Update apache-domain-joined-configure-using-azure-adds.md

Removed service endpoint requirement due to AAD saying it's only supported for Gen1 storage and added link to ID Broker for users that need MFA or have issues with conditional access policy.

Author: nicjohn79

articles/hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds.md

@@ -55,9 +55,9 @@ New-SelfSignedCertificate -Subject contoso100.onmicrosoft.com `
 ```
 
 > [!NOTE]  
-> Only tenant administrators have the privileges to enable Azure AD DS. If the cluster storage is Azure Data Lake Storage Gen1 or Gen2, you must disable Azure AD Multi-Factor Authentication only for users who will need to access the cluster by using basic Kerberos authentication.
+> Only tenant administrators have the privileges to enable Azure AD DS. If the cluster storage is Azure Data Lake Storage Gen1 or Gen2, you must disable Azure AD Multi-Factor Authentication only for users who will need to access the cluster by using basic Kerberos authentication.  If your organization requires Multi-Factor Authentication, try using the [HDInsight ID Broker feature](identity-broker.md).
 >
-> You can use [trusted IPs](../../active-directory/authentication/howto-mfa-mfasettings.md#trusted-ips) or [Conditional Access](../../active-directory/conditional-access/overview.md) to disable Multi-Factor Authentication for specific users *only* when they're accessing the IP range for the HDInsight cluster's virtual network. If you're using Conditional Access, make sure that the Active Directory service endpoint in enabled on the HDInsight virtual network.
+> You can use [trusted IPs](../../active-directory/authentication/howto-mfa-mfasettings.md#trusted-ips) or [Conditional Access](../../active-directory/conditional-access/overview.md) to disable Multi-Factor Authentication for specific users *only* when they're accessing the IP range for the HDInsight cluster's virtual network.
 >
 > If the cluster storage is Azure Blob storage, do not disable Multi-Factor Authentication.