Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr into owend0120

Author: Owen Duncan

articles/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap.md

@@ -13,7 +13,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 09/21/2016
+ms.date: 01/20/2016
 ms.author: maheshu
 
 ---
@@ -28,43 +28,45 @@ To perform the tasks listed in this article, you need:
 3. **Azure AD Domain Services** must be enabled for the Azure AD directory. If you haven't done so, follow all the tasks outlined in the [Getting Started guide](active-directory-ds-getting-started.md).
 4. A **certificate to be used to enable secure LDAP**.
 
-   * **Recommended** - Obtain a certificate from your enterprise CA or public certification authority. This configuration option is more secure.
+   * **Recommended** - Obtain a certificate from a trusted public certification authority. This configuration option is more secure.
    * Alternately, you may also choose to [create a self-signed certificate](#task-1---obtain-a-certificate-for-secure-ldap) as shown later in this article.
 
 <br>
 
 ### Requirements for the secure LDAP certificate
 Acquire a valid certificate per the following guidelines, before you enable secure LDAP. You encounter failures if you try to enable secure LDAP for your managed domain with an invalid/incorrect certificate.
 
-1. **Trusted issuer** - The certificate must be issued by an authority trusted by computers that need to connect to the domain using secure LDAP. This authority may be your organization's enterprise certification authority or a public certification authority trusted by these computers.
+1. **Trusted issuer** - The certificate must be issued by an authority trusted by computers that need to connect to the domain using secure LDAP. This authority may be a public certification authority trusted by these computers.
 2. **Lifetime** - The certificate must be valid for at least the next 3-6 months. Secure LDAP access to your managed domain is disrupted when the certificate expires.
 3. **Subject name** - The subject name on the certificate must be a wildcard for your managed domain. For instance, if your domain is named 'contoso100.com', the certificate's subject name must be '*.contoso100.com'. Set the DNS name (subject alternate name) to this wildcard name.
 4. **Key usage** - The certificate must be configured for the following uses - Digital signatures and key encipherment.
 5. **Certificate purpose** - The certificate must be valid for SSL server authentication.
 
+> [!NOTE]
+> **Enterprise Certification Authorities:** Azure AD Domain Services does not currently support using secure LDAP certificates issued by your organization's enterprise certification authority. This restriction is because the service does not trust your enterprise CA as a root certification authority. We expect to add support for enterprise CAs in the future. If you absolutely must use certificates issued by your enterprise CA, [contact us](active-directory-ds-contact-us.md) for assistance.
+> 
+> 
+
 <br>
 
 ## Task 1 - Obtain a certificate for secure LDAP
 The first task involves obtaining a certificate used for secure LDAP access to the managed domain. You have two options:
 
-* Obtain a certificate from a certification authority. The authority may be your organization's enterprise CA or a public certification authority.
+* Obtain a certificate from a certification authority. The authority may be a public certification authority.
 * Create a self-signed certificate.
 
 ### Option A (Recommended) - Obtain a secure LDAP certificate from a certification authority
-If your organization deploys an enterprise public key infrastructure (PKI), you need to obtain a certificate from the enterprise certification authority (CA) for your organization. If your organization obtains its certificates from a public certification authority, you need to obtain the secure LDAP certificate from that public certification authority.
+If your organization obtains its certificates from a public certification authority, you need to obtain the secure LDAP certificate from that public certification authority.
 
 When requesting a certificate, ensure that you follow the requirements outlined in [Requirement for the secure LDAP certificate](#requirements-for-the-secure-ldap-certificate).
 
 > [!NOTE]
-> Client computers that need to connect to the managed domain using secure LDAP must trust the issuer of the LDAPS certificate.
+> Client computers that need to connect to the managed domain using secure LDAP must trust the issuer of the secure LDAP certificate.
 > 
 > 
 
 ### Option B - Create a self-signed certificate for secure LDAP
-You may choose to create a self-signed certificate for secure LDAP, if:
-
-* certificates in your organization are not issued by an enterprise certification authority or
-* you do not expect to use a certificate from a public certification authority.
+If you do not expect to use a certificate from a public certification authority, you may choose to create a self-signed certificate for secure LDAP.
 
 **Create a self-signed certificate using PowerShell**
 
@@ -81,7 +83,7 @@ In the preceding sample, replace 'contoso100.com' with the DNS domain name of yo
 The newly created self-signed certificate is placed in the local machine's certificate store.
 
 ## Task 2 - Export the secure LDAP certificate to a .PFX file
-Before you start this task, ensure that you have obtained the secure LDAP certificate from your enterprise certification authority or a public certification authority or have created a self-signed certificate.
+Before you start this task, ensure that you have obtained the secure LDAP certificate from a public certification authority or have created a self-signed certificate.
 
 Perform the following steps, to export the LDAPS certificate to a .PFX file.
 
