls -l
+```
+
+## More information
+To get a full walkthrough or to help you debug your NFS Server setup, here is an in-depth tutorial:
+  - [NFS Tutorial][nfs-tutorial]
+
+## Next steps
+
+For associated best practices, see [Best practices for storage and backups in AKS][operator-best-practices-storage].
+
+<!-- LINKS - external -->
+[kubernetes-volumes]: https://kubernetes.io/docs/concepts/storage/volumes/
+[linux-create]: https://docs.microsoft.com/azure/virtual-machines/linux/tutorial-manage-vm
+[nfs-tutorial]: https://help.ubuntu.com/community/SettingUpNFSHowTo#Pre-Installation_Setup
+[aks-virtual-network]: https://docs.microsoft.com/azure/aks/configure-kubenet#create-an-aks-cluster-in-the-virtual-network
+[peer-virtual-networks]: https://docs.microsoft.com/azure/virtual-network/tutorial-connect-virtual-networks-portal
+
+<!-- LINKS - internal -->
+[aks-quickstart-cli]: kubernetes-walkthrough.md
+[aks-quickstart-portal]: kubernetes-walkthrough-portal.md
+[operator-best-practices-storage]: operator-best-practices-storage.md