Updates from: 01/21/2021 04:05:27
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md
@@ -6,7 +6,7 @@ services: active-directory
ms.service: active-directory ms.subservice: authentication ms.topic: conceptual
-ms.date: 12/04/2020
+ms.date: 01/19/2021
ms.author: justinha author: justinha
@@ -27,18 +27,18 @@ This article outlines what combined security registration is. To get started wit
> [!div class="nextstepaction"] > [Enable combined security registration](howto-registration-mfa-sspr-combined.md)
-![My Profile showing registered Security info for a user](media/concept-registration-mfa-sspr-combined/combined-security-info-defualts-registered.png)
+![My Account showing registered Security info for a user](media/concept-registration-mfa-sspr-combined/combined-security-info-defaults-registered.png)
Before enabling the new experience, review this administrator-focused documentation and the user-focused documentation to ensure you understand the functionality and effect of this feature. Base your training on the [user documentation](../user-help/security-info-setup-signin.md) to prepare your users for the new experience and help to ensure a successful rollout. Azure AD combined security information registration is not currently available to national clouds like Azure Germany or Azure China 21Vianet. It is available for Azure US Government. > [!IMPORTANT]
-> Users that are enabled for both the original preview and the enhanced combined registration experience see the new behavior. Users that are enabled for both experiences see only the new My Profile experience. The new *My Profile* aligns with the look and feel of combined registration and provides a seamless experience for users. Users can see My Profile by going to [https://myprofile.microsoft.com](https://myprofile.microsoft.com).
+> Users that are enabled for both the original preview and the enhanced combined registration experience see the new behavior. Users that are enabled for both experiences see only the My Account experience. The *My Account* aligns with the look and feel of combined registration and provides a seamless experience for users. Users can see My Account by going to [https://myaccount.microsoft.com](https://myaccount.microsoft.com).
> > You might encounter an error message while trying to access the Security info option, such as, "Sorry, we can't sign you in". Confirm that you don't have any configuration or group policy object that blocks third-party cookies on the web browser.
-*My Profile* pages are localized based on the language settings of the computer accessing the page. Microsoft stores the most recent language used in the browser cache, so subsequent attempts to access the pages continue to render in the last language used. If you clear the cache, the pages re-render.
+*My Account* pages are localized based on the language settings of the computer accessing the page. Microsoft stores the most recent language used in the browser cache, so subsequent attempts to access the pages continue to render in the last language used. If you clear the cache, the pages re-render.
If you want to force a specific language, you can add `?lng=<language>` to the end of the URL, where `<language>` is the code of the language you want to render.
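Review bot: The image path fix (combined-security-info-defualts-registered.png to combined-security-info-defaults-registered.png) only updates the reference in the markdown; confirm the file under media/concept-registration-mfa-sspr-combined/ was renamed in the same commit, otherwise the screenshot breaks on publish. In the IMPORTANT note, the new sentence "The *My Account* aligns with the look and feel of combined registration" reads oddly with the article in front of a product name; suggest "The *My Account* experience aligns with the look and feel of combined registration" so it parallels the preceding sentence. The rest of the rename is consistent with the new myaccount.microsoft.com URL.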
@@ -113,7 +113,7 @@ If the SSPR policy requires users to review their security info at regular inter
### Manage mode
-Users can access manage mode by going to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo) or by selecting **Security info** from My Profile. From there, users can add methods, delete or change existing methods, change the default method, and more.
+Users can access manage mode by going to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo) or by selecting **Security info** from My Account. From there, users can add methods, delete or change existing methods, change the default method, and more.
## Key usage scenarios
@@ -123,17 +123,17 @@ An admin has enforced registration.
A user has not set up all required security info and goes to the Azure portal. After entering the user name and password, the user is prompted to set up security info. The user then follows the steps shown in the wizard to set up the required security info. If your settings allow it, the user can choose to set up methods other than those shown by default. After completing the wizard, users review the methods they set up and their default method for Multi-Factor Authentication. To complete the setup process, the user confirms the info and continues to the Azure portal.
-### Set up security info from My Profile
+### Set up security info from My Account
An admin has not enforced registration.
-A user who hasn't yet set up all required security info goes to [https://myprofile.microsoft.com](https://myprofile.microsoft.com). The user selects **Security info** in the left pane. From there, the user chooses to add a method, selects any of the methods available, and follows the steps to set up that method. When finished, the user sees the method that was set up on the Security info page.
+A user who hasn't yet set up all required security info goes to [https://myaccount.microsoft.com](https://myaccount.microsoft.com). The user selects **Security info** in the left pane. From there, the user chooses to add a method, selects any of the methods available, and follows the steps to set up that method. When finished, the user sees the method that was set up on the Security info page.
-### Delete security info from My Profile
+### Delete security info from My Account
A user who has previously set up at least one method navigates to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). The user chooses to delete one of the previously registered methods. When finished, the user no longer sees that method on the Security info page.
-### Change the default method from My Profile
+### Change the default method from My Account
A user who has previously set up at least one method that can be used for Multi-Factor Authentication navigates to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). The user changes the current default method to a different default method. When finished, the user sees the new default method on the Security info page.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-registration-mfa-sspr-combined-troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-registration-mfa-sspr-combined-troubleshoot.md
@@ -6,7 +6,7 @@ services: active-directory
ms.service: active-directory ms.subservice: authentication ms.topic: troubleshooting
-ms.date: 04/15/2020
+ms.date: 01/19/2021
ms.author: justinha author: justinha
@@ -21,7 +21,7 @@ The information in this article is meant to guide admins who are troubleshooting
## Audit logs
-The events logged for combined registration are in the Authentication Methods category in the Azure AD audit logs.
+The events logged for combined registration are in the Authentication Methods service in the Azure AD audit logs.
![Azure AD Audit logs interface showing registration events](media/howto-registration-mfa-sspr-combined-troubleshoot/combined-security-info-audit-log.png)
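Review bot: Changing "category" to "service" in the sentence while leaving combined-security-info-audit-log.png untouched risks a screenshot that still shows the old filter; verify the image reflects the Service filter in the Azure AD audit logs UI, since this troubleshooting article is what admins follow to locate registration events. The sentence would also be more actionable if it named the activity entries admins should expect under that service rather than only "the events logged for combined registration".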
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-provisioning/how-to-configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-provisioning/how-to-configure.md deleted file mode 100644
@@ -1,93 +0,0 @@
-title: 'Azure AD Connect cloud provisioning new agent configuration'
-description: This article describes how to install cloud provisioning.
-services: active-directory
-author: billmath
-manager: daveba
-ms.service: active-directory
-ms.workload: identity
-ms.topic: how-to
-ms.date: 02/26/2020
-ms.subservice: hybrid
-ms.author: billmath
-ms.collection: M365-identity-device-management
-
-# Create a new configuration for Azure AD Connect cloud-based provisioning
-
-After you've installed the agent, you need to sign in to the Azure portal and configure Azure Active Directory (Azure AD) Connect cloud provisioning. Follow these steps to enable the agent.
-
-## Configure provisioning
-To configure provisioning, follow these steps.
-
- 1. In the Azure portal, select **Azure Active Directory**
- 2. Select **Azure AD Connect**.
- 3. Select **Manage provisioning**.
-
- ![Manage provisioning](media/how-to-configure/manage1.png)
-
- 4. Select **New configuration**.
- 5. On the configuration screen, select your domain and whether to enable password hash sync. Click **Create**.
-
- ![Create new configuration](media/how-to-configure/configure1.png)
--
- 6. The Edit provisioning configuration screen will open.
-
- ![Edit configuration](media/how-to-configure/configure2.png)
-
- 7. Enter a **Notification email**. This email will be notified when provisioning isn't healthy.
- 8. Move the selector to Enable, and select Save.
-
-## Scope provisioning to specific users and groups
-You can scope the agent to synchronize specific users and groups by using on-premises Active Directory groups or organizational units. You can't configure groups and organizational units within a configuration.
-
- 1. In the Azure portal, select **Azure Active Directory**.
- 2. Select **Azure AD Connect**.
- 3. Select **Manage provisioning (Preview)**.
- 4. Under **Configuration**, select your configuration.
-
- ![Configuration section](media/how-to-configure/scope1.png)
-
- 5. Under **Configure**, select **Edit scoping filters** to change the scope of the configuration rule.
- ![Edit scope](media/how-to-configure/scope3.png)
- 7. On the right, you can change the scope. Click **Done** and **Save** when you have finished.
- 8. Once you have changed the scope, you should [restart provisioning](#restart-provisioning) to initiate an immediate synchronization of the changes.
-
-## Attribute mapping
-Azure AD Connect cloud provisioning allows you to easily map attributes between your on-premises user/group objects and the objects in Azure AD. You can customize the default attribute-mappings according to your business needs. So, you can change or delete existing attribute-mappings, or create new attribute-mappings. For more information see [attribute mapping](how-to-attribute-mapping.md).
-
-## On-demand provisioning
-Azure AD Connect cloud provisioning allows you to test configuration changes, by applying these changes to a single user or group. You can use this to validate and verify that the changes made to the configuration were applied properly and are being correctly synchronized to Azure AD. For more information see [on-demand provisioning](how-to-on-demand-provision.md).
-
-## Restart provisioning
-If you don't want to wait for the next scheduled run, trigger the provisioning run by using the **Restart provisioning** button.
- 1. In the Azure portal, select **Azure Active Directory**.
- 2. Select **Azure AD Connect**.
- 3. Select **Manage provisioning (Preview)**.
- 4. Under **Configuration**, select your configuration.
-
- ![Configuration selection to restart provisioning](media/how-to-configure/scope1.png)
-
- 5. At the top, select **Restart provisioning**.
-
-## Remove a configuration
-To delete a configuration, follow these steps.
-
- 1. In the Azure portal, select **Azure Active Directory**.
- 2. Select **Azure AD Connect**.
- 3. Select **Manage provisioning (Preview)**.
- 4. Under **Configuration**, select your configuration.
-
- ![Configuration selection to remove configuration](media/how-to-configure/scope1.png)
-
- 5. At the top of the configuration screen, select **Delete**.
-
->[!IMPORTANT]
->There's no confirmation prior to deleting a configuration. Make sure this is the action you want to take before you select **Delete**.
--
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud provisioning?](what-is-cloud-provisioning.md)
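Review bot: Deleting articles/active-directory/cloud-provisioning/how-to-configure.md removes a published how-to with no visible redirect to its cloud-sync replacement; confirm a redirection entry for this URL accompanies the deletion, otherwise existing inbound links (including the "#restart-provisioning" anchor the page itself used) will 404. The removed page also carried the only caveat that "There's no confirmation prior to deleting a configuration"; make sure that warning survives in whichever cloud-sync article replaces this one.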
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/concept-attributes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/concept-attributes.md new file mode 100644
@@ -0,0 +1,254 @@
+---
+title: 'Understand the Azure AD schema and custom expressions'
+description: This article describes the Azure AD schema, the attributes that the provisioning agent flows, and custom expressions.
+services: active-directory
+documentationcenter: ''
+author: billmath
+manager: daveba
+editor: ''
+ms.service: active-directory
+ms.devlang: na
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.date: 02/18/2019
+ms.subservice: hybrid
+ms.author: billmath
+
+ms.collection: M365-identity-device-management
+---
++
+# Understand the Azure AD schema
+An object in Azure Active Directory (Azure AD), like any directory, is a programmatic high-level data construct that represents such things as users, groups, and contacts. When you create a new user or contact in Azure AD, you're creating a new instance of that object. These instances can be differentiated based on their properties.
+
+Properties in Azure AD are the elements responsible for storing information about an instance of an object in Azure AD.
+
+The Azure AD schema defines the rules for which properties might be used in an entry, the kinds of values that those properties might have, and how users might interact with those values.
+
+Azure AD has two types of properties:
+- **Built-in properties**: Properties that are predefined by the Azure AD schema. These properties provide different uses and might or might not be accessible.
+- **Directory extensions**: Properties that are provided so that you can customize Azure AD for your own use. For example, if you've extended your on-premises Active Directory with a certain attribute and want to flow that attribute, you can use one of the custom properties that's provided.
+
+## Attributes and expressions
+When an object such as a user is provisioned to Azure AD, a new instance of the user object is created. This creation includes the properties of that object, which are also known as attributes. Initially, the newly created object has its attributes set to values that are determined by the synchronization rules. These attributes are then kept up to date via the cloud provisioning agent.
+
+![Object provisioning](media/concept-attributes/attribute-1.png)
+
+For example, a user might be part of a Marketing department. Their Azure AD department attribute is initially created when they're provisioned, and the value is set to Marketing. Six months later if they change to Sales, their on-premises Active Directory department attribute is changed to Sales. This change synchronizes to Azure AD and is reflected in their Azure AD user object.
+
+Attribute synchronization might be direct, where the value in Azure AD is directly set to the value of the on-premises attribute. Or, a programmatic expression might handle the synchronization. A programmatic expression is needed in cases where some logic or a determination must be made to populate the value.
+
+For example, if you had the mail attribute "john.smith@contoso.com" and needed to strip out the "@contoso.com" portion and flow only the value "john.smith," you'd use something like this:
+
+`Replace([mail], "@contoso.com", , ,"", ,)`
+
+**Sample input/output:** <br>
+
+* **INPUT** (mail): "john.smith@contoso.com"
+* **OUTPUT**: "john.smith"
+
+For more information on how to write custom expressions and the syntax, see [Writing expressions for attribute mappings in Azure Active Directory](../app-provisioning/functions-for-customizing-application-data.md).
+
+The following table lists common attributes and how they're synchronized to Azure AD.
++
+|On-premises Active Directory|Mapping type|Azure AD|
+|-----|-----|-----|
+|cn|Direct|commonName
+|countryCode|Direct|countryCode|
+|displayName|Direct|displayName|
+|givenName|Expression|givenName|
+|objectGUID|Direct|sourceAnchorBinary|
+|userprincipalName|Direct|userPrincipalName|
+|ProxyAdress|Direct|ProxyAddress|
+
+## View the schema
+> [!WARNING]
+> The cloud sync configuration creates a service principal. The service principal is visible in the Azure portal. You should not modify the attribute mappings using the service principal experience in the Azure portal. This is not supported.
+
+To view the schema and verify it, follow these steps.
+
+1. Go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
+1. Sign in with your global administrator account.
+1. On the left, select **modify permissions** and ensure that **Directory.ReadWrite.All** is *Consented*.
+1. Run the query `https://graph.microsoft.com/beta/serviceprincipals/?$filter=startswith(Displayname,'Active')`. This query returns a filtered list of service principals.
+1. Locate `"appDisplayName": "Active Directory to Azure Active Directory Provisioning"` and note the value for `"id"`.
+ ```
+ "value": [
+ {
+ "id": "00d41b14-7958-45ad-9d75-d52fa29e02a1",
+ "deletedDateTime": null,
+ "accountEnabled": true,
+ "appDisplayName": "Active Directory to Azure Active Directory Provisioning",
+ "appId": "1a4721b3-e57f-4451-ae87-ef078703ec94",
+ "applicationTemplateId": null,
+ "appOwnerOrganizationId": "47df5bb7-e6bc-4256-afb0-dd8c8e3c1ce8",
+ "appRoleAssignmentRequired": false,
+ "displayName": "Active Directory to Azure Active Directory Provisioning",
+ "errorUrl": null,
+ "homepage": "https://account.activedirectory.windowsazure.com:444/applications/default.aspx?metadata=AD2AADProvisioning|ISV9.1|primary|z",
+ "loginUrl": null,
+ "logoutUrl": null,
+ "notificationEmailAddresses": [],
+ "preferredSingleSignOnMode": null,
+ "preferredTokenSigningKeyEndDateTime": null,
+ "preferredTokenSigningKeyThumbprint": null,
+ "publisherName": "Active Directory Application Registry",
+ "replyUrls": [],
+ "samlMetadataUrl": null,
+ "samlSingleSignOnSettings": null,
+ "servicePrincipalNames": [
+ "http://adapplicationregistry.onmicrosoft.com/adprovisioningtoaad/primary",
+ "1a4721b3-e57f-4451-ae87-ef078703ec94"
+ ],
+ "signInAudience": "AzureADMultipleOrgs",
+ "tags": [
+ "WindowsAzureActiveDirectoryIntegratedApp"
+ ],
+ "addIns": [],
+ "api": {
+ "resourceSpecificApplicationPermissions": []
+ },
+ "appRoles": [
+ {
+ "allowedMemberTypes": [
+ "User"
+ ],
+ "description": "msiam_access",
+ "displayName": "msiam_access",
+ "id": "a0326856-1f51-4311-8ae7-a034d168eedf",
+ "isEnabled": true,
+ "origin": "Application",
+ "value": null
+ }
+ ],
+ "info": {
+ "termsOfServiceUrl": null,
+ "supportUrl": null,
+ "privacyStatementUrl": null,
+ "marketingUrl": null,
+ "logoUrl": null
+ },
+ "keyCredentials": [],
+ "publishedPermissionScopes": [
+ {
+ "adminConsentDescription": "Allow the application to access Active Directory to Azure Active Directory Provisioning on behalf of the signed-in user.",
+ "adminConsentDisplayName": "Access Active Directory to Azure Active Directory Provisioning",
+ "id": "d40ed463-646c-4efe-bb3e-3fa7d0006688",
+ "isEnabled": true,
+ "type": "User",
+ "userConsentDescription": "Allow the application to access Active Directory to Azure Active Directory Provisioning on your behalf.",
+ "userConsentDisplayName": "Access Active Directory to Azure Active Directory Provisioning",
+ "value": "user_impersonation"
+ }
+ ],
+ "passwordCredentials": []
+ },
+ ```
+1. Replace `{Service Principal id}` with your value, and run the query `https://graph.microsoft.com/beta/serviceprincipals/{Service Principal id}/synchronization/jobs/`.
+1. Locate `"id": "AD2AADProvisioning.fd1c9b9e8077402c8bc03a7186c8f976"` and note the value for `"id"`.
+ ```
+ {
+ "id": "AD2AADProvisioning.fd1c9b9e8077402c8bc03a7186c8f976",
+ "templateId": "AD2AADProvisioning",
+ "schedule": {
+ "expiration": null,
+ "interval": "PT2M",
+ "state": "Active"
+ },
+ "status": {
+ "countSuccessiveCompleteFailures": 0,
+ "escrowsPruned": false,
+ "code": "Active",
+ "lastSuccessfulExecutionWithExports": null,
+ "quarantine": null,
+ "steadyStateFirstAchievedTime": "2019-11-08T15:48:05.7360238Z",
+ "steadyStateLastAchievedTime": "2019-11-20T16:17:24.7957721Z",
+ "troubleshootingUrl": "",
+ "lastExecution": {
+ "activityIdentifier": "2dea06a7-2960-420d-931e-f6c807ebda24",
+ "countEntitled": 0,
+ "countEntitledForProvisioning": 0,
+ "countEscrowed": 15,
+ "countEscrowedRaw": 15,
+ "countExported": 0,
+ "countExports": 0,
+ "countImported": 0,
+ "countImportedDeltas": 0,
+ "countImportedReferenceDeltas": 0,
+ "state": "Succeeded",
+ "error": null,
+ "timeBegan": "2019-11-20T16:15:21.116098Z",
+ "timeEnded": "2019-11-20T16:17:24.7488681Z"
+ },
+ "lastSuccessfulExecution": {
+ "activityIdentifier": null,
+ "countEntitled": 0,
+ "countEntitledForProvisioning": 0,
+ "countEscrowed": 0,
+ "countEscrowedRaw": 0,
+ "countExported": 5,
+ "countExports": 0,
+ "countImported": 0,
+ "countImportedDeltas": 0,
+ "countImportedReferenceDeltas": 0,
+ "state": "Succeeded",
+ "error": null,
+ "timeBegan": "0001-01-01T00:00:00Z",
+ "timeEnded": "2019-11-20T14:09:46.8855027Z"
+ },
+ "progress": [],
+ "synchronizedEntryCountByType": [
+ {
+ "key": "group to Group",
+ "value": 33
+ },
+ {
+ "key": "user to User",
+ "value": 3
+ }
+ ]
+ },
+ "synchronizationJobSettings": [
+ {
+ "name": "Domain",
+ "value": "{\"DomainFQDN\":\"contoso.com\",\"DomainNetBios\":\"CONTOSO\",\"ForestFQDN\":\"contoso.com\",\"ForestNetBios\":\"CONTOSO\"}"
+ },
+ {
+ "name": "DomainFQDN",
+ "value": "contoso.com"
+ },
+ {
+ "name": "DomainNetBios",
+ "value": "CONTOSO"
+ },
+ {
+ "name": "ForestFQDN",
+ "value": "contoso.com"
+ },
+ {
+ "name": "ForestNetBios",
+ "value": "CONTOSO"
+ },
+ {
+ "name": "QuarantineTooManyDeletesThreshold",
+ "value": "500"
+ }
+ ]
+ }
+ ```
+1. Now run the query `https://graph.microsoft.com/beta/serviceprincipals/{Service Principal Id}/synchronization/jobs/{AD2AAD Provisioning id}/schema`.
+
+ Example: https://graph.microsoft.com/beta/serviceprincipals/653c0018-51f4-4736-a3a3-94da5dcb6862/synchronization/jobs/AD2AADProvisioning.e9287a7367e444c88dc67a531c36d8ec/schema
+
+ Replace `{Service Principal Id}` and `{AD2ADD Provisioning Id}` with your values.
+
+1. This query returns the schema.
+
+ ![Returned schema](media/concept-attributes/schema-1.png)
+
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
\ No newline at end of file
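Review bot: The placeholders in the schema walkthrough are inconsistent and one is misspelled: step 6 uses `{Service Principal id}`, step 8 uses `{Service Principal Id}`, and the replacement instruction says `{AD2ADD Provisioning Id}` where the job id prefix shown in the sample is `AD2AADProvisioning`; pick one spelling and casing for each placeholder. The worked example URL in step 8 (service principal 653c0018-... and job AD2AADProvisioning.e9287a73...) also does not match the sample output in steps 5 and 6 (00d41b14-... and AD2AADProvisioning.fd1c9b9e...), so a reader following along will not be able to reconcile the two; reuse one set of sample ids throughout. Smaller points: the new file carries `ms.date: 02/18/2019` although it is being added in January 2021; the lines shown as `++` are stray `+` characters in the markdown and will render as literal plus signs; the mapping table has `ProxyAdress`/`ProxyAddress` where the AD and Azure AD attribute names are `proxyAddresses`, `userprincipalName` should be `userPrincipalName`, and the `cn` row is missing its trailing pipe; the two code fences have no `json` tag; the `$filter` uses `Displayname` while the response uses `displayName`. Finally, the procedure is read-only (it only views the schema) yet asks the reader to sign in as a global administrator and consent `Directory.ReadWrite.All`; either explain why write scope is required for the synchronization endpoints or document the least-privileged permission that works.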
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/concept-how-it-works https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/concept-how-it-works.md new file mode 100644
@@ -0,0 +1,92 @@
+---
+title: 'Azure AD Connect cloud sync deep dive - how it works'
+description: This topic provides deep dive information on how cloud sync works.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 12/05/2019
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# Cloud sync deep dive - how it works
+
+## Overview of components
+
+![How it works](media/concept-how-it-works/how-1.png)
+
+Cloud sync is built on top of the Azure AD services and has 2 key components:
+
+- **Provisioning agent**: The Azure AD Connect cloud provisioning agent is the same agent as Workday inbound and built on the same server-side technology as app proxy and Pass Through Authentication. It requires and outbound connection only and agents are auto-updated.
+- **Provisioning service**: Same provisioning service as outbound provisioning and Workday inbound provisioning which uses a scheduler-based model. In case of cloud sync, the changes are provisioned every 2 mins.
++
+## Initial setup
+During initial setup, the a few things are done that makes cloud sync happen. These are:
+
+- **During agent installation**: You configure the agent for the AD domains you want to provision from. This configuration registers the domains in the hybrid identity service and establishes an outbound connection to the service bus listening for requests.
+- **When you enable provisioning**: You select the AD domain and enable provisioning which runs every 2 mins. Optionally you may deselect password hash sync and define notification email. You can also manage attribute transformation using Microsoft Graph APIs.
++
+## Agent installation
+The following is a walk-through of what occurs when the cloud provisioning agent is installed.
+
+- First, the Installer installs the Agent binaries and the Agent Service running under the Virtual Service Account (NETWORK SERVICE\AADProvisioningAgent). A virtual service account is a special type of account that does not have a password and is managed by Windows.
+- The Installer then starts the Wizard.
+- The Wizard will prompt for Azure AD credentials, will then authenticate, and retrieve a token.
+- The wizard then asks for the current machine Domain Administrators credentials.
+- Using these credentials, the agent general managed service account (GMSA) for this domain is either created or located and reused if it already exists.
+- The agent service is now reconfigured to run under the GMSA.
+- The wizard now asks for domain configuration along with the Enterprise Admin (EA)/Domain Admin(DA) Account for each domain you want the agent to service.
+- The GMSA account is then updated with permissions that enable it access to each domain entered above.
+- Next, the wizard triggers agent registration
+- The agent creates a certificate and using the Azure AD token, registers itself and the certificate with the Hybrid Identity Service(HIS) Registration Service
+- The Wizard triggers an AgentResourceGrouping call. This call to HIS Admin Service is to assign the agent to one or more AD Domains in the HIS configuration.
+- The wizard now restarts the agent service.
+- The agent calls a Bootstrap Service on restart (and every 10 mins afterwards) to check for configuration updates. The bootstrap service validates the agent identity. It also updates the last bootstrap time. This is important because if agents don't bootstrap, they are not getting updated Service Bus endpoints and may not be able to receive requests.
++
+## What is System for Cross-domain Identity Management (SCIM)?
+
+The [SCIM specification](https://tools.ietf.org/html/draft-scim-core-schema-01) is a standard that is used to automate the exchanging of user or group identity information between identity domains such as Azure AD. SCIM is becoming the de facto standard for provisioning and, when used in conjunction with federation standards like SAML or OpenID Connect, provides administrators an end-to-end standards-based solution for access management.
+
+The Azure AD Connect cloud provisioning agent uses SCIM with Azure AD to provision and deprovision users and groups.
+
+## Synchronization flow
+![provisioning](media/concept-how-it-works/provisioning-4.png)
+Once you have installed the agent and enabled provisioning, the following flow occurs.
+
+1. Once configured, the Azure AD Provisioning service calls the Azure AD hybrid service to add a request to the Service bus. The agent constantly maintains an outbound connection to the Service Bus listening for requests and picks up the System for Cross-domain Identity Management (SCIM) request immediately.
+2. The agent breaks up the request into separate queries based on object type.
+3. AD returns the result to the agent and the agent filters this data before sending it to Azure AD.
+4. Agent returns the SCIM response to Azure AD. These responses are based on the filtering that happened within the agent. The agent uses scoping to filter the results.
+5. The provisioning service writes the changes to Azure AD.
+6. If this is a delta Sync as opposed to a full sync, then cookie/watermark is used. New queries will get changes from that cookie/watermark onwards.
+
+## Supported scenarios:
+The following scenarios are supported for cloud sync.
++
+- **Existing hybrid customer with a new forest**: Azure AD Connect sync is used for primary forests. Cloud sync is used for provisioning from an AD forest (including disconnected). For more information see the tutorial [here](tutorial-existing-forest.md).
+
+ ![Existing hybrid](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
+- **New hybrid customer**: Azure AD Connect sync is not used. Cloud sync is used for provisioning from an AD forest. For more information see the tutorial [here](tutorial-single-forest.md).
+
+ ![New customers](media/tutorial-single-forest/diagram-2.png)
+
+- **Existing hybrid customer**: Azure AD Connect sync is used for primary forests. Cloud sync is piloted for a small set of users in the primary forests [here](tutorial-existing-forest.md).
+
+ ![Existing pilot](media/tutorial-migrate-aadc-aadccp/diagram-2.png)
+
+For more information, see [Supported topologies](plan-cloud-sync-topologies.md).
+++
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
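Review bot: In the agent installation walkthrough, "general managed service account (GMSA)" should be "group Managed Service Account (gMSA)", which is the Windows feature being described. The same list says the wizard collects "the Enterprise Admin (EA)/Domain Admin(DA) Account for each domain" and that the gMSA "is then updated with permissions", but never states what those highly privileged credentials are used for or whether the agent persists them; readers asked to type EA/DA credentials into a wizard need that stated explicitly. Wording: "It requires and outbound connection only" should read "It requires only an outbound connection"; "During initial setup, the a few things are done that makes cloud sync happen" needs rewriting; several bullets lack terminal periods; the heading "## Supported scenarios:" should drop the colon; "(including disconnected)" is incomplete (disconnected forest). The lines rendered as `++`/`+++` are stray plus signs in the file. The SCIM link points at draft-scim-core-schema-01; the published SCIM 2.0 specifications are RFC 7643 (core schema) and RFC 7644 (protocol) and should be linked instead. In the synchronization flow, step 3 says "AD returns the result to the agent" but no step describes the agent issuing the queries to AD; add that between steps 2 and 3.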
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-accidental-deletes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-accidental-deletes.md new file mode 100644
@@ -0,0 +1,47 @@
+---
+title: 'Azure AD Connect cloud sync accidental deletes'
+description: This topic describes how to use the accidental delete feature to prevent deletions.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 10/19/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# Accidental delete prevention
+
+The following document describes the accidental deletion feature for Azure AD Connect cloud sync. The accidental delete feature is designed to protect you from accidental configuration changes and changes to your on-premises directory that would affect many users and groups. This feature allows you to:
+
+- configure the ability to prevent accidental deletes automatically.
+- Set the # of objects (threshold) beyond which the configuration will take effect
+- setup a notification email address so they can get an email notification once the sync job in question is put in quarantine for this scenario
+
+To use this feature, you set the threshold for the number of objects that, if deleted, synchronization should stop. So if this number is reached, the synchronization will stop and a notification will be sent to the email that is specified. This allows you to investigate what is going on.
++
+## Configure accidental delete prevention
+To use the new feature, follow the steps below.
++
+1. In the Azure portal, select **Azure Active Directory**.
+2. Select **Azure AD Connect**.
+3. Select **Manage cloud sync**.
+4. Under **Configuration**, select your configuration.
+5. Under **Settings** fill in the following:
+ - **Notification email** - email used for notifications
+ - **Prevent accidental deletions** - check this box to enable the feature
+ - **Accidental deletion threshold** - enter a number of objects to trigger synchronization stop and notification
+
+![Accidental deletes](media/how-to-accidental-deletes/accident-1.png)
+
+## Next steps
+
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+- [How to install Azure AD Connect cloud sync](how-to-install.md)
+
+
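Review bot: The procedure ends at setting the threshold and never says what happens when it is hit beyond the intro's mention of quarantine: readers need a step describing how to review the pending deletions and how to resume synchronization once the job is quarantined, and the article should state the default threshold that applies when the box is left at its initial value. The feature bullets mix capitalization and voice ("configure the ability...", "Set the # of objects...", "setup a notification email address so they can get...") where "they" has no antecedent; the sentence "you set the threshold for the number of objects that, if deleted, synchronization should stop" should read "you set a threshold for the number of deletions; if a sync run would delete more objects than that, synchronization stops". The lines rendered as `++` are stray plus signs in the markdown, and the file ends with two empty lines.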
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-attribute-mapping https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-attribute-mapping.md new file mode 100644
@@ -0,0 +1,102 @@
+---
+title: 'Azure AD Connect cloud sync attribute editor'
+description: This article describes how to use the attribute editor.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: how-to
+ms.date: 09/22/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# Azure AD Connect cloud sync attribute mapping
+
+Azure AD Connect cloud sync has introduced a new feature, that will allow you easily map attributes between your on-premises user/group objects and the objects in Azure AD. This feature has been added to the cloud sync configuration.
+
+You can customize the default attribute-mappings according to your business needs. So, you can change or delete existing attribute-mappings, or create new attribute-mappings. For a list of attributes that are synchronized see [attributes that are synchronized](../hybrid/reference-connect-sync-attributes-synchronized.md?context=azure%2factive-directory%2fcloud-provisioning%2fcontext%2fcp-context/hybrid/reference-connect-sync-attributes-synchronized.md).
+
+## Understanding attribute-mapping types
+With attribute-mappings, you control how attributes are populated in Azure AD.
+There are four different mapping types supported:
+
+- **Direct** ΓÇô the target attribute is populated with the value of an attribute of the linked object in AD.
+- **Constant** ΓÇô the target attribute is populated with a specific string you specified.
+- **Expression** - the target attribute is populated based on the result of a script-like expression.
+ For more information, see [Writing Expressions for Attribute-Mappings](reference-expressions.md).
+- **None** - the target attribute is left unmodified. However, if the target attribute is ever empty, it's populated with the Default value that you specify.
+
+Along with these four basic types, custom attribute-mappings support the concept of an optional **default** value assignment. The default value assignment ensures that a target attribute is populated with a value if there's not a value in Azure AD or on the target object. The most common configuration is to leave this blank.
+
+## Understanding attribute-mapping properties
+
+In the previous section, you were already introduced to the attribute-mapping type property.
+Along with this property, attribute-mappings also support the following attributes:
+
+- **Source attribute** - The user attribute from the source system (example: Active Directory).
+- **Target attribute** ΓÇô The user attribute in the target system (example: Azure Active Directory).
+- **Default value if null (optional)** - The value that will be passed to the target system if the source attribute is null. This value will only be provisioned when a user is created. The "default value when null" will not be provisioned when updating an existing user.
+- **Apply this mapping**
+ - **Always** ΓÇô Apply this mapping on both user creation and update actions.
+ - **Only during creation** - Apply this mapping only on user creation actions.
+
+> [!NOTE]
+> This document describes how to use the Azure portal to map attributes. For information on using Graph see [Transformations](how-to-transformation.md)
+
+## Using attribute mapping
+
+To use the new feature, follow the steps below.
+
+1. In the Azure portal, select **Azure Active Directory**.
+2. Select **Azure AD Connect**.
+3. Select **Manage cloud sync**.
+
+ ![Manage provisioning](media/how-to-install/install-6.png)
+
+4. Under **Configuration**, select your configuration.
+5. Select **Click to edit mappings**. This will open the attribute mapping screen.
+
+ ![Adding attributes](media/how-to-attribute-mapping/mapping-6.png)
+
+6. Click **Add Attribute**.
+
+ ![Mapping type](media/how-to-attribute-mapping/mapping-1.png)
+
+7. Select the **Mapping type**. In this example we use Expression.
+8. Enter the expression in the box. For this example we are using: `Replace([mail], "@contoso.com", , ,"", ,).`
+9. Enter the target attribute. In this example we use ExtensionAttribute15.
+10. Select when to apply this and then click **Apply**
+
+ ![Edit mappings](media/how-to-attribute-mapping/mapping-2a.png)
+
+11. Back on the attribute mapping screen you should see your new attribute mapping.
+12. Click **Save Schema**.
+
+ ![Save Schema](media/how-to-attribute-mapping/mapping-3.png)
+
+## Test your attribute mapping
+
+To test your attribute mapping, you can use [on-demand provisioning](how-to-on-demand-provision.md). From the
+
+1. In the Azure portal, select **Azure Active Directory**.
+2. Select **Azure AD Connect**.
+3. Select **Manage provisioning**.
+4. Under **Configuration**, select your configuration.
+5. Under **Validate** click the **Provision a user** button.
+6. On the on-demand provisioning screen. Enter the **distinguished name** of a user or group and click the **Provision** button.
+7. Once it completes, you should see a success screen and 4 green check boxes indicating it was successfully provisioned.
+
+ ![Success for provisioning](media/how-to-attribute-mapping/mapping-4.png)
+
+8. Under **Perform Action** click **View details**. On the right, you should see the new attribute synchronized and the expression applied.
+
+ ![Perform action](media/how-to-attribute-mapping/mapping-5.png)
+
+## Next Steps
+
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+- [Writing Expressions for Attribute-Mappings](reference-expressions.md)
+- [Attributes that are synchronized](../hybrid/reference-connect-sync-attributes-synchronized.md?context=azure%2factive-directory%2fcloud-provisioning%2fcontext%2fcp-context/hybrid/reference-connect-sync-attributes-synchronized.md)
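Review bot: the sentence "From the" under "## Test your attribute mapping" is cut off mid-sentence; finish it or delete it. The "ΓÇô" in the Direct, Constant, Target attribute and Always bullets is a mis-encoded en dash and should be a plain hyphen like the neighbouring bullets. In step 8 the trailing period sits inside the code span, `Replace([mail], "@contoso.com", , ,"", ,).`, so readers will copy it as part of the expression; move it outside the backticks. Minor: "a new feature, that will allow you easily map attributes" in the opening paragraph should read "a new feature that allows you to easily map attributes".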
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-automatic-upgrade https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-automatic-upgrade.md new file mode 100644
@@ -0,0 +1,49 @@
+---
+title: 'Azure AD Connect cloud provisioning agent: Automatic upgrade | Microsoft Docs'
+description: This article describes the built-in automatic upgrade feature in the Azure AD Connect cloud provisioning agent.
+services: active-directory
+documentationcenter: ''
+author: billmath
+manager: daveba
+editor: ''
+ms.service: active-directory
+ms.devlang: na
+ms.topic: how-to
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.date: 12/02/2019
+ms.subservice: hybrid
+ms.author: billmath
+
+ms.collection: M365-identity-device-management
+---
+# Azure AD Connect cloud provisioning agent: Automatic upgrade
+
+Making sure your Azure Active Directory (Azure AD) Connect cloud provisioning agent installation is always up to date is easy with the automatic upgrade feature.
+
+The agent is installed here: "Program files\Azure AD Connect Provisioning Agent\AADConnectProvisioningAgent.exe"
+
+To verify your version, right-click the executable and select properties and then details.
+
+![Agent file version](media/how-to-automatic-upgrade/agent-1.png)
+
+The agent updater is installed here: "Program files\Azure AD Connect Provisioning Agent Updater\AzureADConnectAgentUpdater.exe"
+
+To verify your version, right-click the executable and select properties and then details.
+
+![Agent updater version](media/how-to-automatic-upgrade/agent-2.png)
+
+## Uninstall the agent
+To remove the agent, go to **Uninstall or change a program** and uninstall the following:
+
+- **Microsoft Azure AD Connect Agent Updater**
+- **Microsoft Azure AD Connect Provisioning Agent**
+- **Microsoft Azure AD Connect Provisioning Agent Package**
+
+![Agent removal](media/how-to-automatic-upgrade/agent-3.png)
+
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+
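Review bot: the article is titled "Automatic upgrade" but never says how the upgrade actually happens, which component performs it (the updater at "Program files\Azure AD Connect Provisioning Agent Updater\AzureADConnectAgentUpdater.exe" is listed but its role is not explained), whether it can be disabled, or how to confirm it is running; the body only shows how to read two file versions and how to uninstall. Add a short section covering that, and put the two install paths in code formatting with the drive letter instead of straight quotes.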
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-configure.md new file mode 100644
@@ -0,0 +1,105 @@
+---
+title: 'Azure AD Connect cloud sync new agent configuration'
+description: This article describes how to install cloud sync.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: how-to
+ms.date: 02/26/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# Create a new configuration for Azure AD Connect cloud sync
+
+After you've installed the Azure AD Connect provisioning agent, you need to sign in to the Azure portal and configure it. Follow these steps to enable the agent.
+
+## Configure provisioning
+To configure provisioning, follow these steps.
+
+ 1. In the Azure portal, select **Azure Active Directory**
+ 2. Select **Azure AD Connect**.
+ 3. Select **Manage cloud sync**.
+
+ ![Manage provisioning](media/how-to-install/install-6.png)
+
+ 4. Select **New configuration**.
+ 5. On the configuration screen, select your domain and whether to enable password hash sync. Click **Create**.
+
+ ![Create new configuration](media/how-to-configure/configure-1.png)
++
+ 6. The Edit provisioning configuration screen will open.
+
+ ![Edit configuration](media/how-to-configure/con-1.png)
+
+ 7. Enter a **Notification email**. This email will be notified when provisioning isn't healthy. It is recommended that you keep **Prevent accidental deletion** enabled and set the **Accidental deletion threshold** to a number that you wish to be notified about. For more information see [accidental deletes](#accidental-deletions) below.
+ 8. Move the selector to Enable, and select Save.
+
+## Scope provisioning to specific users and groups
+You can scope the agent to synchronize specific users and groups by using on-premises Active Directory groups or organizational units. You can't configure groups and organizational units within a configuration.
+
+ 1. In the Azure portal, select **Azure Active Directory**.
+ 2. Select **Azure AD Connect**.
+ 3. Select **Manage cloud sync**.
+ 4. Under **Configuration**, select your configuration.
+
+ ![Configuration section](media/how-to-configure/scope-1.png)
+
+ 5. Under **Configure**, select **Edit scoping filters** to change the scope of the configuration rule.
+ ![Edit scope](media/how-to-configure/scope-3.png)
+ 7. On the right, you can change the scope. Click **Done** and **Save** when you have finished.
+ 8. Once you have changed the scope, you should [restart provisioning](#restart-provisioning) to initiate an immediate synchronization of the changes.
+
+## Attribute mapping
+Azure AD Connect cloud sync allows you to easily map attributes between your on-premises user/group objects and the objects in Azure AD. You can customize the default attribute-mappings according to your business needs. So, you can change or delete existing attribute-mappings, or create new attribute-mappings. For more information see [attribute mapping](how-to-attribute-mapping.md).
+
+## On-demand provisioning
+Azure AD Connect cloud sync allows you to test configuration changes, by applying these changes to a single user or group. You can use this to validate and verify that the changes made to the configuration were applied properly and are being correctly synchronized to Azure AD. For more information see [on-demand provisioning](how-to-on-demand-provision.md).
+
+## Accidental deletions
+The accidental delete feature is designed to protect you from accidental configuration changes and changes to your on-premises directory that would affect many users and groups. This feature allows you to:
+
+- configure the ability to prevent accidental deletes automatically.
+- Set the # of objects (threshold) beyond which the configuration will take effect
+- setup a notification email address so they can get an email notification once the sync job in question is put in quarantine for this scenario
+
+For more information see [Accidental deletes](how-to-accidental-deletes.md)
+
+## Quarantines
+Cloud sync monitors the health of your configuration and places unhealthy objects in a quarantine state. If most or all of the calls made against the target system consistently fail because of an error, for example, invalid admin credentials, the sync job is marked as in quarantine. For more information see the troubleshooting section on [quarantines](how-to-troubleshoot.md#provisioning-quarantined-problems).
+
+## Restart provisioning
+If you don't want to wait for the next scheduled run, trigger the provisioning run by using the **Restart provisioning** button.
+ 1. In the Azure portal, select **Azure Active Directory**.
+ 2. Select **Azure AD Connect**.
+ 3. Select **Manage cloud sync**.
+ 4. Under **Configuration**, select your configuration.
+
+ ![Configuration selection to restart provisioning](media/how-to-configure/scope-1.png)
+
+ 5. At the top, select **Restart provisioning**.
+
+## Remove a configuration
+To delete a configuration, follow these steps.
+
+ 1. In the Azure portal, select **Azure Active Directory**.
+ 2. Select **Azure AD Connect**.
+ 3. Select **Manage cloud sync**.
+ 4. Under **Configuration**, select your configuration.
+
+ ![Configuration selection to remove configuration](media/how-to-configure/scope-1.png)
+
+ 5. At the top of the configuration screen, select **Delete**.
+
+>[!IMPORTANT]
+>There's no confirmation prior to deleting a configuration. Make sure this is the action you want to take before you select **Delete**.
++
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
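Review bot: in "## Scope provisioning to specific users and groups" the second sentence, "You can't configure groups and organizational units within a configuration.", contradicts the first, which says scoping is done with exactly those; if the restriction is that one configuration cannot use both groups and organizational units at the same time, say so explicitly. The numbered list in that section jumps from step 5 to step 7. Step 7 of "## Configure provisioning" calls the setting "Prevent accidental deletion" while the accidental deletes article in this same commit calls it "Prevent accidental deletions"; use one label. The lines containing only a bare "+" after the "Create new configuration" image and before "## Next steps" will render as literal plus signs and should be removed.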
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-gmsa-cmdlets https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-gmsa-cmdlets.md new file mode 100644
@@ -0,0 +1,96 @@
+---
+title: 'Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets'
+description: Learn how to use the Azure AD Connect cloud provisioning agent gMSA powershell cmdlets.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: how-to
+ms.date: 11/16/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets
+
+The purpose of this document is to describe the Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets. These cmdlets allow you to have more granularity on the permissions that are applied on the service account (gmsa). By default, Azure AD Connect cloud sync applies all permissions similar to Azure AD Connect on the default gmsa or a custom gmsa.
+
+This document will cover the following cmdlets:ΓÇ»
+
+`Set-AADCloudSyncRestrictedPermissions`
+
+`Ste-AADCloudSyncPermissions`
+
+## How to use the cmdlets:ΓÇ»
+
+The following prerequisites are required to use these cmdlets.
+
+1. Install provisioning agent.
+2. Import Provisioning Agent PS module into a PowerShell session.
+
+ ```PowerShell
+ Import-Module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll" 
+ ```
+3. Remove existing permissions. To remove all existing permissions on the service account, except SELF use: `Set-AADCloudSyncRestrictedPermission`.
+
+ This cmdlet requires a parameter called `Credential` which can be passed, or it will prompt if called without it.
+
+ To create a variable use
+
+ `$credential = Get-Credential`
+
+ This will prompt the user to enter username and password. The credentials must be at a minimum domain administrator(of the domain where agent is installed), could be enterprise admin as well.
+
+4. Then you can call the cmdlet to remove extra permissions:
+ ```PowerShell
+ Set-AADCloudSyncRestrictedPermissions -Credential $credential
+ ```
+5. Or you could simply call
+
+ `Set-AADCloudSyncRestrictedPermissions` which will prompt for credentials.
+
+ 6. Add specific permission type. Permissions added are same as Azure AD Connect. See [Using Set-AADCloudSyncPermissions](#using-set-aadcloudsyncpermissions) below for examples on setting the permissions.
+
+## Using Set-AADCloudSyncPermissions
+`Set-AADCloudSyncPermissions` supports the following permission types which are identical to the permissions used by Azure AD Connect. The following permission types are supported:
+
+|Permission type|Description|
+|-----|-----|
+|BasicRead| See [BasicRead](../../active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md#configure-basic-read-only-permissions) permissions for Azure AD Connect|
+|PasswordHashSync|See [PasswordHashSync](../../active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-password-hash-synchronization) permissions for Azure AD Connect|
+|PasswordWriteBack|See [PasswordWriteBack](../../active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-password-writeback) permissions for Azure AD Connect|
+|HybridExchangePermissions|See [HybridExchangePermissions](../../active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-exchange-hybrid-deployment) permissions for Azure AD Connect|
+|ExchangeMailPublicFolderPermissions| See [ExchangeMailPublicFolderPermissions](../../active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-exchange-mail-public-folders-preview) permissions for Azure AD Connect|
+|CloudHR| Applies 'Full control' on 'Descendant User objects' and 'Create/delete User objects' on 'This object and all descendant objects'|
+|All|adds all the above permissions.|
+++
+You can use AADCloudSyncPermissions in one of two ways:
+- [Grant a certain permission to all configured domains](#grant-a-certain-permission-to-all-configured-domains)
+- [Grant a certain permission to a specific domain](#grant-a-certain-permission-to-a-specific-domain)
+## Grant a certain permission to all configured domains
+Granting certain permissions to all configured domains will require the use of an enterprise admin account.
++
+ ```PowerShell
+Set-AADCloudSyncPermissions -PermissionType ΓÇ£Any mentioned aboveΓÇ¥ -EACredential $credential (prepopulated same as above [$credential = Get-Credential])
+```
+
+## Grant a certain permission to a specific domain
+Granting certain permissions to a specific domain will require the use of, at minimum a domain admin account of the domain you are attempting to add.
++
+ ```PowerShell
+Set-AADCloidSyncPermissions -PermissionType ΓÇ£Any mentioned aboveΓÇ¥ -TargetDomain ΓÇ£FQDN of domainΓÇ¥ (has to be already configured through wizard) -TargetDomaincredential $credential(same as above)
+```
+
+
+Note: for 1. The credentials must be at a minimum Enterprise admin.
+
+For 2. The Credentials can be either Domain admin or enterprise admin.
+
+ΓÇ»
+
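Review bot: the cmdlet names are spelled three different ways and two of them are typos a reader will copy into a shell: "Ste-AADCloudSyncPermissions" in the list of covered cmdlets, "Set-AADCloudSyncRestrictedPermission" (singular) in step 3 versus "Set-AADCloudSyncRestrictedPermissions" in step 4, and "Set-AADCloidSyncPermissions" in the specific-domain example; normalise to `Set-AADCloudSyncRestrictedPermissions` and `Set-AADCloudSyncPermissions`. The two PowerShell fences in the "Grant a certain permission" sections mix commentary into the command line ("(prepopulated same as above [$credential = Get-Credential])", "(has to be already configured through wizard)"), so they cannot be pasted as written; move that text into prose and use plain placeholders for the permission type and domain FQDN. The closing "Note: for 1. ... For 2." refers to numbered items that do not exist, since the two ways are a bulleted list, and repeats what each section already states about required credentials; drop it or fold it into the bullets. The mojibake "ΓÇ£", "ΓÇ¥" and "ΓÇ»" should be replaced with ASCII quotes and spaces, and the lines containing only bare "+" characters after the permission table and before each fence should be removed.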
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-inbound-synch-ms-graph https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-inbound-synch-ms-graph.md new file mode 100644
@@ -0,0 +1,257 @@
+---
+title: 'Inbound synchronization for cloud sync using MS Graph API'
+description: This topic describes how to enable inbound synchronization using just the Graph API
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 12/04/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+# Inbound synchronization for cloud sync using MS Graph API
+
+The following document describes how to replicate a synchronization profile from scratch using only MSGraph APIs.
+The structure of how to do this consists of the following steps. They are:
+
+- [Basic setup](#basic-setup)
+- [Create Service Principals](#create-service-principals)
+- [Create Sync Job](#create-sync-job)
+- [Update targeted domain](#update-targeted-domain)
+- [Enable sync password hashes](#enable-sync-password-hashes-on-configuration-blade)
+- [Start sync job](#start-sync-job)
+- [Review status](#review-status)
+
+Use these [Microsoft Azure Active Directory Module for Windows PowerShell](https://docs.microsoft.com/powershell/module/msonline/) commands to enable synchronization for a production tenant, a pre-requisite for being able to call the Administration Web Service for that tenant.
+
+## Basic setup
+
+### Enable tenant flags
+
+ ```PowerShell
+ Connect-MsolService ('-AzureEnvironment <AzureEnvironmnet>')
+ Set-MsolDirSyncEnabled -EnableDirSync $true
+ ```
+The first of those two commands, require Azure Active Directory credentials. These commandlets implicitly identify the tenant and enable it for synchronization.
+
+## Create service principals
+Next, we need to create the [AD2AAD application/ service principal](/graph/api/applicationtemplate-instantiate?view=graph-rest-beta&tabs=http)
+
+You need to use this application ID 1a4721b3-e57f-4451-ae87-ef078703ec94. The displayName is the AD domain url, if used in the portal (for example, contoso.com), but it may be named something else.
+
+ ```
+ POST https://graph.microsoft.com/beta/applicationTemplates/1a4721b3-e57f-4451-ae87-ef078703ec94/instantiate
+ Content-type: application/json
+ {
+ displayName: [your app name here]
+ }
+ ```
++
+## Create sync job
+The output of the above command will return the objectId of the service principal that was created. For this example, the objectId is 614ac0e9-a59b-481f-bd8f-79a73d167e1c. Use Microsoft Graph to add a synchronizationJob to that service principal.
+
+Documentation for creating a sync job can be found [here](https://docs.microsoft.com/graph/api/synchronization-synchronizationjob-post?view=graph-rest-beta&tabs=http).
+
+If you did not record the ID above, you can find the service principal by running the following MS Graph call. You'll need Directory.Read.All permissions to make that call:
+
+ `GET https://graph.microsoft.com/beta/servicePrincipals `
+
+Then look for your app name in the output.
+
+Run the following two commands to create two jobs: one for user/group provisioning, and one for password hash syncing. It's the same request twice but with different template IDs.
++
+Call the following two requests:
+
+ ```
+ POST https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs
+ Content-type: application/json
+ {
+ "templateId":"AD2AADProvisioning"
+ }
+ ```
+
+ ```
+ POST https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs
+ Content-type: application/json
+ {
+ "templateId":"AD2AADPasswordHash"
+ }
+ ```
+
+You will need two calls if you want to create both.
+
+Example return value (for provisioning):
+
+ ```
+HTTP 201/Created
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals('614ac0e9-a59b-481f-bd8f-79a73d167e1c')/synchronization/jobs/$entity",
+ "id": "AD2AADProvisioning.fc96887f36da47508c935c28a0c0b6da",
+ "templateId": "ADDCInPassthrough",
+ "schedule": {
+ "expiration": null,
+ "interval": "PT40M",
+ "state": "Disabled"
+ },
+ "status": {
+ "countSuccessiveCompleteFailures": 0,
+ "escrowsPruned": false,
+ "code": "Paused",
+ "lastExecution": null,
+ "lastSuccessfulExecution": null,
+ "lastSuccessfulExecutionWithExports": null,
+ "quarantine": null,
+ "steadyStateFirstAchievedTime": "0001-01-01T00:00:00Z",
+ "steadyStateLastAchievedTime": "0001-01-01T00:00:00Z",
+ "troubleshootingUrl": null,
+ "progress": [],
+ "synchronizedEntryCountByType": []
+ }
+}
+```
+
+## Update targeted domain
+For this tenant, the object identifier and application identifier of the service principal are as follows:
+
+ObjectId: 8895955e-2e6c-4d79-8943-4d72ca36878f
+AppId: 00000014-0000-0000-c000-000000000000
+DisplayName: testApp
+
+We're going to need to update the domain this configuration is targeting, so update the secrets for this domain.
+
+Make sure the domain name you use is the same url you set for your on-prem domain controller
+
+ ```
+ PUT ΓÇô https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/secrets
+ ```
+ Add the following Key/value pair in the below value array based on what youΓÇÖre trying to do:
+ - Enable both PHS and sync tenant flags
+{ key: "AppKey", value: "{"appKeyScenario":"AD2AADPasswordHash"}" }
+
+ - Enable only sync tenant flag (do not turn on PHS)
+{ key: "AppKey", value: "{"appKeyScenario":"AD2AADProvisioning"}" }
+ ```
+ Request body ΓÇô
+ {
+ "value": [
+ {
+ "key": "Domain",
+ "value": "{\"domain\":\"ad2aadTest.com\"}"
+ }
+ ]
+ }
+```
+
+The expected response is …
+HTTP 204/No content
+
+Here, the highlighted "Domain" value is the name of the on-premises Active Directory domain from which entries are to be provisioned to Azure Active Directory.
+
+## Enable Sync password hashes on configuration blade
+
+ This section will cover enabling syncing password hashes for a particular configuration. This is different than the AppKey secret that enables the tenant-level feature flag - this is only for a single domain/config. You will need to set the application key to the PHS one for this to work end to end.
+
+1. Grab the schema (warning this is pretty large)
+ ```
+ GET ΓÇôhttps://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs/ [AD2AADProvisioningJobId]/schema
+ ```
+2. Take this CredentialData attribute mapping:
+ ```
+ {
+ "defaultValue": null,
+ "exportMissingReferences": false,
+ "flowBehavior": "FlowWhenChanged",
+ "flowType": "Always",
+ "matchingPriority": 0,
+ "targetAttributeName": "CredentialData",
+ "source": {
+ "expression": "[PasswordHash]",
+ "name": "PasswordHash",
+ "type": "Attribute",
+ "parameters": []
+ }
+ ```
+3. Find the following object mappings with the following names in the schema
+ - Provision Active Directory Users
+ - Provision Active Directory inetOrgPersons
+
+ Object mappings are within the schema.synchronizationRules[0].objectMappings (For now you can assume thereΓÇÖs only 1 Synchronization Rule)
+
+4. Take the CredentialData Mapping from Step (2) and insert it into the object mappings in Step (3)
+
+ Your object mapping looks something like this:
+ ```
+ {
+ "enabled": true,
+ "flowTypes": "Add,Update,Delete",
+ "name": "Provision Active Directory users",
+ "sourceObjectName": "user",
+ "targetObjectName": "User",
+ "attributeMappings": [
+ ...
+ }
+ ```
+ Copy/paste the mapping from the **Create AD2AADProvisioning and AD2AADPasswordHash jobs** step above into the attributeMappings array.
+
+ Order of elements in this array doesn't matter (backend will sort for you). Be careful about adding this attribute mapping if the name exists already in the array (e.g. if there's already an item in attributeMappings that has the targetAttributeName CredentialData) - you may get conflict errors, or the preexisting and new mappings may be combined together (usually not desired outcome). Backend does not dedupe for you.
+
+ Remember to do this for both Users and inetOrgpersons
+
+5. Save the schema youΓÇÖve created
+ ```
+ PUT ΓÇô
+ https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs/ [AD2AADProvisioningJobId]/schema
+```
+
+ Add the Schema in the request body.
+
+## Start sync job
+The job can be retrieved again via the following command:
+
+ `GET https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs/ `
+
+Documentation for retrieving jobs can be found [here](https://docs.microsoft.com/graph/api/synchronization-synchronizationjob-list?view=graph-rest-beta&tabs=http).
+
+To start the job, issue this request, using the objectId of the service principal created in the first step, and the job identifier returned from the request that created the job.
+
+Documentation for how to start a job can be found [here](https://docs.microsoft.com/graph/api/synchronization-synchronizationjob-start?view=graph-rest-beta&tabs=http).
+
+ ```
+ POST https://graph.microsoft.com/beta/servicePrincipals/8895955e-2e6c-4d79-8943-4d72ca36878f/synchronization/jobs/AD2AADProvisioning.fc96887f36da47508c935c28a0c0b6da/start
+ ```
+
+The expected response is …
+HTTP 204/No content.
+
+Other commands for controlling the job are documented [here](https://docs.microsoft.com/graph/api/resources/synchronization-synchronizationjob?view=graph-rest-beta).
+
+To restart a job, one would use …
+
+ ```
+ POST https://graph.microsoft.com/beta/servicePrincipals/8895955e-2e6c-4d79-8943-4d72ca36878f/synchronization/jobs/AD2AADProvisioning.fc96887f36da47508c935c28a0c0b6da/restart
+ {
+ "criteria": {
+ "resetScope": "Full"
+ }
+ }
+ ```
+
+## Review status
+Retrieve your job statuses via …
+
+ ```
+ GET https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs/
+ ```
+
+Look under the 'status' section of the return object for relevant details
+
+## Next steps
+
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+- [Transformations](how-to-transformation.md)
+- [Azure AD Synchronization API](https://docs.microsoft.com/graph/api/resources/synchronization-overview?view=graph-rest-beta)
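Review bot: under "## Update targeted domain" the two AppKey secret values are written as `{ key: "AppKey", value: "{"appKeyScenario":"AD2AADPasswordHash"}" }` with unescaped nested quotes, which is not valid JSON, and they sit outside the fenced request body, while the Domain entry a few lines later correctly escapes its inner quotes (`"value": "{\"domain\":\"ad2aadTest.com\"}"`); put both AppKey variants inside the same fenced "value" array with escaped quotes so the PUT can be copied as one request, and remove the stray fence markers that currently split the request. The example 201 response under "## Create sync job" shows `"templateId": "ADDCInPassthrough"` for a job created with templateId AD2AADProvisioning, and the service principal objectId changes from 614ac0e9-... to 8895955e-... between sections; use one consistent set of sample values. The "Copy/paste the mapping from the **Create AD2AADProvisioning and AD2AADPasswordHash jobs** step above" instruction points at a heading that does not exist; the mapping meant is the one in step 2 of the same section. Smaller fixes: "The first of those two commands, require Azure Active Directory credentials" should read "requires", the placeholder "<AzureEnvironmnet>" is misspelled, the schema URLs contain a space before "[AD2AADProvisioningJobId]", and "the highlighted "Domain" value" refers to highlighting that is not present in the rendered page.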
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-install-pshell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-install-pshell.md new file mode 100644
@@ -0,0 +1,107 @@
+---
+title: 'Install the Azure AD Connect cloud provisioning agent using powershell'
+description: Learn how to install the Azure AD Connect cloud provisioning agent using powershell cmdlets.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: how-to
+ms.date: 11/16/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
++
+# Install the Azure AD Connect provisioning agent using powershell cmdlets
+The following document will guide show you how to install the Azure AD Connect provisioning agent using PowerShell cmdlets.
+
+
+## Prerequisite:
++
+>[!IMPORTANT]
+>The following installation instructions assume that all of the [Prerequisites](how-to-prerequisites.md) have been met.
+>
+> The windows server needs to have TLS 1.2 enabled before you install the Azure AD Connect provisioning agent using powershell cmdlets. To enable TLS 1.2 you can use the steps found [here](how-to-prerequisites.md#tls-requirements).
+
+
+
+## Install the Azure AD Connect provisioning agent using powershell cmdlets
++
+ 1. Sign in to the Azure portal, and then go to **Azure Active Directory**.
+ 2. In the left menu, select **Azure AD Connect**.
+ 3. Select **Manage provisioning (preview)** > **Review all agents**.
+ 4. Download the Azure AD Connect provisioning agent from the Azure portal to a locally.
+
+ ![Download on-premises agent](media/how-to-install/install-9.png)</br>
+ 5. For purposes of these instructions, the agent was downloaded to the following folder: ΓÇ£C:\ProvisioningSetupΓÇ¥ folder.
+ 6. Install ProvisioningAgent in quiet mode
+
+ ```
+ $installerProcess = Start-Process c:\temp\AADConnectProvisioningAgent.Installer.exe /quiet -NoNewWindow -PassThru
+ $installerProcess.WaitForExit()
+ ```
+ 7. Import Provisioning Agent PS module
+
+ ```
+ Import-Module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll"
+ ```
+ 8. Connect to AzureAD using global administrator credentials, you can customize this section to fetch password from a secure store.
+
+ ```
+ $globalAdminPassword = ConvertTo-SecureString -String "Global admin password" -AsPlainText -Force
+
+ $globalAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("GlobalAdmin@contoso.onmicrosoft.com", $globalAdminPassword)
+ ```
+
+ Connect-AADCloudSyncAzureAD -Credential $globalAdminCreds
+
+ 9. Add the gMSA account, provide credentials of the domain admin to create default gMSA account
+
+ ```
+ $domainAdminPassword = ConvertTo-SecureString -String "Domain admin password" -AsPlainText -Force
+
+ $domainAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("DomainName\DomainAdminAccountName", $domainAdminPassword)
+
+ Add-AADCloudSyncGMSA -Credential $domainAdminCreds
+ ```
+ 10. Or use the above cmdlet as below to provide a pre-created gMSA account
+
+
+ ```
+ Add-AADCloudSyncGMSA -CustomGMSAName preCreatedGMSAName$
+ ```
+ 11. Add domain
+
+ ```
+ $contosoDomainAdminPassword = ConvertTo-SecureString -String "Domain admin password" -AsPlainText -Force
+
+ $contosoDomainAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("DomainName\DomainAdminAccountName", $contosoDomainAdminPassword)
+
+ Add-AADCloudSyncADDomain -DomainName contoso.com -Credential $contosoDomainAdminCreds
+ ```
+ 12. Or use the above cmdlet as below to configure preferred domain controllers
+
+ ```
+ $preferredDCs = @("PreferredDC1", "PreferredDC2", "PreferredDC3")
+
+ Add-AADCloudSyncADDomain -DomainName contoso.com -Credential $contosoDomainAdminCreds -PreferredDomainControllers $preferredDCs
+ ```
+ 13. Repeat the previous step to add more domains, please provide the account names and domain names of the respective domains
+ 14. Restart the service
+ ```
+ Restart-Service -Name AADConnectProvisioningAgent
+ ```
+ 15. Go to the azure portal to create the cloud sync configuration.
+
+## Provisioning agent gMSA PowerShell cmdlets
+Now that you have installed the agent, you can apply more granular permissions to the gMSA. See [Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets](how-to-gmsa-cmdlets.md) for information and step-by-step instructions on configuring the permissions.
+
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets](how-to-gmsa-cmdlets.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
\ No newline at end of file
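Review bot: In step 8 the `Connect-AADCloudSyncAzureAD -Credential $globalAdminCreds` call sits outside the code fence, which closes right after the `$globalAdminCreds` line, so it renders as prose rather than as part of the script; move it inside the fence. Two related problems in the same hunk: step 5 says the agent was downloaded to `C:\ProvisioningSetup` (with mojibake quotes `ΓÇ£ ... ΓÇ¥` around the path and a duplicated word "folder"), but step 6 runs `c:\temp\AADConnectProvisioningAgent.Installer.exe`, so the two paths should agree; and steps 8, 9 and 11 build credentials from string literals with `ConvertTo-SecureString -String "Global admin password" -AsPlainText -Force`, a pattern readers will copy into scripts with real global admin and domain admin passwords. Since the text already says to fetch the password from a secure store, prompting with `Get-Credential` in the sample, or at least marking the literal as a placeholder in a comment, would be the safer thing to show. Minor: the fences carry no `powershell` tag, step 14 has no blank line before its fence, step 4 reads "to a locally", and the intro reads "will guide show you".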
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-install.md new file mode 100644
@@ -0,0 +1,107 @@
+---
+title: 'Install the Azure AD Connect provisioning agent'
+description: Learn how to install the Azure AD Connect provisioning agent and how to configure it in the Azure portal.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: how-to
+ms.date: 11/16/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# Install the Azure AD Connect provisioning agent
+This document walks you through the installation process for the Azure Active Directory (Azure AD) Connect provisioning agent and how to initially configure it in the Azure portal.
+
+>[!IMPORTANT]
+>The following installation instructions assume that all of the [Prerequisites](how-to-prerequisites.md) have been met.
+
+Installing and configuring the Azure AD Connect cloud sync is accomplished in the following steps:
+
+- [Group Managed Service Accounts](#group-managed-service-accounts)
+- [Install the agent](#install-the-agent)
+- [Verify agent installation](#verify-agent-installation)
++
+## Group Managed Service Accounts
+A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management,the ability to delegate the management to other administrators, and also extends this functionality over multiple servers. Azure AD Connect Cloud Sync supports and recommends the use of a group Managed Service Account for running the agent. For more information on a gMSA, see [Group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview)
++
+### Upgrading an existing agent to use the gMSA account
+To upgrade an existing agent to use the gMSA account created during installation, simply update the agent service to the latest version by running the AADConnectProvisioningAgent.msi. This will upgrade the service to the latest version. Now run through the installation wizard again and provide the credentials to create the account when prompted.
+++
+## Install the agent
+To install the agent, follow these steps.
+
+ 1. Sign in to the server you'll use with enterprise admin permissions.
+ 2. Sign in to the Azure portal, and then go to **Azure Active Directory**.
+ 3. In the left menu, select **Azure AD Connect**.
+ 4. Select **Manage cloud sync** > **Review all agents**.
+ 5. Download the Azure AD Connect provisioning agent from the Azure portal.
+ ![Download on-premises agent](media/how-to-install/install-9.png)</br>
+ 6. Accept the terms and click download.
+ 7. Run the Azure AD Connect provisioning installer AADConnectProvisioningAgentSetup.msi.
+ 8. On the **Microsoft Azure AD Connect Provisioning Agent Package** screen, accept the licensing terms and select **Install**.
+ ![Microsoft Azure AD Connect Provisioning Agent Package screen](media/how-to-install/install-1.png)</br>
+ 9. After this operation finishes, the configuration wizard starts. Sign in with your Azure AD global administrator account.
+ 10. On the **Configure Service Account screen** select either **create gMSA** or **Use custom gMSA**. If you allow the agent to create the account it will be named provAgentgMSA$. If you specify **Use custom gMSA** you will be prompted to provide this account.
+ 11. Enter the domain admin credentials to create the group Managed Service account that will be used to run the agent service. Click **Next**.
+ ![Create gMSA](media/how-to-install/install-12.png)</br>
+ 12. On the **Connect Active Directory** screen, select **Add Directory**. Then sign in with your Active Directory administrator account. This operation adds your on-premises directory.
+ 13. Optionally, you can manage the preference of domain controllers the agent will use by selecting **Select domain controller priority** and ordering the list of domain controllers. Click **OK**.
+ ![Order domain controllers](media/how-to-install/install-2a.png)</br>
+ 14. Select **Next**.
+ ![Connect Active Directory screen](media/how-to-install/install-3a.png)</br>
+ 15. On the **Agent Installation** screen confirm settings and the account that will be created and click **Confirm**.
+ ![Confirm settings](media/how-to-install/install-11.png)</br>
+ 16. After this operation finishes, you should see **Your agent installation is complete.** Select **Exit**.
+ ![Configuration complete screen](media/how-to-install/install-4a.png)</br>
+ 17. If you still see the initial **Microsoft Azure AD Connect Provisioning Agent Package** screen, select **Close**.
+
+## Verify agent installation
+Agent verification occurs in the Azure portal and on the local server that's running the agent.
+
+### Azure portal agent verification
+To verify the agent is being seen by Azure, follow these steps.
+
+ 1. Sign in to the Azure portal.
+ 2. On the left, select **Azure Active Directory** > **Azure AD Connect**. In the center, select **Manage cloud sync**.
+
+ ![Azure portal](media/how-to-install/install-6.png)</br>
+
+ 3. On the **Azure AD Connect cloud sync** screen, select **Review all agents**.
+
+ ![Review all agents option](media/how-to-install/install-7.png)</br>
+
+ 4. On the **On-premises provisioning agents** screen, you see the agents you installed. Verify that the agent in question is there and is marked *active*.
+
+ ![On-premises provisioning agents screen](media/how-to-install/verify-1.png)</br>
+++
+### On the local server
+To verify that the agent is running, follow these steps.
+
+1. Sign in to the server with an administrator account.
+1. Open **Services** by either navigating to it or by going to **Start** > **Run** > **Services.msc**.
+1. Under **Services**, make sure **Microsoft Azure AD Connect Agent Updater** and **Microsoft Azure AD Connect Provisioning Agent** are there and their status is *Running*.
+
+ ![Services screen](media/how-to-install/troubleshoot-1.png)
+
+>[!IMPORTANT]
+>The agent has been installed but it must be configured and enabled before it will start synchronizing users. To configure a new agent, see [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md).
++++
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+- [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md).
+
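Review bot: The installer filename is inconsistent within this file: "Upgrading an existing agent to use the gMSA account" says to run `AADConnectProvisioningAgent.msi`, while step 7 names `AADConnectProvisioningAgentSetup.msi` (and the PowerShell install article in this same change uses `AADConnectProvisioningAgent.Installer.exe`); settle on the real name and use it everywhere. Step 1 asks for enterprise admin permissions on the server while step 11 asks for domain admin credentials to create the gMSA; stating which role is actually required, and that the agent server is a tier 0 asset as the prerequisites article says, would help readers scope the account they sign in with. Minor: "management,the" in the gMSA paragraph is missing a space and the paragraph ends without a period; "click download" in step 6 should match the "select" wording used elsewhere; the last Next steps item ends with a stray period.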
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-manage-registry-options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-manage-registry-options.md new file mode 100644
@@ -0,0 +1,98 @@
+---
+title: 'Azure AD Connect cloud provisioning agent: Manage registry options | Microsoft Docs'
+description: This article describes how to manage registry options in the Azure AD Connect cloud provisioning agent.
+services: active-directory
+documentationcenter: ''
+author: billmath
+manager: daveba
+editor: ''
+ms.service: active-directory
+ms.devlang: na
+ms.topic: how-to
+ms.tgt_pltfrm: na
+ms.workload: identity
+ms.date: 12/11/2020
+ms.subservice: hybrid
+ms.reviewer: chmutali
+ms.author: billmath
+
+ms.collection: M365-identity-device-management
+---
+# Manage agent registry options
+
+This section describes registry options that you can set to control the runtime processing behavior of the Azure AD Connect provisioning agent.
+
+## Configure LDAP connection timeout
+When performing LDAP operations on configured Active Directory domain controllers, by default, the provisioning agent uses the default connection timeout value of 30 seconds. If your domain controller takes more time to respond, then you may see the following error message in the agent log file:
+
+`
+System.DirectoryServices.Protocols.LdapException: The operation was aborted because the client side timeout limit was exceeded.
+`
+
+LDAP search operations can take longer if the search attribute is not indexed. As a first step, if you get the above error, first check if the search/lookup attribute is [indexed](https://docs.microsoft.com/windows/win32/ad/indexed-attributes). If the search attributes are indexed and the error persists, you can increase the LDAP connection timeout using the following steps:
+
+1. Log on as Administrator on the Windows server running the Azure AD Connect Provisioning Agent.
+1. Use the *Run* menu item to open the registry editor (regedit.exe)
+1. Locate the key folder **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent**
+1. Right-click and select "New -> String Value"
+1. Provide the name:
+ `LdapConnectionTimeoutInMilliseconds`
+1. Double-click on the **Value Name** and enter the value data as `60000` milliseconds.
+ > [!div class="mx-imgBorder"]
+ > ![LDAP Connection Timeout](media/how-to-manage-registry-options/ldap-connection-timeout.png)
+1. Restart the Azure AD Connect Provisioning Service from the *Services* console.
+1. If you have deployed multiple provisioning agents, apply this registry change to all agents for consistency.
+
+## Configure referral chasing
+By default, the Azure AD Connect provisioning agent does not chase [referrals](https://docs.microsoft.com/windows/win32/ad/referrals).
+You may want to enable referral chasing, to support certain HR inbound provisioning scenarios such as:
+* Checking uniqueness of UPN across multiple domains
+* Resolving cross-domain manager references
+
+Use the following steps to turn on referral chasing:
+
+1. Log on as Administrator on the Windows server running the Azure AD Connect Provisioning Agent.
+1. Use the *Run* menu item to open the registry editor (regedit.exe)
+1. Locate the key folder **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent**
+1. Right-click and select "New -> String Value"
+1. Provide the name:
+ `ReferralChasingOptions`
+1. Double-click on the **Value Name** and enter the value data as `96`. This value corresponds to the constant value for `ReferralChasingOptions.All` and specifies that both subtree and base-level referrals will be followed by the agent.
+ > [!div class="mx-imgBorder"]
+ > ![Referral Chasing](media/how-to-manage-registry-options/referral-chasing.png)
+1. Restart the Azure AD Connect Provisioning Service from the *Services* console.
+1. If you have deployed multiple provisioning agents, apply this registry change to all agents for consistency.
+
+## Skip GMSA configuration
+With agent version 1.1.281.0+, by default, when you run the agent configuration wizard, you are prompted to setup [Group Managed Service Account (GMSA)](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview). The GMSA setup by the wizard is used at runtime for all sync and provisioning operations.
+
+If you are upgrading from a prior version of the agent and have setup a custom service account with delegated OU-level permissions specific to your Active Directory topology, you may want to skip/postpone GMSA configuration and plan for this change.
+
+> [!NOTE]
+> This guidance specifically applies to customers who have configured HR (Workday/SuccessFactors) inbound provisioning with agent versions prior to 1.1.281.0 and have setup a custom service account for agent operations. In the long run, we recommend switching to GMSA as a best practice.
+
+In this scenario, you can still upgrade the agent binaries and skip the GMSA configuration using the following steps:
+
+1. Log on as Administrator on the Windows server running the Azure AD Connect Provisioning Agent.
+1. Run the agent installer to install the new agent binaries. Close the agent configuration wizard which opens up automatically after the installation is successful.
+1. Use the *Run* menu item to open the registry editor (regedit.exe)
+1. Locate the key folder **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent**
+1. Right-click and select "New -> DWORD Value"
+1. Provide the name:
+ `UseCredentials`
+1. Double-click on the **Value Name** and enter the value data as `1`.
+ > [!div class="mx-imgBorder"]
+ > ![Use Credentials](media/how-to-manage-registry-options/use-credentials.png)
+1. Restart the Azure AD Connect Provisioning Service from the *Services* console.
+1. If you have deployed multiple provisioning agents, apply this registry change to all agents for consistency.
+1. From the desktop short cut, run the agent configuration wizard. The wizard will skip the GMSA configuration.
++
+> [!NOTE]
+> You can confirm the registry options have been set by enabling [verbose logging](how-to-troubleshoot.md#log-files). The logs emitted during agent startup will display the config values picked from the registry.
+
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+
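Review bot: The error message under "Configure LDAP connection timeout" is wrapped in a lone backtick on the line before and after it, which Markdown does not render as code; put the `System.DirectoryServices.Protocols.LdapException: ...` line in a fenced block instead. Two consistency points: every procedure says "Restart the Azure AD Connect Provisioning Service", which does not match the service name the install article uses, "Microsoft Azure AD Connect Provisioning Agent", so name the actual service; and this file writes "GMSA" while the rest of the change writes "gMSA". In "Skip GMSA configuration", "prompted to setup" and "have setup" should be "set up", and since `UseCredentials` = `1` keeps the agent on a custom service account instead of the gMSA, it is worth restating next to that step that the custom account should hold only the delegated OU-level permissions the text mentions, not domain admin rights, so that skipping the gMSA does not widen the agent's privileges.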
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-on-demand-provision https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-on-demand-provision.md new file mode 100644
@@ -0,0 +1,93 @@
+---
+title: 'Azure AD Connect cloud sync on-demand provisioning'
+description: This article describes the on-demand provisioning feature.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: how-to
+ms.date: 09/14/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# Azure AD Connect cloud sync on-demand provisioning
+
+Azure AD Connect cloud sync has introduced a new feature, that will allow you to test configuration changes, by applying these changes to a single user. You can use this to validate and verify that the changes made to the configuration were applied properly and are being correctly synchronized to Azure AD.
+
+> [!IMPORTANT]
+> When you use on-demand provisioning, the scoping filters are not applied to the user you selected. This means that you can use on-demand provisioning on users that are outside the OUs you have specified.
++
+## Using on-demand provisioning
+To use the new feature, follow the steps below.
++
+1. In the Azure portal, select **Azure Active Directory**.
+2. Select **Azure AD Connect**.
+3. Select **Manage cloud sync**.
+
+ ![Manage provisioning](media/how-to-install/install-6.png)
+4. Under **Configuration**, select your configuration.
+5. Under **Validate** click the **Provision a user** button.
+
+ ![Provision a user](media/how-to-on-demand-provision/on-demand-2.png)
+
+6. On the on-demand provisioning screen. Enter the **distinguished name** of a user and click the **Provision** button.
+
+ ![Provisioning on-demand](media/how-to-on-demand-provision/on-demand-3.png)
+7. Once it completes, you should see a success screen and 4 green check boxes indicating it was successfully provisioned. Any errors will appear to the left.
+
+ ![Success](media/how-to-on-demand-provision/on-demand-4.png)
+
+Now you can look at the user and determine if the changes you made in the configuration have been applied. The remainder of this document will describe the individual sections that are displayed in the details of a successfully synchronized user.
+
+## Import User details
+This section provides information on the user that was imported from Active Directory. This is what the user looks like before it is provisioned into Azure AD. Click the **View details** link to display this information.
+
+![Import user](media/how-to-on-demand-provision/on-demand-5.png)
+
+Using this information, you can see the various attributes, and their values, that were imported. If you have created a custom attribute mapping, you will be able to see the value here.
+![Import user details](media/how-to-on-demand-provision/on-demand-6.png)
+
+## Determine if user is in scope details
+This section provides information on whether the user that was imported to Azure AD is in scope. Click the **View details** link to display this information.
+
+![User scope](media/how-to-on-demand-provision/on-demand-7.png)
+
+Using this information, you can see additional information about the scope of your users.
+
+![User scope details](media/how-to-on-demand-provision/on-demand-10a.png)
+
+## Match user between source and target system details
+This section provides information on whether the user already exists in Azure AD and should a join occur instead of provisioning a new user. Click the **View details** link to display this information.
+![View details](media/how-to-on-demand-provision/on-demand-8.png)
+
+Using this information, you can see whether a match was found or if a new user is going to be created.
+
+![User information](media/how-to-on-demand-provision/on-demand-11.png)
+
+The Matching details will show a message with one of the three following operations. They are:
+- Create - a user is created in Azure AD
+- Update - a user is updated based on a change made in the configuration
+- Delete - a user is removed from Azure AD.
+
+Depending on the type of operation you have performed, the message will vary.
+
+## Perform action details
+This section provides information on the user that was provisioned or exported into Azure AD after the configuration is applied. This is what the user looks like once it is provisioned into Azure AD. Click the **View details** link to display this information.
+![Perform action details](media/how-to-on-demand-provision/on-demand-9.png)
+
+Using this information, you can see the values of the attributes after the configuration is applied. Do they look similar to what was imported or are the different? Does the configuration apply successful?
+
+This will process allow you to trace the attribute transformation as it moves through the cloud and into your Azure AD tenant.
+
+![trace attribute](media/how-to-on-demand-provision/on-demand-12.png)
+
+## Next steps
+
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+- [How to install Azure AD Connect cloud sync](how-to-install.md)
+
\ No newline at end of file
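Review bot: The IMPORTANT note says scoping filters are not applied to the selected user, and step 7 confirms the user ends up "successfully provisioned", so the note should spell out the consequence: on-demand provisioning writes the user to Azure AD even when that user is outside the configured OUs, so run it only against a user that is meant to be synced (the more so given that Delete is one of the three operations listed under "Match user between source and target system details"). Wording fixes in the same hunk: the opening sentence has stray commas ("a new feature, that will allow you to test configuration changes, by applying"); step 6 is a fragment ("On the on-demand provisioning screen. Enter the..."); "and should a join occur instead of provisioning a new user" reads awkwardly; and the "Perform action details" section has "are the different?", "Does the configuration apply successful?" and "This will process allow you", which should read "are they different?", "Did the configuration apply successfully?" and "This process will allow you".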
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-prerequisites.md new file mode 100644
@@ -0,0 +1,128 @@
+---
+title: 'Prerequisites for Azure AD Connect cloud sync in Azure AD'
+description: This article describes the prerequisites and hardware requirements you need for cloud sync.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: how-to
+ms.date: 12/11/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# Prerequisites for Azure AD Connect cloud sync
+This article provides guidance on how to choose and use Azure Active Directory (Azure AD) Connect cloud sync as your identity solution.
+
+## Cloud provisioning agent requirements
+You need the following to use Azure AD Connect cloud sync:
+
+- Domain Administrator or Enterprise Administrator credentials to create the Azure AD Connect Cloud Sync gMSA (group Managed Service Account) to run the agent service.
+- A hybrid identity administrator account for your Azure AD tenant that is not a guest user.
+- An on-premises server for the provisioning agent with Windows 2012 R2 or later. This server should be a tier 0 server based on the [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material).
+- On-premises firewall configurations.
+
+## Group Managed Service Accounts
+A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management,the ability to delegate the management to other administrators, and also extends this functionality over multiple servers. Azure AD Connect Cloud Sync supports and uses a gMSA for running the agent. You will be prompted for administrative credentials during setup, in order to create this account. The account will appear as (domain\provAgentgMSA$). For more information on a gMSA, see [Group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview)
+
+### Prerequisites for gMSA:
+1. The Active Directory schema in the gMSA domain's forest needs to be updated to Windows Server 2012
+2. [PowerShell RSAT modules](/windows-server/remote/remote-server-administration-tools) on a domain controller
+3. At least one domain controller in the domain must be running Windows Server 2012.
+4. A domain joined server where the agent is being installed needs to be either Windows Server 2012 or later.
+
+### Custom gMSA account
+If you are creating a custom gMSA account, you need to ensure that the account has the following permissions.
+
+|Type |Name |Access |Applies To|
+|-----|-----|-----|-----|
+|Allow |gMSA Account |Read all properties |Descendant device objects|
+|Allow |gMSA Account|Read all properties |Descendant InetOrgPerson objects|
+|Allow |gMSA Account |Read all properties |Descendant Computer objects|
+|Allow |gMSA Account |Read all properties |Descendant foreignSecurityPrincipal objects|
+|Allow |gMSA Account |Full control |Descendant Group objects|
+|Allow |gMSA Account |Read all properties |Descendant User objects|
+|Allow |gMSA Account |Read all properties |Descendant Contact objects|
+|Allow |gMSA Account |Create/delete User objects|This object and all descendant objects|
+
+For steps on how to upgrade an existing agent to use a gMSA account see [Group Managed Service Accounts](how-to-install.md#group-managed-service-accounts).
+
+### In the Azure Active Directory admin center
+
+1. Create a cloud-only hybrid identity administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant if your on-premises services fail or become unavailable. Learn about how to [add a cloud-only hybrid identity administrator account](../fundamentals/add-users-azure-active-directory.md). Finishing this step is critical to ensure that you don't get locked out of your tenant.
+1. Add one or more [custom domain names](../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.
+
+### In your directory in Active Directory
+
+Run the [IdFix tool](/office365/enterprise/prepare-directory-attributes-for-synch-with-idfix) to prepare the directory attributes for synchronization.
+
+### In your on-premises environment
+
+1. Identify a domain-joined host server running Windows Server 2012 R2 or greater with a minimum of 4-GB RAM and .NET 4.7.1+ runtime.
+
+2. The PowerShell execution policy on the local server must be set to Undefined or RemoteSigned.
+
+3. If there's a firewall between your servers and Azure AD, configure the following items:
+ - Ensure that agents can make *outbound* requests to Azure AD over the following ports:
+
+ | Port number | How it's used |
+ | --- | --- |
+ | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate. |
+ | **443** | Handles all outbound communication with the service. |
+ | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure AD portal. |
+
+ - If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
+ - If your firewall or proxy allows you to specify safe suffixes, add connections to \*.msappproxy.net and \*.servicebus.windows.net. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
+ - Your agents need access to login.windows.net and login.microsoftonline.com for initial registration. Open your firewall for those URLs as well.
+ - For certificate validation, unblock the following URLs: mscrl.microsoft.com:80, crl.microsoft.com:80, ocsp.msocsp.com:80, and www\.microsoft.com:80. These URLs are used for certificate validation with other Microsoft products, so you might already have these URLs unblocked.
+
+ >[!NOTE]
+ > Installing the cloud provisioning agent on Windows Server Core is not supported.
+
+### Additional requirements
+
+- [Microsoft .NET Framework 4.7.1](https://www.microsoft.com/download/details.aspx?id=56116)
+
+#### TLS requirements
+
+> [!NOTE]
+> Transport Layer Security (TLS) is a protocol that provides for secure communications. Changing the TLS settings affects the entire forest. For more information, see [Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows](https://support.microsoft.com/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi).
+
+The Windows server that hosts the Azure AD Connect cloud provisioning agent must have TLS 1.2 enabled before you install it.
+
+To enable TLS 1.2, follow these steps.
+
+1. Set the following registry keys:
+
+ ```
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
+ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SchUseStrongCrypto"=dword:00000001
+ ```
+
+1. Restart the server.
+
+## Known limitations
+
+The following are known limitations:
+
+### Delta Synchronization
+
+- Group scope filtering for delta sync does not support more than 1500 members.
+- When you delete a group that's used as part of a group scoping filter, users who are members of the group, don't get deleted.
+- When you rename the OU or group that's in scope, delta sync will not remove the users.
+
+### Provisioning Logs
+- Provisioning logs do not clearly differentiate between create and update operations. You may see a create operation for an update and an update operation for a create.
+
+### Group re-naming or OU re-naming
+- If you rename a group or OU in AD that's in scope for a given configuration, the cloud sync job will not be able to recognize the name change in AD. The job won't go into quarantine and will remain healthy.
++
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
\ No newline at end of file
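Review bot: The TLS note claims "Changing the TLS settings affects the entire forest", but every key listed in step 1 is under `HKEY_LOCAL_MACHINE` on the agent server, so please verify that sentence or reword it to say the change applies to the server it is made on. The registry block also cannot be imported as written: each `"DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001` pair is on the same line as its `[...\TLS 1.2\Client]` or `[...\TLS 1.2\Server]` key, whereas a .reg file needs the `Windows Registry Editor Version 5.00` header and one value per line beneath its key; either reformat it as a valid .reg file (with a `reg` or `text` fence tag) or present the values in a table. Other points: the minimum OS is "Windows Server 2012" in the gMSA prerequisites, "Windows 2012 R2 or later" in the agent requirements and "Windows Server 2012 R2 or greater" in the on-premises section, so state one version; the custom gMSA table grants "Full control" on descendant Group objects and "Create/delete User objects" while every other row is "Read all properties", and a sentence on why those write rights are needed would let admins apply least privilege deliberately; the intro sentence ("how to choose and use ... as your identity solution") describes a different article than the title; and "management,the" is missing a space while that paragraph lacks a closing period.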
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-sso https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-sso.md new file mode 100644
@@ -0,0 +1,28 @@
+---
+title: 'How to use Single Sign-on with cloud sync'
+description: This article describes how to install and use sso with cloud sync.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: how-to
+ms.date: 01/28/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# Using Single Sign-On with cloud sync
+The following document describes how to use single sign-on with cloud sync.
+
+[!INCLUDE [active-directory-cloud-provisioning-sso.md](../../../includes/active-directory-cloud-provisioning-sso.md)]
+++++
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
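Review bot: The description metadata writes "sso" in lowercase while the title and heading use "Single Sign-On"; use "SSO". Since the body is only the `active-directory-cloud-provisioning-sso.md` include, a Next steps link to the install article (`[How to install Azure AD Connect cloud sync](how-to-install.md)`, as the on-demand provisioning article already has) would give readers the prerequisite path. The `ms.date` of 01/28/2020 is also about a year older than the sibling files in this change; confirm it is intended.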
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-transformation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-transformation.md new file mode 100644
@@ -0,0 +1,112 @@
+---
+title: Azure AD Connect cloud sync transformations
+description: This article describes how to use transformations to alter the default attribute mappings.
+author: billmath
+ms.author: billmath
+manager: davba
+ms.date: 12/02/2019
+ms.topic: how-to
+ms.prod: windows-server-threshold
+ms.technology: identity-adfs
+---
+
+# Transformations
+
+With a transformation, you can change the default behavior of how an attribute is synchronized with Azure Active Directory (Azure AD) by using cloud sync.
+
+To do this task, you need to edit the schema and then resubmit it via a web request.
+
+For more information on cloud sync attributes, see [Understanding the Azure AD schema](concept-attributes.md).
++
+## Retrieve the schema
+To retrieve the schema, follow the steps in [View the schema](concept-attributes.md#view-the-schema).
+
+## Custom attribute mapping
+To add a custom attribute mapping, follow these steps.
+
+1. Copy the schema into a text or code editor such as [Visual Studio Code](https://code.visualstudio.com/).
+1. Locate the object that you want to update in the schema.
+
+ ![Object in the schema](media/how-to-transformation/transform-1.png)</br>
+1. Locate the code for `ExtensionAttribute3` under the user object.
+
+ ```
+ {
+ "defaultValue": null,
+ "exportMissingReferences": false,
+ "flowBehavior": "FlowWhenChanged",
+ "flowType": "Always",
+ "matchingPriority": 0,
+ "targetAttributeName": "ExtensionAttribute3",
+ "source": {
+ "expression": "Trim([extensionAttribute3])",
+ "name": "Trim",
+ "type": "Function",
+ "parameters": [
+ {
+ "key": "source",
+ "value": {
+ "expression": "[extensionAttribute3]",
+ "name": "extensionAttribute3",
+ "type": "Attribute",
+ "parameters": []
+ }
+ }
+ ]
+ }
+ },
+ ```
+1. Edit the code so that the company attribute is mapped to `ExtensionAttribute3`.
+
+ ```
+ {
+ "defaultValue": null,
+ "exportMissingReferences": false,
+ "flowBehavior": "FlowWhenChanged",
+ "flowType": "Always",
+ "matchingPriority": 0,
+ "targetAttributeName": "ExtensionAttribute3",
+ "source": {
+ "expression": "Trim([company])",
+ "name": "Trim",
+ "type": "Function",
+ "parameters": [
+ {
+ "key": "source",
+ "value": {
+ "expression": "[company]",
+ "name": "company",
+ "type": "Attribute",
+ "parameters": []
+ }
+ }
+ ]
+ }
+ },
+ ```
+ 1. Copy the schema back into Graph Explorer, change the **Request Type** to **PUT**, and select **Run Query**.
+
+ ![Run Query](media/how-to-transformation/transform-2.png)
+
+ 1. Now, in the Azure portal, go to the cloud sync configuration and select **Restart provisioning**.
+
+ ![Restart provisioning](media/how-to-transformation/transform-3.png)
+
+ 1. After a little while, verify the attributes are being populated by running the following query in Graph Explorer: `https://graph.microsoft.com/beta/users/{Azure AD user UPN}`.
+ 1. You should now see the value.
+
+ ![The value appears](media/how-to-transformation/transform-4.png)
+
+## Custom attribute mapping with function
+For more advanced mapping, you can use functions that allow you to manipulate the data and create values for attributes to suit your organization's needs.
+
+To do this task, follow the previous steps and then edit the function that's used to construct the final value.
+
+For information on the syntax and examples of expressions, see [Writing expressions for attribute mappings in Azure Active Directory](reference-expressions.md).
++
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
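Review bot: the PUT step at `1. Copy the schema back into Graph Explorer, change the **Request Type** to **PUT**, and select **Run Query**.` needs a warning that a PUT replaces the whole schema document, so the body must be the complete schema retrieved under "Retrieve the schema" with only the one mapping edited; submitting a fragment, or a schema copied from a different configuration, would silently drop the other mappings. It should also state which Graph permission the Graph Explorer sign-in needs for this write, so readers can use an account scoped to that rather than a global admin. Smaller points: the steps from that line on are indented one space deeper than the earlier steps, which nests them instead of continuing the list; the two JSON blocks use bare fences while the troubleshooting doc in this set tags its fence (```xml), so tag them ```json; the verification query at `https://graph.microsoft.com/beta/users/{Azure AD user UPN}` should say which property of the response carries the value, since extensionAttribute3 is not a top-level user property; and the front matter (ms.date 12/02/2019, ms.prod: windows-server-threshold, ms.technology: identity-adfs) looks copied from another doc set rather than matching the cloud sync files that use ms.service: active-directory and ms.subservice: hybrid.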
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-troubleshoot.md new file mode 100644
@@ -0,0 +1,224 @@
+---
+title: Azure AD Connect cloud sync troubleshooting
+description: This article describes how to troubleshoot problems that might arise with the cloud provisioning agent.
+author: billmath
+ms.author: billmath
+manager: daveba
+ms.date: 01/19/2021
+ms.topic: how-to
+ms.prod: windows-server-threshold
+ms.technology: identity-adfs
+---
+
+# Cloud sync troubleshooting
+
+Cloud sync touches many different things and has many different dependencies. This broad scope can give rise to various problems. This article helps you troubleshoot these problems. It introduces the typical areas for you to focus on, how to gather additional information, and the various techniques you can use to track down problems.
++
+## Common troubleshooting areas
+
+|Name|Description|
+|-----|-----|
+|[Agent problems](#agent-problems)|Verify that the agent was installed correctly and that it communicates with Azure Active Directory (Azure AD).|
+|[Object synchronization problems](#object-synchronization-problems)|Use provisioning logs to troubleshoot object synchronization problems.|
+|[Provisioning quarantined problems](#provisioning-quarantined-problems)|Understand provisioning quarantine problems and how to fix them.|
++
+## Agent problems
+Some of the first things that you want to verify with the agent are:
+
+- Is it installed?
+- Is the agent running locally?
+- Is the agent in the portal?
+- Is the agent marked as healthy?
+
+These items can be verified in the Azure portal and on the local server that's running the agent.
+
+### Azure portal agent verification
+
+To verify that the agent is seen by Azure and is healthy, follow these steps.
+
+1. Sign in to the Azure portal.
+1. On the left, select **Azure Active Directory** > **Azure AD Connect**. In the center, select **Manage sync**.
+1. On the **Azure AD Connect cloud sync** screen, select **Review all agents**.
+
+ ![Review all agents](media/how-to-install/install-7.png)</br>
+
+1. On the **On-premises provisioning agents** screen, you see the agents you've installed. Verify that the agent in question is there and is marked *Healthy*.
+
+ ![On-premises provisioning agents screen](media/how-to-install/install-8.png)</br>
+
+### Verify the port
+
+Verify that Azure is listening on port 443 and that your agent can communicate with it.
+
+This test verifies that your agents can communicate with Azure over port 443. Open a browser, and go to the previous URL from the server where the agent is installed.
+
+![Verification of port reachability](media/how-to-install/verify-2.png)
+
+### On the local server
+
+To verify that the agent is running, follow these steps.
+
+1. On the server with the agent installed, open **Services** by either navigating to it or by going to **Start** > **Run** > **Services.msc**.
+1. Under **Services**, make sure **Microsoft Azure AD Connect Agent Updater** and **Microsoft Azure AD Connect Provisioning Agent** are there and their status is *Running*.
+
+ ![Services screen](media/how-to-troubleshoot/troubleshoot-1.png)
+
+### Common agent installation problems
+
+The following sections describe some common agent installation problems and typical resolutions.
+
+#### Agent failed to start
+
+You might receive an error message that states:
+
+**Service 'Microsoft Azure AD Connect Provisioning Agent' failed to start. Verify that you have sufficient privileges to start the system services.**
+
+This problem is typically caused by a group policy that prevented permissions from being applied to the local NT Service log-on account created by the installer (NT SERVICE\AADConnectProvisioningAgent). These permissions are required to start the service.
+
+To resolve this problem, follow these steps.
+
+1. Sign in to the server with an administrator account.
+1. Open **Services** by either navigating to it or by going to **Start** > **Run** > **Services.msc**.
+1. Under **Services**, double-click **Microsoft Azure AD Connect Provisioning Agent**.
+1. On the **Log On** tab, change **This account** to a domain admin. Then restart the service.
+
+ ![Log On tab](media/how-to-troubleshoot/troubleshoot-3.png)
+
+#### Agent times out or certificate is invalid
+
+You might get the following error message when you attempt to register the agent.
+
+![Time-out error message](media/how-to-troubleshoot/troubleshoot-4.png)
+
+This problem is usually caused by the agent being unable to connect to the Hybrid Identity Service and requires you to configure an HTTP proxy. To resolve this problem, configure an outbound proxy.
+
+The provisioning agent supports use of an outbound proxy. You can configure it by editing the agent config file *C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\AADConnectProvisioningAgent.exe.config*.
+Add the following lines into it, toward the end of the file just before the closing `</configuration>` tag.
+Replace the variables `[proxy-server]` and `[proxy-port]` with your proxy server name and port values.
+
+```xml
+ <system.net>
+ <defaultProxy enabled="true" useDefaultCredentials="true">
+ <proxy
+ usesystemdefault="true"
+ proxyaddress="http://[proxy-server]:[proxy-port]"
+ bypassonlocal="true"
+ />
+ </defaultProxy>
+ </system.net>
+```
+
+#### Agent registration fails with security error
+
+You might get an error message when you install the cloud provisioning agent.
+
+This problem is typically caused by the agent being unable to execute the PowerShell registration scripts due to local PowerShell execution policies.
+
+To resolve this problem, change the PowerShell execution policies on the server. You need to have Machine and User policies set as *Undefined* or *RemoteSigned*. If they're set as *Unrestricted*, you'll see this error. For more information, see [PowerShell execution policies](/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-6).
+
+### Log files
+
+By default, the agent emits minimal error messages and stack trace information. You can find these trace logs in the folder **C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace**.
+
+To gather additional details for troubleshooting agent-related problems, follow these steps.
+
+1. Install the AADCloudSyncTools PowerShell module as described [here](reference-powershell.md#install-the-aadcloudsynctools-powershell-module).
+2. Use the `Export-AADCloudSyncToolsLogs` PowerShell cmdlet to capture the information. You can use the following switches to fine tune your data collection.
+ - SkipVerboseTrace to only export current logs without capturing verbose logs (default = false)
+ - TracingDurationMins to specify a different capture duration (default = 3 mins)
+ - OutputPath to specify a different output path (default = UserΓÇÖs Documents)
++
+## Object synchronization problems
+
+The following section contains information on troubleshooting object synchronization.
+
+### Provisioning logs
+
+In the Azure portal, provisioning logs can be used to help track down and troubleshoot object synchronization problems. To view the logs, select **Logs**.
+
+![Logs button](media/how-to-troubleshoot/log-1.png)
+
+Provisioning logs provide a wealth of information on the state of the objects being synchronized between your on-premises Active Directory environment and Azure.
+
+![Provisioning Logs screen](media/how-to-troubleshoot/log-2.png)
+
+You can use the drop-down boxes at the top of the page to filter the view to zero in on specific problems, such as dates. Double-click an individual event to see additional information.
+
+![Provisioning Logs drop-down box information](media/how-to-troubleshoot/log-3.png)
+
+This information provides detailed steps and where the synchronization problem is occurring. In this way, you can pinpoint the exact spot of the problem.
++
+## Provisioning quarantined problems
+
+Cloud sync monitors the health of your configuration and places unhealthy objects in a quarantine state. If most or all of the calls made against the target system consistently fail because of an error, for example, invalid admin credentials, the sync job is marked as in quarantine.
+
+![Quarantine status](media/how-to-troubleshoot/quarantine-1.png)
+
+By selecting the status, you can see additional information about the quarantine. You can also obtain the error code and message.
+
+![Quarantine status information](media/how-to-troubleshoot/quarantine-2.png)
+
+Right clicking on the status will bring up additional options:
+
+ - view provisioning logs
+ - view agent
+ - clear quarantine
+
+![Quarantine status information](media/how-to-troubleshoot/quarantine-4.png)
++
+### Resolve a quarantine
+There are two different ways to resolve a quarantine. They are:
+
+ - clear quarantine - clears the watermark and runs a delta sync
+ - restart the provisioning job - clears the watermark and runs an initial sync
+
+#### Clear quarantine
+To clear the watermark and run a delta sync on the provisioning job once you have verified it, simply right-click on the status and select **clear quarantine**.
+
+You should see an notice that the quarantine is clearing.
+
+![Quarantine status information](media/how-to-troubleshoot/quarantine-5.png)
+
+Then you should see the status on your agent as healthy.
+
+![Quarantine status information](media/how-to-troubleshoot/quarantine-6.png)
+
+#### Restart the provisioning job
+Use the Azure portal to restart the provisioning job. On the agent configuration page, select **Restart provisioning**.
+
+ ![Restart provisioning](media/how-to-troubleshoot/quarantine-3.png)
+
+- Use Microsoft Graph to [restart the provisioning job](/graph/api/synchronization-synchronizationjob-restart?tabs=http&view=graph-rest-beta). You'll have full control over what you restart. You can choose to clear:
+ - Escrows, to restart the escrow counter that accrues toward quarantine status.
+ - Quarantine, to remove the application from quarantine.
+ - Watermarks.
+
+ Use the following request:
+
+ `POST /servicePrincipals/{id}/synchronization/jobs/{jobId}/restart`
+
+## Repairing the the Cloud Sync service account
+If you need to repair the cloud sync service account you can use the `Repair-AADCloudSyncToolsAccount`.
++
+ 1. Use the installation steps outlined [here](reference-powershell.md#install-the-aadcloudsynctools-powershell-module) to begin and then continue with the remaining steps.
+ 2. From a Windows PowerShell session with administrative privileges, type or copy and paste the following:
+ ```
+ Connect-AADCloudSyncTools
+ ```
+ 3. Enter your Azure AD global admin credentials
+ 4. Type or copy and paste the following:
+ ```
+ Repair-AADCloudSyncToolsAccount
+ ```
+ 5. Once this completes it should say that the account was repaired successfully.
+
+## Next steps
+
+- [Known limitations](how-to-prerequisites.md#known-limitations)
+- [Error codes](reference-error-codes.md)
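Review bot: the fix under "Agent failed to start" (`1. On the **Log On** tab, change **This account** to a domain admin. Then restart the service.`) trades a permissions problem for a standing Domain Admin service account on the agent server, which is far more privilege than the provisioning agent needs and does not address the stated cause, a group policy stripping rights from `NT SERVICE\AADConnectProvisioningAgent`. The resolution should instead be to correct the group policy so the virtual account gets the log-on-as-a-service and related rights back, or, if a dedicated account is unavoidable, a least-privilege service account, with an explicit recommendation against using a domain admin. Other points in this hunk: "Verify the port" says `go to the previous URL from the server`, but no URL appears earlier in this file (the paragraph and image were carried over from the install doc), so the URL must be restated here; under "Agent registration fails with security error" the claim that *Unrestricted* causes the error while *RemoteSigned* or *Undefined* is required reads backwards for an execution-policy failure and should be confirmed and explained, and the link pins `?view=powershell-6`; the Graph restart shows only `POST /servicePrincipals/{id}/synchronization/jobs/{jobId}/restart` although the text says you choose which of escrows, quarantine and watermarks to clear, so the JSON body that selects the reset scope (documented in the linked Graph reference) should be shown, and the portal instruction before it should be a bullet parallel to the Graph one; the heading "Repairing the the Cloud Sync service account" doubles "the", and the mojibake `UserΓÇÖs Documents` should read `User's Documents`.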
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/plan-cloud-sync-topologies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/plan-cloud-sync-topologies.md new file mode 100644
@@ -0,0 +1,60 @@
+---
+title: Azure AD Connect cloud sync supported topologies and scenarios
+description: Learn about various on-premises and Azure Active Directory (Azure AD) topologies that use Azure AD Connect cloud sync.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 02/26/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
++
+# Azure AD Connect cloud sync supported topologies and scenarios
+This article describes various on-premises and Azure Active Directory (Azure AD) topologies that use Azure AD Connect cloud sync. This article includes only supported configurations and scenarios.
+
+> [!IMPORTANT]
+> Microsoft doesn't support modifying or operating Azure AD Connect cloud sync outside of the configurations or actions that are formally documented. Any of these configurations or actions might result in an inconsistent or unsupported state of Azure AD Connect cloud sync. As a result, Microsoft can't provide technical support for such deployments.
+
+## Things to remember about all scenarios and topologies
+The following is a list of information to keep in mind when selecting a solution.
+
+- Users and groups must be uniquely identified across all forests
+- Matching across forests does not occur with cloud sync
+- A user or group must be represented only once across all forests
+- The source anchor for objects is chosen automatically. It uses ms-DS-ConsistencyGuid if present, otherwise ObjectGUID is used.
+- You cannot change the attribute that is used for source anchor.
+
+## Single forest, single Azure AD tenant
+![Diagram that shows the topology for a single forest and a single tenant.](media/tutorial-single-forest/diagram-2.png)
+
+The simplest topology is a single on-premises forest, with one or multiple domains, and a single Azure AD tenant. For an example of this scenario see [Tutorial: A single forest with a single Azure AD tenant](tutorial-single-forest.md)
++
+## Multi-forest, single Azure AD tenant
+![Topology for a multi-forest and a single tenant](media/plan-cloud-provisioning-topologies/multi-forest-2.png)
+
+A common topology is a multiple AD forests, with one or multiple domains, and a single Azure AD tenant.
+
+## Existing forest with Azure AD Connect, new forest with cloud Provisioning
+![Diagram that shows the topology for an existing forest and a new forest.](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
+
+This scenario is topology is similar to the multi-forest scenario, however this one involves an existing Azure AD Connect environment and then bringing on a new forest using Azure AD Connect cloud sync. For an example of this scenario see [Tutorial: An existing forest with a single Azure AD tenant](tutorial-existing-forest.md)
+
+## Piloting Azure AD Connect cloud sync in an existing hybrid AD forest
+![Topology for a single forest and a single tenant](media/tutorial-migrate-aadc-aadccp/diagram-2.png)
+The piloting scenario involves the existence of both Azure AD Connect and Azure AD Connect cloud sync in the same forest and scoping the users and groups accordingly. NOTE: An object should be in scope in only one of the tools.
+
+For an example of this scenario see [Tutorial: Pilot Azure AD Connect cloud sync in an existing synced AD forest](tutorial-pilot-aadc-aadccp.md)
+++
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+
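Review bot: the bullets `- Users and groups must be uniquely identified across all forests` and `- A user or group must be represented only once across all forests` state a requirement without saying what happens when it is violated (two forests each holding an object for the same user), which the neighbouring `- Matching across forests does not occur with cloud sync` bullet makes likely in practice; state the failure mode (a duplicate object in Azure AD, a quarantine, or a specific entry in the error-codes reference) so readers can recognise it. Also: "This scenario is topology is similar to the multi-forest scenario" has a stray word; the heading "Existing forest with Azure AD Connect, new forest with cloud Provisioning" should use the product name "cloud sync" like the other headings; the piloting section's `NOTE: An object should be in scope in only one of the tools.` is the key constraint of that topology and belongs in the "Things to remember" list or a `> [!NOTE]` block rather than inline in a sentence; the piloting diagram's alt text repeats the single-forest diagram's alt text; and ms.date 02/26/2020 is stale for a new file.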
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/reference-cloud-sync-faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/reference-cloud-sync-faq.md new file mode 100644
@@ -0,0 +1,100 @@
+---
+title: Azure AD Connect cloud sync FAQ
+description: This document describes frequently asked questions for cloud sync.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: reference
+ms.date: 06/25/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+# Azure Active Directory Connect cloud sync FAQ
+
+Read about frequently asked questions for Azure Active Directory (Azure AD) Connect cloud sync.
+
+## General installation
+
+**Q: How often does cloud sync run?**
+
+Cloud provisioning is scheduled to run every 2 mins. Every 2 mins, any user, group and password hash changes will be provisioned to Azure AD.
+
+**Q: Seeing password hash sync failures on the first run. Why?**
+
+This is expected. The failures are due to the user object not present in Azure AD. Once the user is provisioned to Azure AD, password hashes should provisioning in the subsequent run. Wait for a couple of runs and confirm that password hash sync no longer has the errors.
+
+**Q: What happens if the Active Directory instance has attributes that are not supported by cloud sync (for instance, directory extensions)?**
+
+Cloud provisioning will run and provision the supported attributes. The unsupported attributes will not be provisioned to Azure AD. Review the directory extensions in Active Directory and ensure that you don't need those attributes to flow to Azure AD. If one or more attributes are required, consider using Azure AD Connect sync or moving the required information to one of the supported attributes (for instance, extension attributes 1-15).
+
+**Q: What's the difference between Azure AD Connect sync and cloud sync?**
+
+With Azure AD Connect sync, provisioning runs on the on-premises sync server. Configuration is stored on the on-premises sync server. With Azure AD Connect cloud sync, the provisioning configuration is stored in the cloud and runs in the cloud as part of the Azure AD provisioning service.
+
+**Q: Can I use cloud sync to sync from multiple Active Directory forests?**
+
+Yes. Cloud provisioning can be used to sync from multiple Active Directory forests. In the multi-forest environment, all the references (example, manager) need to be within the domain.
+
+**Q: How is the agent updated?**
+
+The agents are auto upgraded by Microsoft. For the IT team, this reduces the burden of having to test and validate new agent versions.
+
+**Q: Can I disable auto upgrade?**
+
+There is no supported way to disable auto upgrade.
+
+**Q: Can I change the source anchor for cloud sync?**
+
+By default, cloud sync uses ms-ds-consistency-GUID with a fallback to ObjectGUID as source anchor. There is no supported way to change the source anchor.
+
+**Q: I see new service principals with the AD domain name(s) when using cloud sync. Is it expected?**
+
+Yes, cloud sync creates a service principal for the provisioning configuration with the domain name as the service principal name. Do not make any changes to the service principal configuration.
+
+**Q: What happens when a synced user is required to change password on next logon?**
+
+If password hash sync is enabled in cloud sync and the synced user is required to change password on next logon in on-premises AD, cloud sync does not provision the "to-be-changed" password hash to Azure AD. Once the user changes the password, the user password hash is provisioned from AD to Azure AD.
+
+**Q: Does cloud sync support writeback of ms-ds-consistencyGUID for any object?**
+
+No, cloud sync does not support writeback of ms-ds-consistencyGUID for any object (including user objects).
+
+**Q: I am provisioning users using cloud sync. I deleted the configuration. Why do I still see the old synced objects in Azure AD?**
+
+When you delete the configuration, cloud sync does not automatically remove the synced objects in Azure AD. To ensure you do not have the old objects, change the scope of the configuration to an empty group or Organizational Units. Once the provisioning runs and cleans up the objects, disable and delete the configuration.
+
+**Q: What does it mean that Exchange hybrid is not supported?**
+
+The Exchange Hybrid Deployment feature allows for the co-existence of Exchange mailboxes both on-premises and in Microsoft 365. Azure AD Connect is synchronizing a specific set of attributes from Azure AD back into your on-premises directory. The cloud provisioning agent currently does not synchronize these attributes back into your on-premises directory and thus it is not supported as a replacement for Azure AD Connect.
+
+**Q: Can I install the cloud provisioning agent on Windows Server Core?**
+
+No, installing the agent on server core is not supported.
+
+**Q: Can I use a staging server with the cloud provisioning agent?**
+
+No, staging servers are not supported.
+
+**Q: Can I synchronize Guest user accounts?**
+
+No, synchronizing guest user accounts is not supported.
+
+**Q: If I move a user from an OU that is scoped for cloud sync to an OU that is scoped for Azure AD Connect, what happens?**
+
+The user will be deleted and re-created. Moving a user from an OU that is scoped for cloud sync will be viewed as a delete operation. If the user is moved to an OU that is managed by Azure AD Connect, it will be re-provisioned to Azure AD and a new user created.
+
+**Q: If I rename or move the OU that is in scope for the cloud sync filter, what happens to the user that were created in Azure AD?**
+
+Nothing. The users will not be deleted if the OU is renamed or moved.
+
+**Q: Does Azure AD Connect cloud sync support large groups?**
+
+Yes. Today we support up to 50K group members synchronized using the OU scope filtering. At the same time, when you use the group scope filtering, we recommend that you keep your group size to less than 1500 members. The reason for this is that even though you can sync a large group as part of group scoping filter, when you add members to that group by batches of greater than 1500, the delta synchronization will fail.
+
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
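Review bot: the answer `The user will be deleted and re-created.` (for moving a user from a cloud sync OU to an Azure AD Connect OU) should spell out the consequence of re-creation, namely that the result is a new Azure AD object rather than the old one restored, so anything attached to the old object is affected, and should cross-reference the topology doc's rule that an object must be in scope of only one tool. Related answers that need the same treatment: `Do not make any changes to the service principal configuration.` gives neither a reason nor the consequence of changing or deleting it; the deleted-configuration answer says the synced objects remain but not in what state they are left (enabled, with synced password hashes?) until the scope-to-empty-group cleanup has run; and the large-group answer should state the failure mode more precisely than "the delta synchronization will fail". Wording: "password hashes should provisioning in the subsequent run" should be "should provision"; "ms-ds-consistency-GUID" should be spelled the same way as "ms-DS-ConsistencyGuid" in the topology doc; and "Cloud provisioning is scheduled to run every 2 mins. Every 2 mins, any ..." repeats itself.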
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/reference-error-codes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/reference-error-codes.md new file mode 100644
@@ -0,0 +1,38 @@
+---
+title: Azure AD Connect cloud sync error codes and descriptions
+description: reference article for cloud sync error codes
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: reference
+ms.date: 01/14/2021
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# Azure AD Connect cloud sync error codes and descriptions
+The following is a list of error codes and their description
++
+## Error codes
+
+|Error code|Details|Scenario|Resolution|
+|-----|-----|-----|-----|
+|TimeOut|Error Message: We've detected a request timeout error when contacting the on-premises agent and synchronizing your configuration. For additional issues related to your cloud sync agent, please see our troubleshooting guidance.|Request to HIS timed out. Current Timeout value is 10 minutes.|See our [troubleshooting guidance](how-to-troubleshoot.md)|
+|HybridSynchronizationActiveDirectoryInternalServerError|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.30b500eaf9c643b2b78804e80c1421fe.5c291d3c-d29f-4570-9d6b-f0c2fa3d5926. Additional details: Processing of the HTTP request resulted in an exception. |Could not process the parameters received in SCIM request to a Search request.|Please see the HTTP response returned by the 'Response' property of this exception for details.|
+|HybridIdentityServiceNoAgentsAssigned|Error Message: We are unable to find an active agent for the domain you are trying to sync. Please check to see if the agents have been removed. If so, re-install the agent again.|There are no agents running. Probably agents have been removed. Register a new agent.|"In this case, you will not see any agent assigned to the domain in portal.|
+|HybridIdentityServiceNoActiveAgents|Error Message: We are unable to find an active agent for the domain you are trying to sync. Please check to see if the agent is running by going to the server, where the agent is installed, and check to see if "Microsoft Azure AD Cloud Sync Agent" under Services is running.|"Agents are not listening to the ServiceBus endpoint. [The agent is behind a firewall that does not allow connections to service bus](../../active-directory/manage-apps/application-proxy-configure-connectors-with-proxy-servers.md#use-the-outbound-proxy-server)|
+|HybridIdentityServiceInvalidResource|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.3a2a0d8418f34f54a03da5b70b1f7b0c.d583d090-9cd3-4d0a-aee6-8d666658c3e9. Additional details: There seems to be an issue with your cloud sync setup. Please re-register your cloud sync agent on your on-prem AD domain and restart configuration from Azure Portal.|The resource name must be set so HIS knows which agent to contact.|Please re-register your cloud sync agent on your on-prem AD domain and restart configuration from Azure Portal.|
+|HybridIdentityServiceAgentSignalingError|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.92d2e8750f37407fa2301c9e52ad7e9b.efb835ef-62e8-42e3-b495-18d5272eb3f9. Additional details: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration).|Service Bus is not able to send a message to the agent. Could be an outage in service bus, or the agent is not responsive.|If this issue persists, please contact support with Job ID (from status pane of your configuration).|
+|AzureDirectoryServiceServerBusy|Error Message: An error occurred. Error Code: 81. Error Description: Azure Active Directory is currently busy. This operation will be retried automatically. If this issue persists for more than 24 hours, contact Technical Support. Tracking ID: 8a4ab3b5-3664-4278-ab64-9cff37fd3f4f Server Name:|Azure Active Directory is currently busy.|If this issue persists for more than 24 hours, contact Technical Support.|
+|AzureActiveDirectoryInvalidCredential|Error Message: We found an issue with the service account that is used to run Azure AD Connect Cloud Sync. You can repair the cloud service account by following the instructions at [here](https://go.microsoft.com/fwlink/?linkid=2150988). If the error persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: CredentialsInvalid AADSTS50034: The user account {EmailHidden} does not exist in the skydrive365.onmicrosoft.com directory. To sign into this application, the account must be added to the directory. Trace ID: 14b63033-3bc9-4bd4-b871-5eb4b3500200 Correlation ID: 57d93ed1-be4d-483c-997c-a3b6f03deb00 Timestamp: 2021-01-12 21:08:29Z |This error is thrown when the sync service account ADToAADSyncServiceAccount doesn't exist in the tenant. It can be due to accidental deletion of the account.|Use [Repair-AADCloudSyncToolsAccount](reference-powershell.md#repair-aadcloudsynctoolsaccount) to fix the service account.|
+|AzureActiveDirectoryExpiredCredentials|Error Message: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: CredentialsExpired AADSTS50055: The password is expired. Trace ID: 989b1841-dbe5-49c9-ab6c-9aa25f7b0e00 Correlation ID: 1c69b196-1c3a-4381-9187-c84747807155 Timestamp: 2021-01-12 20:59:31Z | Response status code does not indicate success: 401 (Unauthorized).|AAD Sync service account credentials are expired.|You can repair the cloud service account by following the instructions at https://go.microsoft.com/fwlink/?linkid=2150988. If the error persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: Your administrative Azure Active Directory tenant credentials were exchanged for an OAuth token that has since expired."|
+|AzureActiveDirectoryAuthenticationFailed|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.60b943e88f234db2b887f8cb91dee87c.707be0d2-c6a9-405d-a3b9-de87761dc3ac. Additional details: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: UnexpectedError.|Unknown error.|If this issue persists, please contact support with Job ID (from status pane of your configuration).|
+
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
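Review bot: the Details column reproduces what look like real captured diagnostics, for example `AADSTS50034: The user account {EmailHidden} does not exist in the skydrive365.onmicrosoft.com directory`, together with concrete Trace ID, Correlation ID, Tracking ID and AD2AADProvisioning job identifiers and 2021-01-12 timestamps; replace the tenant name and every identifier with placeholders such as `{tenant}.onmicrosoft.com` and `{traceId}` so the doc does not publish one tenant's diagnostics and readers do not paste sample IDs into support cases. The table is also broken: the AzureActiveDirectoryExpiredCredentials row contains an unescaped `|` in `Timestamp: 2021-01-12 20:59:31Z | Response status code does not indicate success: 401 (Unauthorized).`, which splits that cell and shifts the Scenario and Resolution columns, and the HybridIdentityServiceNoActiveAgents row has only three cells with a stray leading `"`, so its Scenario and Resolution are merged (another stray `"` opens the HybridIdentityServiceNoAgentsAssigned resolution). That row's resolution links to the Application Proxy connector proxy doc; it should point at the proxy configuration in the cloud sync troubleshooting doc, and its service name `Microsoft Azure AD Cloud Sync Agent` does not match the `Microsoft Azure AD Connect Provisioning Agent` service named there. Finally, the AzureActiveDirectoryExpiredCredentials row sends readers to a bare fwlink for the repair steps; link the reference-powershell.md `Repair-AADCloudSyncToolsAccount` anchor directly, as the AzureActiveDirectoryInvalidCredential row already does.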
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/reference-expressions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/reference-expressions.md new file mode 100644
@@ -0,0 +1,815 @@
+---
+title: Azure AD Connect cloud sync expressions and function reference
+description: reference
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: reference
+ms.date: 12/02/2019
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
++
+# Writing expressions for attribute mappings in Azure Active Directory
+When you configure cloud sync, one of the types of attribute mappings that you can specify is an expression mapping.
+
+The expression mapping allows you to customize attributes using a script-like expression. This allows you to transform the on-premises data into an new or different value. For example, you may want to combine two attributes into a single attribute because this single attribute is used by one of your cloud applications.
+
+The following document will cover the script-like expressions that are used to transform the data. This is only part of the process. Next you will need to use this expression and place it in a web request to your tenant. For more information on that see [Transformations](how-to-transformation.md)
+
+## Syntax overview
+The syntax for Expressions for Attribute Mappings is reminiscent of Visual Basic for Applications (VBA) functions.
+
+* The entire expression must be defined in terms of functions, which consist of a name followed by arguments in parentheses: <br>
+ *FunctionName(`<<argument 1>>`,`<<argument N>>`)*
+* You may nest functions within each other. For example: <br> *FunctionOne(FunctionTwo(`<<argument1>>`))*
+* You can pass three different types of arguments into functions:
+
+ 1. Attributes, which must be enclosed in square brackets. For example: [attributeName]
+ 2. String constants, which must be enclosed in double quotes. For example: "United States"
+ 3. Other Functions. For example: FunctionOne(`<<argument1>>`, FunctionTwo(`<<argument2>>`))
+* For string constants, if you need a backslash ( \ ) or quotation mark ( " ) in the string, it must be escaped with the backslash ( \ ) symbol. For example: "Company name: \\"Contoso\\""
+
+## List of functions
+| List of functions | Description |
+|-----|----|
+|[Append](#append)|Takes a source string value and appends the suffix to the end of it.|
+|[BitAnd](#bitand)|The BitAnd function sets specified bits on a value.|
+|[CBool](#cbool)|The CBool function returns a Boolean based on the evaluated expression|
+|[ConvertFromBase64](#convertfrombase64)|The ConvertFromBase64 function converts the specified base64 encoded value to a regular string.|
+|[ConvertToBase64](#converttobase64)|The ConvertToBase64 function converts a string to a Unicode base64 string. |
+|[ConvertToUTF8Hex](#converttoutf8hex)|The ConvertToUTF8Hex function converts a string to a UTF8 Hex encoded value.|
+|[Count](#count)|The Count function returns the number of elements in a multi-valued attribute|
+|[Cstr](#cstr)|The CStr function converts to a string data type.|
+|[DateFromNum](#datefromnum)|The DateFromNum function converts a value in ADΓÇÖs date format to a DateTime type.|
+|[DNComponent](#dncomponent)|The DNComponent function returns the value of a specified DN component going from left.|
+|[Error](#error)|The Error function is used to return a custom error.|
+|[FormatDateTime](#formatdatetime) |Takes a date string from one format and converts it into a different format.|
+|[GUID](#guid)|The function Guid generates a new random GUID.|
+|[IIF](#iif)|The IIF function returns one of a set of possible values based on a specified condition.|
+|[InStr](#instr)|The InStr function finds the first occurrence of a substring in a string.|
+|[IsNull](#isnull)|If the expression evaluates to Null, then the IsNull function returns true.|
+|[IsNullOrEmpty](#isnullorempty)|If the expression is null or an empty string, then the IsNullOrEmpty function returns true.|
+|[IsPresent](#ispresent)|If the expression evaluates to a string that is not Null and is not empty, then the IsPresent function returns true.|
+|[IsString](#isstring)|If the expression can be evaluated to a string type, then the IsString function evaluates to True.|
+|[Item](#item)|The Item function returns one item from a multi-valued string/attribute.|
+|[Join](#join) |Join() is similar to Append(), except that it can combine multiple **source** string values into a single string, and each value will be separated by a **separator** string.|
+|[Left](#left)|The Left function returns a specified number of characters from the left of a string.|
+|[Mid](#mid) |Returns a substring of the source value. A substring is a string that contains only some of the characters from the source string.|
+|[NormalizeDiacritics](#normalizediacritics)|Requires one string argument. Returns the string, but with any diacritical characters replaced with equivalent non-diacritical characters.|
+|[Not](#not) |Flips the boolean value of the **source**. If **source** value is "*True*", returns "*False*". Otherwise, returns "*True*".|
+|[RemoveDuplicates](#removeduplicates)|The RemoveDuplicates function takes a multi-valued string and make sure each value is unique.|
+|[Replace](#replace) |Replaces values within a string. |
+|[SelectUniqueValue](#selectuniquevalue)|Requires a minimum of two arguments, which are unique value generation rules defined using expressions. The function evaluates each rule and then checks the value generated for uniqueness in the target app/directory.|
+|[SingleAppRoleAssignment](#singleapproleassignment)|Returns a single appRoleAssignment from the list of all appRoleAssignments assigned to a user for a given application.|
+|[Split](#split)|Splits a string into a multi-valued array, using the specified delimiter character.|
+|[StringFromSID](#stringfromsid)|The StringFromSid function converts a byte array containing a security identifier to a string.|
+|[StripSpaces](#stripspaces) |Removes all space (" ") characters from the source string.|
+|[Switch](#switch)|When **source** value matches a **key**, returns **value** for that **key**. |
+|[ToLower](#tolower)|Takes a *source* string value and converts it to lower case using the culture rules that are specified.|
+|[ToUpper](#toupper)|Takes a *source* string value and converts it to upper case using the culture rules that are specified.|
+|[Trim](#trim)|The Trim function removes leading and trailing white spaces from a string.|
+|[Word](#word)|The Word function returns a word contained within a string, based on parameters describing the delimiters to use and the word number to return.|
+
+---
+### Append
+**Function:**<br>
+Append(source, suffix)
+
+**Description:**<br>
+Takes a source string value and appends the suffix to the end of it.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | --- | --- | --- | --- |
+ | **source** |Required |String |Usually name of the attribute from the source object. |
+ | **suffix** |Required |String |The string that you want to append to the end of the source value. |
+
+---
+### BitAnd
+**Description:**
+The BitAnd function sets specified bits on a value.
+
+**Syntax:**
+`num BitAnd(num value1, num value2)`
+
+* value1, value2: numeric values that should be ANDΓÇÖed together
+
+**Remarks:**
+This function converts both parameters to the binary representation and sets a bit to:
+
+* 0 - if one or both of the corresponding bits in *value1* and *value2* are 0
+* 1 - if both of the corresponding bits are 1.
+
+In other words, it returns 0 in all cases except when the corresponding bits of both parameters are 1.
+
+**Example:**
+
+ `BitAnd(&HF, &HF7)`</br>
+ Returns 7 because hexadecimal "F" AND "F7" evaluate to this value.
+
+---
+
+### CBool
+**Description:**
+The CBool function returns a Boolean based on the evaluated expression
+
+**Syntax:**
+`bool CBool(exp Expression)`
+
+**Remarks:**
+If the expression evaluates to a non-zero value, then CBool returns True, else it returns False.
+
+**Example:**
+`CBool([attrib1] = [attrib2])`
+
+Returns True if both attributes have the same value.
+
+---
+### ConvertFromBase64
+**Description:**
+The ConvertFromBase64 function converts the specified base64 encoded value to a regular string.
+
+**Syntax:**
+`str ConvertFromBase64(str source)` - assumes Unicode for encoding
+`str ConvertFromBase64(str source, enum Encoding)`
+
+* source: Base64 encoded string
+* Encoding: Unicode, ASCII, UTF8
+
+**Example**
+`ConvertFromBase64("SABlAGwAbABvACAAdwBvAHIAbABkACEA")`
+`ConvertFromBase64("SGVsbG8gd29ybGQh", UTF8)`
+
+Both examples return "*Hello world!*"
+
+---
+### ConvertToBase64
+**Description:**
+The ConvertToBase64 function converts a string to a Unicode base64 string.
+Converts the value of an array of integers to its equivalent string representation that is encoded with base-64 digits.
+
+**Syntax:**
+`str ConvertToBase64(str source)`
+
+**Example:**
+`ConvertToBase64("Hello world!")`
+Returns "SABlAGwAbABvACAAdwBvAHIAbABkACEA"
+
+---
+### ConvertToUTF8Hex
+**Description:**
+The ConvertToUTF8Hex function converts a string to a UTF8 Hex encoded value.
+
+**Syntax:**
+`str ConvertToUTF8Hex(str source)`
+
+**Remarks:**
+The output format of this function is used by Azure Active Directory as DN attribute format.
+
+**Example:**
+`ConvertToUTF8Hex("Hello world!")`
+Returns 48656C6C6F20776F726C6421
+
+---
+### Count
+**Description:**
+The Count function returns the number of elements in a multi-valued attribute
+
+**Syntax:**
+`num Count(mvstr attribute)`
+
+---
+### CStr
+**Description:**
+The CStr function converts to a string data type.
+
+**Syntax:**
+`str CStr(num value)`
+`str CStr(ref value)`
+`str CStr(bool value)`
+
+* value: Can be a numeric value, reference attribute, or Boolean.
+
+**Example:**
+`CStr([dn])`
+Could return "cn=Joe,dc=contoso,dc=com"
+
+---
+### DateFromNum
+**Description:**
+The DateFromNum function converts a value in ADΓÇÖs date format to a DateTime type.
+
+**Syntax:**
+`dt DateFromNum(num value)`
+
+**Example:**
+`DateFromNum([lastLogonTimestamp])`
+`DateFromNum(129699324000000000)`
+Returns a DateTime representing 2012-01-01 23:00:00
+
+---
+### DNComponent
+**Description:**
+The DNComponent function returns the value of a specified DN component going from left.
+
+**Syntax:**
+`str DNComponent(ref dn, num ComponentNumber)`
+
+* dn: the reference attribute to interpret
+* ComponentNumber: The component in the DN to return
+
+**Example:**
+`DNComponent(CRef([dn]),1)`
+If dn is "cn=Joe,ou=…," it returns Joe
+
+---
+### Error
+**Description:**
+The Error function is used to return a custom error.
+
+**Syntax:**
+`void Error(str ErrorMessage)`
+
+**Example:**
+`IIF(IsPresent([accountName]),[accountName],Error("AccountName is required"))`
+If the attribute accountName is not present, throw an error on the object.
+
+---
+### FormatDateTime
+**Function:**<br>
+FormatDateTime(source, inputFormat, outputFormat)
+
+**Description:**<br>
+Takes a date string from one format and converts it into a different format.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | --- | --- | --- | --- |
+ | **source** |Required |String |Usually name of the attribute from the source object. |
+ | **inputFormat** |Required |String |Expected format of the source value. For supported formats, see [/dotnet/standard/base-types/custom-date-and-time-format-strings](/dotnet/standard/base-types/custom-date-and-time-format-strings). |
+ | **outputFormat** |Required |String |Format of the output date. |
+
+---
+### Guid
+**Description:**
+The function Guid generates a new random GUID
+
+**Syntax:**
+`str Guid()`
+
+---
+### IIF
+**Description:**
+The IIF function returns one of a set of possible values based on a specified condition.
+
+**Syntax:**
+`var IIF(exp condition, var valueIfTrue, var valueIfFalse)`
+
+* condition: any value or expression that can be evaluated to true or false.
+* valueIfTrue: If the condition evaluates to true, the returned value.
+* valueIfFalse: If the condition evaluates to false, the returned value.
+
+**Example:**
+`IIF([employeeType]="Intern","t-" & [alias],[alias])`
+ If the user is an intern, returns the alias of a user with "t-" added to the beginning of it, else returns the userΓÇÖs alias as is.
+
+---
+### InStr
+**Description:**
+The InStr function finds the first occurrence of a substring in a string
+
+**Syntax:**
+
+`num InStr(str stringcheck, str stringmatch)`
+`num InStr(str stringcheck, str stringmatch, num start)`
+`num InStr(str stringcheck, str stringmatch, num start, enum compare)`
+
+* stringcheck: string to be searched
+* stringmatch: string to be found
+* start: starting position to find the substring
+* compare: vbTextCompare or vbBinaryCompare
+
+**Remarks:**
+Returns the position where the substring was found or 0 if not found.
+
+**Example:**
+`InStr("The quick brown fox","quick")`
+Evalues to 5
+
+`InStr("repEated","e",3,vbBinaryCompare)`
+Evaluates to 7
+
+---
+### IsNull
+**Description:**
+If the expression evaluates to Null, then the IsNull function returns true.
+
+**Syntax:**
+`bool IsNull(var Expression)`
+
+**Remarks:**
+For an attribute, a Null is expressed by the absence of the attribute.
+
+**Example:**
+`IsNull([displayName])`
+Returns True if the attribute is not present in the CS or MV.
+
+---
+### IsNullOrEmpty
+**Description:**
+If the expression is null or an empty string, then the IsNullOrEmpty function returns true.
+
+**Syntax:**
+`bool IsNullOrEmpty(var Expression)`
+
+**Remarks:**
+For an attribute, this would evaluate to True if the attribute is absent or is present but is an empty string.
+The inverse of this function is named IsPresent.
+
+**Example:**
+`IsNullOrEmpty([displayName])`
+Returns True if the attribute is not present or is an empty string in the CS or MV.
+
+---
+### IsPresent
+**Description:**
+If the expression evaluates to a string that is not Null and is not empty, then the IsPresent function returns true.
+
+**Syntax:**
+`bool IsPresent(var expression)`
+
+**Remarks:**
+The inverse of this function is named IsNullOrEmpty.
+
+**Example:**
+`Switch(IsPresent([directManager]),[directManager], IsPresent([skiplevelManager]),[skiplevelManager], IsPresent([director]),[director])`
+
+---
+### Item
+**Description:**
+The Item function returns one item from a multi-valued string/attribute.
+
+**Syntax:**
+`var Item(mvstr attribute, num index)`
+
+* attribute: multi-valued attribute
+* index: index to an item in the multi-valued string.
+
+**Remarks:**
+The Item function is useful together with the Contains function since the latter function returns the index to an item in the multi-valued attribute.
+
+Throws an error if index is out of bounds.
+
+**Example:**
+`Mid(Item([proxyAddresses],Contains([proxyAddresses], "SMTP:")),6)`
+Returns the primary email address.
+
+---
+### IsString
+**Description:**
+If the expression can be evaluated to a string type, then the IsString function evaluates to True.
+
+**Syntax:**
+`bool IsString(var expression)`
+
+**Remarks:**
+Used to determine if CStr() can be successful to parse the expression.
+
+---
+### Join
+**Function:**<br>
+Join(separator, source1, source2, …)
+
+**Description:**<br>
+Join() is similar to Append(), except that it can combine multiple **source** string values into a single string, and each value will be separated by a **separator** string.
+
+If one of the source values is a multi-value attribute, then every value in that attribute will be joined together, separated by the separator value.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | --- | --- | --- | --- |
+ | **separator** |Required |String |String used to separate source values when they are concatenated into one string. Can be "" if no separator is required. |
+ | **source1 … sourceN** |Required, variable-number of times |String |String values to be joined together. |
+
+---
+### Left
+**Description:**
+The Left function returns a specified number of characters from the left of a string.
+
+**Syntax:**
+`str Left(str string, num NumChars)`
+
+* string: the string to return characters from
+* NumChars: a number identifying the number of characters to return from the beginning (left) of string
+
+**Remarks:**
+A string containing the first numChars characters in string:
+
+* If numChars = 0, return empty string.
+* If numChars < 0, return input string.
+* If string is null, return empty string.
+
+If string contains fewer characters than the number specified in numChars, a string identical to string (that is, containing all characters in parameter 1) is returned.
+
+**Example:**
+`Left("John Doe", 3)`
+Returns `Joh`.
+
+---
+### Mid
+**Function:**<br>
+Mid(source, start, length)
+
+**Description:**<br>
+Returns a substring of the source value. A substring is a string that contains only some of the characters from the source string.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | --- | --- | --- | --- |
+ | **source** |Required |String |Usually name of the attribute. |
+ | **start** |Required |integer |Index in the **source** string where substring should start. First character in the string will have index of 1, second character will have index 2, and so on. |
+ | **length** |Required |integer |Length of the substring. If length ends outside the **source** string, function will return substring from **start** index till end of **source** string. |
+
+---
+### NormalizeDiacritics
+**Function:**<br>
+NormalizeDiacritics(source)
+
+**Description:**<br>
+Requires one string argument. Returns the string, but with any diacritical characters replaced with equivalent non-diacritical characters. Typically used to convert first names and last names containing diacritical characters (accent marks) into legal values that can be used in various user identifiers such as user principal names, SAM account names, and email addresses.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | --- | --- | --- | --- |
+ | **source** |Required |String | Usually a first name or last name attribute. |
+
+---
+### Not
+**Function:**<br>
+Not(source)
+
+**Description:**<br>
+Flips the boolean value of the **source**. If **source** value is "*True*", returns "*False*". Otherwise, returns "*True*".
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | --- | --- | --- | --- |
+ | **source** |Required |Boolean String |Expected **source** values are "True" or "False". |
+
+---
+### RemoveDuplicates
+**Description:**
+The RemoveDuplicates function takes a multi-valued string and make sure each value is unique.
+
+**Syntax:**
+`mvstr RemoveDuplicates(mvstr attribute)`
+
+**Example:**
+`RemoveDuplicates([proxyAddresses])`
+Returns a sanitized proxyAddress attribute where all duplicate values have been removed.
+
+---
+### Replace
+**Function:**<br>
+Replace(source, oldValue, regexPattern, regexGroupName, replacementValue, replacementAttributeName, template)
+
+**Description:**<br>
+Replaces values within a string. It works differently depending on the parameters provided:
+
+* When **oldValue** and **replacementValue** are provided:
+
+ * Replaces all occurrences of **oldValue** in the **source** with **replacementValue**
+* When **oldValue** and **template** are provided:
+
+ * Replaces all occurrences of the **oldValue** in the **template** with the **source** value
+* When **regexPattern** and **replacementValue** are provided:
+
+ * The function applies the **regexPattern** to the **source** string and you can use the regex group names to construct the string for **replacementValue**
+* When **regexPattern**, **regexGroupName**, **replacementValue** are provided:
+
+ * The function applies the **regexPattern** to the **source** string and replaces all values matching **regexGroupName** with **replacementValue**
+* When **regexPattern**, **regexGroupName**, **replacementAttributeName** are provided:
+
+ * If **source** has no value, **source** is returned
+ * If **source** has a value, the function applies the **regexPattern** to the **source** string and replaces all values matching **regexGroupName** with the value associated with **replacementAttributeName**
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | --- | --- | --- | --- |
+ | **source** |Required |String |Usually name of the attribute from the **source** object. |
+ | **oldValue** |Optional |String |Value to be replaced in **source** or **template**. |
+ | **regexPattern** |Optional |String |Regex pattern for the value to be replaced in **source**. Or, when **replacementPropertyName** is used, pattern to extract value from **replacementPropertyName**. |
+ | **regexGroupName** |Optional |String |Name of the group inside **regexPattern**. Only when **replacementPropertyName** is used, we will extract value of this group as **replacementValue** from **replacementPropertyName**. |
+ | **replacementValue** |Optional |String |New value to replace old one with. |
+ | **replacementAttributeName** |Optional |String |Name of the attribute to be used for replacement value |
+ | **template** |Optional |String |When **template** value is provided, we will look for **oldValue** inside the template and replace it with **source** value. |
+
+---
+### SelectUniqueValue
+**Function:**<br>
+SelectUniqueValue(uniqueValueRule1, uniqueValueRule2, uniqueValueRule3, …)
+
+**Description:**<br>
+Requires a minimum of two arguments, which are unique value generation rules defined using expressions. The function evaluates each rule and then checks the value generated for uniqueness in the target app/directory. The first unique value found will be the one returned. If all of the values already exist in the target, the entry will get escrowed and the reason gets logged in the audit logs. There is no upper bound to the number of arguments that can be provided.
+
+> [!NOTE]
+> - This is a top-level function, it cannot be nested.
+> - This function cannot be applied to attributes that have a matching precedence.
+> - This function is only meant to be used for entry creations. When using it with an attribute, set the **Apply Mapping** property to **Only during object creation**.
+> - This function is currently only supported for "Workday to Active Directory User Provisioning". It cannot be used with other provisioning applications.
++
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | --- | --- | --- | --- |
+ | **uniqueValueRule1 … uniqueValueRuleN** |At least 2 are required, no upper bound |String | List of unique value generation rules to evaluate. |
++
+---
+### SingleAppRoleAssignment
+**Function:**<br>
+SingleAppRoleAssignment([appRoleAssignments])
+
+**Description:**<br>
+Returns a single appRoleAssignment from the list of all appRoleAssignments assigned to a user for a given application. This function is required to convert the appRoleAssignments object into a single role name string. Note that the best practice is to ensure only one appRoleAssignment is assigned to one user at a time, and if multiple roles are assigned the role string returned may not be predictable.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ |--- | --- | --- | --- |
+ | **[appRoleAssignments]** |Required |String |**[appRoleAssignments]** object. |
+
+---
+### Split
+**Function:**<br>
+Split(source, delimiter)
+
+**Description:**<br>
+Splits a string into a multi-valued array, using the specified delimiter character.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | --- | --- | --- | --- |
+ | **source** |Required |String |**source** value to update. |
+ | **delimiter** |Required |String |Specifies the character that will be used to split the string (example: ",") |
+
+---
+### StringFromSid
+**Description:**
+The StringFromSid function converts a byte array containing a security identifier to a string.
+
+**Syntax:**
+`str StringFromSid(bin ObjectSID)`
+
+---
+### StripSpaces
+**Function:**<br>
+StripSpaces(source)
+
+**Description:**<br>
+Removes all space (" ") characters from the source string.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | --- | --- | --- | --- |
+ | **source** |Required |String |**source** value to update. |
+
+---
+### Switch
+**Function:**<br>
+Switch(source, defaultValue, key1, value1, key2, value2, …)
+
+**Description:**<br>
+When **source** value matches a **key**, returns **value** for that **key**. If **source** value doesn't match any keys, returns **defaultValue**. **Key** and **value** parameters must always come in pairs. The function always expects an even number of parameters.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | --- | --- | --- | --- |
+ | **source** |Required |String |**Source** value to check. |
+ | **defaultValue** |Optional |String |Default value to be used when source doesn't match any keys. Can be empty string (""). |
+ | **key** |Required |String |**Key** to compare **source** value with. |
+ | **value** |Required |String |Replacement value for the **source** matching the key. |
+
+---
+### ToLower
+**Function:**<br>
+ToLower(source, culture)
+
+**Description:**<br>
+Takes a *source* string value and converts it to lower case using the culture rules that are specified. If there is no *culture* info specified, then it will use Invariant culture.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | --- | --- | --- | --- |
+ | **source** |Required |String |Usually name of the attribute from the source object |
+ | **culture** |Optional |String |The format for the culture name based on RFC 4646 is *languagecode2-country/regioncode2*, where *languagecode2* is the two-letter language code and *country/regioncode2* is the two-letter subculture code. Examples include ja-JP for Japanese (Japan) and en-US for English (United States). In cases where a two-letter language code is not available, a three-letter code derived from ISO 639-2 is used.|
+
+---
+
+### ToUpper
+**Function:**<br>
+ToUpper(source, culture)
+
+**Description:**<br>
+Takes a *source* string value and converts it to upper case using the culture rules that are specified. If there is no *culture* info specified, then it will use Invariant culture.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | --- | --- | --- | --- |
+ | **source** |Required |String |Usually name of the attribute from the source object. |
+ | **culture** |Optional |String |The format for the culture name based on RFC 4646 is *languagecode2-country/regioncode2*, where *languagecode2* is the two-letter language code and *country/regioncode2* is the two-letter subculture code. Examples include ja-JP for Japanese (Japan) and en-US for English (United States). In cases where a two-letter language code is not available, a three-letter code derived from ISO 639-2 is used.|
+
+---
+
+### Trim
+**Description:**
+The Trim function removes leading and trailing white spaces from a string.
+
+**Syntax:**
+`str Trim(str value)`
+
+**Example:**
+`Trim(" Test ")`
+Returns "Test".
+
+`Trim([proxyAddresses])`
+Removes leading and trailing spaces for each value in the proxyAddress attribute.
+
+---
+### Word
+**Description:**
+The Word function returns a word contained within a string, based on parameters describing the delimiters to use and the word number to return.
+
+**Syntax:**
+`str Word(str string, num WordNumber, str delimiters)`
+
+* string: the string to return a word from.
+* WordNumber: a number identifying which word number should return.
+* delimiters: a string representing the delimiter(s) that should be used to identify words
+
+**Remarks:**
+Each string of characters in string separated by the one of the characters in delimiters are identified as words:
+
+* If number < 1, returns empty string.
+* If string is null, returns empty string.
+
+If string contains less than number words, or string does not contain any words identified by delimiters, an empty string is returned.
+
+**Example:**
+`Word("The quick brown fox",3," ")`
+Returns "brown"
+
+`Word("This,string!has&many separators",3,",!&#")`
+Would return "has"
+
+## Examples
+### Strip known domain name
+You need to strip a known domain name from a userΓÇÖs email to obtain a user name. <br>
+For example, if the domain is "contoso.com", then you could use the following expression:
+
+**Expression:** <br>
+`Replace([mail], "@contoso.com", , ,"", ,)`
+
+**Sample input / output:** <br>
+
+* **INPUT** (mail): "john.doe@contoso.com"
+* **OUTPUT**: "john.doe"
+
+### Append constant suffix to user name
+If you are using a Salesforce Sandbox, you might need to append an additional suffix to all your user names before synchronizing them.
+
+**Expression:** <br>
+`Append([userPrincipalName], ".test")`
+
+**Sample input/output:** <br>
+
+* **INPUT**: (userPrincipalName): "John.Doe@contoso.com"
+* **OUTPUT**: "John.Doe@contoso.com.test"
+
+### Generate user alias by concatenating parts of first and last name
+You need to generate a user alias by taking first 3 letters of user's first name and first 5 letters of user's last name.
+
+**Expression:** <br>
+`Append(Mid([givenName], 1, 3), Mid([surname], 1, 5))`
+
+**Sample input/output:** <br>
+
+* **INPUT** (givenName): "John"
+* **INPUT** (surname): "Doe"
+* **OUTPUT**: "JohDoe"
+
+### Remove diacritics from a string
+You need to replace characters containing accent marks with equivalent characters that don't contain accent marks.
+
+**Expression:** <br>
+NormalizeDiacritics([givenName])
+
+**Sample input/output:** <br>
+
+* **INPUT** (givenName): "Zoë"
+* **OUTPUT**: "Zoe"
+
+### Split a string into a multi-valued array
+You need to take a comma-delimited list of strings, and split them into an array that can be plugged into a multi-value attribute like Salesforce's PermissionSets attribute. In this example, a list of permission sets has been populated in extensionAttribute5 in Azure AD.
+
+**Expression:** <br>
+Split([extensionAttribute5], ",")
+
+**Sample input/output:** <br>
+
+* **INPUT** (extensionAttribute5): "PermissionSetOne, PermissionSetTwo"
+* **OUTPUT**: ["PermissionSetOne", "PermissionSetTwo"]
+
+### Output date as a string in a certain format
+You want to send dates to a SaaS application in a certain format. <br>
+For example, you want to format dates for ServiceNow.
+
+**Expression:** <br>
+
+`FormatDateTime([extensionAttribute1], "yyyyMMddHHmmss.fZ", "yyyy-MM-dd")`
+
+**Sample input/output:**
+
+* **INPUT** (extensionAttribute1): "20150123105347.1Z"
+* **OUTPUT**: "2015-01-23"
+
+### Replace a value based on predefined set of options
+
+You need to define the time zone of the user based on the state code stored in Azure AD. <br>
+If the state code doesn't match any of the predefined options, use default value of "Australia/Sydney".
+
+**Expression:** <br>
+`Switch([state], "Australia/Sydney", "NSW", "Australia/Sydney","QLD", "Australia/Brisbane", "SA", "Australia/Adelaide")`
+
+**Sample input/output:**
+
+* **INPUT** (state): "QLD"
+* **OUTPUT**: "Australia/Brisbane"
+
+### Replace characters using a regular expression
+You need to find characters that match a regular expression value and remove them.
+
+**Expression:** <br>
+
+Replace([mailNickname], , "[a-zA-Z_]*", , "", , )
+
+**Sample input/output:**
+
+* **INPUT** (mailNickname: "john_doe72"
+* **OUTPUT**: "72"
+
+### Convert generated userPrincipalName (UPN) value to lower case
+In the example below, the UPN value is generated by concatenating the PreferredFirstName and PreferredLastName source fields and the ToLower function operates on the generated string to convert all characters to lower case.
+
+`ToLower(Join("@", NormalizeDiacritics(StripSpaces(Join(".", [PreferredFirstName], [PreferredLastName]))), "contoso.com"))`
+
+**Sample input/output:**
+
+* **INPUT** (PreferredFirstName): "John"
+* **INPUT** (PreferredLastName): "Smith"
+* **OUTPUT**: "john.smith@contoso.com"
+
+### Generate unique value for userPrincipalName (UPN) attribute
+Based on the user's first name, middle name and last name, you need to generate a value for the UPN attribute and check for its uniqueness in the target AD directory before assigning the value to the UPN attribute.
+
+**Expression:** <br>
+
+```ad-attr-mapping-expr
+ SelectUniqueValue(
+ Join("@", NormalizeDiacritics(StripSpaces(Join(".", [PreferredFirstName], [PreferredLastName]))), "contoso.com"),
+ Join("@", NormalizeDiacritics(StripSpaces(Join(".", Mid([PreferredFirstName], 1, 1), [PreferredLastName]))), "contoso.com"),
+ Join("@", NormalizeDiacritics(StripSpaces(Join(".", Mid([PreferredFirstName], 1, 2), [PreferredLastName]))), "contoso.com")
+ )
+```
+
+**Sample input/output:**
+
+* **INPUT** (PreferredFirstName): "John"
+* **INPUT** (PreferredLastName): "Smith"
+* **OUTPUT**: "John.Smith@contoso.com" if UPN value of John.Smith@contoso.com doesn't already exist in the directory
+* **OUTPUT**: "J.Smith@contoso.com" if UPN value of John.Smith@contoso.com already exists in the directory
+* **OUTPUT**: "Jo.Smith@contoso.com" if the above two UPN values already exist in the directory
++
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
\ No newline at end of file
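Review bot: the sample input under "Replace characters using a regular expression" is malformed: `* **INPUT** (mailNickname: "john_doe72"` is missing the closing parenthesis and the colon that every other sample uses, and should read `* **INPUT** (mailNickname): "john_doe72"`. The intro to "Generate unique value for userPrincipalName (UPN) attribute" says the value is built from the first name, middle name and last name, but the SelectUniqueValue expression only references [PreferredFirstName] and [PreferredLastName]; either drop "middle name" from the sentence or add a candidate that uses it. The expression `Replace([mailNickname], , "[a-zA-Z_]*", , "", , )` is the only one in this region that sits in neither backticks nor a fenced block, so its empty positional arguments are easy to misread as a typo; fence it the way the SelectUniqueValue example is fenced. The line holding a lone `+` just before `## Next steps` will render as a literal plus sign and should be an empty line.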
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/reference-powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/reference-powershell.md new file mode 100644
@@ -0,0 +1,127 @@
+---
+title: 'AADCloudSyncTools PowerShell Module for Azure AD Connect cloud sync'
+description: This article describes how to install the Azure AD Connect cloud provisioning agent.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: how-to
+ms.date: 11/30/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# AADCloudSyncTools PowerShell Module for Azure AD Connect cloud sync
+
+With the release of public preview refresh 2, Microsoft has introduced the AADCloudSyncTools PowerShell Module. This module provides a set of useful tools that you can use to help manage your Azure AD Connect Cloud Sync deployments.
+
+## Pre-requisites
+The following pre-requisites are required:
+- This module uses MSAL authentication, so it requires MSAL.PS module installed. It no longer depends on Azure AD or Azure AD Preview. To verify, in an Admin PowerShell window, execute `Get-module MSAL.PS`. If the module is installed correctly you will get a response. You can use `Install-AADCloudSyncToolsPrerequisites` to install the latest version of MSAL.PS
+- The AzureAD PowerShell module. Some of the cmdlets rely on pieces of the AzureAD PowerShell module to accomplish their tasks. To verify, in an Admin PowerShell window execute `Get-module AzureAD`. You should get a response. You can use `Install-AADCloudSyncToolsPrerequisites` to install the latest version of the AzureAD PowerShell module.
+- Installing modules from PowerShell may enforce using TLS 1.2. To ensure you can install modules, set the following: \
+`[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 `
+
+## Install the AADCloudSyncTools PowerShell module
+To install and use the AADCloudSyncTools module use the following steps:
+
+1. Open Windows PowerShell with administrative privileges
+2. Type `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` and hit enter.
+3. Type or copy and paste the following:
+ ``` powershell
+ Import-module -Name "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Utility\AADCloudSyncTools"
+ ```
+3. Hit enter.
+4. To verify the module was installed, enter or copy and paste the following"
+ ```powershell
+ Get-module AADCloudSyncTools
+ ```
+5. You should now see information about the module.
+6. Next run
+ ``` powershell
+ Install-AADCloudSyncToolsPrerequisites
+ ```
+7. This will install the PowerShell Get modules. Close the PowerShell Window.
+8. Open Windows PowerShell with administrative privileges
+9. Import the module again using step 3.
+10. Run `Install-AADCloudSyncToolsPrerequisites` to install the MSAL and AzureAD modules
+11. All pre-reqs should be successfully installed
+ ![Install module](media/reference-powershell/install-1.png)
+
+## AADCloudSyncTools Cmdlets
+### Connect-AADCloudSyncTools
+Uses AzureAD module to connect to Azure AD and the MSAL.PS module to request a token for Microsoft Graph
++
+### Export-AADCloudSyncToolsLogs
+Exports and packages all the troubleshooting data in a compressed file, as follows:
+ 1. Starts a verbose tracing with Start-AADCloudSyncToolsVerboseLogs. You can find these trace logs in the folder C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace.
+ 2. Collects a trace log for 3 minutes.
+ You can specify a different time with -TracingDurationMins or skip verbose tracing with -SkipVerboseTrace
+ 3. Stops verbose tracing with Stop-AADCloudSyncToolsVerboseLogs
+ 4. Collects Event Viewer Logs for the last 24 hours
+ 5. Compresses all the agent logs, verbose logs and event viewer logs into a compressed zip file under the User's Documents folder.
+ </br>You can specify a different output folder with -OutputPath \<folder path\>
+
+### Get-AADCloudSyncToolsInfo
+Shows Azure AD Tenant details and internal variables state
+
+### Get-AADCloudSyncToolsJob
+Uses Graph to get AD2AAD Service Principals and returns the Synchronization Job information.
+Can be also called using the specific Sync Job ID as a parameter.
+
+### Get-AADCloudSyncToolsJobSchedule
+Uses Graph to get AD2AAD Service Principals and returns the Synchronization Job's Schedule.
+Can be also called using the specific Sync Job ID as a parameter.
+
+### Get-AADCloudSyncToolsJobSchema
+Uses Graph to get AD2AAD Service Principals and returns the Synchronization Job's Schema.
+
+### Get-AADCloudSyncToolsJobScope
+Uses Graph to get the Synchronization Job's Schema for the provided Sync Job ID and outputs all filter group's scopes.
+
+### Get-AADCloudSyncToolsJobSettings
+Uses Graph to get AD2AAD Service Principals and returns the Synchronization Job's Settings.
+Can be also called using the specific Sync Job ID as a parameter.
+
+### Get-AADCloudSyncToolsJobStatus
+Uses Graph to get AD2AAD Service Principals and returns the Synchronization Job's Status.
+Can be also called using the specific Sync Job ID as a parameter.
+
+### Get-AADCloudSyncToolsServicePrincipal
+Uses Graph to get the Service Principal(s) for AD2AAD and/or SyncFabric.
+Without parameters, will only return AD2AAD Service Principal(s).
+
+### Install-AADCloudSyncToolsPrerequisites
+Checks for the presence of PowerShellGet v2.2.4.1 or later and Azure AD and MSAL.PS modules and installs these if missing.
+
+### Invoke-AADCloudSyncToolsGraphQuery
+Invokes a Web request for the URI, Method and Body specified as parameters
+
+### Repair-AADCloudSyncToolsAccount
+Uses Azure AD PowerShell to delete the current account (if present) and resets the Sync Account authentication with a new synchronization account in Azure AD.
+
+### Restart-AADCloudSyncToolsJob
+Restarts a full synchronization.
+
+### Resume-AADCloudSyncToolsJob
+Continues synchronization from the previous watermark.
+
+### Start-AADCloudSyncToolsVerboseLogs
+Modifies the 'AADConnectProvisioningAgent.exe.config' to enable verbose tracing and restarts the AADConnectProvisioningAgent service
+You can use -SkipServiceRestart to prevent service restart but any config changes will not take effect. You can find these trace logs in the folder C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace.
+
+### Stop-AADCloudSyncToolsVerboseLogs
+Modifies the 'AADConnectProvisioningAgent.exe.config' to disable verbose tracing and restarts the AADConnectProvisioningAgent service.
+You can use -SkipServiceRestart to prevent service restart but any config changes will not take effect.
+
+### Suspend-AADCloudSyncToolsJob
+Pauses synchronization.
+
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+
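Review bot: the verification commands in the prerequisites check the wrong thing: `Get-module MSAL.PS` and `Get-module AzureAD` return only modules already imported into the current session, so a freshly installed module produces no output and the reader would wrongly conclude it is missing; use `Get-Module -ListAvailable MSAL.PS` (and the same for AzureAD) to test that a module is installed. The front-matter description ("This article describes how to install the Azure AD Connect cloud provisioning agent.") does not match the content, which documents the AADCloudSyncTools module. In the installation steps two consecutive items are both numbered "3." and step 4 ends with a stray `"` where a colon belongs. The cmdlet reference gives no parameter names or examples: several Get-AADCloudSyncToolsJob* entries say the cmdlet "Can be also called using the specific Sync Job ID as a parameter" without naming that parameter, and Invoke-AADCloudSyncToolsGraphQuery mentions URI, Method and Body with no syntax; one syntax line or example per cmdlet would make the reference usable. Minor: `</br>` under Export-AADCloudSyncToolsLogs is not a valid tag (use `<br>`), the two `-SkipServiceRestart` sentences should say the config change takes effect only once the service is restarted, and the line holding a lone `+` before `### Export-AADCloudSyncToolsLogs` should be empty.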
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/reference-version-history https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/reference-version-history.md new file mode 100644
@@ -0,0 +1,18 @@
+---
+title: 'Azure AD Connect cloud provisioning agent: Version release history | Microsoft Docs'
+description: This article lists all releases of Azure AD Connect cloud provisioning agent and describes new features and fixed issues
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.topic: reference
+ms.workload: identity
+ms.date: 11/19/2020
+ms.subservice: app-provisioning
+ms.author: billmath
+ms.reviewer: daveba
+---
+
+# Azure AD Connect cloud provisioning agent: Version release history
+
+[!INCLUDE [active-directory-cloud-sync-version-history.md](../../../includes/active-directory-cloud-sync-version-history.md)]
\ No newline at end of file
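Review bot: `ms.subservice: app-provisioning` differs from the other new cloud-sync articles in this change, which all use `ms.subservice: hybrid`; confirm which value is intended so the page is categorized with its siblings. The file also ends without a trailing newline.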
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/tutorial-basic-ad-azure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/tutorial-basic-ad-azure.md new file mode 100644
@@ -0,0 +1,413 @@
+---
+title: Tutorial - Basic Active Directory on-premises and Azure AD environment.
+services: active-directory
+description: Learn how to create a basic AD and Azure AD environment.
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: tutorial
+ms.date: 12/02/2019
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# Tutorial: Basic Active Directory environment
+
+This tutorial walks you through creating a basic Active Directory environment.
+
+![Diagram that shows a basic Azure A D environment.](media/tutorial-single-forest/diagram-2.png)
+
+You can use the environment you create in the tutorial to test various aspects of hybrid identity scenarios and will be a prerequisite for some of the tutorials. If you already have an existing Active Directory environment you can use that as a substitute. This information is provided for individuals who my be starting from nothing.
+
+This tutorial consists of
+## Prerequisites
+The following are prerequisites required for completing this tutorial
+- A computer with [Hyper-V](/windows-server/virtualization/hyper-v/hyper-v-technology-overview) installed. It is suggested to do this on either a [Windows 10](/virtualization/hyper-v-on-windows/about/supported-guest-os) or a [Windows Server 2016](/windows-server/virtualization/hyper-v/supported-windows-guest-operating-systems-for-hyper-v-on-windows) computer.
+- An [external network adapter](/virtualization/hyper-v-on-windows/quick-start/connect-to-network) to allow the virtual machine to communicate with the internet.
+- An [Azure subscription](https://azure.microsoft.com/free)
+- A copy of Windows Server 2016
+- [Microsoft .NET framework 4.7.1](https://www.microsoft.com/download/details.aspx?id=56115)
+
+> [!NOTE]
+> This tutorial uses PowerShell scripts so that you can create the tutorial environment in the quickest amount of time. Each of the scripts uses variables that are declared at the beginning of the scripts. You can and should change the variables to reflect your environment.
+>
+>The scripts used create a general Active Directory environment prior to installing the Azure AD Connect cloud provisioning agent. They are relevant for all of the tutorials.
+>
+> Copies of the PowerShell scripts that are used in this tutorial are available on GitHub [here](https://github.com/billmath/tutorial-phs).
+
+## Create a virtual machine
+The first thing that you need to do, in order to get our hybrid identity environment up and running is to create a virtual machine that will be used as our on-premises Active Directory server. Do the following:
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ #Declare variables
+ $VMName = 'DC1'
+ $Switch = 'External'
+ $InstallMedia = 'D:\ISO\en_windows_server_2016_updated_feb_2018_x64_dvd_11636692.iso'
+ $Path = 'D:\VM'
+ $VHDPath = 'D:\VM\DC1\DC1.vhdx'
+ $VHDSize = '64424509440'
+
+ #Create New Virtual Machine
+ New-VM -Name $VMName -MemoryStartupBytes 16GB -BootDevice VHD -Path $Path -NewVHDPath $VHDPath -NewVHDSizeBytes $VHDSize -Generation 2 -Switch $Switch
+
+ #Set the memory to be non-dynamic
+ Set-VMMemory $VMName -DynamicMemoryEnabled $false
+
+ #Add DVD Drive to Virtual Machine
+ Add-VMDvdDrive -VMName $VMName -ControllerNumber 0 -ControllerLocation 1 -Path $InstallMedia
+
+ #Mount Installation Media
+ $DVDDrive = Get-VMDvdDrive -VMName $VMName
+
+ #Configure Virtual Machine to Boot from DVD
+ Set-VMFirmware -VMName $VMName -FirstBootDevice $DVDDrive
+ ```
+
+## Complete the operating system deployment
+In order to finish building the virtual machine, you need to finish the operating system installation.
+
+1. Hyper-V Manager, double-click on the virtual machine
+2. Click on the Start button.
+3. You will be prompted to ΓÇÿPress any key to boot from CD or DVDΓÇÖ. Go ahead and do so.
+4. On the Windows Server start up screen select your language and click **Next**.
+5. Click **Install Now**.
+6. Enter your license key and click **Next**.
+7. Check **I accept the license terms and click **Next**.
+8. Select **Custom: Install Windows Only (Advanced)**
+9. Click **Next**
+10. Once the installation has completed, restart the virtual machine, sign-in and run Windows updates to ensure the VM is the most up-to-date. Install the latest updates.
+
+## Install Active Directory prerequisites
+Now that you have a virtual machine up, you need to do a few things prior to installing Active Directory. That is, you need to rename the virtual machine, set a static IP address and DNS information, and install the Remote Server Administration tools. Do the following:
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ #Declare variables
+ $ipaddress = "10.0.1.117"
+ $ipprefix = "24"
+ $ipgw = "10.0.1.1"
+ $ipdns = "10.0.1.117"
+ $ipdns2 = "8.8.8.8"
+ $ipif = (Get-NetAdapter).ifIndex
+ $featureLogPath = "c:\poshlog\featurelog.txt"
+ $newname = "DC1"
+ $addsTools = "RSAT-AD-Tools"
+
+ #Set static IP address
+ New-NetIPAddress -IPAddress $ipaddress -PrefixLength $ipprefix -InterfaceIndex $ipif -DefaultGateway $ipgw
+
+ # Set the DNS servers
+ Set-DnsClientServerAddress -InterfaceIndex $ipif -ServerAddresses ($ipdns, $ipdns2)
+
+ #Rename the computer
+ Rename-Computer -NewName $newname -force
+
+ #Install features
+ New-Item $featureLogPath -ItemType file -Force
+ Add-WindowsFeature $addsTools
+ Get-WindowsFeature | Where installed >>$featureLogPath
+
+ #Restart the computer
+ Restart-Computer
+ ```
+
+## Create a Windows Server AD environment
+Now that you have the VM created and it has been renamed and has a static IP address, you can go ahead and install and configure Active Directory Domain Services. Do the following:
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ #Declare variables
+ $DatabasePath = "c:\windows\NTDS"
+ $DomainMode = "WinThreshold"
+ $DomainName = "contoso.com"
+ $DomaninNetBIOSName = "CONTOSO"
+ $ForestMode = "WinThreshold"
+ $LogPath = "c:\windows\NTDS"
+ $SysVolPath = "c:\windows\SYSVOL"
+ $featureLogPath = "c:\poshlog\featurelog.txt"
+ $Password = "Pass1w0rd"
+ $SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
+
+ #Install AD DS, DNS and GPMC
+ start-job -Name addFeature -ScriptBlock {
+ Add-WindowsFeature -Name "ad-domain-services" -IncludeAllSubFeature -IncludeManagementTools
+ Add-WindowsFeature -Name "dns" -IncludeAllSubFeature -IncludeManagementTools
+ Add-WindowsFeature -Name "gpmc" -IncludeAllSubFeature -IncludeManagementTools }
+ Wait-Job -Name addFeature
+ Get-WindowsFeature | Where installed >>$featureLogPath
+
+ #Create New AD Forest
+ Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath $DatabasePath -DomainMode $DomainMode -DomainName $DomainName -SafeModeAdministratorPassword $SecureString -DomainNetbiosName $DomainNetBIOSName -ForestMode $ForestMode -InstallDns:$true -LogPath $LogPath -NoRebootOnCompletion:$false -SysvolPath $SysVolPath -Force:$true
+ ```
+
+## Create a Windows Server AD user
+Now that you have our Active Directory environment, you need to a test account. This account will be created in our on-premises AD environment and then synchronized to Azure AD. Do the following:
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ # Filename: 4_CreateUser.ps1
+ # Description: Creates a user in Active Directory. This is part of
+ # the Azure AD Connect password hash sync tutorial.
+ #
+ # DISCLAIMER:
+ # Copyright (c) Microsoft Corporation. All rights reserved. This
+ # script is made available to you without any express, implied or
+ # statutory warranty, not even the implied warranty of
+ # merchantability or fitness for a particular purpose, or the
+ # warranty of title or non-infringement. The entire risk of the
+ # use or the results from the use of this script remains with you.
+ #
+ #
+ #
+ #
+ #Declare variables
+ $Givenname = "Allie"
+ $Surname = "McCray"
+ $Displayname = "Allie McCray"
+ $Name = "amccray"
+ $Password = "Pass1w0rd"
+ $Identity = "CN=ammccray,CN=Users,DC=contoso,DC=com"
+ $SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
++
+ #Create the user
+ New-ADUser -Name $Name -GivenName $Givenname -Surname $Surname -DisplayName $Displayname -AccountPassword $SecureString
+
+ #Set the password to never expire
+ Set-ADUser -Identity $Identity -PasswordNeverExpires $true -ChangePasswordAtLogon $false -Enabled $true
+ ```
++
+## Create an Azure AD tenant
+Now you need to create an Azure AD tenant so that you can synchronize our users to the cloud. To create a new Azure AD tenant, do the following.
+
+1. Browse to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.
+2. Select the **plus icon (+)** and search for **Azure Active Directory**.
+3. Select **Azure Active Directory** in the search results.
+4. Select **Create**.</br>
+![Screenshot that shows the Azure Active Directory page in the Azure portal.](media/tutorial-single-forest/create-1.png)</br>
+5. Provide a **name for the organization** along with the **initial domain name**. Then select **Create**. This will create your directory.
+6. Once this has completed, click the **here** link, to manage the directory.
+
+## Create a global administrator in Azure AD
+Now that you have an Azure AD tenant, you will create a global administrator account. To create the global administrator account do the following.
+
+1. Under **Manage**, select **Users**.</br>
+![Screenshot that shows the "Overview" menu with "Users" selected.](media/tutorial-single-forest/administrator-1.png)</br>
+2. Select **All users** and then select **+ New user**.
+3. Provide a name and username for this user. This will be your Global Admin for the tenant. You will also want to change the **Directory role** to **Global administrator.** You can also show the temporary password. When you are done, select **Create**.</br>
+![Create](media/tutorial-single-forest/administrator-2.png)</br>
+4. Once this has completed, open a new web browser and sign-in to myapps.microsoft.com using the new global administrator account and the temporary password.
+5. Change the password for the global administrator to something that you will remember.
+
+## Optional: Additional server and forest
+The following is an optional section that provides steps to creating an additional server and or forest. This can be used in some of the more advanced tutorials such as [Pilot for Azure AD Connect to cloud sync](tutorial-pilot-aadc-aadccp.md).
+
+If you only need an additional server, you can stop after the - **Create the virtual machine** step and join the server to the existing domain that was created above.
+
+### Create a virtual machine
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ # Filename: 1_CreateVM_CP.ps1
+ # Description: Creates a VM to be used in the tutorial.
+ #
+ # DISCLAIMER:
+ # Copyright (c) Microsoft Corporation. All rights reserved. #This script is made available to you without any express, implied or statutory warranty, not even the implied warranty of merchantability or fitness for a particular purpose, or the warranty of title or non-infringement. The entire risk of the use or the results from the use of this script remains with you.
+ #
+ #
+ #
+ #
+ #Declare variables
+ $VMName = 'CP1'
+ $Switch = 'External'
+ $InstallMedia = 'D:\ISO\en_windows_server_2016_updated_feb_2018_x64_dvd_11636692.iso'
+ $Path = 'D:\VM'
+ $VHDPath = 'D:\VM\CP1\CP1.vhdx'
+ $VHDSize = '64424509440'
+
+ #Create New Virtual Machine
+ New-VM -Name $VMName -MemoryStartupBytes 16GB -BootDevice VHD -Path $Path -NewVHDPath $VHDPath -NewVHDSizeBytes $VHDSize -Generation 2 -Switch $Switch
+
+ #Set the memory to be non-dynamic
+ Set-VMMemory $VMName -DynamicMemoryEnabled $false
+
+ #Add DVD Drive to Virtual Machine
+ Add-VMDvdDrive -VMName $VMName -ControllerNumber 0 -ControllerLocation 1 -Path $InstallMedia
+
+ #Mount Installation Media
+ $DVDDrive = Get-VMDvdDrive -VMName $VMName
+
+ #Configure Virtual Machine to Boot from DVD
+ Set-VMFirmware -VMName $VMName -FirstBootDevice $DVDDrive
+ ```
+
+### Complete the operating system deployment
+In order to finish building the virtual machine, you need to finish the operating system installation.
+
+1. Hyper-V Manager, double-click on the virtual machine
+2. Click on the Start button.
+3. You will be prompted to ΓÇÿPress any key to boot from CD or DVDΓÇÖ. Go ahead and do so.
+4. On the Windows Server start up screen select your language and click **Next**.
+5. Click **Install Now**.
+6. Enter your license key and click **Next**.
+7. Check **I accept the license terms and click **Next**.
+8. Select **Custom: Install Windows Only (Advanced)**
+9. Click **Next**
+10. Once the installation has completed, restart the virtual machine, sign-in and run Windows updates to ensure the VM is the most up-to-date. Install the latest updates.
+
+### Install Active Directory prerequisites
+Now that you have a virtual machine up, you need to do a few things prior to installing Active Directory. That is, you need to rename the virtual machine, set a static IP address and DNS information, and install the Remote Server Administration tools. Do the following:
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ # Filename: 2_ADPrep_CP.ps1
+ # Description: Prepares your environment for Active Directory. This is part of
+ # the Azure AD Connect password hash sync tutorial.
+ #
+ # DISCLAIMER:
+ # Copyright (c) Microsoft Corporation. All rights reserved. This
+ # script is made available to you without any express, implied or
+ # statutory warranty, not even the implied warranty of
+ # merchantability or fitness for a particular purpose, or the
+ # warranty of title or non-infringement. The entire risk of the
+ # use or the results from the use of this script remains with you.
+ #
+ #
+ #
+ #
+ #Declare variables
+ $ipaddress = "10.0.1.118"
+ $ipprefix = "24"
+ $ipgw = "10.0.1.1"
+ $ipdns = "10.0.1.118"
+ $ipdns2 = "8.8.8.8"
+ $ipif = (Get-NetAdapter).ifIndex
+ $featureLogPath = "c:\poshlog\featurelog.txt"
+ $newname = "CP1"
+ $addsTools = "RSAT-AD-Tools"
+
+ #Set static IP address
+ New-NetIPAddress -IPAddress $ipaddress -PrefixLength $ipprefix -InterfaceIndex $ipif -DefaultGateway $ipgw
+
+ #Set the DNS servers
+ Set-DnsClientServerAddress -InterfaceIndex $ipif -ServerAddresses ($ipdns, $ipdns2)
+
+ #Rename the computer
+ Rename-Computer -NewName $newname -force
+
+ #Install features
+ New-Item $featureLogPath -ItemType file -Force
+ Add-WindowsFeature $addsTools
+ Get-WindowsFeature | Where installed >>$featureLogPath
+
+ #Restart the computer
+ Restart-Computer
+ ```
+### Create a Windows Server AD environment
+Now that you have the VM created and it has been renamed and has a static IP address, you can go ahead and install and configure Active Directory Domain Services. Do the following:
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ # Filename: 3_InstallAD_CP.ps1
+ # Description: Creates an on-premises AD environment. This is part of
+ # the Azure AD Connect password hash sync tutorial.
+ #
+ # DISCLAIMER:
+ # Copyright (c) Microsoft Corporation. All rights reserved. This
+ # script is made available to you without any express, implied or
+ # statutory warranty, not even the implied warranty of
+ # merchantability or fitness for a particular purpose, or the
+ # warranty of title or non-infringement. The entire risk of the
+ # use or the results from the use of this script remains with you.
+ #
+ #
+ #
+ #
+ #Declare variables
+ $DatabasePath = "c:\windows\NTDS"
+ $DomainMode = "WinThreshold"
+ $DomainName = "fabrikam.com"
+ $DomaninNetBIOSName = "FABRIKAM"
+ $ForestMode = "WinThreshold"
+ $LogPath = "c:\windows\NTDS"
+ $SysVolPath = "c:\windows\SYSVOL"
+ $featureLogPath = "c:\poshlog\featurelog.txt"
+ $Password = "Pass1w0rd"
+ $SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
+
+ #Install AD DS, DNS and GPMC
+ start-job -Name addFeature -ScriptBlock {
+ Add-WindowsFeature -Name "ad-domain-services" -IncludeAllSubFeature -IncludeManagementTools
+ Add-WindowsFeature -Name "dns" -IncludeAllSubFeature -IncludeManagementTools
+ Add-WindowsFeature -Name "gpmc" -IncludeAllSubFeature -IncludeManagementTools }
+ Wait-Job -Name addFeature
+ Get-WindowsFeature | Where installed >>$featureLogPath
+
+ #Create New AD Forest
+ Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath $DatabasePath -DomainMode $DomainMode -DomainName $DomainName -SafeModeAdministratorPassword $SecureString -DomainNetbiosName $DomainNetBIOSName -ForestMode $ForestMode -InstallDns:$true -LogPath $LogPath -NoRebootOnCompletion:$false -SysvolPath $SysVolPath -Force:$true
+ ```
+
+### Create a Windows Server AD user
+Now that you have our Active Directory environment, you need to a test account. This account will be created in our on-premises AD environment and then synchronized to Azure AD. Do the following:
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ # Filename: 4_CreateUser_CP.ps1
+ # Description: Creates a user in Active Directory. This is part of
+ # the Azure AD Connect password hash sync tutorial.
+ #
+ # DISCLAIMER:
+ # Copyright (c) Microsoft Corporation. All rights reserved. This
+ # script is made available to you without any express, implied or
+ # statutory warranty, not even the implied warranty of
+ # merchantability or fitness for a particular purpose, or the
+ # warranty of title or non-infringement. The entire risk of the
+ # use or the results from the use of this script remains with you.
+ #
+ #
+ #
+ #
+ #Declare variables
+ $Givenname = "Anna"
+ $Surname = "Ringdal"
+ $Displayname = "Anna Ringdal"
+ $Name = "aringdal"
+ $Password = "Pass1w0rd"
+ $Identity = "CN=aringdal,CN=Users,DC=fabrikam,DC=com"
+ $SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
++
+ #Create the user
+ New-ADUser -Name $Name -GivenName $Givenname -Surname $Surname -DisplayName $Displayname -AccountPassword $SecureString
+
+ #Set the password to never expire
+ Set-ADUser -Identity $Identity -PasswordNeverExpires $true -ChangePasswordAtLogon $false -Enabled $true
+ ```
+
+## Conclusion
+Now you have an environment that can be used for existing tutorials and to test additional features cloud sync provides.
+
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
\ No newline at end of file
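Review bot: both Install-ADDSForest scripts declare `$DomaninNetBIOSName = "CONTOSO"` (and `"FABRIKAM"`) but then pass `-DomainNetbiosName $DomainNetBIOSName`, a variable that is never assigned, so the cmdlet receives $null rather than the intended NetBIOS name; fix the spelling in the declaration. In the first "Create a Windows Server AD user" script `$Name = "amccray"` while `$Identity = "CN=ammccray,CN=Users,DC=contoso,DC=com"`, so New-ADUser creates amccray and the following Set-ADUser cannot find ammccray; because New-ADUser creates accounts disabled by default, `-Enabled $true` never applies and the test account cannot sign in (the fabrikam script spells aringdal consistently). All four scripts embed `$Password = "Pass1w0rd"` in plain text, for the DSRM safe-mode password and for the test accounts, and then set `-PasswordNeverExpires $true`; since the tutorial ends with these accounts synchronized to Azure AD, prompt with `Read-Host -AsSecureString` instead of shipping a password readers will paste verbatim, and flag the never-expires setting as lab-only. The lines holding a lone `+` inside the two user-creation scripts sit within the fenced blocks and will be copied into the script as a bare `+`; they should be empty. Text fixes: "individuals who my be starting from nothing" should read "who may be", "This tutorial consists of" is a sentence fragment, both "Press any key to boot from CD or DVD" steps contain the mis-decoded quote characters `ΓÇÿ` and `ΓÇÖ`, `**I accept the license terms and click **Next**` has unbalanced bold, `ms.date: 12/02/2019` is stale for a file new in this commit, `</br>` is not valid HTML, "stop after the - **Create the virtual machine** step" has a stray hyphen, and the script headers that call this "part of the Azure AD Connect password hash sync tutorial" were copied from another tutorial and should name this one.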
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/tutorial-existing-forest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/tutorial-existing-forest.md new file mode 100644
@@ -0,0 +1,131 @@
+---
+title: Tutorial - Integrate an existing forest and a new forest with a single Azure AD tenant using Azure AD Connect cloud sync.
+description: Learn how to add cloud sync to an existing hybrid identity environment.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: tutorial
+ms.date: 12/05/2019
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# Integrate an existing forest and a new forest with a single Azure AD tenant
+
+This tutorial walks you through adding cloud sync to an existing hybrid identity environment.
+
+![Create](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
+
+You can use the environment you create in this tutorial for testing or for getting more familiar with how a hybrid identity works.
+
+In this scenario, there is an existing forest synced using Azure AD Connect sync to an Azure AD tenant. And you have a new forest that you want to sync to the same Azure AD tenant. You will setup cloud sync for the new forest.
+
+## Prerequisites
+### In the Azure Active Directory admin center
+
+1. Create a cloud-only global administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only global administrator account](../fundamentals/add-users-azure-active-directory.md). Completing this step is critical to ensure that you don't get locked out of your tenant.
+2. Add one or more [custom domain names](../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.
+
+### In your on-premises environment
+
+1. Identify a domain-joined host server running Windows Server 2012 R2 or greater with minimum of 4 GB RAM and .NET 4.7.1+ runtime
+
+2. If there is a firewall between your servers and Azure AD, configure the following items:
+ - Ensure that agents can make *outbound* requests to Azure AD over the following ports:
+
+ | Port number | How it's used |
+ | --- | --- |
+ | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate |
+ | **443** | Handles all outbound communication with the service |
+ | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure AD portal. |
+
+ If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
+ - If your firewall or proxy allows you to specify safe suffixes, then add connections to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
+ - Your agents need access to **login.windows.net** and **login.microsoftonline.com** for initial registration. Open your firewall for those URLs as well.
+ - For certificate validation, unblock the following URLs: **mscrl.microsoft.com:80**, **crl.microsoft.com:80**, **ocsp.msocsp.com:80**, and **www\.microsoft.com:80**. Since these URLs are used for certificate validation with other Microsoft products you may already have these URLs unblocked.
+
+## Install the Azure AD Connect provisioning agent
+1. Sign in to the domain joined server. If you are using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1.
+2. Sign in to the Azure portal using cloud-only global admin credentials.
+3. On the left, select **Azure Active Directory**, click **Azure AD Connect** and in the center select **Manage cloud sync**.</br>
+![Azure portal](media/how-to-install/install-6.png)</br>
+4. Click on "Download agent"
+5. Run the Azure AD Connect provisioning agent
+6. On the splash screen, **Accept** the licensing terms and click **Install**.</br>
+![Screenshot that shows the "Microsoft Azure AD Connect Provisioning Agent Package" splash screen.](media/how-to-install/install-1.png)</br>
+
+7. Once this operation completes, the configuration wizard will launch. Sign in with your Azure AD global administrator account. Note that if you have IE enhanced security enabled this will block the sign-in. If this is the case, close the installation, disable IE enhanced security in Server Manager, and click the **AAD Connect Provisioning Agent Wizard** to restart the installation.
+8. On the **Connect Active Directory** screen, click **Add directory** and then sign in with your Active Directory domain administrator account. The domain administrator account should not have password change requirements. In case the password expires or changes, you will need to re-configure the agent with the new credentials. This operation will add your on-premises directory. Click **Next**.</br>
+![Screenshot that shows the "Connect Active Directory" screen.](media/how-to-install/install-3a.png)</br>
+
+9. On the **Configuration complete** screen, click **Confirm**. This operation will register and restart the agent.</br>
+![Screenshot that shows the "Configuration complete" screen.](media/how-to-install/install-4a.png)</br>
+
+10. Once this operation completes you should see a notice: **Your agent configuration was successfully verified.** You can click **Exit**.</br>
+![Welcome screen](media/how-to-install/install-5.png)</br>
+11. If you still see the initial splash screen, click **Close**.
++
+## Verify agent installation
+Agent verification occurs in the Azure portal and on the local server that is running the agent.
+
+### Azure portal agent verification
+To verify the agent is being seen by Azure follow these steps:
+
+1. Sign in to the Azure portal.
+2. On the left, select **Azure Active Directory**, click **Azure AD Connect** and in the center select **Manage cloud sync**.</br>
+![Azure portal](media/how-to-install/install-6.png)</br>
+
+3. On the **Azure AD Connect cloud sync** screen click **Review all agents**.
+![Azure AD Provisioning](media/how-to-install/install-7.png)</br>
+
+4. On the **On-premises provisioning agents screen** you will see the agents you have installed. Verify that the agent in question is there and is marked **active**.
+![Provisioning agents](media/how-to-install/verify-1.png)</br>
+
+### On the local server
+To verify that the agent is running follow these steps:
+
+1. Log on to the server with an administrator account
+2. Open **Services** by either navigating to it or by going to Start/Run/Services.msc.
+3. Under **Services**, make sure **Microsoft Azure AD Connect Agent Updater** and **Microsoft Azure AD Connect Provisioning Agent** are present and the status is **Running**.
+![Services](media/how-to-install/troubleshoot-1.png)
+
+## Configure Azure AD Connect cloud sync
+ Use the following steps to configure provisioning
+
+1. Sign in to the Azure AD portal.
+2. Click **Azure Active Directory**
+3. Click **Azure AD Connect**
+4. Select **Manage cloud sync**
+![Screenshot showing "Manage cloud sync" link.](media/how-to-configure/manage-1.png)
+5. Click **New Configuration**
+![Screenshot of Azure AD Connect cloud sync screen with "New configuration" link highlighted.](media/tutorial-single-forest/configure-1.png)
+7. On the configuration screen, enter a **Notification email**, move the selector to **Enable** and click **Save**.
+![Screenshot of Configure screen with Notification email filled in and Enable selected.](media/how-to-configure/configure-2.png)
+1. The configuration status should now be **Healthy**.
+![Screenshot of Azure AD Connect cloud sync screen showing Healthy status.](media/how-to-configure/manage-4.png)
+
+## Verify users are created and synchronization is occurring
+You will now verify that the users that you had in our on-premises directory have been synchronized and now exist in our Azure AD tenant. Be aware that this may take a few hours to complete. To verify users are synchronized do the following.
++
+1. Browse to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.
+2. On the left, select **Azure Active Directory**
+3. Under **Manage**, select **Users**.
+4. Verify that you see the new users in our tenant</br>
+
+## Test signing in with one of our users
+
+1. Browse to [https://myapps.microsoft.com](https://myapps.microsoft.com)
+2. Sign in with a user account that was created in our new tenant. You will need to sign in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign in on-premises.</br>
+ ![Verify](media/tutorial-single-forest/verify-1.png)</br>
+
+You have now successfully set up a hybrid identity environment that you can use to test and familiarize yourself with what Azure has to offer.
+
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
\ No newline at end of file
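Review bot: step 8 of "Install the Azure AD Connect provisioning agent" has the reader sign in "with your Active Directory domain administrator account" and then says that account "should not have password change requirements", which amounts to a non-expiring Domain Admin credential held by the agent on the host that step 1 places on a domain controller (DC1); the step should state the minimum permissions the agent actually needs, recommend a dedicated account holding only those, and keep the existing sentence that a password change means re-running the wizard as the rotation procedure. Smaller points in the same hunk: step 7 tells the reader to "disable IE enhanced security in Server Manager" to get past the sign-in but never says to turn it back on after the wizard finishes; the "Configure Azure AD Connect cloud sync" list jumps from step 5 to 7 and then restarts at 1; the stray "++" line before "## Verify agent installation" should go; and "our on-premises directory" / "our Azure AD tenant" / "our new tenant" should read "your".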
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/tutorial-pilot-aadc-aadccp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/tutorial-pilot-aadc-aadccp.md new file mode 100644
@@ -0,0 +1,227 @@
+---
+title: Tutorial - Pilot Azure AD Connect cloud sync for an existing synced AD forest
+description: Learn how to pilot cloud sync for a test Active Directory forest that is already synced using Azure Active Directory (Azure AD) Connect sync.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: tutorial
+ms.date: 05/19/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
++
+# Pilot cloud sync for an existing synced AD forest
+
+This tutorial walks you through piloting cloud sync for a test Active Directory forest that is already synced using Azure Active Directory (Azure AD) Connect sync.
+
+![Create](media/tutorial-migrate-aadc-aadccp/diagram-2.png)
+
+## Considerations
+Before you try this tutorial, consider the following items:
+1. Ensure that you're familiar with basics of cloud sync.
+2. Ensure that you're running Azure AD Connect sync version 1.4.32.0 or later and have configured the sync rules as documented. When piloting, you will be removing a test OU or group from Azure AD Connect sync scope. Moving objects out of scope leads to deletion of those objects in Azure AD. In case of user objects, the objects in Azure AD are soft-deleted and can be restored. In case of group objects, the objects in Azure AD are hard-deleted and cannot be restored. A new link type has been introduced in Azure AD Connect sync which will prevent the deletion in case of a piloting scenario.
+3. Ensure that the objects in the pilot scope have ms-ds-consistencyGUID populated so cloud sync hard matches the objects.
+
+ > [!NOTE]
+ > Azure AD Connect sync does not populate *ms-ds-consistencyGUID* by default for group objects.
+
+4. This is an advanced scenario. Ensure that you follow the steps documented in this tutorial precisely.
+
+## Prerequisites
+The following are prerequisites required for completing this tutorial
+- A test environment with Azure AD Connect sync version 1.4.32.0 or later
+- An OU or group that is in scope of sync and can be used the pilot. We recommend starting with a small set of objects.
+- A server running Windows Server 2012 R2 or later that will host the provisioning agent. This cannot be the same server as the Azure AD Connect server.
+- Source anchor for Azure AD Connect sync should be either *objectGuid* or *ms-ds-consistencyGUID*
+
+## Update Azure AD Connect
+
+As a minimum, you should have [Azure AD connect](https://www.microsoft.com/download/details.aspx?id=47594) 1.4.32.0. To update Azure AD Connect sync, complete the steps in [Azure AD Connect: Upgrade to the latest version](../hybrid/how-to-upgrade-previous-version.md).
+
+## Stop the scheduler
+Azure AD Connect sync synchronizes changes occurring in your on-premises directory using a scheduler. In order to modify and add custom rules, you want to disable the scheduler so that synchronizations will not run while you are working on this. Use the following steps:
+
+1. On the server that is running Azure AD Connect sync open PowerShell with Administrative Privileges.
+2. Run `Stop-ADSyncSyncCycle`. Hit Enter.
+3. Run `Set-ADSyncScheduler -SyncCycleEnabled $false`.
+
+>[!NOTE]
+>If you are running your own custom scheduler for Azure AD Connect sync, then please disable the scheduler.
+
+## Create custom user inbound rule
+
+ 1. Launch the synchronization editor from the application menu in desktop as shown below:</br>
+ ![Synchronization Rule Editor Menu](media/tutorial-migrate-aadc-aadccp/user-8.png)</br>
+
+ 2. Select **Inbound** from the drop-down list for Direction and click on **Add new rule**.
+ ![Screenshot that shows the "View and manage your synchronization rules" window with "Inbound" and the "Add new rule" button selected.](media/tutorial-migrate-aadc-aadccp/user-1.png)</br>
+
+ 3. On the **Description** page, enter the following and click **Next**:
+
+ **Name:** Give the rule a meaningful name<br>
+ **Description:** Add a meaningful description<br>
+ **Connected System:** Choose the AD connector that you are writing the custom sync rule for<br>
+ **Connected System Object Type:** User<br>
+ **Metaverse Object Type:** Person<br>
+ **Link Type:** Join<br>
+ **Precedence:** Provide a value that is unique in the system<br>
+ **Tag:** Leave this empty<br>
+ ![Screenshot that shows the "Create inbound synchronization rule - Description" page with values entered.](media/tutorial-migrate-aadc-aadccp/user-2.png)</br>
+
+ 4. On the **Scoping filter** page, enter the OU or security group that you want the pilot based off. To filter on OU, add the OU portion of the distinguished name. This rule will be applied to all users who are in that OU. So, if DN ends with "OU=CPUsers,DC=contoso,DC=com, you would add this filter. Then click **Next**.
+
+ |Rule|Attribute|Operator|Value|
+ |-----|----|----|-----|
+ |Scoping OU|DN|ENDSWITH|Distinguished name of the OU.|
+ |Scoping group||ISMEMBEROF|Distinguished name of the security group.|
+
+ ![Screenshot that shows the "Create inbound synchronization rule - Scoping filter" page with a scoping filter value entered.](media/tutorial-migrate-aadc-aadccp/user-3.png)</br>
+
+ 5. On the **Join** rules page, click **Next**.
+ 6. On the **Transformations** page, add a Constant transformation: flow True to cloudNoFlow attribute. Click **Add**.
+ ![Screenshot that shows the "Create inbound synchronization rule - Transformations" page with a "Constant transformation" flow added.](media/tutorial-migrate-aadc-aadccp/user-4.png)</br>
+
+Same steps need to be followed for all object types (user, group and contact). Repeat steps per configured AD Connector / per AD forest.
+
+## Create custom user outbound rule
+
+ 1. Select **Outbound** from the drop-down list for Direction and click on **Add rule**.
+ ![Screenshot that shows the "Outbound" Direction selected and the "Add new rule" button highlighted.](media/tutorial-migrate-aadc-aadccp/user-5.png)</br>
+
+ 2. On the **Description** page, enter the following and click **Next**:
+
+ **Name:** Give the rule a meaningful name<br>
+ **Description:** Add a meaningful description<br>
+ **Connected System:** Choose the Azure AD connector that you are writing the custom sync rule for<br>
+ **Connected System Object Type:** User<br>
+ **Metaverse Object Type:** Person<br>
+ **Link Type:** JoinNoFlow<br>
+ **Precedence:** Provide a value that is unique in the system<br>
+ **Tag:** Leave this empty<br>
+
+ ![Screenshot that shows the "Description" page with properties entered.](media/tutorial-migrate-aadc-aadccp/user-6.png)</br>
+
+ 3. On the **Scoping filter** page, choose **cloudNoFlow** equal **True**. Then click **Next**.
+ ![Custom rule](media/tutorial-migrate-aadc-aadccp/user-7.png)</br>
+
+ 4. On the **Join** rules page, click **Next**.
+ 5. On the **Transformations** page, click **Add**.
+
+Same steps need to be followed for all object types (user, group and contact).
+
+## Install the Azure AD Connect provisioning agent
+1. Sign in to the server you will use with enterprise admin permissions. If you are using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial it would be CP1.
+2. Download the Azure AD Connect cloud provisioning agent using the steps outlined [here](how-to-install.md#install-the-agent).
+3. Run the Azure AD Connect cloud sync (AADConnectProvisioningAgent.Installer)
+3. On the splash screen, **Accept** the licensing terms and click **Install**.</br>
+![Screenshot that shows the "Microsoft Azure A D Connect Provisioning Agent" splash screen.](media/how-to-install/install-1.png)</br>
+
+4. Once this operation completes, the configuration wizard will launch. Sign in with your Azure AD global administrator account.
+5. On the **Connect Active Directory** screen, click **Add directory** and then sign in with your Active Directory administrator account. This operation will add your on-premises directory. Click **Next**.</br>
+![Screenshot that shows the "Connect Active Directory" screen with a directory value entered.](media/how-to-install/install-3a.png)</br>
+
+6. On the **Configuration complete** screen, click **Confirm**. This operation will register and restart the agent.</br>
+![Screenshot that shows the "Configuration complete" screen with the "Confirm" button selected.](media/how-to-install/install-4a.png)</br>
+
+7. Once this operation completes you should see a notice **Your was successfully verified.** You can click **Exit**.</br>
+![Welcome screen](media/how-to-install/install-5.png)</br>
+8. If you still see the initial splash screen, click **Close**.
+
+## Verify agent installation
+Agent verification occurs in the Azure portal and on the local server that is running the agent.
+
+### Azure portal agent verification
+To verify the agent is being seen by Azure follow these steps:
+
+1. Sign in to the Azure portal.
+2. On the left, select **Azure Active Directory**, click **Azure AD Connect** and in the center select **Manage cloud sync**.</br>
+![Azure portal](media/how-to-install/install-6.png)</br>
+
+3. On the **Azure AD Connect cloud sync** screen click **Review all agents**.
+![Azure AD Provisioning](media/how-to-install/install-7.png)</br>
+
+4. On the **On-premises provisioning agents screen** you will see the agents you have installed. Verify that the agent in question is there and is marked **Disabled**. The agent is disabled by default
+![Provisioning agents](media/how-to-install/verify-1.png)</br>
+
+### On the local server
+To verify that the agent is running follow these steps:
+
+1. Log on to the server with an administrator account
+2. Open **Services** by either navigating to it or by going to Start/Run/Services.msc.
+3. Under **Services** make sure **Microsoft Azure AD Connect Agent Updater** and **Microsoft Azure AD Connect Provisioning Agent** are there and the status is **Running**.
+![Services](media/how-to-install/troubleshoot-1.png)
+
+## Configure Azure AD Connect cloud sync
+Use the following steps to configure provisioning:
+
+ 1. Sign-in to the Azure AD portal.
+ 2. Click **Azure Active Directory**
+ 3. Click **Azure AD Connect**
+ 4. Select **Manage cloud sync**
+ ![Screenshot showing "Manage cloud sync" link.](media/how-to-configure/manage-1.png)</br>
+ 5. Click **New Configuration**
+ ![Screenshot of Azure AD Connect cloud sync screen with "New configuration" link highlighted.](media/tutorial-single-forest/configure-1.png)</br>
+ 6. On the configuration screen, enter a **Notification email**, move the selector to **Enable** and click **Save**.
+ ![Screenshot of Configure screen with Notification email filled in and Enable selected.](media/tutorial-single-forest/configure-2.png)</br>
+ 7. Under **Configure**, select **All users** to change the scope of the configuration rule.
+ ![Screenshot of Configure screen with "All users" highlighted next to "Scope users".](media/how-to-configure/scope-2.png)</br>
+ 8. On the right, change the scope to include the specific OU you just created "OU=CPUsers,DC=contoso,DC=com".
+ ![Screenshot of the Scope users screen highlighting the scope changed to the OU you created.](media/tutorial-existing-forest/scope-2.png)</br>
+ 9. Click **Done** and **Save**.
+ 10. The scope should now be set to one organizational unit.
+ ![Screenshot of Configure screen with "1 organizational unit" highlighted next to "Scope users".](media/tutorial-existing-forest/scope-3.png)</br>
+
+
+## Verify users are provisioned by cloud sync
+You will now verify that the users that you had in our on-premises directory have been synchronized and now exist in out Azure AD tenant. Be aware that this may take a few hours to complete. To verify users are provisioning by cloud sync, follow these steps:
+
+1. Browse to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.
+2. On the left, select **Azure Active Directory**
+3. Click on **Azure AD Connect**
+4. Click on **Manage cloud sync**
+5. Click on **Logs** button
+6. Search for a username to confirm that the user is provisioned by cloud sync
+
+Additionally, you can verify that the user and group exist in Azure AD.
+
+## Start the scheduler
+Azure AD Connect sync synchronizes changes occurring in your on-premises directory using a scheduler. Now that you have modified the rules, you can re-start the scheduler. Use the following steps:
+
+1. On the server that is running Azure AD Connect sync open PowerShell with Administrative Privileges
+2. Run `Set-ADSyncScheduler -SyncCycleEnabled $true`.
+3. Run `Start-ADSyncSyncCycle`. Hit Enter.
+
+>[!NOTE]
+>If you are running your own custom scheduler for Azure AD Connect sync, then please enable the scheduler.
+
+Once the scheduler is enabled, Azure AD Connect will stop exporting any changes on objects with `cloudNoFlow=true` in the metaverse, unless any reference attribute (eg. manager) is being updated. In case there is any reference attribute update on the object, Azure AD Connect will ignore the `cloudNoFlow` signal and export all updates on the object.
+
+## Something went wrong
+In case the pilot does not work as expected, you can go back to the Azure AD Connect sync setup by following the steps below:
+1. Disable provisioning configuration in the Azure portal.
+2. Disable all the custom sync rules created for Cloud Provisioning using the Sync Rule Editor tool. Disabling should cause full sync on all the connectors.
+
+## Configure Azure AD Connect sync to exclude the pilot OU
+Once you have verified that users from the pilot OU are successfully managed by cloud sync, you can re-configure Azure AD Connect to exclude the pilot OU that was created above. The cloud provisioning agent will handle synchronization for these users going forward. Use the following steps to scope Azure AD Connect.
+
+ 1. On the server that is running Azure AD Connect, double-click on the Azure AD Connect icon.
+ 2. Click **Configure**
+ 3. Select **Customize synchronization options** and click next.
+ 4. Sign-in to Azure AD and click **Next**.
+ 5. On the **Connect your directories** screen click **Next**.
+ 6. On the **Domain and OU filtering** screen, select **Sync selected domains and OUs**.
+ 7. Expand your domain and **de-select** the **CPUsers** OU. Click **Next**.
+![scope](media/tutorial-existing-forest/scope-1.png)</br>
+ 9. On the **Optional features** screen, click **Next**.
+ 10. On the **Ready to configure** screen click **Configure**.
+ 11. Once that has completed, click **Exit**.
+
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+
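Review bot: "Configure Azure AD Connect sync to exclude the pilot OU" deselects the CPUsers OU in Azure AD Connect without stating that the custom cloudNoFlow/JoinNoFlow rules created earlier must still be enabled at that moment; the Considerations section says "Moving objects out of scope leads to deletion of those objects in Azure AD" and that group objects "are hard-deleted and cannot be restored", so the section should open with that precondition, and the "Something went wrong" rollback (which disables those rules) should say explicitly that the OU must not be excluded after a rollback. Other issues in the hunk: step 7 of the agent install reads "Your was successfully verified." (the words "agent configuration" are missing); the portal verification step says the agent is "marked **Disabled**" and "disabled by default", which contradicts the configure steps that follow and the identical verification text in the other cloud sync tutorials, which say "marked **active**", so one of the two is wrong; step 1 of the install asks for "enterprise admin permissions" without saying why, and the stated privilege should be the minimum the installer needs; step 8 of the configure list says "the specific OU you just created" although the pilot OU comes from the prerequisites, not from this tutorial; the install list numbers two consecutive steps as 3 and the final list skips step 8; and the paragraph after "Start the scheduler" about reference-attribute updates causing Azure AD Connect to "ignore the cloudNoFlow signal and export all updates on the object" is a dual-writer caveat that belongs in Considerations, not only after the pilot is already running.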
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/tutorial-single-forest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/tutorial-single-forest.md new file mode 100644
@@ -0,0 +1,135 @@
+---
+title: Tutorial - Integrate a single forest with a single Azure AD tenant
+description: This topic describes the pre-requisites and the hardware requirements cloud sync.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: tutorial
+ms.date: 12/05/2019
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# Tutorial: Integrate a single forest with a single Azure AD tenant
+
+This tutorial walks you through creating a hybrid identity environment using Azure Active Directory (Azure AD) Connect cloud sync.
+
+![Create](media/tutorial-single-forest/diagram-2.png)
+
+You can use the environment you create in this tutorial for testing or for getting more familiar with cloud sync.
+
+## Prerequisites
+### In the Azure Active Directory admin center
+
+1. Create a cloud-only global administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only global administrator account](../fundamentals/add-users-azure-active-directory.md). Completing this step is critical to ensure that you don't get locked out of your tenant.
+2. Add one or more [custom domain names](../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.
+
+### In your on-premises environment
+
+1. Identify a domain-joined host server running Windows Server 2012 R2 or greater with minimum of 4 GB RAM and .NET 4.7.1+ runtime
+
+2. If there is a firewall between your servers and Azure AD, configure the following items:
+ - Ensure that agents can make *outbound* requests to Azure AD over the following ports:
+
+ | Port number | How it's used |
+ | --- | --- |
+ | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate |
+ | **443** | Handles all outbound communication with the service |
+ | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure AD portal. |
+
+ If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
+ - If your firewall or proxy allows you to specify safe suffixes, then add connections t to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
+ - Your agents need access to **login.windows.net** and **login.microsoftonline.com** for initial registration. Open your firewall for those URLs as well.
+ - For certificate validation, unblock the following URLs: **mscrl.microsoft.com:80**, **crl.microsoft.com:80**, **ocsp.msocsp.com:80**, and **www\.microsoft.com:80**. Since these URLs are used for certificate validation with other Microsoft products you may already have these URLs unblocked.
+
+## Install the Azure AD Connect provisioning agent
+1. Sign in to the domain joined server. If you are using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1.
+2. Sign in to the Azure portal using cloud-only global admin credentials.
+3. On the left, select **Azure Active Directory**, click **Azure AD Connect**, and in the center select **Manage cloud sync**.
+
+ ![Azure portal](media/how-to-install/install-6.png)
+
+4. Click **Download agent**.
+5. Run the Azure AD Connect provisioning agent.
+6. On the splash screen, **Accept** the licensing terms and click **Install**.
+
+ ![Screenshot that shows the "Microsoft Azure A D Connect Provisioning Agent Package" splash screen.](media/how-to-install/install-1.png)
+
+7. Once this operation completes, the configuration wizard will launch. Sign in with your Azure AD global administrator account. Note that if you have IE enhanced security enabled this will block the sign-in. If this is the case, close the installation, disable IE enhanced security in Server Manager, and click the **AAD Connect Provisioning Agent Wizard** to restart the installation.
+8. On the **Connect Active Directory** screen, click **Add directory** and then sign in with your Active Directory domain administrator account. NOTE: The domain administrator account should not have password change requirements. In case the password expires or changes, you will need to re-configure the agent with the new credentials. This operation will add your on-premises directory. Click **Next**.
+
+ ![Screenshot of the "Connect Active Directory" screen.](media/how-to-install/install-3a.png)
+
+9. On the **Configuration complete** screen, click **Confirm**. This operation will register and restart the agent.
+
+ ![Screenshot that shows the "Configuration complete" screen.](media/how-to-install/install-4a.png)
+
+10. Once this operation completes you should see a notice: **Your agent configuration was successfully verified.** You can click **Exit**.</br>
+![Welcome screen](media/how-to-install/install-5.png)</br>
+11. If you still see the initial splash screen, click **Close**.
++
+## Verify agent installation
+Agent verification occurs in the Azure portal and on the local server that is running the agent.
+
+### Azure portal agent verification
+To verify the agent is being seen by Azure follow these steps:
+
+1. Sign in to the Azure portal.
+2. On the left, select **Azure Active Directory**, click **Azure AD Connect** and in the center select **Manage cloud sync**.</br>
+![Azure portal](media/how-to-install/install-6.png)</br>
+
+3. On the **Azure AD Connect cloud sync** screen click **Review all agents**.
+![Azure AD Provisioning](media/how-to-install/install-7.png)</br>
+
+4. On the **On-premises provisioning agents screen** you will see the agents you have installed. Verify that the agent in question is there and is marked **active**.
+![Provisioning agents](media/how-to-install/verify-1.png)</br>
+
+### On the local server
+To verify that the agent is running follow these steps:
+
+1. Log on to the server with an administrator account
+2. Open **Services** by either navigating to it or by going to Start/Run/Services.msc.
+3. Under **Services**, make sure **Microsoft Azure AD Connect Agent Updater** and **Microsoft Azure AD Connect Provisioning Agent** are present and the status is **Running**.
+![Services](media/how-to-install/troubleshoot-1.png)
+
+## Configure Azure AD Connect cloud sync
+ Use the following steps to configure provisioning
+
+1. Sign in to the Azure AD portal.
+2. Click **Azure Active Directory**
+3. Click **Azure AD Connect**
+4. Select **Manage cloud sync**
+![Screenshot showing "Manage cloud sync" link.](media/how-to-configure/manage-1.png)
+5. Click **New Configuration**
+![Screenshot of Azure AD Connect cloud sync screen with "New configuration" link highlighted.](media/tutorial-single-forest/configure-1.png)
+7. On the configuration screen, enter a **Notification email**, move the selector to **Enable** and click **Save**.
+![Screenshot of Configure screen with Notification email filled in and Enable selected.](media/how-to-configure/configure-2.png)
+1. The configuration status should now be **Healthy**.
+![Screenshot of Azure AD Connect cloud sync screen showing Healthy status.](media/how-to-configure/manage-4.png)
+
+## Verify users are created and synchronization is occurring
+You will now verify that the users that you had in our on-premises directory have been synchronized and now exist in our Azure AD tenant. Be aware that this may take a few hours to complete. To verify users are synchronized do the following.
++
+1. Browse to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.
+2. On the left, select **Azure Active Directory**
+3. Under **Manage**, select **Users**.
+4. Verify that you see the new users in our tenant</br>
+
+## Test signing in with one of our users
+
+1. Browse to [https://myapps.microsoft.com](https://myapps.microsoft.com)
+2. Sign in with a user account that was created in our new tenant. You will need to sign in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign in on-premises.</br>
+ ![Verify](media/tutorial-single-forest/verify-1.png)</br>
+
+You have now successfully setup a hybrid identity environment that you can use to test and familiarize yourself with what Azure has to offer.
++
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [What is Azure AD Connect cloud provisioning?](what-is-cloud-sync.md)
\ No newline at end of file
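Review bot: step 7 of "Install the Azure AD Connect provisioning agent" instructs the reader to "disable IE enhanced security in Server Manager" on the host that step 1 identifies as DC1, a domain controller, and never tells them to re-enable it once the wizard has signed in; add the re-enable step, and note that IE ESC is configured separately for Administrators and Users so only the Administrators setting needs to change temporarily. Step 8's NOTE that the domain administrator account "should not have password change requirements" normalises a non-expiring Domain Admin credential held by the agent; it should point to a dedicated account with only the permissions the agent needs and keep the "re-configure the agent with the new credentials" sentence as the rotation path. Minor: the prerequisites line "add connections t to **\*.msappproxy.net**" has a stray "t"; the configure list goes 5, 7, 1; there are three stray "++" lines; and the last "Next steps" link is labelled "cloud provisioning" while the rest of the page says "cloud sync".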
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-cloud-sync https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/what-is-cloud-sync.md new file mode 100644
@@ -0,0 +1,78 @@
+---
+title: 'What is Azure AD Connect cloud sync. | Microsoft Docs'
+description: Describes Azure AD Connect cloud sync.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: overview
+ms.date: 12/11/2020
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# What is Azure AD Connect cloud sync?
+Azure AD Connect cloud sync is new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups and contacts to Azure AD. It accomplishes this by using the Azure AD cloud provisioning agent instead of the Azure AD Connect application. However, it can be used alongside Azure AD Connect sync and it provides the following benefits:
+
+- Support for synchronizing to an Azure AD tenant from a multi-forest disconnected Active Directory forest environment: The common scenarios include merger & acquisition, where the acquired company's AD forests are isolated from the parent company's AD forests and companies that have historically had multiple AD forests.
+- Simplified installation with light-weight provisioning agents: The agents act as a bridge from AD to Azure AD, with all the sync configuration managed in the cloud.
+- Multiple provisioning agents can be used to simplify high availability deployments, particularly critical for organizations relying upon password hash synchronization from AD to Azure AD.
+- Support for large groups with up to 50K members. It is recommended to use only the OU scoping filter when synchronizing large groups.
++
+![What is Azure AD Connect](media/what-is-cloud-sync/architecture-1.png)
+
+## How is Azure AD Connect cloud sync different from Azure AD Connect sync?
+With Azure AD Connect cloud sync, provisioning from AD to Azure AD is orchestrated in Microsoft Online Services. An organization only needs to deploy, in their on-premises and IaaS-hosted environment, a lightweight agent that acts as a bridge between Azure AD and AD. The provisioning configuration is stored in Azure AD and managed as part of the service.
+
+## Azure AD Connect cloud sync video
+The following short video provides an excellent overview of Azure AD Connect cloud sync:
+
+> [!VIDEO https://youtube.com/embed/mOT3ID02_YQ]
++
+## Comparison between Azure AD Connect and cloud sync
+
+The following table provides a comparison between Azure AD Connect and Azure AD Connect cloud sync:
+
+| Feature | Azure Active Directory Connect sync| Azure Active Directory Connect cloud sync |
+|:--- |:---:|:---:|
+|Connect to single on-premises AD forest|ΓùÅ |ΓùÅ |
+| Connect to multiple on-premises AD forests |ΓùÅ |ΓùÅ |
+| Connect to multiple disconnected on-premises AD forests | |ΓùÅ |
+| Lightweight agent installation model | |ΓùÅ |
+| Multiple active agents for high availability | |ΓùÅ |
+| Connect to LDAP directories|ΓùÅ| |
+| Support for user objects |ΓùÅ |ΓùÅ |
+| Support for group objects |ΓùÅ |ΓùÅ |
+| Support for contact objects |ΓùÅ |ΓùÅ |
+| Support for device objects |ΓùÅ | |
+| Allow basic customization for attribute flows |ΓùÅ |ΓùÅ |
+| Synchronize Exchange online attributes |ΓùÅ |ΓùÅ |
+| Synchronize extension attributes 1-15 |ΓùÅ |ΓùÅ |
+| Synchronize customer defined AD attributes (directory extensions) |ΓùÅ | |
+| Support for Password Hash Sync |ΓùÅ|ΓùÅ|
+| Support for Pass-Through Authentication |ΓùÅ||
+| Support for federation |ΓùÅ|ΓùÅ|
+| Seamless Single Sign-on|ΓùÅ |ΓùÅ|
+| Supports installation on a Domain Controller |ΓùÅ |ΓùÅ |
+| Support for Windows Server 2012 and Windows Server 2012 R2 |ΓùÅ |ΓùÅ |
+| Filter on Domains/OUs/groups |ΓùÅ |ΓùÅ |
+| Filter on objects' attribute values |ΓùÅ | |
+| Allow minimal set of attributes to be synchronized (MinSync) |ΓùÅ |ΓùÅ |
+| Allow removing attributes from flowing from AD to Azure AD |ΓùÅ |ΓùÅ |
+| Allow advanced customization for attribute flows |ΓùÅ | |
+| Support for writeback (passwords, devices, groups) |ΓùÅ | |
+| Azure AD Domain Services support|ΓùÅ | |
+| [Exchange hybrid writeback](../hybrid/reference-connect-sync-attributes-synchronized.md#exchange-hybrid-writeback) |ΓùÅ | |
+| Support for up to 150,000 objects per AD domain |ΓùÅ |ΓùÅ |
+| Large group support - groups with up to 50,000 members |ΓùÅ |ΓùÅ |
+| Cross domain references|ΓùÅ | |
+| On-demand provisioning| |ΓùÅ |
+
+## Next steps
+
+- [What is provisioning?](what-is-provisioning.md)
+- [Install cloud sync](how-to-install.md)
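Review bot: the `++` line directly after the `[!VIDEO ...]` include adds a stray literal `+` to the rendered page; drop it (the same stray line appears in the new what-is-provisioning.md file in this change). In the comparison table, the first data row `|Connect to single on-premises AD forest|` lacks the leading space the other rows use, and the empty cloud-sync cell for "Support for Pass-Through Authentication" is written `||` while every other empty cell is `| |`; normalizing both keeps the source table readable.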
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/what-is-provisioning https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/what-is-provisioning.md new file mode 100644
@@ -0,0 +1,63 @@
+---
+title: 'What is identity provisioning with Azure AD? | Microsoft Docs'
+description: Describes overview of identity provisioning.
+services: active-directory
+author: billmath
+manager: daveba
+ms.service: active-directory
+ms.workload: identity
+ms.topic: overview
+ms.date: 12/05/2019
+ms.subservice: hybrid
+ms.author: billmath
+ms.collection: M365-identity-device-management
+---
+
+# What is identity provisioning?
+
+Today, businesses, and corporations are becoming more and more a mixture of on-premises and cloud applications. Users require access to applications both on-premises and in the cloud. There is need to have a single identity across these various applications (on-premises as well as cloud).
+
+Provisioning is the process of creating an object based on certain conditions, keeping the object up to date and deleting the object when conditions are no longer met. For example, when a new user joins your organization, that user is entered in to the HR system. At that point, provisioning can create a corresponding user account in the cloud, in Active Directory, and different applications that the user needs access to. This allows the user to start work and have access to the applications and systems they need on day one.
+
+![Diagram that shows cloud provisioning with Azure Active Directory.](media/what-is-provisioning/cloud-1.png)
+
+With regard to Azure Active Directory, provisioning can be broken down in to the following key scenarios.
+
+- **[HR-driven provisioning](#hr-driven-provisioning)**
+- **[App provisioning](#app-provisioning)**
+- **[Directory provisioning](#directory-provisioning)**
+
+## HR-driven provisioning
+
+![Diagram that shows HR-driven provisioning with Cloud HR, On-premises HR, and Azure Active Directory.](media/what-is-provisioning/cloud-2.png)
+
+Provisioning from HR to the cloud involves the creation of objects (users, roles, groups, etc.) based on the information that is in your HR system.
+
+The most common scenario would be, when a new employee joins your company, they are entered into the HR system. Once that occurs, they are provisioned to the cloud. In this case, Azure AD. Provisioning from HR can cover the following scenarios.
+
+- **Hiring new employees** - When a new employee is added to cloud HR, a user account is automatically created in Active Directory, Azure Active Directory, and optionally Microsoft 365 and other SaaS applications supported by Azure AD, with write-back of the email address to Cloud HR.
+- **Employee attribute and profile updates** - When an employee record is updated in cloud HR (such as their name, title, or manager), their user account will be automatically updated in Active Directory, Azure Active Directory, and optionally Microsoft 365 and other SaaS applications supported by Azure AD.
+- **Employee terminations** - When an employee is terminated in cloud HR, their user account is automatically disabled in Active Directory, Azure Active Directory, and optionally Office 365 and other SaaS applications supported by Azure AD.
+- **Employee rehires** - When an employee is rehired in cloud HR, their old account can be automatically reactivated or re-provisioned (depending on your preference) to Active Directory, Azure Active Directory, and optionally Microsoft 365 and other SaaS applications supported by Azure AD.
++
+## App provisioning
+
+![Diagram that shows App provisioning with On-premises apps, Non-Microsoft cloud apps, and Azure Active Directory.](media/what-is-provisioning/cloud-3.png)
+
+In Azure Active Directory (Azure AD), the term **[app provisioning](../app-provisioning/user-provisioning.md)** refers to automatically creating user identities and roles in the cloud applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Common scenarios include provisioning an Azure AD user into applications like [Dropbox](../saas-apps/dropboxforbusiness-provisioning-tutorial.md), [Salesforce](../saas-apps/salesforce-provisioning-tutorial.md), [ServiceNow](../saas-apps/servicenow-provisioning-tutorial.md), and more.
+
+## Directory provisioning
+
+![cloud provisioning](media/what-is-provisioning/cloud-4.png)
+
+On-premises provisioning involves provisioning from on-premises sources (like Active Directory) to Azure AD.
+
+The most common scenario would be, when a user in Active Directory (AD) is provisioned into Azure AD.
+
+This has been accomplished by Azure AD Connect sync, Azure AD Connect cloud provisioning and Microsoft Identity Manager.
+
+## Next steps
+
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+- [Install cloud provisioning](how-to-install.md)
\ No newline at end of file
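Review bot: `ms.date: 12/05/2019` looks stale for a file being added in this change; set it to the commit date. Wording in the same file: "in to" should be "into" in both places; "Today, businesses, and corporations" has an extra comma; the terminations bullet says "Office 365" where the other three bullets say "Microsoft 365"; "Azure AD Connect cloud provisioning" and the "Install cloud provisioning" link text use the old name while the sibling article in this change is titled "Azure AD Connect cloud sync" and links "Install cloud sync"; and the stray `+` line after the rehires bullet should go.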
active-directory https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-provisioning-logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/concept-provisioning-logs.md
@@ -25,7 +25,7 @@ ms.collection: M365-identity-device-management
The reporting architecture in Azure Active Directory (Azure AD) consists of the following components: - **Activity**
- - **Sign-ins** ΓÇô Information about the usage of managed applications and user sign-in activities.
+ - **Sign-ins** ΓÇô Information about the usage of managed applications, and user sign-in activities.
- **Audit logs** - [Audit logs](concept-audit-logs.md) provide system activity information about users and group management, managed applications and directory activities. - **Provisioning logs** - Provide system activity about user, groups, and roles that are provisioned by the Azure AD provisioning service.
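Review bot: the added comma in "managed applications, and user sign-in activities" separates only two items, so it reads as a stray comma; the original wording without it was correct.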
@@ -33,7 +33,11 @@ The reporting architecture in Azure Active Directory (Azure AD) consists of the
- **Risky sign-ins** - A [risky sign-in](../identity-protection/overview-identity-protection.md) is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account. - **Users flagged for risk** - A [risky user](../identity-protection/overview-identity-protection.md) is an indicator for a user account that might have been compromised.
-This topic gives you an overview of the provisioning report.
+This topic gives you an overview of the provisioning logs. They provide answers to questions such as:
+
+* What groups were successfully created in ServiceNow?
+* What users were successfully removed from Adobe?
+* What users from Workday were successfully created in Active Directory?
## Prerequisites
@@ -48,14 +52,16 @@ This topic gives you an overview of the provisioning report.
Your tenant must have an Azure AD Premium license associated with it to see the all up provisioning activity report. See [Getting started with Azure Active Directory Premium](../fundamentals/active-directory-get-started-premium.md) to upgrade your Azure Active Directory edition.
-## Provisioning logs
-The provisioning logs provide answers to the following questions:
+## Ways of interacting with the provisioning logs
+Customers have four ways of interacting with the provisioning logs:
-* What groups were successfully created in ServiceNow?
-* What users were successfully removed from Adobe?
-* What users were unsuccessfully created in DropBox?
+1. Accessing the logs from the Azure portal as described below.
+1. Streaming the provisioning logs into [Azure Monitor](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-log-analytics), allowing for extended data retention, building custom dashboard, alerts, and queries.
+1. Querying the [Microsoft Graph API](https://docs.microsoft.com/graph/api/resources/provisioningobjectsummary?view=graph-rest-beta) for the provisioning logs.
+1. Downloading the provisioning logs as a CSV file or json.
+## Access the logs from the Azure portal
You can access the provisioning logs by selecting **Provisioning Logs** in the **Monitoring** section of the **Azure Active Directory** blade in the [Azure portal](https://portal.azure.com). It can take up to two hours for some provisioning records to show up in the portal. ![Provisioning logs](./media/concept-provisioning-logs/access-provisioning-logs.png "Provisioning logs")
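Review bot: item 4, "Downloading the provisioning logs as a CSV file or json", should read "as a CSV or JSON file" to match the "Download logs as CSV or JSON" section added later in this change; item 2, "building custom dashboard", should be "dashboards"; and item 3 links the beta Graph endpoint (`view=graph-rest-beta`), which the text should say so readers do not build production tooling against it.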
@@ -201,11 +207,58 @@ The **troubleshoot and recommendations** tab provides the error code and reason.
The **modified properties** shows the old value and new value. In cases where there is no old value the old value column is blank. - ### Summary The **summary** tab provides an overview of what happened and identifiers for the object in the source and target system.
+## Download logs as CSV or JSON
+
+You can download the provisioning logs for use later by navigating to the logs in the Azure portal and clicking download. The file will be filtered based on the filter criteria you have selected. You may want to make the filters as specific as possible to reduce the time it takes to download and the size of the download. The CSV download is broken up into three files:
+
+* ProvisioningLogs: Downloads all the logs, except the provisioning steps and modified properties.
+* ProvisioningLogs_ProvisioningSteps: Contains the provisioning steps and the change ID. The change ID can be used to join the event with the other two files.
+* ProvisioningLogs_ModifiedProperties: Contains the attributes that were changed and the change ID. The change ID can be used to join the event with the other two files.
+
+#### Opening the JSON file
+To open the Json file, use a text editor such as [Microsoft Visual Studio Code](https://aka.ms/vscode). Visual Studio Code makes it easier to read by providing syntax highlighting. The json file can also be opened using browsers in a non editable format e.g. [Microsoft Edge](https://aka.ms/msedge)
+
+#### Prettifying the JSON file
+The JSON file is downloaded in minified format to reduce the size of the download. This, in turn, can make the payload difficult to read. Check out two options to prettify the file:
+
+1. Use Visual Studio Code to format the JSON
+
+Follow the instructions defined [here](https://code.visualstudio.com/docs/languages/json#_formatting) to format the JSON file using Visual Studio Code.
+
+2. Use PowerShell to format the JSON
+
+This script will output the json in a prettified format with tabs and spaces.
+
+` $JSONContent = Get-Content -Path "<PATH TO THE PROVISIONING LOGS FILE>" | ConvertFrom-JSON`
+
+`$JSONContent | ConvertTo-Json > <PATH TO OUTPUT THE JSON FILE>`
+
+#### Parsing the JSON file
+
+Here are some sample commands to work with the JSON file using PowerShell. You can use any programming language that you are comfortable with.
+
+First, [read the JSON file](https://docs.microsoft.com/powershell/module/microsoft.powershell.utility/convertfrom-json?view=powershell-7.1) by running:
+
+` $JSONContent = Get-Content -Path "<PATH TO THE PROVISIONING LOGS FILE>" | ConvertFrom-JSON`
+
+Now you can parse the data per your scenario. Here are a couple examples:
+
+1. Output all jobIDs in the JsonFile
+
+`foreach ($provitem in $JSONContent) { $provitem.jobId }`
+
+2. Output all changeIds for events where the action was "create"
+
+`foreach ($provitem in $JSONContent) { `
+` if ($provItem.action -eq 'Create') {`
+` $provitem.changeId `
+` }`
+`}`
+ ## What you should know - The Azure portal stores reported provisioning data for 30 days if you have a premium edition and 7 days if you have a free edition.The provisioning logs can be published to [log analytics](../app-provisioning/application-provisioning-log-analytics.md) for retention beyond 30 days.
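Review bot: the prettify script `$JSONContent | ConvertTo-Json > <PATH TO OUTPUT THE JSON FILE>` can silently lose data: `ConvertTo-Json` defaults to `-Depth 2`, so if the records carry the provisioning steps and modified properties as nested objects (the CSV section describes them as separate, joinable files), anything below two levels is written out as a string rather than an object. Suggest `ConvertTo-Json -Depth 10` (or higher), and `Get-Content -Raw` for the single-line minified file. Also: put the multi-line PowerShell in fenced code blocks tagged powershell rather than one inline backtick span per line (the per-line spans under "Output all changeIds" will not render as one script); `$provitem` and `$provItem` are mixed casing of the same variable; the heading level jumps from `##` to `####` with no `###`; and "Json"/"json" should be "JSON" throughout.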
@@ -230,14 +283,14 @@ Use the table below to better understand how to resolve errors you may find in t
|InsufficientRights, MethodNotAllowed, NotPermitted, Unauthorized| Azure AD was able to authenticate with the target application, but was not authorized to perform the update. Please review any instructions provided by the target application as well as the respective application [tutorial](../saas-apps/tutorial-list.md).| |UnprocessableEntity|The target application returned an unexpected response. The configuration of the target application may not be correct, or there may be a service issue with the target application that is preventing this from working.| |WebExceptionProtocolError |An HTTP protocol error occurred while connecting to the target application. There is nothing to do. This attempt will automatically be retired in 40 minutes.|
-|InvalidAnchor|A user that was previously created or matched by the provisioning service no longer exists. Check to ensure the user exists. To force a re-match of all users, use the MS Graph API to [restart job](/graph/api/synchronization-synchronizationjob-restart?tabs=http&view=graph-rest-beta). Note that restarting provisioning will trigger an initial cycle, which can take time to complete. It also deletes the cache the provisioning service uses to operate, meaning that all users and groups in the tenant will have to be evaluated again and certain provisioning events could be dropped.|
-|NotImplemented | The target app returned an unexpected response. The configuration of the app may not be correct, or there may be a service issue with the target app that is preventing this from working. Please review any instructions provided by the target application as well as the respective application [tutorial](../saas-apps/tutorial-list.md). |
+|InvalidAnchor|A user that was previously created or matched by the provisioning service no longer exists. Check to ensure the user exists. To force a re-match of all users, use the MS Graph API to [restart job](/graph/api/synchronization-synchronizationjob-restart?tabs=http&view=graph-rest-beta). Restarting provisioning will trigger an initial cycle, which can take time to complete. It also deletes the cache the provisioning service uses to operate, meaning that all users and groups in the tenant will have to be evaluated again and certain provisioning events could be dropped.|
+|NotImplemented | The target app returned an unexpected response. The configuration of the app may not be correct, or there may be a service issue with the target app that is preventing this from working. Please review any instructions provided by the target application and the respective application [tutorial](../saas-apps/tutorial-list.md). |
|MandatoryFieldsMissing, MissingValues |The user could not be created because required values are missing. Correct the missing attribute values in the source record, or review your matching attribute configuration to ensure the required fields are not omitted. [Learn more](../app-provisioning/customize-application-attributes.md) about configuring matching attributes.| |SchemaAttributeNotFound |Could not perform the operation because an attribute was specified that does not exist in the target application. See the [documentation](../app-provisioning/customize-application-attributes.md) on attribute customization and ensure your configuration is correct.| |InternalError |An internal service error occurred within the Azure AD provisioning service. There is nothing to do. This attempt will automatically be retried in 40 minutes.| |InvalidDomain |The operation could not be performed due to an attribute value containing an invalid domain name. Update the domain name on the user or add it to the permitted list in the target application. | |Timeout |The operation could not be completed because the target application took too long to respond. There is nothing to do. This attempt will automatically be retried in 40 minutes.|
-|LicenseLimitExceeded|The user could not be created in the target application because there are no available licenses for this user. Either procure additional licenses for the target application, or review your user assignments and attribute mapping configuration to ensure that the correct users are assigned with the correct attributes.|
+|LicenseLimitExceeded|The user could not be created in the target application because there are no available licenses for this user. Either procure more licenses for the target application, or review your user assignments and attribute mapping configuration to ensure that the correct users are assigned with the correct attributes.|
|DuplicateTargetEntries |The operation could not be completed because more than one user in the target application was found with the configured matching attributes. Either remove the duplicate user from the target application, or reconfigure your attribute mappings as described [here](../app-provisioning/customize-application-attributes.md).| |DuplicateSourceEntries | The operation could not be completed because more than one user was found with the configured matching attributes. Either remove the duplicate user, or reconfigure your attribute mappings as described [here](../app-provisioning/customize-application-attributes.md).| |ImportSkipped | When each user is evaluated, we attempt to import the user from the source system. This error commonly occurs when the user being imported is missing the matching property defined in your attribute mappings. Without a value present on the user object for the matching attribute, we cannot evaluate scoping, matching, or export changes. Note, presence of this error does not indicate that the user is in scope as we have not yet evaluated scoping for the user.|
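Review bot: the unchanged WebExceptionProtocolError row just above the edited InvalidAnchor row says "will automatically be retired in 40 minutes"; it should be "retried", matching the InternalError and Timeout rows, and is worth fixing while this table is being touched.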
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/permissions-reference.md
@@ -1966,6 +1966,7 @@ Application Developer | Application developer | CF1C38E5-3621-4004-A7CB-879624DC
Authentication Administrator | Authentication administrator | c4e39bd9-1100-46d3-8c65-fb160da0071f Attack Payload Author | Attack payload author | 9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f Attack Simulation Administrator | Attack simulation administrator | c430b396-e693-46cc-96f3-db01bf8bb62a
+Azure AD Joined Device Local Administrator | Azure AD Joined Device Local Administrator | 9f06204d-73c1-4d4c-880a-6edb90606fd8
Azure DevOps Administrator | Azure DevOps administrator | e3973bdf-4987-49ae-837a-ba8e231c7286 Azure Information Protection Administrator | Azure Information Protection administrator | 7495fdc4-34c4-4d15-a289-98788ce399fd B2C IEF Keyset Administrator | B2C IEF Keyset Administrator | aaf43236-0c0d-4d5f-883a-6955382ac081
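Review bot: the template ID `9f06204d-73c1-4d4c-880a-6edb90606fd8` on the new Azure AD Joined Device Local Administrator row is the same one the next hunk removes with the "Device Administrators" row, so this is a rename rather than a new role and the commit message or a note should say so. The Azure portal column repeats the API name verbatim, whereas the surrounding rows use sentence case for the portal name ("Authentication administrator", "Azure DevOps administrator"); check which form the portal actually shows.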
@@ -1973,24 +1974,23 @@ B2C IEF Policy Administrator | B2C IEF Policy Administrator | 3edaf663-341e-4475
Billing Administrator | Billing administrator | b0f54661-2d74-4c50-afa3-1ec803f12efe Cloud Application Administrator | Cloud application administrator | 158c047a-c907-4556-b7ef-446551a6b5f7 Cloud Device Administrator | Cloud device administrator | 7698a772-787b-4ac8-901f-60d6b08affd2
-Company Administrator | Global administrator | 62e90394-69f5-4237-9190-012177145e10
Compliance Administrator | Compliance administrator | 17315797-102d-40b4-93e0-432062caca18 Compliance Data Administrator | Compliance data administrator | e6d1a23a-da11-4be4-9570-befc86d067a7 Conditional Access Administrator | Conditional Access administrator | b1be1c3e-b65d-4f19-8427-f6fa0d97feb9
-CRM Service Administrator | Dynamics 365 administrator | 44367163-eba1-44c3-98af-f5787879f96a
Customer LockBox Access Approver | Customer Lockbox access approver | 5c4f9dcd-47dc-4cf7-8c9a-9e4207cbfc91 Desktop Analytics Administrator | Desktop Analytics Administrator | 38a96431-2bdf-4b4c-8b6e-5d3d8abac1a4
-Device Administrators | Device administrators | 9f06204d-73c1-4d4c-880a-6edb90606fd8
Device Join | Deprecated | 9c094953-4995-41c8-84c8-3ebb9b32c93f Device Managers | Deprecated | 2b499bcd-da44-4968-8aec-78e1674fa64d Device Users | Deprecated | d405c6df-0af8-4e3b-95e4-4d06e542189e Directory Readers | Directory readers | 88d8e3e3-8f55-4a1e-953a-9b9898b8876b Directory Synchronization Accounts | Not shown because it shouldn't be used | d29b2b05-8046-44ba-8758-1e26182fcf32 Directory Writers | Directory Writers | 9360feb5-f418-4baa-8175-e2a00bac4301
-Exchange Service Administrator | Exchange administrator | 29232cdf-9323-42fd-ade2-1d097af3e4de
+Dynamics 365 Administrator | Dynamics 365 administrator | 44367163-eba1-44c3-98af-f5787879f96a
+Exchange Administrator | Exchange administrator | 29232cdf-9323-42fd-ade2-1d097af3e4de
External Id User flow Administrator | External Id User flow Administrator | 6e591065-9bad-43ed-90f3-e9424366d2f0 External Id User Flow Attribute Administrator | External Id User Flow Attribute Administrator | 0f971eea-41eb-4569-a71e-57bb8a3eff1e External Identity Provider Administrator | External Identity Provider Administrator | be2f45a1-457d-42af-a067-6ec1fa63bc45
+Global Administrator | Global administrator | 62e90394-69f5-4237-9190-012177145e10
Global Reader | Global reader | f2ef992c-3afb-46b9-b7cf-a126ee74c451 Groups Administrator | Groups administrator | fdd7a751-b60b-444a-984c-02652fe8fa1c Guest Inviter | Guest inviter | 95e79109-95c0-4d8e-aee3-d01accf2d47b
@@ -1998,10 +1998,9 @@ Helpdesk Administrator | Helpdesk administrator | 729827e3-9c14-49f7-bb1b-9608f1
Hybrid Identity Administrator | Hybrid identity administrator | 8ac3fc64-6eca-42ea-9e69-59f4c7b60eb2 Insights Administrator | Insights administrator | eb1f4a8d-243a-41f0-9fbd-c7cdf6c5ef7c Insights Business Leader | Insights business leader | 31e939ad-9672-4796-9c2e-873181342d2d
-Intune Service Administrator | Intune administrator | 3a2c62db-5318-420d-8d74-23affee5d9d5
+Intune Administrator | Intune administrator | 3a2c62db-5318-420d-8d74-23affee5d9d5
Kaizala Administrator | Kaizala administrator | 74ef975b-6605-40af-a5d2-b9539d836353 License Administrator | License administrator | 4d6ac14f-3453-41d0-bef9-a3e0c569773a
-Lync Service Administrator | Skype for Business administrator | 75941009-915a-4869-abe7-691bff18279e
Message Center Privacy Reader | Message center privacy reader | ac16e43d-7b2d-40e0-ac05-243ff356ab5b Message Center Reader | Message center reader | 790c1fb9-7f7d-4f88-86a1-ef1f95c05c1b Modern Commerce User | Modern Commerce User | d24aef57-1500-4070-84db-2666f29cf966
@@ -2010,7 +2009,7 @@ Office Apps Administrator | Office apps administrator | 2b745bdf-0803-4d80-aa65-
Partner Tier1 Support | Not shown because it shouldn't be used | 4ba39ca4-527c-499a-b93d-d9b492c50246 Partner Tier2 Support | Not shown because it shouldn't be used | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 Password Administrator | Password administrator | 966707d0-3269-4727-9be2-8c3a10f19b9d
-Power BI Service Administrator | Power BI administrator | a9ea8996-122f-4c74-9520-8edcd192826c
+Power BI Administrator | Power BI administrator | a9ea8996-122f-4c74-9520-8edcd192826c
Power Platform Administrator | Power platform administrator | 11648597-926c-4cf3-9c36-bcebb0ba8dcc Printer Administrator | Printer administrator | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f Printer Technician | Printer technician | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477
@@ -2023,15 +2022,16 @@ Security Administrator | Security administrator | 194ae4cb-b126-40b2-bd5b-6091b3
Security Operator | Security operator | 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f Security Reader | Security reader | 5d6b6bb7-de71-4623-b4af-96380a352509 Service Support Administrator | Service support administrator | f023fd81-a637-4b56-95fd-791ac0226033
-SharePoint Service Administrator | SharePoint administrator | f28a1f50-f6e7-4571-818b-6a12f2af6b6c
+SharePoint Administrator | SharePoint administrator | f28a1f50-f6e7-4571-818b-6a12f2af6b6c
+Skype for Business Administrator | Skype for Business administrator | 75941009-915a-4869-abe7-691bff18279e
Teams Communications Administrator | Teams Communications Administrator | baf37b3a-610e-45da-9e62-d9d1e5e8914b Teams Communications Support Engineer | Teams Communications Support Engineer | f70938a0-fc10-4177-9e90-2178f8765737 Teams Communications Support Specialist | Teams Communications Support Specialist | fcf91098-03e3-41a9-b5ba-6f0ec8188a12 Teams Devices Administrator | Teams Devices Administrator | 3d762c5a-1b6c-493f-843e-55a3b42923d4
-Teams Service Administrator | Teams Service Administrator | 69091246-20e8-4a56-aa4d-066075b2a7a8
+Teams Administrator | Teams Administrator | 69091246-20e8-4a56-aa4d-066075b2a7a8
Usage Summary Reports Reader | Usage summary reports reader | 75934031-6c7e-415a-99d7-48dbd49e875e User | Not shown because it can't be used | a0b1b346-4d3e-4e8b-98f8-753987be4970
-User Account Administrator | User administrator | fe930be7-5e62-47db-91af-98c3a49a38b1
+User Administrator | User administrator | fe930be7-5e62-47db-91af-98c3a49a38b1
Workplace Device Join | Deprecated | c34f683f-4d5a-4403-affd-6615e00e3a7f ## Deprecated roles
@@ -2052,15 +2052,11 @@ Not every role returned by PowerShell or MS Graph API is visible in Azure portal
API name | Azure portal name | Notes -------- | ------------------- | -------------
-Company Administrator | Global Administrator | [Name changed for better clarity](permissions-reference.md#role-template-ids)
-CRM Service Administrator | Dynamics 365 administrator | [Reflects current product branding](permissions-reference.md#role-template-ids)
Device Join | Deprecated | [Deprecated roles documentation](permissions-reference.md#deprecated-roles) Device Managers | Deprecated | [Deprecated roles documentation](permissions-reference.md#deprecated-roles) Device Users | Deprecated | [Deprecated roles documentation](permissions-reference.md#deprecated-roles) Directory Synchronization Accounts | Not shown because it shouldn't be used | [Directory Synchronization Accounts documentation](permissions-reference.md#directory-synchronization-accounts)
-Directory Writers | Not shown because it shouldn't be used | [Directory Writers documentation](permissions-reference.md#directory-writers)
Guest User | Not shown because it can't be used | NA
-Lync Service Administrator | Skype for Business administrator | [Reflects current product branding](permissions-reference.md#role-template-ids)
Partner Tier 1 Support | Not shown because it shouldn't be used | [Partner Tier1 Support documentation](permissions-reference.md#partner-tier1-support) Partner Tier 2 Support | Not shown because it shouldn't be used | [Partner Tier2 Support documentation](permissions-reference.md#partner-tier2-support) Restricted Guest User | Not shown because it can't be used | NA
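Review bot: the Company Administrator, CRM Service Administrator and Lync Service Administrator rows are dropped from this "not visible in the Azure portal" table while the main table above renames those roles; if PowerShell or Graph still return the old names in existing tenants, readers lose the only mapping from old API name to portal name, so a short "formerly" note on the renamed rows would preserve it. The Directory Writers row is also removed although the main table still lists the role; confirm it is now shown in the portal.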
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/adobe-creative-cloud-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/adobe-creative-cloud-tutorial.md
@@ -9,23 +9,18 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 07/14/2020
+ms.date: 01/13/2021
ms.author: jeedes --- # Tutorial: Azure Active Directory single sign-on (SSO) integration with Adobe Creative Cloud
-> [!NOTE]
-> This article describes Adobe Admin Console's custom SAML-based setup for Azure Active Directory (Azure AD). For brand-new configurations, we recommend that you use the [Azure AD Connector](https://helpx.adobe.com/enterprise/using/sso-setup-azure.html). Azure AD Connector can be set up in minutes and shortens the process of domain claim, single sign-on setup, and user sync.
- In this tutorial, you'll learn how to integrate Adobe Creative Cloud with Azure Active Directory (Azure AD). When you integrate Adobe Creative Cloud with Azure AD, you can: * Control in Azure AD who has access to Adobe Creative Cloud. * Enable your users to be automatically signed-in to Adobe Creative Cloud with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
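Review bot: the removed note pointed new deployments at Adobe's Azure AD Connector instead of the custom SAML setup this tutorial describes, and the "To learn more about SaaS app integration" link goes with it; if the connector is still the recommended path, keep a one-line pointer so readers do not set up a manual SAML federation they did not need.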
@@ -38,25 +33,23 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Adobe Creative Cloud supports **SP** initiated SSO
-* Once you configure Adobe Creative Cloud you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
-## Adding Adobe Creative Cloud from the gallery
+## Add Adobe Creative Cloud from the gallery
To configure the integration of Adobe Creative Cloud into Azure AD, you need to add Adobe Creative Cloud from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Adobe Creative Cloud** in the search box. 1. Select **Adobe Creative Cloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Adobe Creative Cloud Configure and test Azure AD SSO with Adobe Creative Cloud using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Adobe Creative Cloud.
-To configure and test Azure AD SSO with Adobe Creative Cloud, complete the following building blocks:
+To configure and test Azure AD SSO with Adobe Creative Cloud, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
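Review bot: the deleted bullet on enforcing session control through Conditional Access and Microsoft Cloud App Security was the tutorial's only mention of a post-sign-in control; if it is being dropped for template consistency that is fine, otherwise keep a pointer to the proxy deployment article. The "Sign in to the Azure portal" step also loses its link to the portal, consistent with the later step edited in this change.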
@@ -69,15 +62,15 @@ To configure and test Azure AD SSO with Adobe Creative Cloud, complete the follo
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Adobe Creative Cloud** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Adobe Creative Cloud** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- a. In the **Sign on URL** text box, type a URL:
+ a. In the **Sign on URL** text box, type the URL:
`https://adobe.com` b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
@@ -90,7 +83,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
![image](common/edit-attribute.png)
-1. In addition to above, Adobe Creative Cloud application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirement.
+1. In addition to above, Adobe Creative Cloud application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirement.
| Name | Source Attribute| |----- | --------- |
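Review bot: the comma added to the attributes step (`+1. In addition to above, Adobe Creative Cloud application expects few more attributes ...`) leaves the rest of the sentence ungrammatical; suggest `In addition to the above, the Adobe Creative Cloud application expects a few more attributes to be passed back in the SAML response, which are shown below. These attributes are also prepopulated, but you can review them as per your requirement.`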
@@ -123,21 +116,15 @@ In this section, you'll create a test user in the Azure portal called B.Simon.
### Assign the Azure AD test user
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Adobe Creative Cloud.
+In this section, you enable B.Simon to use Azure single sign-on by granting access to Adobe Creative Cloud.
-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the Azure portal, select **Enterprise Applications** > **All applications**.
1. In the applications list, select **Adobe Creative Cloud**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add User link](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog, click the **Assign** button.
+1. In the app's overview page, find the **Manage** section, and select **Users and groups**.
+1. Select **Add user**. Then, in the **Add Assignment** dialog box, select **Users and groups**.
+1. In the **Users and groups** dialog box, select **B.Simon** from the list of users. Then choose **Select** at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog box, select **Assign**.
## Configure Adobe Creative Cloud SSO
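Review bot: the rewritten role step (`+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.`) needs `the "Default Access" role`, and `the users` should be singular since only B.Simon is being assigned here; the same template sentence is pasted into the Bamboo and Bitbucket tutorials in this change, so fix it in all three.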
@@ -161,7 +148,6 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Select **Save**. - ### Create Adobe Creative Cloud test user In order to enable Azure AD users to sign into Adobe Creative Cloud, they must be provisioned into Adobe Creative Cloud. In the case of Adobe Creative Cloud, provisioning is a manual task.
@@ -170,29 +156,23 @@ In order to enable Azure AD users to sign into Adobe Creative Cloud, they must b
1. Sign in to [Adobe Admin Console](https://adminconsole.adobe.com) site as an administrator.
-2. Add the user within AdobeΓÇÖs console as Federated ID and assign them to a Product Profile. For detailed information on adding users, see [Add users in Adobe Admin Console](https://helpx.adobe.com/enterprise/using/users.html#Addusers)
+2. Add the user within AdobeΓÇÖs console as Federated ID and assign them to a Product Profile. For detailed information on adding users, see [Add users in Adobe Admin Console](https://helpx.adobe.com/enterprise/using/users.html#Addusers).
3. At this point, type your email address/upn into the Adobe sign in form, press tab, and you should be federated back to Azure AD: * Web access: www\.adobe.com > sign-in * Within the desktop app utility > sign-in * Within the application > help > sign-in
-## Test SSO
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Adobe Creative Cloud tile in the Access Panel, you should be automatically signed in to the Adobe Creative Cloud for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+## Test SSO
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal. This will redirect to Adobe Creative Cloud Sign-on URL where you can initiate the login flow.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Go to Adobe Creative Cloud Sign-on URL directly and initiate the login flow from there.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the Adobe Creative Cloud tile in the My Apps, this will redirect to Adobe Creative Cloud Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [Try Adobe Creative Cloud with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [Set up an identity (adobe.com)](https://helpx.adobe.com/enterprise/using/set-up-identity.html)
-
-- [Configure Azure for use with Adobe SSO (adobe.com)](https://helpx.adobe.com/enterprise/kb/configure-microsoft-azure-with-adobe-sso.html)\ No newline at end of file
+Once you configure Adobe Creative Cloud you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app)
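Review bot: the new Next steps paragraph (`+Once you configure Adobe Creative Cloud you can enforce session control, which protect exfiltration ...`) has subject-verb agreement errors and no closing period; suggest `which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access.` and end the link sentence with a period, as the Bamboo tutorial below in this same change does. That paragraph and step 2 (`AdobeΓÇÖs console`) show the curly apostrophe as mojibake in both the removed and the added line, so confirm the file is saved as UTF-8 or use a plain ASCII apostrophe. Also, the My Apps bullet links to the absolute `https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction` while the Bamboo tutorial uses the relative `../user-help/my-apps-portal-end-user-access.md`; prefer the relative link for consistency, and `in the My Apps` / `Introduction to the My Apps` should drop `the`.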
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/bamboo-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bamboo-tutorial.md
@@ -9,20 +9,16 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 04/16/2019
+ms.date: 01/12/2021
ms.author: jeedes --- # Tutorial: Azure Active Directory integration with SAML SSO for Bamboo by resolution GmbH
-In this tutorial, you learn how to integrate SAML SSO for Bamboo by resolution GmbH with Azure Active Directory (Azure AD).
-Integrating SAML SSO for Bamboo by resolution GmbH with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate SAML SSO for Bamboo by resolution GmbH with Azure Active Directory (Azure AD). When you integrate SAML SSO for Bamboo by resolution GmbH with Azure AD, you can:
-* You can control in Azure AD who has access to SAML SSO for Bamboo by resolution GmbH.
-* You can enable your users to be automatically signed-in to SAML SSO for Bamboo by resolution GmbH (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to SAML SSO for Bamboo by resolution GmbH.
+* Enable your users to be automatically signed in to SAML SSO for Bamboo by resolution GmbH with their Azure AD accounts.
+* Manage your accounts in one central location: the Azure portal.
## Prerequisites
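Review bot: the rewrite drops `If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.` along with the SaaS-integration overview link and adds nothing in their place; keep the free-account pointer (under Prerequisites if that is where the template now puts it) so readers without a subscription are not left without a starting point.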
@@ -38,64 +34,41 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* SAML SSO for Bamboo by resolution GmbH supports **SP and IDP** initiated SSO * SAML SSO for Bamboo by resolution GmbH supports **Just In Time** user provisioning
-## Adding SAML SSO for Bamboo by resolution GmbH from the gallery
+## Add SAML SSO for Bamboo by resolution GmbH from the gallery
To configure the integration of SAML SSO for Bamboo by resolution GmbH into Azure AD, you need to add SAML SSO for Bamboo by resolution GmbH from the gallery to your list of managed SaaS apps.
-**To add SAML SSO for Bamboo by resolution GmbH from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **SAML SSO for Bamboo by resolution GmbH**, select **SAML SSO for Bamboo by resolution GmbH** from result panel then click **Add** button to add the application.
-
- ![SAML SSO for Bamboo by resolution GmbH in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with SAML SSO for Bamboo by resolution GmbH based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in SAML SSO for Bamboo by resolution GmbH needs to be established.
-
-To configure and test Azure AD single sign-on with SAML SSO for Bamboo by resolution GmbH, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure SAML SSO for Bamboo by resolution GmbH Single Sign-On](#configure-saml-sso-for-bamboo-by-resolution-gmbh-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create SAML SSO for Bamboo by resolution GmbH test user](#create-saml-sso-for-bamboo-by-resolution-gmbh-test-user)** - to have a counterpart of Britta Simon in SAML SSO for Bamboo by resolution GmbH that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **SAML SSO for Bamboo by resolution GmbH** in the search box.
+1. Select **SAML SSO for Bamboo by resolution GmbH** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-### Configure Azure AD single sign-on
+## Configure and test Azure AD SSO with SAML SSO for Bamboo by resolution GmbH
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Configure and test Azure AD SSO with SAML SSO for Bamboo by resolution GmbH, by using a test user called **B.Simon**. For SSO to work, you need to establish a linked relationship between an Azure AD user and the related user in SAML SSO for Bamboo by resolution GmbH.
-To configure Azure AD single sign-on with SAML SSO for Bamboo by resolution GmbH, perform the following steps:
+To configure and test Azure AD SSO with SAML SSO for Bamboo by resolution GmbH, perform the following steps:
-1. In the [Azure portal](https://portal.azure.com/), on the **SAML SSO for Bamboo by resolution GmbH** application integration page, select **Single sign-on**.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+2. **[Configure SAML SSO for Bamboo by resolution GmbH SSO](#configure-saml-sso-for-bamboo-by-resolution-gmbh-sso)** - to configure the Single Sign-On settings on application side.
+ 1. **[Create SAML SSO for Bamboo by resolution GmbH test user](#create-saml-sso-for-bamboo-by-resolution-gmbh-test-user)** - to have a counterpart of Britta Simon in SAML SSO for Bamboo by resolution GmbHby resolution GmbH that is linked to the Azure AD representation of user.
+6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Configure single sign-on link](common/select-sso.png)
+### Configure Azure AD SSO
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+In this section, you enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **SAML SSO for Bamboo by resolution GmbH** application integration page, find the **Manage** section and select **Single Sign-On**.
+1. On the **Select a Single Sign-On Method** page, select **SAML**.
+1. On the **Set up Single Sign-On with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![SAML S S O for Bamboo by resolution GmbH Domain and URLs single sign-on information.](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern: `https://<server-base-url>/plugins/servlet/samlsso`
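Review bot: the step list added under "Configure and test Azure AD SSO" is mis-numbered and inconsistent: the top-level items run `1.`, `2.`, `6.` (`+6. **[Test SSO](#test-sso)**` should be `3.`), the app-side test-user sub-step duplicates the product name (`SAML SSO for Bamboo by resolution GmbHby resolution GmbH`), and the sub-steps still name the test user `Britta Simon` while the paragraph just above introduces `B.Simon`. Further down, the renumbered `1.` steps in the Configure Azure AD SSO section are followed by the unchanged `4. On the **Basic SAML Configuration** section`; mixing `1.` auto-numbering with a literal `4.` is fragile, so renumber the remaining steps to match, and indent the `![Edit Basic SAML Configuration](common/edit-urls.png)` line under its step as the old version did.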
@@ -104,9 +77,7 @@ To configure Azure AD single sign-on with SAML SSO for Bamboo by resolution GmbH
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
-
- In the **Sign-on URL** text box, type a URL using the following pattern:
+ In the **Sign-on URL** text box, type a URL using the following pattern:
`https://<server-base-url>/plugins/servlet/samlsso` > [!NOTE]
@@ -120,13 +91,32 @@ To configure Azure AD single sign-on with SAML SSO for Bamboo by resolution GmbH
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
- b. Azure AD Identifier
+### Create an Azure AD test user
+
+In this section, you create a test user in the Azure portal called B.Simon.
- c. Logout URL
+1. From the left pane in the Azure portal, select **Azure Active Directory** > **Users** > **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write the password down.
+ 1. Select **Create**.
-### Configure SAML SSO for Bamboo by resolution GmbH Single Sign-On
+### Assign the Azure AD test user
+
+In this section, you enable B.Simon to use Azure single sign-on by granting access to SAML SSO for bamboo by resolution GmbH.
+
+1. In the Azure portal, select **Enterprise Applications** > **All applications**.
+1. In the applications list, select **SAML SSO for bamboo by resolution GmbH**.
+1. In the app's overview page, find the **Manage** section, and select **Users and groups**.
+1. Select **Add user**. Then, in the **Add Assignment** dialog box, select **Users and groups**.
+1. In the **Users and groups** dialog box, select **B.Simon** from the list of users. Then choose **Select** at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog box, select **Assign**.
+
+### Configure SAML SSO for Bamboo by resolution GmbH SSO
1. Sign-on to your SAML SSO for Bamboo by resolution GmbH company site as administrator.
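Review bot: the product name is lowercased in the new Assign section (`granting access to SAML SSO for bamboo by resolution GmbH` and `select **SAML SSO for bamboo by resolution GmbH**`), which will not match the gallery entry name used everywhere else in this file; use `Bamboo`.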
@@ -166,72 +156,26 @@ To configure Azure AD single sign-on with SAML SSO for Bamboo by resolution GmbH
1. Click **Save settings**.
- ![The save](./media/bamboo-tutorial/tutorial_bamboo_save.png)
-
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to SAML SSO for Bamboo by resolution GmbH.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **SAML SSO for Bamboo by resolution GmbH**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **SAML SSO for Bamboo by resolution GmbH**.
-
- ![The SAML SSO for Bamboo by resolution GmbH link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create SAML SSO for Bamboo by resolution GmbH test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+The objective of this section is to create a user called Britta Simon in SAML SSO for Bamboo by resolution GmbH. SAML SSO for Bamboo by resolution GmbH supports just-in-time provisioning and also users can be created manually, contact [SAML SSO for Bamboo by resolution GmbH Client support team](https://marketplace.atlassian.com/plugins/com.resolution.atlasplugins.samlsso-bamboo/server/support) as per your requirement.
-7. In the **Add Assignment** dialog click the **Assign** button.
+### Test SSO
-### Create SAML SSO for Bamboo by resolution GmbH test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-The objective of this section is to create a user called Britta Simon in SAML SSO for Bamboo by resolution GmbH. SAML SSO for Bamboo by resolution GmbH supports just-in-time provisioning and also users can be created manually, contact [SAML SSO for Bamboo by resolution GmbH Client support team](https://marketplace.atlassian.com/plugins/com.resolution.atlasplugins.samlsso-bamboo/server/support) as per your requirement.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to SAML SSO for Bamboo by resolution GmbH Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to SAML SSO for Bamboo by resolution GmbH Sign-on URL directly and initiate the login flow from there.
-When you click the SAML SSO for Bamboo by resolution GmbH tile in the Access Panel, you should be automatically signed in to the SAML SSO for Bamboo by resolution GmbH for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the SAML SSO for Bamboo by resolution GmbH for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the SAML SSO for Bamboo by resolution GmbH tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SAML SSO for Bamboo by resolution GmbH for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)\ No newline at end of file
+Once you configure SAML SSO for Bamboo by resolution GmbH you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
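Review bot: the moved "Create SAML SSO for Bamboo by resolution GmbH test user" section still says `create a user called Britta Simon`, while the Azure AD test user created earlier in this same patch is `B.Simon`; align the names so the counterpart user matches. In the Test SSO section, `with following options` should be `with the following options`, the `#### SP initiated:` and `#### IDP initiated:` headings carry trailing colons, which is unusual for headings, and `in the My Apps` / `Introduction to the My Apps` should drop `the`.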
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/bitbucket-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bitbucket-tutorial.md
@@ -9,20 +9,17 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 12/27/2018
+ms.date: 01/12/2021
ms.author: jeedes --- # Tutorial: Azure Active Directory integration with SAML SSO for Bitbucket by resolution GmbH
-In this tutorial, you learn how to integrate SAML SSO for Bitbucket by resolution GmbH with Azure Active Directory (Azure AD).
-Integrating SAML SSO for Bitbucket by resolution GmbH with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate SAML SSO for Bitbucket by resolution GmbH with Azure Active Directory (Azure AD). When you integrate SAML SSO for Bitbucket by resolution GmbH with Azure AD, you can:
-* You can control in Azure AD who has access to SAML SSO for Bitbucket by resolution GmbH.
-* You can enable your users to be automatically signed-in to SAML SSO for Bitbucket by resolution GmbH (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
+* Control in Azure AD who has access toSAML SSO for Bitbucket by resolution GmbH.
+* Enable your users to be automatically signed in toSAML SSO for Bitbucket by resolution GmbH with their Azure AD accounts.
+* Manage your accounts in one central location: the Azure portal.
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
## Prerequisites
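Review bot: two of the new benefit bullets are missing a space after `to` (`access toSAML SSO for Bitbucket` and `signed in toSAML SSO for Bitbucket`); insert the space. As in the Bamboo tutorial above, the `If you don't have an Azure subscription, [create a free account]` pointer is removed here without a replacement; keep it unless the Prerequisites section already carries it.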
@@ -39,63 +36,43 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* SAML SSO for Bitbucket by resolution GmbH supports **Just In Time** user provisioning
-## Adding SAML SSO for Bitbucket by resolution GmbH from the gallery
+## Add SAML SSO for Bitbucket by resolution GmbH from the gallery
To configure the integration of SAML SSO for Bitbucket by resolution GmbH into Azure AD, you need to add SAML SSO for Bitbucket by resolution GmbH from the gallery to your list of managed SaaS apps.
-**To add SAML SSO for Bitbucket by resolution GmbH from the gallery, perform the following steps:**
+1. Sign in to the Azure portal by using either a work or school account, or a personal Microsoft account.
+1. On the left pane, select **Azure Active Directory**.
+1. Go to **Enterprise Applications**, and then select **All Applications**.
+1. To add a new application, select **New application**.
+1. In the **Add from the gallery** section, type **SAML SSO for Bitbucket by resolution GmbH** in the search box.
+1. Select **SAML SSO for Bitbucket by resolution GmbH** from the results, and then add the app. Wait a few seconds while the app is added to your tenant.
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
+## Configure and test Azure AD SSO for SAML SSO for Bitbucket by resolution GmbH
- ![The Azure Active Directory button](common/select-azuread.png)
+Configure and test Azure AD SSO with SAML SSO for Bitbucket by resolution GmbH, by using a test user called **B.Simon**. For SSO to work, you need to establish a linked relationship between an Azure AD user and the related user in SAML SSO for Bitbucket by resolution GmbH.
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
+To configure and test Azure AD SSO with SAML SSO for Bitbucket by resolution GmbH, perform the following steps:
- ![The Enterprise applications blade](common/enterprise-applications.png)
-3. To add new application, click **New application** button on the top of dialog.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+2. **[Configure SAML SSO for Bitbucket by resolution GmbH SSO](#configure-saml-sso-for-bitbucket-by-resolution-gmbh-sso)** - to configure the Single Sign-On settings on application side.
+ 1. **[Create SAML SSO for Bitbucket by resolution GmbH test user](#create-saml-sso-for-bitbucket-by-resolution-gmbh-test-user)** - to have a counterpart of Britta Simon in SAML SSO for Bitbucket by resolution GmbH that is linked to the Azure AD representation of user.
+6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![The New application button](common/add-new-app.png)
+## Configure Azure AD SSO
-4. In the search box, type **SAML SSO for Bitbucket by resolution GmbH**, select **SAML SSO for Bitbucket by resolution GmbH** from result panel then click **Add** button to add the application.
-
- ![SAML SSO for Bitbucket by resolution GmbH in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with SAML SSO for Bitbucket by resolution GmbH based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in SAML SSO for Bitbucket by resolution GmbH needs to be established.
-
-To configure and test Azure AD single sign-on with SAML SSO for Bitbucket by resolution GmbH, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure SAML SSO for Bitbucket by resolution GmbH Single Sign-On](#configure-saml-sso-for-bitbucket-by-resolution-gmbh-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create SAML SSO for Bitbucket by resolution GmbH test user](#create-saml-sso-for-bitbucket-by-resolution-gmbh-test-user)** - to have a counterpart of Britta Simon in SAML SSO for Bitbucket by resolution GmbH that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
-
-In this section, you enable Azure AD single sign-on in the Azure portal.
-
-To configure Azure AD single sign-on with SAML SSO for Bitbucket by resolution GmbH, perform the following steps:
-
-1. In the [Azure portal](https://portal.azure.com/), on the **SAML SSO for Bitbucket by resolution GmbH** application integration page, select **Single sign-on**.
-
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+In this section, you enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **SAML SSO for Bitbucket by resolution GmbH** application integration page, find the **Manage** section and select **Single Sign-On**.
+1. On the **Select a Single Sign-On Method** page, select **SAML**.
+1. On the **Set up Single Sign-On with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 4. On the **Basic SAML Configuration** section, perform the following steps if you wish to configure the application in **IDP** initiated mode:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
a. In the **Identifier** text box, type a URL using the following pattern: `https://<server-base-url>/plugins/servlet/samlsso`
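Review bot: the new step list has the same numbering and naming problems as the Bamboo tutorial in this change: top-level items run `1.`, `2.`, `6.` (`+6. **[Test SSO](#test-sso)**` should be `3.`), and the sub-steps name `Britta Simon` while the intro paragraph says the test user is `B.Simon`. Below, the `1.` auto-numbered steps in Configure Azure AD SSO are followed by the unchanged `4. On the **Basic SAML Configuration** section`; renumber the remaining steps to match.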
@@ -104,9 +81,7 @@ To configure Azure AD single sign-on with SAML SSO for Bitbucket by resolution G
`https://<server-base-url>/plugins/servlet/samlsso` c. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:-
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
-
+
In the **Sign-on URL** text box, type a URL using the following pattern: `https://<server-base-url>/plugins/servlet/samlsso`
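Review bot: the unchanged context line `c. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:-` has a stray hyphen after the colon; since this hunk already edits the lines directly below it, drop the `-` in the same change.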
@@ -117,7 +92,31 @@ To configure Azure AD single sign-on with SAML SSO for Bitbucket by resolution G
![The Certificate download link](common/metadataxml.png)
-### Configure SAML SSO for Bitbucket by resolution GmbH Single Sign-On
+### Create an Azure AD test user
+
+In this section, you create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory** > **Users** > **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write the password down.
+ 1. Select **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you enable B.Simon to use Azure single sign-on by granting access to SAML SSO for Bitbucket by resolution GmbH.
+
+1. In the Azure portal, select **Enterprise Applications** > **All applications**.
+1. In the applications list, select **SAML SSO for Bitbucket by resolution GmbH**.
+1. In the app's overview page, find the **Manage** section, and select **Users and groups**.
+1. Select **Add user**. Then, in the **Add Assignment** dialog box, select **Users and groups**.
+1. In the **Users and groups** dialog box, select **B.Simon** from the list of users. Then choose **Select** at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog box, select **Assign**.
+
+## Configure SAML SSO for Bitbucket by resolution GmbH SSO
1. Sign-on to your SAML SSO for Bitbucket by resolution GmbH company site as administrator.
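Review bot: heading levels in this hunk are inconsistent: the moved "Create an Azure AD test user" and "Assign the Azure AD test user" sections are added as `###`, while "Configure SAML SSO for Bitbucket by resolution GmbH SSO" is promoted from `###` to `##`, which makes the app-side configuration a sibling of the parent "Configure and test" section rather than a step under it. The Blackboard tutorial in this batch keeps all of these at `###`; use one level here as well. Minor: since "Select the **Show password** check box, and then write the password down" refers to a throwaway test account, a sentence saying to delete B.Simon once the SSO test is finished would be worth adding, and the unchanged step "Sign-on to your SAML SSO for Bitbucket by resolution GmbH company site as administrator" should read "Sign in to".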
@@ -157,71 +156,28 @@ To configure Azure AD single sign-on with SAML SSO for Bitbucket by resolution G
![The save](./media/bitbucket-tutorial/tutorial_bitbucket_save.png)
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
+## Create SAML SSO for Bitbucket by resolution GmbH test user
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to SAML SSO for Bitbucket by resolution GmbH.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **SAML SSO for Bitbucket by resolution GmbH**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, type and select **SAML SSO for Bitbucket by resolution GmbH**.
-
- ![The SAML SSO for Bitbucket by resolution GmbH link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+The objective of this section is to create a user called Britta Simon in SAML SSO for Bitbucket by resolution GmbH. SAML SSO for Bitbucket by resolution GmbH supports just-in-time provisioning and also users can be created manually, contact [SAML SSO for Bitbucket by resolution GmbH Client support team](https://marketplace.atlassian.com/plugins/com.resolution.atlasplugins.samlsso-bitbucket/server/support) as per your requirement.
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+## Test SSO
-7. In the **Add Assignment** dialog click the **Assign** button.
+In this section, you test your Azure AD single sign-on configuration with following options.
-### Create SAML SSO for Bitbucket by resolution GmbH test user
+#### SP initiated:
-The objective of this section is to create a user called Britta Simon in SAML SSO for Bitbucket by resolution GmbH. SAML SSO for Bitbucket by resolution GmbH supports just-in-time provisioning and also users can be created manually, contact [SAML SSO for Bitbucket by resolution GmbH Client support team](https://marketplace.atlassian.com/plugins/com.resolution.atlasplugins.samlsso-bitbucket/server/support) as per your requirement.
+* Click on **Test this application** in Azure portal. This will redirect to SAML SSO for Bitbucket by resolution GmbH Sign on URL where you can initiate the login flow.
-### Test single sign-on
+* Go to SAML SSO for Bitbucket by resolution GmbH Sign-on URL directly and initiate the login flow from there.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+#### IDP initiated:
-When you click the SAML SSO for Bitbucket by resolution GmbH tile in the Access Panel, you should be automatically signed in to the SAML SSO for Bitbucket by resolution GmbH for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the SAML SSO for Bitbucket by resolution GmbH for which you set up the SSO.
-## Additional Resources
+You can also use Microsoft My Apps to test the application in any mode. When you click the SAML SSO for Bitbucket by resolution GmbH tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SAML SSO for Bitbucket by resolution GmbH for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md) -- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)\ No newline at end of file
+Once you configure the SAML SSO for Bitbucket by resolution GmbH you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
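Review bot: the new "SP initiated:" and "IDP initiated:" headings are `####` directly under the `##` "Test SSO" heading, skipping a level; make them `###` (or plain bold labels) so the outline stays well-formed. In "Next steps", "Session controls extends from Conditional Access" has a subject/verb mismatch (the Blackboard and Cherwell versions in this batch say "Session control extends"), and the apostrophe in "organization's" shows here as "ΓÇÖ", the usual sign of a UTF-8 curly quote read as code page 437; if that is what the source contains, replace it with a plain ASCII apostrophe. The moved "Create ... test user" paragraph keeps the comma splice "users can be created manually, contact [...] as per your requirement"; split it into two sentences. The My Apps paragraph is one long conditional ("if configured in SP mode ... and if configured in IDP mode ..."); two bullets mirroring the SP/IDP lists above would be easier to follow.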
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/blackboard-learn-shibboleth-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/blackboard-learn-shibboleth-tutorial.md
@@ -9,27 +9,23 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 02/07/2019
+ms.date: 01/19/2021
ms.author: jeedes --- # Tutorial: Azure Active Directory integration with Blackboard Learn - Shibboleth
-In this tutorial, you learn how to integrate Blackboard Learn - Shibboleth with Azure Active Directory (Azure AD).
-Integrating Blackboard Learn - Shibboleth with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Blackboard Learn - Shibboleth with Azure Active Directory (Azure AD). When you integrate Blackboard Learn - Shibboleth with Azure AD, you can:
-* You can control in Azure AD who has access to Blackboard Learn - Shibboleth.
-* You can enable your users to be automatically signed-in to Blackboard Learn - Shibboleth (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Blackboard Learn - Shibboleth.
+* Enable your users to be automatically signed-in to Blackboard Learn - Shibboleth with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Blackboard Learn - Shibboleth, you need the following items:
-
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Blackboard Learn - Shibboleth single sign-on enabled subscription
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* A Blackboard Learn - Shibboleth single sign-on (SSO)-enabled subscription.
## Scenario description
@@ -37,64 +33,46 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Blackboard Learn - Shibboleth supports **SP** initiated SSO
-## Adding Blackboard Learn - Shibboleth from the gallery
+## Add Blackboard Learn - Shibboleth from the gallery
To configure the integration of Blackboard Learn - Shibboleth into Azure AD, you need to add Blackboard Learn - Shibboleth from the gallery to your list of managed SaaS apps.
-**To add Blackboard Learn - Shibboleth from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Blackboard Learn - Shibboleth**, select **Blackboard Learn - Shibboleth** from result panel then click **Add** button to add the application.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Blackboard Learn - Shibboleth** in the search box.
+1. Select **Blackboard Learn - Shibboleth** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
- ![Blackboard Learn - Shibboleth in the results list](common/search-new-app.png)
+## Configure and test Azure AD SSO for Blackboard Learn - Shibboleth
-## Configure and test Azure AD single sign-on
+Configure and test Azure AD SSO with Blackboard Learn - Shibboleth using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Blackboard Learn - Shibboleth.
-In this section, you configure and test Azure AD single sign-on with Blackboard Learn - Shibboleth based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Blackboard Learn - Shibboleth needs to be established.
+To configure and test Azure AD SSO with Blackboard Learn - Shibboleth, perform the following steps:
-To configure and test Azure AD single sign-on with Blackboard Learn - Shibboleth, you need to complete the following building blocks:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Blackboard Learn - Shibboleth SSO](#configure-blackboard-learn---shibboleth-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Blackboard Learn - Shibboleth test user](#create-blackboard-learn---shibboleth-test-user)** - to have a counterpart of B.Simon in Blackboard Learn - Shibboleth that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Blackboard Learn - Shibboleth Single Sign-On](#configure-blackboard-learn---shibboleth-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Blackboard Learn - Shibboleth test user](#create-blackboard-learn---shibboleth-test-user)** - to have a counterpart of Britta Simon in Blackboard Learn - Shibboleth that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
+### Configure Azure AD SSO
In this section, you enable Azure AD single sign-on in the Azure portal. To configure Azure AD single sign-on with Blackboard Learn - Shibboleth, perform the following steps:
-1. In the [Azure portal](https://portal.azure.com/), on the **Blackboard Learn - Shibboleth** application integration page, select **Single sign-on**.
-
- ![Configure single sign-on link](common/select-sso.png)
+1. In the Azure portal, on the **Blackboard Learn - Shibboleth** application integration page, select **Single sign-on**.
2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+3. On the **Set up Single Sign-On with SAML** page, click pencil icon to open **Basic SAML Configuration** dialog.
![Edit Basic SAML Configuration](common/edit-urls.png) 4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Blackboard Learn - Shibboleth Domain and URLs single sign-on information](common/sp-identifier-reply.png)
- a. In the **Sign-on URL** text box, type a URL using the following pattern: `https://<yourblackoardlearnserver>.blackboardlearn.com/Shibboleth.sso/Login`
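Review bot: the last removed line, "a. In the **Sign-on URL** text box, type a URL using the following pattern: `https://<yourblackoardlearnserver>.blackboardlearn.com/Shibboleth.sso/Login`", has no visible replacement in this hunk; since the scenario section states "Blackboard Learn - Shibboleth supports **SP** initiated SSO" only, the Sign-on URL step must survive, and its placeholder should be spelled `<yourblackboardlearnserver>` (the removed line drops the "b"). The "Configure Azure AD SSO" steps still say "select **SAML/WS-Fed** mode" while the Bitbucket and Cherwell tutorials in this batch were changed to "select **SAML**"; use the same option label here. Those steps also use explicit "1.", "2.", "3.", "4." numbering while the "Add Blackboard Learn - Shibboleth from the gallery" list in the same hunk uses "1." throughout; pick one style.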
@@ -115,81 +93,49 @@ To configure Azure AD single sign-on with Blackboard Learn - Shibboleth, perform
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Blackboard Learn - Shibboleth Single Sign-On
-
-To configure single sign-on on **Blackboard Learn - Shibboleth** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Blackboard Learn - Shibboleth support team](https://www.blackboard.com/forms/contact-us_form.aspx). They set this setting to have the SAML SSO connection set properly on both sides.
### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
+In this section, you'll create a test user in the Azure portal called B.Simon.
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Blackboard Learn - Shibboleth.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Blackboard Learn - Shibboleth**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Blackboard Learn - Shibboleth.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Blackboard Learn - Shibboleth**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **Blackboard Learn - Shibboleth**.
+### Configure Blackboard Learn - Shibboleth SSO
- ![The Blackboard Learn - Shibboleth link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Blackboard Learn - Shibboleth** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Blackboard Learn - Shibboleth support team](https://www.blackboard.com/forms/contact-us_form.aspx). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Blackboard Learn - Shibboleth test user In this section, you create a user called Britta Simon in Blackboard Learn - Shibboleth. Work with [Blackboard Learn - Shibboleth support team](https://www.blackboard.com/forms/contact-us_form.aspx) to add the users in the Blackboard Learn - Shibboleth platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+### Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Blackboard Learn - Shibboleth tile in the Access Panel, you should be automatically signed in to the Blackboard Learn - Shibboleth for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Blackboard Learn - Shibboleth Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Blackboard Learn - Shibboleth Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Blackboard Learn - Shibboleth tile in the My Apps, you should be automatically signed in to the Blackboard Learn - Shibboleth for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)\ No newline at end of file
+Once you configure Blackboard Learn - Shibboleth you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
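Review bot: the unchanged "Create Blackboard Learn - Shibboleth test user" paragraph still says "you create a user called Britta Simon", while every other section in this hunk was renamed to B.Simon; update it so the Azure AD user and its Blackboard counterpart carry the same name. The new My Apps and Cloud App Security links are absolute (`https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction` and `https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app`) whereas the Bitbucket tutorial in this batch uses `../user-help/my-apps-portal-end-user-access.md` and `/cloud-app-security/proxy-deployment-any-app`; use one form consistently across the batch. The apostrophe in "organization's" shows as "ΓÇÖ" here; if that is in the source, replace it with a plain ASCII apostrophe.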
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/cherwell-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cherwell-tutorial.md
@@ -9,27 +9,24 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 08/27/2020
+ms.date: 01/14/2021
ms.author: jeedes --- # Tutorial: Azure Active Directory integration with Cherwell
-In this tutorial, you learn how to integrate Cherwell with Azure Active Directory (Azure AD).
-Integrating Cherwell with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Cherwell with Azure Active Directory (Azure AD). When you integrate Cherwell with Azure AD, you can:
-* You can control in Azure AD who has access to Cherwell.
-* You can enable your users to be automatically signed-in to Cherwell (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Cherwell.
+* Enable your users to be automatically signed-in to Cherwell with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Cherwell, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Cherwell single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+
+* Cherwell single sign-on enabled subscription.
## Scenario description
@@ -37,55 +34,50 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Cherwell supports **SP** initiated SSO
-* Once you configure Cherwell you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
- > [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Cherwell from the gallery
+## Add Cherwell from the gallery
To configure the integration of Cherwell into Azure AD, you need to add Cherwell from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Cherwell** in the search box. 1. Select **Cherwell** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO
+## Configure and test Azure AD SSO for Cherwell
-In this section, you configure and test Azure AD single sign-on with Cherwell based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Cherwell needs to be established.
+Configure and test Azure AD SSO with Cherwell using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Cherwell.
-To configure and test Azure AD single sign-on with Cherwell, you need to complete the following building blocks:
+To configure and test Azure AD SSO with Cherwell, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 2. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
2. **[Configure Cherwell SSO](#configure-cherwell-sso)** - to configure the Single Sign-On settings on application side.
- * **[Create Cherwell test user](#create-cherwell-test-user)** - to have a counterpart of Britta Simon in Cherwell that is linked to the Azure AD representation of user.
+ 1. **[Create Cherwell test user](#create-cherwell-test-user)** - to have a counterpart of B.Simon in Cherwell that is linked to the Azure AD representation of user.
3. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Cherwell** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Cherwell** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-4. On the **Basic SAML Configuration** section, perform the following step:
-
- ![Cherwell Domain and URLs single sign-on information](common/sp-signonurl.png)
+4. On the **Basic SAML Configuration** section, perform the following steps:
a. In the **Sign-on URL** text box, type a URL using the following pattern: `https://<companyname>.cherwellondemand.com/cherwellclient`
- b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<companyname>.cherwellondemand.com/cherwellclient`
+ b. In the **Reply URL** text box, type the URL using the following pattern:
+ `https://*.cherwellondemand.com`
> [!NOTE] > The value is not real. Update the value with the actual Sign-on URL and Reply URL. Contact [Cherwell Client support team](https://cherwellsupport.com/CherwellPortal) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
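Review bot: the Reply URL step now reads "type the URL using the following pattern: `https://*.cherwellondemand.com`", replacing the tenant-specific `https://<companyname>.cherwellondemand.com/cherwellclient`. If the literal wildcard is what the reader should enter, say so and state the consequence: Azure AD would then accept an AuthnRequest whose AssertionConsumerServiceURL is any host under cherwellondemand.com, and because the NOTE in this hunk says the app's Identifier is a fixed string shared by every instance, the assertion's audience does not tie it to this tenant's Cherwell instance either. Prefer documenting the tenant-specific Reply URL (the old pattern) and mention the wildcard only if Cherwell requires it. If the asterisk is meant as a placeholder instead, the step should say "type a URL using the following pattern", as the Sign-on URL step does, and the [!NOTE] already tells the reader to replace it.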
@@ -98,12 +90,6 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
- ### Create an Azure AD test user In this section, you'll create a test user named B.Simon in the Azure portal.
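Review bot: this hunk deletes the "a. Login URL / b. Azure AD Identifier / c. Logout URL" list that told the reader which values to copy, but the later "Configure Cherwell SSO" step still says to send "the downloaded **Certificate (Base64)** and appropriate copied URLs" to Cherwell support; either keep the list or name those URLs in that sentence so "appropriate copied URLs" is defined. The `![Copy configuration URLs](common/copy-configuration-urls.png)` screenshot also stays behind without the list it illustrated.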
@@ -123,18 +109,11 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Cherwell**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button. - ## Configure Cherwell SSO To configure single sign-on on **Cherwell** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Cherwell support team](https://cherwellsupport.com/CherwellPortal). They set this setting to have the SAML SSO connection set properly on both sides.
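Review bot: the role step kept here, "If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list", is the old wording; the Bitbucket and Blackboard tutorials in this batch were changed to "If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected." Use the same text here so the three tutorials describe the same portal control. The trailing "-" after "select **Users and groups**." and after "Add Assignment** dialog." should be checked to be only the rendering of the removed blank lines.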
@@ -151,14 +130,14 @@ To enable Azure AD users to sign in to Cherwell, they must be provisioned into C
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Cherwell tile in the Access Panel, you should be automatically signed in to the Cherwell for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Cherwell Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Cherwell Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Cherwell tile in the My Apps, you should be automatically signed in to the Cherwell for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)\ No newline at end of file
+Once you configure Cherwell you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-aad)
\ No newline at end of file
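Review bot: the added Next steps line contains a mojibake sequence in "organizationΓÇÖs" where a plain apostrophe belongs; save the file as UTF-8 and write "organization's". The new My Apps bullet also links to the absolute URL https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction while the line it replaces and the removed Additional Resources entries use repo-relative paths such as `../user-help/my-apps-portal-end-user-access.md`; keep the relative form so the repo's link validation covers it. Minor: "with following options" should read "with the following options".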
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/coupa-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/coupa-tutorial.md
@@ -9,27 +9,23 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 01/25/2019
+ms.date: 01/14/2021
ms.author: jeedes --- # Tutorial: Azure Active Directory integration with Coupa
-In this tutorial, you learn how to integrate Coupa with Azure Active Directory (Azure AD).
-Integrating Coupa with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Coupa with Azure Active Directory (Azure AD). When you integrate Coupa with Azure AD, you can:
-* You can control in Azure AD who has access to Coupa.
-* You can enable your users to be automatically signed-in to Coupa (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Coupa.
+* Enable your users to be automatically signed-in to Coupa with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Coupa, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Coupa single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/).
+* Coupa single sign-on enabled subscription.
## Scenario description
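Review bot: the sentence "If you don't have an Azure subscription, create a free account before you begin" is dropped, but the Prerequisites bullet still sends readers to the one-month trial link at https://azure.microsoft.com/pricing/free-trial/. The freshdesk-tutorial change in this same batch replaces that bullet with "If you don't have a subscription, you can get a free account" pointing at https://azure.microsoft.com/free/; make the Coupa prerequisites match so the two tutorials do not give different guidance.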
@@ -37,71 +33,49 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Coupa supports **SP** initiated SSO
-## Adding Coupa from the gallery
+## Add Coupa from the gallery
To configure the integration of Coupa into Azure AD, you need to add Coupa from the gallery to your list of managed SaaS apps.
-**To add Coupa from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Coupa**, select **Coupa** from result panel then click **Add** button to add the application.
-
- ![Coupa in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Coupa based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Coupa needs to be established.
-
-To configure and test Azure AD single sign-on with Coupa, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Coupa** in the search box.
+1. Select **Coupa** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Coupa Single Sign-On](#configure-coupa-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Coupa test user](#create-coupa-test-user)** - to have a counterpart of Britta Simon in Coupa that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Coupa
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Coupa using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Coupa.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Coupa, perform the following steps:
-To configure Azure AD single sign-on with Coupa, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Coupa SSO](#configure-coupa-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Coupa test user](#create-coupa-test-user)** - to have a counterpart of B.Simon inCoupa that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Coupa** application integration page, select **Single sign-on**.
+### Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Coupa** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Coupa Domain and URLs single sign-on information](common/sp-identifier-reply.png)
- a. In the **Sign-on URL** text box, type a URL using the following pattern: `https://<companyname>.coupahost.com` > [!NOTE] > The Sign-on URL value is not real. Update this value with the actual Sign-On URL. Contact [Coupa Client support team](https://success.coupa.com/Support/Contact_Us?) to get this value.
- b. In the **Identifier** box, type a URL:
+ b. In the **Identifier** box, type the URL:
| Environment | URL | |:-------------|----|
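Review bot: "a counterpart of B.Simon inCoupa" in the building-blocks list is missing the space before Coupa. In the Configure Azure AD SSO steps, the first three items now use `1.` auto-numbering but the unchanged "4. On the **Basic SAML Configuration** section" keeps a literal 4; change it to `1.` so the list is consistent. The note under the Sign-on URL ("The Sign-on URL value is not real... Contact Coupa Client support team to get this value") applies only to the Sign-on URL, whereas the Identifier and Reply URL tables that follow are fixed per-environment values; state that explicitly so readers do not contact support for values already listed in the table.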
@@ -109,7 +83,7 @@ To configure Azure AD single sign-on with Coupa, perform the following steps:
| Production | `sso-prd1.coupahost.com`| | | |
- c. In the **Reply URL** text box, type a URL:
+ c. In the **Reply URL** text box, type the URL:
| Environment | URL | |------------- |----|
@@ -125,13 +99,31 @@ To configure Azure AD single sign-on with Coupa, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
- b. Azure Ad Identifier
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
- c. Logout URL
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Coupa.
-### Configure Coupa Single Sign-On
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Coupa**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+### Configure Coupa SSO
1. Sign on to your Coupa company site as an administrator.
@@ -149,57 +141,6 @@ To configure Azure AD single sign-on with Coupa, perform the following steps:
c. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Coupa.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Coupa**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Coupa**.
-
- ![The Coupa link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Coupa test user In order to enable Azure AD users to log into Coupa, they must be provisioned into Coupa.
@@ -233,16 +174,16 @@ In order to enable Azure AD users to log into Coupa, they must be provisioned in
>[!NOTE] >You can use any other Coupa user account creation tools or APIs provided by Coupa to provision Azure AD user accounts.
-### Test single sign-on
+### Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Coupa tile in the Access Panel, you should be automatically signed in to the Coupa for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Coupa Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Coupa Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Coupa tile in the My Apps, you should be automatically signed in to the Coupa for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)\ No newline at end of file
+Once you configure Coupa you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app)
\ No newline at end of file
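Review bot: the "Test this application" and Sign-on URL bullets should remind the reader that the test succeeds only for a user who already exists in Coupa, since the preceding section states Azure AD users "must be provisioned into Coupa" and provisioning is manual; a user assigned in Azure AD but never created in Coupa is rejected after the SAML response is posted, which is easy to misread as an Azure AD misconfiguration. The Next steps line also has the "organizationΓÇÖs" mojibake; use a plain apostrophe and save the file as UTF-8.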
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/displayr-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/displayr-tutorial.md
@@ -74,6 +74,10 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
`https://<YOURDOMAIN>.displayr.com` b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:`<YOURDOMAIN>.displayr.com`
+
+ c. In the **Reply URL** text box, type `https://app.displayr.com/Login/ProcessSamlResponse`.
+
+ d. Click **Save**.
>[!NOTE] >These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Displayr Client support team](mailto:support@displayr.com) to get these values. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.
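Review bot: the new step c presents `https://app.displayr.com/Login/ProcessSamlResponse` as a literal Reply URL, yet the note directly below still says "These values are not real. Update these values with the actual Sign on URL and Identifier." State whether the Reply URL is a fixed value shared by all tenants or must be obtained from Displayr like the other two. This matters because Azure AD posts the SAML response only to the Reply URL (Assertion Consumer Service URL) registered here and rejects an SP-initiated request whose ACS URL does not match it, so a wrong value leaves sign-in failing with a reply-URL mismatch error. Also confirm that the Identifier pattern `<YOURDOMAIN>.displayr.com` is intentionally scheme-less while the Sign-on URL uses `https://`.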
@@ -84,25 +88,23 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
1. Displayr application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open User Attributes dialog.
- ![Screenshot that shows the "User Attributes" section with the "Edit" icon highlighted.](common/edit-attribute.png)
+ ![Screenshot that shows the "User Attributes" section with the "Edit" icon highlighted.](common/edit-attribute.png)
1. In addition to above, Displayr application expects few more attributes to be passed back in SAML response. In the **User Attributes & Claims** section on the **Group Claims (Preview)** dialog, perform the following steps:
- a. Click the **pen** next to **Groups returned in claim**.
-
- ![Screenshot that shows the "User Attributes & Claims" section with the "Pen" icon next to "Groups returned in claim" selected.](./media/displayr-tutorial/config04.png)
+ a. Click **Add a group claim**.
- ![Screenshot that shows the "Group Claims (Preview) window with settings selected.](./media/displayr-tutorial/config05.png)
+ ![Screenshot that shows the "Group Claims (Preview) window with settings selected.](./media/displayr-tutorial/config05.png)
- b. Select **All Groups** from the radio list.
+ b. Select **All Groups** from the radio list.
- c. Select **Source Attribute** of **Group ID**.
+ c. Select **Source Attribute** of **Group ID**.
- d. Check **Customize the name of the group claim**.
+ d. Check **Customize the name of the group claim**.
- e. Check **Emit groups as role claims**.
+ e. Check **Emit groups as role claims**.
- f. Click **Save**.
+ f. Click **Save**.
1. On the **Set-up Displayr** section, copy the appropriate URL(s) based on your requirement.
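Review bot: step b ("Select **All Groups**") combined with step e ("Check **Emit groups as role claims**") sends every group the user belongs to as role values in each assertion. Add a caveat that Azure AD caps the number of groups it puts in a SAML token at 150 and emits a group overage claim instead when the user exceeds it, so heavily nested users would silently arrive at Displayr with no roles, and point out that "Groups assigned to the application" is the narrower choice when Displayr only needs the groups mapped to its roles. Step c ("Select **Source Attribute** of **Group ID**") emits object IDs rather than names; say so explicitly, since the Displayr side then has to map GUIDs.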
@@ -214,4 +216,4 @@ When you select the Displayr tile in the Access Panel, you should be automatical
- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) -- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)\ No newline at end of file
+- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/freshdesk-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/freshdesk-tutorial.md
@@ -9,40 +9,35 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 08/24/2020
+ms.date: 01/20/2021
ms.author: jeedes --- # Tutorial: Azure Active Directory integration with FreshDesk
-In this tutorial, you learn how to integrate FreshDesk with Azure Active Directory (Azure AD).
-Integrating FreshDesk with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate FreshDesk with Azure Active Directory (Azure AD). When you integrate FreshDesk with Azure AD, you can:
-* You can control in Azure AD who has access to FreshDesk.
-* You can enable your users to be automatically signed-in to FreshDesk (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to FreshDesk.
+* Enable your users to be automatically signed-in to FreshDesk with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with FreshDesk, you need the following items:
-
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* FreshDesk single sign-on enabled subscription
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* A FreshDesk single sign-on (SSO)-enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment. * FreshDesk supports **SP** initiated SSO
-* Once you configure FreshDesk you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
-## Adding FreshDesk from the gallery
+## Add FreshDesk from the gallery
To configure the integration of FreshDesk into Azure AD, you need to add FreshDesk from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
@@ -53,20 +48,20 @@ To configure the integration of FreshDesk into Azure AD, you need to add FreshDe
Configure and test Azure AD SSO with FreshDesk using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in FreshDesk.
-To configure and test Azure AD SSO with FreshDesk, complete the following building blocks:
+To configure and test Azure AD SSO with FreshDesk, perform the following steps:
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-1. **[Configure FreshDesk Single Sign-On](#configure-freshdesk-single-sign-on)** - to configure the Single Sign-On settings on application side.
+1. **[Configure FreshDesk SSO](#configure-freshdesk-sso)** - to configure the Single Sign-On settings on application side.
1. **[Create FreshDesk test user](#create-freshdesk-test-user)** - to have a counterpart of Britta Simon in FreshDesk that is linked to the Azure AD representation of user.
-1. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-## Configure Azure AD single sign-on
+## Configure Azure AD SSO
-1. In the [Azure portal](https://portal.azure.com/), on the **FreshDesk** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **FreshDesk** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set-up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set-up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
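Review bot: the building-blocks list still reads "to test Azure AD single sign-on with Britta Simon" and "a counterpart of Britta Simon in FreshDesk" in its unchanged context lines, while the sentence above it and the updated Create and Assign sections use **B.Simon**; rename those two mentions in the same change so the test user is called one thing throughout the tutorial.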
@@ -96,65 +91,32 @@ To configure and test Azure AD SSO with FreshDesk, complete the following buildi
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field, enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+In this section, you'll create a test user in the Azure portal called B.Simon.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to FreshDesk.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **FreshDesk**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, type and select **FreshDesk**.
-
- ![The FreshDesk link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to FreshDesk.
-7. In the **Add Assignment** dialog, click the **Assign** button.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **FreshDesk**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure FreshDesk Single Sign-On
+## Configure FreshDesk SSO
1. In a different web browser window, log into your Freshdesk company site as an administrator.
@@ -205,16 +167,16 @@ In the case of FreshDesk, provisioning is a manual task.
>[!NOTE] >You can use any other Freshdesk user account creation tools or APIs provided by Freshdesk to provision Azure AD user accounts to FreshDesk.
-### Test single sign-on
+### Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the FreshDesk tile in the Access Panel, you should be automatically signed in to the FreshDesk for which you set-up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to FreshDesk Sign-on URL where you can initiate the login flow.
-## Additional resources
+* Go to FreshDesk Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the FreshDesk tile in the My Apps, you should be automatically signed in to the FreshDesk for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)\ No newline at end of file
+Once you configure FreshDesk you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/freshservice-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/freshservice-tutorial.md
@@ -9,7 +9,7 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 08/31/2020
+ms.date: 01/15/2021
ms.author: jeedes ---
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate Freshservice with Azure Active D
* Enable your users to be automatically signed-in to Freshservice with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -38,13 +36,12 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Freshservice supports **SP** initiated SSO
-* Once you configure Freshservice you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
-## Adding Freshservice from the gallery
+## Add Freshservice from the gallery
To configure the integration of Freshservice into Azure AD, you need to add Freshservice from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
@@ -68,9 +65,9 @@ To configure and test Azure AD SSO with Freshservice, complete the following bui
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Freshservice** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Freshservice** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -115,15 +112,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Freshservice**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Freshservice SSO
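Review bot: the rewritten role step in this hunk ("If you are expecting a role to be assigned to the users ... you see "Default Access" role selected") needs a grammar pass and loses a useful fact. Write "you see the "Default Access" role selected", and keep the removed line's point that the role chosen here is the role value that ends up in the SAML assertion; that is what Freshservice receives, so readers need the cue that the selection is an authorization input rather than a label.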
@@ -142,7 +133,7 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
![Admin](./media/freshservice-tutorial/configure-1.png "Admin")
-1. In the **Security**, click on **Go to Freshworks 360 Security**.
+1. In the **Security**, click on **Go to Freshservice 360 Security**.
![Security](./media/freshservice-tutorial/configure-2.png "Security")
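Review bot: the rename from "Go to Freshworks 360 Security" to "Go to Freshservice 360 Security" in this hunk looks like a product-name search-and-replace rather than a UI correction: the screenshot that follows (configure-2.png, alt "Security") is untouched and Freshworks is the vendor name used in the neighbouring Freshworks tutorial, so confirm the actual button label in the admin console before changing it. Separately, "In the **Security**, click on" is missing its noun on both sides of the change; "In the **Security** section, click" reads correctly.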
@@ -197,16 +188,14 @@ To enable Azure AD users to sign in to FreshService, they must be provisioned in
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Freshservice tile in the Access Panel, you should be automatically signed in to the Freshservice for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Freshservice Sign-on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Freshservice Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Freshservice tile in the My Apps, you should be automatically signed in to the Freshservice for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Freshservice with Azure AD](https://aad.portal.azure.com/)\ No newline at end of file
+ Once you configure Freshservice you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
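Review bot: the Next steps paragraph added at the end of this hunk carries a mis-encoded apostrophe ("organizationΓÇÖs" is the UTF-8 curly apostrophe read as cp437) and a leading space before "Once", so it will render a literal "ΓÇÖ" and may be treated as an indented block; write "organization's" with no leading space. The same hunk replaces the repo-relative link style of the removed lines ("../user-help/my-apps-portal-end-user-access.md", and "/cloud-app-security/proxy-deployment-any-app" in the earlier hunk) with absolute https://docs.microsoft.com URLs in the My Apps bullet and the Next steps link; keep the relative form for consistency within the file. Minor: "with following options" needs "the", and the file still ends without a trailing newline.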
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/freshworks-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/freshworks-tutorial.md
@@ -9,7 +9,7 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 10/11/2019
+ms.date: 01/20/2021
ms.author: jeedes ---
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate Freshworks with Azure Active Dir
* Enable your users to be automatically signed-in to Freshworks with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -39,22 +37,22 @@ In this tutorial, you configure and test Azure AD SSO in a test environment.
* Freshworks supports **SP** initiated SSO
-## Adding Freshworks from the gallery
+## Add Freshworks from the gallery
To configure the integration of Freshworks into Azure AD, you need to add Freshworks from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Freshworks** in the search box. 1. Select **Freshworks** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Freshworks
+## Configure and test Azure AD SSO for Freshworks
Configure and test Azure AD SSO with Freshworks using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Freshworks.
-To configure and test Azure AD SSO with Freshworks, complete the following building blocks:
+To configure and test Azure AD SSO with Freshworks, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
@@ -67,9 +65,9 @@ To configure and test Azure AD SSO with Freshworks, complete the following build
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Freshworks** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Freshworks** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -121,15 +119,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Freshworks**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Freshworks SSO
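Review bot: the role step in this hunk has the same two problems as its Freshservice counterpart: "you see "Default Access" role selected" needs "the", and the rewrite drops the removed line's statement that the selected role is emitted as the role value in the SAML assertion, which is the part a reader wiring up Freshworks authorization actually needs.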
@@ -160,16 +152,14 @@ In this section, you create a user called B.Simon in Freshworks. Work with [Fre
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Freshworks tile in the Access Panel, you should be automatically signed in to the Freshworks for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Freshworks Sign-on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Freshworks Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Freshworks tile in the My Apps, you should be automatically signed in to the Freshworks for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Freshworks with Azure AD](https://aad.portal.azure.com/)\ No newline at end of file
+Once you configure Freshworks you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
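Review bot: the Next steps paragraph at the end of this hunk repeats the mis-encoded apostrophe ("organizationΓÇÖs") and should read "organization's"; the My Apps bullet and the Next steps link also switch to absolute docs.microsoft.com URLs where the removed lines used repo-relative paths, and "with following options" needs "the". The file is still committed without a trailing newline.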
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/logicmonitor-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/logicmonitor-tutorial.md
@@ -9,27 +9,23 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 02/25/2019
+ms.date: 01/15/2021
ms.author: jeedes --- # Tutorial: Azure Active Directory integration with LogicMonitor
-In this tutorial, you learn how to integrate LogicMonitor with Azure Active Directory (Azure AD).
-Integrating LogicMonitor with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate LogicMonitor with Azure Active Directory (Azure AD). When you integrate LogicMonitor with Azure AD, you can:
-* You can control in Azure AD who has access to LogicMonitor.
-* You can enable your users to be automatically signed-in to LogicMonitor (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to LogicMonitor.
+* Enable your users to be automatically signed-in to LogicMonitor with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with LogicMonitor, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* LogicMonitor single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/).
+* LogicMonitor single sign-on enabled subscription.
## Scenario description
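Review bot: the two prerequisites bullets touched at the end of this hunk only gain a period; while they are being edited, "you can get one-month trial" should read "you can get a one-month trial", and "LogicMonitor single sign-on enabled subscription" should be "A LogicMonitor single sign-on enabled subscription" so the two bullets read the same way. The rewritten intro also drops the "If you don't have an Azure subscription, create a free account" sentence, which is acceptable only because the trial link survives in the first bullet.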
@@ -37,59 +33,39 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* LogicMonitor supports **SP** initiated SSO
-## Adding LogicMonitor from the gallery
+## Add LogicMonitor from the gallery
To configure the integration of LogicMonitor into Azure AD, you need to add LogicMonitor from the gallery to your list of managed SaaS apps.
-**To add LogicMonitor from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **LogicMonitor**, select **LogicMonitor** from result panel then click **Add** button to add the application.
-
- ![LogicMonitor in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with LogicMonitor based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in LogicMonitor needs to be established.
-
-To configure and test Azure AD single sign-on with LogicMonitor, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **LogicMonitor** in the search box.
+1. Select **LogicMonitor** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure LogicMonitor Single Sign-On](#configure-logicmonitor-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create LogicMonitor test user](#create-logicmonitor-test-user)** - to have a counterpart of Britta Simon in LogicMonitor that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for LogicMonitor
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with LogicMonitor using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in LogicMonitor.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with LogicMonitor, perform the following steps:
-To configure Azure AD single sign-on with LogicMonitor, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure LogicMonitor SSO](#configure-logicmonitor-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create LogicMonitor test user](#create-logicmonitor-test-user)** - to have a counterpart of B.Simon in LogicMonitor that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **LogicMonitor** application integration page, select **Single sign-on**.
+### Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **LogicMonitor** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
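Review bot: the step list rewritten at the end of this hunk switches to "1." for every item, but the unchanged step that follows ("4. On the **Basic SAML Configuration** section, perform the following steps:") keeps its explicit number, so the list now mixes the two schemes; CommonMark renderers will still count 1 to 4, but the source is inconsistent. Convert the remaining explicit numbers in this list to "1." as well, or leave explicit numbering throughout.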
@@ -112,13 +88,32 @@ To configure Azure AD single sign-on with LogicMonitor, perform the following st
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
- b. Azure Ad Identifier
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
-### Configure LogicMonitor Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to LogicMonitor.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **LogicMonitor**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+### Configure LogicMonitor SSO
1. Log in to your **LogicMonitor** company site as an administrator.
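Review bot: removing "a. Login URL", "b. Azure Ad Identifier" and "c. Logout URL" after the "Copy configuration URLs" screenshot in this hunk leaves the reader with a picture and no statement of which values to copy, while the LogicMonitor-side Single Sign On settings configured later in the file consume exactly those values; keep a one-line list of the three names (with "Azure AD Identifier" capitalised correctly) or fold them into the sentence that introduces the screenshot. The inserted Create and Assign sections themselves read fine and match the other tutorials in this batch.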
@@ -126,7 +121,7 @@ To configure Azure AD single sign-on with LogicMonitor, perform the following st
![Settings](./media/logicmonitor-tutorial/ic790052.png "Settings")
-3. In the navigation bat on the left side, click **Single Sign On**
+3. In the navigation bat on the left side, click **Single Sign On**.
![Single Sign-On](./media/logicmonitor-tutorial/ic790053.png "Single Sign-On")
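Review bot: the only change to step 3 in this hunk is a trailing period, which leaves the typo "navigation bat" in place; since the line is being touched, make it "In the navigation bar on the left side, click **Single Sign On**."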
@@ -142,57 +137,6 @@ To configure Azure AD single sign-on with LogicMonitor, perform the following st
d. Click **Save Changes**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to LogicMonitor.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **LogicMonitor**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **LogicMonitor**.
-
- ![The LogicMonitor link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create LogicMonitor test user For Azure AD users to be able to sign in, they must be provisioned to the LogicMonitor application using their Azure Active Directory user names.
@@ -220,16 +164,16 @@ For Azure AD users to be able to sign in, they must be provisioned to the LogicM
> [!NOTE] > You can use any other LogicMonitor user account creation tools or APIs provided by LogicMonitor to provision Azure Active Directory user accounts.
-### Test single sign-on
+### Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the LogicMonitor tile in the Access Panel, you should be automatically signed in to the LogicMonitor for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to LogicMonitor Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to LogicMonitor Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the LogicMonitor tile in the My Apps, you should be automatically signed in to the LogicMonitor for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)\ No newline at end of file
+Once you configure LogicMonitor you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
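Review bot: the Next steps paragraph at the end of this hunk has the mis-encoded apostrophe ("organizationΓÇÖs") that should be "organization's", and "with following options" needs "the". The My Apps bullet also changes the removed line's repo-relative link ("../user-help/my-apps-portal-end-user-access.md") to an absolute docs.microsoft.com URL; keep the relative form so the file's link style stays uniform.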
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/lucidchart-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/lucidchart-tutorial.md
@@ -9,7 +9,7 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 01/16/2020
+ms.date: 01/15/2021
ms.author: jeedes ---
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate Lucidchart with Azure Active Dir
* Enable your users to be automatically signed-in to Lucidchart with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -36,13 +34,12 @@ In this tutorial, you configure and test Azure AD SSO in a test environment.
* Lucidchart supports **SP** initiated SSO * Lucidchart supports **Just In Time** user provisioning
-* Once you configure the Lucidchart you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session controls extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
-## Adding Lucidchart from the gallery
+## Add Lucidchart from the gallery
To configure the integration of Lucidchart into Azure AD, you need to add Lucidchart from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
@@ -50,11 +47,11 @@ To configure the integration of Lucidchart into Azure AD, you need to add Lucidc
1. Select **Lucidchart** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Lucidchart
+## Configure and test Azure AD SSO for Lucidchart
Configure and test Azure AD SSO with Lucidchart using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Lucidchart.
-To configure and test Azure AD SSO with Lucidchart, complete the following building blocks:
+To configure and test Azure AD SSO with Lucidchart, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
@@ -67,15 +64,15 @@ To configure and test Azure AD SSO with Lucidchart, complete the following build
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Lucidchart** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Lucidchart** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+4. On the **Basic SAML Configuration** section, enter the values for the following fields:
- In the **Sign-on URL** text box, type a URL as:
+ In the **Sign-on URL** text box, type the URL as:
`https://chart2.office.lucidchart.com/saml/sso/azure` 5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
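Review bot: changing "1." to "4." for the Basic SAML Configuration step in this hunk goes the opposite direction from the three steps just above it, which use "1." auto-numbering, and the list then continues with an explicit "5." on the unchanged line, so the source ends up mixed; pick one scheme for the whole list. The wording change to "type the URL as" is right, since the Sign-on URL on the next line (https://chart2.office.lucidchart.com/saml/sso/azure) is a fixed value rather than a tenant-specific placeholder.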
@@ -86,12 +83,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
+
### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
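Review bot: the single added line in this hunk is whitespace only (a "+" followed by spaces), which introduces trailing whitespace and nothing else; drop it. The removed lettered list ("a. Login URL", "b. Azure Ad Identifier", "c. Logout URL") was the only text naming the values to copy from the "Copy configuration URLs" screenshot, and the Lucidchart SSO section later in the file needs them; if the lettered list is unwanted, name the three values in prose instead.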
@@ -111,15 +103,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Lucidchart**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Lucidchart SSO
@@ -160,20 +146,14 @@ If there is no user account available yet, it is automatically created by Lucidc
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Lucidchart tile in the Access Panel, you should be automatically signed in to the Lucidchart for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal. This will redirect to Lucidchart Sign-on URL where you can initiate the login flow.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Go to Lucidchart Sign-on URL directly and initiate the login flow from there.
-- [Try Lucidchart with Azure AD](https://aad.portal.azure.com/)
+* You can use Microsoft My Apps. When you click the Lucidchart tile in the My Apps, you should be automatically signed in to the Lucidchart for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Lucidchart with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)\ No newline at end of file
+ Once you configure the Lucidchart you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session controls extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
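Review bot: The new "Next steps" paragraph starts with a stray leading space and "the Lucidchart" (drop the article), and "protect exfiltration and infiltration" should be "protect against exfiltration and infiltration"; the new intro line "with following options" needs "the". The My Apps link replaces the relative `../user-help/my-apps-portal-end-user-access.md` with an absolute `https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction` URL; every other cross-reference on this page is a relative link to a current article, so check that this older slug is the intended target rather than the page the removed link pointed to.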
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/mimecast-admin-console-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mimecast-admin-console-tutorial.md
@@ -9,7 +9,7 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 05/21/2020
+ms.date: 01/15/2021
ms.author: jeedes ---
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate Mimecast Admin Console with Azur
* Enable your users to be automatically signed-in to Mimecast Admin Console with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -35,24 +33,23 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Mimecast Admin Console supports **SP and IDP** initiated SSO
-* Once you configure Mimecast Admin Console you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
-## Adding Mimecast Admin Console from the gallery
+## Add Mimecast Admin Console from the gallery
To configure the integration of Mimecast Admin Console into Azure AD, you need to add Mimecast Admin Console from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Mimecast Admin Console** in the search box. 1. Select **Mimecast Admin Console** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Mimecast Admin Console
+## Configure and test Azure AD SSO for Mimecast Admin Console
Configure and test Azure AD SSO with Mimecast Admin Console using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Mimecast Admin Console.
-To configure and test Azure AD SSO with Mimecast Admin Console, complete the following building blocks:
+To configure and test Azure AD SSO with Mimecast Admin Console, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
@@ -65,15 +62,15 @@ To configure and test Azure AD SSO with Mimecast Admin Console, complete the fol
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Mimecast Admin Console** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Mimecast Admin Console** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, if you wish to configure the application in IDP initiated mode, perform the following steps:
- a. In the **Identifier** textbox, type a URL using the following pattern:
+ a. In the **Identifier** textbox, type the URL using the following pattern:
| Region | Value | | --------------- | --------------- |
@@ -86,7 +83,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
> [!NOTE] > You will find the `accountcode` value in the Mimecast Admin Console under **Account** > **Settings** > **Account Code**. Append the `accountcode` to the Identifier.
- b. In the **Reply URL** textbox, type a URL:
+ b. In the **Reply URL** textbox, type the URL:
| Region | Value | | --------------- | --------------- |
@@ -98,7 +95,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
1. If you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** textbox, type a URL:
+ In the **Sign-on URL** textbox, type the URL:
| Region | Value | | --------------- | --------------- |
@@ -133,15 +130,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Mimecast Admin Console**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Mimecast Admin Console SSO
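Review bot: Same gap as in the Lucidchart assignment hunk: the `-` lines delete "Select **Add user** ..." and "In the **Users and groups** dialog, select **B.Simon** ...", and nothing in this hunk re-adds them, so the visible procedure goes from **Users and groups** directly to **Select a role**. Please restore those two steps (or point to where they moved). Also prefer `the "Default Access" role` in the new sentence.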
@@ -200,7 +191,7 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
a. In the **Email Address** textbox, enter the email address of the user like `B.Simon@yourdomainname.com`.
- b. In the **GLobal Name** textbox, enter the **Full name** of the user.
+ b. In the **Global Name** textbox, enter the **Full name** of the user.
c. In the **Password** and **Confirm Password** textboxes, enter the password of the user.
@@ -214,20 +205,20 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Mimecast Admin Console tile in the Access Panel, you should be automatically signed in to the Mimecast Admin Console for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Mimecast Admin Console Sign on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Mimecast Admin Console Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Mimecast Admin Console for which you set up the SSO
-- [Try Mimecast Admin Console with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Mimecast Admin Console tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Mimecast Admin Console for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Mimecast Admin Console with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)\ No newline at end of file
+Once you configure Mimecast Admin Console you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
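Review bot: Inconsistent hyphenation in the new SP-initiated bullets: the first says `Mimecast Admin Console Sign on URL` and the second `Sign-on URL` (the field configured earlier in this tutorial is **Sign-on URL**, so use the hyphenated form in both); the IDP-initiated bullet is missing its terminal period, and "with following options" needs "the". The closing `\ No newline at end of file` marker still applies to the new last line, so the file continues to end without a newline; add one. As in the other Test SSO hunks, the My Apps link swaps a relative link for an absolute `docs.microsoft.com` URL to an older slug, which is worth double-checking.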
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/mimecast-personal-portal-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mimecast-personal-portal-tutorial.md
@@ -9,7 +9,7 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 05/21/2020
+ms.date: 01/15/2021
ms.author: jeedes ---
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate Mimecast Personal Portal with Az
* Enable your users to be automatically signed-in to Mimecast Personal Portal with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -35,24 +33,23 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Mimecast Personal Portal supports **SP and IDP** initiated SSO
-* Once you configure Mimecast Personal Portal you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
-
-## Adding Mimecast Personal Portal from the gallery
+
+## Add Mimecast Personal Portal from the gallery
To configure the integration of Mimecast Personal Portal into Azure AD, you need to add Mimecast Personal Portal from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Mimecast Personal Portal** in the search box. 1. Select **Mimecast Personal Portal** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Mimecast Personal Portal
+## Configure and test Azure AD SSO for Mimecast Personal Portal
Configure and test Azure AD SSO with Mimecast Personal Portal using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Mimecast Personal Portal.
-To configure and test Azure AD SSO with Mimecast Personal Portal, complete the following building blocks:
+To configure and test Azure AD SSO with Mimecast Personal Portal, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
@@ -65,15 +62,15 @@ To configure and test Azure AD SSO with Mimecast Personal Portal, complete the f
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Mimecast Personal Portal** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Mimecast Personal Portal** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, if you wish to configure the application in IDP initiated mode, perform the following steps:
- a. In the **Identifier** textbox, type a URL using the following pattern:
+ a. In the **Identifier** textbox, type the URL using the following pattern:
| Region | Value | | --------------- | --------------- |
@@ -86,7 +83,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
> [!NOTE] > You will find the `accountcode` value in the Mimecast Personal Portal under **Account** > **Settings** > **Account Code**. Append the `accountcode` to the Identifier.
- b. In the **Reply URL** textbox, type a URL:
+ b. In the **Reply URL** textbox, type the URL:
| Region | Value | | --------------- | --------------- |
@@ -98,7 +95,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
1. If you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** textbox, type a URL:
+ In the **Sign-on URL** textbox, type the URL:
| Region | Value | | --------------- | --------------- |
@@ -128,20 +125,14 @@ In this section, you'll create a test user in the Azure portal called B.Simon.
### Assign the Azure AD test user
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Mimecast Personal Portal.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Mimecast Personal Portal .
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Mimecast Personal Portal**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Mimecast Personal Portal SSO
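Review bot: The only change to the section intro introduces an error: `+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Mimecast Personal Portal .` adds a stray space before the period, while the removed line was correct; revert that edit. As in the two sibling assignment hunks, the deleted "Select **Add user** ..." and "select **B.Simon** ..." steps have no replacement here, so please restore them or confirm where they moved.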
@@ -200,7 +191,7 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
a. In the **Email Address** textbox, enter the email address of the user like `B.Simon@yourdomainname.com`.
- b. In the **GLobal Name** textbox, enter the **Full name** of the user.
+ b. In the **Global Name** textbox, enter the **Full name** of the user.
c. In the **Password** and **Confirm Password** textboxes, enter the password of the user.
@@ -214,21 +205,20 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Test SSO
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Mimecast Personal Portal tile in the Access Panel, you should be automatically signed in to the Mimecast Personal Portal for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Mimecast Personal Portal Sign on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Mimecast Personal Portal Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Mimecast Personal Portal for which you set up the SSO
-- [Try Mimecast Personal Portal with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Mimecast Personal Portal tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Mimecast Personal Portal for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Mimecast Personal Portal with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)\ No newline at end of file
+Once you configure Mimecast Personal Portal you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app)
\ No newline at end of file
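Review bot: The new "Next steps" sentence ends at the link `...proxy-deployment-any-app)` with no terminal period (the Admin Console counterpart in this batch has one), and the trailing `\ No newline at end of file` marker shows the file still lacks a final newline. The SP-initiated bullets again mix `Sign on URL` and `Sign-on URL`, the IDP-initiated bullet lacks a period, and "with following options" needs "the"; fix these consistently with the Admin Console tutorial so the two Mimecast pages read identically.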
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/mobileiron-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mobileiron-tutorial.md
@@ -9,20 +9,16 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 12/31/2018
+ms.date: 01/12/2021
ms.author: jeedes --- # Tutorial: Azure Active Directory integration with MobileIron
-In this tutorial, you learn how to integrate MobileIron with Azure Active Directory (Azure AD).
-Integrating MobileIron with Azure AD provides you with the following benefits:
+ In this tutorial, you'll learn how to integrate MobileIron with Azure Active Directory (Azure AD). When you integrate MobileIron with Azure AD, you can:
-* You can control in Azure AD who has access to MobileIron.
-* You can enable your users to be automatically signed-in to MobileIron (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to MobileIron.
+* Enable your users to be automatically signed in to MobileIron with their Azure AD accounts.
+* Manage your accounts in one central location: the Azure portal.
## Prerequisites
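Review bot: The new intro line `+ In this tutorial, you'll learn how to integrate MobileIron with Azure Active Directory (Azure AD).` carries a leading space that the other tutorials in this batch do not; remove it. The removed sentence "If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin." has no replacement in this hunk and the new Prerequisites body is not shown, so confirm the subscription requirement was moved there rather than dropped.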
@@ -37,76 +33,52 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* MobileIron supports **SP and IDP** initiated SSO
-## Adding MobileIron from the gallery
+## Add MobileIron from the gallery
To configure the integration of MobileIron into Azure AD, you need to add MobileIron from the gallery to your list of managed SaaS apps.
-**To add MobileIron from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **MobileIron**, select **MobileIron** from result panel then click **Add** button to add the application.
-
- ![MobileIron in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with MobileIron based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in MobileIron needs to be established.
-
-To configure and test Azure AD single sign-on with MobileIron, you need to complete the following building blocks:
+1. Sign in to the Azure portal by using either a work or school account, or a personal Microsoft account.
+1. On the left pane, select **Azure Active Directory**.
+1. Go to **Enterprise Applications**, and then select **All Applications**.
+1. To add a new application, select **New application**.
+1. In the **Add from the gallery** section, type **MobileIron** in the search box.
+1. Select **MobileIron** from the results, and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure MobileIron Single Sign-On](#configure-mobileiron-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create MobileIron test user](#create-mobileiron-test-user)** - to have a counterpart of Britta Simon in MobileIron that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for MobileIron
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with MobileIron, by using a test user called **B.Simon**. For SSO to work, you need to establish a linked relationship between an Azure AD user and the related user in MobileIron.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with MobileIron, perform the following steps:
-To configure Azure AD single sign-on with MobileIron, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+2. **[Configure MobileIron SSO](#configure-mobileiron-sso)** - to configure the Single Sign-On settings on application side.
+ 1. **[Create MobileIron test user](#create-mobileiron-test-user)** - to have a counterpart of Britta Simon in MobileIron that is linked to the Azure AD representation of user.
+6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **MobileIron** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+In this section, you enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **MobileIron** application integration page, find the **Manage** section and select **Single Sign-On**.
+1. On the **Select a Single Sign-On Method** page, select **SAML**.
+1. On the **Set up Single Sign-On with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 4. On the **Basic SAML Configuration** section, perform the following steps if you wish to configure the application in **IDP** initiated mode:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://www.mobileiron.com/<key>`
+ `https://www.MobileIron.com/<key>`
b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<host>.mobileiron.com/saml/SSO/alias/<key>`
+ `https://<host>.MobileIron.com/saml/SSO/alias/<key>`
c. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
-
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<host>.mobileiron.com/user/login.html`
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<host>.MobileIron.com/user/login.html`
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. You will get the values of key and host from the ΓÇïadministrativeΓÇï ΓÇïportal of MobileIron which is explained later in the tutorial.
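Review bot: The URL patterns should not have been touched: the `+` lines change `https://www.mobileiron.com/<key>` to `https://www.MobileIron.com/<key>`, and likewise the Reply URL and Sign-on URL. The Identifier (Entity ID) is compared as a string against the Issuer the application sends, so capitalising part of it can break the SAML exchange; this looks like a find-and-replace on the product name that also hit URLs, so revert the three patterns to lowercase. Separately, the "Configure and test Azure AD SSO for MobileIron" list numbers its items 1, 1, 1, 2, 1, 6 (the last should be 3), and the intro now says **B.Simon** while the nested items still say Britta Simon; the NOTE context line also still carries the `ΓÇï` mojibake (zero-width spaces) around "administrative portal", worth cleaning while this section is being rewritten.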
@@ -115,74 +87,48 @@ To configure Azure AD single sign-on with MobileIron, perform the following step
![The Certificate download link](common/metadataxml.png)
-### Configure MobileIron Single Sign-On
-
-1. In a different web browser window, log in to your MobileIron company site as an administrator.
-
-2. Go to **Admin** > **Identity** and select **AAD** option in the **Info on Cloud IDP Setup** field.
-
- ![Screenshot shows the Admin tab of MobileIron site with Identity selected.](./media/mobileiron-tutorial/tutorial_mobileiron_admin.png)
-
-3. Copy the values of **Key** and **Host** and paste them to complete the URLs in the **Basic SAML Configuration** section in Azure portal.
-
- ![Screenshot shows the Setting Up SAML option with a key and host value.](./media/mobileiron-tutorial/key.png)
-
-4. In the **ExportΓÇïΓÇï ΓÇïmetadataΓÇï file ΓÇïfromΓÇï ΓÇïAΓÇïADΓÇï and import to MobileIron Cloud Field** click **Choose File** to upload the downloaded metadata from Azure portal. Click **Done** once uploaded.
-
- ![Configure Single Sign-On admin metadata button](./media/mobileiron-tutorial/tutorial_mobileiron_adminmetadata.png)
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
+In this section, you create a test user in the Azure portal called B.Simon.
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory** > **Users** > **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write the password down.
+ 1. Select **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to MobileIron.
+In this section, you enable B.Simon to use Azure single sign-on by granting access to MobileIron.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **MobileIron**.
+1. In the Azure portal, select **Enterprise Applications** > **All applications**.
+1. In the applications list, select **MobileIron**.
+1. In the app's overview page, find the **Manage** section, and select **Users and groups**.
+1. Select **Add user**. Then, in the **Add Assignment** dialog box, select **Users and groups**.
+1. In the **Users and groups** dialog box, select **B.Simon** from the list of users. Then choose **Select** at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog box, select **Assign**.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure MobileIron SSO
-2. In the applications list, type and select **MobileIron**.
-
- ![The MobileIron link in the Applications list](common/all-applications.png)
+1. In a different web browser window, log in to your MobileIron company site as an administrator.
-3. In the menu on the left, select **Users and groups**.
+2. Go to **Admin** > **Identity** and select **AAD** option in the **Info on Cloud IDP Setup** field.
- ![The "Users and groups" link](common/users-groups-blade.png)
+ ![Screenshot shows the Admin tab of MobileIron site with Identity selected.](./media/MobileIron-tutorial/tutorial_MobileIron_admin.png)
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
+3. Copy the values of **Key** and **Host** and paste them to complete the URLs in the **Basic SAML Configuration** section in Azure portal.
- ![The Add Assignment pane](common/add-assign-user.png)
+ ![Screenshot shows the Setting Up SAML option with a key and host value.](./media/MobileIron-tutorial/key.png)
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+4. In the **ExportΓÇïΓÇï ΓÇïmetadataΓÇï file ΓÇïfromΓÇï ΓÇïAΓÇïADΓÇï and import to MobileIron Cloud Field** click **Choose File** to upload the downloaded metadata from Azure portal. Click **Done** once uploaded.
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+ ![Configure Single Sign-On admin metadata button](./media/MobileIron-tutorial/tutorial_MobileIron_adminmetadata.png)
-7. In the **Add Assignment** dialog click the **Assign** button.
-### Create MobileIron test user
+## Create MobileIron test user
To enable Azure AD users to log in to MobileIron, they must be provisioned into MobileIron. In the case of MobileIron, provisioning is a manual task.
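Review bot: in step 4 of the new **Configure MobileIron SSO** section, the bold UI label `**ExportΓÇïΓÇï ΓÇïmetadataΓÇï file ΓÇïfromΓÇï ΓÇïAΓÇïADΓÇï and import to MobileIron Cloud Field**` carries non-printing characters between the words (rendered here as `ΓÇï`); they survive into the published page and defeat search and copy-paste of the label, so retype it as plain text, e.g. `**Export metadata file from AAD and import to MobileIron Cloud**`. Step 3 sends the reader back to the **Basic SAML Configuration** section in the Azure portal, which in the new ordering was completed before this section; say explicitly that the **Key** and **Host** values are what that earlier section's URL patterns are built from, or move the step so the values are collected first. The three new screenshot paths use the mixed-case directory `./media/MobileIron-tutorial/` and file names such as `tutorial_MobileIron_admin.png`; the NetDocuments tutorial in this same change uses lowercase (`./media/netdocuments-tutorial/`), and a casing mismatch with the directory actually in the repo breaks the image on a case-sensitive file system.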
@@ -193,11 +139,11 @@ In the case of MobileIron, provisioning is a manual task.
1. Go to **Users** and Click on **Add** > **Single User**.
- ![Configure Single Sign-On user button](./media/mobileiron-tutorial/tutorial_mobileiron_user.png)
+ ![Configure Single Sign-On user button](./media/MobileIron-tutorial/tutorial_MobileIron_user.png)
1. On the **ΓÇ£Single UserΓÇ¥** dialog page, perform the following steps:
- ![Configure Single Sign-On user add button](./media/mobileiron-tutorial/tutorial_mobileiron_useradd.png)
+ ![Configure Single Sign-On user add button](./media/MobileIron-tutorial/tutorial_MobileIron_useradd.png)
a. In **E-mail Address** text box, enter the email of user like brittasimon@contoso.com.
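Review bot: the two image paths in this hunk change only in casing, from `./media/mobileiron-tutorial/tutorial_mobileiron_user.png` to `./media/MobileIron-tutorial/tutorial_MobileIron_user.png` (and likewise for `_useradd.png`); unless the media directory was renamed in the same commit, that breaks both links on a case-sensitive file system, and the lowercase form is the one every other tutorial path in this change uses. The unchanged context line `a. In **E-mail Address** text box, enter the email of user like brittasimon@contoso.com.` still uses the old test-user name although the rest of the tutorial was renamed to `B.Simon@contoso.com`; update it in the same change.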
@@ -207,16 +153,22 @@ In the case of MobileIron, provisioning is a manual task.
d. Click **Done**.
-### Test single sign-on
+## Test SSO
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+## SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to MobileIron Sign on URL where you can initiate the login flow.
+
+* Go to MobileIron Sign-on URL directly and initiate the login flow from there.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## IDP initiated:
-When you click the MobileIron tile in the Access Panel, you should be automatically signed in to the MobileIron for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the MobileIron for which you set up the SSO.
-## Additional Resources
+You can also use Microsoft My Apps to test the application in any mode. When you click the MobileIron tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the MobileIron for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md) -- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)\ No newline at end of file
+Once you configure the MobileIron you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
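Review bot: the new `## SP initiated:` and `## IDP initiated:` headings sit at the same level as `## Test SSO`, so they render as top-level sections rather than sub-sections of the test step; the OneTrust tutorial in this same change uses `#### SP initiated:` under `### Test SSO`, so demote these two and drop the trailing colons, which no other heading carries. Both modes open with `Click on **Test this application** in Azure portal` but describe different outcomes; the final paragraph already explains that the behaviour depends on whether the app was configured in SP or IDP mode, so state that once at the top of the section instead of in two contradictory-looking bullets. In the Next steps paragraph, `Session controls extends from Conditional Access` should be `Session control extends`, as in the NetDocuments wording in this change.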
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/netdocuments-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/netdocuments-tutorial.md
@@ -9,7 +9,7 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 09/03/2019
+ms.date: 01/12/2021
ms.author: jeedes ---
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate NetDocuments with Azure Active D
* Enable your users to be automatically signed-in to NetDocuments with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -40,14 +38,14 @@ In this tutorial, you configure and test Azure AD SSO in a test environment.
To configure the integration of NetDocuments into Azure AD, you need to add NetDocuments from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **NetDocuments** in the search box. 1. Select **NetDocuments** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for NetDocuments
+## Configure and test Azure AD SSO for NetDocuments
Configure and test Azure AD SSO with NetDocuments using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in NetDocuments.
@@ -64,7 +62,7 @@ To configure and test Azure AD SSO with NetDocuments, complete the following bui
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **NetDocuments** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **NetDocuments** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
@@ -72,25 +70,46 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://vault.netvoyage.com/neWeb2/docCent.aspx?whr=<Repository ID>`
+ a. In the **Sign on URL** text box, type one of the following URL patterns:
- b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://vault.netvoyage.com/neWeb2/docCent.aspx?whr=<Repository ID>`
-
- c. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `http://netdocuments.com/VAULT`
+ |Sign on URL|
+ |-----------|
+ |`https://vault.netvoyage.com/neWeb2/docCent.aspx?whr=<Repository ID>`|
+ |`https://eu.netdocuments.com/neWeb2/docCent.aspx?whr=<Repository ID>`|
+ |`https://de.netdocuments.com/neWeb2/docCent.aspx?whr=<Repository ID>`|
+ |`https://au.netdocuments.com/neWeb2/docCent.aspx?whr=<Repository ID>`|
+ |
+
+ b. In the **Identifier (Entity ID)** text box, type one of the URLs:
+
+ |Identifier|
+ |-----------|
+ |`http://netdocuments.com/VAULT`|
+ |`http://netdocuments.com/EU`|
+ |`http://netdocuments.com/AU`|
+ |`http://netdocuments.com/DE`|
+ |
+
+ c. In the **Reply URL** text box, type one of the following URL patterns:
+
+ |Reply URL|
+ |-----------|
+ |`https://vault.netvoyage.com/neWeb2/docCent.aspx?whr=<Repository ID>`|
+ |`https://eu.netdocuments.com/neWeb2/docCent.aspx?whr=<Repository ID>`|
+ |`https://de.netdocuments.com/neWeb2/docCent.aspx?whr=<Repository ID>`|
+ |`https://au.netdocuments.com/neWeb2/docCent.aspx?whr=<Repository ID>`|
+ |
> [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Reply URL. Repository ID is a value starting with **CA-** followed by 8 character code associated with your NetDocuments Repository. You can check the [NetDocuments Federated Identity support document](https://support.netdocuments.com/hc/en-us/articles/205220410-Federated-Identity-Login) for more information. Alternatively you can contact [NetDocuments Client support team](https://support.netdocuments.com/hc/) to get these values if you have difficulties configuring using the above information. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Sign on URL and Reply URL. Repository ID is a value starting with **CA-** followed by 8 character code associated with your NetDocuments Repository. You can check the [NetDocuments Federated Identity support document](https://support.netdocuments.com/hc/en-us/articles/205220410-Federated-Identity-Login) for more information. Alternatively you can contact [NetDocuments Client support team](https://support.netdocuments.com/hc/) to get these values if you have difficulties configuring using the above information . You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-1. NetDocuments application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes, where as **nameidentifier** is mapped with **user.userprincipalname**. NetDocuments application expects **nameidentifier** to be mapped with **employeeid** or any other claim which is applicable to your Organization as **nameidentifier**, so you need to edit the attribute mapping by clicking on **Edit** icon and change the attribute mapping.
+1. NetDocuments application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes, where as **nameidentifier** is mapped with **user.userprincipalname**. NetDocuments application expects **nameidentifier** to be mapped with **ObjectID** or any other claim which is applicable to your Organization as **nameidentifier**, so you need to edit the attribute mapping by clicking on **Edit** icon and change the attribute mapping.
![image](common/edit-attribute.png)
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **App Federation Metadata URL** and copy the URL.
- ![The Certificate download link](common/metadataxml.png)
+ ![The Certificate download link](common/copy-metadataurl.png)
1. On the **Set up NetDocuments** section, copy the appropriate URL(s) based on your requirement.
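Review bot: the **SAML Signing Certificate** step is changed from downloading **Federation Metadata XML** to copying the **App Federation Metadata URL**, but the NetDocuments-side step later in this diff (`b. Select **Choose File**, to upload the downloaded metadata file which you have downloaded from Azure portal.`) is unchanged and still expects a file; keep the download step here or change the NetDocuments step to paste the URL, whichever the **Federated ID** tab actually accepts, and update the alt text `The Certificate download link`, which no longer describes the new `common/copy-metadataurl.png` screenshot. In the attribute-mapping paragraph, `ObjectID` is not the name of an Azure AD source attribute; write it as `user.objectid` to match the `user.userprincipalname` form used in the same sentence, and say what NetDocuments matches the NameID against, because `any other claim which is applicable to your Organization` gives an administrator no way to choose the right value. Each of the three new tables ends with a bare `|` line, which renders as an empty row; remove it. The only change to the note inserts a space before the period (`using the above information .`); revert that.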
@@ -115,15 +134,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **NetDocuments**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure NetDocuments SSO
@@ -134,7 +147,7 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
3. Select **Security Center**.
- ![Screenshot shows Security Center selected from Legal Documents.](./media/netdocuments-tutorial/security-center.png "Security Center")
+ ![Repository](./media/netdocuments-tutorial/security-center.png "Security Center")
4. Select **Advanced Authentication**.
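Review bot: the alt text is downgraded from `Screenshot shows Security Center selected from Legal Documents.` to `Repository`, which does not describe the image and duplicates nothing useful (the title attribute already says "Security Center"); keep the descriptive alt text, since it is what screen readers announce.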
@@ -142,9 +155,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
5. On the **Federated ID** tab, perform the following steps:
- ![Federated Identity](./media/netdocuments-tutorial/federated-id.png "Federated Identity")
+ [ ![Federated Identity](./media/netdocuments-tutorial/federated-id.png "Federated Identity")](./media/netdocuments-tutorial/federated-id.png#lightbox)
- a. As **Federated identity server type**, select **Active Directory Federation Services**.
+ a. For **Federated identity server type**, select as **Windows Azure Active Directory**.
b. Select **Choose File**, to upload the downloaded metadata file which you have downloaded from Azure portal.
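Review bot: step a now reads `select as **Windows Azure Active Directory**`; drop the `as`. Also confirm that `Windows Azure Active Directory` is the label the **Federated identity server type** dropdown actually shows, since it is the legacy product name and the surrounding text says Azure AD. Step b (unchanged context) still uploads a downloaded metadata file, while the Azure-side step earlier in this diff was changed to copy the **App Federation Metadata URL** instead of downloading the XML; the two steps have to agree on file versus URL.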
@@ -164,7 +177,7 @@ To enable Azure AD users to sign in to NetDocuments, they must be provisioned in
3. Select **Users and groups**.
- ![Screenshot shows Users & Groups selected from Legal Documents.](./media/netdocuments-tutorial/users-groups.png "Repository")
+ ![Users and groups](./media/netdocuments-tutorial/users-groups.png "Repository")
4. In the **Email Address** textbox, type the email address of a valid Azure Active Directory account you want to provision, and then click **Add User**.
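Review bot: the alt text `Screenshot shows Users & Groups selected from Legal Documents.` is replaced by `Users and groups`, losing the description of where the option sits; keep the descriptive form for accessibility, as with the Security Center screenshot above.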
@@ -176,16 +189,15 @@ To enable Azure AD users to sign in to NetDocuments, they must be provisioned in
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the NetDocuments tile in the Access Panel, you should be automatically signed in to the NetDocuments for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to NetDocuments Sign-on URL where you can initiate the login flow.
-## Additional resources
+* Go to NetDocuments Sign-on URL directly and initiate the login flow from there.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the NetDocuments tile in the My Apps, you should be automatically signed in to the NetDocuments for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md) -- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try NetDocuments with Azure AD](https://aad.portal.azure.com/)\ No newline at end of file
+Once you configure NetDocuments you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
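Review bot: the My Apps link is changed to the absolute URL `https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction` (an old article slug), while the MobileIron hunk in this same change uses the repo-relative `../user-help/my-apps-portal-end-user-access.md`; use the relative link so the build validates it, and do the same for the Cloud App Security link, which is `/cloud-app-security/proxy-deployment-any-app` in MobileIron and a full `https://docs.microsoft.com/...` URL here. The third bullet says the My Apps tile signs the user in automatically, but this tutorial only configures a Sign-on URL (SP-initiated), and the MobileIron text in this diff correctly states that in SP mode the tile redirects to the application's sign-on page; align the wording.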
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/netsuite-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/netsuite-tutorial.md
@@ -9,7 +9,7 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 11/09/2020
+ms.date: 01/20/2021
ms.author: jeedes ---
@@ -36,7 +36,6 @@ NetSuite supports:
* IDP-initiated SSO. * JIT (just-in-time) user provisioning.
-* [Automated user provisioning](NetSuite-provisioning-tutorial.md).
> [!NOTE] > Because the identifier of this application is a fixed string value, only one instance can be configured in one tenant.
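Review bot: this hunk deletes the `[Automated user provisioning](NetSuite-provisioning-tutorial.md)` bullet with no explanation; if automated provisioning for NetSuite is no longer supported, that belongs in the commit message. If the bullet was removed because the link was broken, note that the target was written with a capitalised file name (`NetSuite-provisioning-tutorial.md`) while every other tutorial path in this change is lowercase, so correcting the casing may be the right fix instead of dropping the capability from the supported list.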
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/onetrust-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/onetrust-tutorial.md
@@ -9,27 +9,23 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 03/13/2019
+ms.date: 01/13/2021
ms.author: jeedes --- # Tutorial: Azure Active Directory integration with OneTrust Privacy Management Software
-In this tutorial, you learn how to integrate OneTrust Privacy Management Software with Azure Active Directory (Azure AD).
-Integrating OneTrust Privacy Management Software with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate OneTrust Privacy Management Software with Azure Active Directory (Azure AD). When you integrate OneTrust Privacy Management Software with Azure AD, you can:
-* You can control in Azure AD who has access to OneTrust Privacy Management Software.
-* You can enable your users to be automatically signed-in to OneTrust Privacy Management Software (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to OneTrust Privacy Management Software.
+* Enable your users to be automatically signed in to OneTrust Privacy Management Software with their Azure AD accounts.
+* Manage your accounts in one central location: the Azure portal.
## Prerequisites To configure Azure AD integration with OneTrust Privacy Management Software, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* OneTrust Privacy Management Software single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/).
+* OneTrust Privacy Management Software single sign-on enabled subscription.
## Scenario description
@@ -39,65 +35,46 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* OneTrust Privacy Management Software supports **Just In Time** user provisioning
-## Adding OneTrust Privacy Management Software from the gallery
-
-To configure the integration of OneTrust Privacy Management Software into Azure AD, you need to add OneTrust Privacy Management Software from the gallery to your list of managed SaaS apps.
-
-**To add OneTrust Privacy Management Software from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **OneTrust Privacy Management Software**, select **OneTrust Privacy Management Software** from result panel then click **Add** button to add the application.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
- ![OneTrust Privacy Management Software in the results list](common/search-new-app.png)
+## Add OneTrust Privacy Management Software from the gallery
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with OneTrust Privacy Management Software based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in OneTrust Privacy Management Software needs to be established.
-
-To configure and test Azure AD single sign-on with OneTrust Privacy Management Software, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure OneTrust Privacy Management Software Single Sign-On](#configure-onetrust-privacy-management-software-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create OneTrust Privacy Management Software test user](#create-onetrust-privacy-management-software-test-user)** - to have a counterpart of Britta Simon in OneTrust Privacy Management Software that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-### Configure Azure AD single sign-on
+To configure the integration of OneTrust Privacy Management Software into Azure AD, you need to add OneTrust Privacy Management Software from the gallery to your list of managed SaaS apps.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **OneTrust Privacy Management Software** in the search box.
+1. Select **OneTrust Privacy Management Software** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure Azure AD single sign-on with OneTrust Privacy Management Software, perform the following steps:
+## Configure and test Azure AD SSO for OneTrust Privacy Management Software
-1. In the [Azure portal](https://portal.azure.com/), on the **OneTrust Privacy Management Software** application integration page, select **Single sign-on**.
+Configure and test Azure AD SSO with OneTrust Privacy Management Software using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in OneTrust Privacy Management Software.
- ![Configure single sign-on link](common/select-sso.png)
+To configure and test Azure AD SSO with OneTrust Privacy Management Software, perform the following steps:
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure OneTrust Privacy Management Software SSO](#configure-onetrust-privacy-management-software-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create OneTrust Privacy Management Software test user](#create-onetrust-privacy-management-software-test-user)** - to have a counterpart of B.Simon inOneTrust Privacy Management Software that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Single sign-on select mode](common/select-saml-option.png)
+### Configure Azure AD SSO
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+In this section, you enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **OneTrust Privacy Management Software** application integration page, find the **Manage** section and select **Single Sign-On**.
+1. On the **Select a Single Sign-On Method** page, select **SAML**.
+1. On the **Set up Single Sign-On with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot that shows the "Basic S A M L Configuration" section with the "Identifier" and "Reply U R L" text boxes highlighted, and the "Save" button selected.](common/idp-intiated.png)
-
- a. In the **Identifier** text box, type a URL:
+ a. In the **Identifier** text box, type the URL:
`https://www.onetrust.com/saml2` b. In the **Reply URL** text box, type a URL using the following pattern:
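Review bot: in the new step list, `a counterpart of B.Simon inOneTrust Privacy Management Software` is missing a space. The restructured **Configure Azure AD SSO** steps switch to `1.` numbering, but the unchanged lines that follow continue with `4.` and `5.`; renumber them or leave the explicit numbers throughout. The step now reads `select **Single Sign-On**` and `**Select a Single Sign-On Method**`, while the NetDocuments tutorial in this same change writes `select **single sign-on**`; pick one capitalisation for the portal labels across the tutorials.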
@@ -105,9 +82,7 @@ To configure Azure AD single sign-on with OneTrust Privacy Management Software,
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![OneTrust Privacy Management Software Domain and URLs single sign-on information](common/metadata-upload-additional-signon.png)
-
- In the **Sign-on URL** text box, type a URL using the following pattern:
+ In the **Sign-on URL** text box, type a URL using the following pattern:
`https://<subdomain>.onetrust.com/auth/login` > [!NOTE]
@@ -121,66 +96,32 @@ To configure Azure AD single sign-on with OneTrust Privacy Management Software,
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure OneTrust Privacy Management Software Single Sign-On
-
-To configure single sign-on on **OneTrust Privacy Management Software** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [OneTrust Privacy Management Software support team](mailto:support@onetrust.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+In this section, you create a test user in the Azure portal called B.Simon.
+1. From the left pane in the Azure portal, select **Azure Active Directory** > **Users** > **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write the password down.
+ 1. Select **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to OneTrust Privacy Management Software.
+In this section, you enable B.Simon to use Azure single sign-on by granting access to OneTrust Privacy Management Software.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **OneTrust Privacy Management Software**.
+1. In the Azure portal, select **Enterprise Applications** > **All applications**.
+1. In the applications list, select **OneTrust Privacy Management Software**.
+1. In the app's overview page, find the **Manage** section, and select **Users and groups**.
+1. Select **Add user**. Then, in the **Add Assignment** dialog box, select **Users and groups**.
+1. In the **Users and groups** dialog box, select **B.Simon** from the list of users. Then choose **Select** at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog box, select **Assign**.
- ![Enterprise applications blade](common/enterprise-applications.png)
+### Configure OneTrust Privacy Management Software SSO
-2. In the applications list, select **OneTrust Privacy Management Software**.
-
- ![The OneTrust Privacy Management Software link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **OneTrust Privacy Management Software** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [OneTrust Privacy Management Software support team](mailto:support@onetrust.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create OneTrust Privacy Management Software test user
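Review bot: the closing sentence of the new Configure section, "They set this setting to have the SAML SSO connection set properly on both sides", is awkward and does not say what the support team does with the material; suggest "OneTrust support uses the metadata and URLs to configure the SAML trust on their side." In the same hunk, "appropriate copied URLs" should name the values the admin copied in the earlier step rather than leave it to guesswork, and "you see "Default Access" role selected" reads better as "the Default Access role is selected".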
@@ -189,16 +130,22 @@ In this section, a user called Britta Simon is created in OneTrust Privacy Manag
>[!Note] >If you need to create a user manually, Contact [OneTrust Privacy Management Software support team](mailto:support@onetrust.com).
-### Test single sign-on
+### Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Click on **Test this application** in Azure portal. This will redirect to OneTrust Privacy Management Software Sign on URL where you can initiate the login flow.
+
+* Go to OneTrust Privacy Management Software Sign-on URL directly and initiate the login flow from there.
-When you click the OneTrust Privacy Management Software tile in the Access Panel, you should be automatically signed in to the OneTrust Privacy Management Software for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the OneTrust Privacy Management Software for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the OneTrust Privacy Management Software tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the OneTrust Privacy Management Software for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)\ No newline at end of file
+Once you configure OneTrust Privacy Management Software you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
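Review bot: the Next steps sentence says session control "protects exfiltration and infiltration", which is the opposite of what is meant; write "protects against exfiltration and infiltration". The same line shows "organizationΓÇÖs", the curly apostrophe decoded in the wrong code page; check that the committed file contains a plain apostrophe. Smaller points in the Test SSO rewrite: "with following options" needs "the", the "#### SP initiated:" and "#### IDP initiated:" headings carry trailing colons that no other heading in the file uses, and the My Apps paragraph is one run-on sentence that should be split at "if configured in IDP mode".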
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/overdrive-books-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/overdrive-books-tutorial.md
@@ -9,27 +9,23 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 03/14/2019
+ms.date: 01/18/2021
ms.author: jeedes --- # Tutorial: Azure Active Directory integration with Overdrive
-In this tutorial, you learn how to integrate Overdrive with Azure Active Directory (Azure AD).
-Integrating Overdrive with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Overdrive with Azure Active Directory (Azure AD). When you integrate Overdrive with Azure AD, you can:
-* You can control in Azure AD who has access to Overdrive.
-* You can enable your users to be automatically signed-in to Overdrive (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Overdrive.
+* Enable your users to be automatically signed-in to Overdrive with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Overdrive, you need the following items:
-
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Overdrive single sign-on enabled subscription
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* A Overdrive single sign-on (SSO)-enabled subscription.
## Scenario description
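Review bot: "A Overdrive single sign-on (SSO)-enabled subscription" needs "An". Dropping the standalone "If you don't have an Azure subscription, create a free account" sentence is fine because the first prerequisites bullet now carries the same link.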
@@ -39,64 +35,42 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Overdrive supports **Just In Time** user provisioning
-## Adding Overdrive from the gallery
-
-To configure the integration of Overdrive into Azure AD, you need to add Overdrive from the gallery to your list of managed SaaS apps.
-
-**To add Overdrive from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
+## Add Overdrive from the gallery
-4. In the search box, type **Overdrive**, select **Overdrive** from result panel then click **Add** button to add the application.
+To configure the integration of Overdrive into Azure AD, add Overdrive from the gallery to your list of managed SaaS apps by doing the following:
+
+1. Sign in to the Azure portal with either a work or school account, or a personal Microsoft account.
+1. In the left pane, select the **Azure Active Directory** service.
+1. Go to **Enterprise Applications**, and then select **All Applications**.
+1. To add a new application, select **New application**.
+1. In the **Add from the gallery** section, type **Overdrive** in the search box.
+1. In the results pane, select **Overdrive**, and then add the app. Wait a few seconds while the app is added to your tenant.
- ![Overdrive in the results list](common/search-new-app.png)
+## Configure and test Azure AD SSO for Overdrive
-## Configure and test Azure AD single sign-on
+Configure and test Azure AD SSO with Overdrive using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Overdrive.
-In this section, you configure and test Azure AD single sign-on with Overdrive based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Overdrive needs to be established.
+To configure and test Azure AD SSO with Overdrive, perform the following steps:
-To configure and test Azure AD single sign-on with Overdrive, you need to complete the following building blocks:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Overdrive SSO](#configure-overdrive-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Overdrive test user](#create-overdrive-test-user)** - to have a counterpart of B.Simon in Overdrive that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Overdrive Single Sign-On](#configure-overdrive-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Overdrive test user](#create-overdrive-test-user)** - to have a counterpart of Britta Simon in Overdrive that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+### Configure Azure AD SSO
-### Configure Azure AD single sign-on
+Follow these steps to enable Azure AD SSO in the Azure portal.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. In the Azure portal, on the **Overdrive** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-To configure Azure AD single sign-on with Overdrive, perform the following steps:
-
-1. In the [Azure portal](https://portal.azure.com/), on the **Overdrive** application integration page, select **Single sign-on**.
-
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Overdrive Domain and URLs single sign-on information](common/sp-signonurl.png)
- In the **Sign-on URL** text box, type a URL using the following pattern: `http://<subdomain>.libraryreserve.com`
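Review bot: the Sign-on URL pattern in the Basic SAML Configuration step, `http://<subdomain>.libraryreserve.com`, uses plain http. For an SP-initiated flow this is the URL the user is sent to in order to start the login, and the session the SP establishes afterwards lives on the same origin, so the flow should begin on https rather than expose the redirect and the resulting cookie to on-path tampering. Confirm the scheme with the vendor and use `https://` in the pattern if Overdrive serves it; if http is genuinely required, say so explicitly so admins do not assume a typo. Minor: "establish a link relationship" can simply be "link".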
@@ -111,40 +85,18 @@ To configure Azure AD single sign-on with Overdrive, perform the following steps
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure Overdrive Single Sign-On
-
-To configure single sign-on on **Overdrive** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Overdrive support team](https://help.overdrive.com/). They set this setting to have the SAML SSO connection set properly on both sides.
### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
+In this section, you'll create a test user in the Azure portal called B.Simon.
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
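Review bot: removing the "a. Login URL / b. Azure AD Identifier / c. Logout URL" list leaves the "Copy configuration URLs" screenshot at the top of the hunk with no text naming which values to copy; keep a one-line list of the three values, because the Configure Overdrive SSO section later tells the admin to send "appropriate copied URLs" to the vendor and these are the ones it means. The Configure Overdrive Single Sign-On section removed here reappears after the Assign section, so that part is a move rather than a loss.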
@@ -152,26 +104,22 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting
1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Overdrive**.
- ![Enterprise applications blade](common/enterprise-applications.png)
- 2. In the applications list, select **Overdrive**.
- ![The Overdrive link in the Applications list](common/all-applications.png)
- 3. In the menu on the left, select **Users and groups**.
- ![The "Users and groups" link](common/users-groups-blade.png)
- 4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
- ![The Add Assignment pane](common/add-assign-user.png)
- 5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen. 6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen. 7. In the **Add Assignment** dialog click the **Assign** button.
+### Configure Overdrive SSO
+
+To configure single sign-on on **Overdrive** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Overdrive support team](https://help.overdrive.com/). They set this setting to have the SAML SSO connection set properly on both sides.
+ ### Create Overdrive test user In this section, a user called Britta Simon is created in Overdrive. Overdrive supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Overdrive, a new one is created after authentication.
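Review bot: in this hunk the steps that actually perform the assignment (select Users and groups, Add user, pick B.Simon, choose a role, Assign) appear only as removed lines and no "+" lines replace them; the context line that survives ends at "then select Overdrive", so as shown the Assign section stops before the user is assigned. Verify the new numbered steps exist in the file (the OneTrust tutorial in this same refresh adds them as six "+" lines). Also the hunk header context and the Create Overdrive test user sentence still say "Britta Simon" while the rest of the file was renamed to B.Simon; rename both for consistency.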
@@ -180,16 +128,16 @@ In this section, a user called Britta Simon is created in Overdrive. Overdrive s
>You can use any other OverDrive user account creation tools or APIs provided by OverDrive to provision Azure AD user accounts. >
-### Test single sign-on
+### Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Overdrive tile in the Access Panel, you should be automatically signed in to the Overdrive for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Overdrive Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Overdrive Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Overdrive tile in the My Apps, this will redirect to Overdrive Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)\ No newline at end of file
+Once you configure Overdrive you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
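Review bot: the My Apps link in the last bullet is an absolute URL to https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction, which looks like the older article path, while the line it replaces used the relative ../user-help/my-apps-portal-end-user-access.md; keep the relative link so the reference does not depend on a redirect. Grammar: "with following options" needs "the", and "protects exfiltration and infiltration" should be "protects against exfiltration and infiltration". The apostrophe in "organizationΓÇÖs" is mis-encoded in the rendering; confirm the file has a plain one.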
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/pagerduty-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/pagerduty-tutorial.md
@@ -9,7 +9,7 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 03/14/2019
+ms.date: 01/18/2021
ms.author: jeedes ---
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate PagerDuty with Azure Active Dire
* Enable your users to be automatically signed-in to PagerDuty with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -38,13 +36,12 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * PagerDuty supports **SP** initiated SSO
-* Once you configure PagerDuty you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
-## Adding PagerDuty from the gallery
+## Add PagerDuty from the gallery
To configure the integration of PagerDuty into Azure AD, you need to add PagerDuty from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
@@ -68,9 +65,9 @@ To configure and test Azure AD SSO with PagerDuty, complete the following buildi
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **PagerDuty** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **PagerDuty** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -115,13 +112,7 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **PagerDuty**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
@@ -186,20 +177,14 @@ To enable Azure AD users to sign into PagerDuty, they must be provisioned into P
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the PagerDuty tile in the Access Panel, you should be automatically signed in to the PagerDuty for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal. This will redirect to PagerDuty Sign-on URL where you can initiate the login flow.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Go to PagerDuty Sign-on URL directly and initiate the login flow from there.
-- [Try PagerDuty with Azure AD](https://aad.portal.azure.com/)
+* You can use Microsoft My Apps. When you click the PagerDuty tile in the My Apps, this will redirect to PagerDuty Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect PagerDuty with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)\ No newline at end of file
+Once you configure PagerDuty you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
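Review bot: three issues shared with the other Test SSO rewrites in this batch are worth fixing in one pass here: the My Apps link switches from the relative ../user-help/my-apps-portal-end-user-access.md to the absolute, older-looking https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction; "with following options" lacks "the"; and the Next steps sentence reads "protects exfiltration and infiltration" where "protects against" is meant, with a mis-encoded apostrophe in "organizationΓÇÖs". One PagerDuty-specific check: the scenario description states PagerDuty supports SP-initiated SSO only, and the rewritten Test SSO section correctly lists only SP-style options, so no IDP subsection should be added here.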
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/qualtrics-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/qualtrics-tutorial.md
@@ -9,7 +9,7 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 04/03/2020
+ms.date: 01/18/2021
ms.author: jeedes ---
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate SAP Qualtrics with Azure Active
* Enable your users to be automatically signed in to SAP Qualtrics with their Azure AD accounts. * Manage your accounts in one central location: the Azure portal.
-To learn more about software as a service (SaaS) app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need:
@@ -36,13 +34,12 @@ In this tutorial, you configure and test Azure AD SSO in a test environment.
* SAP Qualtrics supports **SP** and **IDP** initiated SSO. * SAP Qualtrics supports **Just In Time** user provisioning.
-* After you configure SAP Qualtrics, you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from conditional access. For more information, see [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
## Add SAP Qualtrics from the gallery To configure the integration of SAP Qualtrics into Azure AD, you need to add SAP Qualtrics from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) by using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal by using either a work or school account, or a personal Microsoft account.
1. On the left pane, select **Azure Active Directory**. 1. Go to **Enterprise Applications**, and then select **All Applications**. 1. To add a new application, select **New application**.
@@ -66,11 +63,11 @@ To configure and test Azure AD SSO with SAP Qualtrics, complete the following bu
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **SAP Qualtrics** application integration page, find the **Manage** section. Select **single sign-on**.
+1. In the Azure portal, on the **SAP Qualtrics** application integration page, find the **Manage** section. Select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Screenshot of Set up Single Sign-On with SAML page, with pencil icon highlighted](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
1. On the **Set up single sign-on with SAML** page, if you want to configure the application in **IDP** initiated mode, enter the values for the following fields:
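Review bot: replacing the alt text "Screenshot of Set up Single Sign-On with SAML page, with pencil icon highlighted" with "Edit Basic SAML Configuration" is an accessibility regression; the old text told a screen-reader user what the image shows and which control is highlighted, the new one only repeats the step name. Keep the descriptive alt text, or at minimum "Screenshot of the Basic SAML Configuration pencil icon".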
@@ -97,7 +94,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, select the copy icon to copy **App Federation Metadata Url** and save it on your computer.
- ![Screenshot of SAML Signing Certificate, with copy icon highlighted](common/copy-metadataurl.png)
+ ![The Certificate download link](common/copy-metadataurl.png)
### Create an Azure AD test user
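Review bot: the new alt text "The Certificate download link" describes the wrong control: the step it illustrates is copying the App Federation Metadata Url with the copy icon, and the removed alt text ("Screenshot of SAML Signing Certificate, with copy icon highlighted") said exactly that. Revert to the old wording or use "Copy icon for the App Federation Metadata Url"; alt text that names a download link when the image shows a copy button will mislead anyone relying on it.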
@@ -118,13 +115,7 @@ In this section, you enable B.Simon to use Azure single sign-on by granting acce
1. In the Azure portal, select **Enterprise Applications** > **All applications**. 1. In the applications list, select **SAP Qualtrics**. 1. In the app's overview page, find the **Manage** section, and select **Users and groups**.-
- ![Screenshot of the Manage section, with Users and groups highlighted](common/users-groups-blade.png)
- 1. Select **Add user**. Then in the **Add Assignment** dialog box, select **Users and groups**.-
- ![Screenshot of Users and groups page, with Add user highlighted](common/add-assign-user.png)
- 1. In the **Users and groups** dialog box, select **B.Simon** from the list of users. Then choose **Select** at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog box, select the appropriate role for the user from the list. Then choose **Select** at the bottom of the screen. 1. In the **Add Assignment** dialog box, select **Assign**.
@@ -139,20 +130,20 @@ SAP Qualtrics supports just-in-time user provisioning, which is enabled by defau
## Test SSO
-In this section, you test your Azure AD single sign-on configuration by using Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you select the SAP Qualtrics tile in Access Panel, you're automatically signed in to the SAP Qualtrics for which you set up SSO. For more information, see [Sign in and start apps from the My Apps portal](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to SAP Qualtrics Sign on URL where you can initiate the login flow.
-- [Tutorials for integrating SaaS applications with Azure Active Directory](./tutorial-list.md)
+* Go to SAP Qualtrics Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the SAP Qualtrics for which you set up the SSO.
-- [Try SAP Qualtrics with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the SAP Qualtrics tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SAP Qualtrics for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [Protect SAP Qualtrics with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)\ No newline at end of file
+After you configure SAP Qualtrics, you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from conditional access. For more information, see [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
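Review bot: the My Apps paragraph is a single run-on sentence; split it after "initiating the login flow" so the SP and IDP behaviours read as two statements. Its link is the absolute https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction, replacing the relative ../user-help/my-apps-portal-end-user-access.md link the removed text used; keep the relative form. As in the other files in this batch, "with following options" needs "the", the "#### SP initiated:" and "#### IDP initiated:" headings carry trailing colons, "protects exfiltration and infiltration" should be "protects against ...", and "organizationΓÇÖs" shows a mis-encoded apostrophe that should be checked in the file.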
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/splunkenterpriseandsplunkcloud-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/splunkenterpriseandsplunkcloud-tutorial.md
@@ -9,27 +9,23 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 12/24/2018
+ms.date: 01/13/2021
ms.author: jeedes --- # Tutorial: Azure Active Directory integration with Splunk Enterprise and Splunk Cloud
-In this tutorial, you learn how to integrate Splunk Enterprise and Splunk Cloud with Azure Active Directory (Azure AD).
-Integrating Splunk Enterprise and Splunk Cloud with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Splunk Enterprise and Splunk Cloud with Azure Active Directory (Azure AD). When you integrate Splunk Enterprise and Splunk Cloud with Azure AD, you can:
-* You can control in Azure AD who has access to Splunk Enterprise and Splunk Cloud.
-* You can enable your users to be automatically signed-in to Splunk Enterprise and Splunk Cloud (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Splunk Enterprise and Splunk Cloud.
+* Enable your users to be automatically signed in to Splunk Enterprise and Splunk Cloud with their Azure AD accounts.
+* Manage your accounts in one central location: the Azure portal.
## Prerequisites
-To configure Azure AD integration with Splunk Enterprise and Splunk Cloud, you need the following items:
+To configure Azure AD integration with Splunk Enterprise and Splunk Cloud, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Splunk Enterprise and Splunk Cloud single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/).
+* Splunk Enterprise and Splunk Cloud single sign-on enabled subscription.
## Scenario description
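Review bot: the first Prerequisites bullet still reads "you can get one-month trial [here]"; add the article and give the link descriptive text, for example "you can get a [one-month trial](https://azure.microsoft.com/pricing/free-trial/)". The rewritten intro line "To configure Azure AD integration with Splunk Enterprise and Splunk Cloud, you need the following items:" is character-for-character the removed line, so that part of the hunk is whitespace-only churn; confirm it was intended.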
@@ -37,66 +33,43 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Splunk Enterprise and Splunk Cloud supports **SP** initiated SSO
-## Adding Splunk Enterprise and Splunk Cloud from the gallery
+## Add Splunk Enterprise and Splunk Cloud from the gallery
To configure the integration of Splunk Enterprise and Splunk Cloud into Azure AD, you need to add Splunk Enterprise and Splunk Cloud from the gallery to your list of managed SaaS apps.
-**To add Splunk Enterprise and Splunk Cloud from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Splunk Enterprise and Splunk Cloud**, select **Splunk Enterprise and Splunk Cloud** from result panel then click **Add** button to add the application.
-
- ![Splunk Enterprise and Splunk Cloud in the results list](common/search-new-app.png)
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Splunk Enterprise and Splunk Cloud** in the search box.
+1. Select **Splunk Enterprise and Splunk Cloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Splunk Enterprise and Splunk Cloud
-In this section, you configure and test Azure AD single sign-on with Splunk Enterprise and Splunk Cloud based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Splunk Enterprise and Splunk Cloud needs to be established.
+Configure and test Azure AD SSO with Splunk Enterprise and Splunk Cloud using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Splunk Enterprise and Splunk Cloud.
-To configure and test Azure AD single sign-on with Splunk Enterprise and Splunk Cloud, you need to complete the following building blocks:
+To configure and test Azure AD SSO with Splunk Enterprise and Splunk Cloud, perform the following steps:
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Splunk Enterprise and Splunk Cloud Single Sign-On](#configure-splunk-enterprise-and-splunk-cloud-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Splunk Enterprise and Splunk Cloud test user](#create-splunk-enterprise-and-splunk-cloud-test-user)** - to have a counterpart of Britta Simon in Splunk Enterprise and Splunk Cloud that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Splunk Enterprise and Splunk Cloud SSO](#configure-splunk-enterprise-and-splunk-cloud-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Splunk Enterprise and Splunk Cloud test user](#create-splunk-enterprise-and-splunk-cloud-test-user)** - to have a counterpart of B.Simon in Splunk Enterprise and Splunk Cloud that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD single sign-on
+### Configure Azure AD SSO
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Follow these steps to enable Azure AD SSO in the Azure portal.
-To configure Azure AD single sign-on with Splunk Enterprise and Splunk Cloud, perform the following steps:
+1. In the Azure portal, on the **Splunk Enterprise and Splunk Cloud** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-1. In the [Azure portal](https://portal.azure.com/), on the **Splunk Enterprise and Splunk Cloud** application integration page, select **Single sign-on**.
-
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
-
-4. On the **Basic SAML Configuration** section, perform the following steps:
-
- ![Splunk Enterprise and Splunk Cloud Domain and URLs single sign-on information](common/sp-identifier-reply.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+4. On the **Basic SAML Configuration** section, perform the following pattern:
a. In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<splunkserverUrl>/en-US/app/launcher/home`
+ `https://<splunkserverUrl>/app/launcher/home`
b. In the **Identifier** box, type a URL using the following pattern: `<splunkserverUrl>`
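Review bot: step 4 of the Basic SAML Configuration section now says "perform the following pattern:"; it should be "perform the following steps:" as it was before. On the values themselves: the Sign-on URL pattern drops the `/en-US` locale segment (`https://<splunkserverUrl>/app/launcher/home`), which is fine for SP-initiated SSO, but the Identifier `<splunkserverUrl>` is the SAML audience and must match the entity ID configured on the Splunk side exactly, including scheme and any trailing slash, or Splunk will reject the assertion. Since the tutorial hands the Splunk side to Splunk support, it would help to say that explicitly so the administrator sends the same value both ways.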
@@ -111,75 +84,49 @@ To configure Azure AD single sign-on with Splunk Enterprise and Splunk Cloud, pe
![The Certificate download link](common/metadataxml.png)
-### Configure Splunk Enterprise and Splunk Cloud Single Sign-On
-
-To configure single sign-on on **Splunk Enterprise and Splunk Cloud** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Splunk Enterprise and Splunk Cloud support team](https://www.splunk.com/en_us/about-splunk/contact-us.html). They set this setting to have the SAML SSO connection set properly on both sides.
+### Create an Azure AD test user
-### Create an Azure AD test user
+In this section, you'll create a test user in the Azure portal called B.Simon.
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Splunk Enterprise and Splunk Cloud.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Splunk Enterprise and Splunk Cloud**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, type and select **Splunk Enterprise and Splunk Cloud**.
-
- ![The Splunk Enterprise and Splunk Cloud link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Splunk Enterprise and Splunk Cloud.
- ![The Add Assignment pane](common/add-assign-user.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Splunk Enterprise and Splunk Cloud**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Configure Splunk Enterprise and Splunk Cloud SSO
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+ To configure single sign-on on **Splunk Enterprise and Splunk Cloud** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Splunk Enterprise and Splunk Cloud support team](https://www.splunk.com/en_us/about-splunk/contact-us.html). They set this setting to have the SAML SSO connection set properly on both sides.
-7. In the **Add Assignment** dialog click the **Assign** button.
### Create Splunk Enterprise and Splunk Cloud test user In this section, you create a user called Britta Simon in Splunk Enterprise and Splunk Cloud. Work with [Splunk Enterprise and Splunk Cloud support team](https://www.splunk.com/en_us/about-splunk/contact-us.html) to add the users in the Splunk Enterprise and Splunk Cloud platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+### Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Splunk Enterprise and Splunk Cloud tile in the Access Panel, you should be automatically signed in to the Splunk Enterprise and Splunk Cloud for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Splunk Enterprise and Splunk Cloud Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Splunk Enterprise and Splunk Cloud Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Splunk Enterprise and Splunk Cloud tile in the My Apps, this will redirect to Splunk Enterprise and Splunk Cloud Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/user-help/my-apps-portal-end-user-access).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)\ No newline at end of file
+Once you configure Splunk Enterprise and Splunk Cloud you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app)
\ No newline at end of file
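Review bot: the unchanged context line under "Create Splunk Enterprise and Splunk Cloud test user" still says "you create a user called Britta Simon" while every other reference in this commit was renamed to B.Simon; update it in the same change. Smaller points: the "Configure Splunk Enterprise and Splunk Cloud SSO" paragraph is indented by a leading space, the Next steps paragraph has "which protect" and "Session control extend" (should be "protects" and "extends") and its link has no terminating period, and "Introduction to the My Apps" should drop "the". Because the Splunk side is configured by Splunk support from the downloaded Federation Metadata XML, consider adding that the metadata embeds the Azure AD signing certificate shown in the certificate download step, so a certificate rollover in Azure AD must be resent to Splunk or SSO stops working.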
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/templafy-openid-connect-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/templafy-openid-connect-provisioning-tutorial.md new file mode 100644
@@ -0,0 +1,171 @@
+---
+title: 'Tutorial: Configure Templafy OpenID Connect for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Templafy OpenID Connect.
+services: active-directory
+author: zchia
+writer: zchia
+manager: CelesteDG
+ms.assetid: 8cbb387a-e3fb-4588-bb87-bf4f88144361
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.topic: tutorial
+ms.date: 01/19/2021
+ms.author: zhchia
+---
+
+# Tutorial: Configure Templafy OpenID Connect for automatic user provisioning
+
+The objective of this tutorial is to demonstrate the steps to be performed in Templafy OpenID Connect and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users and/or groups to Templafy OpenID Connect.
+
+> [!NOTE]
+> This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
+>
+> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* An Azure AD tenant.
+* [A Templafy tenant](https://www.templafy.com/pricing/).
+* A user account in Templafy with Admin permissions.
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
+2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+3. Determine what data to [map between Azure AD and Templafy OpenID Connect](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+
+## Assigning users to Templafy OpenID Connect
+
+Azure Active Directory uses a concept called *assignments* to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups that have been assigned to an application in Azure AD are synchronized.
+
+Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Templafy OpenID Connect. Once decided, you can assign these users and/or groups to Templafy OpenID Connect by following the instructions here:
+* [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md)
+
+## Important tips for assigning users to Templafy OpenID Connect
+
+* It is recommended that a single Azure AD user is assigned to Templafy OpenID Connect to test the automatic user provisioning configuration. More users and/or groups may be assigned later.
+
+* When assigning a user to Templafy OpenID Connect, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning.
+
+## Step 2. Configure Templafy OpenID Connect to support provisioning with Azure AD
+
+Before configuring Templafy OpenID Connect for automatic user provisioning with Azure AD, you will need to enable SCIM provisioning on Templafy OpenID Connect.
+
+1. Sign in to your Templafy Admin Console. Click on **Administration**.
+
+ ![Templafy Admin Console](media/templafy-openid-connect-provisioning-tutorial/templafy-admin.png)
+
+2. Click on **Authentication Method**.
+
+ ![Screenshot of the Templafy administration section with the Authentication method option called out.](media/templafy-openid-connect-provisioning-tutorial/templafy-auth.png)
+
+3. Copy the **SCIM Api-key** value. This value will be entered in the **Secret Token** field in the Provisioning tab of your Templafy OpenID Connect application in the Azure portal.
+
+ ![A screenshot of the S C I M A P I key.](media/templafy-openid-connect-provisioning-tutorial/templafy-token.png)
+
+## Step 3. Add Templafy OpenID Connect from the gallery
+
+To configure Templafy OpenID Connect for automatic user provisioning with Azure AD, you need to add Templafy OpenID Connect from the Azure AD application gallery to your list of managed SaaS applications.
+
+**To add Templafy OpenID Connect from the Azure AD application gallery, perform the following steps:**
+
+1. In the **[Azure portal](https://portal.azure.com)**, in the left navigation panel, select **Azure Active Directory**.
+
+ ![The Azure Active Directory button](common/select-azuread.png)
+
+2. Go to **Enterprise applications**, and then select **All applications**.
+
+ ![The Enterprise applications blade](common/enterprise-applications.png)
+
+3. To add a new application, select the **New application** button at the top of the pane.
+
+ ![The New application button](common/add-new-app.png)
+
+4. In the search box, enter **Templafy OpenID Connect**, select **Templafy OpenID Connect** in the results panel, and then click the **Add** button to add the application.
+
+ ![Templafy OpenID Connect in the results list](common/search-new-app.png)
+
+## Step 4. Configure automatic user provisioning to Templafy OpenID Connect
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in Templafy OpenID Connect based on user and/or group assignments in Azure AD.
+
+> [!TIP]
+> You may also choose to enable OpenID connect-based single sign-on for Templafy, following the instructions provided in the [Templafy Single sign-on tutorial](templafy-tutorial.md). Single sign-on can be configured independently of automatic user provisioning, though these two features compliment each other.
+
+### To configure automatic user provisioning for Templafy OpenID Connect in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+2. In the applications list, select **Templafy OpenID Connect**.
+
+ ![The Templafy OpenID Connect link in the Applications list](common/all-applications.png)
+
+3. Select the **Provisioning** tab.
+
+ ![Screenshot of the Manage options with the Provisioning option called out.](common/provisioning.png)
+
+4. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Screenshot of the Provisioning Mode dropdown list with the Automatic option called out.](common/provisioning-automatic.png)
+
+5. Under the **Admin Credentials** section, input `https://scim.templafy.com/scim` in **Tenant URL**. Input the **SCIM API-key** value retrieved earlier in **Secret Token**. Click **Test Connection** to ensure Azure AD can connect to Templafy. If the connection fails, ensure your Templafy account has Admin permissions and try again.
+
+ ![Tenant URL + Token](common/provisioning-testconnection-tenanturltoken.png)
+
+6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox - **Send an email notification when a failure occurs**.
+
+ ![Notification Email](common/provisioning-notification-email.png)
+
+7. Click **Save**.
+
+8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Templafy OpenID Connect**.
+
+ ![Templafy OpenID Connect User Mappings](media/templafy-openid-connect-provisioning-tutorial/user-mapping.png)
+
+9. Review the user attributes that are synchronized from Azure AD to Templafy OpenID Connect in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Templafy OpenID Connect for update operations. Select the **Save** button to commit any changes.
+
+ ![Templafy OpenID Connect User Attributes](media/templafy-openid-connect-provisioning-tutorial/user-attribute.png)
+
+10. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Templafy**.
+
+ ![Templafy OpenID Connect Group Mappings](media/templafy-openid-connect-provisioning-tutorial/group-mapping.png)
+
+11. Review the group attributes that are synchronized from Azure AD to Templafy OpenID Connect in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Templafy OpenID Connect for update operations. Select the **Save** button to commit any changes.
+
+ ![Templafy OpenID Connect Group Attributes](media/templafy-openid-connect-provisioning-tutorial/group-attribute.png)
+
+12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+13. To enable the Azure AD provisioning service for Templafy OpenID Connect, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+14. Define the users and/or groups that you would like to provision to Templafy OpenID Connect by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Provisioning Scope](common/provisioning-scope.png)
+
+15. When you are ready to provision, click **Save**.
+
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+ This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Templafy OpenID Connect.
+
+## Step 5. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+
+## Additional resources
+
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
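Review bot: the "Assigning users to Templafy OpenID Connect" and "Important tips" sections sit between Step 1 and Step 2 without step numbers, so the numbered flow breaks; fold them into Step 1 or number them. In Step 4, the tip says the two features "compliment each other" (should be "complement") and describes the SSO as "OpenID connect-based" while linking to templafy-tutorial.md; check that link points at the OIDC tutorial rather than the SAML one. The secret is called "SCIM Api-key" in Step 2 and "SCIM API-key" in Step 4, and item 10 says "Synchronize Azure Active Directory Groups to Templafy" while item 8 says "... Users to Templafy OpenID Connect"; pick one form of each. Since the SCIM API key entered as the Secret Token authorizes every user and group create, update and disable call to https://scim.templafy.com/scim, add a sentence in Step 2 telling the administrator to handle it like a password and rotate it if it is exposed.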
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/templafy-saml-2-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/templafy-saml-2-provisioning-tutorial.md new file mode 100644
@@ -0,0 +1,171 @@
+---
+title: 'Tutorial: Configure Templafy SAML2 for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to Templafy SAML2.
+services: active-directory
+author: zchia
+writer: zchia
+manager: CelesteDG
+ms.assetid: 8a966ef5-e364-435b-9e29-3caf27ffb498
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.topic: tutorial
+ms.date: 01/19/2021
+ms.author: zhchia
+---
+
+# Tutorial: Configure Templafy SAML2 for automatic user provisioning
+
+The objective of this tutorial is to demonstrate the steps to be performed in Templafy SAML2 and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users and/or groups to Templafy SAML2.
+
+> [!NOTE]
+> This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
+>
+> This connector is currently in Public Preview. For more information on the general Microsoft Azure terms of use for Preview features, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* An Azure AD tenant.
+* [A Templafy tenant](https://www.templafy.com/pricing/).
+* A user account in Templafy with Admin permissions.
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
+2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+3. Determine what data to [map between Azure AD and Templafy SAML2](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+
+## Assigning users to Templafy SAML2
+
+Azure Active Directory uses a concept called *assignments* to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups that have been assigned to an application in Azure AD are synchronized.
+
+Before configuring and enabling automatic user provisioning, you should decide which users and/or groups in Azure AD need access to Templafy SAML2. Once decided, you can assign these users and/or groups to Templafy SAML2 by following the instructions here:
+* [Assign a user or group to an enterprise app](../manage-apps/assign-user-or-group-access-portal.md)
+
+## Important tips for assigning users to Templafy SAML2
+
+* It is recommended that a single Azure AD user is assigned to Templafy SAML2 to test the automatic user provisioning configuration. More users and/or groups may be assigned later.
+
+* When assigning a user to Templafy SAML2, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning.
+
+## Step 2. Configure Templafy SAML2 to support provisioning with Azure AD
+
+Before configuring Templafy SAML2 for automatic user provisioning with Azure AD, you will need to enable SCIM provisioning on Templafy SAML2.
+
+1. Sign in to your Templafy Admin Console. Click on **Administration**.
+
+ ![Templafy Admin Console](media/templafy-saml-2-provisioning-tutorial/templafy-admin.png)
+
+2. Click on **Authentication Method**.
+
+ ![Screenshot of the Templafy administration section with the Authentication method option called out.](media/templafy-saml-2-provisioning-tutorial/templafy-auth.png)
+
+3. Copy the **SCIM Api-key** value. This value will be entered in the **Secret Token** field in the Provisioning tab of your Templafy SAML2 application in the Azure portal.
+
+ ![A screenshot of the S C I M A P I key.](media/templafy-saml-2-provisioning-tutorial/templafy-token.png)
+
+## Step 3. Add Templafy SAML2 from the gallery
+
+To configure Templafy SAML2 for automatic user provisioning with Azure AD, you need to add Templafy SAML2 from the Azure AD application gallery to your list of managed SaaS applications.
+
+**To add Templafy SAML2 from the Azure AD application gallery, perform the following steps:**
+
+1. In the **[Azure portal](https://portal.azure.com)**, in the left navigation panel, select **Azure Active Directory**.
+
+ ![The Azure Active Directory button](common/select-azuread.png)
+
+2. Go to **Enterprise applications**, and then select **All applications**.
+
+ ![The Enterprise applications blade](common/enterprise-applications.png)
+
+3. To add a new application, select the **New application** button at the top of the pane.
+
+ ![The New application button](common/add-new-app.png)
+
+4. In the search box, enter **Templafy SAML2**, select **Templafy SAML2** in the results panel, and then click the **Add** button to add the application.
+
+ ![Templafy SAML2 in the results list](common/search-new-app.png)
+
+## Step 4. Configure automatic user provisioning to Templafy SAML2
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in Templafy SAML2 based on user and/or group assignments in Azure AD.
+
+> [!TIP]
+> You may also choose to enable SAML-based single sign-on for Templafy, following the instructions provided in the [Templafy Single sign-on tutorial](templafy-tutorial.md). Single sign-on can be configured independently of automatic user provisioning, though these two features compliment each other.
+
+### To configure automatic user provisioning for Templafy SAML2 in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+2. In the applications list, select **Templafy SAML2**.
+
+ ![The Templafy SAML2 link in the Applications list](common/all-applications.png)
+
+3. Select the **Provisioning** tab.
+
+ ![Screenshot of the Manage options with the Provisioning option called out.](common/provisioning.png)
+
+4. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Screenshot of the Provisioning Mode dropdown list with the Automatic option called out.](common/provisioning-automatic.png)
+
+5. Under the **Admin Credentials** section, input `https://scim.templafy.com/scim` in **Tenant URL**. Input the **SCIM API-key** value retrieved earlier in **Secret Token**. Click **Test Connection** to ensure Azure AD can connect to Templafy. If the connection fails, ensure your Templafy account has Admin permissions and try again.
+
+ ![Tenant URL + Token](common/provisioning-testconnection-tenanturltoken.png)
+
+6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox - **Send an email notification when a failure occurs**.
+
+ ![Notification Email](common/provisioning-notification-email.png)
+
+7. Click **Save**.
+
+8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Templafy SAML2**.
+
+ ![Templafy SAML2 User Mappings](media/templafy-saml-2-provisioning-tutorial/user-mapping.png)
+
+9. Review the user attributes that are synchronized from Azure AD to Templafy SAML2 in the **Attribute Mappings** section. The attributes selected as **Matching** properties are used to match the user accounts in Templafy SAML2 for update operations. Select the **Save** button to commit any changes.
+
+ ![Templafy SAML2 User Attributes](media/templafy-saml-2-provisioning-tutorial/user-attribute.png)
+
+10. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Templafy**.
+
+ ![Templafy SAML2 Group Mappings](media/templafy-saml-2-provisioning-tutorial/group-mapping.png)
+
+11. Review the group attributes that are synchronized from Azure AD to Templafy SAML2 in the **Attribute Mappings** section. The attributes selected as **Matching** properties are used to match the groups in Templafy SAML2 for update operations. Select the **Save** button to commit any changes.
+
+ ![Templafy SAML2 Group Attributes](media/templafy-saml-2-provisioning-tutorial/group-attribute.png)
+
+12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+13. To enable the Azure AD provisioning service for Templafy SAML2, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+14. Define the users and/or groups that you would like to provision to Templafy SAML2 by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Provisioning Scope](common/provisioning-scope.png)
+
+15. When you are ready to provision, click **Save**.
+
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+ This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Azure AD provisioning service on Templafy SAML2.
+
+## Step 5. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+
+## Additional resources
+
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
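Review bot: In the tip under "Step 4", "these two features compliment each other" should be "complement each other". The secret is named inconsistently within the same article: the Templafy console step says "SCIM Api-key" while step 5 of the Azure AD configuration says "SCIM API-key"; use one spelling so readers can match the field in the console. Because that key is pasted into **Secret Token** and the alt text mentions "A screenshot of the S C I M A P I key", make sure the screenshot shows a redacted or placeholder value and consider one sentence reminding admins to treat the key as a credential (rotate it in Templafy if it is exposed). Finally, the three monitoring links under "Step 5" use absolute https://docs.microsoft.com URLs, whereas the rest of this file uses relative links such as `../app-provisioning/...`; relative links are the convention here.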
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/topdesk-secure-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/topdesk-secure-tutorial.md
@@ -9,27 +9,23 @@ ms.service: active-directory
ms.subservice: saas-app-tutorial ms.workload: identity ms.topic: tutorial
-ms.date: 12/27/2018
+ms.date: 01/18/2021
ms.author: jeedes --- # Tutorial: Azure Active Directory integration with TOPdesk - Secure
-In this tutorial, you learn how to integrate TOPdesk - Secure with Azure Active Directory (Azure AD).
-Integrating TOPdesk - Secure with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate TOPdesk - Secure with Azure Active Directory (Azure AD). When you integrate TOPdesk - Secure with Azure AD, you can:
-* You can control in Azure AD who has access to TOPdesk - Secure.
-* You can enable your users to be automatically signed-in to TOPdesk - Secure (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to TOPdesk - Secure.
+* Enable your users to be automatically signed-in to TOPdesk - Secure (Single Sign-On) with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with TOPdesk - Secure, you need the following items:
-
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* TOPdesk - Secure single sign-on enabled subscription
+To get started, you need the following items:
+
+ * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* A TOPdesk - Secure single sign-on (SSO)-enabled subscription.
## Scenario description
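Review bot: The first added bullet under "Prerequisites" is indented with a leading space (` * An Azure AD subscription ...`) while the second bullet (`* A TOPdesk - Secure ...`) is not; align both at column 0, otherwise some Markdown renderers treat them as separate lists. Also "single sign-on (SSO)-enabled subscription" reads awkwardly with the parenthetical before the hyphen; "a TOPdesk - Secure subscription with single sign-on (SSO) enabled" is clearer.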
@@ -37,64 +33,47 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* TOPdesk - Secure supports **SP** initiated SSO
-## Adding TOPdesk - Secure from the gallery
+## Add TOPdesk - Secure from the gallery
To configure the integration of TOPdesk - Secure into Azure AD, you need to add TOPdesk - Secure from the gallery to your list of managed SaaS apps.
-**To add TOPdesk - Secure from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **TOPdesk - Secure** in the search box.
+1. Select **TOPdesk - Secure** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **TOPdesk - Secure**, select **TOPdesk - Secure** from result panel then click **Add** button to add the application.
-
- ![TOPdesk - Secure in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for TOPdesk - Secure
In this section, you configure and test Azure AD single sign-on with TOPdesk - Secure based on a test user called **Britta Simon**. For single sign-on to work, a link relationship between an Azure AD user and the related user in TOPdesk - Secure needs to be established.
-To configure and test Azure AD single sign-on with TOPdesk - Secure, you need to complete the following building blocks:
+To configure and test Azure AD single sign-on with TOPdesk - Secure, you need to perform the following steps:
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure TOPdesk - Secure Single Sign-On](#configure-topdesk---secure-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create TOPdesk - Secure test user](#create-topdesk---secure-test-user)** - to have a counterpart of Britta Simon in TOPdesk - Secure that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
+ 2. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
+2. **[Configure TOPdesk - Secure SSO](#configure-topdesk---secure-sso)** - to configure the Single Sign-On settings on application side.
+ 1. **[Create TOPdesk - Secure test user](#create-topdesk---secure-test-user)** - to have a counterpart of Britta Simon in TOPdesk - Secure that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-### Configure Azure AD single sign-on
+### Configure Azure AD SSO
In this section, you enable Azure AD single sign-on in the Azure portal. To configure Azure AD single sign-on with TOPdesk - Secure, perform the following steps:
-1. In the [Azure portal](https://portal.azure.com/), on the **TOPdesk - Secure** application integration page, select **Single sign-on**.
-
- ![Configure single sign-on link](common/select-sso.png)
+1. In the Azure portal, on the **TOPdesk - Secure** application integration page, select **Single sign-on**.
2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+3. On the **Set up Single Sign-On with SAML** page, click pencil icon to open **Basic SAML Configuration** dialog.
![Edit Basic SAML Configuration](common/edit-urls.png) 4. On the **Basic SAML Configuration** section, perform the following steps:
- ![TOPdesk - Secure Domain and URLs single sign-on information](common/sp-identifier-reply.png)
- a. In the **Sign-on URL** text box, type a URL using the following pattern: `https://<companyname>.topdesk.net`
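Review bot: Several added lines drop articles: "To add new application" should be "To add a new application", "from results panel" should be "from the results panel", and "click pencil icon" should be "click the pencil icon". In the rewritten step list under "you need to perform the following steps", the top-level items are numbered 1., 2. and then 1. again for "Test SSO"; Markdown will renumber, but the file should be consistent, either all `1.` (the convention used in the new "Add TOPdesk - Secure from the gallery" list) or 1., 2., 3. The "Configure Azure AD SSO" heading still references "Britta Simon" in its intro while the relocated test-user section creates "B.Simon"; pick one name throughout.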
@@ -115,13 +94,31 @@ To configure Azure AD single sign-on with TOPdesk - Secure, perform the followin
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
- b. Azure Ad Identifier
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to TOPdesk - Secure.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **TOPdesk - Secure**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure TOPdesk - Secure Single Sign-On
+### Configure TOPdesk - Secure SSO
1. Sign on to your **TOPdesk - Secure** company site as an administrator.
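Review bot: In the relocated "Create an Azure AD test user" steps, `username@companydomain.extension` is not wrapped in backticks, unlike `B.Simon` and `B.Simon@contoso.com` on the neighbouring lines; Markdown renderers may turn the bare text into a mailto link. Suggest "enter the `username@companydomain.extension`". In the "Assign the Azure AD test user" steps, "you see "Default Access" role selected" should be "you see the "Default Access" role selected".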
@@ -183,57 +180,6 @@ To configure Azure AD single sign-on with TOPdesk - Secure, perform the followin
g. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to TOPdesk - Secure.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **TOPdesk - Secure**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, type and select **TOPdesk - Secure**.
-
- ![The TOPdesk - Secure link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create TOPdesk - Secure test user In order to enable Azure AD users to log into TOPdesk - Secure, they must be provisioned into TOPdesk - Secure.
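Review bot: Deleting these two sections is only correct because they were re-added earlier in the file (immediately after the "Copy configuration URLs" screenshot), and the step-list anchors `#create-an-azure-ad-test-user` and `#assign-the-azure-ad-test-user` still resolve to the new headings; please confirm this in the rendered preview. One detail lost in the move: the removed step 6 tied the role choice to "any role value in the SAML assertion", while the relocated wording only says "If you are expecting a role to be assigned to the users". Keeping the SAML-assertion phrasing tells readers why the selected role matters to the application.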
@@ -264,16 +210,17 @@ In the case of TOPdesk - Secure, provisioning is a manual task.
> [!NOTE] > You can use any other TOPdesk - Secure user account creation tools or APIs provided by TOPdesk - Secure to provision Azure AD user accounts.
-### Test single sign-on
+### Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Click on **Test this application** in Azure portal. This will redirect to TOPdesk - Secure Sign-on URL where you can initiate the login flow.
-When you click the TOPdesk - Secure tile in the Access Panel, you should be automatically signed in to the TOPdesk - Secure for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to TOPdesk - Secure Sign-on URL directly and initiate the login flow from there.
-## Additional Resources
+* You can use Microsoft My Apps. When you click the TOPdesk - Secure tile in the My Apps, you should be automatically signed in to the TOPdesk - Secure for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+## Next steps
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+Once you configure TOPdesk - Secure you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)\ No newline at end of file
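Review bot: The added "Next steps" paragraph contains a mis-encoded apostrophe ("organizationΓÇÖs"), which indicates the file was pasted or saved with a non-UTF-8 code page; use a plain ASCII apostrophe. The same sentence should read "protects against exfiltration and infiltration", not "protects exfiltration and infiltration". In the "Test SSO" list, "the TOPdesk - Secure Sign-on URL" and "the My Apps" need articles fixed ("click the TOPdesk - Secure tile in My Apps", "For more information about My Apps"), and the My Apps link now points to an absolute URL for the legacy "active-directory-saas-access-panel-introduction" page where the removed line used the relative `../user-help/my-apps-portal-end-user-access.md`; prefer the relative link. The "No newline at end of file" marker also shows the final line lacks a trailing newline; add one.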
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/tutorial-list https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/tutorial-list.md
@@ -50,6 +50,7 @@ To find more tutorials, use the table of contents on the left.
| :--- | :--- | | ![logo-8x8](./media/tutorial-list/active-directory-saas-8x8-virtual-office-tutorial.png)| [8x8](8x8virtualoffice-tutorial.md)| | ![logo-AcquireIO](./media/tutorial-list/active-directory-saas-acquireio-tutorial.png)| [AcquireIO](acquireio-tutorial.md)|
+| ![logo-Adobe Identity Management](./media/tutorial-list/active-directory-saas-adobe-identity-management-tutorial.png)| [Adobe Identity Management](adobe-identity-management-tutorial.md)|
| ![logo-Aha!](./media/tutorial-list/active-directory-saas-aha-tutorial.png)| [Aha!](aha-tutorial.md)| | ![logo-AlertOps](./media/tutorial-list/active-directory-saas-alertops-tutorial.png)| [AlertOps](alertops-tutorial.md)| | ![logo-Amplitude](./media/tutorial-list/active-directory-saas-amplitude-tutorial.png)| [Amplitude](amplitude-tutorial.md)|
@@ -91,6 +92,7 @@ To find more tutorials, use the table of contents on the left.
| ![logo-Kanbanize](./media/tutorial-list/active-directory-saas-kanbanize-tutorial.png)| [Kanbanize](kanbanize-tutorial.md)| | ![logo-Knowledge Anywhere LMS](./media/tutorial-list/active-directory-saas-knowlwdge-anywhere-lms-tutorial.png)| [Knowledge Anywhere LMS](knowledge-anywhere-lms-tutorial.md)| | ![logo-Litmus](./media/tutorial-list/active-directory-saas-litmus-tutorial.png)| [Litmus](litmus-tutorial.md)|
+| ![logo-Marketo](./media/tutorial-list/active-directory-saas-marketo-tutorial.png)| [Marketo](marketo-tutorial.md)|
| ![logo-Meraki Dashboard](./media/tutorial-list/active-directory-saas-meraki-dashboard-tutorial.png)| [Meraki Dashboard](meraki-dashboard-tutorial.md)| | ![logo-monday.com](./media/tutorial-list/active-directory-saas-mondaycom-tutorial.png)| [monday.com](mondaycom-tutorial.md)| | ![logo-MyWorkDrive](./media/tutorial-list/active-directory-saas-myworkdrive-tutorial.png)| [MyWorkDrive](myworkdrive-tutorial.md)|
aks https://docs.microsoft.com/en-us/azure/aks/supported-kubernetes-versions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/supported-kubernetes-versions.md
@@ -136,13 +136,14 @@ For the past release history, see [Kubernetes](https://en.wikipedia.org/wiki/Kub
| K8s version | Upstream release | AKS preview | AKS GA | End of life | |--------------|-------------------|--------------|---------|-------------|
-| 1.16 | Sep-19-19 | Jan 2019 | Mar 2020 | Jan 2021* |
+| 1.16 | Sep-19-19 | Jan 2019 | Mar 2020 | Jan 2021|
| 1.17 | Dec-09-19 | Jan 2019 | Jul 2020 | 1.20 GA | | 1.18 | Mar-23-20 | May 2020 | Aug 2020 | 1.21 GA | | 1.19 | Aug-04-20 | Sep 2020 | Nov 2020 | 1.22 GA | | 1.20 | Dec-08-20 | Jan 2021 | Mar 2021 | 1.23 GA |
+| 1.21 | Apr-08-21* | May 2021 | Jul 2021 | 1.24 GA |
-\* Due to the holiday season, AKS is extending the life of 1.16 from November 2020 until January 2021. [Read more](https://github.com/Azure/AKS/releases/tag/2020-10-12).
+\* The Kubernetes 1.21 Upstream release is subject to change as the Upstream calender as yet to be finalized.
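Review bot: The new footnote has two typos: "calender" should be "calendar" and "as yet to be finalized" should be "has yet to be finalized". The asterisk was removed from the 1.16 "End of life" cell and attached to the 1.21 "Upstream release" cell, so the footnote now matches the marker; good. With the holiday extension note gone, the table states plainly that 1.16 reached end of life in Jan 2021, which is relevant to other samples in this batch that still pin 1.16.x.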
## FAQ
aks https://docs.microsoft.com/en-us/azure/aks/windows-container-powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/windows-container-powershell.md
@@ -123,7 +123,7 @@ By default, an AKS cluster is created with a node pool that can run Linux contai
Linux node pool. ```azurepowershell-interactive
-New-AzAksNodePool -ResourceGroupName myResourceGroup -ClusterName myAKSCluster -OsType Windows -Name npwin -KubernetesVersion 1.16.7
+New-AzAksNodePool -ResourceGroupName myResourceGroup -ClusterName myAKSCluster -VmSetType VirtualMachineScaleSets -OsType Windows -Name npwin -KubernetesVersion 1.16.7
``` The above command creates a new node pool named **npwin** and adds it to the **myAKSCluster**. When
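Review bot: The command gains `-VmSetType VirtualMachineScaleSets`, but the sentence that follows ("The above command creates a new node pool named npwin ...") does not say why the parameter is needed; add a clause explaining that Windows node pools require a virtual machine scale set based node pool, if that is the reason for the change. Also, the sample still pins `-KubernetesVersion 1.16.7`; the version table updated in this same batch (supported-kubernetes-versions.md) lists 1.16 as end of life in Jan 2021, so the sample should reference a currently supported version or the text should tell readers to substitute one.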
app-service https://docs.microsoft.com/en-us/azure/app-service/environment/zone-redundancy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/environment/zone-redundancy.md
@@ -26,14 +26,12 @@ Unless the steps described in this article are followed, ILB ASEs are not automa
Zonal ILB ASEs can be created in any of the following regions: - Australia East-- Brazil South - Canada Central - Central US - East US - East US 2 - East US 2 (EUAP) - France Central -- Germany West Central - Japan East - North Europe - West Europe
app-service https://docs.microsoft.com/en-us/azure/app-service/tutorial-dotnetcore-sqldb-app https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-dotnetcore-sqldb-app.md
@@ -186,7 +186,7 @@ From the repository root, run the following commands. Replace *\<connection-stri
``` # Delete old migrations
-rm Migrations -r
+rm -r Migrations
# Recreate migrations dotnet ef migrations add InitialCreate
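Review bot: Moving `-r` before the operand is the right fix: POSIX utility syntax places options before operands, and the BSD/macOS `rm` rejects `rm Migrations -r` (it treats `-r` as a second file name and refuses to remove the directory), whereas GNU `rm` happened to accept it. While here, the fence has no language tag; tag it (for example `bash`) so the tutorial's shell snippets are highlighted consistently.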
application-gateway https://docs.microsoft.com/en-us/azure/application-gateway/renew-certificates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/renew-certificates.md
@@ -6,7 +6,7 @@ author: vhorne
ms.service: application-gateway ms.topic: how-to
-ms.date: 8/15/2018
+ms.date: 01/20/2021
ms.author: victorh ---
@@ -18,11 +18,12 @@ You can renew a certificate associated with a listener using either the Azure po
## Azure portal
-To renew a listener certificate from the portal, navigate to your application gateway listeners. Click the listener that has a certificate that needs to be renewed, and then click **Renew or edit selected certificate**.
+To renew a listener certificate from the portal, navigate to your application gateway listeners.
+Select the listener that has a certificate that needs to be renewed, and then select **Renew or edit selected certificate**.
-![Renew certificate](media/renew-certificate/ssl-cert.png)
+:::image type="content" source="media/renew-certificate/ssl-cert.png" alt-text="Renew certificate":::
-Upload your new PFX certificate, give it a name, type the password, and then click **Save**.
+Upload your new PFX certificate, give it a name, type the password, and then select **Save**.
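Review bot: The migrated `:::image:::` directive keeps the alt text "Renew certificate", which just repeats the section topic; a descriptive alt text such as "Listener page with the Renew or edit selected certificate option" helps screen-reader users. In "type the password", say whose password it is ("the password of the PFX file") so readers do not confuse it with a portal credential.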
## Azure PowerShell
attestation https://docs.microsoft.com/en-us/azure/attestation/overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/attestation/overview.md
@@ -35,6 +35,12 @@ Client applications can be designed to take advantage of SGX enclaves by delegat
OE standardizes specific requirements for verification of an enclave evidence. This qualifies OE as a highly fitting attestation consumer of Azure Attestation.
+### TPM attestation
+
+Trusted Platform Module (TPM) based attestation is critical to provide proof of a platformsΓÇÖ state. TPM acts as the root of trust and the security coprocessor to provide cryptographic validity to the measurements(evidence). Devices with a TPM, can rely on attestation to prove that boot integrity is not compromised along with using the claims to detect feature states enablementΓÇÖs during boot.
+
+Client applications can be designed to take advantage of TPM attestation by delegating security-sensitive tasks to only take place after a platform has been validated to be secure. Such applications can then make use of Azure Attestation to routinely establish trust in the platform and its ability to access sensitive data.
+ ## Azure Attestation can run in a TEE Azure Attestation is critical to Confidential Computing scenarios, as it performs the following actions:
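Review bot: The added "TPM attestation" paragraph has two mis-encoded apostrophes: "platformsΓÇÖ state" should be "a platform's state", and "feature states enablementΓÇÖs during boot" should be "feature-state enablement during boot" (no possessive). Also "measurements(evidence)" needs a space before the parenthesis and "Devices with a TPM, can rely" has a stray comma. On substance, "provide cryptographic validity to the measurements" is loose; the companion protocol article in this batch shows the TPM supplying an AIK certificate and signed claims over the boot logs, so "signs the measurements (evidence) with an attestation key rooted in the TPM" would state the mechanism more precisely.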
attestation https://docs.microsoft.com/en-us/azure/attestation/virtualization-based-security-protocol https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/attestation/virtualization-based-security-protocol.md
@@ -11,9 +11,11 @@ ms.author: mbaldwin
---
-# Virtualization-based Security (VBS) attestation protocol
+# Trusted Platform Module (TPM) and Virtualization based Security(VBS) enclave attestation protocol
-For Microsoft Azure Attestation to provide strong security guarantees that the data it is reporting is authentic, it is required to build a chain of trust from the firmware to the launch of the hypervisor and secure kernel. To achieve this Azure Attestation must attest to the boot state of the machine before we can establish trust in the secure enclave. The operating system, hypervisor and secure kernel binaries must be signed by the correct official Microsoft authorities and configured in a secure way. Once we have bound trust between the Trusted Platform Module (TPM) and the health of the hypervisor, we can trust the VBS IDKS provided in the Measured Boot Log. With this we can validate that a key pair was generated by the enclave and mint an attestation report that binds trust in that key and contains other claims such as the security level and boot attestation properties.
+Microsoft Azure Attestation to provide a strong security guarantee relies on verifying a chain of trust is maintained from a root of trust (TPM) to the launch of the hypervisor and secure kernel. To achieve this Azure Attestation must attest to the boot state of the machine before we can establish trust in the secure enclave. The operating system, hypervisor, and secure kernel binaries must be signed by the correct official Microsoft authorities and configured in a secure way. Once we have bound trust between the Trusted Platform Module (TPM) and the health of the hypervisor, we can trust the Virtualization Based Security(VBS) enclave IDKs provided in the Measured Boot Log, with this we can validate that a key pair was generated by the enclave and mint an attestation report that binds trust in that key and contains other claims such as the security level and boot attestation properties.
+
+VBS enclaves require a TPM to provide the measurement to validate the security foundation. VBS enclaves are attested by the TPM endpoint with an addition to the request object in the protocol.
## Protocol messages
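Review bot: The rewritten opening sentence does not parse: "Microsoft Azure Attestation to provide a strong security guarantee relies on verifying a chain of trust is maintained" should be "To provide a strong security guarantee, Microsoft Azure Attestation relies on verifying that a chain of trust is maintained from the root of trust (the TPM) to the launch of the hypervisor and secure kernel". The long sentence ending "Measured Boot Log, with this we can validate ..." is a comma splice; keep the original's sentence break there. "Security(VBS)" needs a space in both the title and the body, the title should hyphenate "Virtualization-based", and the acronym changed from "IDKS" to "IDKs" without ever being expanded; spell out what the enclave identity keys are on first use. The new second paragraph, "attested by the TPM endpoint with an addition to the request object", should name the addition (the `report_signed` wrapper shown in the TPM + VBS sample further down) so readers know what to look for.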
@@ -26,9 +28,9 @@ Client -> Azure Attestation
#### Payload ```
-{
- "type": "aikcert"
-}
+{
+ "type": "aikcert"
+}
``` ΓÇ£typeΓÇ¥ (ASCII string): represents the type of attestation requested. Currently, only ΓÇ£aikcertΓÇ¥ is supported.
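Review bot: This hunk only changes the indentation of the JSON; while touching the block, tag the fence as ```json so the payload is highlighted, and apply the same to the other payload fences in this file. The description line below the fence carries mis-encoded curly quotes in the unchanged context ("ΓÇ£typeΓÇ¥", "ΓÇ£aikcertΓÇ¥"); since the file has evidently been saved with an incorrect code page, replace them with plain ASCII quotes in the same change.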
@@ -42,18 +44,15 @@ Azure Attestation -> Client
#### Payload ```
-{
-
- "challenge": "<BASE64URL(CHALLENGE)>",
-
- "service_context": "<BASE64URL(SERVICECONTEXT)>"
-
-}
+{
+ "challenge": "<BASE64URL(CHALLENGE)>",
+ "service_context": "<BASE64URL(SERVICECONTEXT)>"
+}
``` **challenge** (BASE64URL(OCTETS)): Random value issued by the service.
-**service_context** (BASE64URL(OCTETS)): Opaque, encrypted context created by the service which includes, among others, the challenge and an expiration time for that challenge.
+**service_context** (BASE64URL(OCTETS)): Opaque, encrypted context created by the service, which includes, among others, the challenge, and an expiration time for that challenge.
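Review bot: The edited description now reads "includes, among others, the challenge, and an expiration time for that challenge"; the comma before "and" joins only two items and should be dropped. "Among others" is also vague for a protocol description; "among other fields" is clearer. The reindented payload fence above still has no language tag; tag it ```json.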
### Request message
@@ -66,9 +65,7 @@ Client -> Azure Attestation
``` {- "request": "<JWS>"
-
} ```
@@ -92,103 +89,112 @@ BASE64URL(JWS Signature)
##### JWS Payload
-JWS payload can be of type basic or VBS. Basic is used when attestation evidence does not include VBS data.
+JWS payload can be of type basic or VBS. Basic is used when attestation evidence does not include VBS data.
-Basic example
+TPM only sample:
```
-{
- "att_type": "basic",
- "att_data": {
- "rp_id": "<URL>",
- "rp_data": "<BASE64URL(RPCUSTOMDATA)>",
- "challenge": "<BASE64URL(CHALLENGE)>",
- "tpm_att_data": {
- "srtm_boot_log": "<BASE64URL(SRTMBOOTLOG)>",
- "srtm_resume_log": "<BASE64URL(SRTMRESUMELOG)>",
- "drtm_boot_log": "<BASE64URL(DRTMBOOTLOG)>",
- "drtm_resume_log": "<BASE64URL(DRTMRESUMELOG)>",
- "aik_cert": "<BASE64URL(AIKCERTIFICATE)>",
- // aik_pub is represented as a JSON Web Key (JWK) object (RFC 7517).
- "aik_pub": {
- "kty": "RSA",
- "n": "<Base64urlUInt(MODULUS)>",
- "e": "<Base64urlUInt(EXPONENT)>"
- },
- "current_claim": "<BASE64URL(CURRENTCLAIM)>",
- "boot_claim": "<BASE64URL(BOOTCLAIM)>"
- },
- // attest_key is represented as a JSON Web Key (JWK) object (RFC 7517).
- "attest_key": {
- "kty": "RSA",
- "n": "<Base64urlUInt(MODULUS)>",
- "e": "<Base64urlUInt(EXPONENT)>"
- },
- "custom_claims": [
- {
- "name": "<name>",
- "value": "<value>",
- "value_type": "<value_type>"
- },
- {
- "name": "<name>",
- "value": "<value>",
- "value_type": "<value_type>"
- }
- ],
- "service_context": "<BASE64URL(SERVICECONTEXT)>"
- }
-}
+{
+ "att_type": "basic",
+ "att_data": {
+ "rp_id": "<URL>",
+ "rp_data": "<BASE64URL(RPCUSTOMDATA)>",
+ "challenge": "<BASE64URL(CHALLENGE)>",
+
+ "tpm_att_data": {
+ "srtm_boot_log": "<BASE64URL(SRTMBOOTLOG)>",
+ "srtm_resume_log": "<BASE64URL(SRTMRESUMELOG)>",
+ "drtm_boot_log": "<BASE64URL(DRTMBOOTLOG)>",
+ "drtm_resume_log": "<BASE64URL(DRTMRESUMELOG)>",
+ "aik_cert": "<BASE64URL(AIKCERTIFICATE)>",
+
+ // aik_pub is represented as a JSON Web Key (JWK) object (RFC 7517).
+
+ "aik_pub": {
+ "kty": "RSA",
+ "n": "<Base64urlUInt(MODULUS)>",
+ "e": "<Base64urlUInt(EXPONENT)>"
+ },
+ "current_claim": "<BASE64URL(CURRENTCLAIM)>",
+ "boot_claim": "<BASE64URL(BOOTCLAIM)>"
+ },
+
+ // attest_key is represented as a JSON Web Key (JWK) object (RFC 7517).
+
+ "attest_key": {
+ "kty": "RSA",
+ "n": "<Base64urlUInt(MODULUS)>",
+ "e": "<Base64urlUInt(EXPONENT)>"
+ },
+ "custom_claims": [
+ {
+ "name": "<name>",
+ "value": "<value>",
+ "value_type": "<value_type>"
+ },
+ {
+ "name": "<name>",
+ "value": "<value>",
+ "value_type": "<value_type>"
+ }
+ ],
+ "service_context": "<BASE64URL(SERVICECONTEXT)>"
+ }
+}
```
-VBS example
+TPM + VBS enclave sample:
```
-{
- "att_type": "vbs",
- "att_data": {
- "report_signed": {
- "rp_id": "<URL>",
- "rp_data": "<BASE64URL(RPCUSTOMDATA)>",
- "challenge": "<BASE64URL(CHALLENGE)>",
- "tpm_att_data": {
- "srtm_boot_log": "<BASE64URL(SRTMBOOTLOG)>",
- "srtm_resume_log": "<BASE64URL(SRTMRESUMELOG)>",
- "drtm_boot_log": "<BASE64URL(DRTMBOOTLOG)>",
- "drtm_resume_log": "<BASE64URL(DRTMRESUMELOG)>",
- "aik_cert": "<BASE64URL(AIKCERTIFICATE)>",
- // aik_pub is represented as a JSON Web Key (JWK) object (RFC 7517).
- "aik_pub": {
- "kty": "RSA",
- "n": "<Base64urlUInt(MODULUS)>",
- "e": "<Base64urlUInt(EXPONENT)>"
- },
- "current_claim": "<BASE64URL(CURRENTCLAIM)>",
- "boot_claim": "<BASE64URL(BOOTCLAIM)>"
- },
- // attest_key is represented as a JSON Web Key (JWK) object (RFC 7517).
- "attest_key": {
- "kty": "RSA",
- "n": "<Base64urlUInt(MODULUS)>",
- "e": "<Base64urlUInt(EXPONENT)>"
- },
- "custom_claims": [
- {
- "name": "<name>",
- "value": "<value>",
- "value_type": "<value_type>"
- },
- {
- "name": "<name>",
- "value": "<value>",
- "value_type": "<value_type>"
- }
- ],
- "service_context": "<BASE64URL(SERVICECONTEXT)>"
- },
- "vbs_report": "<BASE64URL(REPORT)>"
- }
-}
+{
+ "att_type": "vbs",
+ "att_data": {
+ "report_signed": {
+ "rp_id": "<URL>",
+ "rp_data": "<BASE64URL(RPCUSTOMDATA)>",
+ "challenge": "<BASE64URL(CHALLENGE)>",
+ "tpm_att_data": {
+ "srtm_boot_log": "<BASE64URL(SRTMBOOTLOG)>",
+ "srtm_resume_log": "<BASE64URL(SRTMRESUMELOG)>",
+ "drtm_boot_log": "<BASE64URL(DRTMBOOTLOG)>",
+ "drtm_resume_log": "<BASE64URL(DRTMRESUMELOG)>",
+ "aik_cert": "<BASE64URL(AIKCERTIFICATE)>",
+
+ // aik_pub is represented as a JSON Web Key (JWK) object (RFC 7517).
+
+ "aik_pub": {
+ "kty": "RSA",
+ "n": "<Base64urlUInt(MODULUS)>",
+ "e": "<Base64urlUInt(EXPONENT)>"
+ },
+ "current_claim": "<BASE64URL(CURRENTCLAIM)>",
+ "boot_claim": "<BASE64URL(BOOTCLAIM)>"
+ },
+
+ // attest_key is represented as a JSON Web Key (JWK) object (RFC 7517).
+
+ "attest_key": {
+ "kty": "RSA",
+ "n": "<Base64urlUInt(MODULUS)>",
+ "e": "<Base64urlUInt(EXPONENT)>"
+ },
+ "custom_claims": [
+ {
+ "name": "<name>",
+ "value": "<value>",
+ "value_type": "<value_type>"
+ },
+ {
+ "name": "<name>",
+ "value": "<value>",
+ "value_type": "<value_type>"
+ }
+ ],
+ "service_context": "<BASE64URL(SERVICECONTEXT)>"
+ },
+ "vsm_report": "<BASE64URL(REPORT)>"
+ }
+}
``` **rp_id** (StringOrURI): Relying party identifier. Used by the service in the computation of the machine ID claim
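Review bot: the last field of the enclave sample is renamed from `vbs_report` to `vsm_report` while `"att_type": "vbs"` and the new heading "TPM + VBS enclave sample" keep the VBS name; if `vsm_report` is the field name the service actually accepts, this is a client-visible correction that deserves a sentence in the text, and if it is not, clients that copy this sample will send a field the service rejects. The definition further down is renamed to match, which is the right thing. Two smaller points: the `+JWS payload can be of type basic or VBS...` line is identical to the line it replaces (whitespace-only churn), and the re-added `// aik_pub is represented as a JSON Web Key (JWK) object (RFC 7517).` comments keep both samples from being valid JSON; moving those two remarks into the field descriptions below the block would let readers paste the samples into a validator.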
@@ -199,13 +205,13 @@ VBS example
**tpm_att_data**: TPM-related attestation data -- **srtm_boot_log (BASE64URL(OCTETS))**: SRTM boot log as retrieved by function Tbsi_Get_TCG_Log_Ex with log type = TBS_TCGLOG_SRTM_BOOT
+- **srtm_boot_log (BASE64URL(OCTETS))**: SRTM boot logs as retrieved by function Tbsi_Get_TCG_Log_Ex with log type = TBS_TCGLOG_SRTM_BOOT
-- **srtm_resume_log (BASE64URL(OCTETS))**: SRTM resume log as retrieved by function Tbsi_Get_TCG_Log_Ex with log type = TBS_TCGLOG_SRTM_RESUME
+- **srtm_resume_log (BASE64URL(OCTETS))**: SRTM resumes log as retrieved by function Tbsi_Get_TCG_Log_Ex with log type = TBS_TCGLOG_SRTM_RESUME
-- **drtm_boot_log (BASE64URL(OCTETS))**: DRTM boot log as retrieved by function Tbsi_Get_TCG_Log_Ex with log type = TBS_TCGLOG_DRTM_BOOT
+- **drtm_boot_log (BASE64URL(OCTETS))**: DRTM boot logs as retrieved by function Tbsi_Get_TCG_Log_Ex with log type = TBS_TCGLOG_DRTM_BOOT
-- **drtm_resume_log (BASE64URL(OCTETS))**: DRTM resume log as retrieved by function Tbsi_Get_TCG_Log_Ex with log type = TBS_TCGLOG_DRTM_RESUME
+- **drtm_resume_log (BASE64URL(OCTETS))**: DRTM resumes log as retrieved by function Tbsi_Get_TCG_Log_Ex with log type = TBS_TCGLOG_DRTM_RESUME
- **aik_cert (BASE64URL(OCTETS))**: The X.509 certificate for the AIK as returned by function NCryptGetProperty with property = NCRYPT_CERTIFICATE_PROPERTY
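Review bot: "SRTM resumes log" and "DRTM resumes log" in the `+` lines for `srtm_resume_log` and `drtm_resume_log` read as verb phrases; each field is a single log (one BASE64URL(OCTETS) value returned by one `Tbsi_Get_TCG_Log_Ex` call), so the removed wording "SRTM resume log" / "DRTM resume log" was correct and should be restored, and by the same reasoning "SRTM boot logs" / "DRTM boot logs" should stay singular "boot log".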
@@ -215,7 +221,7 @@ VBS example
- **boot_claim (BASE64URL(OCTETS))**: The attestation claim for the PCR state at boot as returned by function NCryptCreateClaim with dwClaimType = NCRYPT_CLAIM_PLATFORM and parameter NCRYPTBUFFER_TPM_PLATFORM_CLAIM_PCR_MASK set to include all PCRs
-**vbs report** (BASE64URL(OCTETS)): The VBS enclave attestation report as returned by function EnclaveGetAttestationReport. The EnclaveData parameter must be the SHA-512 hash of the value of report_signed (including the opening and closing braces). The hash function input is UTF8(report_signed)
+**vsm_report**ΓÇ»(BASE64URL(OCTETS)): The VBS enclave attestation report as returned by function EnclaveGetAttestationReport. The EnclaveData parameter must be the SHA-512 hash of the value of report_signed (including the opening and closing braces). The hash function input is UTF8(report_signed)
**attest_key**: The public part of the enclave key represented as a JSON Web Key (JWK) object (RFC 7517)
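Review bot: the `+**vsm_report**ΓÇ»(BASE64URL(OCTETS))` line has a non-ASCII (non-breaking) space between the field name and its type, rendered here as `ΓÇ»`; the other definitions in this list, such as `**service_context** (BASE64URL(OCTETS))`, use a plain space, so replace it. The description still says "The VBS enclave attestation report" while the field is now `vsm_report`; a one-line note that the VSM (Virtual Secure Mode) report is the VBS enclave report would help readers reconcile the two terms.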
@@ -244,3 +250,7 @@ Azure Attestation -> Client
``` **report** (JWT): The attestation report in JSON Web Token (JWT) format (RFC 7519).+
+## Next steps
+
+- [Azure Attestation workflow](workflow.md)
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-http-webhook-trigger.md
@@ -39,11 +39,15 @@ public static async Task<IActionResult> Run(
log.LogInformation("C# HTTP trigger function processed a request."); string name = req.Query["name"];-
- string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
+
+ string requestBody = String.Empty;
+ using (StreamReader streamReader = new StreamReader(req.Body))
+ {
+ requestBody = await streamReader.ReadToEndAsync();
+ }
dynamic data = JsonConvert.DeserializeObject(requestBody); name = name ?? data?.name;-
+
return name != null ? (ActionResult)new OkObjectResult($"Hello, {name}") : new BadRequestObjectResult("Please pass a name on the query string or in the request body");
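Review bot: wrapping the reader in `using` also disposes `req.Body`, because `StreamReader.Dispose()` closes the underlying stream unless the reader was created with the `leaveOpen: true` constructor parameter; that is harmless in this sample, where nothing reads the body afterwards, but readers copy these snippets into functions that log or re-read the body later, so either pass `leaveOpen: true` or add a comment that the body is consumed here. Also, `string requestBody = String.Empty;` is redundant: the variable is definitely assigned inside the `using` block, so `string requestBody;` is enough.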
@@ -96,11 +100,15 @@ public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
log.LogInformation("C# HTTP trigger function processed a request."); string name = req.Query["name"];-
- string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
+
+ string requestBody = String.Empty;
+ using (StreamReader streamReader = new StreamReader(req.Body))
+ {
+ requestBody = await streamReader.ReadToEndAsync();
+ }
dynamic data = JsonConvert.DeserializeObject(requestBody); name = name ?? data?.name;-
+
return name != null ? (ActionResult)new OkObjectResult($"Hello, {name}") : new BadRequestObjectResult("Please pass a name on the query string or in the request body");
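Review bot: this is the same edit as the hunk above applied to the second sample of the same function, and the same comments apply (the `String.Empty` initializer is redundant once the value is assigned inside the `using`, and disposing the reader also disposes `req.Body`). If the two samples are meant to differ only in the signature, sourcing both from one shared snippet would stop them drifting apart in future edits.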
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-premium-plan https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-premium-plan.md
@@ -149,6 +149,8 @@ Running on a machine with more memory doesn't always mean that your function app
For example, a JavaScript function app is constrained by the default memory limit in Node.js. To increase this fixed memory limit, add the app setting `languageWorkers:node:arguments` with a value of `--max-old-space-size=<max memory in MB>`.
+And for plans with more than 4GB memory, ensure the Bitness Platform Setting is set to `64 Bit` under [General Settings](/azure/app-service/configure-common#configure-general-settings).
+ ## Region Max Scale Out Below are the currently supported maximum scale-out values for a single plan in each region and OS configuration. To request an increase, you can open a support ticket.
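Review bot: the added sentence `+And for plans with more than 4GB memory, ensure the Bitness Platform Setting is set to ...` should not open with "And", and it should say why the setting matters so readers can tell whether it applies to them: a 32-bit worker process cannot address more than 4 GB no matter how large the plan is. Suggested: "For plans with more than 4 GB of memory, also set the platform bitness to `64 Bit` under General Settings; a 32-bit process can't use memory beyond 4 GB." Write "4 GB" with a space, matching normal unit spacing.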
azure-government https://docs.microsoft.com/en-us/azure/azure-government/azure-secure-isolation-guidance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/azure-secure-isolation-guidance.md
@@ -783,7 +783,7 @@ In addition to technical implementation details that enable Azure compute, netwo
## Security assurance processes and practices Azure isolation assurance is further enforced by MicrosoftΓÇÖs internal use of the [Security Development Lifecycle](https://www.microsoft.com/securityengineering/sdl/) (SDL) and other strong security assurance processes to protect attack surfaces and mitigate threats. Microsoft has established industry-leading processes and tooling that provides high confidence in the Azure isolation guarantee. -- **Security Development Lifecycle (SDL)** ΓÇô The Microsoft SDL introduces security and privacy considerations throughout all phases of the development process, helping developers build highly secure software, address security compliance requirements, and reduce development costs. The guidance, best practices, tools, and processes in the Microsoft SDL are practices used internally to build all Azure services and create more secure products and services. This process is also publicly documented to share MicrosoftΓÇÖs learnings with the broader industry and incorporate industry feedback to create a stronger security development process.
+- **Security Development Lifecycle (SDL)** ΓÇô The Microsoft SDL introduces security and privacy considerations throughout all phases of the development process, helping developers build highly secure software, address security compliance requirements, and reduce development costs. The guidance, best practices, [tools](https://www.microsoft.com/securityengineering/sdl/resources), and processes in the Microsoft SDL are [practices](https://www.microsoft.com/securityengineering/sdl/practices) used internally to build all Azure services and create more secure products and services. This process is also publicly documented to share MicrosoftΓÇÖs learnings with the broader industry and incorporate industry feedback to create a stronger security development process.
- **Tooling and processes** ΓÇô All Azure code is subject to an extensive set of both static and dynamic analysis tools that identify potential vulnerabilities, ineffective security patterns, memory corruption, user privilege issues, and other critical security problems. - *Purpose built fuzzing* ΓÇô A testing technique used to find security vulnerabilities in software products and services. It consists of repeatedly feeding modified, or fuzzed, data to software inputs to trigger hangs, exceptions, and crashes, i.e., fault conditions that could be leveraged by an attacker to disrupt or take control of applications and services. The Microsoft SDL recommends [fuzzing](https://www.microsoft.com/research/blog/a-brief-introduction-to-fuzzing-and-why-its-an-important-tool-for-developers/) all attack surfaces of a software product, especially those surfaces that expose a data parser to untrusted data. - *Live-site penetration testing* ΓÇô Microsoft conducts [ongoing live-site penetration testing](https://gallery.technet.microsoft.com/Cloud-Red-Teaming-b837392e) to improve cloud security controls and processes, as part of the Red Teaming program described later in this section. Penetration testing is a security analysis of a software system performed by skilled security professionals simulating the actions of a hacker. The objective of a penetration test is to uncover potential vulnerabilities resulting from coding errors, system configuration faults, or other operational deployment weaknesses. The tests are conducted against Azure infrastructure and platforms as well as MicrosoftΓÇÖs own tenants, applications, and data. Customer tenants, applications, and data hosted in Azure are never targeted; however, customers can conduct [their own penetration testing](../security/fundamentals/pen-testing.md) of their applications deployed in Azure.
azure-government https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-developer-guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-developer-guide.md
@@ -10,7 +10,7 @@ ms.devlang: na
ms.topic: article ms.tgt_pltfrm: na ms.workload: azure-government
-ms.date: 10/10/2020
+ms.date: 1/11/2021
---
@@ -22,42 +22,43 @@ Microsoft provides various tools to help developers create and deploy cloud appl
When developers create and deploy applications to Azure Government services, as opposed to the global service, they need to know the key differences between the two services. The specific areas to understand are:
-* Setting up and configuring their programming environment
-* Configuring endpoints
-* Writing applications
-* Deploying applications as services to Azure Government
+- Setting up and configuring their programming environment
+- Configuring endpoints
+- Writing applications
+- Deploying applications as services to Azure Government
The information in this document summarizes the differences between the two services. It supplements the information that's available through the following sources:
-* [Azure Government](https://www.azure.com/gov "Azure Government") site
-* [Microsoft Azure Trust Center](https://www.microsoft.com/trust-center/product-overview "Microsoft Azure Trust Center")
-* [Azure Documentation Center](../index.yml)
-* [Azure Blogs](https://azure.microsoft.com/blog/ "Azure Blogs")
+- [Azure Government](https://www.azure.com/gov "Azure Government") site
+- [Microsoft Azure Trust Center](https://www.microsoft.com/trust-center/product-overview "Microsoft Azure Trust Center")
+- [Azure Documentation Center](../index.yml)
+- [Azure Blogs](https://azure.microsoft.com/blog/ "Azure Blogs")
This content is intended for partners and developers who are deploying to Microsoft Azure Government. ## Guidance for developers Most of the currently available technical content assumes that applications are being developed for the global service rather than for Azure Government. For this reason, itΓÇÖs important to be aware of two key differences in applications that you develop for hosting in Azure Government.
-* Certain services and features that are in specific regions of the global service might not be available in Azure Government.
-* Feature configurations in Azure Government might differ from those in the global service.
- - Therefore, it's important to review your sample code, configurations, and steps to ensure that you are building and executing within the Azure Government Cloud Services environment.
+- Certain services and features that are in specific regions of the global service might not be available in Azure Government.
+- Feature configurations in Azure Government might differ from those in the global service.
+
+Therefore, it's important to review your sample code, configurations, and steps to ensure that you are building and executing within the Azure Government cloud services environment.
Currently, US DoD Central, US DoD East, US Gov Arizona, US Gov Texas, and US Gov Virginia are the regions that support Azure Government. For current regions and available services, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=all&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia). ### Quickstarts Navigate through the links below to get started using Azure Government.
-* [Login to Azure Government Portal](documentation-government-get-started-connect-with-portal.md)
-* [Connect with PowerShell](documentation-government-get-started-connect-with-ps.md)
-* [Connect with CLI](documentation-government-get-started-connect-with-cli.md)
-* [Connect with Visual Studio](documentation-government-connect-vs.md)
-* [Connect to Azure Storage](documentation-government-get-started-connect-to-storage.md)
-* [Connect with Azure SDK for Python](/azure/python/python-sdk-azure-multi-cloud)
+- [Login to Azure Government Portal](./documentation-government-get-started-connect-with-portal.md)
+- [Connect with PowerShell](./documentation-government-get-started-connect-with-ps.md)
+- [Connect with CLI](./documentation-government-get-started-connect-with-cli.md)
+- [Connect with Visual Studio](./documentation-government-connect-vs.md)
+- [Connect to Azure Storage](./documentation-government-get-started-connect-to-storage.md)
+- [Connect with Azure SDK for Python](https://docs.microsoft.com/azure/developer/python/azure-sdk-sovereign-domain)
### Azure Government Video Library
-The [Azure Government video library](https://channel9.msdn.com/blogs/Azure-Government) contains many helpful videos to get you up and running with Azure Government.
+The [Azure Government video library](https://aka.ms/AzureGovVideos) contains many helpful videos to get you up and running with Azure Government.
## Compliance - Azure Blueprint The [Azure Blueprint](../governance/blueprints/overview.md) program is designed to facilitate the secure and compliant use of Azure for government agencies and third-party providers building on behalf of government.
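Review bot: the Python SDK link moves from the root-relative `/azure/python/python-sdk-azure-multi-cloud` to the absolute `https://docs.microsoft.com/azure/developer/python/azure-sdk-sovereign-domain` while every other link in the list changes to the `./` relative form; a root-relative `/azure/developer/python/azure-sdk-sovereign-domain` keeps the cross-repo target without hard-coding host and locale. Separately, the `+- [Login to Azure Government Portal](...)` line carries over "Login" used as a verb; "Log in to the Azure Government portal" is the correct form. Turning the nested `- - Therefore, it's important...` bullet into a paragraph is the right fix.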
@@ -65,14 +66,14 @@ The [Azure Blueprint](../governance/blueprints/overview.md) program is designed
For more information on Azure Government Compliance, refer to the [compliance documentation](./documentation-government-plan-compliance.md) and watch this [video](https://channel9.msdn.com/blogs/Azure-Government/Compliance-on-Azure-Government). ## Endpoint mapping
-Service endpoints in Azure Government are different than in Azure. For a mapping between Azure and Azure Government endpoints, see [Compare Azure Government and global Azure](compare-azure-government-global-azure.md#guidance-for-developers).
+Service endpoints in Azure Government are different than in Azure. For a mapping between Azure and Azure Government endpoints, see [Compare Azure Government and global Azure](./compare-azure-government-global-azure.md#guidance-for-developers).
## Next steps For more information about Azure Government, see the following resources:
-* [Sign up for a trial](https://azure.microsoft.com/global-infrastructure/government/request/?ReqType=Trial)
-* [Acquiring and accessing Azure Government](https://azure.com/gov)
-* [Ask questions via the azure-gov tag in StackOverflow](https://stackoverflow.com/tags/azure-gov)
-* [Azure Government Overview](documentation-government-welcome.md)
-* [Azure Government Blog](https://blogs.msdn.microsoft.com/azuregov/)
-* [Azure Compliance](https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings)
\ No newline at end of file
+- [Sign up for a trial](https://azure.microsoft.com/global-infrastructure/government/request/?ReqType=Trial)
+- [Acquiring and accessing Azure Government](https://azure.com/gov)
+- [Ask questions via the azure-gov tag in StackOverflow](https://stackoverflow.com/tags/azure-gov)
+- [Azure Government Overview](./documentation-government-welcome.md)
+- [Azure Government Blog](https://blogs.msdn.microsoft.com/azuregov/)
+- [Azure Compliance](../compliance/index.yml)
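Review bot: in `+Service endpoints in Azure Government are different than in Azure.`, "different than in" should be "different from those in"; since the line is touched for the link anyway, fix the wording too. The link changes themselves are consistent: `./`-relative for same-folder articles and `../compliance/index.yml` for the compliance hub.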
azure-government https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-impact-level-5 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-impact-level-5.md
@@ -10,153 +10,116 @@ ms.devlang: na
ms.topic: overview ms.tgt_pltfrm: na ms.workload: azure-government
-ms.date: 11/14/2020
+ms.date: 1/11/2021
ms.custom: references_regions #Customer intent: As a DoD mission owner, I want to know how to implement a workload at Impact Level 5 in Microsoft Azure Government. --- # Isolation guidelines for Impact Level 5 workloads
-Azure Government supports applications in all regions that require Impact Level 5 (IL5) data, as defined in the [US Department of Defense Cloud Security Requirements Guide (SRG)](https://dl.dod.cyber.mil/wp-content/uploads/cloud/SRG/https://docsupdatetracker.net/index.html). IL5 workloads have a higher degree of impact to the US Department of Defense and must be secured to a higher standard. When you deploy these workloads on Azure Government, you can meet their isolation requirements in various ways. The guidance in this document will address configurations and settings needed to meet the isolation required to support IL5 data. We'll update this document as new implementations are enabled and as new services are accredited for IL5 data by DISA.
+Azure Government supports applications in all regions that require Impact Level 5 (IL5) data, as defined in the [US Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG)](https://dl.dod.cyber.mil/wp-content/uploads/cloud/SRG/https://docsupdatetracker.net/index.html#3INFORMATIONSECURITYOBJECTIVES/IMPACTLEVELS). IL5 workloads have a higher degree of impact to the DoD and must be secured to a higher standard. When you deploy these workloads on Azure Government, you can meet their isolation requirements in various ways. The guidance in this document addresses configurations and settings needed to meet the IL5 isolation requirements. We'll update this document as new implementations are enabled and as new services are authorized for IL5 data by the Defense Information Systems Agency (DISA).
## Background
-In January 2017, the Impact Level 5 Provisional Authorization (PA) for Azure Government was the first provided to a hyperscale cloud provider. This authorization covered two regions of Azure Government (US DoD Central and US DoD East) that were dedicated to the DoD. Based on mission owner feedback and evolving security capabilities, Microsoft has partnered with DISA to expand the IL5 PA in December 2018 to cover all six Azure Government regions while still honoring the isolation requirements needed by the Department of Defense.
+In January 2017, DISA awarded the IL5 Provisional Authorization (PA) to [Azure Government for DoD](https://azure.microsoft.com/global-infrastructure/government/dod/), making it the first IL5 PA awarded to a hyperscale cloud provider. The PA covered two Azure Government for DoD regions (US DoD Central and US DoD East) that are dedicated to the DoD. Based on DoD mission owner feedback and evolving security capabilities, Microsoft has partnered with DISA to expand the IL5 PA boundary in December 2018 to cover [Azure Government](https://azure.microsoft.com/global-infrastructure/government/get-started/), which is available from three regions (US Gov Arizona, US Gov Texas, and US Gov Virginia) to US federal, state, local, and tribal governments and their partners. The IL5 expansion to Azure Government honors the isolation requirements mandated by the DoD.
-Azure Government continues to provide more PaaS features and services to the DoD at Impact Level 5 than any other cloud provider.
+Azure Government continues to provide more PaaS services suitable for DoD IL5 workloads than any other cloud services environment.
## Principles and approach
-You need to address two key areas for services in Impact Level 5 scope: storage isolation and compute isolation. We'll focus on how these services can isolate the compute and storage of Impact Level 5 data. The SRG allows for a shared management and network infrastructure.
+You need to address two key areas for Azure services in IL5 scope: storage isolation and compute isolation. We'll focus on how these services can help isolate the compute and storage of IL5 data. The SRG allows for a shared management and network infrastructure. **This article is focused on Azure Government compute and storage isolation approaches.** If an Azure service is available in Azure Government for DoD and authorized at IL5, then it is by default suitable for IL5 workloads with no additional isolation configuration required. Azure Government for DoD is reserved for DoD agencies and their partners, enabling physical separation from non-DoD tenants by design.
+
+For Azure service availability in Azure Government and Azure Government for DoD, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia&products=all). For IL5 authorization status, see [Azure Government services by audit scope](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope).
### Compute isolation
-The SRG focuses on the segmentation of compute during "processing" of data for Impact Level 5. This segmentation ensures that a virtual machine that compromises the physical host can't affect a DoD workload. To remove the risk of runtime attacks and ensure long running workloads aren't compromised from other workloads on the same host, all Impact Level 5 virtual machines should be isolated via Azure Dedicated Host. Doing so provides a dedicated physical server to host your Azure VMs for Windows and Linux.
+IL5 separation requirements are stated in the SRG [Section 5.2.2.3](https://dl.dod.cyber.mil/wp-content/uploads/cloud/SRG/https://docsupdatetracker.net/index.html#5.2LegalConsiderations). The SRG focuses on compute separation during "processing" of IL5 data. This separation ensures that a virtual machine that could potentially compromise the physical host can't affect a DoD workload. To remove the risk of runtime attacks and ensure long running workloads aren't compromised from other workloads on the same host, all IL5 virtual machines should be isolated via [Azure Dedicated Host](https://azure.microsoft.com/services/virtual-machines/dedicated-host/). Doing so provides a dedicated physical server to host your Azure Virtual Machines (VMs) for Windows and Linux.
For services where the compute processes are obfuscated from access by the owner and stateless in their processing of data, you should accomplish isolation by focusing on the data being processed and how it's stored and retained. This approach ensures the data is stored in protected mediums. It also ensures the data isn't present on these services for extended periods unless it's encrypted as needed. ### Storage isolation
-In the most recent PA for Azure Government, DISA approved logical separation of IL5 from other data via cryptographic means. In Azure, this approach involves encryption via keys that are maintained in Azure Key Vault. The keys are owned and managed by the IL5 system owner.
+In the most recent PA for Azure Government, DISA approved logical separation of IL5 from other data via cryptographic means. In Azure, this approach involves data encryption via keys that are maintained in Azure Key Vault and stored in FIPS 140-2 validated Hardware Security Modules (HSM). The keys are owned and managed by the IL5 system owner.
Here's how this approach applies to services: - If a service hosts only IL5 data, the service can control the key for end users. But it must use a dedicated key to protect IL5 data from all other data in the cloud.-- If a service will host IL5 and non-DoD data, the service must expose the option for end users to use their own keys for encryption. Those keys are stored in Azure Key Vault. This implementation gives consumers of the service the ability to implement cryptographic separation as needed.
+- If a service will host IL5 and non-DoD data, the service must expose the option for end users to use their own encryption keys that are maintained in Azure Key Vault. This implementation gives consumers of the service the ability to implement cryptographic separation as needed.
+
+This approach ensures all key material for decrypting data is stored separately from the data itself using a hardware-based key management solution.
-This approach ensures all key material for decrypting data is stored separately of the data itself and done so with a hardware key-management solution.
+The DoD requirements for encrypting data at rest are provided in the SRG [Section 5.11](https://dl.dod.cyber.mil/wp-content/uploads/cloud/SRG/https://docsupdatetracker.net/index.html#5.11EncryptionofData-at-RestinCommercialCloudStorage). Note that DoD emphasizes encrypting all data at rest stored in virtual machine virtual hard drives, mass storage facilities at the block or file level, and database records where the mission owner does not have sole control over the database service. For cloud applications where encrypting data at rest with DoD key control is not possible, mission owners must perform a risk analysis with relevant data owners before transmitting data into a cloud service offering.
## Applying this guidance
-Impact Level 5 guidelines require workloads to be deployed with a high degree of security, isolation, and control. The following configurations are required *in addition* to any other configurations or controls needed to meet Impact Level 5. Network isolation, access controls, and other necessary security measures aren't necessarily addressed in the guidance here.
+IL5 guidelines require workloads to be deployed with a high degree of security, isolation, and control. The following configurations are required *in addition* to any other configurations or controls needed to meet IL5 requirements. Network isolation, access controls, and other necessary security measures aren't necessarily addressed in this article.
Be sure to review the entry for each service you're using and ensure that all isolation requirements are implemented. ## AI + machine learning
-### [Azure Bot Service](/azure/bot-service/)
+For AI and machine learning services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=project-bonsai,genomics,search,bot-service,databricks,machine-learning-service,cognitive-services&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-Azure Bot Service supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
+### [Azure Bot Services](https://azure.microsoft.com/services/bot-services/)
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Bot Service** | X | X | X | | |
+Azure Bot Services supports Impact Level 5 workloads in Azure Government with no additional configuration required.
### [Azure Cognitive Search](https://azure.microsoft.com/services/search/) Azure Cognitive Search supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in Azure Cognitive Search by [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/search/search-security-manage-encryption-keys).-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Cognitive Search** | X | X | X | | |
+- Configure encryption at rest of content in Azure Cognitive Search by [using customer-managed keys in Azure Key Vault](../search/search-security-manage-encryption-keys.md).
### [Azure Machine Learning](https://azure.microsoft.com/services/machine-learning/) Azure Machine Learning supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in Azure Machine Learning by using customer-managed keys in Azure Key Vault. Azure Machine Learning stores snapshots, output, and logs in the Azure Blob Storage account that's associated with the Azure Machine Learning workspace and customer subscription. All the data stored in Azure Blob Storage is [encrypted at rest with Microsoft-managed keys](https://docs.microsoft.com/azure/machine-learning/concept-enterprise-security#data-encryption). Customers can use their own keys for data stored in Azure Blob Storage. See [Configure encryption with customer-managed keys stored in Azure Key Vault](../storage/common/customer-managed-keys-configure-key-vault.md).-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Machine Learning** | X | X | X | | |
+- Configure encryption at rest of content in Azure Machine Learning by using customer-managed keys in Azure Key Vault. Azure Machine Learning stores snapshots, output, and logs in the Azure Blob Storage account that's associated with the Azure Machine Learning workspace and customer subscription. All the data stored in Azure Blob Storage is [encrypted at rest with Microsoft-managed keys](../machine-learning/concept-enterprise-security.md#data-encryption). Customers can use their own keys for data stored in Azure Blob Storage. See [Configure encryption with customer-managed keys stored in Azure Key Vault](../storage/common/customer-managed-keys-configure-key-vault.md).
### [Cognitive Services: Computer Vision](https://azure.microsoft.com/services/cognitive-services/computer-vision/)
-Computer Vision supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Computer Vision** | X | X | X | | |
+Computer Vision supports Impact Level 5 workloads in Azure Government with no additional configuration required.
### [Cognitive Services: Content Moderator](https://azure.microsoft.com/services/cognitive-services/content-moderator/) The Azure Cognitive Services Content Moderator service supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in the Content Moderator service by [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/cognitive-services/content-moderator/content-moderator-encryption-of-data-at-rest).-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Content Moderator** | X | X | X | | |
+- Configure encryption at rest of content in the Content Moderator service by [using customer-managed keys in Azure Key Vault](../cognitive-services/content-moderator/content-moderator-encryption-of-data-at-rest.md).
### [Cognitive Services: Face](https://azure.microsoft.com/services/cognitive-services/face/) The Cognitive Services Face service supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in the Face service by [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/cognitive-services/face/face-encryption-of-data-at-rest).-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Face** | X | X | X | | |
+- Configure encryption at rest of content in the Face service by [using customer-managed keys in Azure Key Vault](../cognitive-services/face/face-encryption-of-data-at-rest.md).
### [Cognitive Services: Language Understanding](https://azure.microsoft.com/services/cognitive-services/language-understanding-intelligent-service/) The Cognitive Services Language Understanding service supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in the Language Understanding service by [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/cognitive-services/luis/luis-encryption-of-data-at-rest).-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Language Understanding** | X | X | X | | |
+- Configure encryption at rest of content in the Language Understanding service by [using customer-managed keys in Azure Key Vault](../cognitive-services/luis/luis-encryption-of-data-at-rest.md).
### [Cognitive Services: Text Analytics](https://azure.microsoft.com/services/cognitive-services/text-analytics/)
-Text Analytics supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Text Analytics** | X | X | X | | |
+The Cognitive Services Text Analytics service supports Impact Level 5 workloads in Azure Government with no additional configuration required.
### [Cognitive Services: Translator](https://azure.microsoft.com/services/cognitive-services/translator/) The Cognitive Services Translator service supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in the Translator service by [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/cognitive-services/translator/translator-encryption-of-data-at-rest).-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Translator** | X | X | X | | |
-
+- Configure encryption at rest of content in the Translator service by [using customer-managed keys in Azure Key Vault](../cognitive-services/translator/translator-encryption-of-data-at-rest.md).
### [Cognitive Services: Speech Services](https://azure.microsoft.com/services/cognitive-services/speech-services/) Cognitive Services Speech Services supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in Speech Services by [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/cognitive-services/speech-service/speech-encryption-of-data-at-rest).
+- Configure encryption at rest of content in Speech Services by [using customer-managed keys in Azure Key Vault](../cognitive-services/speech-service/speech-encryption-of-data-at-rest.md).
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Speech Services** | X | X | X | | |
+## Analytics
-## Analytics services
+For Analytics services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=data-share,power-bi-embedded,analysis-services,event-hubs,data-lake-analytics,storage,data-catalog,monitor,data-factory,synapse-analytics,stream-analytics,databricks,hdinsight&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
### [Azure Analysis Services](https://azure.microsoft.com/services/analysis-services/)
-Azure Analysis Services supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Analysis Services** | X | X | X | X | X |
+Azure Analysis Services supports Impact Level 5 workloads in Azure Government with no additional configuration required.
### [Azure Data Explorer](https://azure.microsoft.com/services/data-explorer/)
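Review bot: the replacement sentences for Bot Service, Cognitive Search, Machine Learning, Computer Vision, Content Moderator, Face, Language Understanding, Text Analytics, Translator and Speech Services drop the per-region availability that the removed tables carried, and in every one of those tables the US DoD East and US DoD Central columns were blank. A line such as "Azure Bot Services supports Impact Level 5 workloads in Azure Government with no additional configuration required." now reads as unqualified. The Analytics section in this same hunk gets a pointer ("For Analytics services availability in Azure Government, see [Products available by region](...)"), so confirm the AI section intro above this hunk carries the same pointer, or keep a short region qualifier in each AI entry, so a reader does not infer DoD-region availability that the old tables did not claim.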
@@ -164,41 +127,11 @@ Azure Data Explorer supports Impact Level 5 workloads in Azure Government with t
- Data in Azure Data Explorer clusters in Azure is secured and encrypted with Microsoft-managed keys by default. For additional control over encryption keys, you can supply customer-managed keys to use for data encryption and manage [encryption of your data](https://docs.microsoft.com/azure/data-explorer/security#data-encryption) at the storage level with your own keys.
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Data Explorer** | X | X | X | X | X |
-
-### [Azure Data Factory](https://azure.microsoft.com/services/data-factory/)
-
-Azure Data Factory supports Impact Level 5 workloads in Azure Government with this configuration:
--- Secure data store credentials by storing encrypted credentials in a Data Factory managed store. Data Factory helps protect your data store credentials by encrypting them with certificates managed by Microsoft. For more information about Azure Storage security, see [Azure Storage security overview](../storage/common/security-baseline.md). You can also store the data store's credentials in Azure Key Vault. Data Factory retrieves the credentials during the execution of an activity. For more information, see [Store credentials in Azure Key Vault](https://docs.microsoft.com/azure/data-factory/store-credentials-in-key-vault).-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Data Factory** | X | X | X | | |
-
-### [Azure Event Hubs](https://azure.microsoft.com/services/event-hubs/)
-
-Azure Event Hubs supports Impact Level 5 workloads in Azure Government in these regions:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Event Hubs** | X<sup>1</sup> | X<sup>1</sup> | X<sup>1</sup> | X | X |
-
-> [!IMPORTANT]
-> <sup>1</sup>Use client-side encryption to encrypt data before using Azure Event Hubs in the noted regions.
-
-### [Azure HDInsight](https://azure.microsoft.com/services/hdinsight/)
+### [Azure Stream Analytics](https://azure.microsoft.com/services/stream-analytics/)
-Azure HDInsight supports Impact Level 5 workloads in Azure Government with these configurations:
--- Azure HDInsight can be deployed to existing storage accounts that have enabled appropriate [Storage service encryption](#storage-encryption-with-key-vault-managed-keys), as discussed in the guidance for Azure Storage.-- Azure HDInsight enables a database option for certain configurations. Ensure the appropriate database configuration for TDE is enabled on the option you choose. This process is discussed in the guidance for [Azure SQL Database](#azure-sql-database).
+Azure Stream Analytics supports Impact Level 5 workloads in Azure Government with this configuration:
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure HDInsight** | X | X | X | X | X |
+- Configure encryption at rest of content in Azure Stream Analytics by [using customer-managed keys in Azure Key Vault](../stream-analytics/data-protection.md).
### [Azure Synapse Analytics](https://azure.microsoft.com/services/sql-data-warehouse/)
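Review bot: the Azure Data Explorer bullet kept as context at the top of this hunk still uses an absolute link (`https://docs.microsoft.com/azure/data-explorer/security#data-encryption`) while the rest of this change converts such links to relative ones, for example `../stream-analytics/data-protection.md` in the new Stream Analytics bullet. If it was left absolute because the Data Explorer docs live outside this repo, that is fine, but a sentence in the PR description would save the next reviewer the question; otherwise convert it for consistency with the other links.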
@@ -209,55 +142,37 @@ Azure Synapse Analytics supports Impact Level 5 workloads in Azure Government wi
> [!NOTE] > The instructions to enable this configuration are the same as the instructions to do so for Azure SQL Database.
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Synapse Analytics** | X | X | X | X | X |
+### [Data Factory](https://azure.microsoft.com/services/data-factory/)
-### [Power BI Embedded](https://azure.microsoft.com/services/power-bi-embedded/)
-
-Power BI Embedded supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Power BI Embedded** | X | X | X | X | X |
-
-### [Power Automate](https://flow.microsoft.com/)
+Azure Data Factory supports Impact Level 5 workloads in Azure Government with this configuration:
-Power Automate supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
+- Secure data store credentials by storing encrypted credentials in a Data Factory managed store. Data Factory helps protect your data store credentials by encrypting them with certificates managed by Microsoft. For more information about Azure Storage security, see [Azure Storage security overview](../storage/common/security-baseline.md). You can also store the data store's credentials in Azure Key Vault. Data Factory retrieves the credentials during the execution of an activity. For more information, see [Store credentials in Azure Key Vault](../data-factory/store-credentials-in-key-vault.md).
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Power Automate** | X | X | X | | |
+### [Event Hubs](https://azure.microsoft.com/services/event-hubs/)
-### [Stream Analytics](https://azure.microsoft.com/services/stream-analytics/)
+Azure Event Hubs supports Impact Level 5 workloads in Azure Government.
-Azure Stream Analytics supports Impact Level 5 workloads in Azure Government with this configuration:
+> [!IMPORTANT]
+> Use client-side encryption to encrypt data before using Azure Event Hubs in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia.
-- Configure encryption at rest of content in Azure Stream Analytics by [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/stream-analytics/data-protection).
+### [HDInsight](https://azure.microsoft.com/services/hdinsight/)
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Stream Analytics** | X | X | X | | |
+Azure HDInsight supports Impact Level 5 workloads in Azure Government with these configurations:
-## Compute services
+- Azure HDInsight can be deployed to existing storage accounts that have enabled appropriate [Storage service encryption](#storage-encryption-with-key-vault-managed-keys), as discussed in the guidance for Azure Storage.
+- Azure HDInsight enables a database option for certain configurations. Ensure the appropriate database configuration for TDE is enabled on the option you choose. This process is discussed in the guidance for [Azure SQL Database](#azure-sql-database).
-### [Azure Batch](https://azure.microsoft.com/services/batch/)
+### [Power Automate](https://flow.microsoft.com/)
-Azure Batch supports Impact Level 5 workloads in Azure Government with this configuration:
+Power Automate (formerly Microsoft Flow) supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and [authorized at IL5](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope) in Azure Government regions.
-- Enable user subscription mode, which will require a Key Vault instance for proper encryption and key storage. For more information, see the documentation on [batch account configurations](../batch/batch-account-create-portal.md).
+### [Power BI Embedded](https://azure.microsoft.com/services/power-bi-embedded/)
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Batch** | X | X | X | X | X |
+Power BI Embedded supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-### [Cloud Services](https://azure.microsoft.com/services/cloud-services/)
+## Compute
-Azure Cloud Services supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Cloud Services** | X | X | X | X | X |
+For Compute services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud,azure-vmware,cloud-services,batch,app-service,service-fabric,functions,virtual-machine-scale-sets,virtual-machines&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
### [Azure Functions](https://azure.microsoft.com/services/functions/)
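Review bot: the new Event Hubs entry reads "Azure Event Hubs supports Impact Level 5 workloads in Azure Government." with no "with this configuration:" lead and no bullet, yet the IMPORTANT note directly below it makes client-side encryption a requirement in US Gov Arizona, US Gov Texas and US Gov Virginia. Every other entry that needs a configuration uses the "supports Impact Level 5 workloads in Azure Government with this configuration:" lead followed by a bullet, so a reader scanning for that pattern may take Event Hubs as needing nothing; suggest the same lead plus a bullet stating the client-side encryption requirement, keeping the note for the region detail. Two smaller points in the same hunk: heading names are now mixed ("### [Data Factory]", "### [Event Hubs]", "### [HDInsight]" drop the Azure prefix while "Azure Stream Analytics" and "Azure Synapse Analytics" keep it), which works against the alphabetical ordering the reorder appears to aim for; and the HDInsight bullets link to "#storage-encryption-with-key-vault-managed-keys" and "#azure-sql-database", which should be re-verified because section headings are being renamed in this change.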
@@ -265,31 +180,28 @@ Azure Functions supports Impact Level 5 workloads in Azure Government with this
- To accommodate proper network and workload isolation, deploy your Azure functions on App Service plans configured to use the Isolated SKU. For more information, see the [App Service plan documentation](../app-service/overview-hosting-plans.md).
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Functions** | X | X | X | X | X |
+### [Batch](https://azure.microsoft.com/services/batch/)
+
+Azure Batch supports Impact Level 5 workloads in Azure Government with this configuration:
+
+- Enable user subscription mode, which will require a Key Vault instance for proper encryption and key storage. For more information, see the documentation on [batch account configurations](../batch/batch-account-create-portal.md).
-### [Azure Service Fabric](https://azure.microsoft.com/services/service-fabric/)
+### [Cloud Services](https://azure.microsoft.com/services/cloud-services/)
-Azure Service Fabric supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
+Azure Cloud Services supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Service Fabric** | | | | X | X |
+### [Service Fabric](https://azure.microsoft.com/services/service-fabric/)
-### [Azure Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) and [virtual machine scale sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/)
+Azure Service Fabric supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+
+### [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) and [virtual machine scale sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/)
You can use Azure virtual machines with multiple deployment mediums. You can do so for single virtual machines and for virtual machines deployed via the Azure virtual machine scale sets feature. All virtual machines should use Disk Encryption for virtual machines or Disk Encryption for virtual machine scale sets, or place virtual machine disks in a storage account that can hold Impact Level 5 data as described in the [Azure Storage section](#storage-encryption-with-key-vault-managed-keys).
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Virtual Machines** | X<sup>1</sup> | X<sup>1</sup> | X<sup>1</sup> | X | X |
-| **Virtual machine scale sets** | X<sup>1</sup> | X<sup>1</sup> | X<sup>1</sup> | X | X |
- > [!IMPORTANT]
-> <sup>1</sup>When you deploy VMs in these regions, you must use Azure Dedicated Host, as described in the next section.
+> When you deploy VMs in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia, you must use Azure Dedicated Host, as described in the next section.
#### [Azure Dedicated Host](https://azure.microsoft.com/services/virtual-machines/dedicated-host/)
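Review bot: the Service Fabric rewrite drops a region restriction that the removed table carried. The old row "| **Service Fabric** | | | | X | X |" listed only US DoD East and US DoD Central, with US Gov VA, TX and AZ blank, but the replacement "Azure Service Fabric supports Impact Level 5 workloads in Azure Government with no additional configuration required." reads as all regions. The Virtual Machines entry in the same hunk preserved its footnote as an IMPORTANT note ("When you deploy VMs in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia, you must use Azure Dedicated Host, as described in the next section."), so Service Fabric should get an equivalent qualifier or an explicit pointer to the region availability page, unless the availability has actually changed since the table was written, in which case the PR description should say so.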
@@ -322,7 +234,7 @@ You can encrypt the storage that supports these virtual machines in one of two w
- Use Azure Disk Encryption to encrypt the drives by using dm-crypt (Linux) or BitLocker (Windows): - [Enable Azure Disk Encryption for Linux](../virtual-machines/linux/disk-encryption-overview.md)
- - [Enable Azure Disk Encryption for Windows](../virtual-machines/linux/disk-encryption-overview.md)
+ - [Enable Azure Disk Encryption for Windows](../virtual-machines/windows/disk-encryption-overview.md)
- Use Azure Storage service encryption for storage accounts with your own key to encrypt the storage account that holds the disks: - [Storage service encryption with customer-managed keys](../storage/common/customer-managed-keys-configure-key-vault.md)
@@ -332,68 +244,54 @@ You can encrypt disks that support virtual machine scale sets by using Azure Dis
- [Encrypt disks in virtual machine scale sets](../virtual-machine-scale-sets/disk-encryption-powershell.md)
-### [Web Apps feature of Azure App Service](https://azure.microsoft.com/services/app-service/web/)
+## Containers
-Web Apps supports Impact Level 5 workloads in Azure Government with this configuration:
+For Containers services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=openshift,app-service-linux,container-registry,service-fabric,container-instances,kubernetes-service&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-- To accommodate proper network and workload isolation, deploy your web apps on the Isolated SKU. For more information, see the [App Service plan documentation](../app-service/overview-hosting-plans.md).
+### [Azure Kubernetes Service](https://azure.microsoft.com/services/kubernetes-service/)
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Web Apps** | X | X | X | X | X |
+Azure Kubernetes Service (AKS) supports Impact Level 5 workloads in Azure Government with these configurations:
-## Containers
+- Configure encryption at rest of content in AKS by [using customer-managed keys in Azure Key Vault](../aks/azure-disk-customer-managed-keys.md).
+- For workloads that require isolation from other customer workloads, you can use [isolated virtual machines](../aks/concepts-security.md#compute-isolation) as the agent nodes in an AKS cluster.
-### [Azure Container Instances](https://azure.microsoft.com/services/container-instances/)
+### [Container Instances](https://azure.microsoft.com/services/container-instances/)
Azure Container Instances supports Impact Level 5 workloads in Azure Government with this configuration: -- Azure Container Instances automatically encrypts data related to your containers when it's persisted in the cloud. Data in Container Instances is encrypted and decrypted with 256-bit AES encryption and enabled for all Container Instances deployments. You can rely on Microsoft-managed keys for the encryption of your container data, or you can manage the encryption by using your own keys. For more information, see [Encrypt deployment data](https://docs.microsoft.com/azure/container-instances/container-instances-encrypt-data).
+- Azure Container Instances automatically encrypts data related to your containers when it's persisted in the cloud. Data in Container Instances is encrypted and decrypted with 256-bit AES encryption and enabled for all Container Instances deployments. You can rely on Microsoft-managed keys for the encryption of your container data, or you can manage the encryption by using your own keys. For more information, see [Encrypt deployment data](../container-instances/container-instances-encrypt-data.md).
The Container Instances Dedicated SKU provides an [isolated and dedicated compute environment](../container-instances/container-instances-dedicated-hosts.md) for running containers with increased security. When you use the Dedicated SKU, each container group has a dedicated physical server in an Azure datacenter.
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Container Instances** | X | X | X | | |
-
-### [Azure Kubernetes Service](https://azure.microsoft.com/services/kubernetes-service/)
+### [Container Registry](https://azure.microsoft.com/services/container-registry/)
-Azure Kubernetes Service (AKS) supports Impact Level 5 workloads in Azure Government with these configurations:
+Azure Container Registry supports Impact Level 5 workloads in Azure Government with this configuration:
-- Configure encryption at rest of content in AKS by [using customer-managed keys in Azure Key Vault](/azure/aks/azure-disk-customer-managed-keys).-- For workloads that require isolation from other customer workloads, you can use [isolated virtual machines](../aks/concepts-security.md#compute-isolation) as the agent nodes in an AKS cluster.
+- When you store images and other artifacts in a Container Registry, Azure automatically encrypts the registry content at rest by using service-managed keys. You can supplement the default encryption with an additional encryption layer by [using a key that you create and manage in Azure Key Vault](../container-registry/container-registry-customer-managed-keys.md).
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **AKS** | X | X | X | | |
+## Databases
-### [Container Registry](https://azure.microsoft.com/services/container-registry/)
+For Databases services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-sql,sql-server-stretch-database,redis-cache,database-migration,postgresql,mariadb,mysql,sql-database,cosmos-db&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-Azure Container Registry supports Impact Level 5 workloads in Azure Government with this configuration:
+### [Azure Cache for Redis](https://azure.microsoft.com/services/cache/)
-- When you store images and other artifacts in a Container Registry, Azure automatically encrypts the registry content at rest by using service-managed keys. You can supplement the default encryption with an additional encryption layer by [using a key that you create and manage in Azure Key Vault](https://docs.microsoft.com/azure/container-registry/container-registry-customer-managed-keys).
+Azure Cache for Redis supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Container Registry** | X | X | X | | |
+### [Azure Cosmos DB](https://azure.microsoft.com/services/cosmos-db/)
-## Databases
+Azure Cosmos DB supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-### [Azure Cache for Redis](https://azure.microsoft.com/services/cache/)
+### [Azure Database for MySQL](https://azure.microsoft.com/services/mysql/)
-Azure Cache for Redis supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
+Azure Database for MySQL supports Impact Level 5 workloads in Azure Government with this configuration:
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Cache for Redis** | X | X | X | X | X |
+- Data encryption with customer-managed keys for Azure Database for MySQL enables you to bring your own key (BYOK) for data protection at rest. This encryption is set at the server level. For a given server, a customer-managed key, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. For more information, see [Azure Database for MySQL data encryption with a customer-managed key](../mysql/concepts-data-encryption-mysql.md).
-### [Azure Cosmos DB](https://azure.microsoft.com/services/cosmos-db/)
+### [Azure Database for PostgreSQL](https://azure.microsoft.com/services/postgresql/)
-Azure Cosmos DB supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
+Azure Database for PostgreSQL supports Impact Level 5 workloads in Azure Government with this configuration:
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Cosmos DB** | X | X | X | X | X |
+- Data encryption with customer-managed keys for Azure Database for PostgreSQL Single Server is set at the server level. For a given server, a customer-managed key, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. For more information, see [Azure Database for PostgreSQL Single Server data encryption with a customer-managed key](../postgresql/concepts-data-encryption-postgresql.md).
### [Azure SQL Database](https://azure.microsoft.com/services/sql-database/)
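Review bot: the "Web Apps feature of Azure App Service" section is removed in this hunk together with its isolation guidance ("To accommodate proper network and workload isolation, deploy your web apps on the Isolated SKU.") and nothing in the visible hunks re-adds it, even though the Compute product list added earlier in this change includes app-service and the Containers list added here includes app-service-linux. If the section moved elsewhere, fine; if it was dropped on purpose, the PR description should say why, because the Azure Functions entry that stays still relies on the same Isolated SKU guidance and readers of the Web Apps entry had the same requirement.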
@@ -401,512 +299,303 @@ Azure SQL Database supports Impact Level 5 workloads in Azure Government with th
- Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see the [Azure SQL documentation](../azure-sql/database/transparent-data-encryption-byok-overview.md).
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure SQL Database** | X | X | X | X | X |
- ### [SQL Server Stretch Database](https://azure.microsoft.com/services/sql-server-stretch-database/) SQL Server Stretch Database supports Impact Level 5 workloads in Azure Government with this configuration: - Add transparent data encryption with customer-managed keys via Azure Key Vault. For more information, see [Azure SQL transparent data encryption](../azure-sql/database/transparent-data-encryption-byok-overview.md).
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **SQL Server Stretch Database** | X | X | X | X | X |
-
-### [Azure Database for MySQL](https://azure.microsoft.com/services/mysql/)
+## Developer tools
-Azure Database for MySQL supports Impact Level 5 workloads in Azure Government with this configuration:
+For Developer tools availability in Azure Government, see [Products available by region](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=app-configuration,devtest-lab,lab-services,azure-devops&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-- Data encryption with customer-managed keys for Azure Database for MySQL enables you to bring your own key (BYOK) for data protection at rest. This encryption is set at the server level. For a given server, a customer-managed key, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. For more information, see [Azure Database for MySQL data encryption with a customer-managed key](https://docs.microsoft.com/azure/mysql/concepts-data-encryption-mysql).
+### [Azure DevTest Labs](https://azure.microsoft.com/services/devtest-lab/)
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Database for MySQL** | X | X | X | X | X |
+Azure DevTest Labs supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-### [Azure Database for PostgreSQL](https://azure.microsoft.com/services/postgresql/)
+## Hybrid
-Azure Database for PostgreSQL supports Impact Level 5 workloads in Azure Government with this configuration:
+### [Azure Stack Edge](https://azure.microsoft.com/products/azure-stack/edge/)
-- Data encryption with customer-managed keys for Azure Database for PostgreSQL Single Server is set at the server level. For a given server, a customer-managed key, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. For more information, see [Azure Database for PostgreSQL Single Server data encryption with a customer-managed key](https://docs.microsoft.com/azure/postgresql/concepts-data-encryption-postgresql).
+You can protect data via storage accounts because your device is associated with a storage account that's used as a destination for your data in Azure. Access to the storage account is controlled by the subscription and FIPS-compliant storage access keys associated with the storage account. For more information, see [Protect your data](../databox-online/azure-stack-edge-security.md#protect-your-data).
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Database for PostgreSQL** | X | X | X | X | X |
+Azure Stack Edge supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-## Developer tools
+## Identity
-### [Azure DevTest Labs](https://azure.microsoft.com/services/devtest-lab/)
+For Identity services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=information-protection,active-directory-ds,active-directory&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-Azure DevTest Labs supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
+### [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure DevTest Labs** | X | X | X | | |
+Azure Active Directory supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-## Hybrid
+### [Multifactor authentication](../active-directory/authentication/concept-mfa-howitworks.md)
-### [Azure Stack Edge](https://azure.microsoft.com/products/azure-stack/edge/)
+Multifactor authentication supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-You can protect data via storage accounts because your device is associated with a storage account that's used as a destination for your data in Azure. Access to the storage account is controlled by the subscription and FIPS-compliant storage access keys associated with the storage account. For more information, see [Protect your data](https://docs.microsoft.com/azure/databox-online/data-box-edge-security#protect-your-data).
+## Integration
-Azure Stack Edge supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
+For Integration services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=event-grid,api-management,service-bus,logic-apps&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Stack Edge** | X | X | X | X | X |
+### [API Management](https://azure.microsoft.com/services/api-management/)
-## Integration services
+Azure API Management supports Impact Level 5 workloads in Azure Government with no additional configuration required.
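Review bot: The Azure Database for MySQL and Azure Database for PostgreSQL sections (the removed lines from "Azure Database for MySQL supports Impact Level 5 workloads" through the PostgreSQL region table) disappear in this region with no `+` counterpart, and their customer-managed key bullets were the only configuration that qualified those services for IL5 (the KEK/DEK wrapping described in "a customer-managed key, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK)"). Confirm they were relocated into a Databases section earlier in the file rather than dropped; if they were dropped, the page no longer tells readers that BYOK is required for those two services.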
<a name="logic-apps"></a> ### [Azure Logic Apps](https://azure.microsoft.com/services/logic-apps/)
-Azure Logic Apps supports all impact levels in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Logic Apps** | X | X | X | | X |
+Azure Logic Apps supports Impact Level 5 workloads in Azure Government. To meet these requirements, Logic Apps supports the capability for you to create and run workflows in an environment with dedicated resources so that you can avoid sharing computing resources with other tenants. For more information, see [Secure access and data in Azure Logic Apps: Isolation guidance](../logic-apps/logic-apps-securing-a-logic-app.md#isolation-logic-apps).
-For more information, see [Secure access and data in Azure Logic Apps: Isolation guidance](../logic-apps/logic-apps-securing-a-logic-app.md#isolation-logic-apps).
-
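Review bot: The new Logic Apps line states IL5 support and then describes the dedicated-resource environment as a capability ("Logic Apps supports the capability for you to create and run workflows in an environment with dedicated resources") without saying whether that environment is required for IL5. Every other service that needs a setting uses "supports Impact Level 5 workloads in Azure Government with this configuration:" followed by a bullet; suggest the same pattern here, with the isolation guidance link in the bullet, so the reader knows multi-tenant compute is not sufficient.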
-### [Azure Event Grid](https://azure.microsoft.com/services/event-grid/)
+### [Event Grid](https://azure.microsoft.com/services/event-grid/)
Azure Event Grid can persist customer content for no more than 24 hours. For more information, see [Authenticate event delivery to event handlers](https://docs.microsoft.com/azure/event-grid/security-authentication#encryption-at-rest). All data written to disk is encrypted with Microsoft-managed keys.
-Azure Event Grid supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Event Grid** | X | X | X | X | X |
+Azure Event Grid supports Impact Level 5 workloads in Azure Government with no additional configuration required.
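Review bot: The unchanged Event Grid context line still links to the absolute `https://docs.microsoft.com/azure/event-grid/security-authentication#encryption-at-rest` URL with the link text "Authenticate event delivery to event handlers", which does not describe the `#encryption-at-rest` anchor it targets, while the rest of this change converts such links to relative `.md` paths. Suggest `[Encryption at rest](../event-grid/security-authentication.md#encryption-at-rest)` for consistency, and moving "All data written to disk is encrypted with Microsoft-managed keys" ahead of the link so the sentence the link supports comes first.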
-### [Azure Service Bus](https://azure.microsoft.com/services/service-bus/)
+### [Service Bus](https://azure.microsoft.com/services/service-bus/)
-Azure Service Bus supports Impact Level 5 workloads in Azure Government in these regions:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Service Bus** | X<sup>1</sup> | X<sup>1</sup> | X<sup>1</sup> | X | X |
+Azure Service Bus supports Impact Level 5 workloads in Azure Government.
> [!IMPORTANT]
-> <sup>1</sup>Use client-side encryption to encrypt data before using Azure Service Bus in the noted regions.
-
-### [Azure API Management](https://azure.microsoft.com/services/api-management/)
-
-Azure API Management supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **API Management** | X | X | X | X | X |
+> Use client-side encryption to encrypt data before using Azure Service Bus in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia.
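Review bot: The new Service Bus sentence "Azure Service Bus supports Impact Level 5 workloads in Azure Government." drops the "with this configuration:" lead-in, so the IMPORTANT callout that follows reads as detached advice rather than as the prerequisite it replaces (the old table's footnote 1). Suggest "supports Impact Level 5 workloads in Azure Government with this configuration:" followed by a bullet carrying the client-side encryption requirement for US Gov Arizona, US Gov Texas, and US Gov Virginia, matching the IoT Hub and Automation sections. The callout does preserve the old footnote's distinction that the US DoD regions carry no such requirement, which is correct.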
## Internet of Things
-### [IoT Hub](https://azure.microsoft.com/services/iot-hub/)
+For Internet of Things services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=notification-hubs,azure-rtos,azure-maps,iot-central,iot-hub&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-Azure IoT Hub supports Impact Level 5 workloads in Azure Government with this configuration:
+### [Azure IoT Hub](https://azure.microsoft.com/services/iot-hub/)
-- IoT Hub supports encryption of data at rest with customer-managed keys, also known as "bring your own key (BYOK)." Azure IoT Hub provides encryption of data at rest and in transit. By default, IoT Hub uses Microsoft-managed keys to encrypt the data. Customer-managed key support enables customers to encrypt data at rest by using an [encryption key that they manage via Azure Key Vault](https://docs.microsoft.com/azure/iot-hub/iot-hub-customer-managed-keys).
+Azure IoT Hub supports Impact Level 5 workloads in Azure Government with this configuration:
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **IoT Hub** | X | X | X | | |
+- IoT Hub supports encryption of data at rest with customer-managed keys, also known as "bring your own key" (BYOK). Azure IoT Hub provides encryption of data at rest and in transit. By default, Azure IoT Hub uses Microsoft-managed keys to encrypt the data. Customer-managed key support enables customers to encrypt data at rest by using an [encryption key that they manage via Azure Key Vault](../iot-hub/iot-hub-customer-managed-keys.md).
### [Notification Hubs](https://azure.microsoft.com/services/notification-hubs/)
-Azure Notification Hubs supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Notification Hubs** | X | X | X | | |
+Azure Notification Hubs supports Impact Level 5 workloads in Azure Government with no additional configuration required.
## Management and governance
-### [Automation](https://azure.microsoft.com/services/automation/)
+For Management and governance services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=azure-automanage,resource-mover,azure-portal,azure-lighthouse,cloud-shell,managed-applications,azure-policy,monitor,automation,scheduler,site-recovery,cost-management,backup,blueprints,advisor&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-Azure Automation supports Impact level 5 workloads in Azure Government to provide compute-level isolation.
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Automation** | X | X | X | | |
+### [Automation](https://azure.microsoft.com/services/automation/)
-Automation supports Impact Level 5 workloads in Azure Government in these configurations:
+Automation supports Impact Level 5 workloads in Azure Government with these configurations:
- Use the [Hybrid Runbook Worker](../automation/automation-hybrid-runbook-worker.md) feature of Azure Automation to run runbooks directly on the VM that's hosting the role and against resources in your environment. Runbooks are stored and managed in Azure Automation. They are then delivered to one or more assigned computers known as "Hybrid Runbook Workers." Use Azure Dedicated Host or isolated virtual machine types for the Hybrid Worker role. When deployed, [isolated VM types](#isolated-virtual-machines) consume the entire physical host for the VM, providing the level of isolation required to support IL5 workloads. [Azure Dedicated Host](#azure-dedicated-host) provides physical servers that can host one or more virtual machines and that are dedicated to one Azure subscription.-- By default, your Azure Automation account uses Microsoft-managed keys. You can manage the encryption of secure assets for your Automation account by using your own keys. When you specify a customer-managed key at the level of the Automation account, that key is used to protect and control access to the account encryption key for the Automation account. For more information, see [Encryption of secure assets in Azure Automation](https://docs.microsoft.com/azure/automation/automation-secure-asset-encryption).
+- By default, your Azure Automation account uses Microsoft-managed keys. You can manage the encryption of secure assets for your Automation account by using your own keys. When you specify a customer-managed key at the level of the Automation account, that key is used to protect and control access to the account encryption key for the Automation account. For more information, see [Encryption of secure assets in Azure Automation](../automation/automation-secure-asset-encryption.md).
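Review bot: "Automation supports Impact Level 5 workloads in Azure Government with these configurations:" leaves it unclear whether both bullets (Hybrid Runbook Worker on isolated VM types or Azure Dedicated Host, and customer-managed keys for secure assets) are required together or are alternatives. The removed sentence "Azure Automation supports Impact level 5 workloads in Azure Government to provide compute-level isolation" was the only text explaining why the first bullet exists; suggest keeping that rationale and stating explicitly that compute isolation covers the runbook execution and CMK covers the secure assets, so both apply.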
### [Azure Advisor](https://azure.microsoft.com/services/advisor/)
-Azure Advisor supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Advisor** | X | X | X | | |
+Azure Advisor supports Impact Level 5 workloads in Azure Government with no additional configuration required.
### [Azure Backup](https://azure.microsoft.com/services/backup/)
-Azure Backup supports all impact levels in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Backup** | X | X | X | X | X |
+Azure Backup supports all impact levels in Azure Government with no additional configuration required.
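Review bot: The Azure Backup line keeps "supports all impact levels in Azure Government" while this change normalizes every other service, including ones that previously said "all impact levels" such as Azure Monitor, DNS and ExpressRoute, to "supports Impact Level 5 workloads in Azure Government". Suggest the same wording here unless the broader claim is intentional, in which case it should say so.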
### [Azure Blueprints](https://azure.microsoft.com/services/blueprints/)
-Azure Blueprints supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Blueprints** | X | X | X | | |
-
-### [Azure Cloud Shell](https://azure.microsoft.com/features/cloud-shell/)
-
-Azure Cloud Shell supports all impact levels in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Cloud Shell** | X | X | X | | |
+Azure Blueprints supports Impact Level 5 workloads in Azure Government with no additional configuration required.
### [Azure Cost Management and Billing](https://azure.microsoft.com/services/cost-management/)
-Azure Cost Management and Billing supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Cost Management and Billing** | X | X | X | | |
+Azure Cost Management and Billing supports Impact Level 5 workloads in Azure Government with no additional configuration required.
### [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)
-Azure Lighthouse supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Lighthouse** | X | X | X | | |
+Azure Lighthouse supports Impact Level 5 workloads in Azure Government with no additional configuration required.
### [Azure Managed Applications](https://azure.microsoft.com/services/managed-applications/) Azure Managed Applications supports Impact Level 5 workloads in Azure Government with this configuration: -- You can store your managed application definition in a storage account that you provide when you create the application. Doing so allows you to manage its location and access for your regulatory needs. For more information, see [Bring your own storage](https://docs.microsoft.com/azure/azure-resource-manager/managed-applications/publish-service-catalog-app#bring-your-own-storage-for-the-managed-application-definition).-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Managed Applications** | X | X | X | X | X |
+- You can store your managed application definition in a storage account that you provide when you create the application. Doing so allows you to manage its location and access for your regulatory needs. For more information, see [Bring your own storage](../azure-resource-manager/managed-applications/publish-service-catalog-app.md#bring-your-own-storage-for-the-managed-application-definition).
### [Azure Monitor](https://azure.microsoft.com/services/monitor/)
-Azure Monitor supports all impact levels in Azure Government in these regions, with no additional configuration required:
+Azure Monitor supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Monitor** | X | X | X | X | X |
+> [!IMPORTANT]
+> See additional guidance for **[Log Analytics](#log-analytics)**, which is a feature of Azure Monitor.
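Review bot: The IMPORTANT callout under Azure Monitor points only to Log Analytics, but the customer-managed key guidance it refers to also covers Application Insights components ("configure customer-managed keys (CMK) for your Log Analytics workspaces and Application Insights components"). A reader provisioning Application Insights under Azure Monitor will not look under the Log Analytics heading; suggest naming Application Insights in the callout as well.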
### [Azure Policy](https://azure.microsoft.com/services/azure-policy/)
-Azure Policy supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Policy** | X | X | X | | |
+Azure Policy supports Impact Level 5 workloads in Azure Government with no additional configuration required.
### [Azure Policy Guest Configuration](../governance/policy/concepts/guest-configuration.md)
-Azure Policy Guest Configuration supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Policy Guest Configuration** | X | X | X | | |
+Azure Policy Guest Configuration supports Impact Level 5 workloads in Azure Government with no additional configuration required.
### [Azure portal](https://azure.microsoft.com/features/azure-portal/)
-You can add a markdown tile to your Azure dashboards to display custom static content. For example, you can show basic instructions, an image, or a set of hyperlinks on a [markdown tile](https://docs.microsoft.com/azure/azure-portal/azure-portal-markdown-tile).
-
-The Azure portal supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
+The Azure portal supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure portal** | X | X | X | X | X |
+You can add a markdown tile to your Azure dashboards to display custom static content. For example, you can show basic instructions, an image, or a set of hyperlinks on a [markdown tile](../azure-portal/azure-portal-markdown-tile.md).
-### [Azure Resource Manager](https://azure.microsoft.com/features/resource-manager/)
+### [Azure Resource Graph](../governance/resource-graph/overview.md)
-Azure Resource Manager supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
+Azure Resource Graph supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Resource Manager** | X | X | X | X | X |
+### [Azure Resource Manager](https://azure.microsoft.com/features/resource-manager/)
-### [Azure Resource Graph](../governance/resource-graph/overview.md)
+Azure Resource Manager supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-Azure Resource Graph supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
+### Azure Scheduler
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Resource Graph** | X | X | X | | |
+Azure Scheduler is being retired and replaced by [Azure Logic Apps](#logic-apps). To continue working with the jobs that you set up in Scheduler, please [migrate to Azure Logic Apps](../scheduler/migrate-from-scheduler-to-logic-apps.md) as soon as you can.
### [Azure Site Recovery](https://azure.microsoft.com/services/site-recovery/) Azure Site Recovery supports Impact Level 5 workloads in Azure Government with this configuration: -- You can replicate Azure VMs with managed disks enabled for customer-managed keys from one Azure region to another. For more information, see [Replicate machines with customer-managed key disks](https://docs.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-replication-cmk-disks).
+- You can replicate Azure VMs with managed disks enabled for customer-managed keys from one Azure region to another. For more information, see [Replicate machines with customer-managed key disks](../site-recovery/azure-to-azure-how-to-enable-replication-cmk-disks.md).
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Site Recovery** | X | X | X | X | X |
+### [Cloud Shell](https://azure.microsoft.com/features/cloud-shell/)
-### [Log Analytics](../azure-monitor/platform/data-platform-logs.md)
+Azure Cloud Shell supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-Log Analytics supports Impact Level 5 workloads in Azure Government with this configuration:
+<a name="log-analytics"></a>
-- Configure customer-managed keys for your Log Analytics workspaces and Application Insights components. With this configuration, any data sent to your workspaces or components is encrypted with your Azure Key Vault key. For more information, see [Azure Monitor customer-managed keys](https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys).
+### [Log Analytics](../azure-monitor/platform/data-platform-logs.md)
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Log Analytics** | X | X | X | | |
+Log Analytics is intended to be used for monitoring the health and status of services and infrastructure. The monitoring data and logs primarily store [logs and metrics](../azure-monitor/platform/data-security.md#data-retention) that are service generated. When used in this primary capacity, Log Analytics supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-### Azure Scheduler
+Log Analytics may also be used to ingest additional customer-provided logs. These logs may include data ingested as part of operating Azure Security Center or Azure Sentinel. If the ingested logs or the queries written against these logs are categorized as IL5 data, then you should configure customer-managed keys (CMK) for your Log Analytics workspaces and Application Insights components. Once configured, any data sent to your workspaces or components is encrypted with your Azure Key Vault key. For more information, see [Azure Monitor customer-managed keys](../azure-monitor/platform/customer-managed-keys.md).
-Azure Scheduler is being retired and replaced by [Azure Logic Apps](#logic-apps). To continue working with the jobs that you set up in Scheduler, please [migrate to Azure Logic Apps](../scheduler/migrate-from-scheduler-to-logic-apps.md) as soon as you can.
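Review bot: The new Log Analytics text makes the CMK requirement conditional on the customer categorizing "the ingested logs or the queries written against these logs" as IL5 data, but "queries" as data is unclear (presumably saved queries that embed IL5 values), and "Once configured, any data sent to your workspaces or components is encrypted with your Azure Key Vault key" implies data ingested before CMK is enabled is not covered. Suggest saying "saved queries" and stating plainly whether CMK must be configured before IL5 ingestion begins, since the previous wording ("Configure customer-managed keys for your Log Analytics workspaces and Application Insights components") made the setting unconditional.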
+## Media
-## Media services
+For Media services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=media-services&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
### [Azure Media Services](https://azure.microsoft.com/services/media-services/)
-Azure Media Services supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
+Azure Media Services supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Media Services** | | | | X | X |
+## Migration
-## Migration services
+For Migration services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=database-migration,azure-migrate&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
### [Azure Migrate](https://azure.microsoft.com/services/azure-migrate/) Azure Migrate supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in Azure Migrate by [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/migrate/how-to-migrate-vmware-vms-with-cmk-disks).-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Migrate** | X | X | X | | |
+- Configure encryption at rest of content in Azure Migrate by [using customer-managed keys in Azure Key Vault](../migrate/how-to-migrate-vmware-vms-with-cmk-disks.md).
### [Azure Database Migration Service](https://azure.microsoft.com/services/database-migration/)
-Azure Database Migration Service supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
+Azure Database Migration Service supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Database Migration Service** | X | X | X | | |
+## Networking
-## Networking services
+For Networking services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=internet-analyzer,private-link,azure-bastion,frontdoor,virtual-wan,dns,ddos-protection,cdn,azure-firewall,network-watcher,load-balancer,vpn-gateway,expressroute,application-gateway,virtual-network&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
-### [Azure Application Gateway](https://azure.microsoft.com/services/application-gateway/)
+### [Application Gateway](https://azure.microsoft.com/services/application-gateway/)
-Azure Application Gateway supports all impact levels in Azure Government with no additional configuration required between regions.
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Application Gateway** | X | X | X | X | X |
+Azure Application Gateway supports Impact Level 5 workloads in Azure Government with no additional configuration required.
### [Azure DNS](https://azure.microsoft.com/services/dns/)
-Azure DNS supports all impact levels in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure DNS** | X | X | X | X | X |
+Azure DNS supports Impact Level 5 workloads in Azure Government with no additional configuration required.
### [Azure ExpressRoute](https://azure.microsoft.com/services/expressroute/)
-ExpressRoute supports all impact levels in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **ExpressRoute** | X | X | X | X | X |
-
-### [Azure Front Door](https://azure.microsoft.com/services/frontdoor/)
-
-Azure Front Door supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Front Door** | X | X | X | | |
+ExpressRoute supports Impact Level 5 workloads in Azure Government with no additional configuration required.
### [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/)
-Azure Firewall supports all impact levels in Azure Government with no additional configuration required between regions.
+Azure Firewall supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Firewall** | X | X | X | X | X |
+### [Azure Front Door](https://azure.microsoft.com/services/frontdoor/)
-### [Azure Load Balancer](https://azure.microsoft.com/services/load-balancer/)
+Azure Front Door supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-Azure Load Balancer supports all impact levels in Azure Government in these regions, with no additional configuration required:
+### [Load Balancer](https://azure.microsoft.com/services/load-balancer/)
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Load Balancer** | X | X | X | X | X |
+Azure Load Balancer supports Impact Level 5 workloads in Azure Government with no additional configuration required.
### [Network Watcher](https://azure.microsoft.com/services/network-watcher/)
-Azure Network Watcher and Network Watcher traffic analytics support all impact levels in Azure Government, with no additional configuration required between regions.
+Azure Network Watcher and Network Watcher traffic analytics support Impact Level 5 workloads in Azure Government with no additional configuration required.
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Network Watcher** | X | X | X | X | X |
+### [Traffic Manager](https://azure.microsoft.com/services/traffic-manager/)
-### [Azure Traffic Manager](https://azure.microsoft.com/services/traffic-manager/)
+Azure Traffic Manager supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-Azure Traffic Manager supports all impact levels in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Traffic Manager** | X | X | X | X | X |
-
-### [Azure Virtual Network](https://azure.microsoft.com/services/virtual-network/)
-
-Azure Virtual Network supports all impact levels in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Virtual Network** | X | X | X | X | X |
-
-### [Azure VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/)
-
-Azure VPN Gateway supports all impact levels in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **VPN Gateway** | X | X | X | X | X |
-
-## Security and identity services
-
-### [Azure Active Directory](https://azure.microsoft.com/services/active-directory/)
+### [Virtual Network](https://azure.microsoft.com/services/virtual-network/)
-Azure Active Directory can be used in all Azure Government regions. It supports all impact levels in the following regions, with no additional configuration required:
+Azure Virtual Network supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Active Directory** | X | X | X | X | X |
+### [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/)
-### [Defender for Identity](https://azure.microsoft.com/features/azure-advanced-threat-protection/)
+Azure VPN Gateway supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-Defender for Identity can be used in all Azure Government regions. It supports all impact levels in the following regions, with no additional configuration required:
+## Security
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Defender for Identity** | X | X | X | | |
+For Security services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-sentinel,azure-dedicated-hsm,security-center,key-vault&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
### [Azure Dedicated HSM](https://azure.microsoft.com/services/azure-dedicated-hsm/)
-Azure Dedicated HSM can be used in all Azure Government regions. It supports all impact levels in the following regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Dedicated HSM** | X | X | X | | |
-
-### [Azure Security Center](https://azure.microsoft.com/services/security-center/)
-
-Azure Security Center can be used in all Azure Government regions. It supports all impact levels in the following regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Security Center** | X | X | X | | |
+Azure Dedicated HSM supports Impact Level 5 workloads in Azure Government with no additional configuration required.
### [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/) Azure Sentinel supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in Azure Sentinel by [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/sentinel/customer-managed-keys).
+- Configure encryption at rest of content in Azure Sentinel by [using customer-managed keys in Azure Key Vault](../sentinel/customer-managed-keys.md).
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Sentinel** | X | X | X | | |
+### [Key Vault](https://azure.microsoft.com/services/key-vault/)
-### [Customer Lockbox](../security/fundamentals/customer-lockbox-overview.md)
+Azure Key Vault supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-Customer Lockbox supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
+### [Security Center](https://azure.microsoft.com/services/security-center/)
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Customer Lockbox** | X | X | X | | |
+Azure Security Center supports Impact Level 5 workloads in Azure Government with no additional configuration required.
-### [Multifactor authentication](../active-directory/authentication/concept-mfa-howitworks.md)
+### [Customer Lockbox](../security/fundamentals/customer-lockbox-overview.md)
-Multifactor authentication supports Impact Level 5 workloads in Azure Government in these regions, with no additional configuration required:
+Customer Lockbox for Microsoft Azure supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and authorized at IL5 in Azure Government US Gov Arizona, US Gov Texas, and US Gov Virginia regions.
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Multifactor authentication** | X | X | X | X | X |
+### [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
-### [Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
+Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection, also known as Microsoft Defender ATP) supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and [authorized at IL5](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope) in Azure Government and Azure Government for DoD regions.
-Defender for Endpoint supports all impact levels in Azure Government in these regions, with no additional configuration required:
+### [Microsoft Defender for Identity](/defender-for-identity/what-is)
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Defender for Endpoint** | X | X | X | | |
+Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and [authorized at IL5](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope) in Azure Government regions.
### [Microsoft Graph](/graph/overview)
-Microsoft Graph supports all impact levels in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Microsoft Graph** | X | X | X | X | X |
-
-### [Azure Key Vault](https://azure.microsoft.com/services/key-vault/)
-
-Azure Key Vault supports all impact levels in Azure Government in these regions, with no additional configuration required:
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Key Vault** | X | X | X | X | X |
+Microsoft Graph supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and [authorized at IL5](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope) in Azure Government and Azure Government for DoD regions.
-## Storage and database services
+## Storage
+For Storage services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=hpc-cache,managed-disks,storsimple,storage&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
### [Azure Import/Export service](../storage/common/storage-import-export-service.md) Azure Import/Export service can be used in Azure Government to import and export Impact Level 5 data. By default, the Import/Export service will encrypt data that's written to the hard drive for transport. When you create a target storage account for import and export of Impact Level 5 data, add storage encryption via customer-managed keys. For more information, see the [storage services section](#storage-encryption-with-key-vault-managed-keys) of this document.
-The target storage account for import and source storage account for export can be located in any of these regions:
+The target storage account for import and source storage account for export can be located in any Azure Government or Azure Government for DoD regions.
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Import/Export service** | X | X | X | X | X |
+### [Archive Storage](https://azure.microsoft.com/services/storage/archive/)
-### [Azure Archive Storage](https://azure.microsoft.com/services/storage/archive/)
+Azure Archive Storage can be used in Azure Government to support Impact Level 5 data. Azure Archive Storage is a tier of Azure Storage. It automatically helps secure data at rest by using 256-bit AES encryption. Just like hot and cool tiers, Archive Storage can be set at the blob level. To enable access to the content, you need to rehydrate the archived blob or copy it to an online tier, at which point customers can enforce customer-managed keys that are in place for their online storage tiers. When you create a target storage account for Impact Level 5 data in Archive Storage, add storage encryption via customer-managed keys. For more information, see the [storage services section](#storage-encryption-with-key-vault-managed-keys).
-Azure Archive Storage can be used in Azure Government to support Impact Level 5 data. Azure Archive Storage is a tier of Azure Storage. It automatically helps secure that data at rest by using 256-bit AES keys. Just like hot and cool tiers, Azure Archive Storage can be set at the blob level. To enable access to the content, you need to rehydrate the archived blob or copy it to an online tier, at which point customers can enforce customer-managed keys that are in place for their online storage tiers. When you create a target storage account for Impact Level 5 data in Archive Storage, add storage encryption via customer-managed keys. For more information, see the [storage services section](#storage-encryption-with-key-vault-managed-keys).
+The target storage account for Archive Storage can be located in any Azure Government or Azure Government for DoD region.
-The target storage account for Archive Storage can be located in any of these regions:
+### [Storage](https://azure.microsoft.com/services/storage/)
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure Archive Storage** | X | X | X | X | X |
+Azure Storage consists of multiple data features: Blob Storage, File Storage, Table Storage, and Queue Storage. Blob Storage supports both standard and premium storage. Premium storage uses only SSDs, to provide the fastest performance possible. Storage also includes configurations that modify these storage types, like hot and cool to provide appropriate speed-of-availability for data scenarios.
-### [Azure Storage](https://azure.microsoft.com/services/storage/)
-
-Azure Storage consists of multiple data features: Blob Storage, File Storage, Table Storage, and Queue Storage. Blob Storage supports both standard and premium storage. Premium storage uses only SSDs, to provide the fastest performance possible. Storage also includes configurations that modify these storage types, like hot and cool to provide appropriate speed-of-availability for data scenarios. The following table outlines which features of Storage currently support IL5 workloads.
-
-When you use an Azure Storage account, you must follow the steps for using [storage encryption with Key Vault managed keys](#storage-encryption-with-key-vault-managed-keys) to ensure the data is protected with customer-managed keys.
-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Blobs** | X | X | X | X | X |
-| **Files** | X | X | X | X | X |
-| **Tables** | X<sup>1</sup> | X<sup>1</sup> | X<sup>1</sup> | X | X |
-| **Queues** | X<sup>1</sup> | X<sup>1</sup> | X<sup>1</sup> | X | X |
+When you use an Azure Storage account, you must follow the steps for [storage encryption with Key Vault managed keys](#storage-encryption-with-key-vault-managed-keys) to ensure the data is protected with customer-managed keys. Azure Storage supports Impact Level 5 workloads in all Azure Government and Azure Government for DoD regions.
> [!IMPORTANT]
-> <sup>1</sup>When you use tables and queues outside the US DoD regions, you must encrypt the data before you insert it into the table or queue. For more information, see the instructions for using [client-side encryption](../storage/common/storage-client-side-encryption-java.md).
+> When you use Tables and Queues outside the US DoD regions, you must encrypt the data before you insert it into the table or queue. For more information, see the instructions for using [client-side encryption](../storage/common/storage-client-side-encryption-java.md).
#### Storage encryption with Key Vault managed keys
-To implement Impact Level 5 compliant controls on an Azure Storage account that runs in Azure Government outside of the dedicated DoD regions, you must use encryption at rest with the customer-managed key option enabled. (The customer-managed key option is also known as "bring your own key.")
+To implement Impact Level 5 compliant controls on an Azure Storage account that runs in Azure Government outside of the dedicated DoD regions, you must use encryption at rest with the customer-managed key option enabled. The customer-managed key option is also known as "bring your own key."
For more information about how to enable this Azure Storage encryption feature, see the documentation for [Azure Storage](../storage/common/customer-managed-keys-configure-key-vault.md).
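Review bot: the old "Security and identity services" section's Azure Active Directory and Multifactor authentication entries are removed with no replacement under the new "## Security" heading, and the new "Products available by region" link filters only azure-sentinel, azure-dedicated-hsm, security-center and key-vault, so the IL5 guidance for Azure AD and MFA silently disappears; either re-add those two subsections or say where that guidance now lives. The region scoping is also weakened: the removed tables showed Dedicated HSM, Security Center, Azure Sentinel and Defender for Endpoint only in US Gov VA/TX/AZ (no DoD columns), but the replacement sentences just say "in Azure Government", while Customer Lockbox keeps an explicit region list and Defender for Endpoint now claims "Azure Government and Azure Government for DoD regions"; check each against the linked FedRAMP audit-scope page and state regions consistently.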
@@ -917,19 +606,20 @@ For more information about how to enable this Azure Storage encryption feature,
Azure File Sync supports Impact Level 5 workloads in Azure Government with this configuration: -- Configure encryption at rest of content in Azure File Sync by [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/storage/files/storage-sync-files-planning#azure-file-share-encryption-at-rest).-
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **Azure File Sync** | X | X | X | | |
+- Configure encryption at rest of content in Azure File Sync by [using customer-managed keys in Azure Key Vault](../storage/files/storage-sync-files-planning.md#azure-file-share-encryption-at-rest).
### [StorSimple](https://azure.microsoft.com/services/storsimple/)
-Microsoft Azure StorSimple supports Impact Level 5 workloads in Azure Government with this configuration:
+StorSimple supports Impact Level 5 workloads in Azure Government with this configuration:
+
+- To help ensure the security and integrity of data moved to the cloud, StorSimple allows you to [define cloud storage encryption keys](../storsimple/storsimple-8000-security.md#storsimple-data-protection). You specify the cloud storage encryption key when you create a volume container.
-- To help ensure the security and integrity of data moved to the cloud, StorSimple allows you to [define cloud storage encryption keys](https://docs.microsoft.com/azure/storsimple/storsimple-8000-security#storsimple-data-protection). You specify the cloud storage encryption key when you create a volume container.
+## Web
-| **Service** | **US Gov VA** | **US Gov TX** | **US Gov AZ** | **US DoD East** | **US DoD Central** |
-| --- | --- | --- | --- | --- | --- |
-| **StorSimple** | X | X | X | X | X |
+For Web services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud,signalr-service,app-service-linux,app-service&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
+### [Web Apps feature of Azure App Service](https://azure.microsoft.com/services/app-service/web/)
+
+Web Apps supports Impact Level 5 workloads in Azure Government with this configuration:
+
+- To accommodate proper network and workload isolation, deploy your web apps on the Isolated SKU. For more information, see the [App Service plan documentation](../app-service/overview-hosting-plans.md).
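Review bot: the removed Azure File Sync table restricted IL5 support to US Gov VA, TX and AZ (the DoD columns were empty), but the remaining text says only "in Azure Government" with no region qualifier, so a reader may assume DoD regions are covered; add the region restriction in prose if it still applies. The StorSimple and Web Apps (Isolated SKU) entries look fine.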
azure-maps https://docs.microsoft.com/en-us/azure/azure-maps/migrate-from-google-maps-web-services https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/migrate-from-google-maps-web-services.md
@@ -17,6 +17,7 @@ Both Azure and Google Maps provide access to spatial APIs through REST web servi
In this tutorial, you will learn how to:
+> [!div class="checklist"]
> * Forward and reverse geocoding > * Search for points of interest > * Calculate routes and directions
azure-maps https://docs.microsoft.com/en-us/azure/azure-maps/tutorial-create-store-locator https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/tutorial-create-store-locator.md
@@ -931,6 +931,10 @@ In this tutorial, you learned how to create a basic store locator by using Azure
You can [View full source code](https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/AzureMapsCodeSamples/Tutorials/Simple%20Store%20Locator), [View live sample](https://azuremapscodesamples.azurewebsites.net/https://docsupdatetracker.net/index.html?sample=Simple%20Store%20Locator) and learn more about the coverage and capabilities of Azure Maps by using [Zoom levels and tile grid](zoom-levels-and-tile-grid.md). You can also [Use data-driven style expressions](data-driven-style-expressions-web-sdk.md) to apply to your business logic.
+## Clean up resources
+
+There are no resources that require cleanup.
+ ## Next steps To see more code examples and an interactive coding experience:
azure-maps https://docs.microsoft.com/en-us/azure/azure-maps/tutorial-creator-indoor-maps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/tutorial-creator-indoor-maps.md
@@ -17,8 +17,6 @@ manager: philmea
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). -- This tutorial shows you how to create indoor maps. In this tutorial, you'll learn how to use the API to: > [!div class="checklist"]
@@ -408,6 +406,10 @@ The [Feature Get States API](/rest/api/maps/featurestate/getstatespreview) allow
To learn more about the different Azure Maps Creator services (Preview) discussed in this article see, [Creator Indoor Maps](creator-indoor-maps.md).
+## Clean up resources
+
+There are no resources that require cleanup.
+ ## Next steps To learn how to use the indoor maps module, see
azure-maps https://docs.microsoft.com/en-us/azure/azure-maps/tutorial-ev-routing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/tutorial-ev-routing.md
@@ -394,6 +394,10 @@ To explore the Azure Maps APIs that are used in this tutorial, see:
* [Get Route Directions](/rest/api/maps/route/getroutedirections) * [Azure Maps REST APIs](./consumption-model.md)
+## Clean up resources
+
+There are no resources that require cleanup.
+ ## Next steps To learn more about Azure Notebooks, see
azure-maps https://docs.microsoft.com/en-us/azure/azure-maps/tutorial-geofence https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/tutorial-geofence.md
@@ -467,6 +467,10 @@ In the preceding GeoJSON response, the equipment has exited the main site geofen
You can also [Send email notifications using Event Grid and Logic Apps](../event-grid/publish-iot-hub-events-to-logic-apps.md) and check [Supported Events Handlers in Event Grid](../event-grid/event-handlers.md) using Azure Maps.
+## Clean up resources
+
+There are no resources that require cleanup.
+ ## Next steps > [!div class="nextstepaction"]
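Review bot: "There are no resources that require cleanup" is doubtful for this tutorial; the surrounding context mentions Event Grid and Logic Apps notifications and a geofence that equipment exits, which implies an Azure Maps account with uploaded geofence data and event subscriptions were provisioned. If any of those are created in the steps, list them here for deletion instead of the boilerplate sentence.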
azure-maps https://docs.microsoft.com/en-us/azure/azure-maps/tutorial-iot-hub-maps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/tutorial-iot-hub-maps.md
@@ -281,6 +281,10 @@ To get a list of devices that are Azure certified for IoT, visit:
* [Azure certified devices](https://catalog.azureiotsolutions.com/)
+## Clean up resources
+
+There are no resources that require cleanup.
+ ## Next steps To learn more about how to send device-to-cloud telemetry, and the other way around, see:
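Review bot: "There are no resources that require cleanup" conflicts with what this tutorial (tutorial-iot-hub-maps) is about; the context line right after the new section talks about sending device-to-cloud telemetry, which presupposes an IoT hub and related resources. Confirm whether the tutorial provisions an IoT hub, event subscription or function app and, if so, tell the reader to delete them here.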
azure-maps https://docs.microsoft.com/en-us/azure/azure-maps/tutorial-prioritized-routes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/tutorial-prioritized-routes.md
@@ -280,7 +280,9 @@ You can obtain the full source code for the sample [here](https://github.com/Azu
You can also [Use data-driven style expressions](data-driven-style-expressions-web-sdk.md)
+## Clean up resources
+There are no resources that require cleanup.
## Next steps
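Review bot: the new "## Clean up resources" heading and its paragraph are inserted without blank lines between the heading, the sentence and the following "## Next steps" (the hunk adds 2 lines where the sibling tutorials add 4). Add the blank lines so this file matches the other tutorials in this batch and the headings render reliably.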
azure-maps https://docs.microsoft.com/en-us/azure/azure-maps/tutorial-route-location https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/tutorial-route-location.md
@@ -215,6 +215,10 @@ This section shows you how to use the Azure Maps Route Directions API to get rou
You can obtain the full source code for the sample [here](https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/master/AzureMapsCodeSamples/Tutorials/route.html). A live sample can be found [here](https://azuremapscodesamples.azurewebsites.net/?sample=Route%20to%20a%20destination).
+## Clean up resources
+
+There are no resources that require cleanup.
+ ## Next steps The next tutorial shows you how to create a route query with restrictions, like mode of travel or type of cargo. You can then display multiple routes on the same map.
azure-maps https://docs.microsoft.com/en-us/azure/azure-maps/tutorial-search-location https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/tutorial-search-location.md
@@ -242,6 +242,10 @@ The map that we've made so far only looks at the longitude/latitude data for the
To view the full code for this tutorial, click [here](https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/master/AzureMapsCodeSamples/Tutorials/search.html). To view the live sample, click [here](https://azuremapscodesamples.azurewebsites.net/?sample=Search%20for%20points%20of%20interest)
+## Clean up resources
+
+There are no resources that require cleanup.
+ ## Next steps The next tutorial demonstrates how to display a route between two locations.
azure-maps https://docs.microsoft.com/en-us/azure/azure-maps/weather-service-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-maps/weather-service-tutorial.md
@@ -193,6 +193,10 @@ To explore the Azure Maps APIs that are used in this tutorial, see:
For a complete list of Azure Maps REST APIs, see [Azure Maps REST APIs](./consumption-model.md).
+## Clean up resources
+
+There are no resources that require cleanup.
+ ## Next steps To learn more about Azure Notebooks, see
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/app/ip-addresses https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/ip-addresses.md
@@ -23,7 +23,7 @@ You need to open some outgoing ports in your server's firewall to allow the Appl
| Purpose | URL | IP | Ports | | --- | --- | --- | --- |
-| Telemetry |dc.applicationinsights.azure.com<br/>dc.applicationinsights.microsoft.com<br/>dc.services.visualstudio.com |40.114.241.141<br/>104.45.136.42<br/>40.84.189.107<br/>168.63.242.221<br/>52.167.221.184<br/>52.169.64.244<br/>40.85.218.175<br/>104.211.92.54<br/>52.175.198.74<br/>51.140.6.23<br/>40.71.12.231<br/>13.69.65.22<br/>13.78.108.165<br/>13.70.72.233<br/>20.44.8.7<br/>13.86.218.248<br/>40.79.138.41<br/>52.231.18.241<br/>13.75.38.7<br/>102.133.155.50<br/>52.162.110.67<br/>191.233.204.248<br/>13.69.66.140<br/>13.77.52.29<br/>51.107.59.180<br/>40.71.12.235<br/>20.44.8.10<br/>40.71.13.169<br/>13.66.141.156<br/>40.71.13.170<br/>13.69.65.23<br/>20.44.17.0<br/>20.36.114.207 <br/>51.116.155.246 <br/>51.107.155.178 <br/>51.140.212.64 <br/>13.86.218.255 <br/>20.37.74.240 <br/>65.52.250.236 <br/>13.69.229.240 <br/>52.236.186.210<br/>52.167.107.65<br/>40.71.12.237<br/>40.78.229.32<br/>40.78.229.33<br/>51.105.67.161<br/>40.124.64.192 | 443 |
+| Telemetry |dc.applicationinsights.azure.com<br/>dc.applicationinsights.microsoft.com<br/>dc.services.visualstudio.com |40.114.241.141<br/>104.45.136.42<br/>40.84.189.107<br/>168.63.242.221<br/>52.167.221.184<br/>52.169.64.244<br/>40.85.218.175<br/>104.211.92.54<br/>52.175.198.74<br/>51.140.6.23<br/>40.71.12.231<br/>13.69.65.22<br/>13.78.108.165<br/>13.70.72.233<br/>20.44.8.7<br/>13.86.218.248<br/>40.79.138.41<br/>52.231.18.241<br/>13.75.38.7<br/>102.133.155.50<br/>52.162.110.67<br/>191.233.204.248<br/>13.69.66.140<br/>13.77.52.29<br/>51.107.59.180<br/>40.71.12.235<br/>20.44.8.10<br/>40.71.13.169<br/>13.66.141.156<br/>40.71.13.170<br/>13.69.65.23<br/>20.44.17.0<br/>20.36.114.207 <br/>51.116.155.246 <br/>51.107.155.178 <br/>51.140.212.64 <br/>13.86.218.255 <br/>20.37.74.240 <br/>65.52.250.236 <br/>13.69.229.240 <br/>52.236.186.210<br/>52.167.107.65<br/>40.71.12.237<br/>40.78.229.32<br/>40.78.229.33<br/>51.105.67.161<br/>40.124.64.192<br/>20.44.12.194<br/>20.189.172.0 | 443 |
| Live Metrics Stream | live.applicationinsights.azure.com<br/>rt.applicationinsights.microsoft.com<br/>rt.services.visualstudio.com|23.96.28.38<br/>13.92.40.198<br/>40.112.49.101<br/>40.117.80.207<br/>157.55.177.6<br/>104.44.140.84<br/>104.215.81.124<br/>23.100.122.113| 443 | ## Status Monitor
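Review bot: the two new telemetry endpoints 20.44.12.194 and 20.189.172.0 are appended as single hosts; 20.189.172.0 ends in .0, which reads like a network address, so confirm it is really a single host and not a truncated CIDR range. Readers use this table to build egress allow-lists, so a wrong or ambiguous entry breaks telemetry silently.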
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/app/java-in-process-agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/java-in-process-agent.md
@@ -30,11 +30,11 @@ The 3.0 agent supports Java 8 and above.
> Please review all the [configuration options](./java-standalone-config.md) carefully, > as the json structure has completely changed, in addition to the file name itself which went all lowercase.
-Download [applicationinsights-agent-3.0.1.jar](https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.0.1/applicationinsights-agent-3.0.1.jar)
+Download [applicationinsights-agent-3.0.2.jar](https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.0.2/applicationinsights-agent-3.0.2.jar)
**2. Point the JVM to the agent**
-Add `-javaagent:path/to/applicationinsights-agent-3.0.1.jar` to your application's JVM args
+Add `-javaagent:path/to/applicationinsights-agent-3.0.2.jar` to your application's JVM args
Typical JVM args include `-Xmx512m` and `-XX:+UseG1GC`. So if you know where to add these, then you already know where to add this.
@@ -50,7 +50,7 @@ Point the agent to your Application Insights resource, either by setting an envi
APPLICATIONINSIGHTS_CONNECTION_STRING=InstrumentationKey=... ```
-Or by creating a configuration file named `applicationinsights.json`, and placing it in the same directory as `applicationinsights-agent-3.0.1.jar`, with the following content:
+Or by creating a configuration file named `applicationinsights.json`, and placing it in the same directory as `applicationinsights-agent-3.0.2.jar`, with the following content:
```json {
@@ -258,7 +258,7 @@ try {
### Add request custom dimensions using the 2.x SDK > [!NOTE]
-> This feature is only in 3.0.1 and later
+> This feature is only in 3.0.2 and later
Add `applicationinsights-web-2.6.2.jar` to your application (all 2.x versions are supported by Application Insights Java 3.0, but it's worth using the latest if you have a choice):
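Review bot: changing the NOTE from "only in 3.0.1 and later" to "only in 3.0.2 and later" changes the stated minimum version of the feature, which looks like a blanket find-and-replace carried over from the download-link bump rather than an intended change. If this feature shipped in 3.0.1, the note should stay at 3.0.1; the same applies to the two following hunks in this file.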
@@ -282,7 +282,7 @@ requestTelemetry.getProperties().put("mydimension", "myvalue");
### Set the request telemetry user_Id using the 2.x SDK > [!NOTE]
-> This feature is only in 3.0.1 and later
+> This feature is only in 3.0.2 and later
Add `applicationinsights-web-2.6.2.jar` to your application (all 2.x versions are supported by Application Insights Java 3.0, but it's worth using the latest if you have a choice):
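Review bot: same concern as the previous hunk: "3.0.1 and later" to "3.0.2 and later" raises the minimum version claim for this feature; revert unless the feature genuinely first appeared in 3.0.2.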
@@ -306,7 +306,7 @@ requestTelemetry.getContext().getUser().setId("myuser");
### Override the request telemetry name using the 2.x SDK > [!NOTE]
-> This feature is only in 3.0.1 and later
+> This feature is only in 3.0.2 and later
Add `applicationinsights-web-2.6.2.jar` to your application (all 2.x versions are supported by Application Insights Java 3.0, but it's worth using the latest if you have a choice):
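Review bot: same concern as the two previous hunks: the version-availability NOTE should not be bumped along with the download link unless the feature actually requires 3.0.2.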
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/app/java-standalone-arguments https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/java-standalone-arguments.md
@@ -18,24 +18,24 @@ Configure [App Services](../../app-service/configure-language-java.md#set-java-r
## Spring Boot
-Add the JVM arg `-javaagent:path/to/applicationinsights-agent-3.0.1.jar` somewhere before `-jar`, for example:
+Add the JVM arg `-javaagent:path/to/applicationinsights-agent-3.0.2.jar` somewhere before `-jar`, for example:
```
-java -javaagent:path/to/applicationinsights-agent-3.0.1.jar -jar <myapp.jar>
+java -javaagent:path/to/applicationinsights-agent-3.0.2.jar -jar <myapp.jar>
``` ## Spring Boot via Docker entry point
-If you are using the *exec* form, add the parameter `"-javaagent:path/to/applicationinsights-agent-3.0.1.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:
+If you are using the *exec* form, add the parameter `"-javaagent:path/to/applicationinsights-agent-3.0.2.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:
```
-ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.0.1.jar", "-jar", "<myapp.jar>"]
+ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.0.2.jar", "-jar", "<myapp.jar>"]
```
-If you are using the *shell* form, add the JVM arg `-javaagent:path/to/applicationinsights-agent-3.0.1.jar` somewhere before `-jar`, for example:
+If you are using the *shell* form, add the JVM arg `-javaagent:path/to/applicationinsights-agent-3.0.2.jar` somewhere before `-jar`, for example:
```
-ENTRYPOINT java -javaagent:path/to/applicationinsights-agent-3.0.1.jar -jar <myapp.jar>
+ENTRYPOINT java -javaagent:path/to/applicationinsights-agent-3.0.2.jar -jar <myapp.jar>
``` ## Tomcat 8 (Linux)
@@ -45,7 +45,7 @@ ENTRYPOINT java -javaagent:path/to/applicationinsights-agent-3.0.1.jar -jar <mya
If you installed Tomcat via `apt-get` or `yum`, then you should have a file `/etc/tomcat8/tomcat8.conf`. Add this line to the end of that file: ```
-JAVA_OPTS="$JAVA_OPTS -javaagent:path/to/applicationinsights-agent-3.0.1.jar"
+JAVA_OPTS="$JAVA_OPTS -javaagent:path/to/applicationinsights-agent-3.0.2.jar"
``` ### Tomcat installed via download and unzip
@@ -53,10 +53,10 @@ JAVA_OPTS="$JAVA_OPTS -javaagent:path/to/applicationinsights-agent-3.0.1.jar"
If you installed Tomcat via download and unzip from [https://tomcat.apache.org](https://tomcat.apache.org), then you should have a file `<tomcat>/bin/catalina.sh`. Create a new file in the same directory named `<tomcat>/bin/setenv.sh` with the following content: ```
-CATALINA_OPTS="$CATALINA_OPTS -javaagent:path/to/applicationinsights-agent-3.0.1.jar"
+CATALINA_OPTS="$CATALINA_OPTS -javaagent:path/to/applicationinsights-agent-3.0.2.jar"
```
-If the file `<tomcat>/bin/setenv.sh` already exists, then modify that file and add `-javaagent:path/to/applicationinsights-agent-3.0.1.jar` to `CATALINA_OPTS`.
+If the file `<tomcat>/bin/setenv.sh` already exists, then modify that file and add `-javaagent:path/to/applicationinsights-agent-3.0.2.jar` to `CATALINA_OPTS`.
## Tomcat 8 (Windows)
@@ -66,36 +66,36 @@ If the file `<tomcat>/bin/setenv.sh` already exists, then modify that file and a
Locate the file `<tomcat>/bin/catalina.bat`. Create a new file in the same directory named `<tomcat>/bin/setenv.bat` with the following content: ```
-set CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.0.1.jar
+set CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.0.2.jar
``` Quotes are not necessary, but if you want to include them, the proper placement is: ```
-set "CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.0.1.jar"
+set "CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.0.2.jar"
```
-If the file `<tomcat>/bin/setenv.bat` already exists, just modify that file and add `-javaagent:path/to/applicationinsights-agent-3.0.1.jar` to `CATALINA_OPTS`.
+If the file `<tomcat>/bin/setenv.bat` already exists, just modify that file and add `-javaagent:path/to/applicationinsights-agent-3.0.2.jar` to `CATALINA_OPTS`.
### Running Tomcat as a Windows service
-Locate the file `<tomcat>/bin/tomcat8w.exe`. Run that executable and add `-javaagent:path/to/applicationinsights-agent-3.0.1.jar` to the `Java Options` under the `Java` tab.
+Locate the file `<tomcat>/bin/tomcat8w.exe`. Run that executable and add `-javaagent:path/to/applicationinsights-agent-3.0.2.jar` to the `Java Options` under the `Java` tab.
## JBoss EAP 7 ### Standalone server
-Add `-javaagent:path/to/applicationinsights-agent-3.0.1.jar` to the existing `JAVA_OPTS` environment variable in the file `JBOSS_HOME/bin/standalone.conf` (Linux) or `JBOSS_HOME/bin/standalone.conf.bat` (Windows):
+Add `-javaagent:path/to/applicationinsights-agent-3.0.2.jar` to the existing `JAVA_OPTS` environment variable in the file `JBOSS_HOME/bin/standalone.conf` (Linux) or `JBOSS_HOME/bin/standalone.conf.bat` (Windows):
```java ...
- JAVA_OPTS="<b>-javaagent:path/to/applicationinsights-agent-3.0.1.jar</b> -Xms1303m -Xmx1303m ..."
+ JAVA_OPTS="<b>-javaagent:path/to/applicationinsights-agent-3.0.2.jar</b> -Xms1303m -Xmx1303m ..."
... ``` ### Domain server
-Add `-javaagent:path/to/applicationinsights-agent-3.0.1.jar` to the existing `jvm-options` in `JBOSS_HOME/domain/configuration/host.xml`:
+Add `-javaagent:path/to/applicationinsights-agent-3.0.2.jar` to the existing `jvm-options` in `JBOSS_HOME/domain/configuration/host.xml`:
```xml ...
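Review bot: the `<b>…</b>` tags around the agent argument in the JBoss `standalone.conf` snippet (`JAVA_OPTS="<b>-javaagent:path/to/applicationinsights-agent-3.0.2.jar</b> -Xms1303m -Xmx1303m ..."`) sit inside a fenced code block, so they render as literal text, and anyone who copies the line hands the JVM `<b>-javaagent:...` as an option, which it will reject. Drop the tags; the sentence above already says which argument to add. The fence is also tagged `java` although the content is a shell variable assignment, so `bash` would be the accurate language hint.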
@@ -105,7 +105,7 @@ Add `-javaagent:path/to/applicationinsights-agent-3.0.1.jar` to the existing `jv
<jvm-options> <option value="-server"/> <!--Add Java agent jar file here-->
- <option value="-javaagent:path/to/applicationinsights-agent-3.0.1.jar"/>
+ <option value="-javaagent:path/to/applicationinsights-agent-3.0.2.jar"/>
<option value="-XX:MetaspaceSize=96m"/> <option value="-XX:MaxMetaspaceSize=256m"/> </jvm-options>
@@ -145,20 +145,20 @@ Add these lines to `start.ini`
``` --exec--javaagent:path/to/applicationinsights-agent-3.0.1.jar
+-javaagent:path/to/applicationinsights-agent-3.0.2.jar
``` ## Payara 5
-Add `-javaagent:path/to/applicationinsights-agent-3.0.1.jar` to the existing `jvm-options` in `glassfish/domains/domain1/config/domain.xml`:
+Add `-javaagent:path/to/applicationinsights-agent-3.0.2.jar` to the existing `jvm-options` in `glassfish/domains/domain1/config/domain.xml`:
```xml ... <java-config ...> <!--Edit the JVM options here--> <jvm-options>
- -javaagent:path/to/applicationinsights-agent-3.0.1.jar>
+ -javaagent:path/to/applicationinsights-agent-3.0.2.jar>
</jvm-options> ... </java-config>
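Review bot: the Payara `domain.xml` snippet keeps the stray trailing `>` on the updated option line (`-javaagent:path/to/applicationinsights-agent-3.0.2.jar>`), inherited from the removed line. Because the value is element text inside `<jvm-options>`, that `>` becomes part of the argument passed to the JVM; remove it while the line is being touched.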
@@ -175,7 +175,7 @@ Java and Process Management > Process definition > Java Virtual Machine
``` In "Generic JVM arguments" add the following: ```--javaagent:path/to/applicationinsights-agent-3.0.1.jar
+-javaagent:path/to/applicationinsights-agent-3.0.2.jar
``` After that, save and restart the application server.
@@ -184,5 +184,5 @@ After that, save and restart the application server.
Create a new file `jvm.options` in the server directory (for example `<openliberty>/usr/servers/defaultServer`), and add this line: ```--javaagent:path/to/applicationinsights-agent-3.0.1.jar
+-javaagent:path/to/applicationinsights-agent-3.0.2.jar
```
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/app/java-standalone-config https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/java-standalone-config.md
@@ -36,14 +36,14 @@ You will find more details and additional configuration options below.
## Configuration file path
-By default, Application Insights Java 3.0 expects the configuration file to be named `applicationinsights.json`, and to be located in the same directory as `applicationinsights-agent-3.0.1.jar`.
+By default, Application Insights Java 3.0 expects the configuration file to be named `applicationinsights.json`, and to be located in the same directory as `applicationinsights-agent-3.0.2.jar`.
You can specify your own configuration file path using either * `APPLICATIONINSIGHTS_CONFIGURATION_FILE` environment variable, or * `applicationinsights.configuration.file` Java system property
-If you specify a relative path, it will be resolved relative to the directory where `applicationinsights-agent-3.0.1.jar` is located.
+If you specify a relative path, it will be resolved relative to the directory where `applicationinsights-agent-3.0.2.jar` is located.
## Connection string
@@ -168,7 +168,7 @@ If you want to add custom dimensions to all of your telemetry:
`${...}` can be used to read the value from specified environment variable at startup. > [!NOTE]
-> Starting from version 3.0.1, if you add a custom dimension named `service.version`, the value will be stored
+> Starting from version 3.0.2, if you add a custom dimension named `service.version`, the value will be stored
> in the `application_Version` column in the Application Insights Logs table instead of as a custom dimension. ## Telemetry processors (preview)
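Review bot: the version in the note (`> Starting from version 3.0.2, if you add a custom dimension named service.version, the value will be stored`) looks like a find-and-replace casualty rather than a correction. This sentence records the release in which the behaviour was introduced, and if that release was 3.0.1, as the removed line says, the statement is now wrong for 3.0.1 users. Keep 3.0.1 unless the behaviour genuinely first shipped in 3.0.2, in which case say so in the commit description.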
@@ -245,7 +245,7 @@ To disable auto-collection of Micrometer metrics (including Spring Boot Actuator
## Suppressing specific auto-collected telemetry
-Starting from version 3.0.1, specific auto-collected telemetry can be suppressed using these configuration options:
+Starting from version 3.0.2, specific auto-collected telemetry can be suppressed using these configuration options:
```json {
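Review bot: `Starting from version 3.0.2, specific auto-collected telemetry can be suppressed using these configuration options:` changes a historical statement, not a download path. A blanket 3.0.1 to 3.0.2 replacement should not move the release in which suppression was introduced; restore `3.0.1` here unless the feature really first appeared in 3.0.2.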
@@ -344,7 +344,7 @@ and the console, corresponding to this configuration:
`level` can be one of `OFF`, `ERROR`, `WARN`, `INFO`, `DEBUG`, or `TRACE`. `path` can be an absolute or relative path. Relative paths are resolved against the directory where
-`applicationinsights-agent-3.0.1.jar` is located.
+`applicationinsights-agent-3.0.2.jar` is located.
`maxSizeMb` is the max size of the log file before it rolls over.
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/app/java-standalone-troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/java-standalone-troubleshoot.md
@@ -11,7 +11,7 @@ In this article, we cover some of the common issues that you might face while in
## Check the self-diagnostic log file
-By default, the Java 3.0 agent for Application Insights produces a log file named `applicationinsights.log` in the same directory that holds the `applicationinsights-agent-3.0.1.jar` file.
+By default, the Java 3.0 agent for Application Insights produces a log file named `applicationinsights.log` in the same directory that holds the `applicationinsights-agent-3.0.2.jar` file.
This log file is the first place to check for hints to any issues you might be experiencing.
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/app/javascript-click-analytics-plugin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/javascript-click-analytics-plugin.md
@@ -13,11 +13,11 @@ ms.author: lagayhar
# Click Analytics Auto-collection plugin for Application Insights JavaScript SDK
-Click Analytics Auto-collection plugin for Application Insights JavaScript SDK, enables automatic tracking of the click events on web pages based on `data-*`meta tags. This plugin uses the `data-*` global attributes to capture the click events and populate telemetry data.
+This plugin automatically tracks click events on web pages and uses data-* attributes on HTML elements to populate event telemetry.
## Getting started
-Users can setup the Click Analytics Auto-collection plugin via npm.
+Users can set up the Click Analytics Auto-collection plugin via npm.
### npm setup
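Review bot: the rewritten intro (`This plugin automatically tracks click events on web pages and uses data-* attributes on HTML elements to populate event telemetry.`) drops the backticks that the removed line had around `data-*`, so the attribute name now renders as prose and the `*` can be picked up as emphasis markup. Restore the code formatting; the rest of the article writes it as `data-*`.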
@@ -97,19 +97,19 @@ appInsights.loadAppInsights();
### ICustomDataTags
-| Name | Type | Default | Description |
-|---------------------------|---------|-----------|---------------------------------------------------------------------------------------------------|
-| useDefaultContentNameOrId | boolean | false | When a particular element is not tagged with default customDataPrefix or customDataPrefix is not provided by user, this flag is used to collect standard HTML attribute for contentName. |
-| customDataPrefix | string | `data-` | Automatic capture content name and value of elements that are tagged with provided prefix. |
-| aiBlobAttributeTag | string | `ai-blob` | Plugin supports a JSON blob content meta data tagging instead of individual `data-*` attributes. |
-| metaDataPrefix | string | null | Automatic capture HTML Head's meta element name and content with provided prefix. |
-| captureAllMetaDataContent | string | null | Automatic capture all HTML Head's meta element names and content. Default is false. If enabled this will override provided metaDataPrefix. |
-| parentDataTag | string | null | Stops traversing up the DOM to capture content name and value of elements when encountered with this tag.|
-| dntDataTag | string | `ai-dnt` | HTML elements with this attribute will be ignored by the plugin for capturing telemetry data.|
+| Name | Type | Default | Default Tag to Use in HTML | Description |
+|---------------------------|---------|-----------|-------------|----------------------------------------------------------------------------------------------|
+| useDefaultContentNameOrId | boolean | false | N/A |Collects standard HTML attribute for contentName when a particular element is not tagged with default customDataPrefix or when customDataPrefix is not provided by user. |
+| customDataPrefix | string | `data-` | `data-*`| Automatic capture content name and value of elements that are tagged with provided prefix. For example, `data-*-id`, `data-<yourcustomattribute>` can be used in the HTML tags. |
+| aiBlobAttributeTag | string | `ai-blob` | `data-ai-blob`| Plugin supports a JSON blob attribute instead of individual `data-*` attributes. |
+| metaDataPrefix | string | null | N/A | Automatic capture HTML Head's meta element name and content with provided prefix when capture. For example, `custom-` can be used in the HTML meta tag. |
+| captureAllMetaDataContent | boolean | false | N/A | Automatic capture all HTML Head's meta element names and content. Default is false. If enabled this will override provided metaDataPrefix. |
+| parentDataTag | string | null | N/A | Stops traversing up the DOM to capture content name and value of elements when encountered with this tag. For example, `data-<yourparentDataTag>` can be used in the HTML tags.|
+| dntDataTag | string | `ai-dnt` | `data-ai-dnt`| HTML elements with this attribute will be ignored by the plugin for capturing telemetry data.|
### behaviorValidator
-You might use the behaviorValidator function when you want to ensure data consistency though automatic checks that tagged behaviors in code conform to a pre-defined list of known and accepted taxonomy within your enterprise. It is not required or expected that most Azure Monitor customers will use this, but it's available for advanced scenarios. There are three different behaviorValidator callback functions exposed as part of this extension. However, users can use their own callback functions if the exposed functions do not solve your requirement. The intent is to bring your own behaviors data structure, the plugin uses this validator function while extracting the behaviors from the data tags.
+The behaviorValidator functions automatically checks that tagged behaviors in code conform to a pre-defined list. This ensures tagged behaviors are consistent with your enterprise's established taxonomy. It is not required or expected that most Azure Monitor customers will use this, but it's available for advanced scenarios. There are three different behaviorValidator callback functions exposed as part of this extension. However, users can use their own callback functions if the exposed functions do not solve your requirement. The intent is to bring your own behaviors data structure, the plugin uses this validator function while extracting the behaviors from the data tags.
| Name | Description | | ---------------------- | -----------------------------------------------------------------------------------|
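Review bot: the rewritten behaviorValidator paragraph opens with a subject/verb mismatch (`The behaviorValidator functions automatically checks that tagged behaviors in code conform to a pre-defined list.`); use either `function ... checks` or `functions ... check`. Its last sentence is still a comma splice (`The intent is to bring your own behaviors data structure, the plugin uses this validator function ...`) and should be split. In the table, the `customDataPrefix` example `data-*-id` mixes the wildcard with a literal suffix and reads as if `*-id` were required; `data-<yourcustomattribute>` alone, or a concrete example like `data-id`, is clearer. Since the rows say the plugin captures the content name and value of clicked elements, the `dntDataTag` row is also the natural place to state that `data-ai-dnt` is how to keep elements holding sensitive text out of the collected telemetry.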
@@ -308,6 +308,7 @@ appInsights.loadAppInsights();
## Next steps
+- Check out the [GitHub Repository](https://github.com/microsoft/ApplicationInsights-JS/tree/master/extensions/applicationinsights-clickanalytics-js) and [NPM Package](https://www.npmjs.com/package/@microsoft/applicationinsights-clickanalytics-js) for the Click Analytics Auto-Collection Plugin.
- Use [Events Analysis in Usage Experience](usage-segmentation.md) to analyze top clicks and slice by available dimensions. - Find click data under content field within customDimensions attribute in CustomEvents table in [Log Analytics](../log-query/log-analytics-tutorial.md#write-a-query). - Build a [Workbook](../platform/workbooks-overview.md) to create custom visualizations of click data.
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/app/nodejs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/nodejs.md
@@ -330,6 +330,12 @@ server.on("listening", () => {
}); ```
+### Flush
+
+By default, telemetry is buffered for 15 seconds before it is sent to the ingestion server. If your application has a short lifespan (e.g. a CLI tool), it might be necessary to manually flush your buffered telemetry when application terminates, `appInsights.defaultClient.flush()`.
+
+If the SDK detects that your application is crashing, it will call flush for you, `appInsights.defaultClient.flush({ isAppCrashing: true })`. With the flush option `isAppCrashing`, your application is assumed to be in an abnormal state, not suitable for sending telemetry. Instead, the SDK will save all buffered telemetry to [persistent storage](./data-retention-privacy.md#nodejs) and let your application terminate. When you application starts again, it will try to send any telemetry that was saved to persistent storage.
+ ### Preprocess data with telemetry processors You can process and filter collected data before it is sent for retention using *Telemetry Processors*. Telemetry processors are called one by one in the order they were added before the telemetry item is sent to the cloud.
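Review bot: the guidance for short-lived processes (`it might be necessary to manually flush your buffered telemetry when application terminates, appInsights.defaultClient.flush()`) does not say that flush is asynchronous, so a CLI that calls it and then returns can still exit before the batch is sent. The SDK's flush options include a `callback` that fires on completion; tell the reader to wait for it (or otherwise keep the process alive) before exiting. Wording in the same lines: `when application terminates` needs an article, and `When you application starts again` in the last paragraph should be `When your application starts again`.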
@@ -419,4 +425,4 @@ These properties are client specific, so you can configure `appInsights.defaultC
<!--references--> [portal]: https://portal.azure.com/
-[FAQ]: ../faq.md
\ No newline at end of file
+[FAQ]: ../faq.md
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/insights/network-performance-monitor-faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/insights/network-performance-monitor-faq.md
@@ -30,7 +30,7 @@ Listed below are the platform requirements for NPM's various capabilities:
- NPM's ExpressRoute Monitor capability supports only Windows server (2008 SP1 or later) operating system. ### Can I use Linux machines as monitoring nodes in NPM?
-The capability to monitor networks using Linux-based nodes is now generally available. Acccess the agent [here](../../virtual-machines/extensions/oms-linux.md). Linux agents provide monitoring capability only for NPM's Performance Monitor capability, and are not available for the Service Connectivity Monitor and ExpressRoute Monitor capabilities
+The capability to monitor networks using Linux-based nodes is now generally available. Acccess the agent [here](../../virtual-machines/extensions/oms-linux.md).
### What are the size requirements of the nodes to be used for monitoring by NPM? For running the NPM solution on node VMs to monitor networks, the nodes should have at least 500-MB memory and one core. You don't need to use separate nodes for running NPM. The solution can run on nodes that have other workloads running on it. The solution has the capability to stop the monitoring process if it uses more than 5% CPU.
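Review bot: the new answer keeps the typo `Acccess the agent` from the removed line; fix it to `Access` while the line is being rewritten. The deletion also removes the only statement of what Linux nodes can and cannot do (`Linux agents provide monitoring capability only for NPM's Performance Monitor capability, and are not available for the Service Connectivity Monitor and ExpressRoute Monitor capabilities`), while the requirements context two lines above still says `NPM's ExpressRoute Monitor capability supports only Windows server`. If Linux nodes now support Service Connectivity Monitor, say so explicitly; if not, keep the restriction so the answer and the requirements list agree.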
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/logs-dedicated-clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/log-query/logs-dedicated-clusters.md
@@ -508,28 +508,26 @@ Use the following REST call to delete a cluster:
- You can link a workspace to your cluster and then unlink it. The number of workspace link operations on particular workspace is limited to 2 in a period of 30 days. -- Workspace link to cluster should be carried ONLY after you have verified that the Log Analytics cluster provisioning was completed. Data sent to your workspace prior to the completion will be dropped and won't be recoverable.- - Cluster move to another resource group or subscription isn't supported currently. -- Workspace link to cluster will fail if it is linked to another cluster.- - Lockbox isn't available in China currently. -- [Double encryption](../../storage/common/storage-service-encryption.md#doubly-encrypt-data-with-infrastructure-encryption) is configured automatically for clusters created from October 2020 in supported regions. You can verify if your cluster is configured for Double encryption by a GET request on the cluster and observing the `"isDoubleEncryptionEnabled"` property value - it's `true` for clusters with Double encryption enabled.
- - If you create a cluster and get an error "<region-name> doesnΓÇÖt support Double Encryption for clusters.", you can still create the cluster without Double Encryption. Add `"properties": {"isDoubleEncryptionEnabled": false}` property in the REST request body.
+- [Double encryption](../../storage/common/storage-service-encryption.md#doubly-encrypt-data-with-infrastructure-encryption) is configured automatically for clusters created from October 2020 in supported regions. You can verify if your cluster is configured for double encryption by sending a GET request on the cluster and observing that the `isDoubleEncryptionEnabled` value is `true` for clusters with Double encryption enabled.
+ - If you create a cluster and get an error "<region-name> doesnΓÇÖt support Double Encryption for clusters.", you can still create the cluster without Double encryption by adding `"properties": {"isDoubleEncryptionEnabled": false}` in the REST request body.
- Double encryption setting can not be changed after the cluster has been created. ## Troubleshooting - If you get conflict error when creating a cluster ΓÇô it may be that you have deleted your cluster in the last 14 days and itΓÇÖs in a soft-delete state. The cluster name remains reserved during the soft-delete period and you can't create a new cluster with that name. The name is released after the soft-delete period when the cluster is permanently deleted. -- If you update your cluster while an operation is in progress, the operation will fail.
+- If you update your cluster while the cluster is at provisioning or updating state, the update will fail.
- Some operations are long and can take a while to complete -- these are cluster create, cluster key update and cluster delete. You can check the operation status in two ways: - When using REST, copy the Azure-AsyncOperation URL value from the response and follow the [asynchronous operations status check](#asynchronous-operations-and-status-check). - Send GET request to cluster or workspace and observe the response. For example, unlinked workspace won't have the *clusterResourceId* under *features*.
+- Workspace link to cluster will fail if it is linked to another cluster.
+ - Error messages Cluster Create:
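Review bot: the added double-encryption sub-bullet still carries mis-decoded punctuation in the quoted error text (`"<region-name> doesnΓÇÖt support Double Encryption for clusters."`), as do the troubleshooting lines (`ΓÇô`, `itΓÇÖs`); make sure the file is saved as UTF-8, or use plain ASCII quotes and apostrophes so readers can match the string against what the API returns. The hunk also deletes the limitation `Workspace link to cluster should be carried ONLY after you have verified that the Log Analytics cluster provisioning was completed. Data sent to your workspace prior to the completion will be dropped and won't be recoverable.` without a replacement; the new `If you update your cluster while the cluster is at provisioning or updating state, the update will fail.` covers cluster updates, not workspace links. Either keep the data-loss warning or state that linking during provisioning is now rejected instead of silently dropping data. Minor: `can not be changed` should be `cannot be changed`, and in the moved bullet `Workspace link to cluster will fail if it is linked to another cluster` the `it` is ambiguous; `if the workspace is already linked to another cluster` is unambiguous.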
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/customer-managed-keys https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/customer-managed-keys.md
@@ -383,16 +383,12 @@ Customer-Managed key is provided on dedicated cluster and these operations are r
## Limitations and constraints -- Customer-managed key is supported on dedicated Log Analytics cluster and suitable for customers sending 1TB per day or more.- - The max number of cluster per region and subscription is 2 -- The maximum of linked workspaces to cluster is 1000
+- The maximum number of workspaces that can be linked to a cluster is 1000
- You can link a workspace to your cluster and then unlink it. The number of workspace link operations on particular workspace is limited to 2 in a period of 30 days. -- Workspace link to cluster should be carried ONLY after you have verified that the Log Analytics cluster provisioning was completed. Data sent to your workspace prior to the completion will be dropped and won't be recoverable.- - Customer-managed key encryption applies to newly ingested data after the configuration time. Data that was ingested prior to the configuration, remains encrypted with Microsoft key. You can query data ingested before and after the Customer-managed key configuration seamlessly. - The Azure Key Vault must be configured as recoverable. These properties aren't enabled by default and should be configured using CLI or PowerShell:<br>
@@ -401,14 +397,12 @@ Customer-Managed key is provided on dedicated cluster and these operations are r
- Cluster move to another resource group or subscription isn't supported currently. -- Your Azure Key Vault, cluster and linked workspaces must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions.--- Workspace link to cluster will fail if it is linked to another cluster.
+- Your Azure Key Vault, cluster and workspaces must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions.
- Lockbox isn't available in China currently. -- [Double encryption](../../storage/common/storage-service-encryption.md#doubly-encrypt-data-with-infrastructure-encryption) is configured automatically for clusters created from October 2020 in supported regions. You can verify if your cluster is configured for Double encryption by a GET request on the cluster and observing the `"isDoubleEncryptionEnabled"` property value - it's `true` for clusters with Double encryption enabled.
- - If you create a cluster and get an error "<region-name> doesnΓÇÖt support Double Encryption for clusters.", you can still create the cluster without Double Encryption. Add `"properties": {"isDoubleEncryptionEnabled": false}` property in the REST request body.
+- [Double encryption](../../storage/common/storage-service-encryption.md#doubly-encrypt-data-with-infrastructure-encryption) is configured automatically for clusters created from October 2020 in supported regions. You can verify if your cluster is configured for double encryption by sending a GET request on the cluster and observing that the `isDoubleEncryptionEnabled` value is `true` for clusters with Double encryption enabled.
+ - If you create a cluster and get an error "<region-name> doesnΓÇÖt support Double Encryption for clusters.", you can still create the cluster without Double encryption by adding `"properties": {"isDoubleEncryptionEnabled": false}` in the REST request body.
- Double encryption setting can not be changed after the cluster has been created. - If your cluster is set with User-assigned managed identity, setting `UserAssignedIdentities` with `None` suspends the cluster and prevents access to your data, but you can't revert the revocation and activate the cluster without opening support request. This limitation isn' applied to System-assigned managed identity.
@@ -426,15 +420,17 @@ Customer-Managed key is provided on dedicated cluster and these operations are r
- Key Vault access rate -- The frequency that Azure Monitor Storage accesses Key Vault for wrap and unwrap operations is between 6 to 60 seconds.
+- If you update your cluster while the cluster is at provisioning or updating state, the update will fail.
+
+- If you get conflict error when creating a cluster ΓÇô It may be that you have deleted your cluster in the last 14 days and itΓÇÖs in a soft-delete period. The cluster name remains reserved during the soft-delete period and you can't create a new cluster with that name. The name is released after the soft-delete period when the cluster is permanently deleted.
+
+- Workspace link to cluster will fail if it is linked to another cluster.
+ - If you create a cluster and specify the KeyVaultProperties immediately, the operation may fail since the access policy can't be defined until system identity is assigned to the cluster. - If you update existing cluster with KeyVaultProperties and 'Get' key Access Policy is missing in Key Vault, the operation will fail. -- If you get conflict error when creating a cluster – It may be that you have deleted your cluster in the last 14 days and it’s in a soft-delete period. The cluster name remains reserved during the soft-delete period and you can't create a new cluster with that name. The name is released after the soft-delete period when the cluster is permanently deleted.--- If you update your cluster while an operation is in progress, the operation will fail.- - If you fail to deploy your cluster, verify that your Azure Key Vault, cluster and linked Log Analytics workspaces are in the same region. The can be in different subscriptions. - If you update your key version in Key Vault and don't update the new key identifier details in the cluster, the Log Analytics cluster will keep using your previous key and your data will become inaccessible. Update new key identifier details in the cluster to resume data ingestion and ability to query data.
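Review bot: the re-added soft-delete bullet introduces an encoding regression: the removed line reads `If you get conflict error when creating a cluster – It may be that you have deleted your cluster in the last 14 days and it’s in a soft-delete period`, while the added line has `ΓÇô` and `itΓÇÖs`, the UTF-8 bytes of the en dash and right single quote decoded as cp437; the double-encryption error string (`doesnΓÇÖt`) has the same problem. Re-save the file as UTF-8 or use ASCII punctuation. The hunk also drops the `Workspace link to cluster should be carried ONLY after ... provisioning was completed. Data sent to your workspace prior to the completion will be dropped and won't be recoverable.` caveat and the `suitable for customers sending 1TB per day or more` sizing guidance without replacements; for the first, either keep the warning or state that links during provisioning are now rejected. Typos in the touched context worth fixing in the same pass: `This limitation isn' applied` and `The can be in different subscriptions`.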
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-collection-rule-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/data-collection-rule-overview.md
@@ -5,7 +5,7 @@ ms.subservice: logs
ms.topic: conceptual author: bwren ms.author: bwren
-ms.date: 08/19/2020
+ms.date: 01/19/2021
---
@@ -49,10 +49,20 @@ For limits that apply to each data collection rule, see [Azure Monitor service l
## Create a DCR
-There are currently two available methods to create a DCR:
+You can currently use any of the following methods to create a DCR:
- [Use the Azure portal](data-collection-rule-azure-monitor-agent.md) to create a data collection rule and have it associated with one or more virtual machines. - Directly edit the data collection rule in JSON and [submit using the REST API](/rest/api/monitor/datacollectionrules).
+- Create DCR and associations with [Azure CLI](https://github.com/Azure/azure-cli-extensions/blob/master/src/monitor-control-service/README.md).
+- Create DCR and associations with Azure PowerShell.
+ - [Get-AzDataCollectionRule](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Get-AzDataCollectionRule.md)
+ - [New-AzDataCollectionRule](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/New-AzDataCollectionRule.md)
+ - [Set-AzDataCollectionRule](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Set-AzDataCollectionRule.md)
+ - [Update-AzDataCollectionRule](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Update-AzDataCollectionRule.md)
+ - [Remove-AzDataCollectionRule](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Remove-AzDataCollectionRule.md)
+ - [Get-AzDataCollectionRuleAssociation](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Get-AzDataCollectionRuleAssociation.md)
+ - [New-AzDataCollectionRuleAssociation](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/New-AzDataCollectionRuleAssociation.md)
+ - [Remove-AzDataCollectionRuleAssociation](https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/Remove-AzDataCollectionRuleAssociation.md)
## Sample data collection rule The sample data collection rule below is for virtual machines with Azure Management agent and has the following details:
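Review bot: the new PowerShell bullets link to raw help files in the azure-powershell GitHub repository (for example `https://github.com/Azure/azure-powershell/blob/master/src/Monitor/Monitor/help/New-AzDataCollectionRule.md`) rather than to the published cmdlet reference, which is what the list already does for the REST API via `/rest/api/monitor/datacollectionrules`; repository paths move when modules are restructured, so prefer the reference-docs URLs. The Azure CLI bullet likewise points at a README under `azure-cli-extensions` without saying that `monitor-control-service` is an extension the reader has to install before the commands exist. Wording: `Create DCR and associations` should be `Create a DCR and its associations`.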
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-dashboard-errors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/itsmc-dashboard-errors.md
@@ -23,7 +23,7 @@ in this section you can find the common errors that presented in the connector s
* A custom script deployed in ServiceNow instance causes incidents to be ignored. * "OMS Integrator App" code itself was modified on ServiceNow side, e.g. the onBefore script.
- **Resolution**: Disable all custom scripts or code modifications of the data import path.
+ **Resolution**: Disable all custom scripts or code modifications of the data import path.
* **Error**: "{"error":{"message":"Operation Failed","detail":"ACL Exception Update Failed due to security constraints"}"
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-troubleshoot-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/itsmc-troubleshoot-overview.md
@@ -52,7 +52,7 @@ If you're using Service Map, you can view the service desk items created in ITSM
You can see details about the messages in the table - [here](itsmc-dashboard-errors.md). - **Log Search** page: View the errors and related information directly by using the query `*ServiceDeskLog_CL*`.
-## Common Symptoms - how it should be resolved?
+## Common Symptoms - how should it be resolved?
The list below contain common symptoms and how should it be resolved:
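Review bot: the heading fix (`## Common Symptoms - how should it be resolved?`) leaves the same grammar in the context line directly below it, `The list below contain common symptoms and how should it be resolved:`. Since this hunk is a grammar fix, change that line too, for example `The list below contains common symptoms and how each should be resolved:`.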
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/logs-data-export https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/logs-data-export.md
@@ -31,13 +31,16 @@ Log Analytics workspace data export continuously exports data from a Log Analyti
## Current limitations -- Configuration can currently only be performed using CLI or REST requests. You cannot use the Azure portal or PowerShell.
+- Configuration can be performed using CLI or REST requests currently. Azure portal or PowerShell are not supported yet.
- The ```--export-all-tables``` option in CLI and REST isn't supported and will be removed. You should provide the list of tables in export rules explicitly.-- Supported tables are currently limited those specific in the [supported tables](#supported-tables) section below. If the data export rule includes an unsupported table, the operation will succeed, but no data will be exported for that table. If the data export rule includes a table that doesn't exist, it will fail with the error ```Table <tableName> does not exist in the workspace.```
+- Supported tables are currently limited those specific in the [supported tables](#supported-tables) section below.
+- If the data export rule includes an unsupported table, the operation will succeed, but no data will be exported for that table until table gets supported.
+- If the data export rule includes a table that doesn't exist, it will fail with the error ```Table <tableName> does not exist in the workspace```.
- Your Log Analytics workspace can be in any region except for the following: - Switzerland North - Switzerland West - Azure Government regions
+- You can create two export rules in a workspace -- in can be one rule to event hub and one rule to storage account.
- The destination storage account or event hub must be in the same region as the Log Analytics workspace. - Names of tables to be exported can be no longer than 60 characters for a storage account and no more than 47 characters to an event hub. Tables with longer names will not be exported.
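Review bot: the new export-rule limit bullet has a typo that changes its sense: `You can create two export rules in a workspace -- in can be one rule to event hub and one rule to storage account.` should read `it can be one rule to an event hub and one rule to a storage account`; stating the limit as one rule per destination type keeps it consistent with `You can create a single rule for each destination.` in the create-rule section of the same file. The re-split bullet `Supported tables are currently limited those specific in the [supported tables](#supported-tables) section below.` is still missing words (`limited to those specified in`), and `until table gets supported` should be `until the table is supported`.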
@@ -111,7 +114,7 @@ If you have configured your Storage Account to allow access from selected networ
### Create or update data export rule
-A data export rule defines data to be exported for a set of tables to a single destination. You can create a rule for each destination.
+A data export rule defines data to be exported for a set of tables to a single destination. You can create a single rule for each destination.
# [Azure portal](#tab/portal)
azure-relay https://docs.microsoft.com/en-us/azure/azure-relay/relay-exceptions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-exceptions.md
@@ -12,16 +12,16 @@ This article lists some exceptions that might be generated by the Azure Relay AP
The Relay APIs generate exceptions that might fall into the following categories. Also listed are suggested actions that you can take to help resolve the exceptions.
-* **User coding error**: [System.ArgumentException](/dotnet/api/system.argumentexception?view=netcore-3.1), [System.InvalidOperationException](/dotnet/api/system.invalidoperationexception?view=netcore-3.1), [System.OperationCanceledException](/dotnet/api/system.operationcanceledexception?view=netcore-3.1), [System.Runtime.Serialization.SerializationException](/dotnet/api/system.runtime.serialization.serializationexception?view=netcore-3.1).
+* **User coding error**: [System.ArgumentException](/dotnet/api/system.argumentexception), [System.InvalidOperationException](/dotnet/api/system.invalidoperationexception), [System.OperationCanceledException](/dotnet/api/system.operationcanceledexception), [System.Runtime.Serialization.SerializationException](/dotnet/api/system.runtime.serialization.serializationexception).
**General action**: Try to fix the code before you proceed.
-* **Setup/configuration error**: [System.UnauthorizedAccessException](/dotnet/api/system.unauthorizedaccessexception?view=netcore-3.1).
+* **Setup/configuration error**: [System.UnauthorizedAccessException](/dotnet/api/system.unauthorizedaccessexception).
**General action**: Review your configuration. If necessary, change the configuration. * **Transient exceptions**: [Microsoft.ServiceBus.Messaging.MessagingException](/dotnet/api/microsoft.servicebus.messaging.messagingexception), [Microsoft.ServiceBus.Messaging.ServerBusyException](/dotnet/api/microsoft.servicebus.messaging.serverbusyexception), [Microsoft.ServiceBus.Messaging.MessagingCommunicationException](/dotnet/api/microsoft.servicebus.messaging.messagingcommunicationexception). **General action**: Retry the operation or notify users.
-* **Other exceptions**: [System.Transactions.TransactionException](/dotnet/api/system.transactions.transactionexception?view=netcore-3.1), [System.TimeoutException](/dotnet/api/system.timeoutexception?view=netcore-3.1).
+* **Other exceptions**: [System.Transactions.TransactionException](/dotnet/api/system.transactions.transactionexception), [System.TimeoutException](/dotnet/api/system.timeoutexception).
**General action**: Specific to the exception type. See the table in the following section.
@@ -31,11 +31,11 @@ The following table lists messaging exception types and their causes. It also no
| **Exception type** | **Description** | **Suggested action** | **Note on automatic or immediate retry** | | --- | --- | --- | --- |
-| [Timeout](/dotnet/api/system.timeoutexception?view=netcore-3.1) |The server did not respond to the requested operation within the specified time, which is controlled by [OperationTimeout](/dotnet/api/microsoft.servicebus.messaging.messagingfactorysettings.operationtimeout). The server might have completed the requested operation. This can happen due to network or other infrastructure delays. |Check the system state for consistency, and then retry, if necessary. See [TimeoutException](#timeoutexception). |Retry might help in some cases; add retry logic to code. |
-| [Invalid Operation](/dotnet/api/system.invalidoperationexception?view=netcore-3.1) |The requested user operation is not allowed within the server or service. See the exception message for details. |Check the code and the documentation. Make sure that the requested operation is valid. |Retry will not help. |
-| [Operation Canceled](/dotnet/api/system.operationcanceledexception?view=netcore-3.1) |An attempt is made to invoke an operation on an object that has already been closed, aborted, or disposed. In rare cases, the ambient transaction is already disposed. |Check the code and make sure it does not invoke operations on a disposed object. |Retry will not help. |
-| [Unauthorized Access](/dotnet/api/system.unauthorizedaccessexception?view=netcore-3.1) |The [TokenProvider](/dotnet/api/microsoft.servicebus.tokenprovider) object could not acquire a token, the token is invalid, or the token does not contain the claims required to perform the operation. |Make sure that the token provider is created with the correct values. Check the configuration of the Access Control service. |Retry might help in some cases; add retry logic to code. |
-| [Argument Exception](/dotnet/api/system.argumentexception?view=netcore-3.1),<br /> [Argument Null](/dotnet/api/system.argumentnullexception?view=netcore-3.1),<br />[Argument Out Of Range](/dotnet/api/system.argumentoutofrangeexception?view=netcore-3.1) |One or more of the following has occurred:<br />One or more arguments supplied to the method are invalid.<br /> The URI supplied to [NamespaceManager](/dotnet/api/microsoft.servicebus.namespacemanager) or [Create](/dotnet/api/microsoft.servicebus.messaging.messagingfactory.create) contains one or more path segments.<br />The URI scheme supplied to [NamespaceManager](/dotnet/api/microsoft.servicebus.namespacemanager) or [Create](/dotnet/api/microsoft.servicebus.messaging.messagingfactory.create) is invalid. <br />The property value is larger than 32 KB. |Check the calling code and make sure the arguments are correct. |Retry will not help. |
+| [Timeout](/dotnet/api/system.timeoutexception) |The server did not respond to the requested operation within the specified time, which is controlled by [OperationTimeout](/dotnet/api/microsoft.servicebus.messaging.messagingfactorysettings.operationtimeout). The server might have completed the requested operation. This can happen due to network or other infrastructure delays. |Check the system state for consistency, and then retry, if necessary. See [TimeoutException](#timeoutexception). |Retry might help in some cases; add retry logic to code. |
+| [Invalid Operation](/dotnet/api/system.invalidoperationexception) |The requested user operation is not allowed within the server or service. See the exception message for details. |Check the code and the documentation. Make sure that the requested operation is valid. |Retry will not help. |
+| [Operation Canceled](/dotnet/api/system.operationcanceledexception) |An attempt is made to invoke an operation on an object that has already been closed, aborted, or disposed. In rare cases, the ambient transaction is already disposed. |Check the code and make sure it does not invoke operations on a disposed object. |Retry will not help. |
+| [Unauthorized Access](/dotnet/api/system.unauthorizedaccessexception) |The [TokenProvider](/dotnet/api/microsoft.servicebus.tokenprovider) object could not acquire a token, the token is invalid, or the token does not contain the claims required to perform the operation. |Make sure that the token provider is created with the correct values. Check the configuration of the Access Control service. |Retry might help in some cases; add retry logic to code. |
+| [Argument Exception](/dotnet/api/system.argumentexception),<br /> [Argument Null](/dotnet/api/system.argumentnullexception),<br />[Argument Out Of Range](/dotnet/api/system.argumentoutofrangeexception) |One or more of the following has occurred:<br />One or more arguments supplied to the method are invalid.<br /> The URI supplied to [NamespaceManager](/dotnet/api/microsoft.servicebus.namespacemanager) or [Create](/dotnet/api/microsoft.servicebus.messaging.messagingfactory.create) contains one or more path segments.<br />The URI scheme supplied to [NamespaceManager](/dotnet/api/microsoft.servicebus.namespacemanager) or [Create](/dotnet/api/microsoft.servicebus.messaging.messagingfactory.create) is invalid. <br />The property value is larger than 32 KB. |Check the calling code and make sure the arguments are correct. |Retry will not help. |
| [Server Busy](/dotnet/api/microsoft.servicebus.messaging.serverbusyexception) |Service is not able to process the request at this time. |The client can wait for a period of time, then retry the operation. |The client might retry after a specific interval. If a retry results in a different exception, check the retry behavior of that exception. | | [Quota Exceeded](/dotnet/api/microsoft.servicebus.messaging.quotaexceededexception) |The messaging entity has reached its maximum allowable size. |Create space in the entity by receiving messages from the entity or its subqueues. See [QuotaExceededException](#quotaexceededexception). |Retry might help if messages have been removed in the meantime. | | [Message Size Exceeded](/dotnet/api/microsoft.servicebus.messaging.messagesizeexceededexception) |A message payload exceeds the 256-KB limit. Note that the 256-KB limit is the total message size. The total message size can include system properties and any Microsoft .NET overhead. |Reduce the size of the message payload, then retry the operation. |Retry will not help. |
@@ -44,12 +44,12 @@ The following table lists messaging exception types and their causes. It also no
[QuotaExceededException](/dotnet/api/microsoft.servicebus.messaging.quotaexceededexception) indicates that a quota for a specific entity has been exceeded.
-For Relay, this exception wraps the [System.ServiceModel.QuotaExceededException](/dotnet/api/system.servicemodel.quotaexceededexception?view=dotnet-plat-ext-3.1), which indicates that the maximum number of listeners has been exceeded for this endpoint. This is indicated in the **MaximumListenersPerEndpoint** value of the exception message.
+For Relay, this exception wraps the [System.ServiceModel.QuotaExceededException](/dotnet/api/system.servicemodel.quotaexceededexception), which indicates that the maximum number of listeners has been exceeded for this endpoint. This is indicated in the **MaximumListenersPerEndpoint** value of the exception message.
## TimeoutException
-A [TimeoutException](/dotnet/api/system.timeoutexception?view=netcore-3.1) indicates that a user-initiated operation is taking longer than the operation timeout.
+A [TimeoutException](/dotnet/api/system.timeoutexception) indicates that a user-initiated operation is taking longer than the operation timeout.
-Check the value of the [ServicePointManager.DefaultConnectionLimit](/dotnet/api/system.net.servicepointmanager.defaultconnectionlimit?view=netcore-3.1#System_Net_ServicePointManager_DefaultConnectionLimit) property. Reaching this limit also can cause a [TimeoutException](/dotnet/api/system.timeoutexception?view=netcore-3.1).
+Check the value of the [ServicePointManager.DefaultConnectionLimit](/dotnet/api/system.net.servicepointmanager.defaultconnectionlimit#System_Net_ServicePointManager_DefaultConnectionLimit) property. Reaching this limit also can cause a [TimeoutException](/dotnet/api/system.timeoutexception).
For Relay, you might receive timeout exceptions when you first open a relay sender connection. There are two common causes for this exception:
azure-relay https://docs.microsoft.com/en-us/azure/azure-relay/relay-hybrid-connections-dotnet-api-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-relay/relay-hybrid-connections-dotnet-api-overview.md
@@ -78,7 +78,7 @@ var hybridConnectionStream = await client.CreateConnectionAsync();
### Receiving data
-The [HybridConnectionStream][HCStream] class enables two-way communication. In most cases, you continuously receive from the stream. If you are reading text from the stream, you might also want to use a [StreamReader](/dotnet/api/system.io.streamreader?view=netcore-3.1) object, which enables easier parsing of the data. For example, you can read data as text, rather than as `byte[]`.
+The [HybridConnectionStream][HCStream] class enables two-way communication. In most cases, you continuously receive from the stream. If you are reading text from the stream, you might also want to use a [StreamReader](/dotnet/api/system.io.streamreader) object, which enables easier parsing of the data. For example, you can read data as text, rather than as `byte[]`.
The following code reads individual lines of text from the stream until a cancellation is requested:
@@ -105,14 +105,14 @@ while (!cancellationToken.IsCancellationRequested)
### Sending data
-Once you have a connection established, you can send a message to the Relay endpoint. Because the connection object inherits [Stream](/dotnet/api/system.io.stream?view=netcore-3.1), send your data as a `byte[]`. The following example shows how to do this:
+Once you have a connection established, you can send a message to the Relay endpoint. Because the connection object inherits [Stream](/dotnet/api/system.io.stream), send your data as a `byte[]`. The following example shows how to do this:
```csharp var data = Encoding.UTF8.GetBytes("hello"); await clientConnection.WriteAsync(data, 0, data.Length); ```
-However, if you want to send text directly, without needing to encode the string each time, you can wrap the `hybridConnectionStream` object with a [StreamWriter](/dotnet/api/system.io.streamwriter?view=netcore-3.1) object.
+However, if you want to send text directly, without needing to encode the string each time, you can wrap the `hybridConnectionStream` object with a [StreamWriter](/dotnet/api/system.io.streamwriter) object.
```csharp // The StreamWriter object only needs to be created once
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/lock-resources.md
@@ -249,13 +249,20 @@ To get all locks for a resource group, use:
Get-AzResourceLock -ResourceGroupName exampleresourcegroup ```
-To delete a lock, use:
+To delete a lock for a resource, use:
```azurepowershell-interactive $lockId = (Get-AzResourceLock -ResourceGroupName exampleresourcegroup -ResourceName examplesite -ResourceType Microsoft.Web/sites).LockId Remove-AzResourceLock -LockId $lockId ```
+To delete a lock for a resource group, use:
+
+```azurepowershell-interactive
+$lockId = (Get-AzResourceLock -ResourceGroupName exampleresourcegroup).LockId
+Remove-AzResourceLock -LockId $lockId
+```
+ ### Azure CLI You lock deployed resources with Azure CLI by using the [az lock create](/cli/azure/lock#az-lock-create) command.
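Review bot: the added resource-group example reads `(Get-AzResourceLock -ResourceGroupName exampleresourcegroup).LockId`, but the text just above describes that same command as the way to get all locks for a resource group, so `$lockId` can be an array of IDs whenever the group or any resource in it carries more than one lock, and `Remove-AzResourceLock -LockId` expects a single ID. Suggest narrowing the lookup with `-LockName` set to the name used when the group lock was created, so the example deletes only the intended lock. Since a lock is a safeguard against accidental deletion or modification, it is also worth a sentence that removing one requires the Microsoft.Authorization/locks/delete action, which the built-in Owner and User Access Administrator roles have and Contributor does not.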
@@ -290,13 +297,20 @@ To get all locks for a resource group, use:
az lock list --resource-group exampleresourcegroup ```
-To delete a lock, use:
+To delete a lock for a resource, use:
```azurecli lockid=$(az lock show --name LockSite --resource-group exampleresourcegroup --resource-type Microsoft.Web/sites --resource-name examplesite --output tsv --query id) az lock delete --ids $lockid ```
+To delete a lock for a resource group, use:
+
+```azurecli
+lockid=$(az lock show --name LockSite --resource-group exampleresourcegroup --output tsv --query id)
+az lock delete --ids $lockid
+```
+ ### REST API You can lock deployed resources with the [REST API for management locks](/rest/api/resources/managementlocks). The REST API enables you to create and delete locks, and retrieve information about existing locks.
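Review bot: the added `az lock show --name LockSite --resource-group exampleresourcegroup` reuses `LockSite`, which the preceding resource-level example uses as the name of the lock on the web site. The group-level lock has to be looked up by the name it was created with, and giving both locks the same name makes the two examples ambiguous; either state that the group lock is expected to have been created with that name or use a placeholder such as `<group-lock-name>`. As with the PowerShell section, a sentence on the Microsoft.Authorization/locks/delete permission needed to run `az lock delete` would help readers who see an authorization error here.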
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/common-deployment-errors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/common-deployment-errors.md
@@ -3,7 +3,7 @@ title: Troubleshoot common deployment errors
description: Describes how to resolve common errors when you deploy resources to Azure using Azure Resource Manager. tags: top-support-issue ms.topic: troubleshooting
-ms.date: 09/09/2020
+ms.date: 01/20/2021
--- # Troubleshoot common Azure deployment errors with Azure Resource Manager
@@ -28,7 +28,7 @@ If you're looking for information about an error code and that information isn't
| DeploymentNameLengthLimitExceeded | The deployment names are limited to 64 characters. | | | DeploymentFailed | The DeploymentFailed error is a general error that doesn't provide the details you need to solve the error. Look in the error details for an error code that provides more information. | [Find error code](#find-error-code) | | DeploymentQuotaExceeded | If you reach the limit of 800 deployments per resource group, delete deployments from the history that are no longer needed. | [Resolve error when deployment count exceeds 800](deployment-quota-exceeded.md) |
-| DeploymentSizeExceeded | Simplify your template to reduce size. | [Resolve template size errors](error-job-size-exceeded.md) |
+| DeploymentJobSizeExceeded | Simplify your template to reduce size. | [Resolve template size errors](error-job-size-exceeded.md) |
| DnsRecordInUse | The DNS record name must be unique. Enter a different name. | | | ImageNotFound | Check VM image settings. | | | InUseSubnetCannotBeDeleted | You might get this error when trying to update a resource, and the request is processed by deleting and creating the resource. Make sure to specify all unchanged values. | [Update resource](/azure/architecture/building-blocks/extending-templates/update-resource) |
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/error-job-size-exceeded https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/error-job-size-exceeded.md
@@ -2,11 +2,11 @@
title: Job size exceeded error description: Describes how to troubleshoot errors when job size or template are too large. ms.topic: troubleshooting
-ms.date: 10/07/2020
+ms.date: 01/19/2021
--- # Resolve errors for job size exceeded
-This article describes how to resolve the **JobSizeExceededException** and **DeploymentSizeExceededException** errors.
+This article describes how to resolve the **JobSizeExceededException** and **DeploymentJobSizeExceededException** errors.
## Symptom
@@ -14,9 +14,12 @@ When deploying a template, you receive an error stating the deployment has excee
## Cause
-You can get this error when the size of your template exceeds 4 MB. The 4-MB limit applies to the final state of the template after it has been expanded for resource definitions that use [copy](copy-resources.md) to create many instances. The final state also includes the resolved values for variables and parameters.
+You get this error when the deployment exceeds one of the allowed limits. Typically, you see this error when either your template or the job that runs the deployment is too large.
-The deployment job also includes metadata about the request. For large templates, the metadata combined with the template can exceed the allowed size for a job.
+The deployment job can't exceed 1 MB. The job includes metadata about the request. For large templates, the metadata combined with the template can exceed the allowed size for a job.
++
+The template can't exceed 4 MB. The 4-MB limit applies to the final state of the template after it has been expanded for resource definitions that use [copy](copy-resources.md) to create many instances. The final state also includes the resolved values for variables and parameters.
Other limits for the template are:
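Review bot: the reworked Cause section now gives both limits (1 MB for the deployment job, 4 MB for the expanded template) but never says which of the two exception names in the title, JobSizeExceededException and DeploymentJobSizeExceededException, corresponds to which limit; add that mapping so a reader holding an error message knows which paragraph and which solution applies. Also check the line that appears as a lone `+` in the diff: if the committed article really contains a stray plus sign rather than a blank line, it will render as text.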
@@ -38,4 +41,4 @@ Try to shorten the length of the names you use for [parameters](template-paramet
## Solution 3 - Use serial copy
-Your second option is to change your copy loop from [parallel to serial processing](copy-resources.md#serial-or-parallel). Use this option only when you suspect the error comes from deploying a large number of resources through copy. This change can significantly increase your deployment time because the resources aren't deployed in parallel.
+Consider changing your copy loop from [parallel to serial processing](copy-resources.md#serial-or-parallel). Use this option only when you suspect the error comes from deploying a large number of resources through copy. This change can significantly increase your deployment time because the resources aren't deployed in parallel.
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/linked-templates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/linked-templates.md
@@ -2,7 +2,7 @@
title: Link templates for deployment description: Describes how to use linked templates in an Azure Resource Manager template (ARM template) to create a modular template solution. Shows how to pass parameters values, specify a parameter file, and dynamically created URLs. ms.topic: conceptual
-ms.date: 12/07/2020
+ms.date: 01/20/2021
--- # Using linked and nested templates when deploying Azure resources
@@ -156,7 +156,7 @@ The following template demonstrates how template expressions are resolved accord
The value of `exampleVar` changes depending on the value of the `scope` property in `expressionEvaluationOptions`. The following table shows the results for both scopes.
-| `expressionEvaluationOptions` scope | Output |
+| Evaluation scope | Output |
| ----- | ------ | | inner | from nested template | | outer (or default) | from parent template |
@@ -271,6 +271,129 @@ The following example deploys a SQL server and retrieves a key vault secret to u
} ```
+Be careful when using secure parameter values in a nested template. If you set the scope to outer, the secure values are stored as plain text in the deployment history. A user viewing the template in the deployment history could see the secure values. Instead use the inner scope or add to the parent template the resources that need secure values.
+
+The following excerpt shows which values are secure and which aren't secure.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "adminUsername": {
+ "type": "string",
+ "metadata": {
+ "description": "Username for the Virtual Machine."
+ }
+ },
+ "adminPasswordOrKey": {
+ "type": "securestring",
+ "metadata": {
+ "description": "SSH Key or password for the Virtual Machine. SSH key is recommended."
+ }
+ }
+ },
+ ...
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2020-06-01",
+ "name": "mainTemplate",
+ "properties": {
+ ...
+ "osProfile": {
+ "computerName": "mainTemplate",
+ "adminUsername": "[parameters('adminUsername')]",
+ "adminPassword": "[parameters('adminPasswordOrKey')]" // Yes, secure because resource is in parent template
+ }
+ }
+ },
+ {
+ "name": "outer",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "outer"
+ },
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2020-06-01",
+ "name": "outer",
+ "properties": {
+ ...
+ "osProfile": {
+ "computerName": "outer",
+ "adminUsername": "[parameters('adminUsername')]",
+ "adminPassword": "[parameters('adminPasswordOrKey')]" // No, not secure because resource is in nested template with outer scope
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "inner",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "adminPasswordOrKey": {
+ "value": "[parameters('adminPasswordOrKey')]"
+ },
+ "adminUsername": {
+ "value": "[parameters('adminUsername')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "adminUsername": {
+ "type": "string",
+ "metadata": {
+ "description": "Username for the Virtual Machine."
+ }
+ },
+ "adminPasswordOrKey": {
+ "type": "securestring",
+ "metadata": {
+ "description": "SSH Key or password for the Virtual Machine. SSH key is recommended."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2020-06-01",
+ "name": "inner",
+ "properties": {
+ ...
+ "osProfile": {
+ "computerName": "inner",
+ "adminUsername": "[parameters('adminUsername')]",
+ "adminPassword": "[parameters('adminPasswordOrKey')]" // Yes, secure because resource is in nested template and scope is inner
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
+```
+ > [!NOTE] > > When scope is set to `outer`, you can't use the `reference` function in the outputs section of a nested template for a resource you have deployed in the nested template. To return the values for a deployed resource in a nested template, either use `inner` scope or convert your nested template to a linked template.
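Review bot: the new warning should say who can read the exposed value and what to do about deployments that already leaked it. Deployment history is readable by anyone holding Microsoft.Resources/deployments/read on the resource group (the built-in Reader role includes it through `*/read`), so a securestring passed into an outer-scoped nested deployment is visible to every reader of the group, not only to people who edit templates, and it stays visible until the affected deployment entry is deleted from the history; a sentence recommending deletion of those entries and rotation of the credential would round the warning out. The mechanism also deserves one sentence next to the excerpt: with `outer` scope the parent evaluates `[parameters('adminPasswordOrKey')]` and the resolved plain string is embedded in the nested template body that gets stored, whereas with `inner` scope the value is handed over through a `parameters` entry that the nested template declares as `securestring` and is therefore redacted. Minor: the excerpt uses `//` comments and `...` inside a ```json fence; ARM template JSON tolerates comments, but plain JSON does not, so either tag the fence `jsonc` or move the Yes/No annotations into prose.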
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/overview.md
@@ -2,7 +2,7 @@
title: Templates overview description: Describes the benefits using Azure Resource Manager templates (ARM templates) for deployment of resources. ms.topic: conceptual
-ms.date: 12/17/2020
+ms.date: 01/20/2021
--- # What are ARM templates?
@@ -121,6 +121,12 @@ If you envision your tiers having separate lifecycles, you can deploy your three
For information about nested templates, see [Using linked templates with Azure Resource Manager](linked-templates.md).
+## Share templates
+
+After creating your template, you may wish to share it with other users in your organization. [Template specs](template-specs.md) enable you to store a template as a resource type. You use role-based access control to manage access to the template spec. Users with read access to the template spec can deploy it, but not change the template.
+
+This approach means you can safely share templates that meet your organization's standards.
+ ## Next steps * For a step-by-step tutorial that guides you through the process of creating a template, see [Tutorial: Create and deploy your first ARM template](template-tutorial-create-first-template.md).
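Review bot: "Users with read access to the template spec can deploy it, but not change the template" needs a qualifier. Read access to the template spec only lets a user reference it in a deployment; the deployment itself is still authorized against the target resource group or subscription, so the user also needs write permission on the resources the template creates. As written, a reader may conclude that granting Reader on a template spec is sufficient to deploy. Suggest: "Users with read access to the template spec can deploy it, subject to their permissions on the target scope, but can't change the template." Also "you may wish to share it" reads better as "you might want to share it".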
backup https://docs.microsoft.com/en-us/azure/backup/backup-azure-vm-file-recovery-troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-vm-file-recovery-troubleshoot.md
@@ -5,164 +5,164 @@ ms.topic: troubleshooting
ms.date: 07/12/2020 ---
-# Troubleshooting issues in file recovery of Azure VM backup
+# Troubleshoot issues in file recovery of an Azure VM backup
-This article provides troubleshooting steps that can help you resolve Azure Backup errors related to issues when recovering files and folders from an Azure VM backup.
+This article provides troubleshooting steps that can help you resolve problems recovering files and folders from an Azure virtual machine (VM) backup.
## Common error messages
-### Exception caught while connecting to target
+This section provides steps to troubleshoot error messages that you might see.
+
+### "Exception caught while connecting to target"
**Possible cause**: The script is unable to access the recovery point.
-**Recommended action**: Check whether the machine fulfills all the [access requirements](https://docs.microsoft.com/azure/backup/backup-azure-restore-files-from-vm#step-4-access-requirements-to-successfully-run-the-script).
+**Recommended action**: To resolve this issue, follow the steps listed in [The script runs but the connection failed](#the-script-runs-but-the-connection-to-the-iscsi-target-failed).
-### The target has already been logged in via an iSCSI session
+### "The target has already been logged in via an iSCSI session"
-**Possible cause**: The script was already executed on the same machine and the drives have been attached.
+**Possible cause**: The script was already run on the same machine and the drives have been attached.
-**Recommended action**: The volumes of the recovery point have already been attached. They may not be mounted with the same drive letters of the original VM. Browse through all the available volumes in the file explorer.
+**Recommended action**: The volumes of the recovery point have already been attached. They can't be mounted with the same drive letters of the original VM. Browse through the available volumes in File Explorer.
-### This script is invalid because the disks have been dismounted via portal/exceeded the 12-hr limit. Download a new script from the portal
+### "This script is invalid because the disks have been dismounted via portal/exceeded the 12-hr limit. Download a new script from the portal"
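Review bot: in the section "The target has already been logged in via an iSCSI session", the recommended action changed from "They may not be mounted with the same drive letters of the original VM" to "They can't be mounted with the same drive letters", which turns a possibility into a guarantee; the volumes can happen to receive the same letters, so "might not be mounted with the same drive letters as the original VM" keeps the original meaning while fixing the grammar. In the preceding section, the recommended action now points only at the later "script runs but the connection failed" section and drops the link to the access requirements; keep the link unless that later section repeats the network, OS and permission requirements in full.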