@@ -170,7 +172,7 @@ To enable secure LDAP, perform the following configuration steps:
     ![Secure LDAP - pending state](./media/active-directory-domain-services-admin-guide/secure-ldap-pending-state.png)
 
    > [!NOTE]
-   > It takes about 10 to 15 minutes to enable secure LDAP for your managed domain. If the provided secure LDAP certificate does not match the required criteria, secure LDAP is not enabled for your directory and you see a failure. For example, the domain name is incorrect, the certificate is expired or expires soon etc.
+   > It takes about 10 to 15 minutes to enable secure LDAP for your managed domain. If the provided secure LDAP certificate does not match the required criteria, secure LDAP is not enabled for your directory and you see a failure. For example, the domain name is incorrect, the certificate has already expired or expires soon.
    > 
    > 
 9. When secure LDAP is successfully enabled for your managed domain, the **Pending...** message should disappear. You should see the thumbprint of the certificate displayed.

articles/active-directory/develop/active-directory-devquickstarts-angular.md

@@ -18,7 +18,6 @@ ms.author: dastrock
 
 ---
 # Securing AngularJS Single Page Apps with Azure AD
-[!INCLUDE [active-directory-devquickstarts-switcher](../../../includes/active-directory-devquickstarts-switcher.md)]
 
 [!INCLUDE [active-directory-devguide](../../../includes/active-directory-devguide.md)]
 
@@ -54,6 +53,7 @@ To enable your app to authenticate users and get tokens, you'll first need to re
   * Click the application and choose **Manifest** to open the inline manifest editor.
   * Locate the `oauth2AllowImplicitFlow` property. Set its value to `true`.
   * Click **Save** to save the manifest.
+8. Grant permissions across your tenant for your application. Go to Settings -> Properties -> Required Permissions, and click the **Grant Permissions** button in the top bar. Click **Yes** to confirm. 
 
 ## 2. Install ADAL & Configure the SPA
 Now that you have an application in Azure AD, you can install adal.js and write your identity-related code.

articles/app-service-web/TOC.md

@@ -7,12 +7,13 @@
 # Get started
 
 ## Web Apps
-### [.NET](web-sites-dotnet-get-started.md)
-### [Node.js](app-service-web-nodejs-get-started.md)
-### [Python](web-sites-python-ptvs-django-mysql.md)
-### [Java](web-sites-java-get-started.md)
+### [HTML](app-service-web-get-started-html.md)
+### [.NET](app-service-web-get-started-dotnet.md)
+### [Node.js](app-service-web-get-started-nodejs.md)
+### [Python](app-service-web-get-started-python.md)
+### [Java](app-service-web-get-started-java.md)
 ### [Marketplace app](web-sites-php-web-site-gallery.md)
-### [PHP](app-service-web-php-get-started.md)	
+### [PHP](app-service-web-get-started-php.md)	
 
 ## API Apps
 ### [.NET](../app-service-api/app-service-api-dotnet-get-started.md)
@@ -60,26 +61,26 @@
 ### [WebJobs SDK](websites-dotnet-webjobs-sdk-get-started.md)
 
 ### ASP.NET apps
-#### [Deploy your first .NET web app to Azure in five minutes](app-service-web-get-started-dotnet.md)
+#### [Create an ASP.NET app in Azure with Visual Studio](web-sites-dotnet-get-started.md)
 #### [Create a REST service using ASP.NET Web API](web-sites-dotnet-rest-service-aspnet-api-sql-database.md)
 #### [Create an ASP.NET 5 web app in Visual Studio Code](web-sites-create-web-app-using-vscode.md)
 
 ### Node.js apps
+#### [Develop Node.js for App Service](app-service-web-nodejs-get-started.md)
 #### [Create a Node.js web app](web-sites-nodejs-develop-deploy-mac.md)
 #### [Create a Node.js chat application with Socket.IO](web-sites-nodejs-chat-app-socketio.md)
 #### [How to use io.js with Web Apps](web-sites-nodejs-iojs.md)
 #### [Deploy a Sails.js web app to Azure App Service](app-service-web-nodejs-sails.md)
 #### [Build and deploy using WebMatrix](web-sites-nodejs-use-webmatrix.md)
 
 ### PHP apps
-#### [Deploy your first PHP web app to Azure in five minutes](app-service-web-get-started-php.md)
+#### [Develop PHP apps for App Service](app-service-web-php-get-started.md)	
 #### [Create a PHP-SQL web app and deploy using Git](web-sites-php-sql-database-deploy-use-git.md)
 #### [Create a WordPress web app in Azure App Service](web-sites-php-web-site-gallery.md)
 #### [Create and connect to a MySQL database in Azure](../store-php-create-mysql-database.md?toc=%2fazure%2fapp-service-web%2ftoc.json)
 #### [Enterprise-class WordPress on Azure App Service](web-sites-php-enterprise-wordpress.md)
 
 ### Java apps
-#### [Deploy your first Java web app to Azure in five minutes](web-sites-java-get-started.md)
 #### Create a Hello World app
 ##### [Eclipse](app-service-web-eclipse-create-hello-world-web-app.md)
 ##### [IntelliJ](app-service-web-intellij-create-hello-world-web-app.md)

articles/azure-government/TOC.md

@@ -36,3 +36,4 @@
 ## [Pricing](https://azure.microsoft.com/pricing/)
 ## [Trial](https://azuregov.microsoft.com/trial/azuregovtrial)
 ## [Blog](https://blogs.msdn.microsoft.com/azuregov/)
+## [Azure Government Website](https://azure.microsoft.com/overview/clouds/government/)

articles/data-factory/data-factory-compute-linked-services.md

@@ -86,7 +86,7 @@ To use a Windows-based HDInsight cluster, set **osType** to **windows** or do no
 | clusterSize |Number of worker/data nodes in the cluster. The HDInsight cluster is created with 2 head nodes along with the number of worker nodes you specify for this property. The nodes are of size Standard_D3 that has 4 cores, so a 4 worker node cluster takes 24 cores (4*4 for worker nodes + 2*4 for head nodes). See [Create Linux-based Hadoop clusters in HDInsight](../hdinsight/hdinsight-hadoop-provision-linux-clusters.md) for details about the Standard_D3 tier. |Yes |
 | timetolive |The allowed idle time for the on-demand HDInsight cluster. Specifies how long the on-demand HDInsight cluster stays alive after completion of an activity run if there are no other active jobs in the cluster.<br/><br/>For example, if an activity run takes 6 minutes and timetolive is set to 5 minutes, the cluster stays alive for 5 minutes after the 6 minutes of processing the activity run. If another activity run is executed with the 6 minutes window, it is processed by the same cluster.<br/><br/>Creating an on-demand HDInsight cluster is an expensive operation (could take a while), so use this setting as needed to improve performance of a data factory by reusing an on-demand HDInsight cluster.<br/><br/>If you set timetolive value to 0, the cluster is deleted as soon as the activity run in processed. On the other hand, if you set a high value, the cluster may stay idle unnecessarily resulting in high costs. Therefore, it is important that you set the appropriate value based on your needs.<br/><br/>Multiple pipelines can share the same instance of the on-demand HDInsight cluster if the timetolive property value is appropriately set |Yes |
 | version |Version of the HDInsight cluster. The default value is 3.1 for Windows cluster and 3.2 for Linux cluster. |No |
-| linkedServiceName |Azure Storage linked service to be used by the on-demand cluster for storing and processing data. |Yes |
+| linkedServiceName |Azure Storage linked service to be used by the on-demand cluster for storing and processing data. <p>Currently, you cannot create an on-demand HDInsight cluster that uses an Azure Data Lake Store as the storage. If you want to store the result data from HDInsight processing in an Azure Data Lake Store, use a Copy Activity to copy the data from the Azure Blob Storage to the Azure Data Lake Store.</p>  | Yes |
 | additionalLinkedServiceNames |Specifies additional storage accounts for the HDInsight linked service so that the Data Factory service can register them on your behalf. |No |
 | osType |Type of operating system. Allowed values are: Windows (default) and Linux |No |
 | hcatalogLinkedServiceName |The name of Azure SQL linked service that point to the HCatalog database. The on-demand HDInsight cluster is created by using the Azure SQL database as the metastore. |No |
@@ -208,7 +208,7 @@ You can create an Azure HDInsight linked service to register your own HDInsight
 | clusterUri |The URI of the HDInsight cluster. |Yes |
 | username |Specify the name of the user to be used to connect to an existing HDInsight cluster. |Yes |
 | password |Specify password for the user account. |Yes |
-| linkedServiceName |Name of the linked service for the blob storage used by this HDInsight cluster. |Yes |
+| linkedServiceName |Name of the linked service for the Azure Blob Storage / Azure Data Lake Store used by this HDInsight cluster. |Yes |
 
 ## Azure Batch Linked Service
 You can create an Azure Batch linked service to register a Batch pool of virtual machines (VMs) to a data factory. You can run .NET custom activities using either Azure Batch or Azure HDInsight.

articles/log-analytics/TOC.md

@@ -10,7 +10,7 @@
 ## [Log Analytics FAQ](log-analytics-faq.md)
 
 # How To
-## Integrate
+## Collect data
 ### Connected sources
 #### [Windows agents](log-analytics-windows-agents.md)
 #### [Linux agents](log-analytics-linux-agents.md)
@@ -19,19 +19,23 @@
 #### [Operations Manager](log-analytics-om-agents.md)
 #### [Configuration Manager](log-analytics-sccm.md)
 #### [OMS Gateway](log-analytics-oms-gateway.md)
-### Data Sources
+### Data sources
 #### [Data sources overview](log-analytics-data-sources.md)
 #### [Windows events](log-analytics-data-sources-windows-events.md)
 #### [Syslog](log-analytics-data-sources-syslog.md)
 #### [Performance counters](log-analytics-data-sources-performance-counters.md)
 #### [IIS logs](log-analytics-data-sources-iis-logs.md)
 #### [Custom logs](log-analytics-data-sources-custom-logs.md)
 #### [Custom fields](log-analytics-custom-fields.md)
-## Develop
+## Query data
 ### [Log searches overview](log-analytics-log-searches.md)
 ### [Search reference](log-analytics-search-reference.md)
 ### [Computer groups](log-analytics-computer-groups.md)
 ### [Alerts](log-analytics-alerts.md)
+## Analyze data
+### [Dashboards](log-analytics-dashboards.md)
+### [View Designer](log-analytics-view-designer.md)
+### [Power BI](log-analytics-powerbi.md)
 ### Solutions
 #### [Solutions overview](log-analytics-add-solutions.md)
 #### [AD Assessment](log-analytics-ad-assessment.md)
@@ -52,11 +56,7 @@
 #### [VMware](log-analytics-vmware.md)
 #### [Wire Data](log-analytics-wire-data.md)
 #### [SCOM Assessment](log-analytics-scom-assessment.md)
-## Analyze
-### [Dashboards](log-analytics-dashboards.md)
-### [View Designer](log-analytics-view-designer.md)
-### [Power BI](log-analytics-powerbi.md)
-## Automate
+## Develop
 ### [Data collector API](log-analytics-data-collector-api.md)
 ### [PowerShell cmdlets](log-analytics-powershell-workspace-configuration.md)
 ### [Log Search API](log-analytics-log-search-api.md)

articles/storage/storage-disaster-recovery-guidance.md

@@ -13,10 +13,11 @@ ms.workload: storage
 ms.tgt_pltfrm: na
 ms.devlang: dotnet
 ms.topic: article
-ms.date: 12/08/2016
+ms.date: 1/19/2017
 ms.author: robinsh
 
 ---
+
 # What to do if an Azure Storage outage occurs
 At Microsoft, we work hard to make sure our services are always available. Sometimes, forces beyond our control impact us in ways that cause unplanned service outages in one or more regions. To help you handle these rare occurrences, we provide the following high-level guidance for Azure Storage services.
 
@@ -51,7 +52,9 @@ A couple of points regarding the storage geo-failover experience:
 * Storage geo-failover will only be triggered by the Azure Storage team – there is no customer action required.
 * Your existing storage service endpoints for blobs, tables, queues, and files will remain the same after the failover; the DNS entry will need to be updated to switch from the primary region to the secondary region.
 * Before and during the geo-failover, you won’t have write access to your storage account due to the impact of the disaster but you can still read from the secondary if your storage account has been configured as RA-GRS.
-* When the geo-failover has been completed and the DNS changes propagated, your read and write access to your storage account will be resumed. You can query [“Last Geo Failover Time” of your storage account](https://msdn.microsoft.com/library/azure/ee460802.aspx) to get more details.
+* When the geo-failover has been completed and the DNS changes propagated, read and write access to your storage account will be resumed; this points to what used to be your secondary endpoint. 
+* Note that you will have write access if you have GRS or RA-GRS configured for the storage account. 
+* You can query [“Last Geo Failover Time” of your storage account](https://msdn.microsoft.com/library/azure/ee460802.aspx) to get more details.
 * After the failover, your storage account will be fully functioning, but in a “degraded” status, as it is actually hosted in a standalone region with no geo-replication possible. To mitigate this risk, we will restore the original primary region and then do a geo-failback to restore the original state. If the original primary region is unrecoverable, we will allocate another secondary region.
   For more details on the infrastructure of Azure Storage geo replication, please refer to the article on the Storage team blog about [Redundancy Options and RA-GRS](https://blogs.msdn.microsoft.com/windowsazurestorage/2013/12/11/windows-azure-storage-redundancy-options-and-read-access-geo-redundant-storage/).
 
@@ -63,3 +66,5 @@ There are some recommended approaches to back up your storage data on a regular
 * Tables – use [AzCopy](storage-use-azcopy.md) to export the table data into another storage account in another region.
 * Files – use [AzCopy](storage-use-azcopy.md) or [Azure PowerShell](storage-powershell-guide-full.md) to copy your files to another storage account in another region.
 
+For information about creating applications that take full advantage of the RA-GRS feature, please check out [Designing Highly Available Applications using RA-GRS Storage](storage-designing-ha-apps-with-ragrs.md)
+