Updates from: 01/21/2022 02:08:58
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Billing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/billing.md
To change your pricing tier, follow these steps:
1. Select the pricing tier that includes the features you want to enable. ![Screenshot that shows how to select the pricing tier.](media/billing/select-tier.png)-
-> [!NOTE]
-> Currently, Azure AD Premium P1 for Azure AD B2C is the default pricing tier, and it's equivalent to Azure AD Free tier, but it costs money. Therefore, in terms of features, Azure AD Premium P1 license applied to Azure AD tenant, is not equivalent to Azure AD B2C Premium P1 license in a B2C tenant, and the same is true for Premium P2. Hence, you expect that some features available in Azure AD tenant may be missing in Azure AD B2C even when the tenants have Azure AD Premium P2 and Azure AD B2C Premium P2 licenses respectively. For instance, Azure AD Premium P2 offers identity protection in Azure AD B2C tenants, but does not offer other Azure AD Premium P2 features that apply to Azure AD tenants.
+
## Switch to MAU billing (pre-November 2019 Azure AD B2C tenants)
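Review bot: Deleting the note under step 1 removes the only statement in this article that an Azure AD B2C Premium P1/P2 license does not carry the same feature set as Azure AD Premium P1/P2 in a workforce tenant (the removed text's own example: P2 gives Identity Protection in a B2C tenant but not the other P2 features), and nothing is added in its place. If the caveat is being moved, link to its new location from this step; if not, keep a shortened form such as "Features of an Azure AD Premium P2 license in an Azure AD tenant are not all available under an Azure AD B2C Premium P2 license." so readers don't choose a tier from the workforce feature list. The stray "-" fused onto the end of the screenshot line looks like a removed blank line merged into the list item; check that the rendered step still ends cleanly before the "## Switch to MAU billing" heading.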
active-directory-b2c Identity Provider Adfs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/identity-provider-adfs.md
Previously updated : 09/16/2021 Last updated : 01/18/2022
active-directory User Provisioning Sync Attributes For Mapping https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/user-provisioning-sync-attributes-for-mapping.md
Azure Active Directory (Azure AD) must contain all the data (attributes) require
For users only in Azure AD, you can [create schema extensions using PowerShell or Microsoft Graph](#create-an-extension-attribute-on-a-cloud-only-user).
-For users in on-premises Active Directory, you must sync the users to Azure AD. You can sync users and attributes using [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md). Azure AD Connect automatically synchronizes certain attributes to Azure AD, but not all attributes. Furthermore, some attributes (such as SAMAccountName) that are synchronized by default might not be exposed using the Azure AD Graph API. In these cases, you can [use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD](#create-an-extension-attribute-using-azure-ad-connect). That way, the attribute will be visible to the Azure AD Graph API and the Azure AD provisioning service.
+For users in on-premises Active Directory, you must sync the users to Azure AD. You can sync users and attributes using [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md). Azure AD Connect automatically synchronizes certain attributes to Azure AD, but not all attributes. Furthermore, some attributes (such as SAMAccountName) that are synchronized by default might not be exposed using the Graph API. In these cases, you can [use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD](#create-an-extension-attribute-using-azure-ad-connect). That way, the attribute will be visible to the Graph API and the Azure AD provisioning service.
## Create an extension attribute on a cloud only user You can use Microsoft Graph and PowerShell to extend the user schema for users in Azure AD. These extension attributes are automatically discovered in most cases.
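Review bot: Replacing "Azure AD Graph API" with the bare "Graph API" in the new paragraph leaves it ambiguous which API is meant, while the bullet before it and the "Create an extension attribute" heading after it both say "Microsoft Graph". Because Azure AD Graph and Microsoft Graph are different APIs, write the full name in both places on the "+" line: "might not be exposed using the Microsoft Graph API" and "visible to the Microsoft Graph API and the Azure AD provisioning service." That also makes the SAMAccountName example unambiguous for anyone checking which API they need to query to confirm the directory extension is visible.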
active-directory Application Proxy Secure Api Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-proxy/application-proxy-secure-api-access.md
To configure the native app to connect to Azure Active Directory and call the AP
- Paste the **Directory (tenant) ID** in the `<add key="ida:Tenant" value="" />` field. You can find and copy this value (a GUID) from the **Overview** page of either of your apps. -- Paste the AppProxyNativeAppSample **Application (client) ID** in the `<add key="ida:ClientId" value="" />` field. You can find and copy this value (a GUID) from the AppProxyNativeAppSample **Overview** page.
+- Paste the AppProxyNativeAppSample **Application (client) ID** in the `<add key="ida:ClientId" value="" />` field. You can find and copy this value (a GUID) from the AppProxyNativeAppSample's **Overview** page, in the left navigation under **Manage**.
-- Paste the AppProxyNativeAppSample **Redirect URI** in the `<add key="ida:RedirectUri" value="" />` field. You can find and copy this value (a URI) from the AppProxyNativeAppSample **Authentication** page.
+- Paste the AppProxyNativeAppSample **Redirect URI** in the `<add key="ida:RedirectUri" value="" />` field. You can find and copy this value (a URI) from the AppProxyNativeAppSample's **Authentication** page, in the left navigation under **Manage**.
-- Paste the SecretAPI **Application ID URI** in the `<add key="todo:TodoListResourceId" value="" />` field. You can find and copy this value (a URI) from the SecretAPI **Expose an API** page.
+- Paste the SecretAPI **Application ID URI** in the `<add key="todo:TodoListResourceId" value="" />` field. You can find and copy this value (a URI) from the SecretAPI's **Expose an API** page, in the left navigation under **Manage**.
-- Paste the SecretAPI **Home Page URL** in the `<add key="todo:TodoListBaseAddress" value="" />` field. You can find and copy this value (a URL) from the SecretAPI **Branding** page.
+- Paste the SecretAPI **Home Page URL** in the `<add key="todo:TodoListBaseAddress" value="" />` field. You can find and copy this value (a URL) from the SecretAPI's **Branding** page, in the left navigation under **Manage**.
After you configure the parameters, build and run the native app. When you select the **Sign In** button, the app lets you sign in, and then displays a success screen to confirm that it successfully connected to the SecretAPI.
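Review bot: The first bullet in this hunk is now inconsistent with the four below it: the ida:Tenant bullet still reads "from the **Overview** page of either of your apps" with no navigation hint, while every other bullet was rewritten to the possessive form plus "in the left navigation under **Manage**". Either update it the same way ("from either app's **Overview** page") or leave all five in the old form. Before adding "under **Manage**" to the ida:ClientId bullet, verify that the Overview page actually sits in that section of the left navigation in the portal as it does for Authentication, Expose an API and Branding; a wrong navigation hint on the bullet that supplies the client ID is the one most likely to send readers to the wrong place.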
active-directory Howto Mfa Nps Extension https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-mfa-nps-extension.md
When you install the extension, you need the *Tenant ID* and admin credentials f
The NPS server must be able to communicate with the following URLs over ports 80 and 443:
+* *https:\//strongauthenticationservice.auth.microsoft.com*
* *https:\//adnotifications.windowsazure.com* * *https:\//login.microsoftonline.com* * *https:\//credentials.azure.com*
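Review bot: Adding strongauthenticationservice.auth.microsoft.com to the list with no accompanying text means administrators who already allow-listed the previous three endpoints on the NPS server's egress firewall or proxy get no signal that anything changed. Add a sentence above the list (or a note after it) saying the set of endpoints has been extended and existing allow-lists must be updated, and confirm the new endpoint is reached over 443 so the "over ports 80 and 443" statement in the lead-in stays accurate for the whole list. The new entry follows the existing "https:\//" escaping convention, which is fine.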
active-directory Plan Conditional Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/plan-conditional-access.md
Title: Plan an Azure Active Directory Conditional Access Deployment
+ Title: Plan an Azure Active Directory Conditional Access deployment
description: Learn how to design Conditional Access policies and effectively deploy in your organization. Previously updated : 10/16/2020 Last updated : 1/19/2022 --++
Planning your Conditional Access deployment is critical to achieving your organization's access strategy for apps and resources.
-In a mobile-first, cloud-first world, your users access your organization's resources from anywhere using a variety of devices and apps. As a result, focusing on who can access a resource is no longer enough. You also need to consider where the user is, the device being used, the resource being accessed, and more.
+[Azure Active Directory (Azure AD) Conditional Access](overview.md) analyses signals such as user, device, and location to automate decisions and enforce organizational access policies for resources. Conditional Access policies allow you to build conditions that manage security controls that can block access, require multifactor authentication, or restrict the userΓÇÖs session when needed and stay out of the userΓÇÖs way when not.
-Azure Active Directory (Azure AD) Conditional Access analyses signals such as user, device, and location to automate decisions and enforce organizational access policies for resource. You can use Conditional Access policies to apply access controls like Multi-Factor Authentication (MFA). Conditional Access policies allow you to prompt users for MFA when needed for security, and stay out of usersΓÇÖ way when not needed.
+With this evaluation and enforcement, Conditional Access defines the basis of [MicrosoftΓÇÖs Zero Trust security posture management](https://www.microsoft.com/security/business/zero-trust).
![Conditional Access overview](./media/plan-conditional-access/conditional-access-overview-how-it-works.png)
-Microsoft provides standard conditional policies called [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) that ensure a basic level of security. However, your organization may need more flexibility than security defaults offer. You can use Conditional Access to customize security defaults with more granularity and to configure new policies that meet your requirements.
-
-## Learn
-
-Before you begin, make sure you understand how [Conditional Access](overview.md) works and when you should use it.
-
-### Benefits
-
-The benefits of deploying Conditional Access are:
-
-* Increase productivity. Only interrupt users with a sign-in condition like MFA when one or more signals warrants it. Conditional Access policies allow you to control when users are prompted for MFA, when access is blocked, and when they must use a trusted device.
-
-* Manage risk. Automating risk assessment with policy conditions means risky sign-ins are at once identified and remediated or blocked. Coupling Conditional Access with [Identity Protection](../identity-protection/overview-identity-protection.md), which detects anomalies and suspicious events, allows you to target when access to resources is blocked or gated.
-
-* Address compliance and governance. Conditional Access enables you to audit access to applications, present terms of use for consent, and restrict access based on compliance policies.
-
-* Manage cost. Moving access policies to Azure AD reduces the reliance on custom or on-premises solutions for Conditional Access, and their infrastructure costs.
-
-### License requirements
-
-See [Conditional Access license requirements](overview.md).
-
-If additional features are required, you might also need related licenses. For more information, see [Azure Active Directory pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
+Microsoft provides [security defaults](../fundamentals/concept-fundamentals-security-defaults.md) that ensure a basic level of security enabled in tenants that do not have Azure AD Premium. With Conditional Access, you can create policies that provide the same protection as security defaults, but with granularity. Conditional Access and security defaults are not meant to be combined as creating Conditional Access policies will prevent you from enabling security defaults.
### Prerequisites
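Review bot: The new security-defaults sentence on the "+Microsoft provides [security defaults]..." line is ambiguous: "ensure a basic level of security enabled in tenants that do not have Azure AD Premium" can be read as security defaults existing only in non-Premium tenants, whereas the point being made is that tenants without a Premium license (and therefore without Conditional Access) rely on them. Suggest: "Microsoft provides security defaults that ensure a basic level of security and are the option for tenants that do not have Azure AD Premium. With Conditional Access you can create policies that provide the same protection with more granularity." The same hunk deletes the "### License requirements" subsection, which held the only link to Conditional Access license requirements; keep that link, for example as the first Prerequisites bullet, so the licensing prerequisite does not disappear from the plan. Finally, the added lines carry "userΓÇÖs" and "MicrosoftΓÇÖs"; use plain ASCII apostrophes so the text does not depend on the encoding of the editor that produced the curly quote.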
If additional features are required, you might also need related licenses. For m
* An account with Conditional Access administrator privileges.
-* A non-administrator user with a password you know, such as testuser. If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md).
+* A test user (non-administrator) that allows you to verify policies work as expected before you impact real users. If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md).
* A group that the non-administrator user is a member of. If you need to create a group, see [Create a group and add members in Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md).
-### Training resources
-
-The following resources may be useful as you learn about Conditional Access:
--
-#### Videos
-
-* [What is Conditional Access?](https://youtu.be/ffMAw2IVO7A)
-* [How to deploy Conditional Access?](https://youtu.be/c_izIRNJNuk)
-* [How to roll out Conditional Access policies to end users?](https://youtu.be/0_Fze7Zpyvc)
-* [How to include or exclude users from Conditional Access policies](https://youtu.be/5DsW1hB3Jqs)
-* [Conditional Access with device controls](https://youtu.be/NcONUf-jeS4)
-* [Conditional Access with Azure AD MFA](https://youtu.be/Tbc-SU97G-w)
-* [Conditional Access in Enterprise Mobility + Security](https://youtu.be/A7IrxAH87wc)
--
-#### Online courses on PluralSight
-
-* [Design Identity Management in Microsoft Azure](https://www.pluralsight.com/courses/microsoft-azure-identity-management-design)
-* [Design Authentication for Microsoft Azure](https://www.pluralsight.com/courses/microsoft-azure-authentication-design)
-* [Design Authorization for Microsoft Azure](https://www.pluralsight.com/courses/microsoft-azure-authorization-design)
-
-## Plan the deployment project
-
-Consider your organizational needs while you determine the strategy for this deployment in your environment.
-
-### Engage the right stakeholders
-
-When technology projects fail, they typically do so due to mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md) and that project roles are clear.
-
-### Plan communications
-
-Communication is critical to the success of any new service. Proactively communicate with your users how their experience will change, when it will change, and how to gain support if they experience issues.
-
-### Plan a pilot
-
-When new policies are ready for your environment, deploy them in phases in the production environment. First apply a policy to a small set of users in a test environment and verify if the policy behaves as expected. See [Best practices for a pilot](../fundamentals/active-directory-deployment-plans.md).
-
-> [!NOTE]
-> For rolling out new policies not specific to administrators, exclude all administrators. This ensures that administrators can still access the policy and make changes or revoke it if there's a significant impact. Always validate the policy with smaller user groups before you apply to all users.
- ## Understand Conditional Access policy components
-Conditional Access policies are if-then statements: If an assignment is met, then apply these access controls.
-
-When configuring Conditional Access policies, conditions are called *assignments*. Conditional Access policies allow you to enforce access controls on your organizationΓÇÖs apps based on certain assignments.
+Policies answer questions about who should access your resources, what resources they should access, and under what conditions. Policies can be designed to grant access, limit access with session controls, or to block access. You [build a Conditional Access policy](concept-conditional-access-policies.md) by defining the if-then statements: **If an assignment is met, then apply the access controls**.
-For more information, see [Building a Conditional Access policy](concept-conditional-access-policies.md).
+### Ask the right questions
-![create policy screen](media/plan-conditional-access/create-policy.png)
+Here are some common questions about [Assignments and Access Controls](concept-conditional-access-cloud-apps.md). Document the answers to questions for each policy before building it out.
-[Assignments](concept-conditional-access-policies.md#assignments) define the
+**Users or workload identities**
-* [Users and groups](concept-conditional-access-users-groups.md) to be affected by the policy
+* Which users, groups, directory roles and workload identities will be included in or excluded from the policy?
-* [Cloud apps or actions](concept-conditional-access-cloud-apps.md) to which the policy will apply
+* What emergency access accounts or groups should be excluded from policy?
-* [Conditions](concept-conditional-access-conditions.md) under which the policy will apply.
+**Cloud apps or actions**
-[Access controls](concept-conditional-access-policies.md) settings determine how to enforce a policy:
+Will this policy apply to any application, user action, or authentication context? If yes-
-* [Grant or Block](concept-conditional-access-grant.md) access to cloud apps.
+* What application(s) will the policy apply to?
+* What user actions will be subject to this policy?
+* What authentication contexts does this policy will be applied to?
-* [Session controls](concept-conditional-access-session.md) enable limited experiences within specific cloud apps.
-
-### Ask the right questions to build your policies
-
-Policies answer questions about who should access your resources, what resources they should access, and under what conditions. Policies can be designed to grant access, or to block access. Be sure to ask the right questions about what your policy is trying to achieve.
-
-Document the answers to questions for each policy before building it out.
-
-#### Common questions about Assignments
-
-[Users and Groups](concept-conditional-access-users-groups.md)
-
-* Which users and groups will be included in or excluded from the policy?
-
-* Does this policy include all users, specific group of users, directory roles, or external users?
-
-[Cloud apps or actions](concept-conditional-access-cloud-apps.md)
-
-* What application(s) will the policy apply to?
-
-* What user actions will be subject to this policy?
-
-[Conditions](concept-conditional-access-conditions.md)
+**Conditions**
* Which device platforms will be included in or excluded from the policy?
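Review bot: The new bullet "What authentication contexts does this policy will be applied to?" is ungrammatical; write "Which authentication contexts will this policy apply to?". Two smaller fixes in the same block: "If yes-" should end with a colon ("If yes:"), and "excluded from policy" should be "excluded from the policy". The test-user rewrite also leaves a mismatch with the unchanged context bullet that follows it, which still says "A group that the non-administrator user is a member of"; rename it to "A group that the test user is a member of" so both bullets refer to the same account. Lastly, this hunk drops the "Plan a pilot" note that told readers to exclude all administrators while rolling out new policies; the new "What emergency access accounts or groups should be excluded from policy?" question covers part of that, but the advice to keep administrators out of a policy until it has been validated on a small group should survive somewhere in the deployment section.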
Document the answers to questions for each policy before building it out.
* What locations will be included in or excluded from the policy?
-* What client app types (browser, mobile, desktop clients, apps with legacy authentication methods) will be included in or excluded from the policy?
+* What client app types will be included in or excluded from the policy?
-* Do you have policies that would drive excluding Azure AD Joined devices or Hybrid Azure AD joined devices from policies?
+* Do you have policies that would drive excluding Azure AD joined devices or Hybrid Azure AD joined devices from policies?
* If using [Identity Protection](../identity-protection/concept-identity-protection-risks.md), do you want to incorporate sign-in risk protection?
-#### Common questions about access controls
-
-[Grant or Block ](concept-conditional-access-grant.md)
+**Grant or Block**
Do you want to grant access to resources by requiring one or more of the following?
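Review bot: The client-app-types bullet loses its parenthetical "(browser, mobile, desktop clients, apps with legacy authentication methods)" on the "+" line. That list is what tells a planner that clients using legacy authentication are a distinct category they must decide to include or exclude, which is the security-relevant decision behind the question; keep the parenthetical, or at least "including clients that use legacy authentication". The "Azure AD Joined" to "Azure AD joined" casing fix and the bold "**Grant or Block**" label in place of the link are fine.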
Do you want to grant access to resources by requiring one or more of the followi
* Require app protection policy
-[Session control](concept-conditional-access-session.md)
+* Require password change
+
+* Use Terms of Use
+
+**Session control**
Do you want to enforce any of the following access controls on cloud apps?
-* Use app enforced permissions
+* Use app enforced restrictions
-* Use Conditional Access App Control
+* Use Conditional Access App control
* Enforce sign-in frequency * Use persistent browser sessions
+* Customize continuous access evaluation
+ ### Access token issuance
-ItΓÇÖs important to understand how access tokens are issued.
+[Access tokens](../develop/access-tokens.md) grant or deny access based on whether the user making a request has been authorized and authenticated. If the requestor can prove they're who they claim to be, they can access the protected resources or functionality.
![Access token issuance diagram](media/plan-conditional-access/CA-policy-token-issuance.png)
-> [!NOTE]
-> If no assignment is required, and no Conditional Access policy is in effect, that the default behavior is to issue an access token.
+**Access tokens are by default issued if a Conditional Access policy condition does not trigger an access control**.
-For example, consider a policy where:
+This doesnΓÇÖt prevent the app to have separate authorization to block access. For example, consider a policy where:
+
+ * IF user is in finance team, THEN force MFA to access their payroll app.
-IF user is in Group 1, THEN force MFA to access App 1.
+ * IF a user not in finance team attempts to access the payroll app, the user will be issued an access token.
-If a user not in Group 1 attempts to access the app no ΓÇ£ifΓÇÖ condition is met, and a token is issued. To exclude users outside of Group 1 requires a separate policy to block all other users.
+ * To ensure users outside of finance group cannot access the payroll app, a separate policy should be created to block all other users. If all users except for finance team and emergency access accounts group, accessing payroll app, then block access.
## Follow best practices
-The Conditional Access framework provides you with a great configuration flexibility. However, great flexibility also means you should carefully review each configuration policy before releasing it to avoid undesirable results.
+Conditional Access provides you with great configuration flexibility. However, great flexibility also means you should carefully review each configuration policy before releasing it to avoid undesirable results.
-### Apply Conditional Access policies to every app
+### Set up emergency access accounts
-Access tokens are by default issued if a Conditional Access policy condition does not trigger an access control. Ensure that every app has at least one conditional access policy applied
+**If you misconfigure a policy, it can lock the organizations out of the Azure portal**.
-> [!IMPORTANT]
-> Be very careful in using block and all apps in a single policy. This could lock admins out of the Azure Administration Portal, and exclusions cannot be configured for important end-points such as Microsoft Graph.
+Mitigate the impact of accidental administrator lock out by creating two or more [emergency access accounts](../roles/security-emergency-access.md) in your organization. Create a user account dedicated to policy administration and excluded from all your policies.
-### Minimize the number of Conditional Access policies
+### Apply Conditional Access policies to every app
-Creating a policy for each app isn't efficient and leads to complex administration. There can be a maximum of 195 Conditional Access in each Azure AD tenant. We recommend that you analyze your apps and group them into policies that have the same access requirements. For example, if all Microsoft 365 apps or all HR apps have the same requirements for the same users, create a single policy and include all of these apps instead of adding a policy for each app.
+**Ensure that every app has at least one conditional access policy applied**. From a security perspective it is better to create a policy that encompasses All cloud apps and then exclude applications that you do not want the policy to apply to. This ensures you do not need to update Conditional Access policies every time you onboard a new application.
-### Set up emergency access accounts
+> [!IMPORTANT]
+> Be very careful in using block and all apps in a single policy. This could lock admins out of the Azure portal, and exclusions cannot be configured for important endpoints such as Microsoft Graph.
-If you misconfigure a policy, it can lock the organizations out of the Azure portal. Mitigate the impact of accidental administrator lock out by creating two or more [emergency access accounts](../roles/security-emergency-access.md) in your organization.
+### Minimize the number of Conditional Access policies
-* Create a user account dedicated to policy administration and excluded from all your policies.
+Creating a policy for each app isnΓÇÖt efficient and leads to difficult administration. Conditional Access will only apply to the first 195 policies per user. We recommend that you **analyze your apps and group them into applications that have the same resource requirements for the same users**. For example, if all Microsoft 365 apps or all HR apps have the same requirements for the same users, create a single policy and include all the apps to which it applies.
### Set up report-only mode
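Review bot: In the access-token example, the new bullet "IF a user not in finance team attempts to access the payroll app, the user will be issued an access token" states the outcome in a way that hides the actual risk: no policy matched, so the user is neither blocked nor asked for MFA. Suggest "...no policy applies, so the user is issued an access token without MFA." The following bullet, "If all users except for finance team and emergency access accounts group, accessing payroll app, then block access.", is a fragment; write it as a policy statement in the same IF/THEN form as the others: "IF the user is not in the finance group or the emergency access accounts group AND the app is the payroll app, THEN block access." Two further points in the hunk: "This doesn't prevent the app to have separate authorization" should read "from having", and the policy-count sentence changed from "a maximum of 195 Conditional Access [policies] in each Azure AD tenant" to "Conditional Access will only apply to the first 195 policies per user", which describe different limits (a tenant cap versus a per-user evaluation cap), so state which one is meant.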
It can be difficult to predict the number and names of users affected by common
* requiring MFA * implementing sign-in risk policies
-[Report-only mode ](concept-conditional-access-report-only.md) allows administrators to evaluate the impact of Conditional Access policies before enabling them in their environment.
-
-Learn how to [configure report-only mode on a Conditional Access policy](howto-conditional-access-insights-reporting.md).
+[Report-only mode ](concept-conditional-access-report-only.md) allows administrators to evaluate the impact of Conditional Access policies before enabling them in their environment. **First configure your policies in report-only mode and let it run for an interval before enforcing it in your environment**.
### Plan for disruption
-If you rely on a single access control, such as MFA or a network location, to secure your IT systems, you are susceptible to access failures if that single access control becomes unavailable or misconfigured. To reduce the risk of lockout during unforeseen disruptions, [plan strategies](../authentication/concept-resilient-controls.md) to adopt for your organization.
+If you rely on a single access control, such as MFA or a network location, to secure your IT systems, you are susceptible to access failures if that single access control becomes unavailable or misconfigured.
+
+**To reduce the risk of lockout during unforeseen disruptions, [plan strategies](../authentication/concept-resilient-controls.md) to adopt for your organization**.
### Set naming standards for your policies
-The naming standard helps you to find policies and understand their purpose without opening them in the Azure admin portal. We recommend that you name your policy to show:
+**A naming standard helps you to find policies and understand their purpose without opening them in the Azure admin portal**. We recommend that you name your policy to show:
* A Sequence Number
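Review bot: "let it run for an interval before enforcing it" in the new report-only line gives no sense of how long; say what the interval has to cover, namely long enough for the sign-in patterns the policy targets (the MFA prompts and sign-in-risk cases listed in the bullets above) to show up in the sign-in logs. The removed paragraph also carried the link to "configure report-only mode on a Conditional Access policy"; keep it, since after this change the section no longer tells the reader where the mode is switched on. Minor: the link text "[Report-only mode ]" has a trailing space inside the brackets on both the old and the new line.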
A descriptive name helps you to keep an overview of your Conditional Access impl
#### Naming standards for emergency access controls In addition to your active policies, implement disabled policies that act as secondary [resilient access controls in outage or emergency scenarios](../authentication/concept-resilient-controls.md). Your naming standard for the contingency policies should include:+ * ENABLE IN EMERGENCY at the beginning to make the name stand out among the other policies. * The name of disruption it should apply to.
In addition to your active policies, implement disabled policies that act as sec
The following name indicates that this policy is the first of four policies to enable if there's an MFA disruption:
-EM01 - ENABLE IN EMERGENCY: MFA Disruption [1/4] - Exchange SharePoint: Require hybrid Azure AD join For VIP users.
-
-### Exclude countries from which you never expect a sign-in.
-
-Azure active directory allows you to create [named locations](location-condition.md). Create a named location that includes all of the countries from which you would never expect a sign-in to occur. Then create a policy for All apps that blocks sign in from that named location. **Be sure to exempt your administrators from this policy**.
-
-### Plan your policy deployment
+* EM01 - ENABLE IN EMERGENCY: MFA Disruption [1/4] - Exchange SharePoint: Require hybrid Azure AD join For VIP users.
-When new policies are ready for your environment, make sure that you review each policy before releasing it to avoid undesirable results.
+### Block countries from which you never expect a sign-in.
-## Common policies
+Azure active directory allows you to create [named locations](location-condition.md). Create the list of countries that are allowed, and then create a network block policy with these "allowed countries" as an exclusion. This is less overhead for customers who are mainly based in smaller geographic locations.**Be sure to exempt your emergency access accounts from this policy**.
-When planning your Conditional Access policy solution, assess whether you need to create policies to achieve the following outcomes.
+## Deploy Conditional Access policy
-* [Require MFA](#require-mfa)
-* [Respond to potentially compromised accounts](#respond-to-potentially-compromised-accounts)
-* [Require managed devices](#require-managed-devices)
-* [Require approved client applications](#require-approved-client-apps)
-* [Block access](#block-access)
+When new policies are ready, deploy your conditional access policies in phases.
-### Require MFA
+### Build your Conditional Access policy
-Common use cases to require MFA access:
+Refer to common [Conditional Access policies](concept-conditional-access-policy-common.md) for a head start. A convenient way will be to use the Conditional Access template that comes with Microsoft recommendations. Make sure you exclude your emergency access accounts.
-* [By admins](howto-conditional-access-policy-admin-mfa.md)
+### Evaluate the policy impact
-* [To specific apps](../authentication/tutorial-enable-azure-mfa.md)
+Before you see the impact of your Conditional Access policy in your production environment, we recommend that you use the following two tools to run the simulation.
-* [For all users](howto-conditional-access-policy-all-users-mfa.md)
+#### Set up report-only mode
-* [From network locations, you don't trust](untrusted-networks.md)
+By default, each policy is created in report-only mode, we recommended organizations test and monitor usage, to ensure intended result, before turning each policy on.
-* [For Azure Management](howto-conditional-access-policy-azure-management.md)
+[Enable the policy in report-only mode](howto-conditional-access-insights-reporting.md). Once you save the policy in report-only mode, you can see the impact on real-time sign-ins in the sign-in logs. From the sign-in logs, select an event and navigate to the Report-only tab to see the result of each report-only policy.
-### Respond to potentially compromised accounts
+You can view the aggregate impact of your Conditional Access policies in the Insights and Reporting workbook. To access the workbook, you need an Azure Monitor subscription and you will need to [stream your sign-in logs to a log analytics workspace](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) .
-With Conditional Access policies, you can implement automated responses to sign-ins by potentially compromised identities. The probability that an account is compromised is expressed in the form of risk levels. There are two risk levels calculated by Identity Protection: sign-in risk and user risk. The following three default policies that can be enabled.
+#### Simulate sign-ins using the What If tool
-* [Require all users to register for MFA](howto-conditional-access-policy-risk.md)
+Another way to validate your Conditional Access policy is by using the [What If tool](troubleshoot-conditional-access-what-if.md), which simulates which policies would apply to a user signing in under hypothetical circumstances. Select the sign-in attributes you want to test (such as user, application, device platform, and location) and see which policies would apply.
-* [Require a password change for users that are high-risk](howto-conditional-access-policy-risk-user.md)
-
-* [Require MFA for users with medium or high sign-in risk](howto-conditional-access-policy-risk.md)
-
-### Require managed devices
-
-The proliferation of supported devices to access your cloud resources helps to improve the productivity of your users. You probably don't want certain resources in your environment to be accessed by devices with an unknown protection level. For those resources, [require that users can only access them using a managed device](require-managed-devices.md).
-
-### Require approved client apps
-
-Employees use their mobile devices for both personal and work tasks. For BYOD scenarios you must decide whether to manage the entire device or just the data on it. If managing only data and access, you can [require approved cloud apps](app-based-conditional-access.md) that can protect your corporate data. for example, you can require email only be accessed via Outlook mobile, and not via a generic mail program.
-
-### Block access
-
-The option to [block all access](howto-conditional-access-policy-block-access.md) is powerful. It can be used, for example, when you are migrating an app to Azure AD, but are not ready for anyone to sign-in to it yet. Block access:
-
-* Overrides all other assignments for a user
-
-* Has the power to block your entire organization from signing on to your tenant
-
-> [!IMPORTANT]
-> If you create a policy to block access for all users, be sure to exclude emergency access accounts, and consider excluding all administrators, from the policy.
-
-Other common scenarios where you can block access for your users are:
-
-* [Block certain network locations](howto-conditional-access-policy-location.md) to access your cloud apps. You can use this policy to block certain countries where you know traffic shouldn't come from.
-
-* Azure AD supports legacy authentication. However, legacy authentication doesn't support MFA and many environments require it to address identity security. In this case, you can [block apps using legacy authentication ](block-legacy-authentication.md) from accessing your tenant resources.
-
-## Build and test policies
-
-At each stage of your deployment ensure that you're evaluating that results are as expected.
-
-When new policies are ready, deploy them in phases in the production environment:
-
-* Provide internal change communication to end users.
-
-* Start with a small set of users and verify that the policy behaves as expected.
-
-* When you expand a policy to include more users, continue to exclude all administrators. Excluding administrators ensures that someone still has access to a policy if a change is required.
-
-* Apply a policy to all users only after it's thoroughly tested. Ensure you have at least one administrator account to which a policy doesn't apply.
-
-### Create test users
-
-Create a set of test users that reflect the users in your production environment. Creating test users allows you to verify policies work as expected before you impact real users and potentially disrupt their access to apps and resources.
+> [!NOTE]
+> While a simulated run gives you a good idea of the impact a Conditional Access policy has, it does not replace an actual test run.
-Some organizations have test tenants for this purpose. However, it can be difficult to recreate all conditions and apps in a test tenant to fully test the outcome of a policy.
+### Test your policy
-### Create a test plan
+**Ensure you test the exclusion criteria of a policy**. For example, you may exclude a user or group from a policy that requires MFA. Test if the excluded users are prompted for MFA, because the combination of other policies might require MFA for those users.
-The test plan is important to have a comparison between the expected results and the actual results. You should always have an expectation before testing something. The following table outlines example test cases. Adjust the scenarios and expected results based on how your Conditional Access policies are configured.
+Perform each test in your test plan with test users. The test plan is important to have a comparison between the expected results and the actual results. The following table outlines example test cases. Adjust the scenarios and expected results based on how your Conditional Access policies are configured.
| Policy| Scenario| Expected Result | | - | - | - |
-| [Require MFA when not at work](untrusted-networks.md)| Authorized user signs into App while on a trusted location / work| User is not prompted to MFA |
-| [Require MFA when not at work](untrusted-networks.md)| Authorized user signs into App while not on a trusted location / work| User is prompted to MFA and can sign in successfully |
-| [Require MFA (for admin)](../fundamentals/concept-fundamentals-security-defaults.md)| Global Admin signs into App| Admin is prompted to MFA |
-| [Risky sign-ins](../identity-protection/howto-identity-protection-configure-risk-policies.md)| User signs into App using an unapproved browser| Admin is prompted to MFA |
-| [Device management](require-managed-devices.md)| Authorized user attempts to sign in from an authorized device| Access Granted |
+| [Risky sign-ins](../identity-protection/howto-identity-protection-configure-risk-policies.md)| User signs into App using an unapproved browser| Calculates a risk score based on the probability that the sign-in wasn't performed by the user. Requires user to self-remediate using MFA |
+| [Device management](require-managed-devices.md)| Authorized user attempts to sign in from an authorized device| Access granted |
| [Device management](require-managed-devices.md)| Authorized user attempts to sign in from an unauthorized device| Access blocked | | [Password change for risky users](../identity-protection/howto-identity-protection-configure-risk-policies.md)| Authorized user attempts to sign in with compromised credentials (high risk sign in)| User is prompted to change password or access is blocked based on your policy | -
-### Configure the test policy
-
-In the [Azure portal](https://portal.azure.com/), you configure Conditional Access policies under Azure Active Directory > Security > Conditional Access.
-
-If you want to learn more about how to create Conditional Access policies, see this example: [Conditional Access policy to prompt for MFA when a user signs in to the Azure portal](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json). This quickstart helps you to:
-
-* Become familiar with the user interface
-
-* Get a first impression of how Conditional Access works
-
-### Enable the policy in report-only mode
-
-To assess the impact of your policy, start by enabling the policy in [report-only mode](concept-conditional-access-report-only.md). Report-only policies are evaluated during sign-in but grant controls and session controls aren't enforced. Once you save the policy in report-only mode, you can see the impact on real-time sign-ins in the sign-in logs. From the sign-in logs, select an event and navigate to the Report-only tab to see the result of each report-only policy.
--
-![report only mode ](media/plan-conditional-access/report-only-mode.png)
-
-Selecting the policy, you can also see how the assignments and access controls of the policy were evaluated using the Policy details screen. In order for a policy to apply to a sign-in, each of the configured assignments must be satisfied.
-
-### Understand the impact of your policies using the Insights and Reporting workbook
-
-You can view the aggregate impact of your Conditional Access policies in the Insights and Reporting workbook. To access the workbook, you need an Azure Monitor subscription and you will need to [stream your Sign-in logs to a Log Analytics workspace](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).
-
-### Simulate sign-ins using the what-if tool
-
-Another way to validate your Conditional Access policy is by using the [what-if tool](troubleshoot-conditional-access-what-if.md), which simulates which policies would apply to a user signing in under hypothetical circumstances. Select the sign-in attributes you want to test (such as user, application, device platform, and location) and see which policies would apply.
-
-> [!NOTE]
-> While a simulated run gives you a good idea of the impact a Conditional Access policy has, it does not replace an actual test run.
-
-### Test your policy
-
-Perform each test in your test plan with test users.
-
-**Ensure you test the exclusion criteria of a policy**. For example, you may exclude a user or group from a policy that requires MFA. Test if the excluded users are prompted for MFA, because the combination of other policies might require MFA for those users.
+### Deploy in production
+After confirming impact using **report-only mode**, an administrator can move the **Enable policy** toggle from **Report-only** to **On**.
### Roll back policies
In case you need to roll back your newly implemented policies, use one or more o
* **Disable the policy.** Disabling a policy makes sure it does not apply when a user tries to sign in. You can always come back and enable the policy when you would like to use it.
-![enable policy image](media/plan-conditional-access/enable-policy.png)
+ ![enable policy image](media/plan-conditional-access/enable-policy.png)
* **Exclude a user or group from a policy.** If a user is unable to access the app, you can choose to exclude the user from the policy.
-![exclude users and groups](media/plan-conditional-access/exclude-users-groups.png)
+ ![exclude users and groups](media/plan-conditional-access/exclude-users-groups.png)
> [!NOTE] > This option should be used sparingly, only in situations where the user is trusted. The user should be added back into the policy or group as soon as possible. * **Delete the policy.** If the policy is no longer required, [delete](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json) it.
-## Manage access to cloud apps
-
-Use the following Manage options to control and manage your Conditional Access policies:
-
-![Screenshot shows the MANAGE options for C A policies, including Named locations, Custom controls, Terms of use, V P N connectivity, and the selected Classic policies.](media/plan-conditional-access/manage-access.png)
--
-### Named locations
-
-The location condition of a Conditional Access policy enables you to tie access controls settings to the network locations of your users. With [Named Locations](location-condition.md), you can create logical groupings of IP address ranges or countries and regions.
-
-### Custom controls
-
-[Custom controls](controls.md) redirect your users to a compatible service to satisfy authentication requirements outside of Azure AD. To satisfy this control, a user's browser is redirected to the external service, performs any required authentication, and is then redirected back to Azure AD. Azure AD verifies the response and, if the user was successfully authenticated or validated, the user continues in the Conditional Access flow.
-
-### Terms of use
-
-Before accessing certain cloud apps in your environment, you can get consent from the users by them accepting your Terms of use (ToU). Follow this [Quickstart to create Terms of Use](require-tou.md).
-
-## Troubleshoot Conditional Access
+## Troubleshoot Conditional Access policy
When a user is having an issue with a Conditional Access policy, collect the following information to facilitate troubleshooting.
-* User principle Name
+* User Principle Name
* User display name
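Review bot: the deleted `> [!IMPORTANT]` callout ("If you create a policy to block access for all users, be sure to exclude emergency access accounts, and consider excluding all administrators") is not reintroduced anywhere in this hunk, and neither is the phased-rollout bullet "Ensure you have at least one administrator account to which a policy doesn't apply"; if the Block access section has moved to another article, link it from "Deploy in production" or "Roll back policies", otherwise restore the emergency-access exclusion, since the rollback guidance that survives (disable the policy, exclude a user) assumes an administrator who can still sign in. Separately, changing "User principle Name" to "User Principle Name" in the troubleshooting list fixes the capitalization but keeps the misspelling: the attribute is the user principal name (UPN), so the bullet should read "User principal name".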
active-directory Sample V2 Code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/sample-v2-code.md
The following samples show how to protect a web API with the Microsoft identity
## Desktop
-The following samples show public client desktop applications that access the Microsoft Graph API, or your own web API in the name of the user. Apart from the _Desktop (Console) with Workspace Application Manager (WAM)_ sample, all these client applications use the Microsoft Authentication Library (MSAL).
+The following samples show public client desktop applications that access the Microsoft Graph API, or your own web API in the name of the user. Apart from the _Desktop (Console) with Web Authentication Manager (WAM)_ sample, all these client applications use the Microsoft Authentication Library (MSAL).
> [!div class="mx-tdCol2BreakAll"] > | Language/<br/>Platform | Code sample(s) <br/> on GitHub | Auth<br/> libraries | Auth flow |
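Review bot: the expansion of WAM is still wrong after this edit: "Web Authentication Manager" replaces "Workspace Application Manager", but the Windows broker that MSAL integrates with is the Web Account Manager, so the sample name should read _Desktop (Console) with Web Account Manager (WAM)_ and match the sample's title in the table that follows.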
active-directory V2 Oauth2 Auth Code Flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-oauth2-auth-code-flow.md
The `spa` redirect type is backwards compatible with the implicit flow. Apps cur
If you attempt to use the authorization code flow and see this error:
-`access to XMLHttpRequest at 'https://login.microsoftonline.com/common/v2.0/oauth2/token' from origin 'yourApp.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.`
+`access to XMLHttpRequest at 'https://login.microsoftonline.com/common/oauth2/v2.0/token' from origin 'yourApp.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.`
Then, visit your app registration and update the redirect URI for your app to type `spa`.
active-directory Active Directory Data Storage Eu https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-data-storage-eu.md
Previously updated : 01/12/2022 Last updated : 01/20/2022
For more information about what user information is collected by Azure Multi-Fac
If a customer creates a new enterprise application (whether through Azure AD Gallery or non-Gallery) and enables password-based SSO, the Application sign in URL, and custom capture sign in fields are stored in the United States. For more information, see [Configure password-based single sign-on](../manage-apps/configure-password-single-sign-on-non-gallery-applications.md)
-## Microsoft Azure Active Directory B2C (Azure AD B2C)
-
-Azure AD B2C policy configuration data and Key Containers are stored in U.S. datacenters, which do not contain any user personal data. For more info about policy configurations, see the [Azure Active Directory B2C: Built-in policies](../../active-directory-b2c/user-flow-overview.md) article.
- ## Microsoft Azure Active Directory B2B (Azure AD B2B) Azure AD B2B stores invitations with redeem link and redirect URL information in US datacenters. In addition, email address of users that unsubscribe from receiving B2B invitations are also stored in U.S. datacenters.
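Review bot: deleting the "Microsoft Azure Active Directory B2C (Azure AD B2C)" section silently drops the statement that B2C policy configuration data and key containers are stored in U.S. datacenters, with no replacement text. For a data-residency article that is a substantive change rather than a cleanup: if the storage location for Azure AD B2C has changed, say so or link to where it is now documented; if the section was removed only because it duplicates the B2C docs, keep a one-line pointer so a reader checking EU residency does not conclude that B2C data stays in the EU. The removed line that precedes "## Microsoft Azure Active Directory B2B" also looks like the blank line separating the two sections; keep a blank line before the B2B heading.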
active-directory Custom Security Attributes Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/custom-security-attributes-overview.md
Previously updated : 11/16/2021 Last updated : 01/14/2022
Azure AD provides built-in roles to work with custom security attributes. The At
> [!IMPORTANT] > By default, [Global Administrator](../roles/permissions-reference.md#global-administrator) and other administrator roles do not have permissions to read, define, or assign custom security attributes.
+## Graph Explorer
+
+If you use the Microsoft Graph API, you can use [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) to more easily try the Microsoft Graph APIs for custom security attributes. For more information, see [Overview of custom security attributes using the Microsoft Graph API](/graph/api/resources/custom-security-attributes-overview).
+
+![Screenshot that shows a Microsoft Graph API call for custom security attributes.](./media/custom-security-attributes-overview/graph-explorer-success.png)
+ ## Known issues Here are some of the known issues with custom security attributes:
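Review bot: the new "Graph Explorer" section says nothing about what the call needs in order to succeed, even though the `[!IMPORTANT]` callout directly above it states that Global Administrator and other administrator roles have no permission to read, define, or assign custom security attributes by default. Add a sentence before the screenshot saying that the signed-in user must consent to the custom security attribute Graph permissions in Graph Explorer and must hold one of the custom security attribute roles, and link the "Symptom - Insufficient privileges when using Graph Explorer" section added to the troubleshooting article in this same change, so a reader who hits the 403 shown there knows where to look.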
active-directory Custom Security Attributes Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/custom-security-attributes-troubleshoot.md
Previously updated : 11/16/2021 Last updated : 01/14/2022
When you try to add an eligible Azure AD role assignment using [Azure AD Privile
PIM currently does not support adding an eligible Azure AD role assignment at an attribute set scope.
+## Symptom - Insufficient privileges when using Graph Explorer
+
+When you try to use [Graph Explorer](/graph/graph-explorer/graph-explorer-overview) to call Microsoft Graph APIs for custom security attributes, you see a message similar to the following:
+
+```
+Forbidden - 403. You need to consent to the permissions on the Modify permissions (Preview) tab
+Authorization_RequestDenied
+Insufficient privileges to complete the operation.
+```
+
+![Screenshot of Graph Explorer displaying an insufficient privileges error message.](./media/custom-security-attributes-troubleshoot/graph-explorer-insufficient-privileges.png)
+
+**Cause 1**
+
+You have not consented to the required custom security attribute permissions to make the API call.
+
+**Solution 1**
+
+Open the Permissions panel, select the appropriate custom security attribute permission, and click **Consent**. In the Permissions requested window that appears, review the requested permissions.
+
+![Screenshot of Graph Explorer Permissions panel with CustomSecAttributeDefinition selected.](./media/custom-security-attributes-troubleshoot/graph-explorer-permissions-consent.png)
+
+**Cause 2**
+
+You are not assigned the required custom security attribute role to make the API call. By default, [Global Administrator](../roles/permissions-reference.md#global-administrator) and other administrator roles do not have permissions to read, define, or assign custom security attributes.
+
+**Solution 2**
+
+Make sure that you are assigned the required custom security attribute role. For more information, see [Manage access to custom security attributes in Azure AD](custom-security-attributes-manage.md).
## Next steps
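Review bot: Solution 1 tells the reader to "select the appropriate custom security attribute permission" without naming one, while the screenshot alt text shows CustomSecAttributeDefinition selected; name the permission in the text (and the corresponding assignment permission for assignment calls) so the step is usable without the image. The relationship between the two causes also needs a sentence: as presented, the 403 text is identical for both, and consenting to the permission (Solution 1) does not help while the role assignment (Cause 2) is missing, so tell the reader that both conditions must hold and to check the role assignment first. Minor: "click **Consent**" should be "select **Consent**".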
active-directory Whats New Archive https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new-archive.md
Previously updated : 12/06/2021 Last updated : 1/20/2022
The What's new in Azure Active Directory? release notes provide information abou
+## June 2021
+
+### Context panes to display risk details in Identity Protection Reports
+
+**Type:** Plan for change
+**Service category:** Identity Protection
+**Product capability:** Identity Security & Protection
+
+For the Risky users, Risky sign-ins, and Risk detections reports in Identity Protection, the risk details of a selected entry will be shown in a context pane appearing from the right of the page July 2021. The change only impacts the user interface and won't affect any existing functionalities. To learn more about the functionality of these features, refer to [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md).
+
++
+### Public preview - create Azure AD access reviews of Service Principals that are assigned to privileged roles
+
+**Type:** New feature
+**Service category:** Access Reviews
+**Product capability:** Identity Governance
+
+ You can use Azure AD access reviews to review service principal's access to privileged Azure AD and Azure resource roles. [Learn more](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md#create-access-reviews).
+
++
+### Public preview - group owners in Azure AD can create and manage Azure AD access reviews for their groups
+
+**Type:** New feature
+**Service category:** Access Reviews
+**Product capability:** Identity Governance
+
+Now group owners in Azure AD can create and manage Azure AD access reviews on their groups. This ability can be enabled by tenant administrators through Azure AD access review settings and is disabled by default. [Learn more](../governance/create-access-review.md#allow-group-owners-to-create-and-manage-access-reviews-of-their-groups-preview).
+
++
+### Public preview - customers can scope access reviews of privileged roles to just users with eligible or active access
+
+**Type:** New feature
+**Service category:** Access Reviews
+**Product capability:** Identity Governance
+
+When admins create access reviews of assignments to privileged roles, they can scope the reviews to only eligibly assigned users or only actively assigned users. [Learn more](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md).
+
++
+### Public preview - Microsoft Graph APIs for Mobility (MDM/MAM) management policies
+
+**Type:** New feature
+**Service category:** Other
+**Product capability:** Device Lifecycle Management
+
+Microsoft Graph support for the Mobility (MDM/MAM) configuration in Azure AD is in public preview. Administrators can configure user scope and URLs for MDM applications like Intune using Microsoft Graph v1.0. For more information, see [mobilityManagementPolicy resource type](/graph/api/resources/mobilitymanagementpolicy?view=graph-rest-beta&preserve-view=true)
+++
+### General availability - Custom questions in access package request flow in Azure Active Directory entitlement management
+
+**Type:** New feature
+**Service category:** User Access Management
+**Product capability:** Entitlement Management
+
+Azure AD entitlement management now supports the creation of custom questions in the access package request flow. This feature allows you to configure custom questions in the access package policy. These questions are shown to requestors who can input their answers as part of the access request process. These answers will be displayed to approvers, giving them helpful information that empowers them to make better decisions on the access request. [Learn more](../governance/entitlement-management-access-package-create.md).
+++
+### General availability - Multi-geo SharePoint sites as resources in Entitlement Management Access Packages
+
+**Type:** New feature
+**Service category:** User Access Management
+**Product capability:** Entitlement Management
+
+Access packages in Entitlement Management now support multi-geo SharePoint sites for customers who use the multi-geo capabilities in SharePoint Online. [Learn more](../governance/entitlement-management-catalog-create.md#add-a-multi-geo-sharepoint-site).
+
++
+### General availability - Knowledge Admin and Knowledge Manager built-in roles
+
+**Type:** New feature
+**Service category:** RBAC
+**Product capability:** Access Control
+
+Two new roles, Knowledge Administrator and Knowledge Manager are now in general availability.
+
+- Users in the Knowledge Administrator role have full access to all Organizational knowledge settings in the Microsoft 365 admin center. They can create and manage content, like topics and acronyms. Additionally, these users can create content centers, monitor service health, and create service requests. [Learn more](../roles/permissions-reference.md#knowledge-administrator)
+- Users in the Knowledge Manager role can create and manage content and are primarily responsible for the quality and structure of knowledge. They have full rights to topic management actions to confirm a topic, approve edits, or delete a topic. This role can also manage taxonomies as part of the term store management tool and create content centers. [Learn more](../roles/permissions-reference.md#knowledge-manager).
+++
+### General availability - Cloud App Security Administrator built-in role
+
+**Type:** New feature
+**Service category:** RBAC
+**Product capability:** Access Control
+
+ Users with this role have full permissions in Cloud App Security. They can add administrators, add Microsoft Cloud App Security (MCAS) policies and settings, upload logs, and do governance actions. [Learn more](../roles/permissions-reference.md#cloud-app-security-administrator).
+
++
+### General availability - Windows Update Deployment Administrator
+
+**Type:** New feature
+**Service category:** RBAC
+**Product capability:** Access Control
+
+
+ Users in this role can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. The deployment service enables users to define settings for when and how updates are deployed. Also, users can specify which updates are offered to groups of devices in their tenant. It also allows users to monitor the update progress. [Learn more](../roles/permissions-reference.md#windows-update-deployment-administrator).
+
++
+### General availability - multi-camera support for Windows Hello
+
+**Type:** New feature
+**Service category:** Authentications (Logins)
+**Product capability:** User Authentication
+
+Now with the Windows 10 21H1 update, Windows Hello supports multiple cameras. The update includes defaults to use the external camera when both built-in and outside cameras are present. [Learn more](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103).
++
+
+### General availability - Access Reviews MS Graph APIs now in v1.0
+
+**Type:** New feature
+**Service category:** Access Reviews
+**Product capability:** Identity Governance
+
+Azure Active Directory access reviews MS Graph APIs are now in v1.0 support fully configurable access reviews features. [Learn more](/graph/api/resources/accessreviewsv2-overview?view=graph-rest-1.0&preserve-view=true).
+
++
+### New provisioning connectors in the Azure AD Application Gallery - June 2021
+
+**Type:** New feature
+**Service category:** App Provisioning
+**Product capability:** 3rd Party Integration
+
+You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
+
+- [askSpoke](../saas-apps/askspoke-provisioning-tutorial.md)
+- [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-provisioning-tutorial.md)
+- [CheckProof](../saas-apps/checkproof-provisioning-tutorial.md)
+- [GoLinks](../saas-apps/golinks-provisioning-tutorial.md)
+- [Holmes Cloud](../saas-apps/holmes-cloud-provisioning-tutorial.md)
+- [H5mag](../saas-apps/h5mag-provisioning-tutorial.md)
+- [LimbleCMMS](../saas-apps/limblecmms-provisioning-tutorial.md)
+- [LogMeIn](../saas-apps/logmein-provisioning-tutorial.md)
+- [SECURE DELIVER](../saas-apps/secure-deliver-provisioning-tutorial.md)
+- [Sigma Computing](../saas-apps/sigma-computing-provisioning-tutorial.md)
+- [Smallstep SSH](../saas-apps/smallstep-ssh-provisioning-tutorial.md)
+- [Tribeloo](../saas-apps/tribeloo-provisioning-tutorial.md)
+- [Twingate](../saas-apps/twingate-provisioning-tutorial.md)
+
+For more information, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
+
++
+### New Federated Apps available in Azure AD Application gallery - June 2021
+
+**Type:** New feature
+**Service category:** Enterprise Apps
+**Product capability:** 3rd Party Integration
+
+In June 2021, we have added following 42 new applications in our App gallery with Federation support
+
+[Taksel](https://help.ubuntu.com/community/Tasksel), [IDrive360](../saas-apps/idrive360-tutorial.md), [VIDA](../saas-apps/vida-tutorial.md), [ProProfs Classroom](../saas-apps/proprofs-classroom-tutorial.md), [WAN-Sign](../saas-apps/wan-sign-tutorial.md), [Citrix Cloud SAML SSO](../saas-apps/citrix-cloud-saml-sso-tutorial.md), [Fabric](../saas-apps/fabric-tutorial.md), [DssAD](https://cloudlicensing.deepseedsolutions.com/), [RICOH Creative Collaboration RICC](https://www.ricoh-europe.com/products/software-apps/collaboration-board-software/ricc/), [Styleflow](../saas-apps/styleflow-tutorial.md), [Chaos](https://accounts.chaosgroup.com/corporate_login), [Traced Connector](https://control.traced.app/signup), [Squarespace](https://account.squarespace.com/org/azure), [MX3 Diagnostics Connector](https://mx3www.playground.dynuddns.com/signin-oidc), [Ten Spot](https://tenspot.co/api/v1/sso/azure/login/), [Finvari](../saas-apps/finvari-tutorial.md), [Mobile4ERP](https://play.google.com/store/apps/details?id=com.negevsoft.mobile4erp), [WalkMe US OpenID Connect](https://www.walkme.com/), [Neustar UltraDNS](../saas-apps/neustar-ultradns-tutorial.md), [cloudtamer.io](../saas-apps/cloudtamer-io-tutorial.md), [A Cloud Guru](../saas-apps/a-cloud-guru-tutorial.md), [PetroVue](../saas-apps/petrovue-tutorial.md), [Postman](../saas-apps/postman-tutorial.md), [ReadCube Papers](../saas-apps/readcube-papers-tutorial.md), [Peklostroj](https://app.peklostroj.cz/), [SynCloud](https://onboard.syncloud.io/), [Polymerhq.io](https://www.polymerhq.io/), [Bonos](../saas-apps/bonos-tutorial.md), [Astra Schedule](../saas-apps/astra-schedule-tutorial.md), [Draup](../saas-apps/draup-inc-tutorial.md), [Inc](../saas-apps/draup-inc-tutorial.md), [Applied Mental Health](../saas-apps/applied-mental-health-tutorial.md), [iHASCO Training](../saas-apps/ihasco-training-tutorial.md), [Nexsure](../saas-apps/nexsure-tutorial.md), [XEOX](https://login.xeox.com/), 
[Plandisc](https://create.plandisc.com/account/logon), [foundU](../saas-apps/foundu-tutorial.md), [Standard for Success Accreditation](../saas-apps/standard-for-success-accreditation-tutorial.md), [Penji Teams](https://web.penjiapp.com/), [CheckPoint Infinity Portal](../saas-apps/checkpoint-infinity-portal-tutorial.md), [Teamgo](../saas-apps/teamgo-tutorial.md), [Hopsworks.ai](../saas-apps/hopsworks-ai-tutorial.md), [HoloMeeting 2](https://backend2.holomeeting.io/)
+
+You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial
+
+For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest
+
++
+### Device code flow now includes an app verification prompt
+
+**Type:** Changed feature
+**Service category:** Authentications (Logins)
+**Product capability:** User Authentication
+
+The [device code flow](../develop/v2-oauth2-device-code.md) has been updated to include one extra user prompt. While signing in, the user will see a prompt asking them to validate the app they're signing into. The prompt ensures that they aren't subject to a phishing attack. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).
+
++
+### User last sign-in date and time is now available on Azure portal
+
+**Type:** Changed feature
+**Service category:** User Management
+**Product capability:** User Management
+
+You can now view your users' last sign-in date and time stamp on the Azure portal. The information is available for each user on the user profile page. This information helps you identify inactive users and effectively manage risky events. [Learn more](./active-directory-users-profile-azure-portal.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context).
+
++
+### MIM BHOLD Suite impact of end of support for Microsoft Silverlight
+
+**Type:** Changed feature
+**Service category:** Microsoft Identity Manager
+**Product capability:** Identity Governance
+
+Microsoft Silverlight will reach its end of support on October 12, 2021. This change only impacts customers using the Microsoft BHOLD Suite, and doesn't impact other Microsoft Identity Manager scenarios. For more information, see [Silverlight End of Support](https://support.microsoft.com/windows/silverlight-end-of-support-0a3be3c7-bead-e203-2dfd-74f0a64f1788).
+
+Users who haven't installed Microsoft Silverlight in their browser can't use the BHOLD Suite modules which require Silverlight. This includes the BHOLD Model Generator, BHOLD FIM Self-service integration, and BHOLD Analytics. Customers with an existing BHOLD deployment of one or more of those modules should plan to uninstall those modules from their BHOLD server computers by October 2021. Also, they should plan to uninstall Silverlight from any user computers that were previously interacting with that BHOLD deployment.
+
++
+### My* experiences: End of support for Internet Explorer 11
+
+**Type:** Deprecated
+**Service category:** My Apps
+**Product capability:** End User Experiences
+
+
+Microsoft 365 and other apps are ending support for Internet Explorer 11 on August 21, 2021, and this includes the My* experiences. The My*s accessed via Internet Explorer won't receive bug fixes or any updates, which may lead to issues. These dates are being driven by the Edge team and may be subject to change. [Learn more](https://blogs.windows.com/windowsexperience/2021/05/19/the-future-of-internet-explorer-on-windows-10-is-in-microsoft-edge/).
+
++
+### Planned deprecation - Malware linked IP address detection in Identity Protection
+
+**Type:** Deprecated
+**Service category:** Identity Protection
+**Product capability:** Identity Security & Protection
+
+Starting October 1, 2021, Azure AD Identity Protection will no longer generate the "Malware linked IP address" detection. No action is required and customers will remain protected by the other detections provided by Identity Protection. To learn more about protection policies, refer to [Identity Protection policies](../identity-protection/concept-identity-protection-policies.md).
+
++ ## May 2021 ### Public preview - Azure AD verifiable credentials
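Review bot: the final line of this added block runs the added blank line, the `## May 2021` heading and the `### Public preview - Azure AD verifiable credentials` heading together on one line; in the source each heading should sit on its own line with a blank line before it, as the other entries added here (`### MIM BHOLD Suite impact...`, `### My* experiences...`, `### Planned deprecation...`) do. Two smaller points in the same block: the My* experiences entry has two consecutive blank lines after its metadata where every other entry uses one, and "The My*s accessed via Internet Explorer" would read better as "The My* experiences accessed via Internet Explorer".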
Users will no longer be limited to create security and Microsoft 365 groups only
-### Public preview - External Identities Self-Service Sign-up in AAD using Email One-Time Passcode accounts
+### Public preview - External Identities Self-Service Sign-up in Azure AD using Email One-Time Passcode accounts
**Type:** New feature **Service category:** B2B
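Review bot: renaming the heading from "in AAD" to "in Azure AD" changes the auto-generated anchor for this section, so any existing link to the old `...-in-aad-using-email-one-time-passcode-accounts` fragment will silently land at the top of the page; the same applies to every other heading renamed in this patch (the multifactor authentication headings further down). Check inbound links and TOC entries for the old fragments before merging.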
With this new capability, connector groups can be assigned to the closest region
-### Public preview - External Identities Self-Service Sign-up in AAD using Email One-Time Passcode accounts
+### Public preview - External Identities Self-Service Sign-up in Azure AD using Email One-Time Passcode accounts
**Type:** New feature **Service category:** B2B
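Review bot: this is the second entry in the file with exactly this heading (the same rename appears above, after the "Users will no longer be limited..." context line), so after the change the page carries two identical headings and their generated anchors will collide or be suffixed. The surrounding context differs, so these look like two separate monthly entries; confirm both are intended and, if so, consider distinguishing the heading text so each section has a unique anchor.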
External users will now be able to use Email One-Time Passcode accounts to sign
**Service category:** Authentications (Logins) **Product capability:** Monitoring & Reporting
-AD FS sign-in activity can now be integrated with Azure AD activity reporting, providing a unified view of hybrid identity infrastructure. Using the Azure AD Sign-Ins report, Log Analytics, and Azure Monitor Workbooks, it's possible to do in-depth analysis for both AAD and AD FS sign-in scenarios such as AD FS account lockouts, bad password attempts, and spikes of unexpected sign-in attempts.
+AD FS sign-in activity can now be integrated with Azure AD activity reporting, providing a unified view of hybrid identity infrastructure. Using the Azure AD Sign-Ins report, Log Analytics, and Azure Monitor Workbooks, it's possible to do in-depth analysis for both Azure AD and AD FS sign-in scenarios such as AD FS account lockouts, bad password attempts, and spikes of unexpected sign-in attempts.
To learn more, visit [AD FS sign-ins in Azure AD with Connect Health](../hybrid/how-to-connect-health-ad-fs-sign-in.md).
Users can now create their own groupings of apps on the My Apps app launcher. Th
**Service category:** Microsoft Authenticator App **Product capability:** Identity Security & Protection
-Microsoft Authenticator provides multi-factor authentication (MFA) and account management capabilities, and now also will autofill passwords on sites and apps users visit on their mobile (iOS and Android).
+Microsoft Authenticator provides multifactor authentication and account management capabilities, and now also will autofill passwords on sites and apps users visit on their mobile (iOS and Android).
To use autofill on Authenticator, users need to add their personal Microsoft account to Authenticator and use it to sync their passwords. Work or school accounts cannot be used to sync passwords at this time. [Learn more](../user-help/user-help-auth-app-faq.md#autofill-for-it-admins).
For more information, read [Automate user provisioning to SaaS applications with
-### New Company Branding in multi-factor authentication (MFA)/SSPR Combined Registration
+### New Company Branding in multifactor authentication (MFA)/SSPR Combined Registration
**Type:** Changed feature **Service category:** User Experience and Management **Product capability:** End User Experiences
-In the past, company logos weren't used on Azure Active Directory sign-in pages. Company branding is now located to the top left of multi-factor authentication (MFA)/SSPR Combined Registration. Company branding is also included on My Sign-Ins and the Security Info page. [Learn more](../fundamentals/customize-branding.md).
+In the past, company logos weren't used on Azure Active Directory sign-in pages. Company branding is now located to the top left of multifactor authentication (MFA)/SSPR Combined Registration. Company branding is also included on My Sign-Ins and the Security Info page. [Learn more](../fundamentals/customize-branding.md).
B2C Phone Sign-up and Sign-in using Built-in Policy enable IT administrators and
**Product capability:** Identity Security & Protection To protect user accounts, all new tenants created on or after November 12, 2020, will come with Security Defaults enabled. Security Defaults enforces multiple policies including:-- Requires all users and admins to register for multi-factor authentication (MFA) using the Microsoft Authenticator App-- Requires critical admin roles to use multi-factor authentication (MFA) every single time they sign-in. All other users will be prompted for multi-factor authentication (MFA) whenever necessary.
+- Requires all users and admins to register for multifactor authentication (MFA) using the Microsoft Authenticator App
+- Requires critical admin roles to use multifactor authentication (MFA) every single time they sign-in. All other users will be prompted for multifactor authentication (MFA) whenever necessary.
- Legacy authentication will be blocked tenant wide. For more information, read [What are security defaults?](../fundamentals/concept-fundamentals-security-defaults.md)
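Review bot: the second rewritten list item uses "sign-in" as a verb ("every single time they sign-in"); as a verb it is two words, "sign in", while the hyphenated form is the noun or adjective. Since the line is being rewritten anyway, fix it here, and hyphenate "tenant wide" in the unchanged item that follows if that line is touched.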
For guidance to remove deprecating protocols dependencies, please refer to [EEna
In November 2020 we have added following 52 new applications in our App gallery with Federation support:
-[Travel & Expense Management](https://app.expenseonce.com/Account/Login), [Tribeloo](../saas-apps/tribeloo-tutorial.md), [Itslearning File Picker](https://pmteam.itslearning.com/), [Crises Control](../saas-apps/crises-control-tutorial.md), [CourtAlert](https://www.courtalert.com/), [StealthMail](https://stealthmail.com/), [Edmentum - Study Island](https://app.studyisland.com/cfw/login/), [Virtual Risk Manager](../saas-apps/virtual-risk-manager-tutorial.md), [TIMU](../saas-apps/timu-tutorial.md), [Looker Analytics Platform](../saas-apps/looker-analytics-platform-tutorial.md), [Talview - Recruit](https://recruit.talview.com/login), Real Time Translator, [Klaxoon](https://access.klaxoon.com/login), [Podbean](../saas-apps/podbean-tutorial.md), [zcal](https://zcal.co/signup), [expensemanager](https://api.expense-manager.com/), [Netsparker Enterprise](../saas-apps/netsparker-enterprise-tutorial.md), [En-trak Tenant Experience Platform](https://portal.en-trak.app/), [Appian](../saas-apps/appian-tutorial.md), [Panorays](../saas-apps/panorays-tutorial.md), [Builterra](https://portal.builterra.com/), [EVA Check-in](https://my.evacheckin.com/organization), [HowNow WebApp SSO](../saas-apps/hownow-webapp-sso-tutorial.md), [Coupa Risk Assess](../saas-apps/coupa-risk-assess-tutorial.md), [Lucid (All Products)](../saas-apps/lucid-tutorial.md), [GoBright](https://portal.brightbooking.eu/), [SailPoint IdentityNow](../saas-apps/sailpoint-identitynow-tutorial.md),[Resource Central](../saas-apps/resource-central-tutorial.md), [UiPathStudioO365App](https://www.uipath.com/product/platform), [Jedox](../saas-apps/jedox-tutorial.md), [Cequence Application Security](../saas-apps/cequence-application-security-tutorial.md), [PerimeterX](../saas-apps/perimeterx-tutorial.md), [TrendMiner](../saas-apps/trendminer-tutorial.md), [Lexion](../saas-apps/lexion-tutorial.md), [WorkWare](../saas-apps/workware-tutorial.md), [ProdPad](../saas-apps/prodpad-tutorial.md), [AWS 
ClientVPN](../saas-apps/aws-clientvpn-tutorial.md), [AppSec Flow SSO](../saas-apps/appsec-flow-sso-tutorial.md), [Luum](../saas-apps/luum-tutorial.md), [Freight Measure](https://www.gpcsl.com/freight.html), [Terraform Cloud](../saas-apps/terraform-cloud-tutorial.md), [Nature Research](../saas-apps/nature-research-tutorial.md), [Play Digital Signage](https://login.playsignage.com/login), [RemotePC](../saas-apps/remotepc-tutorial.md), [Prolorus](../saas-apps/prolorus-tutorial.md), [Hirebridge ATS](../saas-apps/hirebridge-ats-tutorial.md), [Teamgage](https://www.teamgage.com/Account/ExternalLoginAzure), [Roadmunk](../saas-apps/roadmunk-tutorial.md), [Sunrise Software Relations CRM](https://cloud.relations-crm.com/), [Procaire](../saas-apps/procaire-tutorial.md), [Mentor® by eDriving: Business](https://www.edriving.com/), [Gradle Enterprise](https://gradle.com/)
+[Travel & Expense Management](https://app.expenseonce.com/Account/Login), [Tribeloo](../saas-apps/tribeloo-tutorial.md), [Itslearning File Picker](https://pmteam.itslearning.com/), [Crises Control](../saas-apps/crises-control-tutorial.md), [CourtAlert](https://www.courtalert.com/), [StealthMail](https://stealthmail.com/), [Edmentum - Study Island](https://app.studyisland.com/cfw/login/), [Virtual Risk Manager](../saas-apps/virtual-risk-manager-tutorial.md), [TIMU](../saas-apps/timu-tutorial.md), [Looker Analytics Platform](../saas-apps/looker-analytics-platform-tutorial.md), [Talview - Recruit](https://recruit.talview.com/login), Real Time Translator, [Klaxoon](https://access.klaxoon.com/login), [Podbean](../saas-apps/podbean-tutorial.md), [zcal](https://zcal.co/signup), [expensemanager](https://api.expense-manager.com/), [Netsparker Enterprise](../saas-apps/netsparker-enterprise-tutorial.md), [En-trak Tenant Experience Platform](https://portal.en-trak.app/), [Appian](../saas-apps/appian-tutorial.md), [Panorays](../saas-apps/panorays-tutorial.md), [Builterra](https://portal.builterra.com/), [EVA Check-in](https://my.evacheckin.com/organization), [HowNow WebApp SSO](../saas-apps/hownow-webapp-sso-tutorial.md), [Coupa Risk Assess](../saas-apps/coupa-risk-assess-tutorial.md), [Lucid (All Products)](../saas-apps/lucid-tutorial.md), [GoBright](https://portal.brightbooking.eu/), [SailPoint IdentityNow](../saas-apps/sailpoint-identitynow-tutorial.md),[Resource Central](../saas-apps/resource-central-tutorial.md), [UiPathStudioO365App](https://www.uipath.com/product/platform), [Jedox](../saas-apps/jedox-tutorial.md), [Cequence Application Security](../saas-apps/cequence-application-security-tutorial.md), [PerimeterX](../saas-apps/perimeterx-tutorial.md), [TrendMiner](../saas-apps/trendminer-tutorial.md), [Lexion](../saas-apps/lexion-tutorial.md), [WorkWare](../saas-apps/workware-tutorial.md), [ProdPad](../saas-apps/prodpad-tutorial.md), [AWS 
ClientVPN](../saas-apps/aws-clientvpn-tutorial.md), [AppSec Flow SSO](../saas-apps/appsec-flow-sso-tutorial.md), [Luum](../saas-apps/luum-tutorial.md), [Freight Measure](https://www.gpcsl.com/freight.html), [Terraform Cloud](../saas-apps/terraform-cloud-tutorial.md), [Nature Research](../saas-apps/nature-research-tutorial.md), [Play Digital Signage](https://login.playsignage.com/login), [RemotePC](../saas-apps/remotepc-tutorial.md), [Prolorus](../saas-apps/prolorus-tutorial.md), [Hirebridge ATS](../saas-apps/hirebridge-ats-tutorial.md), [Teamgage](https://teamgage.com), [Roadmunk](../saas-apps/roadmunk-tutorial.md), [Sunrise Software Relations CRM](https://cloud.relations-crm.com/), [Procaire](../saas-apps/procaire-tutorial.md), [Mentor® by eDriving: Business](https://www.edriving.com/), [Gradle Enterprise](https://gradle.com/)
You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial
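Review bot: the only change in this long line is the Teamgage link, from the `https://www.teamgage.com/Account/ExternalLoginAzure` sign-in page to the bare domain `https://teamgage.com`; the commit should say why (for example the old path no longer resolving), because several other entries in this list point at the app's sign-in page rather than its home page. While this line is being edited, also add the missing space after `[SailPoint IdentityNow](../saas-apps/sailpoint-identitynow-tutorial.md),` before `[Resource Central]`, which is carried over unchanged, and the closing sentence's `https://aka.ms/AppsTutorial` is a bare URL where the rest of the file uses markdown links.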
MSAL.js version 2.x now includes support for the authorization code flow for sin
We've recently updated the [remember Azure Active Directory Multi-Factor Authentication (MFA)](../authentication/howto-mfa-mfasettings.md#remember-multi-factor-authentication) on a trusted device feature to extend authentication for up to 365 days. Azure Active Directory (Azure AD) Premium licenses, can also use the [Conditional Access ΓÇô Sign-in Frequency policy](../conditional-access/howto-conditional-access-session-lifetime.md#user-sign-in-frequency) that provides more flexibility for reauthentication settings.
-For the optimal user experience, we recommend using Conditional Access sign-in frequency to extend session lifetimes on trusted devices, locations, or low-risk sessions as an alternative to remember multi-factor authentication (MFA) on a trusted device setting. To get started, review our [latest guidance on optimizing the reauthentication experience](../authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md).
+For the optimal user experience, we recommend using Conditional Access sign-in frequency to extend session lifetimes on trusted devices, locations, or low-risk sessions as an alternative to remember multifactor authentication (MFA) on a trusted device setting. To get started, review our [latest guidance on optimizing the reauthentication experience](../authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md).
This experience will be changed to display only the resources currently added in
Starting 1 October 2020, Azure AD Multi-Factor Authentication (MFA) Server firewall requirements will require additional IP ranges.
-If you have outbound firewall rules in your organization, update the rules so that your multi-factor authentication (MFA) servers can communicate with all the necessary IP ranges. The IP ranges are documented in [Azure Active Directory Multi-Factor Authentication Server firewall requirements](../authentication/howto-mfaserver-deploy.md#azure-multi-factor-authentication-server-firewall-requirements).
+If you have outbound firewall rules in your organization, update the rules so that your multifactor authentication (MFA) servers can communicate with all the necessary IP ranges. The IP ranges are documented in [Azure Active Directory Multi-Factor Authentication Server firewall requirements](../authentication/howto-mfaserver-deploy.md#azure-multi-factor-authentication-server-firewall-requirements).
The externalUserState and externalUserStateChangedDateTime properties can be use
Authentication session management capabilities allow you to configure how often your users need to provide sign-in credentials and whether they need to provide credentials after closing and reopening browsers to offer more security and flexibility in your environment.
-Additionally, authentication session management used to only apply to the First Factor Authentication on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices. Now authentication session management will apply to multi-factor authentication (MFA) as well. For more information, see [Configure authentication session management with Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md).
+Additionally, authentication session management used to only apply to the First Factor Authentication on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices. Now authentication session management will apply to multifactor authentication (MFA) as well. For more information, see [Configure authentication session management with Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md).
We have introduced a new riskEventsTypes_v2 (string) property to the signIns v1.
-### Upcoming changes to multi-factor authentication (MFA) email notifications
+### Upcoming changes to multifactor authentication (MFA) email notifications
**Type:** Plan for change **Service category:** MFA **Product capability:** Identity Security & Protection
-We are making the following changes to the email notifications for cloud multi-factor authentication (MFA):
+We are making the following changes to the email notifications for cloud multifactor authentication (MFA):
E-mail notifications will be sent from the following address: azure-noreply@microsoft.com and msonlineservicesteam@microsoftonline.com. We're updating the content of fraud alert emails to better indicate the required steps to unblock uses.
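Review bot: the context sentence that closes this entry says "required steps to unblock uses", which should be "users", and "sent from the following address" lists two addresses, so "addresses" is needed; both sit in the paragraph this hunk edits and are worth fixing in the same change.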
For more information, visit [The New app registration experience for Azure AD B2
**Product capability:** Identity Security & Protection
-The combined registration experience for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) is now generally available. This new registration experience enables users to register for multi-factor authentication (MFA) and SSPR in a single, step-by-step process. When you deploy the new experience for your organization, users can register in less time and with fewer hassles. Check out the blog post [here](https://bit.ly/3etiRyQ).
+The combined registration experience for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) is now generally available. This new registration experience enables users to register for multifactor authentication (MFA) and SSPR in a single, step-by-step process. When you deploy the new experience for your organization, users can register in less time and with fewer hassles. Check out the blog post [here](https://bit.ly/3etiRyQ).
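Review bot: the rewritten sentence lowercases the second occurrence to "multifactor authentication (MFA)" but leaves the first, "The combined registration experience for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR)", in title case in the same paragraph. Either both are the generic term (lowercase) or the first is meant as the product name "Azure AD Multi-Factor Authentication"; pick one and apply it consistently. The shortened bit.ly link at the end also hides its destination; the full URL is preferable in docs.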
Delta query for administrative units is available for public preview! You can no
**Product capability:** Developer Experience
-These APIs are a key tool for managing your usersΓÇÖ authentication methods. Now you can programmatically pre-register and manage the authenticators used for multi-factor authentication (MFA) and self-service password reset (SSPR). This has been one of the most-requested features in the Azure AD Multi-Factor Authentication (MFA), SSPR, and Microsoft Graph spaces. The new APIs weΓÇÖve released in this wave give you the ability to:
+These APIs are a key tool for managing your usersΓÇÖ authentication methods. Now you can programmatically pre-register and manage the authenticators used for multifactor authentication (MFA) and self-service password reset (SSPR). This has been one of the most-requested features in the Azure AD Multi-Factor Authentication (MFA), SSPR, and Microsoft Graph spaces. The new APIs weΓÇÖve released in this wave give you the ability to:
- Read, add, update, and remove a userΓÇÖs authentication phones - Reset a userΓÇÖs password
For more information, see [Validate a dynamic group membership rule (preview)](.
-### Identity Secure Score - Security Defaults and multi-factor authentication (MFA) improvement action updates
+### Identity Secure Score - Security Defaults and multifactor authentication (MFA) improvement action updates
**Type:** Changed feature
For more information, see [Validate a dynamic group membership rule (preview)](.
- Require multi-factor authentication (MFA) for administrative roles - Enable policy to block legacy authentication
-**Multi-factor authentication (MFA) improvement action updates:** To reflect the need for businesses to ensure the upmost security while applying policies that work with their business, Microsoft Secure Score has removed three improvement actions centered around multifactor authentication and added two.
+**Multifactor authentication (MFA) improvement action updates:** To reflect the need for businesses to ensure the upmost security while applying policies that work with their business, Microsoft Secure Score has removed three improvement actions centered around multifactor authentication and added two.
Removed improvement actions: - Register all users for multifactor authentication-- Require multi-factor authentication (MFA) for all users-- Require multi-factor authentication (MFA) for Azure AD privileged roles
+- Require multifactor authentication (MFA) for all users
+- Require multifactor authentication (MFA) for Azure AD privileged roles
Added improvement actions: - Ensure all users can complete multifactor authentication for secure access-- Require multi-factor authentication (MFA) for administrative roles
+- Require multifactor authentication (MFA) for administrative roles
-These new improvement actions require registering your users or admins for multi-factor authentication (MFA) across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. That can take the form of having multiple policies that apply scoped decisions, or setting security defaults (as of March 16th) that let Microsoft decide when to challenge users for multi-factor authentication (MFA). [Read more about what's new in Microsoft Secure Score](/microsoft-365/security/mtp/microsoft-secure-score#whats-new).
+These new improvement actions require registering your users or admins for multifactor authentication (MFA) across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. That can take the form of having multiple policies that apply scoped decisions, or setting security defaults (as of March 16th) that let Microsoft decide when to challenge users for multifactor authentication (MFA). [Read more about what's new in Microsoft Secure Score](/microsoft-365/security/mtp/microsoft-secure-score#whats-new).
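Review bot: "to ensure the upmost security" in the **Multifactor authentication (MFA) improvement action updates:** sentence should be "utmost"; the typo is preserved from the old line and this change is the moment to fix it. Also, "(as of March 16th)" in the closing paragraph gives no year; since this is an archive entry, add it.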
To provide a more flexible way for customers to create directory-wide groups tha
**Service category:** MFA **Product capability:** Identity Security & Protection
-We're planning to replace the current custom controls preview with an approach that allows partner-provided authentication capabilities to work seamlessly with the Azure Active Directory administrator and end user experiences. Today, partner multi-factor authentication (MFA) solutions face the following limitations: they work only after a password has been entered; they don't serve as multi-factor authentication (MFA) for step-up authentication in other key scenarios; and they don't integrate with end user or administrative credential management functions. The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios, including registration, usage, multi-factor authentication (MFA) claims, step up authentication, reporting, and logging.
+We're planning to replace the current custom controls preview with an approach that allows partner-provided authentication capabilities to work seamlessly with the Azure Active Directory administrator and end user experiences. Today, partner multifactor authentication (MFA) solutions face the following limitations: they work only after a password has been entered; they don't serve as multifactor authentication (MFA) for step-up authentication in other key scenarios; and they don't integrate with end user or administrative credential management functions. The new implementation will allow partner-provided authentication factors to work alongside built-in factors for key scenarios, including registration, usage, multifactor authentication (MFA) claims, step up authentication, reporting, and logging.
Custom controls will continue to be supported in preview alongside the new design until it reaches general availability. At that point, we'll give customers time to migrate to the new design. Because of the limitations of the current approach, we won't onboard new providers until the new design is available. We are working closely with customers and providers and will communicate the timeline as we get closer. [Learn more](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/upcoming-changes-to-custom-controls/ba-p/1144696#).
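Review bot: in the rewritten paragraph "step-up authentication" and "step up authentication" both appear in the same sentence ("they don't serve as multifactor authentication (MFA) for step-up authentication..." and "...multifactor authentication (MFA) claims, step up authentication, reporting"); use the hyphenated form in both places.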
-### Identity Secure Score - multi-factor authentication (MFA) improvement action updates
+### Identity Secure Score - multifactor authentication (MFA) improvement action updates
**Type:** Plan for change **Service category:** MFA **Product capability:** Identity Security & Protection
-To reflect the need for businesses to ensure the upmost security while applying policies that work with their business, Microsoft Secure Score is removing three improvement actions centered around multi-factor authentication (MFA), and adding two.
+To reflect the need for businesses to ensure the upmost security while applying policies that work with their business, Microsoft Secure Score is removing three improvement actions centered around multifactor authentication (MFA), and adding two.
The following improvement actions will be removed: -- Register all users for multi-factor authentication (MFA)-- Require multi-factor authentication (MFA) for all users-- Require multi-factor authentication (MFA) for Azure AD privileged roles
+- Register all users for multifactor authentication (MFA)
+- Require multifactor authentication (MFA) for all users
+- Require multifactor authentication (MFA) for Azure AD privileged roles
The following improvement actions will be added: -- Ensure all users can complete multi-factor authentication (MFA) for secure access-- Require multi-factor authentication (MFA) for administrative roles
+- Ensure all users can complete multifactor authentication (MFA) for secure access
+- Require multifactor authentication (MFA) for administrative roles
-These new improvement actions will require registering your users or admins for multi-factor authentication (MFA) across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. This can take the form of setting security defaults that let Microsoft decide when to challenge users for multi-factor authentication (MFA), or having multiple policies that apply scoped decisions. As part of these improvement action updates, Baseline protection policies will no longer be included in scoring calculations. [Read more about what's coming in Microsoft Secure Score](/microsoft-365/security/mtp/microsoft-secure-score-whats-coming).
+These new improvement actions will require registering your users or admins for multifactor authentication (MFA) across your directory and establishing the right set of policies that fit your organizational needs. The main goal is to have flexibility while ensuring all your users and admins can authenticate with multiple factors or risk-based identity verification prompts. This can take the form of setting security defaults that let Microsoft decide when to challenge users for multifactor authentication (MFA), or having multiple policies that apply scoped decisions. As part of these improvement action updates, Baseline protection policies will no longer be included in scoring calculations. [Read more about what's coming in Microsoft Secure Score](/microsoft-365/security/mtp/microsoft-secure-score-whats-coming).
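Review bot: "upmost security" should be "utmost security" in the first rewritten paragraph of this entry; it is the same typo as in the "Identity Secure Score - Security Defaults and multifactor authentication (MFA) improvement action updates" entry above, and both should be fixed in this patch.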
To learn more about the new App registrations experience, see the [App registrat
-### Users are no longer required to re-register during migration from per-user multi-factor authentication (MFA) to Conditional Access-based multi-factor authentication (MFA)
+### Users are no longer required to re-register during migration from per-user multifactor authentication (MFA) to Conditional Access-based multifactor authentication (MFA)
**Type:** Fixed **Service category:** MFA **Product capability:** Identity Security & Protection
-We've fixed a known issue whereby when users were required to re-register if they were disabled for per-user Multi-Factor Authentication (MFA) and then enabled for multi-factor authentication (MFA) through a Conditional Access policy.
+We've fixed a known issue whereby when users were required to re-register if they were disabled for per-user MultiFactor Authentication (MFA) and then enabled for multifactor authentication (MFA) through a Conditional Access policy.
-To require users to re-register, you can select the **Required re-register multi-factor authentication (MFA)** option from the user's authentication methods in the Azure AD portal.
+To require users to re-register, you can select the **Required re-register multifactor authentication (MFA)** option from the user's authentication methods in the Azure AD portal.
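Review bot: the rewritten paragraph introduces "per-user MultiFactor Authentication (MFA)" (capital F, no hyphen or space), a form that appears nowhere else in the file; use "multifactor authentication (MFA)" like the rest of the patch. The sentence "We've fixed a known issue whereby when users were required to re-register if they were..." is also ungrammatical in both the old and new versions; "whereby users were required to re-register if they were disabled for per-user multifactor authentication (MFA) and then enabled..." reads correctly. Finally, **Required re-register multifactor authentication (MFA)** is a portal UI label and should match the portal's actual wording rather than be rewritten by a find-and-replace; verify it against the Azure AD portal before changing it.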
The new **Security** menu includes:
- Security Center - Identity Secure Score - Authentication methods-- Multi-factor authentication (MFA)
+- Multifactor authentication (MFA)
- Risk reports - Risky users, Risky sign-ins, Risk detections - And more...
If you're an existing customer, who activated Azure AD Multi-Factor Authenticati
- Fixed other minor bugs.
-Starting July 1, 2019, Microsoft stopped offering multi-factor authentication (MFA) Server for new deployments. New customers who require multifactor authentication should use cloud-based Azure AD Multi-Factor Authentication. For more information, see [Planning a cloud-based Azure AD Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md).
+Starting July 1, 2019, Microsoft stopped offering multifactor authentication (MFA) Server for new deployments. New customers who require multifactor authentication should use cloud-based Azure AD Multi-Factor Authentication. For more information, see [Planning a cloud-based Azure AD Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md).
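Review bot: "multifactor authentication (MFA) Server" lowercases a product name; the same sentence goes on to say "cloud-based Azure AD Multi-Factor Authentication" and links "Azure AD Multi-Factor Authentication deployment". The find-and-replace should skip the product name "Multi-Factor Authentication Server" here, in the "Plan for change: Removal of the ... server IP address" heading and paragraph below, and in the July 1, 2019 entry at the end of this patch.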
New user interface changes are coming to the design of the **Add from the galler
-### Plan for change: Removal of the multi-factor authentication (MFA) server IP address from the Office 365 IP address
+### Plan for change: Removal of the multifactor authentication (MFA) server IP address from the Office 365 IP address
**Type:** Plan for change **Service category:** MFA **Product capability:** Identity Security & Protection
-We're removing the multi-factor authentication (MFA) server IP address from the [Office 365 IP Address and URL Web service](/office365/enterprise/office-365-ip-web-service). If you currently rely on these pages to update your firewall settings, you must make sure you're also including the list of IP addresses documented in the **Azure Active Directory Multi-Factor Authentication Server firewall requirements** section of the [Getting started with the Azure Active Directory Multi-Factor Authentication Server](../authentication/howto-mfaserver-deploy.md#azure-multi-factor-authentication-server-firewall-requirements) article.
+We're removing the multifactor authentication (MFA) server IP address from the [Office 365 IP Address and URL Web service](/office365/enterprise/office-365-ip-web-service). If you currently rely on these pages to update your firewall settings, you must make sure you're also including the list of IP addresses documented in the **Azure Active Directory Multi-Factor Authentication Server firewall requirements** section of the [Getting started with the Azure Active Directory Multi-Factor Authentication Server](../authentication/howto-mfaserver-deploy.md#azure-multi-factor-authentication-server-firewall-requirements) article.
For more information about this new service tag, see [Network Security Groups fo
**Service category:** Azure AD Domain Services **Product capability:** Azure AD Domain Services
-We're pleased to announce the release of Azure AD Domain Service Security Auditing to public preview. Security auditing helps provide you with critical insight into your authentication services by streaming security audit events to targeted resources, including Azure Storage, Azure Log Analytics workspaces, and Azure Event Hub, using the Azure AD Domain Service portal.
+We're pleased to announce the release of Azure AD Domain Service Security Auditing to public preview. Security auditing helps provide you with critical insight into your authentication services by streaming security audit events to targeted resources, including Azure Storage, Azure Log Analytics workspaces, and Azure Event Hubs, using the Azure AD Domain Service portal.
For more information, see [Enable Security Audits for Azure AD Domain Services (Preview)](../../active-directory-domain-services/security-audit-events.md).
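Review bot: while this hunk corrects "Azure Event Hub" to "Azure Event Hubs", the same sentence still says "Azure AD Domain Service Security Auditing" and "the Azure AD Domain Service portal" even though the service category line and the linked article title use "Azure AD Domain Services"; correct those two in the same change.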
For more information, see [Risky users report](../identity-protection/howto-iden
**Service category:** Azure AD Domain Services **Product capability:** Azure AD Domain Services
-We're pleased to announce the release of Azure AD Domain Service Security Auditing to public preview. Security auditing helps provide you with critical insight into your authentication services by streaming security audit events to targeted resources, including Azure Storage, Azure Log Analytics workspaces, and Azure Event Hub, using the Azure AD Domain Service portal.
+We're pleased to announce the release of Azure AD Domain Service Security Auditing to public preview. Security auditing helps provide you with critical insight into your authentication services by streaming security audit events to targeted resources, including Azure Storage, Azure Log Analytics workspaces, and Azure Event Hubs, using the Azure AD Domain Service portal.
For more information, see [Enable Security Audits for Azure AD Domain Services (Preview)](../../active-directory-domain-services/security-audit-events.md).
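Review bot: this hunk is the same change as the previous one, word for word (same announcement, same "Event Hubs" fix), which means the source article carries the Azure AD Domain Services security auditing announcement twice. Worth checking whether one copy is a stray duplicate that should be dropped rather than corrected in place; at minimum the singular "Azure AD Domain Service" needs the same fix here as in the first copy.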
For more information about setting up your company branding, see [Add branding t
**Service category:** MFA **Product capability:** Identity Security & Protection
-As of July 1, 2019, Microsoft will no longer offer multi-factor authentication (MFA) Server for new deployments. New customers who want to require multifactor authentication in their organization must now use cloud-based Azure AD Multi-Factor Authentication. Customers who activated multi-factor authentication (MFA) Server prior to July 1 won't see a change. You'll still be able to download the latest version, get future updates, and generate activation credentials.
+As of July 1, 2019, Microsoft will no longer offer multifactor authentication (MFA) Server for new deployments. New customers who want to require multifactor authentication in their organization must now use cloud-based Azure AD Multi-Factor Authentication. Customers who activated multifactor authentication (MFA) Server prior to July 1 won't see a change. You'll still be able to download the latest version, get future updates, and generate activation credentials.
For more information, see [Getting started with the Azure Active Directory Multi-Factor Authentication Server](../authentication/howto-mfaserver-deploy.md). For more information about cloud-based Azure AD Multi-Factor Authentication, see [Planning a cloud-based Azure AD Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md).
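Review bot: on the + line, "multifactor authentication (MFA) Server" (twice) applies the generic-term rewrite to a product name; the product is Azure Multi-Factor Authentication Server, and the link text on the following line keeps that spelling. Suggest writing "Azure Multi-Factor Authentication Server" on first mention and "MFA Server" afterwards, so the prose matches the title of the article it links to instead of reading as an expanded acronym followed by "Server".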
For more information about the apps, see [SaaS application integration with Azur
**Service category:** Self Service Password Reset **Product capability:** User Authentication
-In response to customer feedback, we've enhanced the combined multi-factor authentication (MFA)/SSPR registration preview experience, helping your users to more quickly register their security info for both multi-factor authentication (MFA) and SSPR.
+In response to customer feedback, we've enhanced the combined multifactor authentication (MFA)/SSPR registration preview experience, helping your users to more quickly register their security info for both multifactor authentication (MFA) and SSPR.
**To turn on the enhanced experience for your users' today, follow these steps:**
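Review bot: the + line expands the acronym twice in one sentence ("combined multifactor authentication (MFA)/SSPR registration", then "for both multifactor authentication (MFA) and SSPR"), which is what the acronym is meant to avoid; expand once and write "MFA/SSPR" afterwards. The same double expansion is carried into the later hunks of this file ("old combined multifactor authentication (MFA)/SSPR registration preview experience"), so a single pass over the article would be cleaner than line-by-line substitution.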
In response to customer feedback, we've enhanced the combined multi-factor authe
2. In the **Users who can use the preview features for registering and managing security info ΓÇô refresh** option, choose to turn on the features for a **Selected group of users** or for **All users**.
-Over the next few weeks, we'll be removing the ability to turn on the old combined multi-factor authentication (MFA)/SSPR registration preview experience for tenants that don't already have it turned on.
+Over the next few weeks, we'll be removing the ability to turn on the old combined multifactor authentication (MFA)/SSPR registration preview experience for tenants that don't already have it turned on.
**To see if the control will be removed for your tenant, follow these steps:**
Over the next few weeks, we'll be removing the ability to turn on the old combin
2. If the **Users who can use the preview features for registering and managing security info** option is set to **None**, the option will be removed from your tenant.
-Regardless of whether you previously turned on the old combined multi-factor authentication (MFA)/SSPR registration preview experience for users or not, the old experience will be turned off at a future date. Because of that, we strongly suggest that you move to the new, enhanced experience as soon as possible.
+Regardless of whether you previously turned on the old combined multifactor authentication (MFA)/SSPR registration preview experience for users or not, the old experience will be turned off at a future date. Because of that, we strongly suggest that you move to the new, enhanced experience as soon as possible.
For more information about the enhanced registration experience, see the [Cool enhancements to the Azure AD combined MFA and password reset registration experience](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Cool-enhancements-to-the-Azure-AD-combined-MFA-and-password/ba-p/354271).
For this and other protocols-related changes, see [the full list of what's new f
-### Converged security info management for self-service password (SSPR) and multi-factor authentication (MFA)
+### Converged security info management for self-service password (SSPR) and multifactor authentication (MFA)
**Type:** New feature **Service category:** SSPR **Product capability:** User Authentication
-This new feature helps people manage their security info (such as, phone number, mobile app, and so on) for SSPR and multi-factor authentication (MFA) in a single location and experience; as compared to previously, where it was done in two different locations.
+This new feature helps people manage their security info (such as, phone number, mobile app, and so on) for SSPR and multifactor authentication (MFA) in a single location and experience; as compared to previously, where it was done in two different locations.
-This converged experience also works for people using either SSPR or multi-factor authentication (MFA). Additionally, if your organization doesn't enforce multi-factor authentication (MFA) or SSPR registration, people can still register any multi-factor authentication (MFA) or SSPR security info methods allowed by your organization from the My Apps portal.
+This converged experience also works for people using either SSPR or multifactor authentication (MFA). Additionally, if your organization doesn't enforce multifactor authentication (MFA) or SSPR registration, people can still register any multifactor authentication (MFA) or SSPR security info methods allowed by your organization from the My Apps portal.
This is an opt-in public preview. Administrators can turn on the new experience (if desired) for a selected group or for all users in a tenant. For more information about the converged experience, see the [Converged experience blog](https://cloudblogs.microsoft.com/enterprisemobility/2018/08/06/mfa-and-sspr-updates-now-in-public-preview/)
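Review bot: the heading on the + line still says "self-service password (SSPR)", dropping "reset"; the acronym expands to self-service password reset, and the parallel heading in the next hunk of this file has it right. Since the heading is being rewritten anyway, fix it here rather than leaving two different expansions of SSPR in adjacent entries.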
Pass-through Authentication now supports legacy protocols and apps. The followin
-### Converged security info management for self-service password reset and Multi-Factor Authentication
+### Converged security info management for self-service password reset and MultiFactor Authentication
**Type:** New feature **Service category:** SSPR **Product capability:** User Authentication
-This new feature lets users manage their security info (for example, phone number, email address, mobile app, and so on) for self-service password reset (SSPR) and multi-factor authentication (MFA) in a single experience. Users will no longer have to register the same security info for SSPR and multi-factor authentication (MFA) in two different experiences. This new experience also applies to users who have either SSPR or multi-factor authentication (MFA).
+This new feature lets users manage their security info (for example, phone number, email address, mobile app, and so on) for self-service password reset (SSPR) and multifactor authentication (MFA) in a single experience. Users will no longer have to register the same security info for SSPR and multifactor authentication (MFA) in two different experiences. This new experience also applies to users who have either SSPR or multifactor authentication (MFA).
-If an organization isn't enforcing multi-factor authentication (MFA) or SSPR registration, users can register their security info through the **My Apps** portal. From there, users can register any methods enabled for multi-factor authentication (MFA) or SSPR.
+If an organization isn't enforcing multifactor authentication (MFA) or SSPR registration, users can register their security info through the **My Apps** portal. From there, users can register any methods enabled for multifactor authentication (MFA) or SSPR.
This is an opt-in public preview. Admins can turn on the new experience (if desired) for a selected group of users or all users in a tenant.
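Review bot: the replacement heading introduces "MultiFactor Authentication" (capital F, no space), which is neither the product name "Multi-Factor Authentication" used elsewhere on the page nor the lowercase "multifactor authentication" used in the body lines directly below it. This looks like a case-preserving find-and-replace of "Multi-Factor", not an intended spelling; use "Multifactor Authentication" or keep "Multi-Factor Authentication".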
As of January 8, 2018, the Azure AD administration experience in the Azure class
As of January 8, 2018, the PhoneFactor web portal has been retired. This portal was used for the administration of multi-factor authentication (MFA) server, but those functions have been moved into the Azure portal at portal.azure.com.
-The multi-factor authentication (MFA) configuration is located at: **Azure Active Directory \> multi-factor authentication (MFA) Server**
+The multifactor authentication (MFA) configuration is located at: **Azure Active Directory \> multi-factor authentication (MFA) Server**
For more information, see:
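Review bot: the + line rewrites the prose to "multifactor authentication (MFA) configuration" but leaves the bold UI path as "**Azure Active Directory \> multi-factor authentication (MFA) Server**", so one sentence now carries both spellings. A UI path should reproduce the blade label exactly as the portal shows it rather than an expanded acronym, so either leave the bold text untouched deliberately or check the label and quote it verbatim; the half-updated line is the worst of the options.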
### Network Policy Server extension for Azure AD Multi-Factor Authentication **Type:** New feature
-**Service category:** Multi-factor authentication
+**Service category:** Multifactor authentication
**Product capability:** User authentication The Network Policy Server extension for Azure Active Directory (Azure AD) Multi-Factor Authentication adds cloud-based multifactor authentication capabilities to your authentication infrastructure by using your existing servers. With the Network Policy Server extension, you can add phone call, text message, or phone app verification to your existing authentication flow. You don't have to install, configure, and maintain new servers.
Due to a service issue, this functionality was temporarily disabled. The issue w
-### New Multi-Factor Authentication features
+### New Multifactor Authentication features
**Type:** New feature
-**Service category:** Multi-factor authentication
+**Service category:** Multifactor authentication
**Product capability:** Identity security and protection Azure Active Directory Multi-Factor Authentication (MFA) is an essential part of protecting your organization. To make credentials more adaptive and the experience more seamless, the following features were added: -- Multi-factor challenge results are directly integrated into the Azure AD sign-in report, which includes programmatic access to multi-factor authentication (MFA) results.-- The multi-factor authentication (MFA) configuration is more deeply integrated into the Azure AD configuration experience in the Azure portal.
+- Multifactor challenge results are directly integrated into the Azure AD sign-in report, which includes programmatic access to multifactor authentication (MFA) results.
+- The multifactor authentication (MFA) configuration is more deeply integrated into the Azure AD configuration experience in the Azure portal.
-With this public preview, multi-factor authentication (MFA) management and reporting are an integrated part of the core Azure AD configuration experience. Now you can manage the multi-factor authentication (MFA) management portal functionality within the Azure AD experience.
+With this public preview, multifactor authentication (MFA) management and reporting are an integrated part of the core Azure AD configuration experience. Now you can manage the multifactor authentication (MFA) management portal functionality within the Azure AD experience.
For more information, see [Reference for MFA reporting in the Azure portal](../authentication/howto-mfa-reporting.md).
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new.md
Previously updated : 12/06/2021 Last updated : 1/20/2022
This page is updated monthly, so revisit it regularly. If you're looking for ite
+## December 2021
+
+### Tenant enablement of combined security information registration for Azure Active Directory
+
+**Type:** Plan for change
+**Service category:** MFA
+**Product capability:** Identity Security & Protection
+
+We previously announced in April 2020, a new combined registration experience enabling users to register authentication methods for SSPR and multifactor authentication at the same time was generally available for existing customer to opt-in. Any Azure AD tenants created after August 2020 automatically have the default experience set to combined registration. Starting in 2022 Microsoft will be enabling the multifactor authentication and SSPR combined registration experience for existing customers. [Learn more](../authentication/concept-registration-mfa-sspr-combined.md).
+
++
+### Public Preview - Number Matching now available to reduce accidental notification approvals
+
+**Type:** New feature
+**Service category:** Microsoft Authenticator App
+**Product capability:** User Authentication
+
+To prevent accidental notification approvals, admins can now require users to enter the number displayed on the sign-in screen when approving an multifactor authentication notification in the Authenticator app. This feature adds an additional security measure to the Microsoft Authenticator app. [Learn more](../authentication/how-to-mfa-number-match.md).
+
++
+### Pre-authentication error events removed from Azure AD Sign-in Logs
+
+**Type:** Deprecated
+**Service category:** Reporting
+**Product capability:** Monitoring & Reporting
+
+We are no longer publishing sign-in logs with the following error codes because these events are pre-authentication events that occur before our service has authenticated a user. Because these events happen before authentication, our service is not always able to correctly identify the user. If a user continues on to authenticate, the user sign-in will show up in your tenant Sign-in logs. These logs are no longer visible in the Azure portal UX, and querying these error codes in the Graph API will no longer return results.
+
+|Error code | Failure reason|
+| | |
+|50058| Session information is not sufficient for single-sign-on.|
+|16000| Either multiple user identities are available for the current request or selected account is not supported for the scenario.|
+|500581| Rendering JavaScript. Fetching sessions for single-sign-on on V2 with prompt=none requires JavaScript to verify if any MSA accounts are signed in.|
+|81012| The user trying to sign in to Azure AD is different from the user signed into the device.|
+++ ## November 2021 ### Tenant enablement of combined security information registration for Azure Active Directory
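Review bot: the "Pre-authentication error events removed from Azure AD Sign-in Logs" entry says codes 50058, 16000, 500581 and 81012 are no longer visible in the portal and no longer returned by the Graph API, but gives no guidance to customers whose alert rules, workbooks or SIEM queries filter on those codes; those detections will simply go quiet with no error. Add a sentence telling readers to retire or adjust anything keyed on these four codes, and make explicit what the paragraph already implies: a user who continues on to authenticate still produces a normal sign-in record, so monitoring of the actual authentication is unaffected. Smaller items in the same hunk: the first entry, "Tenant enablement of combined security information registration", repeats the announcement that already sits under November 2021 immediately below, so either the enforcement date changed and the text should say so, or one copy should go; in the number-matching entry "approving an multifactor authentication notification" should be "a multifactor authentication notification" and "adds an additional security measure" is redundant; and the sentence "We previously announced in April 2020, a new combined registration experience ... was generally available for existing customer to opt-in" needs "that" after "announced", "customers", and "opt in", with a comma after "Starting in 2022".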
This page is updated monthly, so revisit it regularly. If you're looking for ite
**Service category:** MFA **Product capability:** Identity Security & Protection
-We previously announced in April 2020, a new combined registration experience enabling users to register authentication methods for SSPR and multi-factor authentication (MFA) at the same time was generally available for existing customer to opt-in. Any Azure AD tenants created after August 2020 automatically have the default experience set to combined registration. Starting 2022, Microsoft will be enabling the MF).
+We previously announced in April 2020, a new combined registration experience enabling users to register authentication methods for SSPR and multifactor authentication at the same time was generally available for existing customer to opt-in. Any Azure AD tenants created after August 2020 automatically have the default experience set to combined registration. Starting 2022, Microsoft will be enabling the MF).
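Review bot: both the - and + lines end with "Starting 2022, Microsoft will be enabling the MF)." which is a cut-off sentence, and the commit only swaps "multi-factor" for "multifactor" in front of it. The complete sentence is the one the new December 2021 entry uses ("...enabling the multifactor authentication and SSPR combined registration experience for existing customers. [Learn more](...)"), so either restore it here or, given that the December entry repeats this announcement verbatim, keep only one of the two.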
Several user attributes have been added to the list of attributes available to m
**Service category:** Authentications (Logins) **Product capability:** Identity Security & Protection
-We have recently added other property to the sign-in logs called "Session Lifetime Policies Applied". This property will list all the session lifetime policies that applied to the sign-in for example, Sign-in frequency, Remember multi-factor authentication and Configurable token lifetime. [Learn more](../reports-monitoring/concept-sign-ins.md#authentication-details).
+We have recently added other property to the sign-in logs called "Session Lifetime Policies Applied". This property will list all the session lifetime policies that applied to the sign-in for example, Sign-in frequency, Remember multifactor authentication and Configurable token lifetime. [Learn more](../reports-monitoring/concept-sign-ins.md#authentication-details).
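Review bot: "We have recently added other property" should be "another property" on both the - and + lines, and the + line renames the quoted policy "Remember multi-factor authentication" to "Remember multifactor authentication". The three items in that list are the names of session lifetime policies as the sign-in log reports them; if the product spells the setting with the hyphen, rewriting it in prose means the text no longer matches what an admin sees in the "Session Lifetime Policies Applied" property (which this line correctly leaves untouched). Keep policy and setting names as the product spells them and apply the generic-term change only to running prose.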
We've released beta MS Graph API for Azure AD access reviews. The API has method
**Product capability:** Identity Security & Protection
-The "Register or join devices" user action is generally available in Conditional access. This user action allows you to control multi-factor authentication (MFA) policies for Azure Active Directory (AD) device registration. Currently, this user action only allows you to enable multi-factor authentication (MFA) as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions).
+The "Register or join devices" user action is generally available in Conditional access. This user action allows you to control multifactor authentication policies for Azure Active Directory (AD) device registration. Currently, this user action only allows you to enable multifactor authentication as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions).
For more information about how to better secure your organization by using autom
-### Multi-factor (MFA) fraud report ΓÇô new audit event
+### Multifactor fraud report ΓÇô new audit event
**Type:** Changed feature **Service category:** MFA **Product capability:** Identity Security & Protection
-To help administrators understand that their users are blocked for multi-factor authentication (MFA) as a result of fraud report, we have added a new audit event. This audit event is tracked when the user reports fraud. The audit log is available in addition to the existing information in the sign-in logs about fraud report. To learn how to get the audit report, see [multifactor authentication Fraud alert](../authentication/howto-mfa-mfasettings.md#fraud-alert).
+To help administrators understand that their users are blocked for multifactor authentication as a result of fraud report, we have added a new audit event. This audit event is tracked when the user reports fraud. The audit log is available in addition to the existing information in the sign-in logs about fraud report. To learn how to get the audit report, see [multifactor authentication Fraud alert](../authentication/howto-mfa-mfasettings.md#fraud-alert).
Access packages in Azure AD entitlement management now support setting the user'
-### General availability - Enable external users to self-service sign-up in AAD using MSA accounts
+### General availability - Enable external users to self-service sign-up in Azure AD using MSA accounts
**Type:** New feature **Service category:** B2B
Anomalous token detection is now available in Identity Protection. This feature
**Service category:** Conditional Access **Product capability:** Identity Security & Protection
-The Register or join devices user action in Conditional access is now in general availability. This user action allows you to control multi-factor authentication (MFA) policies for Azure AD device registration.
+The Register or join devices user action in Conditional access is now in general availability. This user action allows you to control multifactor authentication (MFA) policies for Azure AD device registration.
-Currently, this user action only allows you to enable multi-factor authentication (MFA) as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions).
+Currently, this user action only allows you to enable multifactor authentication as a control when users register or join devices to Azure AD. Other controls that are dependent on or not applicable to Azure AD device registration continue to be disabled with this user action. [Learn more](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions).
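Review bot: within this single hunk the first + line keeps "multifactor authentication (MFA)" while the second drops the "(MFA)", and the same two sentences appear earlier in the file (the "Register or join devices" hunk above) with a third variant, so the same announcement is now present twice with inconsistent acronym handling. Pick one form (expand on first use in each entry, then "MFA") and consider whether the general-availability notice needs to appear under two months at all.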
In the past, users could create security groups and Microsoft 365 groups in the
In the My Apps portal, the collection that was called "All Apps" has been renamed to be called "Apps". As the product evolves, "Apps" is a more fitting name for this default collection. [Learn more](../manage-apps/my-apps-deployment-plan.md#plan-the-user-experience).
-
-## June 2021
-
-### Context panes to display risk details in Identity Protection Reports
-
-**Type:** Plan for change
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-For the Risky users, Risky sign-ins, and Risk detections reports in Identity Protection, the risk details of a selected entry will be shown in a context pane appearing from the right of the page July 2021. The change only impacts the user interface and won't affect any existing functionalities. To learn more about the functionality of these features, refer to [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md).
-
--
-### Public preview - create Azure AD access reviews of Service Principals that are assigned to privileged roles
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
- You can use Azure AD access reviews to review service principal's access to privileged Azure AD and Azure resource roles. [Learn more](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md#create-access-reviews).
-
--
-### Public preview - group owners in Azure AD can create and manage Azure AD access reviews for their groups
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-Now group owners in Azure AD can create and manage Azure AD access reviews on their groups. This ability can be enabled by tenant administrators through Azure AD access review settings and is disabled by default. [Learn more](../governance/create-access-review.md#allow-group-owners-to-create-and-manage-access-reviews-of-their-groups-preview).
-
--
-### Public preview - customers can scope access reviews of privileged roles to just users with eligible or active access
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-When admins create access reviews of assignments to privileged roles, they can scope the reviews to only eligibly assigned users or only actively assigned users. [Learn more](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md).
-
--
-### Public preview - Microsoft Graph APIs for Mobility (MDM/MAM) management policies
-
-**Type:** New feature
-**Service category:** Other
-**Product capability:** Device Lifecycle Management
-
-Microsoft Graph support for the Mobility (MDM/MAM) configuration in Azure AD is in public preview. Administrators can configure user scope and URLs for MDM applications like Intune using Microsoft Graph v1.0. For more information, see [mobilityManagementPolicy resource type](/graph/api/resources/mobilitymanagementpolicy?view=graph-rest-beta&preserve-view=true)
---
-### General availability - Custom questions in access package request flow in Azure Active Directory entitlement management
-
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-Azure AD entitlement management now supports the creation of custom questions in the access package request flow. This feature allows you to configure custom questions in the access package policy. These questions are shown to requestors who can input their answers as part of the access request process. These answers will be displayed to approvers, giving them helpful information that empowers them to make better decisions on the access request. [Learn more](../governance/entitlement-management-access-package-create.md).
---
-### General availability - Multi-geo SharePoint sites as resources in Entitlement Management Access Packages
-
-**Type:** New feature
-**Service category:** User Access Management
-**Product capability:** Entitlement Management
-
-Access packages in Entitlement Management now support multi-geo SharePoint sites for customers who use the multi-geo capabilities in SharePoint Online. [Learn more](../governance/entitlement-management-catalog-create.md#add-a-multi-geo-sharepoint-site).
-
--
-### General availability - Knowledge Admin and Knowledge Manager built-in roles
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-Two new roles, Knowledge Administrator and Knowledge Manager are now in general availability.
--- Users in the Knowledge Administrator role have full access to all Organizational knowledge settings in the Microsoft 365 admin center. They can create and manage content, like topics and acronyms. Additionally, these users can create content centers, monitor service health, and create service requests. [Learn more](../roles/permissions-reference.md#knowledge-administrator)-- Users in the Knowledge Manager role can create and manage content and are primarily responsible for the quality and structure of knowledge. They have full rights to topic management actions to confirm a topic, approve edits, or delete a topic. This role can also manage taxonomies as part of the term store management tool and create content centers. [Learn more](../roles/permissions-reference.md#knowledge-manager).---
-### General availability - Cloud App Security Administrator built-in role
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
- Users with this role have full permissions in Cloud App Security. They can add administrators, add Microsoft Cloud App Security (MCAS) policies and settings, upload logs, and do governance actions. [Learn more](../roles/permissions-reference.md#cloud-app-security-administrator).
-
--
-### General availability - Windows Update Deployment Administrator
-
-**Type:** New feature
-**Service category:** RBAC
-**Product capability:** Access Control
-
-
- Users in this role can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. The deployment service enables users to define settings for when and how updates are deployed. Also, users can specify which updates are offered to groups of devices in their tenant. It also allows users to monitor the update progress. [Learn more](../roles/permissions-reference.md#windows-update-deployment-administrator).
-
--
-### General availability - multi-camera support for Windows Hello
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-Now with the Windows 10 21H1 update, Windows Hello supports multiple cameras. The update includes defaults to use the external camera when both built-in and outside cameras are present. [Learn more](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103).
--
-
-### General availability - Access Reviews MS Graph APIs now in v1.0
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-Azure Active Directory access reviews MS Graph APIs are now in v1.0 support fully configurable access reviews features. [Learn more](/graph/api/resources/accessreviewsv2-overview?view=graph-rest-1.0&preserve-view=true).
-
--
-### New provisioning connectors in the Azure AD Application Gallery - June 2021
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
--- [askSpoke](../saas-apps/askspoke-provisioning-tutorial.md)-- [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-provisioning-tutorial.md)-- [CheckProof](../saas-apps/checkproof-provisioning-tutorial.md)-- [GoLinks](../saas-apps/golinks-provisioning-tutorial.md)-- [Holmes Cloud](../saas-apps/holmes-cloud-provisioning-tutorial.md)-- [H5mag](../saas-apps/h5mag-provisioning-tutorial.md)-- [LimbleCMMS](../saas-apps/limblecmms-provisioning-tutorial.md)-- [LogMeIn](../saas-apps/logmein-provisioning-tutorial.md)-- [SECURE DELIVER](../saas-apps/secure-deliver-provisioning-tutorial.md)-- [Sigma Computing](../saas-apps/sigma-computing-provisioning-tutorial.md)-- [Smallstep SSH](../saas-apps/smallstep-ssh-provisioning-tutorial.md)-- [Tribeloo](../saas-apps/tribeloo-provisioning-tutorial.md)-- [Twingate](../saas-apps/twingate-provisioning-tutorial.md)-
-For more information, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
-
--
-### New Federated Apps available in Azure AD Application gallery - June 2021
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In June 2021, we have added following 42 new applications in our App gallery with Federation support
-
-[Taksel](https://help.ubuntu.com/community/Tasksel), [IDrive360](../saas-apps/idrive360-tutorial.md), [VIDA](../saas-apps/vida-tutorial.md), [ProProfs Classroom](../saas-apps/proprofs-classroom-tutorial.md), [WAN-Sign](../saas-apps/wan-sign-tutorial.md), [Citrix Cloud SAML SSO](../saas-apps/citrix-cloud-saml-sso-tutorial.md), [Fabric](../saas-apps/fabric-tutorial.md), [DssAD](https://cloudlicensing.deepseedsolutions.com/), [RICOH Creative Collaboration RICC](https://www.ricoh-europe.com/products/software-apps/collaboration-board-software/ricc/), [Styleflow](../saas-apps/styleflow-tutorial.md), [Chaos](https://accounts.chaosgroup.com/corporate_login), [Traced Connector](https://control.traced.app/signup), [Squarespace](https://account.squarespace.com/org/azure), [MX3 Diagnostics Connector](https://mx3www.playground.dynuddns.com/signin-oidc), [Ten Spot](https://tenspot.co/api/v1/sso/azure/login/), [Finvari](../saas-apps/finvari-tutorial.md), [Mobile4ERP](https://play.google.com/store/apps/details?id=com.negevsoft.mobile4erp), [WalkMe US OpenID Connect](https://www.walkme.com/), [Neustar UltraDNS](../saas-apps/neustar-ultradns-tutorial.md), [cloudtamer.io](../saas-apps/cloudtamer-io-tutorial.md), [A Cloud Guru](../saas-apps/a-cloud-guru-tutorial.md), [PetroVue](../saas-apps/petrovue-tutorial.md), [Postman](../saas-apps/postman-tutorial.md), [ReadCube Papers](../saas-apps/readcube-papers-tutorial.md), [Peklostroj](https://app.peklostroj.cz/), [SynCloud](https://onboard.syncloud.io/), [Polymerhq.io](https://www.polymerhq.io/), [Bonos](../saas-apps/bonos-tutorial.md), [Astra Schedule](../saas-apps/astra-schedule-tutorial.md), [Draup](../saas-apps/draup-inc-tutorial.md), [Inc](../saas-apps/draup-inc-tutorial.md), [Applied Mental Health](../saas-apps/applied-mental-health-tutorial.md), [iHASCO Training](../saas-apps/ihasco-training-tutorial.md), [Nexsure](../saas-apps/nexsure-tutorial.md), [XEOX](https://login.xeox.com/), 
[Plandisc](https://create.plandisc.com/account/logon), [foundU](../saas-apps/foundu-tutorial.md), [Standard for Success Accreditation](../saas-apps/standard-for-success-accreditation-tutorial.md), [Penji Teams](https://web.penjiapp.com/), [CheckPoint Infinity Portal](../saas-apps/checkpoint-infinity-portal-tutorial.md), [Teamgo](../saas-apps/teamgo-tutorial.md), [Hopsworks.ai](../saas-apps/hopsworks-ai-tutorial.md), [HoloMeeting 2](https://backend2.holomeeting.io/)
-
-You can also find the documentation of all the applications here: https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, read the details here: https://aka.ms/AzureADAppRequest
-
--
-### Device code flow now includes an app verification prompt
-
-**Type:** Changed feature
-**Service category:** Authentications (Logins)
-**Product capability:** User Authentication
-
-The [device code flow](../develop/v2-oauth2-device-code.md) has been updated to include one extra user prompt. While signing in, the user will see a prompt asking them to validate the app they're signing into. The prompt ensures that they aren't subject to a phishing attack. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).
-
--
-### User last sign-in date and time is now available on Azure portal
-
-**Type:** Changed feature
-**Service category:** User Management
-**Product capability:** User Management
-
-You can now view your users' last sign-in date and time stamp on the Azure portal. The information is available for each user on the user profile page. This information helps you identify inactive users and effectively manage risky events. [Learn more](./active-directory-users-profile-azure-portal.md?context=%2fazure%2factive-directory%2fenterprise-users%2fcontext%2fugr-context).
-
--
-### MIM BHOLD Suite impact of end of support for Microsoft Silverlight
-
-**Type:** Changed feature
-**Service category:** Microsoft Identity Manager
-**Product capability:** Identity Governance
-
-Microsoft Silverlight will reach its end of support on October 12, 2021. This change only impacts customers using the Microsoft BHOLD Suite, and doesn't impact other Microsoft Identity Manager scenarios. For more information, see [Silverlight End of Support](https://support.microsoft.com/windows/silverlight-end-of-support-0a3be3c7-bead-e203-2dfd-74f0a64f1788).
-
-Users who haven't installed Microsoft Silverlight in their browser can't use the BHOLD Suite modules which require Silverlight. This includes the BHOLD Model Generator, BHOLD FIM Self-service integration, and BHOLD Analytics. Customers with an existing BHOLD deployment of one or more of those modules should plan to uninstall those modules from their BHOLD server computers by October 2021. Also, they should plan to uninstall Silverlight from any user computers that were previously interacting with that BHOLD deployment.
-
--
-### My* experiences: End of support for Internet Explorer 11
-
-**Type:** Deprecated
-**Service category:** My Apps
-**Product capability:** End User Experiences
-
-
-Microsoft 365 and other apps are ending support for Internet Explorer 11 on August 21, 2021, and this includes the My* experiences. The My*s accessed via Internet Explorer won't receive bug fixes or any updates, which may lead to issues. These dates are being driven by the Edge team and may be subject to change. [Learn more](https://blogs.windows.com/windowsexperience/2021/05/19/the-future-of-internet-explorer-on-windows-10-is-in-microsoft-edge/).
-
--
-### Planned deprecation - Malware linked IP address detection in Identity Protection
-
-**Type:** Deprecated
-**Service category:** Identity Protection
-**Product capability:** Identity Security & Protection
-
-Starting October 1, 2021, Azure AD Identity Protection will no longer generate the "Malware linked IP address" detection. No action is required and customers will remain protected by the other detections provided by Identity Protection. To learn more about protection policies, refer to [Identity Protection policies](../identity-protection/concept-identity-protection-policies.md).
-
-
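Review bot: the device code flow app-confirmation change (a phishing mitigation) and the October 1, 2021 retirement of the "Malware linked IP address" detection are removed here with no pointer to where they now live; if these entries moved to the archive, add the archive link in the retained text so admins tracking breaking changes and deprecations can still find them. Also, "42 new applications" does not match the list, which splits one entry into [Draup] and [Inc], both pointing at draup-inc-tutorial.md; if this text is preserved elsewhere, fix the count and the split entry there too.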
active-directory How To Connect Staged Rollout https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-staged-rollout.md
The following scenarios are not supported for staged rollout:
- When you first add a security group for staged rollout, you're limited to 200 users to avoid a UX time-out. After you've added the group, you can add more users directly to it, as required. -- While users are in Staged Rollout, password expiration policy is set to 90 days with no option to customize it.
+- While users are in Staged Rollout with Password Hash Synchronization (PHS), by default no password expiration is applied. Password expiration can be applied by enabling "EnforceCloudPasswordPolicyForPasswordSyncedUsers". When "EnforceCloudPasswordPolicyForPasswordSyncedUsers" is enabled, password expiration policy is set to 90 days from the time password was set on-prem with no option to customize it. To learn how to set 'EnforceCloudPasswordPolicyForPasswordSyncedUsers' see [Password expiration policy](./how-to-connect-password-hash-synchronization.md#enforcecloudpasswordpolicyforpasswordsyncedusers).
- Windows 10 Hybrid Join or Azure AD Join primary refresh token acquisition for Windows 10 version older than 1903. This scenario will fall back to the WS-Trust endpoint of the federation server, even if the user signing in is in scope of staged rollout.
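Review bot: the replacement bullet narrows the statement to Password Hash Synchronization, while the removed bullet applied to every user in Staged Rollout, so users in Staged Rollout who are not using PHS are left with no stated expiration behavior; say what applies to them. State plainly that the default described here (no password expiration applied) is weaker than the previously documented 90-day policy, so tenants that relied on expiration must set EnforceCloudPasswordPolicyForPasswordSyncedUsers to get it back, and note that the 90 days then count from the time the password was set on-premises, not from when the flag was enabled. The setting name is quoted with double quotes twice and single quotes once in the same bullet; use one style, ideally code formatting.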
active-directory Reference Connect Version History https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/reference-connect-version-history.md
If you want all the latest features and updates, check this page and install wha
To read more about auto-upgrade, see [Azure AD Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md).
+## 2.0.91.0
+
+### Release status
+
+01/19/2022: Released for download only, not available for auto upgrade
+
+### Functional changes
+
+- We updated the Azure AD Connect Health component in this release from version 3.1.110.0 to version 3.2.1823.12. This new version provides compliance of the Azure AD Connect Health component with the [Federal Information Processing Standards (FIPS)](https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips) requirements.
+ ## 2.0.89.0 ### Release status
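Review bot: the release is marked "download only, not available for auto upgrade", but nothing says why or whether existing installs should pull it; a one-line reason would help admins decide. The FIPS statement gives the Health component versions (3.1.110.0 to 3.2.1823.12) but not what changes operationally, for example whether servers with a FIPS policy enforced were affected on the old component or need any configuration after upgrading; add that, and consider adding the usual known issues or bug fixes subsection, or state explicitly that this release has none.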
active-directory Tshoot Connect Sync Errors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/tshoot-connect-sync-errors.md
Title: 'Azure AD Connect: Troubleshooting Errors during synchronization | Microsoft Docs'
-description: Explains how to troubleshoot errors encountered during synchronization with Azure AD Connect.
+ Title: 'Azure AD Connect: Troubleshoot errors during synchronization | Microsoft Docs'
+description: This article explains how to troubleshoot errors that occur during synchronization with Azure AD Connect.
documentationcenter: ''
-# Troubleshooting Errors during synchronization
-Errors could occur when identity data is synchronized from Windows Server Active Directory (AD DS) to Azure Active Directory (Azure AD). This article provides an overview of different types of sync errors, some of the possible scenarios that cause those errors and potential ways to fix the errors. This article includes the common error types and may not cover all the possible errors.
+# Troubleshoot errors during synchronization
- This article assumes the reader is familiar with the underlying [design concepts of Azure AD and Azure AD Connect](plan-connect-design-concepts.md).
+Errors can occur when identity data is synced from Windows Server Active Directory to Azure Active Directory (Azure AD). This article provides an overview of different types of sync errors, some of the possible scenarios that cause those errors, and potential ways to fix the errors. This article includes common error types and might not cover all possible errors.
-With the latest version of Azure AD Connect \(August 2016 or higher\), a report of Synchronization Errors is available in the [Azure portal](https://aka.ms/aadconnecthealth) as part of Azure AD Connect Health for sync.
+ This article assumes you're familiar with the underlying [design concepts of Azure AD and Azure AD Connect](plan-connect-design-concepts.md).
-Starting September 1, 2016 [Azure Active Directory Duplicate Attribute Resiliency](how-to-connect-syncservice-duplicate-attribute-resiliency.md) feature will be enabled by default for all the *new* Azure Active Directory Tenants. This feature will be automatically enabled for existing tenants in the upcoming months.
+With the latest version of Azure AD Connect \(August 2016 or higher\), a Synchronization Errors Report is available in the [Azure portal](https://aka.ms/aadconnecthealth) as part of Azure AD Connect Health for sync.
-Azure AD Connect performs three types of operations from the directories it keeps in sync: Import, Synchronization, and Export. Errors can take place in all the operations. This article mainly focuses on errors during Export to Azure AD.
+Starting September 1, 2016, [Azure AD duplicate attribute resiliency](how-to-connect-syncservice-duplicate-attribute-resiliency.md) is enabled by default for all the *new* Azure AD tenants. This feature is automatically enabled for existing tenants.
-## Errors during Export to Azure AD
-Following section describes different types of synchronization errors that can occur during the export operation to Azure AD using the Azure AD connector. This connector can be identified by the name format being "contoso.*onmicrosoft.com*".
-Errors during Export to Azure AD indicate that the operation \(add, update, delete etc.\) attempted by Azure AD Connect \(Sync Engine\) on Azure Active Directory failed.
+Azure AD Connect performs three types of operations from the directories it keeps in sync: Import, Synchronization, and Export. Errors can occur in all three operations. This article mainly focuses on errors during export to Azure AD.
-![Export Errors Overview](./media/tshoot-connect-sync-errors/Export_Errors_Overview_01.png)
+## Errors during export to Azure AD
+
+The following section describes different types of synchronization errors that can occur during the export operation to Azure AD by using the Azure AD connector. You can identify this connector by the name format contoso.*onmicrosoft.com*.
+Errors during export to Azure AD indicate that an operation like add, update, or delete attempted by Azure AD Connect \(sync engine\) on Azure AD failed.
+
+![Diagram that shows the export errors overview.](./media/tshoot-connect-sync-errors/Export_Errors_Overview_01.png)
+
+## Data mismatch errors
+
+This section discusses data mismatch errors.
-## Data Mismatch Errors
### InvalidSoftMatch+ #### Description
-* When Azure AD Connect \(sync engine\) instructs Azure Active Directory to add or update objects, Azure AD matches the incoming object using the **sourceAnchor** attribute to the **immutableId** attribute of objects in Azure AD. This match is called a **Hard Match**.
-* When Azure AD **does not find** any object that matches the **immutableId** attribute with the **sourceAnchor** attribute of the incoming object, before provisioning a new object, it falls back to use the ProxyAddresses and UserPrincipalName attributes to find a match. This match is called a **Soft Match**. The Soft Match is designed to match objects already present in Azure AD (that are sourced in Azure AD) with the new objects being added/updated during synchronization that represent the same entity (users, groups) on premises.
-* **InvalidSoftMatch** error occurs when the hard match does not find any matching object **AND** soft match finds a matching object but that object has a different value of *immutableId* than the incoming object's *SourceAnchor*, suggesting that the matching object was synchronized with another object from on premises Active Directory.
-In other words, in order for the soft match to work, the object to be soft-matched with should not have any value for the *immutableId*. If any object with *immutableId* set with a value is failing the hard-match but satisfying the soft-match criteria, the operation would result in an InvalidSoftMatch synchronization error.
+* When Azure AD Connect \(sync engine\) instructs Azure AD to add or update objects, Azure AD matches the incoming object by using the **sourceAnchor** attribute and matching it to the **immutableId** attribute of objects in Azure AD. This match is called a *hard match*.
+* When Azure AD *doesn't find* any object that matches the **immutableId** attribute with the **sourceAnchor** attribute of the incoming object, before Azure AD provisions a new object, it falls back to use the **proxyAddresses** and **userPrincipalName** attributes to find a match. This match is called a *soft match*. The soft match matches objects already present in Azure AD (that are sourced in Azure AD) with the new objects being added or updated during synchronization that represent the same entity (like users and groups) on-premises.
+* The InvalidSoftMatch error occurs when the hard match doesn't find any matching object *and* the soft match finds a matching object, but that object has a different **immutableId** value than the incoming object's **sourceAnchor** attribute. This mismatch suggests that the matching object was synced with another object from on-premises Active Directory.
+
+In other words, for the soft match to work, the object to be soft-matched with shouldn't have any value for the **immutableId** attribute. If any object with the **immutableId** attribute set with a value fails the hard match but satisfies the soft-match criteria, the operation results in an InvalidSoftMatch synchronization error.
-Azure Active Directory schema does not allow two or more objects to have the same value of the following attributes. \(This is not an exhaustive list.\)
+Azure AD schema doesn't allow two or more objects to have the same value of the following attributes. This list isn't exhaustive:
-* ProxyAddresses
-* UserPrincipalName
+* proxyAddresses
+* userPrincipalName
* onPremisesSecurityIdentifier
-* ObjectId
+* objectId
+
+[Azure AD attribute duplicate attribute resiliency](how-to-connect-syncservice-duplicate-attribute-resiliency.md) is also being rolled out as the default behavior of Azure AD. This feature reduces the number of synchronization errors seen by Azure AD Connect and other sync clients. It makes Azure AD more resilient in the way it handles duplicated **proxyAddresses** and **userPrincipalName** attributes present in on-premises Active Directory environments.
+
+This feature doesn't fix the duplication errors, so the data still needs to be fixed. But it allows provisioning of new objects that are otherwise blocked from being provisioned because of duplicated values in Azure AD. This capability will also reduce the number of synchronization errors returned to the synchronization client.
> [!NOTE]
-> [Azure AD Attribute Duplicate Attribute Resiliency](how-to-connect-syncservice-duplicate-attribute-resiliency.md) feature is also being rolled out as the default behavior of Azure Active Directory. This will reduce the number of synchronization errors seen by Azure AD Connect (as well as other sync clients) by making Azure AD more resilient in the way it handles duplicated ProxyAddresses and UserPrincipalName attributes present in on premises AD environments. This feature does not fix the duplication errors. So the data still needs to be fixed. But it allows provisioning of new objects which are otherwise blocked from being provisioned due to duplicated values in Azure AD. This will also reduce the number of synchronization errors returned to the synchronization client.
-> If this feature is enabled for your Tenant, you will not see the InvalidSoftMatch synchronization errors seen during provisioning of new objects.
->
+> If Azure AD attribute duplicate attribute resiliency is enabled for your tenant, you won't see the InvalidSoftMatch synchronization errors seen during provisioning of new objects.
>
-#### Example Scenarios for InvalidSoftMatch
-1. Two or more objects with the same value for the ProxyAddresses attribute exist in on-premises Active Directory. Only one is getting provisioned in Azure AD.
-2. Two or more objects with the same value for the userPrincipalName attribute exists in on-premises Active Directory. Only one is getting provisioned in Azure AD.
-3. An object was added in the on premises Active Directory with the same value of ProxyAddresses attribute as that of an existing object in Azure Active Directory. The object added on premises is not getting provisioned in Azure Active Directory.
-4. An object was added in on premises Active Directory with the same value of userPrincipalName attribute as that of an account in Azure Active Directory. The object is not getting provisioned in Azure Active Directory.
-5. A synced account was moved from Forest A to Forest B. Azure AD Connect (sync engine) was using ObjectGUID attribute to compute the SourceAnchor. After the forest move, the value of the SourceAnchor is different. The new object (from Forest B) is failing to sync with the existing object in Azure AD.
-6. A synced object got accidentally deleted from on premises Active Directory and a new object was created in Active Directory for the same entity (such as user) without deleting the account in Azure Active Directory. The new account fails to sync with the existing Azure AD object.
-7. Azure AD Connect was uninstalled and reinstalled. During the reinstallation, a different attribute was chosen as the SourceAnchor. All the objects that had previously synced stopped syncing with InvalidSoftMatch error.
-
-#### Example case:
-1. **Bob Smith** is a synced user in Azure Active Directory from on premises Active Directory of *contoso.com*
-2. Bob Smith's **UserPrincipalName** is set as **bobs\@contoso.com**.
-3. **"abcdefghijklmnopqrstuv=="** is the **SourceAnchor** calculated by Azure AD Connect using Bob Smith's **objectGUID** from on premises Active Directory, which is the **immutableId** for Bob Smith in Azure Active Directory.
-4. Bob also has following values for the **proxyAddresses** attribute:
+#### Example scenarios for an InvalidSoftMatch error
+
+- Two or more objects with the same value for the **proxyAddresses** attribute exist in on-premises Active Directory. Only one is getting provisioned in Azure AD.
+- Two or more objects with the same value for the **userPrincipalName** attribute exist in on-premises Active Directory. Only one is getting provisioned in Azure AD.
+- An object was added in on-premises Active Directory with the same value for the **proxyAddresses** attribute as that of an existing object in Azure AD. The object added on-premises isn't getting provisioned in Azure AD.
+- An object was added in on-premises Active Directory with the same value for the **userPrincipalName** attribute as that of an account in Azure AD. The object isn't getting provisioned in Azure AD.
+- A synced account was moved from Forest A to Forest B. Azure AD Connect (sync engine) was using the **objectGUID** attribute to compute the **sourceAnchor** attribute. After the forest move, the value of the **sourceAnchor** attribute is different. The new object from Forest B fails to sync with the existing object in Azure AD.
+- A synced object was accidentally deleted from on-premises Active Directory and a new object was created in Active Directory for the same entity (such as user) without deleting the account in Azure AD. The new account fails to sync with the existing Azure AD object.
+- Azure AD Connect was uninstalled and reinstalled. During the reinstallation, a different attribute was chosen as the **sourceAnchor** attribute. All the objects that had previously synced stopped syncing with the InvalidSoftMatch error.
+
+#### Example case
+
+1. Bob Smith is a synced user in Azure AD from the on-premises Active Directory of *contoso.com*.
+1. Bob Smith's user principal name is set as bobs\@contoso.com.
+1. The **sourceAnchor** attribute of **"abcdefghijklmnopqrstuv=="** is calculated by Azure AD Connect by using Bob Smith's **objectGUID** attribute from on-premises Active Directory. This attribute is the **immutableId** attribute for Bob Smith in Azure AD.
+1. Bob also has the following values for the **proxyAddresses** attribute:
* smtp: bobs@contoso.com * smtp: bob.smith@contoso.com
- * **smtp: bob\@contoso.com**
-5. A new user, **Bob Taylor**, is added to the on premises Active Directory.
-6. Bob Taylor's **UserPrincipalName** is set as **bobt\@contoso.com**.
-7. **"abcdefghijkl0123456789==""** is the **sourceAnchor** calculated by Azure AD Connect using Bob Taylor's **objectGUID** from on premises Active Directory. Bob Taylor's object has NOT synced to Azure Active Directory yet.
-8. Bob Taylor has the following values for the proxyAddresses attribute
+ * smtp: bob\@contoso.com
+1. A new user, Bob Taylor, is added to the on-premises Active Directory.
+1. Bob Taylor's user principal name is set as bobt\@contoso.com.
+1. The **sourceAnchor** attribute of **"abcdefghijkl0123456789=="** is calculated by Azure AD Connect by using Bob Taylor's **objectGUID** attribute from on-premises Active Directory. Bob Taylor's object has *not* synced to Azure AD yet.
+1. Bob Taylor has the following values for the **proxyAddresses** attribute:
* smtp: bobt@contoso.com * smtp: bob.taylor@contoso.com
- * **smtp: bob\@contoso.com**
-9. During sync, Azure AD Connect will recognize the addition of Bob Taylor in on premises Active Directory and ask Azure AD to make the same change.
-10. Azure AD will first perform hard match. That is, it will search if there is any object with the immutableId equal to "abcdefghijkl0123456789==". Hard Match will fail as no other object in Azure AD will have that immutableId.
-11. Azure AD will then attempt to soft-match Bob Taylor. That is, it will search if there is any object with proxyAddresses equal to the three values, including smtp: bob@contoso.com
-12. Azure AD will find Bob Smith's object to match the soft-match criteria. But this object has the value of immutableId = "abcdefghijklmnopqrstuv==". which indicates this object was synced from another object from on premises Active Directory. Thus, Azure AD cannot soft-match these objects and results in an **InvalidSoftMatch** sync error.
+ * smtp: bob\@contoso.com
+1. During sync, Azure AD Connect recognizes the addition of Bob Taylor in on-premises Active Directory and asks Azure AD to make the same change.
+1. Azure AD first performs a hard match. That is, it searches for any object with the **immutableId** attribute equal to **"abcdefghijkl0123456789=="**. The hard match fails because no other object in Azure AD has that **immutableId** attribute.
+1. Azure AD then performs a soft match to find Bob Taylor. That is, it searches to see if there's any object with **proxyAddresses** attributes equal to the three values, including smtp: bob@contoso.com.
+1. Azure AD finds Bob Smith's object to match the soft-match criteria. But this object has the value of **immutableId = "abcdefghijklmnopqrstuv=="**, which indicates this object was synced from another object from on-premises Active Directory. Azure AD can't soft match these objects so an InvalidSoftMatch sync error is thrown.
+
+#### Fix the InvalidSoftMatch error
-#### How to fix InvalidSoftMatch error
-The most common reason for the InvalidSoftMatch error is two objects with different SourceAnchor \(immutableId\) have the same value for the ProxyAddresses and/or UserPrincipalName attributes, which are used during the soft-match process on Azure AD. In order to fix the Invalid Soft Match
+The most common reason for the InvalidSoftMatch error is two objects with different **sourceAnchor** \(**immutableId**\) attributes that have the same value for the **proxyAddresses** or **userPrincipalName** attributes, which are used during the soft-match process on Azure AD. To fix the InvalidSoftMatch error:
-1. Identify the duplicated proxyAddresses, userPrincipalName, or other attribute value that's causing the error. Also identify which two \(or more\) objects are involved in the conflict. The report generated by [Azure AD Connect Health for sync](./how-to-connect-health-sync.md) can help you identify the two objects.
-2. Identify which object should continue to have the duplicated value and which object should not.
-3. Remove the duplicated value from the object that should NOT have that value. You should make the change in the directory where the object is sourced from. In some cases, you may need to delete one of the objects in conflict.
-4. If you made the change in the on premises AD, let Azure AD Connect sync the change.
+1. Identify the duplicated **proxyAddresses**, **userPrincipalName**, or other attribute value that's causing the error. Also identify which two or more objects are involved in the conflict. The report generated by [Azure AD Connect Health for sync](./how-to-connect-health-sync.md) can help you identify the two objects.
+1. Identify which object should continue to have the duplicated value and which object should not.
+1. Remove the duplicated value from the object that should *not* have that value. Make the change in the directory from where the object is sourced. In some cases, you might need to delete one of the objects in conflict.
+1. If you made the change in on-premises Active Directory, let Azure AD Connect sync the change.
Sync error reports within Azure AD Connect Health for sync are updated every 30 minutes and include the errors from the latest synchronization attempt. > [!NOTE]
-> ImmutableId, by definition, should not change in the lifetime of the object. If Azure AD Connect was not configured with some of the scenarios in mind from the above list, you could end up in a situation where Azure AD Connect calculates a different value of the SourceAnchor for the AD object that represents the same entity (same user/group/contact etc) that has an existing Azure AD Object that you wish to continue using.
+> The **ImmutableId** attribute, by definition, shouldn't change in the lifetime of the object. But maybe Azure AD Connect wasn't configured with some of the scenarios in mind from the preceding list. In that case, Azure AD Connect might calculate a different value of the **sourceAnchor** attribute for the Active Directory object that represents the same entity (same user, group, or contact) that has an existing Azure AD object that you want to continue using.
> >
-#### Related Articles
-* [Duplicate or invalid attributes prevent directory synchronization in Microsoft 365](https://support.microsoft.com/kb/2647098)
+#### Related article
+
+[Duplicate or invalid attributes prevent directory synchronization in Microsoft 365](https://support.microsoft.com/kb/2647098)
### ObjectTypeMismatch+ #### Description
-When Azure AD attempts to soft match two objects, it is possible that two objects of different "object type" (such as User, Group, Contact etc.) have the same values for the attributes used to perform the soft match. As duplication of these attributes is not permitted in Azure AD, the operation can result in "ObjectTypeMismatch" synchronization error.
-#### Example Scenarios for ObjectTypeMismatch error
-* A mail enabled security group is created in Microsoft 365. Admin adds a new user or contact in on premises AD (that's not synchronized to Azure AD yet) with the same value for the ProxyAddresses attribute as that of the Microsoft 365 group.
+When Azure AD attempts to soft match two objects, it's possible that two objects of different "object type," like user, group, or contact, have the same values for the attributes used to perform the soft match. Because duplication of these attributes isn't permitted in Azure AD, the operation can result in an ObjectTypeMismatch sync error.
+
+#### Example scenario for an ObjectTypeMismatch error
+
+A mail-enabled security group is created in Microsoft 365. The admin adds a new user or contact in on-premises Active Directory that isn't synced to Azure AD yet with the same value for the **proxyAddresses** attribute as that of the Microsoft 365 group.
#### Example case
-1. Admin creates a new mail enabled security group in Microsoft 365 for the Tax department and provides an email address as tax@contoso.com. This group is assigned the ProxyAddresses attribute value of **smtp: tax\@contoso.com**
-2. A new user joins Contoso.com and an account is created for the user on premises with the proxyAddress as **smtp: tax\@contoso.com**
-3. When Azure AD Connect will sync the new user account, it will get the "ObjectTypeMismatch" error.
-#### How to fix ObjectTypeMismatch error
-The most common reason for the ObjectTypeMismatch error is two objects of different type (User, Group, Contact etc.) have the same value for the ProxyAddresses attribute. In order to fix the ObjectTypeMismatch:
+1. An admin creates a new mail-enabled security group in Microsoft 365 for the Tax department and provides an email address as tax@contoso.com. This group is assigned the **proxyAddresses** attribute value of **smtp: tax\@contoso.com**.
+1. A new user joins Contoso.com and an account is created for the user on-premises with the **proxyAddresses** attribute as **smtp: tax\@contoso.com**.
+1. When Azure AD Connect syncs the new user account, it gets the ObjectTypeMismatch error.
-1. Identify the duplicated proxyAddresses (or other attribute) value that's causing the error. Also identify which two \(or more\) objects are involved in the conflict. The report generated by [Azure AD Connect Health for sync](./how-to-connect-health-sync.md) can help you identify the two objects.
-2. Identify which object should continue to have the duplicated value and which object should not.
-3. Remove the duplicated value from the object that should NOT have that value. Note that you should make the change in the directory where the object is sourced from. In some cases, you may need to delete one of the objects in conflict.
-4. If you made the change in the on premises AD, let Azure AD Connect sync the change. Sync error report within Azure AD Connect Health for sync gets updated every 30 minutes and includes the errors from the latest synchronization attempt.
+#### Fix the ObjectTypeMismatch error
+
+The most common reason for the ObjectTypeMismatch error is that two objects of different type, like user, group, or contact, have the same value for the **proxyAddresses** attribute. To fix the ObjectTypeMismatch error:
+
+1. Identify the duplicated **proxyAddresses** (or other attribute) value that's causing the error. Also identify which two or more objects are involved in the conflict. The report generated by [Azure AD Connect Health for sync](./how-to-connect-health-sync.md) can help you identify the two objects.
+1. Identify which object should continue to have the duplicated value and which object should not.
+1. Remove the duplicated value from the object that should *not* have that value. Make the change in the directory where the object is sourced from. In some cases, you might need to delete one of the objects in conflict.
+1. If you made the change in the on-premises AD, let Azure AD Connect sync the change. The sync error report in Azure AD Connect Health for sync is updated every 30 minutes. The report includes the errors from the latest synchronization attempt.
+
+## Duplicate attributes
+
+This section discusses duplicate attribute errors.
-## Duplicate Attributes
### AttributeValueMustBeUnique+ #### Description
-Azure Active Directory schema does not allow two or more objects to have the same value of the following attributes. That is each object in Azure AD is forced to have a unique value of these attributes at a given instance.
-* Mail
-* ProxyAddresses
-* SignInName
-* UserPrincipalName
+Azure AD schema doesn't allow two or more objects to have the same value of the following attributes. Each object in Azure AD is forced to have a unique value of these attributes at a given instance:
-If Azure AD Connect attempts to add a new object or update an existing object with a value for the above attributes that is already assigned to another object in Azure Active Directory, the operation results in the "AttributeValueMustBeUnique" sync error.
+* mail
+* proxyAddresses
+* signInName
+* userPrincipalName
-#### Possible Scenarios:
-1. Duplicate value is assigned to an already synced object, which conflicts with another synced object.
+If Azure AD Connect attempts to add a new object or update an existing object with a value for the preceding attributes that's already assigned to another object in Azure AD, the operation results in the AttributeValueMustBeUnique sync error.
-#### Example case:
-1. **Bob Smith** is a synced user in Azure Active Directory from on premises Active Directory of contoso.com
-2. Bob Smith's **UserPrincipalName** on premises is set as **bobs\@contoso.com**.
-3. Bob also has following values for the **proxyAddresses** attribute:
+#### Possible scenario
+
+A duplicate value is assigned to an already synced object, which conflicts with another synced object.
+
+#### Example case
+
+1. Bob Smith is a synced user in Azure AD from the on-premises Active Directory of contoso.com.
+1. Bob Smith's user principal name on-premises is set as bobs\@contoso.com.
+1. Bob also has the following values for the **proxyAddresses** attribute:
* smtp: bobs@contoso.com * smtp: bob.smith@contoso.com
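Review bot: "forced to have a unique value of these attributes at a given instance" in the rewritten description is unclear; "at any given time" is what is meant. The escaped form `bobs\@contoso.com` in the example steps is also inconsistent with the unescaped `smtp: bobs@contoso.com` in the bullets that follow; pick one form and use it throughout the example.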
- * **smtp: bob\@contoso.com**
-4. A new user, **Bob Taylor**, is added to the on premises Active Directory.
-5. Bob Taylor's **UserPrincipalName** is set as **bobt\@contoso.com**.
-6. **Bob Taylor** has the following values for the **ProxyAddresses** attribute
- i. smtp: bobt@contoso.com
- ii. smtp: bob.taylor@contoso.com
-7. Bob Taylor's object is synchronized with Azure AD successfully.
-8. Admin decided to update Bob Taylor's **ProxyAddresses** attribute with the following value:
- i. **smtp: bob\@contoso.com**
-9. Azure AD will attempt to update Bob Taylor's object in Azure AD with the above value, but that operation will fail as that ProxyAddresses value is already assigned to Bob Smith, resulting in "AttributeValueMustBeUnique" error.
-
-#### How to fix AttributeValueMustBeUnique error
-The most common reason for the AttributeValueMustBeUnique error is two objects with different SourceAnchor \(immutableId\) have the same value for the ProxyAddresses and/or UserPrincipalName attributes. In order to fix AttributeValueMustBeUnique error
-
-1. Identify the duplicated proxyAddresses, userPrincipalName or other attribute value that's causing the error. Also identify which two \(or more\) objects are involved in the conflict. The report generated by [Azure AD Connect Health for sync](./how-to-connect-health-sync.md) can help you identify the two objects.
-2. Identify which object should continue to have the duplicated value and which object should not.
-3. Remove the duplicated value from the object that should NOT have that value. Note that you should make the change in the directory where the object is sourced from. In some cases, you may need to delete one of the objects in conflict.
-4. If you made the change in the on premises AD, let Azure AD Connect sync the change for the error to get fixed.
-
-#### Related Articles
--[Duplicate or invalid attributes prevent directory synchronization in Microsoft 365](https://support.microsoft.com/kb/2647098)-
-## Data Validation Failures
+ * smtp: bob\@contoso.com
+1. A new user, Bob Taylor, is added to on-premises Active Directory.
+1. Bob Taylor's user principal name is set as bobt\@contoso.com.
+1. Bob Taylor has the following values for the **proxyAddresses** attribute:
+ * smtp: bobt@contoso.com
+ * smtp: bob.taylor@contoso.com
+1. Bob Taylor's object is synced with Azure AD successfully.
+1. The admin decided to update Bob Taylor's **proxyAddresses** attribute with the following value:
+ * smtp: bob\@contoso.com
+1. Azure AD attempts to update Bob Taylor's object in Azure AD with the preceding value, but that operation fails because that **proxyAddresses** value is already assigned to Bob Smith. The result is an AttributeValueMustBeUnique error.
+
+#### Fix the AttributeValueMustBeUnique error
+
+The most common reason for the AttributeValueMustBeUnique error is that two objects with different **sourceAnchor** \(**immutableId**\) attributes have the same value for the **proxyAddresses** or **userPrincipalName** attributes. To fix the AttributeValueMustBeUnique error:
+
+1. Identify the duplicated **proxyAddresses**, **userPrincipalName**, or other attribute value that's causing the error. Also identify which two or more objects are involved in the conflict. The report generated by [Azure AD Connect Health for sync](./how-to-connect-health-sync.md) can help you identify the two objects.
+1. Identify which object should continue to have the duplicated value and which object should not.
+1. Remove the duplicated value from the object that should *not* have that value. Make the change in the directory from where the object is sourced. In some cases, you might need to delete one of the objects in conflict.
+1. If you made the change in on-premises Active Directory, let Azure AD Connect sync the change for the error to get fixed.
+
+#### Related article
+
+[Duplicate or invalid attributes prevent directory synchronization in Microsoft 365](https://support.microsoft.com/kb/2647098)
+
+## Data validation failures
+
+This section discusses data validation failures.
+ ### IdentityDataValidationFailed+ #### Description
-Azure Active Directory enforces various restrictions on the data itself before allowing that data to be written into the directory. These restrictions are to ensure that end users get the best possible experiences while using the applications that depend on this data.
+
+Azure AD enforces various restrictions on the data itself before allowing that data to be written into the directory. These restrictions are to ensure that end users get the best possible experiences while using the applications that depend on this data.
#### Scenarios
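Review bot: the rewritten fix step "Make the change in the directory from where the object is sourced" reads awkwardly and differs from the parallel ObjectTypeMismatch step "in the directory where the object is sourced from"; use the same wording in both. The step "In some cases, you might need to delete one of the objects in conflict" should say which object, the one that should not own the value, before advising deletion, since deciding that is the point of the previous step. "This section discusses data validation failures." under `## Data validation failures` is filler, as in the previous section.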
-a. The UserPrincipalName attribute value has invalid/unsupported characters.
-b. The UserPrincipalName attribute does not follow the required format.
-#### How to fix IdentityDataValidationFailed error
-a. Ensure that the userPrincipalName attribute has supported characters and required format.
+- The **userPrincipalName** attribute value has invalid or unsupported characters.
+- The **userPrincipalName** attribute doesn't follow the required format.
+
+The result of the preceding scenarios is an IdentityDataValidationFailed error.
+
+#### Fix the IdentityDataValidationFailed error
+
+Ensure that the **userPrincipalName** attribute has supported characters and the required format.
+
+#### Related article
-#### Related Articles
-* [Prepare to provision users through directory synchronization to Microsoft 365](https://support.office.com/article/Prepare-to-provision-users-through-directory-synchronization-to-Office-365-01920974-9e6f-4331-a370-13aea4e82b3e)
+[Prepare to provision users through directory synchronization to Microsoft 365](https://support.office.com/article/Prepare-to-provision-users-through-directory-synchronization-to-Office-365-01920974-9e6f-4331-a370-13aea4e82b3e)
-## Deletion access violation and Password access violation errors
+## Deletion access violation and password access violation errors
-Azure Active Directory protects cloud only objects from being updated through Azure AD Connect. While it is not possible to update these objects through Azure AD Connect, calls can be made directly to the AADConnect cloud side backend to attempt to change cloud only objects. When doing so, the following errors can be returned:
+Azure AD protects cloud-only objects from being updated through Azure AD Connect. While it isn't possible to update these objects through Azure AD Connect, calls can be made directly to the AADConnect cloud-side back end to attempt to change cloud-only objects. When doing so, the following errors can be returned:
-* This synchronization operation, Delete, is not valid. Contact Technical Support.
-* Unable to process this update as one or more cloud only users credential update is included in current request.
-* Deleting a cloud only object is not supported. Please contact Microsoft Customer Support.
-* The password change request cannot be executed since it contains changes to one or more cloud only user objects, which is not supported. Please contact Microsoft Customer Support.
+* This synchronization operation, Delete, isn't valid. Contact Technical Support.
+* Unable to process this update because one or more cloud-only users' credential update is included in the current request.
+* Deleting a cloud-only object isn't supported. Contact Microsoft Customer Support.
+* The password change request can't be executed because it contains changes to one or more cloud-only user objects, which isn't supported. Contact Microsoft Customer Support.
## LargeObject or ExceededAllowedLength
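Review bot: the four bullets under "Deletion access violation and password access violation errors" are presented as the literal errors the cloud-side back end returns, yet the hunk rewords them ("is not valid" becomes "isn't valid", "Please contact" becomes "Contact", "cloud only users credential update" becomes "cloud-only users' credential update"); an admin pasting the exact message they received into search will no longer match this page. Keep the quoted strings verbatim and apply the style rewrite to the surrounding prose only. In the IdentityDataValidationFailed fix, "supported characters and the required format" would be more useful with a pointer to the related article directly below it, which is where those rules are defined.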
+This section discusses LargeObject or ExceededAllowedLength errors.
+ ### Description
-When an attribute exceeds the allowed size limit, length limit or count limit set by Azure Active Directory schema, the synchronization operation results in a **LargeObject** or **ExceededAllowedLength** sync error. Typically this error occurs for the following attributes
+
+When an attribute exceeds the allowed size limit, length limit, or count limit set by Azure AD schema, the synchronization operation results in a LargeObject or ExceededAllowedLength sync error. Typically, this error occurs for the following attributes:
* userCertificate * userSMIMECertificate * thumbnailPhoto * proxyAddresses
-Azure AD does not impose limits per attribute, except for a hard-coded limit of 15 certificates in UserCertificate attribute and up to 100 attributes for [Directory extensions](how-to-connect-sync-feature-directory-extensions.md) with a maximum of 250 characters for each directory extension. However, there is a size limit for the whole object so when Azure AD Connect tries to synchronize an object that exceeds this object size limit, an export error is thrown.
-All attributes contribute to the object's final size and some attributes have different weight multipliers due to additional processing overhead (e.g., indexed values). Additionally, different cloud services, service plans, and licenses may be assigned to the account which consumes even more attributes that also contribute to the overall size of the object.
-Therefore, it's not possible to determine exactly how many entries can an attribute hold in Azure AD (for example, how many SMTP addresses can fit in ProxyAddresses), because that depends on the size and multiplying factors of all the attributes populated in the object.
+Azure AD doesn't impose limits per attribute, except for a hard-coded limit of 15 certificates in the **userCertificate** attribute and up to 100 attributes for [Directory extensions](how-to-connect-sync-feature-directory-extensions.md) with a maximum of 250 characters for each directory extension. There's a size limit for the whole object. When Azure AD Connect tries to sync an object that exceeds this object size limit, an export error is thrown.
+
+All attributes contribute to the object's final size. Some attributes have different weight multipliers because of additional processing overhead. An example is indexed values. Also, different cloud services, service plans, and licenses might be assigned to the account, which consume even more attributes and contribute to the overall size of the object.
-### Possible Scenarios
+It isn't possible to determine exactly how many entries an attribute can hold in Azure AD, for example, how many SMTP addresses can fit in the **proxyAddresses** attribute. The amount depends on the size and multiplying factors of all the attributes populated in the object.
-1. Bob's userCertificate attribute is storing too many certificates assigned to Bob. These may include older, expired certificates. The hard limit is 15 certificates. For more information on how to handle LargeObject errors with userCertificate attribute, please refer to article [Handling LargeObject errors caused by userCertificate attribute](tshoot-connect-largeobjecterror-usercertificate.md).
-2. Bob's userSMIMECertificate attribute is storing too many certificates assigned to Bob. These may include older, expired certificates. The hard limit is 15 certificates.
-3. Bob's thumbnailPhoto set in Active Directory is too large to be synced in Azure AD.
-4. During automatic population of the ProxyAddresses attribute in Active Directory, an object has too many ProxyAddresses assigned.
+### Possible scenarios
-Below are some examples which demonstrate the different weighs of attributes like UserCertificate and ProxyAddresses:
+- Bob's **userCertificate** attribute is storing too many certificates assigned to Bob. These certificates might include older, expired certificates. The hard limit is 15 certificates. For more information on how to handle LargeObject errors with the **userCertificate** attribute, see [Handling LargeObject errors caused by userCertificate attribute](tshoot-connect-largeobjecterror-usercertificate.md).
+- Bob's **userSMIMECertificate** attribute is storing too many certificates assigned to Bob. These certificates might include older, expired certificates. The hard limit is 15 certificates.
+- Bob's **thumbnailPhoto** attribute set in Active Directory is too large to be synced in Azure AD.
+- During automatic population of the **proxyAddresses** attribute in Active Directory, an object has too many **proxyAddresses** attributes assigned.
-1. A synchronized user which doesnΓÇÖt have any attributes populated other than the mandatory AD attributes and a Mail might be able to sync up to 332 ProxyAddresses.
-2. For a similar synchronized user that has a mailNickname, plus 10 UserCertificates, the maximum number of ProxyAddresses decreases to 329.
-3. If a similar synchronized user with 10 UserCertificates plus for instance 4 subscriptions assigned (with all Service Plans enabled), the maximum number of ProxyAddresses decreases to 311.
-4. Now letΓÇÖs take the above user which already holds the maximum number of ProxyAddresses, and say you need to add 1 more smtp address - to achieve 312 ProxyAddresses you would need to remove at least 3 UserCertificates (depending on the size of the certificate).
+The following examples demonstrate the different weights of attributes like **userCertificate** and **proxyAddresses**:
+
+- A synced user that doesn't have any attributes populated other than the mandatory Active Directory attributes and Mail might be able to sync up to 332 proxy addresses.
+- For a similar synced user that has a **mailNickName** attribute, plus 10 user certificates, the maximum number of proxy addresses decreases to 329.
+- If a similar synced user with 10 user certificates plus, for instance, 4 subscriptions assigned (with all service plans enabled), the maximum number of proxy addresses decreases to 311.
+- Now let's take the preceding user, which already holds the maximum number of proxy addresses, and say you need to add one more SMTP address. To achieve 312 proxy addresses, you would need to remove at least three user certificates (depending on the size of the certificate).
>[!NOTE]
-> These numbers can vary slightly. As a rule of thumb, it is safer to assume that the limit of smtp addresses in ProxyAddresses is approximately 300 addresses to leave the room for the future growth of the object and its populated attributes.
+> These numbers can vary slightly. As a rule of thumb, it's safer to assume that the limit of SMTP addresses in the **proxyAddresses** attribute is approximately 300 addresses to leave room for future growth of the object and its populated attributes.
-### How to fix
+### Fix the LargeObject or ExceededAllowedLength error
-Review the user properties and remove attribute values that may no longer be required like revoked or expired certificates, outdated or unnecessary addresses (SMTP, X.400, X.500, MSMail, CcMail, etc)
+Review the user properties and remove attribute values that might no longer be required. Examples include revoked or expired certificates and outdated or unnecessary addresses, such as SMTP, X.400, X.500, MSMail, and CcMail.
## Existing Admin Role Conflict ### Description
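Review bot: "an object has too many **proxyAddresses** attributes assigned" in the possible scenarios is wrong: proxyAddresses is one multi-valued attribute, so the object has too many proxyAddresses values (the deleted line said "too many ProxyAddresses assigned"). In the weight examples, `mailNickName` should be `mailNickname`, the attribute's LDAP display name, and "the mandatory Active Directory attributes and Mail" should use the same bold lowercase form (**mail**) the page uses elsewhere. Dropping "However" before "There's a size limit for the whole object" also loses the contrast with the preceding "doesn't impose limits per attribute"; "There is, however, a size limit for the whole object" keeps it. The fix paragraph could reuse the point the examples make, that certificates weigh more than addresses, by advising to remove expired or revoked certificates first.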
-An **Existing Admin Role Conflict** will occur on a user object during synchronization when that user object has:
-- administrative permissions and-- the same UserPrincipalName as an existing Azure AD object
+An Existing Admin Role Conflict sync error occurs on a user object during synchronization when that user object has:
+
+- Administrative permissions.
+- The same **userPrincipalName** attribute as an existing Azure AD object.
-Azure AD Connect is not allowed to soft match a user object from on-premises AD with a user object in Azure AD that has an administrative role assigned to it. For more information see [Azure AD UserPrincipalName population](plan-connect-userprincipalname.md)
+Azure AD Connect isn't allowed to soft match a user object from on-premises AD with a user object in Azure AD that has an administrative role assigned to it. For more information, see [Azure AD userPrincipalName population](plan-connect-userprincipalname.md).
-![Existing Admin](media/tshoot-connect-sync-errors/existingadmin.png)
+![Screenshot that shows the number of Existing Admin Role Conflict sync errors.](media/tshoot-connect-sync-errors/existingadmin.png)
+### Fix the Existing Admin Role Conflict error
-### How to fix
-To resolve this issue do the following:
+To resolve this issue:
-1. Remove the Azure AD account (owner) from all admin roles.
-2. **Hard Delete** the Quarantined object in the cloud.
-3. The next sync cycle will take care of soft-matching the on-premises user to the cloud account (since the cloud user is now no longer a global GA).
-4. Restore the role memberships for the owner.
+1. Remove the Azure AD account (owner) from all admin roles.
+1. Hard delete the quarantined object in the cloud.
+1. The next sync cycle will take care of soft-matching the on-premises user to the cloud account because the cloud user is now no longer a global admin.
+1. Restore the role memberships for the owner.
>[!NOTE]
->You can assign the administrative role to the existing user object again after the soft match between the on-premises user object and the Azure AD user object has completed.
+>You can assign the administrative role to the existing user object again after the soft match between the on-premises user object and the Azure AD user object has finished.
## Related links
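Review bot: step 3 of the Existing Admin Role Conflict fix says "because the cloud user is now no longer a global admin", but the description and step 1 are about any administrative role ("Administrative permissions", "Remove the Azure AD account (owner) from all admin roles"); say "no longer holds an administrative role" so the steps agree. Step 2 "Hard delete the quarantined object in the cloud" should name which object is meant, since the only objects introduced so far are the Azure AD account (owner) and the on-premises user. The NOTE after the list restates step 4 with the timing constraint (after the soft match has finished); folding that constraint into step 4 would remove the duplication.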
-* [Locate Active Directory Objects in Active Directory Administrative Center](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560661(v=ws.10))
-* [How to query Azure Active Directory for an object using Azure Active Directory PowerShell](/previous-versions/azure/jj151815(v=azure.100))
+
+* [Locate Active Directory objects in Active Directory Administrative Center](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560661(v=ws.10))
+* [Query Azure AD for an object by using Azure AD PowerShell](/previous-versions/azure/jj151815(v=azure.100))
active-directory Concept Identity Protection Risks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/identity-protection/concept-identity-protection-risks.md
These risks can be calculated in real-time or calculated offline using Microsoft
| Atypical travel | Offline | This risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. Among several other factors, this machine learning algorithm takes into account the time between the two sign-ins and the time it would have taken for the user to travel from the first location to the second, indicating that a different user is using the same credentials. <br><br> The algorithm ignores obvious "false positives" contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The system has an initial learning period of the earliest of 14 days or 10 logins, during which it learns a new user's sign-in behavior. | | Anomalous Token | Offline | This detection indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens. ***NOTE:** Anomalous token is tuned to incur more noise than other detections at the same risk level. This tradeoff is chosen to increase the likelihood of detecting replayed tokens that may otherwise go unnoticed. Because this is a high noise detection, there is a higher than normal chance that some of the sessions flagged by this detection are false positives. We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. If the location, application, IP address, User Agent, or other characteristics are unexpected for the user, the tenant admin should consider this as an indicator of potential token replay*. | | Token Issuer Anomaly | Offline |This risk detection indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns. |
-| Malware linked IP address | Offline | This risk detection type indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. This detection is determined by correlating IP addresses of the user's device against IP addresses that were in contact with a bot server while the bot server was active. <br><br> **[This detection has been deprecated](../fundamentals/whats-new.md#planned-deprecationmalware-linked-ip-address-detection-in-identity-protection)**. Identity Protection will no longer generate new "Malware linked IP address" detections. Customers who currently have "Malware linked IP address" detections in their tenant will still be able to view, remediate, or dismiss them until the 90-day detection retention time is reached.|
+| Malware linked IP address | Offline | This risk detection type indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. This detection is determined by correlating IP addresses of the user's device against IP addresses that were in contact with a bot server while the bot server was active. <br><br> **[This detection has been deprecated](../fundamentals/whats-new-archive.md#planned-deprecationmalware-linked-ip-address-detection-in-identity-protection)**. Identity Protection will no longer generate new "Malware linked IP address" detections. Customers who currently have "Malware linked IP address" detections in their tenant will still be able to view, remediate, or dismiss them until the 90-day detection retention time is reached.|
| Suspicious browser | Offline | Suspicious browser detection indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser. | | Unfamiliar sign-in properties | Real-time | This risk detection type considers past sign-in history (IP, Latitude / Longitude and ASN) to look for anomalous sign-ins. The system stores information about previous locations used by a user, and considers these "familiar" locations. The risk detection is triggered when the sign-in occurs from a location that's not already in the list of familiar locations. Newly created users will be in "learning mode" for a while where unfamiliar sign-in properties risk detections will be turned off while our algorithms learn the user's behavior. The learning mode duration is dynamic and depends on how much time it takes the algorithm to gather enough information about the user's sign-in patterns. The minimum duration is five days. A user can go back into learning mode after a long period of inactivity. The system also ignores sign-ins from familiar devices, and locations that are geographically close to a familiar location. <br><br> We also run this detection for basic authentication (or legacy protocols). Because these protocols don't have modern properties such as client ID, there's limited telemetry to reduce false positives. We recommend our customers to move to modern authentication. <br><br> Unfamiliar sign-in properties can be detected on both interactive and non-interactive sign-ins. When this detection is detected on non-interactive sign-ins, it deserves increased scrutiny due to the risk of token replay attacks. | | Admin confirmed user compromised | Offline | This detection indicates an admin has selected 'Confirm user compromised' in the Risky users UI or using riskyUsers API. To see which admin has confirmed this user compromised, check the user's risk history (via UI or API). |
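Review bot: the retargeted link points at `whats-new-archive.md` with the same `#planned-deprecationmalware-linked-ip-address-detection-in-identity-protection` fragment; heading anchors are generated from heading text, so if the archived page's heading differs from the original the fragment silently stops resolving. Confirm the anchor exists on the archive page before merging.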
active-directory Configure User Consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-user-consent.md
To configure user consent settings through the Azure portal, do the following:
To choose which app consent policy governs user consent for applications, you can use the latest [Azure AD PowerShell](/powershell/module/azuread/?view=azureadps-2.0&preserve-view=true) module.
+> [!NOTE]
+> The instructions below use the generally available Azure AD PowerShell module ([AzureAD](https://www.powershellgallery.com/packages/AzureAD)). The parameter names are different in the preview version of this module ([AzureADPreview](https://www.powershellgallery.com/packages/AzureADPreview)). If you have both modules installed, ensure you're using the cmdlet from the correct module by first running:
+>
+> ```powershell
+> Remove-Module AzureADPreview -ErrorAction SilentlyContinue
+> Import-Module AzureAD
+> ```
+ #### Disable user consent To disable user consent, set the consent policies that govern user consent to empty:
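Review bot: `Remove-Module AzureADPreview -ErrorAction SilentlyContinue` only unloads the module from the current session; with module auto-loading, the first call to a cmdlet that exists only in AzureADPreview pulls it back in, so the note's "ensure you're using the cmdlet from the correct module" is not guaranteed by the two lines shown. Suggest telling the reader to confirm with `Get-Module AzureAD, AzureADPreview` after the import, and to mention why it matters: the consent-policy cmdlets that follow change tenant-wide consent behaviour, so running a differently named parameter set from the preview module can fail or apply a different policy than intended.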
active-directory Services Azure Active Directory Support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/services-azure-active-directory-support.md
The following services support Azure AD authentication. New services are added t
| Azure Batch | [Authenticate Batch service solutions with Active Directory](../../batch/batch-aad-auth.md) | | Azure Container Registry | [Authenticate with an Azure container registry](../../container-registry/container-registry-authentication.md) | | Azure Cognitive Services | [Authenticate requests to Azure Cognitive Services](../../cognitive-services/authentication.md?tabs=powershell#authenticate-with-azure-active-directory) |
+| Azure Communication Services | [Authenticate to Azure Communication Services](../../communication-services/concepts/authentication.md) |
| Azure Databricks | [Authenticate using Azure Active Directory tokens](/azure/databricks/dev-tools/api/latest/aad/) | Azure Data Explorer | [How-To Authenticate with Azure Active Directory for Azure Data Explorer Access](/azure/data-explorer/kusto/management/access-control/how-to-authenticate-with-aad) | | Azure Data Lake Storage Gen1 | [Authentication with Azure Data Lake Storage Gen1 using Azure Active Directory](../../data-lake-store/data-lakes-store-authentication-using-azure-active-directory.md) |
The following services support Azure AD authentication. New services are added t
- [Azure China developer guide](/azure/china/resources-developer-guide) - [Compare Azure Government and global Azure](../../azure-government/compare-azure-government-global-azure.md)-- [Azure services that can use Managed identities to access other services](managed-identities-status.md)
+- [Azure services that can use Managed identities to access other services](managed-identities-status.md)
active-directory Permissions Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/permissions-reference.md
Previously updated : 11/10/2021 Last updated : 01/16/2022
This article lists the Azure AD built-in roles you can assign to allow managemen
> | [Usage Summary Reports Reader](#usage-summary-reports-reader) | Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score. | 75934031-6c7e-415a-99d7-48dbd49e875e | > | [User Administrator](#user-administrator) | Can manage all aspects of users and groups, including resetting passwords for limited admins. | fe930be7-5e62-47db-91af-98c3a49a38b1 | > | [Windows 365 Administrator](#windows-365-administrator) | Can provision and manage all aspects of Cloud PCs. | 11451d60-acb2-45eb-a7d6-43d0f0125c13 |
-> | [Windows Update Deployment Administrator](#windows-update-deployment-administrator) | Create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. | 32696413-001a-46ae-978c-ce0f6b3620d2 |
+> | [Windows Update Deployment Administrator](#windows-update-deployment-administrator) | Can create and manage all aspects of Windows Update deployments through the Windows Update for Business deployment service. | 32696413-001a-46ae-978c-ce0f6b3620d2 |
## Application Administrator
This role also grants the ability to consent for delegated permissions and appli
> | microsoft.directory/connectorGroups/delete | Delete application proxy connector groups | > | microsoft.directory/connectorGroups/allProperties/read | Read all properties of application proxy connector groups | > | microsoft.directory/connectorGroups/allProperties/update | Update all properties of application proxy connector groups |
+> | microsoft.directory/customAuthenticationExtensions/allProperties/allTasks | Create and manage custom authentication extensions |
> | microsoft.directory/deletedItems.applications/delete | Permanently delete applications, which can no longer be restored | > | microsoft.directory/deletedItems.applications/restore | Restore soft deleted applications to original state | > | microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties |
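Review bot: the description for the new `microsoft.directory/customAuthenticationExtensions/allProperties/allTasks` row, "Create and manage custom authentication extensions", does not follow the pattern the other `allProperties/allTasks` rows in this table use, e.g. `microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties`; "Create and delete custom authentication extensions, and read and update all properties" would match.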
This role is available for assignment only as an additional local administrator
Users with this role can manage all enterprise Azure DevOps policies, applicable to all Azure DevOps organizations backed by the Azure AD. Users in this role can manage these policies by navigating to any Azure DevOps organization that is backed by the company's Azure AD. Additionally, users in this role can claim ownership of orphaned Azure DevOps organizations. This role grants no other Azure DevOps-specific permissions (for example, Project Collection Administrators) inside any of the Azure DevOps organizations backed by the company's Azure AD organization. - > [!div class="mx-tableFixed"] > | Actions | Description | > | | |
Do not use. This role is automatically assigned to the Azure AD Connect service,
> | microsoft.directory/applications/policies/update | Update policies of applications | > | microsoft.directory/applications/tag/update | Update tags of applications | > | microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policies |
+> | microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks | Manage hybrid authentication policy in Azure AD |
> | microsoft.directory/organization/dirSync/update | Update the organization directory sync property |
+> | microsoft.directory/passwordHashSync/allProperties/allTasks | Manage all aspects of Password Hash Synchronization (PHS) in Azure AD |
> | microsoft.directory/policies/create | Create policies in Azure AD | > | microsoft.directory/policies/delete | Delete policies in Azure AD | > | microsoft.directory/policies/standard/read | Read basic properties on policies |
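Review bot: the two added rows give the Directory Synchronization Accounts role full control of Password Hash Synchronization and the hybrid authentication policy, but the role description above still says only that the role is automatically assigned to the Azure AD Connect service. State in that description that this non-interactive service account can change PHS and hybrid authentication settings, since that is exactly the capability a tenant administrator would want to monitor for it.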
Users with this role have global permissions within Microsoft Exchange Online, w
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | microsoft.directory/deletedItems.groups/delete | Permanently delete groups, which can no longer be restored |
-> | microsoft.directory/deletedItems.groups/restore | Restore soft deleted groups to original state |
> | microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups | > | microsoft.directory/groups.unified/create | Create Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups.unified/delete | Delete Microsoft 365 groups, excluding role-assignable groups |
-> | microsoft.directory/groups.unified/restore | Restore Microsoft 365 groups |
+> | microsoft.directory/groups.unified/restore | Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups |
> | microsoft.directory/groups.unified/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups.unified/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups.unified/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups |
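Review bot: removing the deletedItems.groups/delete and deletedItems.groups/restore rows leaves no row in the Exchange Administrator table for permanently deleting soft-deleted groups; the reworded groups.unified/restore row covers restore only, and now also excludes role-assignable groups. If the permanent-delete permission was actually withdrawn, say so in the change description; if it was not, the row should stay. The same pair of rows is removed from the SharePoint Administrator and Teams Administrator tables further down.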
Users with this role have access to all administrative features in Azure Active
> | microsoft.directory/connectorGroups/allProperties/update | Update all properties of application proxy connector groups | > | microsoft.directory/contacts/allProperties/allTasks | Create and delete contacts, and read and update all properties | > | microsoft.directory/contracts/allProperties/allTasks | Create and delete partner contracts, and read and update all properties |
+> | microsoft.directory/customAuthenticationExtensions/allProperties/allTasks | Create and manage custom authentication extensions |
> | microsoft.directory/deletedItems/delete | Permanently delete objects, which can no longer be restored | > | microsoft.directory/deletedItems/restore | Restore soft deleted objects to original state | > | microsoft.directory/devices/allProperties/allTasks | Create and delete devices, and read and update all properties |
Users with this role have access to all administrative features in Azure Active
> | microsoft.directory/groupsAssignableToRoles/allProperties/update | Update role-assignable groups | > | microsoft.directory/groupSettings/allProperties/allTasks | Create and delete group settings, and read and update all properties | > | microsoft.directory/groupSettingTemplates/allProperties/allTasks | Create and delete group setting templates, and read and update all properties |
+> | microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks | Manage hybrid authentication policy in Azure AD |
> | microsoft.directory/identityProtection/allProperties/allTasks | Create and delete all resources, and read and update standard properties in Azure AD Identity Protection | > | microsoft.directory/loginOrganizationBranding/allProperties/allTasks | Create and delete loginTenantBranding, and read and update all properties | > | microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties | > | microsoft.directory/organization/allProperties/allTasks | Read and update all properties for an organization |
+> | microsoft.directory/passwordHashSync/allProperties/allTasks | Manage all aspects of Password Hash Synchronization (PHS) in Azure AD |
> | microsoft.directory/policies/allProperties/allTasks | Create and delete policies, and read and update all properties | > | microsoft.directory/conditionalAccessPolicies/allProperties/allTasks | Manage all properties of conditional access policies |
-> | microsoft.directory/crossTenantAccessPolicies/allProperties/allTasks | Manage cross tenant access policies |
+> | microsoft.directory/crossTenantAccessPolicies/allProperties/allTasks | Manage all aspects of cross-tenant access policies |
> | microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management | > | microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs | > | microsoft.directory/roleAssignments/allProperties/allTasks | Create and delete role assignments, and read and update all role assignment properties |
Users with this role have access to all administrative features in Azure Active
> | microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages | > | microsoft.office365.messageCenter/securityMessages/read | Read security messages in Message Center in the Microsoft 365 admin center | > | microsoft.office365.network/performance/allProperties/read | Read all network performance properties in the Microsoft 365 admin center |
-> | microsoft.office365.protectionCenter/allEntities/allProperties/allTasks | Manage all aspects of the Security & Compliance centers |
+> | microsoft.office365.protectionCenter/allEntities/allProperties/allTasks | Manage all aspects of the Security and Compliance centers |
> | microsoft.office365.search/content/manage | Create and delete content, and read and update all properties in Microsoft Search | > | microsoft.office365.securityComplianceCenter/allEntities/allTasks | Create and delete all resources, and read and update standard properties in the Office 365 Security & Compliance Center | > | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center |
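Review bot: "Security & Compliance" is changed to "Security and Compliance" in the protectionCenter row, but the securityComplianceCenter row two lines below still reads "Office 365 Security & Compliance Center"; apply the same wording to both rows or leave both as they were.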
Users with this role have access to all administrative features in Azure Active
> | microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports | > | microsoft.office365.userCommunication/allEntities/allTasks | Read and update what's new messages visibility | > | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
+> | microsoft.office365.yammer/allEntities/allProperties/allTasks | Manage all aspects of Yammer |
> | microsoft.powerApps/allEntities/allTasks | Manage all aspects of Power Apps | > | microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Power BI | > | microsoft.teams/allEntities/allProperties/allTasks | Manage all resources in Teams |
Users in this role can read settings and administrative information across Micro
> | Actions | Description | > | | | > | microsoft.directory/accessReviews/allProperties/read | Read all properties of access reviews |
-> | microsoft.directory/administrativeUnits/allProperties/read | Read all properties of administrative units |
+> | microsoft.directory/administrativeUnits/allProperties/read | Read all properties of administrative units, including members |
> | microsoft.directory/applications/allProperties/read | Read all properties (including privileged properties) on all types of applications | > | microsoft.directory/applications/synchronization/standard/read | Read provisioning settings associated with the application object | > | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, including privileged properties |
Users in this role can read settings and administrative information across Micro
> | microsoft.directory/connectors/allProperties/read | Read all properties of application proxy connectors | > | microsoft.directory/connectorGroups/allProperties/read | Read all properties of application proxy connector groups | > | microsoft.directory/contacts/allProperties/read | Read all properties for contacts |
-> | microsoft.directory/devices/allProperties/read | Read all properties on devices |
-> | microsoft.directory/directoryRoles/allProperties/read | Read all properties for Azure AD roles |
-> | microsoft.directory/directoryRoleTemplates/allProperties/read | Read all properties for role templates |
+> | microsoft.directory/customAuthenticationExtensions/allProperties/read | Read custom authentication extensions |
+> | microsoft.directory/devices/allProperties/read | Read all properties of devices |
+> | microsoft.directory/directoryRoles/allProperties/read | Read all properties of directory roles |
+> | microsoft.directory/directoryRoleTemplates/allProperties/read | Read all properties of directory role templates |
> | microsoft.directory/domains/allProperties/read | Read all properties of domains | > | microsoft.directory/entitlementManagement/allProperties/read | Read all properties in Azure AD entitlement management | > | microsoft.directory/groups/allProperties/read | Read all properties (including privileged properties) on Security groups and Microsoft 365 groups, including role-assignable groups |
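Review bot: the one genuine permission addition in this hunk, microsoft.directory/customAuthenticationExtensions/allProperties/read for Global Reader, is easy to miss among the three rows that are removed and re-added only to change "on"/"for" to "of" and "Azure AD roles" to "directory roles". Consider keeping the rewording and the new permission in separate changes, or call out the new read permission explicitly in the change description.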
Users in this role can read settings and administrative information across Micro
> | microsoft.directory/permissionGrantPolicies/standard/read | Read standard properties of permission grant policies | > | microsoft.directory/policies/allProperties/read | Read all properties of policies | > | microsoft.directory/conditionalAccessPolicies/allProperties/read | Read all properties of conditional access policies |
-> | microsoft.directory/crossTenantAccessPolicies/allProperties/read | Read all properties of cross-tenant policies |
+> | microsoft.directory/crossTenantAccessPolicies/allProperties/read | Read all properties of cross-tenant access policies |
> | microsoft.directory/deviceManagementPolicies/standard/read | Read standard properties on device management application policies | > | microsoft.directory/deviceRegistrationPolicy/standard/read | Read standard properties on device registration policies | > | microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in Privileged Identity Management |
Users in this role can read settings and administrative information across Micro
> | microsoft.office365.securityComplianceCenter/allEntities/read | Read standard properties in Microsoft 365 Security and Compliance Center | > | microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports | > | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center |
-> | microsoft.teams/allEntities/allProperties/read | Read all aspects of Microsoft Teams |
+> | microsoft.office365.yammer/allEntities/allProperties/read | Read all aspects of Yammer |
+> | microsoft.teams/allEntities/allProperties/read | Read all properties of Microsoft Teams |
> | microsoft.windows.updatesDeployments/allEntities/allProperties/read | Read all aspects of Windows Update Service | ## Groups Administrator
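Review bot: the Teams row is changed from "Read all aspects" to "Read all properties", while the new Yammer row introduced in the same hunk says "Read all aspects of Yammer" and the windows.updatesDeployments row that follows still says "Read all aspects of Windows Update Service"; pick one wording for these read-all rows.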
Users in this role can create/manage groups and its settings like naming and exp
> | microsoft.directory/groups/delete | Delete Security groups and Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups | > | microsoft.directory/groups/reprocessLicenseAssignment | Reprocess license assignments for group-based licensing |
-> | microsoft.directory/groups/restore | Restore deleted groups |
+> | microsoft.directory/groups/restore | Restore groups from soft-deleted container |
> | microsoft.directory/groups/basic/update | Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups/classification/update | Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups |
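Review bot: the reworded groups/restore row for Groups Administrator does not say whether role-assignable groups are excluded, whereas the groups.unified/restore rows elsewhere in this change were updated to "excluding role-assignable groups". Restoring a soft-deleted role-assignable group reinstates its membership and therefore its role assignments, so the scope matters; state the exclusion explicitly if it applies, here and in the identical groups/restore rows in the User Administrator and deprecated-role tables below.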
Users in this role can create, manage and deploy provisioning configuration setu
> | microsoft.directory/deletedItems.applications/restore | Restore soft deleted applications to original state | > | microsoft.directory/domains/allProperties/read | Read all properties of domains | > | microsoft.directory/domains/federation/update | Update federation property of domains |
+> | microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks | Manage hybrid authentication policy in Azure AD |
> | microsoft.directory/organization/dirSync/update | Update the organization directory sync property |
+> | microsoft.directory/passwordHashSync/allProperties/allTasks | Manage all aspects of Password Hash Synchronization (PHS) in Azure AD |
> | microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs | > | microsoft.directory/servicePrincipals/create | Create service principals | > | microsoft.directory/servicePrincipals/delete | Delete service principals |
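Review bot: the Hybrid Identity Administrator description at the top of this table should mention the newly listed ability to manage Password Hash Synchronization and the hybrid authentication policy; those are among the most sensitive permissions in the table, and a reader deciding whether to assign the role will read the description rather than the row list.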
This role can create and manage all security groups. However, Intune Administrat
> | microsoft.directory/groups.security/delete | Delete Security groups, excluding role-assignable groups | > | microsoft.directory/groups.security/basic/update | Update basic properties on Security groups, excluding role-assignable groups | > | microsoft.directory/groups.security/classification/update | Update the classification property on Security groups, excluding role-assignable groups |
-> | microsoft.directory/groups.security/dynamicMembershipRule/update | Update dynamic membership rule of Security groups, excluding role-assignable groups |
+> | microsoft.directory/groups.security/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups, excluding role-assignable groups |
> | microsoft.directory/groups.security/members/update | Update members of Security groups, excluding role-assignable groups | > | microsoft.directory/groups.security/owners/update | Update owners of Security groups, excluding role-assignable groups | > | microsoft.directory/groups.security/visibility/update | Update the visibility property on Security groups, excluding role-assignable groups |
Do not use. This role has been deprecated and will be removed from Azure AD in t
> | microsoft.directory/deletedItems.groups/restore | Restore soft deleted groups to original state | > | microsoft.directory/groups/create | Create Security groups and Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups/delete | Delete Security groups and Microsoft 365 groups, excluding role-assignable groups |
-> | microsoft.directory/groups/restore | Restore deleted groups |
+> | microsoft.directory/groups/restore | Restore groups from soft-deleted container |
> | microsoft.directory/groups/members/update | Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups/owners/update | Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties |
Do not use. This role has been deprecated and will be removed from Azure AD in t
> | microsoft.directory/domains/allProperties/allTasks | Create and delete domains, and read and update all properties | > | microsoft.directory/groups/create | Create Security groups and Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups/delete | Delete Security groups and Microsoft 365 groups, excluding role-assignable groups |
-> | microsoft.directory/groups/restore | Restore deleted groups |
+> | microsoft.directory/groups/restore | Restore groups from soft-deleted container |
> | microsoft.directory/groups/members/update | Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups/owners/update | Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties |
Windows Defender ATP and EDR | Assign roles<br>Manage machine groups<br>Configur
> | microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policies | > | microsoft.directory/bitlockerKeys/key/read | Read bitlocker metadata and key on devices | > | microsoft.directory/entitlementManagement/allProperties/read | Read all properties in Azure AD entitlement management |
+> | microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks | Manage hybrid authentication policy in Azure AD |
> | microsoft.directory/identityProtection/allProperties/read | Read all resources in Azure AD Identity Protection | > | microsoft.directory/identityProtection/allProperties/update | Update all resources in Azure AD Identity Protection |
+> | microsoft.directory/passwordHashSync/allProperties/allTasks | Manage all aspects of Password Hash Synchronization (PHS) in Azure AD |
> | microsoft.directory/policies/create | Create policies in Azure AD | > | microsoft.directory/policies/delete | Delete policies in Azure AD | > | microsoft.directory/policies/basic/update | Update basic properties on policies |
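Review bot: confirm that Security Administrator needs allTasks rather than read on passwordHashSync and hybridAuthenticationPolicy. The neighbouring identityProtection rows in this table are split into separate read and update permissions, so if the intent is visibility into PHS state, a read-only row would follow the table's existing pattern; if full management is intended, note it in the role description.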
Users with this role have global permissions within Microsoft SharePoint Online,
> [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | microsoft.directory/deletedItems.groups/delete | Permanently delete groups, which can no longer be restored |
-> | microsoft.directory/deletedItems.groups/restore | Restore soft deleted groups to original state |
> | microsoft.directory/groups.unified/create | Create Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups.unified/delete | Delete Microsoft 365 groups, excluding role-assignable groups |
-> | microsoft.directory/groups.unified/restore | Restore Microsoft 365 groups |
+> | microsoft.directory/groups.unified/restore | Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups |
> | microsoft.directory/groups.unified/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups.unified/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups.unified/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups |
Users in this role can manage all aspects of the Microsoft Teams workload via th
> | Actions | Description | > | | | > | microsoft.directory/authorizationPolicy/standard/read | Read standard properties of authorization policies |
-> | microsoft.directory/deletedItems.groups/delete | Permanently delete groups, which can no longer be restored |
-> | microsoft.directory/deletedItems.groups/restore | Restore soft deleted groups to original state |
> | microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups | > | microsoft.directory/groups.unified/create | Create Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups.unified/delete | Delete Microsoft 365 groups, excluding role-assignable groups |
-> | microsoft.directory/groups.unified/restore | Restore Microsoft 365 groups |
+> | microsoft.directory/groups.unified/restore | Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups |
> | microsoft.directory/groups.unified/basic/update | Update basic properties on Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups.unified/members/update | Update members of Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups.unified/owners/update | Update owners of Microsoft 365 groups, excluding role-assignable groups |
Users with this role can create users, and manage all aspects of users with some
> | microsoft.directory/groups/delete | Delete Security groups and Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups | > | microsoft.directory/groups/reprocessLicenseAssignment | Reprocess license assignments for group-based licensing |
-> | microsoft.directory/groups/restore | Restore deleted groups |
+> | microsoft.directory/groups/restore | Restore groups from soft-deleted container |
> | microsoft.directory/groups/basic/update | Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups/classification/update | Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/groups/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups |
Users with this role can create users, and manage all aspects of users with some
> | microsoft.directory/groups/settings/update | Update settings of groups | > | microsoft.directory/groups/visibility/update | Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups | > | microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks | Create and delete OAuth 2.0 permission grants, and read and update all properties |
+> | microsoft.directory/policies/standard/read | Read basic properties on policies |
> | microsoft.directory/servicePrincipals/appRoleAssignedTo/update | Update service principal role assignments | > | microsoft.directory/users/assignLicense | Manage user licenses | > | microsoft.directory/users/create | Add users |
Assign the Windows 365 Administrator role to users who need to do the following
> | microsoft.directory/groups.security/delete | Delete Security groups, excluding role-assignable groups | > | microsoft.directory/groups.security/basic/update | Update basic properties on Security groups, excluding role-assignable groups | > | microsoft.directory/groups.security/classification/update | Update the classification property on Security groups, excluding role-assignable groups |
-> | microsoft.directory/groups.security/dynamicMembershipRule/update | Update dynamic membership rule of Security groups, excluding role-assignable groups |
+> | microsoft.directory/groups.security/dynamicMembershipRule/update | Update the dynamic membership rule on Security groups, excluding role-assignable groups |
> | microsoft.directory/groups.security/members/update | Update members of Security groups, excluding role-assignable groups | > | microsoft.directory/groups.security/owners/update | Update owners of Security groups, excluding role-assignable groups | > | microsoft.directory/groups.security/visibility/update | Update the visibility property on Security groups, excluding role-assignable groups |
active-directory Active Directory Sso For Doubleyou Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/active-directory-sso-for-doubleyou-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with Active Directory SSO for DoubleYou'
+description: Learn how to configure single sign-on between Azure Active Directory and Active Directory SSO for DoubleYou.
++++++++ Last updated : 01/17/2022++++
+# Tutorial: Azure AD SSO integration with Active Directory SSO for DoubleYou
+
+In this tutorial, you'll learn how to integrate Active Directory SSO for DoubleYou with Azure Active Directory (Azure AD). When you integrate Active Directory SSO for DoubleYou with Azure AD, you can:
+
+* Control in Azure AD who has access to Active Directory SSO for DoubleYou.
+* Enable your users to be automatically signed-in to Active Directory SSO for DoubleYou with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Active Directory SSO for DoubleYou single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Active Directory SSO for DoubleYou supports **SP and IDP** initiated SSO.
+
+## Add Active Directory SSO for DoubleYou from the gallery
+
+To configure the integration of Active Directory SSO for DoubleYou into Azure AD, you need to add Active Directory SSO for DoubleYou from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Active Directory SSO for DoubleYou** in the search box.
+1. Select **Active Directory SSO for DoubleYou** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Active Directory SSO for DoubleYou
+
+Configure and test Azure AD SSO with Active Directory SSO for DoubleYou using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Active Directory SSO for DoubleYou.
+
+To configure and test Azure AD SSO with Active Directory SSO for DoubleYou, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Active Directory SSO for DoubleYou SSO](#configure-active-directory-sso-for-doubleyou-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Active Directory SSO for DoubleYou test user](#create-active-directory-sso-for-doubleyou-test-user)** - to have a counterpart of B.Simon in Active Directory SSO for DoubleYou that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Active Directory SSO for DoubleYou** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+ a. In the **Identifier** text box, type a value using the following pattern:
+ `<company-id>.welfare.it`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<company-id>.welfare.it/<store-id>?`
+
+ c. In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<company-id>.welfare.it/microsoft/`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Active Directory SSO for DoubleYou Client support team](mailto:info@double-you.it) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. Your Active Directory SSO for DoubleYou application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **Unique User Identifier** is **user.userprincipalname** but Active Directory SSO for DoubleYou expects this to be mapped with the user's email address. For that you can use **user.mail** attribute from the list or use the appropriate attribute value based on your organization configuration.
+
+ ![image](common/default-attributes.png)
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+ ![The Certificate download link](common/copy-metadataurl.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Active Directory SSO for DoubleYou.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Active Directory SSO for DoubleYou**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Active Directory SSO for DoubleYou SSO
+
+To configure single sign-on on **Active Directory SSO for DoubleYou** side, you need to send the **App Federation Metadata Url** to [Active Directory SSO for DoubleYou support team](mailto:info@double-you.it). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Active Directory SSO for DoubleYou test user
+
+In this section, you create a user called Britta Simon in Active Directory SSO for DoubleYou. Work with [Active Directory SSO for DoubleYou support team](mailto:info@double-you.it) to add the users in the Active Directory SSO for DoubleYou platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Active Directory SSO for DoubleYou Sign on URL where you can initiate the login flow.
+
+* Go to Active Directory SSO for DoubleYou Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Active Directory SSO for DoubleYou for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Active Directory SSO for DoubleYou tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Active Directory SSO for DoubleYou for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Active Directory SSO for DoubleYou you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
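Review bot: the heading `## Configure Active Directory SSO for DoubleYou SSO` repeats "SSO" (the application name already ends in SSO), and the test-user section introduces "Britta Simon" where every other step in this tutorial uses "B.Simon"; use one name throughout. In the Next steps paragraph the apostrophe in "organizationΓÇÖs" is a mis-encoded U+2019 and the link text still says "Microsoft Cloud App Security", the pre-rename product name that the removed line of the BIC tutorial further down in this commit had already replaced with "Microsoft Defender for Cloud Apps"; suggest `Once you configure Active Directory SSO for DoubleYou you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time.` with the current product name in the link.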
active-directory Athena Systems Login Platform Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/athena-systems-login-platform-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with Athena Systems Login Platform'
+description: Learn how to configure single sign-on between Azure Active Directory and Athena Systems Login Platform.
++++++++ Last updated : 01/20/2022++++
+# Tutorial: Azure AD SSO integration with Athena Systems Login Platform
+
+In this tutorial, you'll learn how to integrate Athena Systems Login Platform with Azure Active Directory (Azure AD). When you integrate Athena Systems Login Platform with Azure AD, you can:
+
+* Control in Azure AD who has access to Athena Systems Login Platform.
+* Enable your users to be automatically signed-in to Athena Systems Login Platform with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Athena Systems Login Platform single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Athena Systems Login Platform supports **SP and IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add Athena Systems Login Platform from the gallery
+
+To configure the integration of Athena Systems Login Platform into Azure AD, you need to add Athena Systems Login Platform from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Athena Systems Login Platform** in the search box.
+1. Select **Athena Systems Login Platform** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Athena Systems Login Platform
+
+Configure and test Azure AD SSO with Athena Systems Login Platform using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Athena Systems Login Platform.
+
+To configure and test Azure AD SSO with Athena Systems Login Platform, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Athena Systems Login Platform SSO](#configure-athena-systems-login-platform-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Athena Systems Login Platform test user](#create-athena-systems-login-platform-test-user)** - to have a counterpart of B.Simon in Athena Systems Login Platform that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Athena Systems Login Platform** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **SP** initiated mode then perform the following steps:
+
+ a. In the **Identifier** text box, type the value:
+ `athenasystems`
+
+ b. In the **Reply URL** text box, type the URL:
+ `https://login.athenasystems.com/saml/module.php/saml/sp/saml2-acs.php/default-sp`
+
+ In the **Sign-on URL** text box, type the URL:
+ `https://login.athenasystems.com/`
+
+1. Athena Systems Login Platform application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+
+ ![image](common/default-attributes.png)
+
+1. In addition to above, Athena Systems Login Platform application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+
+ | Name | Source Attribute|
+ | - | |
+ | Client | user.companyname |
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/metadataxml.png)
+
+1. On the **Set up Athena Systems Login Platform** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Athena Systems Login Platform.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Athena Systems Login Platform**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Athena Systems Login Platform SSO
+
+To configure single sign-on on **Athena Systems Login Platform** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Athena Systems Login Platform support team](mailto:support@athenasystems.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Athena Systems Login Platform test user
+
+In this section, you create a user called Britta Simon in Athena Systems Login Platform. Work with [Athena Systems Login Platform support team](mailto:support@athenasystems.com) to add the users in the Athena Systems Login Platform platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Athena Systems Login Platform Sign on URL where you can initiate the login flow.
+
+* Go to Athena Systems Login Platform Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Athena Systems Login Platform for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Athena Systems Login Platform tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Athena Systems Login Platform for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Athena Systems Login Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
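Review bot: the Basic SAML Configuration steps contradict each other: `1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.` is immediately followed by a step that tells the user to type an Identifier, a Reply URL and a Sign-on URL, and the Sign-on URL item is the only one without a letter label (a., b., then nothing). Either drop the "no step needed" sentence or scope it explicitly to IDP-initiated mode, and label the third item `c.`. Smaller points in the same hunk: the attribute table's delimiter row `| - | |` has no dash in the second cell, so it is not a valid markdown table separator; "Sign on URL" and "Sign-on URL" are both used under Test SSO; and the test-user section says "Britta Simon" where the rest of the page says "B.Simon" and reads "Athena Systems Login Platform platform".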
active-directory Bic Cloud Design Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bic-cloud-design-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with BIC Cloud Design | Microsoft Docs'
-description: Learn how to configure single sign-on between Azure Active Directory and BIC Cloud Design.
+ Title: 'Tutorial: Azure AD SSO integration with BIC Process Design'
+description: Learn how to configure single sign-on between Azure Active Directory and BIC Process Design.
Previously updated : 06/15/2021 Last updated : 01/16/2022
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with BIC Cloud Design
+# Tutorial: Azure AD SSO integration with BIC Process Design
-In this tutorial, you'll learn how to integrate BIC Cloud Design with Azure Active Directory (Azure AD). When you integrate BIC Cloud Design with Azure AD, you can:
+In this tutorial, you'll learn how to integrate BIC Process Design with Azure Active Directory (Azure AD). When you integrate BIC Process Design with Azure AD, you can:
-* Control in Azure AD who has access to BIC Cloud Design.
-* Enable your users to be automatically signed-in to BIC Cloud Design with their Azure AD accounts.
+* Control in Azure AD who has access to BIC Process Design.
+* Enable your users to be automatically signed-in to BIC Process Design with their Azure AD accounts.
* Manage your accounts in one central location - the Azure portal. ## Prerequisites
In this tutorial, you'll learn how to integrate BIC Cloud Design with Azure Acti
To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* BIC Cloud Design single sign-on (SSO) enabled subscription.
+* BIC Process Design single sign-on (SSO) enabled subscription.
> [!NOTE] > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* BIC Cloud Design supports **SP** initiated SSO.
+* BIC Process Design supports **SP** initiated SSO.
-## Add BIC Cloud Design from the gallery
+## Add BIC Process Design from the gallery
-To configure the integration of BIC Cloud Design into Azure AD, you need to add BIC Cloud Design from the gallery to your list of managed SaaS apps.
+To configure the integration of BIC Process Design into Azure AD, you need to add BIC Process Design from the gallery to your list of managed SaaS apps.
1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account. 1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **BIC Cloud Design** in the search box.
-1. Select **BIC Cloud Design** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+1. In the **Add from the gallery** section, type **BIC Process Design** in the search box.
+1. Select **BIC Process Design** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO for BIC Cloud Design
+## Configure and test Azure AD SSO for BIC Process Design
-Configure and test Azure AD SSO with BIC Cloud Design using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in BIC Cloud Design.
+Configure and test Azure AD SSO with BIC Process Design using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in BIC Process Design.
-To configure and test Azure AD SSO with BIC Cloud Design, perform the following steps:
+To configure and test Azure AD SSO with BIC Process Design, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure BIC Cloud Design SSO](#configure-bic-cloud-design-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create BIC Cloud Design test user](#create-bic-cloud-design-test-user)** - to have a counterpart of B.Simon in BIC Cloud Design that is linked to the Azure AD representation of user.
+1. **[Configure BIC Process Design SSO](#configure-bic-process-design-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create BIC Process Design test user](#create-bic-process-design-test-user)** - to have a counterpart of B.Simon in BIC Process Design that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the Azure portal, on the **BIC Cloud Design** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **BIC Process Design** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
Follow these steps to enable Azure AD SSO in the Azure portal.
c. After the metadata file is successfully uploaded, the **Identifier** value gets auto populated in Basic SAML Configuration section.
- In the **Sign-on URL** text box, type a URL using the following pattern:
+ d. In the **Sign-on URL** text box, type a URL using one of the following patterns:
| Sign-on URL | |--|
Follow these steps to enable Azure AD SSO in the Azure portal.
| `https://<CUSTOMER_SPECIFIC_NAME/TENANT>.biccloud.de` | > [!Note]
- > If the **Identifier** value does not get auto populated, then please fill in the value manually according to your requirement. The Sign-on URL value is not real. Update this value with the actual Sign-on URL. Contact [BIC Cloud Design Client support team](mailto:bicsupport@gbtec.de) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > If the **Identifier** value does not get auto populated, then please fill in the value manually according to your requirement. The Sign-on URL value is not real. Update this value with the actual Sign-on URL. Contact [BIC Process Design Client support team](mailto:bicsupport@gbtec.de) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-1. BIC Cloud Design application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+1. BIC Process Design application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
![image](common/default-attributes.png)
-1. In addition to above, BIC Cloud Design application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+1. In addition to above, BIC Process Design application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
| Name | Source Attribute| | | |
In this section, you'll create a test user in the Azure portal called B.Simon.
### Assign the Azure AD test user
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to BIC Cloud Design.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to BIC Process Design.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **BIC Cloud Design**.
+1. In the applications list, select **BIC Process Design**.
1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog. 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure BIC Cloud Design SSO
+## Configure BIC Process Design SSO
-To configure single sign-on on **BIC Cloud Design** side, you need to send the **App Federation Metadata Url** to [BIC Cloud Design support team](mailto:bicsupport@gbtec.de). They set this setting to have the SAML SSO connection set properly on both sides.
+To configure single sign-on on **BIC Process Design** side, you need to send the **App Federation Metadata Url** to [BIC Process Design support team](mailto:bicsupport@gbtec.de). They set this setting to have the SAML SSO connection set properly on both sides.
-### Create BIC Cloud Design test user
+### Create BIC Process Design test user
-In this section, you create a user called B.Simon in BIC Cloud Design. Work with [BIC Cloud Design support team](mailto:bicsupport@gbtec.de) to add the users in the BIC Cloud Design platform. Users must be created and activated before you use single sign-on.
+In this section, you create a user called B.Simon in BIC Process Design. Work with [BIC Process Design support team](mailto:bicsupport@gbtec.de) to add the users in the BIC Process Design platform. Users must be created and activated before you use single sign-on.
## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on **Test this application** in Azure portal. This will redirect to BIC Cloud Design Sign-on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to BIC Process Design Sign-on URL where you can initiate the login flow.
-* Go to BIC Cloud Design Sign-on URL directly and initiate the login flow from there.
+* Go to BIC Process Design Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the BIC Cloud Design tile in the My Apps, this will redirect to BIC Cloud Design Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* You can use Microsoft My Apps. When you click the BIC Process Design tile in the My Apps, this will redirect to BIC Process Design Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure the BIC Cloud Design you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).
+Once you configure BIC Process Design you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
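Review bot: the Next steps change is a regression: the removed line used the current product name "Microsoft Defender for Cloud Apps" and linked to `/cloud-app-security/proxy-deployment-any-app`, while the added line goes back to the retired name "Microsoft Cloud App Security" and to `/cloud-app-security/proxy-deployment-aad`; keep the current name and confirm which proxy-deployment page is actually meant before changing the target. The My Apps link in the same hunk also moves from the public support.microsoft.com URL to the relative path `../user-help/my-apps-portal-end-user-access.md`; verify that file still exists in the repo, since the other tutorials in this commit point at the same path and a rename there would break all of them at once.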
active-directory Dining Sidekick Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/dining-sidekick-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with Dining Sidekick'
+description: Learn how to configure single sign-on between Azure Active Directory and Dining Sidekick.
++++++++ Last updated : 01/17/2022++++
+# Tutorial: Azure AD SSO integration with Dining Sidekick
+
+In this tutorial, you'll learn how to integrate Dining Sidekick with Azure Active Directory (Azure AD). When you integrate Dining Sidekick with Azure AD, you can:
+
+* Control in Azure AD who has access to Dining Sidekick.
+* Enable your users to be automatically signed-in to Dining Sidekick with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Dining Sidekick single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Dining Sidekick supports **SP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add Dining Sidekick from the gallery
+
+To configure the integration of Dining Sidekick into Azure AD, you need to add Dining Sidekick from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Dining Sidekick** in the search box.
+1. Select **Dining Sidekick** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Dining Sidekick
+
+Configure and test Azure AD SSO with Dining Sidekick using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Dining Sidekick.
+
+To configure and test Azure AD SSO with Dining Sidekick, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Dining Sidekick SSO](#configure-dining-sidekick-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Dining Sidekick test user](#create-dining-sidekick-test-user)** - to have a counterpart of B.Simon in Dining Sidekick that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Dining Sidekick** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+ a. In the **Identifier (Entity ID)** text box, type the URL:
+ `https://api.diningsidekick.com`
+
+ b. In the **Reply URL** text box, type the URL:
+ `https://api.diningsidekick.com/api_user/samlsuccess`
+
+ c. In the **Sign on URL** text box, type the URL:
+ `https://api.diningsidekick.com/api_user/samllogin`
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/metadataxml.png)
+
+1. On the **Set up Dining Sidekick** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Dining Sidekick.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Dining Sidekick**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Dining Sidekick SSO
+
+To configure single sign-on on **Dining Sidekick** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Dining Sidekick support team](mailto:support@gethangry.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Dining Sidekick test user
+
+In this section, you create a user called Britta Simon in Dining Sidekick. Work with [Dining Sidekick support team](mailto:support@gethangry.com) to add the users in the Dining Sidekick platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to Dining Sidekick Sign-on URL where you can initiate the login flow.
+
+* Open Dining Sidekick mobile app, choose **Sidekick University** and then initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Dining Sidekick tile in the My Apps, this will redirect to Dining Sidekick Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Dining Sidekick you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
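Review bot: the support contact in `[Dining Sidekick support team](mailto:support@gethangry.com)` is on a different domain from the service endpoints (`api.diningsidekick.com`), and the tutorial instructs customers to email their Federation Metadata XML and Azure AD URLs to that mailbox; confirm with the publisher that this is the intended recipient before the page goes live, because a wrong address here sends federation details to a third party. Also, the test-user section uses "Britta Simon" where the rest of the tutorial uses "B.Simon", and the mobile-app test step (`* Open Dining Sidekick mobile app, choose **Sidekick University** and then initiate the login flow from there.`) should say what a successful sign-in looks like, since the SP-initiated flow is otherwise only described for the browser.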
active-directory Emplifi Platform Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/emplifi-platform-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with Emplifi platform'
+description: Learn how to configure single sign-on between Azure Active Directory and Emplifi platform.
++++++++ Last updated : 01/17/2022++++
+# Tutorial: Azure AD SSO integration with Emplifi platform
+
+In this tutorial, you'll learn how to integrate Emplifi platform with Azure Active Directory (Azure AD). When you integrate Emplifi platform with Azure AD, you can:
+
+* Control in Azure AD who has access to Emplifi platform.
+* Enable your users to be automatically signed-in to Emplifi platform with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Emplifi platform single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Emplifi platform supports **SP and IDP** initiated SSO.
+
+## Add Emplifi platform from the gallery
+
+To configure the integration of Emplifi platform into Azure AD, you need to add Emplifi platform from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Emplifi platform** in the search box.
+1. Select **Emplifi platform** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Emplifi platform
+
+Configure and test Azure AD SSO with Emplifi platform using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Emplifi platform.
+
+To configure and test Azure AD SSO with Emplifi platform, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Emplifi platform SSO](#configure-emplifi-platform-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Emplifi platform test user](#create-emplifi-platform-test-user)** - to have a counterpart of B.Simon in Emplifi platform that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Emplifi platform** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+ a. In the **Identifier** text box, type a URL using one of the following patterns:
+
+ | **Identifier** |
+ |-|
+ | `https://<CustomerName>.account.socialbakers.com` |
+ | `https://<CustomerName>.account.emplifi.io` |
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<CustomerName>.account.emplifi.io/login/saml`
+
+ c. In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<CustomerName>.account.emplifi.io`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Emplifi platform Client support team](mailto:support@emplifi.io) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. Your Emplifi platform application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **Unique User Identifier** is **user.userprincipalname** but Box expects this to be mapped with the user's email address. For that you can use **user.mail** attribute from the list or use the appropriate attribute value based on your organization configuration.
+
+ ![image](common/default-attributes.png)
+
+1. In addition to above, Emplifi platform application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+
+ | Name | Source Attribute|
+ | --| |
+ | firstName | user.givenname |
+ | lastName | user.surname |
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+ ![The Certificate download link](common/copy-metadataurl.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Emplifi platform.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Emplifi platform**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Emplifi platform SSO
+
+To configure single sign-on on **Emplifi platform** side, you need to send the **App Federation Metadata Url** to [Emplifi platform support team](mailto:support@emplifi.io). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Emplifi platform test user
+
+In this section, you create a user called Britta Simon in Emplifi platform. Work with [Emplifi platform support team](mailto:support@emplifi.io) to add the users in the Emplifi platform platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Emplifi platform Sign on URL where you can initiate the login flow.
+
+* Go to Emplifi platform Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Emplifi platform for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Emplifi platform tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Emplifi platform for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Emplifi platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
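Review bot: the attribute-mapping step ("The default value of **Unique User Identifier** is **user.userprincipalname** but Box expects this to be mapped with the user's email address") is a copy-paste leftover from the Box tutorial; the NameID is the value Emplifi uses to match the assertion to an account, so this sentence must say what Emplifi platform actually matches on (or the mapping instruction should be dropped if the default is correct), otherwise readers will change the identifier for the wrong reason. The additional-attributes table separator `| --| |` is missing the dashes for the second column and will not render as a table; use `| -- | -- |`. Smaller points: "Emplifi platform platform" in the Create test user section, "Sign on URL" in the SP-initiated bullet versus "Sign-on URL" everywhere else, and in Next steps the `organizationΓÇÖs` mojibake and "protects exfiltration", which should read "protects against exfiltration".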
active-directory Mihcm Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mihcm-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with MiHCM'
+description: Learn how to configure single sign-on between Azure Active Directory and MiHCM.
++++++++ Last updated : 01/20/2022++++
+# Tutorial: Azure AD SSO integration with MiHCM
+
+In this tutorial, you'll learn how to integrate MiHCM with Azure Active Directory (Azure AD). When you integrate MiHCM with Azure AD, you can:
+
+* Control in Azure AD who has access to MiHCM.
+* Enable your users to be automatically signed-in to MiHCM with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* MiHCM single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* MiHCM supports **SP** initiated SSO.
+
+## Add MiHCM from the gallery
+
+To configure the integration of MiHCM into Azure AD, you need to add MiHCM from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **MiHCM** in the search box.
+1. Select **MiHCM** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for MiHCM
+
+Configure and test Azure AD SSO with MiHCM using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in MiHCM.
+
+To configure and test Azure AD SSO with MiHCM, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure MiHCM SSO](#configure-mihcm-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create MiHCM test user](#create-mihcm-test-user)** - to have a counterpart of B.Simon in MiHCM that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **MiHCM** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+ a. In the **Identifier** box, type a URL using the following pattern:
+ `https://<subdomain>.mihcm.com`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://login.mihcm.com/<subdomain>/Acs`
+
+ c. In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<subdomain>.mihcm.com`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [MiHCM Client support team](mailto:support@mihcm.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+ ![The Certificate download link](common/copy-metadataurl.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to MiHCM.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **MiHCM**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure MiHCM SSO
+
+To configure single sign-on on **MiHCM** side, you need to send the **App Federation Metadata Url** to [MiHCM support team](mailto:support@mihcm.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create MiHCM test user
+
+In this section, you create a user called Britta Simon in MiHCM. Work with [MiHCM support team](mailto:support@mihcm.com) to add the users in the MiHCM platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to MiHCM Sign-on URL where you can initiate the login flow.
+
+* Go to MiHCM Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the MiHCM tile in the My Apps, this will redirect to MiHCM Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure MiHCM you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
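Review bot: the Reply URL pattern `https://login.mihcm.com/<subdomain>/Acs` is on a different host from the Identifier and Sign-on URL (`https://<subdomain>.mihcm.com`), and nothing in the hunk says this is intentional; since Azure AD will only post the assertion to a Reply URL that is configured here, a short sentence stating that MiHCM hosts its ACS endpoint centrally on `login.mihcm.com` would stop readers "correcting" the value to the tenant host and then getting a reply-URL mismatch error. Minor: step a. says "Identifier box" while b. and c. say "text box"; the note says "Sign on URL" while the step says "Sign-on URL"; and Next steps carries the `organizationΓÇÖs` mojibake and "protects exfiltration" (should be "protects against exfiltration").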
active-directory Recurly Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/recurly-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with Recurly'
+description: Learn how to configure single sign-on between Azure Active Directory and Recurly.
++++++++ Last updated : 01/19/2022++++
+# Tutorial: Azure AD SSO integration with Recurly
+
+In this tutorial, you'll learn how to integrate Recurly with Azure Active Directory (Azure AD). When you integrate Recurly with Azure AD, you can:
+
+* Control in Azure AD who has access to Recurly.
+* Enable your users to be automatically signed-in to Recurly with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Recurly single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Recurly supports **SP and IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add Recurly from the gallery
+
+To configure the integration of Recurly into Azure AD, you need to add Recurly from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Recurly** in the search box.
+1. Select **Recurly** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Recurly
+
+Configure and test Azure AD SSO with Recurly using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Recurly.
+
+To configure and test Azure AD SSO with Recurly, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Recurly SSO](#configure-recurly-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Recurly test user](#create-recurly-test-user)** - to have a counterpart of B.Simon in Recurly that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Recurly** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **SP** initiated mode then perform the following steps:
+
+ a. In the **Identifier** text box, type the URL:
+ `https://app.recurly.com`
+
+ b. In the **Reply URL** text box, type the URL:
+ `https://app.recurly.com/login/sso`
+
+ c. In the **Sign-on URL** text box, type the URL:
+ `https://app.recurly.com/login/sso`
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (PEM)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificate-base64-download.png)
+
+1. Recurly application expects to enable token encryption in order to make SSO work. To activate token encryption, go to the **Azure Active Directory** > **Enterprise applications** and select **Token encryption**. For more information, please refer this [link](../manage-apps/howto-saml-token-encryption.md).
+
+ ![Screenshot shows the activation of Token Encryption.](./media/recurly-tutorial/token.png "Token Encryption")
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Recurly.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Recurly**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Recurly SSO
+
+To configure single sign-on on **Recurly** side, you need to send the downloaded **Certificate (PEM)** and appropriate copied URLs from Azure portal to [Recurly support team](mailto:support@recurly.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Recurly test user
+
+In this section, you create a user called Britta Simon in Recurly. Work with [Recurly support team](mailto:support@recurly.com) to add the users in the Recurly platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Recurly Sign on URL where you can initiate the login flow.
+
+* Go to Recurly Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Recurly for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Recurly tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Recurly for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Recurly you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
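Review bot: the token-encryption step ("Recurly application expects to enable token encryption in order to make SSO work") cannot be completed as written, because enabling token encryption on the Azure AD side means importing the application's public encryption certificate under **Token encryption** and activating it, and the hunk never tells the reader where that certificate comes from; suggest adding that the encryption certificate must be obtained from Recurly support before the step, then imported and activated, with the linked token-encryption article as the reference. The two consecutive Basic SAML Configuration items also contradict each other: the first says "the user does not have to perform any step as the app is already pre-integrated", the next tells the reader to type Identifier, Reply URL and Sign-on URL; rephrase the first as applying to IDP-initiated mode only and the second as "only if you want SP-initiated sign-on". Minor: "Sign on URL" versus "Sign-on URL" in Test SSO, and in Next steps the `organizationΓÇÖs` mojibake and "protects exfiltration" (should be "protects against exfiltration").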
active-directory Scuba Analytics Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/scuba-analytics-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with Scuba Analytics'
+description: Learn how to configure single sign-on between Azure Active Directory and Scuba Analytics.
++++++++ Last updated : 01/17/2022++++
+# Tutorial: Azure AD SSO integration with Scuba Analytics
+
+In this tutorial, you'll learn how to integrate Scuba Analytics with Azure Active Directory (Azure AD). When you integrate Scuba Analytics with Azure AD, you can:
+
+* Control in Azure AD who has access to Scuba Analytics.
+* Enable your users to be automatically signed-in to Scuba Analytics with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Scuba Analytics single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Scuba Analytics supports **IDP** initiated SSO.
+
+## Add Scuba Analytics from the gallery
+
+To configure the integration of Scuba Analytics into Azure AD, you need to add Scuba Analytics from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Scuba Analytics** in the search box.
+1. Select **Scuba Analytics** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Scuba Analytics
+
+Configure and test Azure AD SSO with Scuba Analytics using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Scuba Analytics.
+
+To configure and test Azure AD SSO with Scuba Analytics, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Scuba Analytics SSO](#configure-scuba-analytics-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Scuba Analytics test user](#create-scuba-analytics-test-user)** - to have a counterpart of B.Simon in Scuba Analytics that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Scuba Analytics** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section the application is pre-configured in **IDP** initiated mode and the necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking the **Save** button.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up Scuba Analytics** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Scuba Analytics.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Scuba Analytics**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Scuba Analytics SSO
+
+To configure single sign-on on **Scuba Analytics** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Scuba Analytics support team](mailto:help@scuba.io). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Scuba Analytics test user
+
+In this section, you create a user called Britta Simon in Scuba Analytics. Work with [Scuba Analytics support team](mailto:help@scuba.io) to add the users in the Scuba Analytics platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on Test this application in Azure portal and you should be automatically signed in to the Scuba Analytics for which you set up the SSO.
+
+* You can use Microsoft My Apps. When you click the Scuba Analytics tile in the My Apps, you should be automatically signed in to the Scuba Analytics for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Scuba Analytics you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
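Review bot: in the Test SSO section the first bullet has "Click on Test this application" without the bold used for every other UI element name in this set of tutorials, so the button name reads as prose; make it **Test this application**. The "Set up Scuba Analytics" step ("copy the appropriate URL(s) based on your requirement") and the Configure Scuba Analytics SSO section ("appropriate copied URLs") never say which URLs the support team needs; since the app is IDP-initiated only, name the values to copy so the reader does not have to guess. Next steps carries the same `organizationΓÇÖs` mojibake and "protects exfiltration" wording (should be "protects against exfiltration") as the other files in this update.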
active-directory Timetrack Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/timetrack-tutorial.md
+
+ Title: 'Tutorial: Azure AD SSO integration with TimeTrack'
+description: Learn how to configure single sign-on between Azure Active Directory and TimeTrack.
++++++++ Last updated : 01/20/2022++++
+# Tutorial: Azure AD SSO integration with TimeTrack
+
+In this tutorial, you'll learn how to integrate TimeTrack with Azure Active Directory (Azure AD). When you integrate TimeTrack with Azure AD, you can:
+
+* Control in Azure AD who has access to TimeTrack.
+* Enable your users to be automatically signed-in to TimeTrack with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* TimeTrack single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* TimeTrack supports **SP and IDP** initiated SSO.
+
+## Add TimeTrack from the gallery
+
+To configure the integration of TimeTrack into Azure AD, you need to add TimeTrack from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **TimeTrack** in the search box.
+1. Select **TimeTrack** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for TimeTrack
+
+Configure and test Azure AD SSO with TimeTrack using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in TimeTrack.
+
+To configure and test Azure AD SSO with TimeTrack, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure TimeTrack SSO](#configure-timetrack-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create TimeTrack test user](#create-timetrack-test-user)** - to have a counterpart of B.Simon in TimeTrack that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **TimeTrack** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `https://<tenant>.timetrackenterprise.com/api/v2/azure/saml20`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<tenant>.timetrackenterprise.com/api/v2/azure/callback`
+
+ c. In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<tenant>.timetrackenterprise.com`
+
+ d. In the **Relay State** text box, type a URL using the following pattern:
+ `<ID>`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL, Sign-on URL and Relay State. Contact [TimeTrack Client support team](mailto:info@timetrackapp.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. In the **SAML Signing Certificate** section, click **Edit** button to open **SAML Signing Certificate** dialog.
+
+ ![Edit SAML Signing Certificate](common/edit-certificate.png)
+
+1. In the **SAML Signing Certificate** section, copy the **Thumbprint Value** and save it on your computer.
+
+ ![Copy Thumbprint value](common/copy-thumbprint.png)
+
+1. On the **Set up TimeTrack** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to TimeTrack.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **TimeTrack**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure TimeTrack SSO
+
+To configure single sign-on on **TimeTrack** side, you need to send the **Thumbprint Value** and appropriate copied URLs from Azure portal to [TimeTrack support team](mailto:info@timetrackapp.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create TimeTrack test user
+
+In this section, you create a user called Britta Simon in TimeTrack. Work with [TimeTrack support team](mailto:info@timetrackapp.com) to add the users in the TimeTrack platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to TimeTrack Sign on URL where you can initiate the login flow.
+
+* Go to TimeTrack Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the TimeTrack for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the TimeTrack tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the TimeTrack for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure TimeTrack you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
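Review bot: the Relay State step (item d under Basic SAML Configuration) tells the reader to "type a URL using the following pattern: `<ID>`", but the value is an opaque identifier, not a URL; reword it to "type the Relay State value in the following format" so nobody tries to enter a URL there. Three smaller points in the same file: the test user is "B.Simon" everywhere except the "Create TimeTrack test user" section, which calls them "Britta Simon"; the `#### SP initiated:` and `#### IDP initiated:` headings sit directly under the `## Test SSO` h2 (skipping h3) and carry trailing colons, unlike every other heading in the file; and the Next steps line has the same `ΓÇÖ` mojibake and the old "Microsoft Cloud App Security" name that the Workplace by Meta tutorial in this update renders with a plain apostrophe and "Microsoft Defender for Cloud Apps".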
active-directory Workplacebyfacebook Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/workplacebyfacebook-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Workplace by Facebook | Microsoft Docs'
-description: Learn how to configure single sign-on between Azure Active Directory and Workplace by Facebook.
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Workplace by Meta | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Workplace by Meta.
Last updated 06/15/2021
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Workplace by Facebook
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Workplace by Meta
-In this tutorial, you'll learn how to integrate Workplace by Facebook with Azure Active Directory (Azure AD). When you integrate Workplace by Facebook with Azure AD, you can:
+In this tutorial, you'll learn how to integrate Workplace by Meta with Azure Active Directory (Azure AD). When you integrate Workplace by Meta with Azure AD, you can:
-* Control in Azure AD who has access to Workplace by Facebook.
-* Enable your users to be automatically signed-in to Workplace by Facebook with their Azure AD accounts.
+* Control in Azure AD who has access to Workplace by Meta.
+* Enable your users to be automatically signed-in to Workplace by Meta with their Azure AD accounts.
* Manage your accounts in one central location - the Azure portal.
In this tutorial, you'll learn how to integrate Workplace by Facebook with Azure
To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Workplace by Facebook single sign-on (SSO) enabled subscription.
+* Workplace by Meta single sign-on (SSO) enabled subscription.
> [!NOTE]
-> Facebook has two products, Workplace Standard (free) and Workplace Premium (paid). Any Workplace Premium tenant can configure SCIM and SSO integration with no other implications to cost or licenses required. SSO and SCIM are not available in Workplace Standard instances.
+> Meta has two products, Workplace Standard (free) and Workplace Premium (paid). Any Workplace Premium tenant can configure SCIM and SSO integration with no other implications to cost or licenses required. SSO and SCIM are not available in Workplace Standard instances.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Workplace by Facebook supports **SP** initiated SSO.
-* Workplace by Facebook supports **just-in-time provisioning**.
-* Workplace by Facebook supports **[automatic User Provisioning](workplace-by-facebook-provisioning-tutorial.md)**.
-* Workplace by Facebook Mobile application can now be configured with Azure AD for enabling SSO. In this tutorial, you configure and test Azure AD SSO in a test environment.
+* Workplace by Meta supports **SP** initiated SSO.
+* Workplace by Meta supports **just-in-time provisioning**.
+* Workplace by Meta supports **[automatic User Provisioning](workplace-by-facebook-provisioning-tutorial.md)**.
+* Workplace by Meta Mobile application can now be configured with Azure AD for enabling SSO. In this tutorial, you configure and test Azure AD SSO in a test environment.
-## Adding Workplace by Facebook from the gallery
+## Adding Workplace by Meta from the gallery
-To configure the integration of Workplace by Facebook into Azure AD, you need to add Workplace by Facebook from the gallery to your list of managed SaaS apps.
+To configure the integration of Workplace by Meta into Azure AD, you need to add Workplace by Meta from the gallery to your list of managed SaaS apps.
1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account. 1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **Workplace by Facebook** in the search box.
-1. Select **Workplace by Facebook** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+1. In the **Add from the gallery** section, type **Workplace by Meta** in the search box.
+1. Select **Workplace by Meta** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO for Workplace by Facebook
+## Configure and test Azure AD SSO for Workplace by Meta
-Configure and test Azure AD SSO with Workplace by Facebook using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Workplace by Facebook.
+Configure and test Azure AD SSO with Workplace by Meta using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Workplace by Meta.
-To configure and test Azure AD SSO with Workplace by Facebook, perform the following steps:
+To configure and test Azure AD SSO with Workplace by Meta, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-2. **[Configure Workplace by Facebook SSO](#configure-workplace-by-facebook-sso)** - to configure the Single Sign-On settings on application side.
- 1. **[Create Workplace by Facebook test user](#create-workplace-by-facebook-test-user)** - to have a counterpart of B.Simon in Workplace by Facebook that is linked to the Azure AD representation of user.
+2. **[Configure Workplace by Meta SSO](#configure-workplace-by-meta-sso)** - to configure the Single Sign-On settings on application side.
+ 1. **[Create Workplace by Meta test user](#create-workplace-by-meta-test-user)** - to have a counterpart of B.Simon in Workplace by Meta that is linked to the Azure AD representation of user.
3. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the Azure portal, on the **Workplace by Facebook** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Workplace by Meta** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**. 1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
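Review bot: the last Scenario description bullet ("Workplace by Meta Mobile application can now be configured with Azure AD for enabling SSO. In this tutorial, you configure and test Azure AD SSO in a test environment.") carries the rename over verbatim, including a second sentence that only repeats the line that opens the section; trim the bullet to its first sentence. The provisioning link in the bullet above it still points at `workplace-by-facebook-provisioning-tutorial.md`; that is fine as long as that file is not renamed in the same change, but it should be checked together with the `./media/workplacebyfacebook-tutorial/` image paths so the cross-references do not break when those are renamed later.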
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields: a. In the **Sign on URL** (found in WorkPlace as the Recipient URL) text box, type a URL using the following pattern:
- `https://.facebook.com/work/saml.php`
+ `https://.workplace.com/work/saml.php`
b. In the **Identifier (Entity ID)** (found in WorkPlace as the Audience URL) text box, type a URL using the following pattern:
- `https://www.facebook.com/company/`
+ `https://www.workplace.com/company/`
c. In the **Reply URL** (found in WorkPlace as the Assertion Consumer Service) text box, type a URL using the following pattern:
- `https://.facebook.com/work/saml.php`
+ `https://.workplace.com/work/saml.php`
> [!NOTE] > These values are not the real. Update these values with the actual Sign-On URL, Identifier and Reply URL. See the Authentication page of the Workplace Company Dashboard for the correct values for your Workplace community, this is explained later in the tutorial.
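Review bot: the three URL patterns under Basic SAML Configuration (`https://.workplace.com/work/saml.php`, `https://www.workplace.com/company/`, and the Reply URL) have lost their placeholders: the host label before `.workplace.com` is empty and the company URL ends in a bare slash, so a reader cannot tell what to substitute. The `-` lines had the same defect on the `facebook.com` domains, so the rename is faithful, but this is the moment to restore placeholder tokens in the style the TimeTrack tutorial in this update uses (`<tenant>`, `<ID>` inside code spans). Also, the note that follows reads "These values are not the real"; drop "the".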
Follow these steps to enable Azure AD SSO in the Azure portal.
![The Certificate download link](common/certificatebase64.png)
-1. On the **Set up Workplace by Facebook** section, copy the appropriate URL(s) based on your requirement.
+1. On the **Set up Workplace by Meta** section, copy the appropriate URL(s) based on your requirement.
![Copy configuration URLs](common/copy-configuration-urls.png)
In this section, you'll create a test user in the Azure portal called B.Simon.
### Assign the Azure AD test user
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Workplace by Facebook.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Workplace by Meta.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Workplace by Facebook**.
+1. In the applications list, select **Workplace by Meta**.
1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog. 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure Workplace by Facebook SSO
+## Configure Workplace by Meta SSO
-1. To automate the configuration within Workplace by Facebook, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
+1. To automate the configuration within Workplace by Meta, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
![My apps extension](common/install-myappssecure-extension.png)
-1. After adding extension to the browser, click on **Set up Workplace by Facebook** will direct you to the Workplace by Facebook application. From there, provide the admin credentials to sign into Workplace by Facebook. The browser extension will automatically configure the application for you and automate steps 3-5.
+1. After adding extension to the browser, click on **Set up Workplace by Meta** will direct you to the Workplace by Meta application. From there, provide the admin credentials to sign into Workplace by Meta. The browser extension will automatically configure the application for you and automate steps 3-5.
![Setup configuration](common/setup-sso.png)
-1. If you want to setup Workplace by Facebook manually, open a new web browser window and sign into your Workplace by Facebook company site as an administrator and perform the following steps:
+1. If you want to setup Workplace by Meta manually, open a new web browser window and sign into your Workplace by Meta company site as an administrator and perform the following steps:
> [!NOTE] > As part of the SAML authentication process, Workplace may utilize query strings of up to 2.5 kilobytes in size in order to pass parameters to Azure AD.
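Review bot: "click on **Set up Workplace by Meta** will direct you to the Workplace by Meta application" is ungrammatical; make it "clicking **Set up Workplace by Meta** directs you to the Workplace by Meta application". In the next step, "If you want to setup Workplace by Meta manually" should read "set up" (verb), matching "Set up" in the button name just above.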
You can configure Workplace to prompt for a SAML check every day, three days, we
You can also force a SAML reset for all users using the button: Require SAML authentication for all users now.
-### Create Workplace by Facebook test user
+### Create Workplace by Meta test user
-In this section, a user called B.Simon is created in Workplace by Facebook. Workplace by Facebook supports just-in-time provisioning, which is enabled by default.
+In this section, a user called B.Simon is created in Workplace by Meta. Workplace by Meta supports just-in-time provisioning, which is enabled by default.
-There is no action for you in this section. If a user doesn't exist in Workplace by Facebook, a new one is created when you attempt to access Workplace by Facebook.
+There is no action for you in this section. If a user doesn't exist in Workplace by Meta, a new one is created when you attempt to access Workplace by Meta.
>[!Note]
->If you need to create a user manually, Contact [Workplace by Facebook Client support team](https://www.workplace.com/help/work/).
+>If you need to create a user manually, Contact [Workplace by Meta Client support team](https://www.workplace.com/help/work/).
## Test SSO In this section, you test your Azure AD single sign-on configuration with following options.
-* Click on **Test this application** in Azure portal. This will redirect to Workplace by Facebook Sign-on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Workplace by Meta Sign-on URL where you can initiate the login flow.
-* Go to Workplace by Facebook Sign-on URL directly and initiate the login flow from there.
+* Go to Workplace by Meta Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Workplace by Facebook tile in the My Apps, this will redirect to Workplace by Facebook Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
+* You can use Microsoft My Apps. When you click the Workplace by Meta tile in the My Apps, this will redirect to Workplace by Meta Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
-## Test SSO for Workplace by Facebook (mobile)
+## Test SSO for Workplace by Meta (mobile)
-1. Open Workplace by Facebook Mobile application. On the sign in page, click on **LOG IN**.
+1. Open Workplace by Meta Mobile application. On the sign in page, click on **LOG IN**.
![The sign in](./media/workplacebyfacebook-tutorial/test05.png)
In this section, you test your Azure AD single sign-on configuration with follow
## Next steps
-Once you configure Workplace by Facebook you can enforce Session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
+Once you configure Workplace by Meta you can enforce Session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
advisor Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/advisor/resource-graph-samples.md
Title: Azure Resource Graph sample queries for Azure Advisor description: Sample Azure Resource Graph queries for Azure Advisor showing use of resource types and tables to access Azure Advisor related resources and properties. Previously updated : 12/20/2021 Last updated : 01/20/2022
aks Aks Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/aks-migration.md
Stateless application migration is the most straightforward case:
Carefully plan your migration of stateful applications to avoid data loss or unexpected downtime.
-* If you use Azure Files, you can mount the file share as a volume into the new cluster. See [Mount Static Azure Files as a Volume](./azure-files-volume.md#mount-file-share-as-an-persistent-volume).
+* If you use Azure Files, you can mount the file share as a volume into the new cluster. See [Mount Static Azure Files as a Volume](./azure-files-volume.md#mount-file-share-as-a-persistent-volume).
* If you use Azure Managed Disks, you can only mount the disk if unattached to any VM. See [Mount Static Azure Disk as a Volume](./azure-disk-volume.md#mount-disk-as-volume). * If neither of those approaches work, you can use a backup and restore options. See [Velero on Azure](https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/blob/master/README.md).
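Review bot: the new anchor `#mount-file-share-as-a-persistent-volume` matches the heading rename to "Mount file share as a persistent volume" in azure-files-volume.md in this same update, so the cross-link stays valid. While here, the following context line says "you can use a backup and restore options"; drop "a" or make it "a backup and restore option".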
aks Azure Files Volume https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-files-volume.md
description: Learn how to manually create a volume with Azure Files for use with multiple concurrent pods in Azure Kubernetes Service (AKS) Previously updated : 07/08/2021 Last updated : 01/18/2022 #Customer intent: As a developer, I want to learn how to manually create and attach storage using Azure Files to a pod in AKS.
kubectl create secret generic azure-secret --from-literal=azurestorageaccountnam
``` ## Mount file share as an inline volume
-> Note: inline `azureFile` volume can only access secret in the same namespace as pod, to specify a different secret namespace, please use below persistent volume example instead.
+> [!NOTE]
+> Inline `azureFile` volume can only access secrets in the same namespace as the pod. To specify a different secret namespace, [please use the persistent volume example][persistent-volume-example] below instead.
To mount the Azure Files share into your pod, configure the volume in the container spec. Create a new file named `azure-files-pod.yaml` with the following contents. If you changed the name of the Files share or secret name, update the *shareName* and *secretName*. If desired, update the `mountPath`, which is the path where the Files share is mounted in the pod. For Windows Server containers, specify a *mountPath* using the Windows path convention, such as *'D:'*.
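Review bot: in the new `[!NOTE]`, the link text "please use the persistent volume example" puts "please" inside the link; the link should cover only "the persistent volume example" (or "persistent volume example below"). The security point the note is making is worth stating plainly rather than only as a limitation: an inline `azureFile` volume can only read the storage-account secret from the pod's own namespace, so the secret must be co-located with every workload that mounts the share; the PersistentVolume path is what lets the secret live in a namespace the workload's users cannot read.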
Volumes:
[...] ```
-## Mount file share as an persistent volume
+## Mount file share as a persistent volume
- Mount options The default value for *fileMode* and *dirMode* is *0777* for Kubernetes version 1.15 and above. The following example sets *0755* on the *PersistentVolume* object:
For storage class parameters, see [Static Provision(bring your own file share)](
[kubernetes-security-context]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ <!-- LINKS - internal -->
-[az-group-create]: /cli/azure/group#az_group_create
-[az-storage-create]: /cli/azure/storage/account#az_storage_account_create
-[az-storage-key-list]: /cli/azure/storage/account/keys#az_storage_account_keys_list
-[az-storage-share-create]: /cli/azure/storage/share#az_storage_share_create
[aks-quickstart-cli]: kubernetes-walkthrough.md [aks-quickstart-portal]: kubernetes-walkthrough-portal.md [install-azure-cli]: /cli/azure/install-azure-cli [operator-best-practices-storage]: operator-best-practices-storage.md [concepts-storage]: concepts-storage.md
+[persistent-volume-example]: #mount-file-share-as-a-persistent-volume
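Review bot: the four removed link definitions (`az-group-create`, `az-storage-create`, `az-storage-key-list`, `az-storage-share-create`) are deleted rather than updated; if any `[az group create][az-group-create]`-style reference remains in the body, it will now render as literal bracketed text. kubernetes-walkthrough.md in the same update keeps its `az-*` definitions and only normalizes the anchors from `az_` to `az-`; do the same here unless every reference to these labels has been removed from the body.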
aks Concepts Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/concepts-security.md
description: Learn about security in Azure Kubernetes Service (AKS), including m
Previously updated : 11/11/2021 Last updated : 01/20/2022
Container security protects the entire end-to-end pipeline from build to the app
The Secure Supply Chain includes the build environment and registry.
-Kubernetes includes security components, such as *pod security standards* and *Secrets*. Meanwhile, Azure includes components like Active Directory, Microsoft Defender for Cloud, Azure Policy, Azure Key Vault, network security groups and orchestrated cluster upgrades. AKS combines these security components to:
+Kubernetes includes security components, such as *pod security standards* and *Secrets*. Meanwhile, Azure includes components like Active Directory, Microsoft Defender for Containers, Azure Policy, Azure Key Vault, network security groups and orchestrated cluster upgrades. AKS combines these security components to:
* Provide a complete Authentication and Authorization story. * Leverage AKS Built-in Azure Policy to secure your applications. * End-to-End insight from build through your application with Microsoft Defender for Containers.
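Review bot: the list of Azure components in the rewritten sentence names "Active Directory" where "Azure Active Directory" is meant. The swap of "Microsoft Defender for Cloud" for "Microsoft Defender for Containers" narrows the claim: Defender for Containers is the container plan within Defender for Cloud, and the bullet that follows already says "End-to-End insight ... with Microsoft Defender for Containers", so either name is defensible, but the sentence and the bullets should use one consistently. Also "Leverage AKS Built-in Azure Policy" reads better as "Use the built-in Azure Policy definitions for AKS".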
To limit network traffic between pods in your cluster, AKS offers support for [K
## Application Security
-To protect pods running on AKS leverage [Microsoft Defender for Kubernetes][azure-defender-for-kubernetes] to detect and restrict cyber attacks against your applications running in your pods. Run continual scanning to detect drift in the vulnerability state of your application and implement a "blue/green/canary" process to patch and replace the vulnerable images.
+To protect pods running on AKS leverage [Microsoft Defender for Containers][microsoft-defender-for-containers] to detect and restrict cyber attacks against your applications running in your pods. Run continual scanning to detect drift in the vulnerability state of your application and implement a "blue/green/canary" process to patch and replace the vulnerable images.
## Kubernetes Secrets
For more information on core Kubernetes and AKS concepts, see:
[encryption-atrest]: ../security/fundamentals/encryption-atrest.md <!-- LINKS - Internal -->
-[azure-defender-for-kubernetes]: ../defender-for-cloud/container-security.md
+[microsoft-defender-for-containers]: ../defender-for-cloud/defender-for-containers-introduction.md
[aks-daemonsets]: concepts-clusters-workloads.md#daemonsets [aks-upgrade-cluster]: upgrade-cluster.md [aks-aad]: ./managed-aad.md
aks Kubernetes Walkthrough https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-walkthrough.md
Title: 'Quickstart: Deploy an AKS cluster by using Azure CLI'
description: Learn how to quickly create a Kubernetes cluster, deploy an application, and monitor performance in Azure Kubernetes Service (AKS) using the Azure CLI. Previously updated : 02/26/2021 Last updated : 01/18/2022 #Customer intent: As a developer or cluster operator, I want to quickly create an AKS cluster and deploy an application so that I can see how to run and monitor applications using the managed Kubernetes service in Azure.
To learn more about AKS, and walk through a complete code to deployment example,
[kubernetes-concepts]: concepts-clusters-workloads.md [aks-monitor]: ../azure-monitor/containers/container-insights-onboard.md [aks-tutorial]: ./tutorial-kubernetes-prepare-app.md
-[az-aks-browse]: /cli/azure/aks#az_aks_browse
-[az-aks-create]: /cli/azure/aks#az_aks_create
-[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
-[az-aks-install-cli]: /cli/azure/aks#az_aks_install_cli
-[az-group-create]: /cli/azure/group#az_group_create
-[az-group-delete]: /cli/azure/group#az_group_delete
+[az-aks-browse]: /cli/azure/aks#az-aks-browse
+[az-aks-create]: /cli/azure/aks#az-aks-create
+[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials
+[az-aks-install-cli]: /cli/azure/aks#az-aks-install-cli
+[az-group-create]: /cli/azure/group#az-group-create
+[az-group-delete]: /cli/azure/group#az-group-delete
[azure-cli-install]: /cli/azure/install_azure_cli [azure-monitor-containers]: ../azure-monitor/containers/container-insights-overview.md [sp-delete]: kubernetes-service-principal.md#additional-considerations
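Review bot: the last link definition, `[azure-cli-install]: /cli/azure/install_azure_cli`, still uses an underscore while the six definitions above it are normalized from `az_` to `az-`; azure-files-volume.md in this same update spells the same target `[install-azure-cli]: /cli/azure/install-azure-cli`, so change this one to the hyphenated path for consistency.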
aks Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Kubernetes Service (AKS) description: Lists Azure Policy Regulatory Compliance controls available for Azure Kubernetes Service (AKS). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
api-management Api Management Howto Aad B2c https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-aad-b2c.md
In this section, you'll create a user flow in your Azure Active Directory B2C te
1. Return to the browser tab for your Azure Active Directory B2C tenant in the Azure portal. Select **App registrations** > **+ New registration**. 1. In the **Register an application** page, enter your application's registration information. * In the **Name** section, enter an application name of your choosing.
- * In the **Supported account types** section, choose the type of accounts that are appropriate for your scenario. To target a wide set of customers, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**. For more information, see [Register an application](../active-directory/develop/quickstart-register-app.md#register-an-application).
+ * In the **Supported account types** section, select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**. For more information, see [Register an application](../active-directory/develop/quickstart-register-app.md#register-an-application).
* In **Redirect URI**, enter the Redirect URL your copied from your API Management instance. * In **Permissions**, select **Grant admin consent to openid and offline_access permissions.** * Select **Register** to create the application.
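Review bot: the replaced **Supported account types** bullet (the `-`/`+` pair above) drops the sentence that told readers to choose the account type appropriate for their scenario and now prescribes the broadest option unconditionally. Keep a short qualifier, e.g. "Select **Accounts in any identity provider or organizational directory (for authenticating users with user flows)** if you want any user of your user flows to sign in; pick a narrower option if your scenario only needs one directory", so the reader understands that this setting widens who can authenticate to the application. While here, the unchanged context line still reads "the Redirect URL your copied"; it should be "you copied".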
api-management Api Management Howto Add Products https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-add-products.md
description: In this tutorial, you create and publish a product in Azure API Man
Previously updated : 12/15/2021 Last updated : 01/18/2022 # Tutorial: Create and publish a product
-In Azure API Management, a [*product*](api-management-terminology.md#term-definitions) contains one or more APIs, a usage quota, and the terms of use. After a product is published, developers can subscribe to the product and begin to use the product's APIs.
+In Azure API Management, a [*product*](api-management-terminology.md#term-definitions) contains one or more APIs, a usage quota, and the terms of use. After a product is published, developers can [subscribe](api-management-subscriptions.md) to the product and begin to use the product's APIs.
In this tutorial, you learn how to: > [!div class="checklist"] > * Create and publish a product > * Add an API to the product
+> * Access product APIs
:::image type="content" source="media/api-management-howto-add-products/added-product-1.png" alt-text="API Management products in portal":::
In this tutorial, you learn how to:
|--|-| | Display name | The name as you want it to be shown in the [developer portal](api-management-howto-developer-portal.md). | | Description | Provide information about the product such as its purpose, the APIs it provides access to, and other details. |
- | Published | Select **Published** if you want to publish the product. Before the APIs in a product can be called, the product must be published. By default, new products are unpublished, and are visible only to the **Administrators** group. |
- | Requires subscription | Select if a user is required to subscribe to use the product. |
+ | State | Select **Published** if you want to publish the product. Before the APIs in a product can be called, the product must be published. By default, new products are unpublished, and are visible only to the **Administrators** group. |
+ | Requires subscription | Select if a user is required to subscribe to use the product (the product is *protected*) and a subscription key must be used to access the product's APIs. If a subscription isn't required (the product is *open*), a subscription key isn't required to access the product's APIs. See [Access to product APIs](#access-to-product-apis) later in this article. |
| Requires approval | Select if you want an administrator to review and accept or reject subscription attempts to this product. If not selected, subscription attempts are auto-approved. |
- | Subscription count limit | Optionally, limit the count of multiple simultaneous subscriptions. |
- | Legal terms | You can include the terms of use for the product, which subscribers must accept to use the product. |
- | APIs | Select one or more APIs. You can also add APIs after creating the product. For more information, see [Add APIs to a product](#add-apis-to-a-product) later in this article. |
+ | Subscription count limit | Optionally limit the count of multiple simultaneous subscriptions. |
+ | Legal terms | You can include the terms of use for the product which subscribers must accept in order to use the product. |
+ | APIs | Select one or more APIs. You can also add APIs after creating the product. For more information, see [Add APIs to a product](#add-apis-to-a-product) later in this article. <br/><br/>If the product is open (doesn't require a subscription), you can only add an API that isn't associated with another open product. |
1. Select **Create** to create your new product.
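Review bot: the rewritten **Subscription count limit** and **Legal terms** rows ("Optionally limit", "which subscribers must accept in order to use the product") now diverge from the CLI table further down, which still reads "Optionally, limit" and "which subscribers must accept to use the product"; the original wording was fine, so keep the two tables identical. The new **Requires subscription** row is the substantive change, and it should say plainly that an *open* product can be called by any client that can reach the gateway, so that the "See [Access to product APIs]" pointer reads as "go and configure one of the other controls" (OAuth 2.0, client certificates, caller IP restriction, as listed in the new section) rather than as optional reading.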
You can specify various values for your product:
| `--product-name` | The name as you want it to be shown in the [developer portal](api-management-howto-developer-portal.md). | | `--description` | Provide information about the product such as its purpose, the APIs it provides access to, and other details. | | `--state` | Select **published** if you want to publish the product. Before the APIs in a product can be called, the product must be published. By default, new products are unpublished, and are visible only to the **Administrators** group. |
- | `--subscription-required` | Select if a user is required to subscribe to use the product. |
+ | `--subscription-required` | Select if a user is required to subscribe to use the product (the product is *protected*) or a subscription isn't required (the product is *open*). See [Access to product APIs](#access-to-product-apis) later in this article. |
| `--approval-required` | Select if you want an administrator to review and accept or reject subscription attempts to this product. If not selected, subscription attempts are auto-approved. | | `--subscriptions-limit` | Optionally, limit the count of multiple simultaneous subscriptions.| | `--legal-terms` | You can include the terms of use for the product, which subscribers must accept to use the product. |
Continue configuring the product after saving it. In your API Management instanc
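Review bot: the `--subscription-required` row still says "Select if ...", which is portal wording; for a CLI parameter state the value to pass, e.g. "Set to `true` to make the product *protected* (a subscription key is required to call its APIs) or `false` to make it *open*." The row also lost the statement the portal table carries that a subscription key must be used to access a protected product's APIs; keep both descriptions aligned so the two paths document the same behaviour.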
Products are associations of one or more APIs. You can include many APIs and offer them to developers through the developer portal. During the product creation, you can add one or more existing APIs. You can also add APIs to the product later, either from the Products **Settings** page or while creating an API.
-Developers must first subscribe to a product to get access to the API. When they subscribe, they get a subscription key that is good for any API in that product. If you created the API Management instance, you're an administrator already, so you're subscribed to every product by default.
- ### Add an API to an existing product ### [Portal](#tab/azure-portal)
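Review bot: the removed line deletes both the **Add an API to an existing product** heading and the `### [Portal](#tab/azure-portal)` tab header, but the matching Azure CLI tab header and the tab terminator are not visible in this diff; confirm they were removed as well (or that the heading is reintroduced elsewhere), otherwise the tab set renders unbalanced. The content of the deleted "Developers must first subscribe ..." paragraph reappears under the new **Protected product** bullet, so that part of the removal is fine.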
az apim product api delete --resource-group apim-hello-word-resource-group \
-> [!TIP]
-> You can create or update a user's subscription to a product with custom subscription keys through a [REST API](/rest/api/apimanagement/current-ga/subscription/create-or-update) or PowerShell command.
+## Access to product APIs
+
+After you publish a product, developers can access the APIs. Depending on how the product is configured, they may need to subscribe to the product for access.
+
+* **Protected product** - Developers must first subscribe to a protected product to get access to the product's APIs. When they subscribe, they get a subscription key that can access any API in that product. If you created the API Management instance, you are an administrator already, so you are subscribed to every product by default. For more information, see [Subscriptions in Azure API Management](api-management-subscriptions.md).
+
+ When a client makes an API request with a valid product subscription key, API Management processes the request and permits access in the context of the product. Policies and access control rules configured for the product can be applied.
+
+ > [!TIP]
+ > You can create or update a user's subscription to a product with custom subscription keys through a [REST API](/rest/api/apimanagement/current-ga/subscription/create-or-update) or PowerShell command.
+
+* **Open product** - Developers can access an open product's APIs without a subscription key. However, you can configure other mechanisms to secure client access to the APIs, including [OAuth 2.0](api-management-howto-protect-backend-with-aad.md), [client certificates](api-management-howto-mutual-certificates-for-clients.md), and [restricting caller IP addresses](./api-management-access-restriction-policies.md#RestrictCallerIPs).
+
+ When a client makes an API request without a subscription key:
+
+ * API Management checks whether the API is associated with an open product.
+
+ * If the open product exists, it then processes the request in the context of that open product. Policies and access control rules configured for the open product can be applied.
+
+For more information, see [How API Management handles requests with or without subscription keys](api-management-subscriptions.md#how-api-management-handles-requests-with-or-without-subscription-keys).
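Review bot: the two-bullet list under **Open product** ("API Management checks whether the API is associated with an open product" / "If the open product exists ...") stops at the success case; add the outcome when no open product exists, namely that the API's own **Subscription required** setting is checked next and, if a subscription is still required, the request is rejected, as the linked "How API Management handles requests with or without subscription keys" section spells out in its three numbered rules. Without that, a reader may conclude that a key-less request to an API in a protected product is quietly processed. In the same bullet, state that the OAuth 2.0, client certificate and caller-IP controls are applied as policies on the product or API, because an open product with no such policy is reachable by anyone who can reach the gateway.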
## Next steps
In this tutorial, you learned how to:
> [!div class="checklist"] > * Create and publish a product > * Add an API to the product
+> * Access product APIs
Advance to the next tutorial:
api-management Api Management Revisions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-revisions.md
When you create a revision, you can set a description for your own tracking purp
When you set a revision as current you can also optionally specify a public change log note. The change log is included in the developer portal for your API users to view. You can modify your change log note using the `Update-AzApiManagementApiRelease` PowerShell cmdlet.
-> [!NOTE]
-> Certain API properties such as **Display name** and the **API suffix** can only be updated in the current revision.
+> [!CAUTION]
+> If you are editing a non-current revision of an API, you cannot change the following properties:
+>
+> * Name
+> * Type
+> * Description
+> * Subscription required
+> * API version
+> * API version description
+> * Path
+> * Protocols
+>
+> These properties can only be changed in the current revision. If your edits change any of the above
+> properties of a non-current revision, the error message `Can't change property for non-current revision` will be displayed.
## Versions and revisions
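Review bot: the replaced note named **Display name** and **API suffix** as the properties locked to the current revision, while the new list says *Name* and *Path*; if these are the same fields under their portal labels, use one set of names or mention both, otherwise readers will assume display name and suffix can now be edited in a non-current revision. The error text `Can't change property for non-current revision` is quoted as an exact string, so check it matches what the service returns. It is also worth stating that because **Subscription required** is in the list, a key requirement cannot be relaxed or tightened by editing a non-current revision, which is an access-control detail readers will look for.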
api-management Api Management Subscriptions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-subscriptions.md
Title: Subscriptions in Azure API Management | Microsoft Docs
-description: Learn about the concept of subscriptions in Azure API Management. Consumers get access to APIs by using subscriptions in Azure API Management.
+description: Learn about the concept of subscriptions in Azure API Management. Consumers commonly get access to APIs by using subscriptions in Azure API Management.
documentationcenter: '' - -- Previously updated : 11/22/2021+ Last updated : 01/05/2022 # Subscriptions in Azure API Management
In Azure API Management, *subscriptions* are the most common way for API consume
## What are subscriptions?
-By publishing APIs through API Management, you can easily secure API access using subscription keys. Consume the published APIs by including a valid subscription key in the HTTP requests when calling to those APIs. Without a valid subscription key, the calls will:
-* Be rejected immediately by the API Management gateway.
-* Not be forwarded to the back-end services.
+By publishing APIs through API Management, you can easily secure API access using subscription keys. Developers who need to consume the published APIs must include a valid subscription key in HTTP requests when calling those APIs. Without a valid subscription key, the calls are:
+* Rejected immediately by the API Management gateway.
+* Not forwarded to the back-end services.
To access APIs, you'll need a subscription and a subscription key. A *subscription* is a named container for a pair of subscription keys.
-Regularly regenerating keys is a common security precaution, so most Azure products requiring a subscription key will generate keys in pairs. Each application using the service can switch from *key A* to *key B* and regenerate key A with minimal disruption, and vice versa.
+> [!NOTE]
+> Regularly regenerating keys is a common security precaution. Like most Azure services requiring a subscription key, API Management generates keys in pairs. Each application using the service can switch from *key A* to *key B* and regenerate key A with minimal disruption, and vice versa.
In addition,
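Review bot: "Without a valid subscription key, the calls are: Rejected immediately ... Not forwarded ..." is stated unconditionally, yet the new **How API Management handles requests with or without subscription keys** section added in this same change says key-less requests are processed when the API belongs to an open product or has **Subscription required** disabled. Qualify the sentence, e.g. "For products and APIs that require a subscription, calls without a valid subscription key are:", so the security claim is accurate. The new NOTE on key pairs would be clearer if it said outright that both keys of a pair are valid at the same time; that is the property that makes the switch-then-regenerate sequence non-disruptive.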
## Scope of subscriptions
-Subscriptions can be associated with various scopes: product, all APIs, or an individual API.
+Subscriptions can be associated with various scopes: [product](api-management-howto-add-products.md), all APIs, or an individual API.
### Subscriptions for a product
-Traditionally, subscriptions in API Management were associated with a single [API product](api-management-terminology.md) scope. Developers:
+Traditionally, subscriptions in API Management were associated with a single [product](api-management-terminology.md) scope. Developers:
* Found the list of products on the developer portal. * Submitted subscription requests for the products they wanted to use. * Use the keys in those subscriptions (approved either automatically or by API publishers) to access all APIs in the product.
- * You can access APIs with or without the subscription key regardless of subscription scope (product, global, or API).
Currently, the developer portal only shows the product scope subscriptions under the **User Profile** section. ![Product subscriptions](./media/api-management-subscriptions/product-subscription.png)
-> [!TIP]
-> Under certain scenarios, API publishers might want to publish an API product to the public without the requirement of subscriptions. They can deselect the **Require subscription** option on the **Settings** page of the product in the Azure portal. As a result, all APIs under the product can be accessed without an API key.
- ### Subscriptions for all APIs or an individual API
-With the addition of the [Consumption](https://aka.ms/apimconsumptionblog) tier of API Management, subscription key management is more streamlined.
-
-#### Two more subscription scopes
-
-Subscription scopes aren't limited to an API product. You can create keys that grant access to either:
-* a single API, or
+You can also create keys that grant access to either:
+* A single API, or
* All APIs within an API Management instance.
-You don't need to create a product before adding APIs to it.
+In these cases, you don't need to create a product and add APIs to it first.
+
+### All-access subscription
Each API Management instance comes with an immutable, all-APIs subscription (also called an *all-access* subscription). This built-in subscription makes it straightforward to test and debug APIs within the test console. > [!NOTE]
-> If you're using an API-scoped subscription or the all-access subscription, any [policies](api-management-howto-policies.md) configured at the product scope aren't applied to that subscription.
+> If you're using an API-scoped subscription or the all-access subscription, any [policies](api-management-howto-policies.md) configured at the product scope aren't applied to requests from that subscription.
-#### Standalone subscriptions
+### Standalone subscriptions
-API Management now allows *standalone* subscriptions. You no longer need to associate subscriptions with a developer account. This feature proves useful in scenarios similar to several developers or teams sharing a subscription.
+API Management also allows *standalone* subscriptions, which are not associated with a developer account. This feature proves useful in scenarios similar to several developers or teams sharing a subscription.
Creating a subscription without assigning an owner makes it a standalone subscription. To grant developers and the rest of your team access to the standalone subscription key, either: * Manually share the subscription key. * Use a custom system to make the subscription key available to your team.
-#### Creating subscriptions in Azure portal
+## Create subscriptions in Azure portal
API publishers can [create subscriptions](api-management-howto-create-subscriptions.md) directly in the Azure portal: ![Flexible subscriptions](./media/api-management-subscriptions/flexible-subscription.png)
+## How API Management handles requests with or without subscription keys
+
+By default, a developer can only access a product or API by using a subscription key. Under certain scenarios, API publishers might want to publish a product or a particular API to the public without the requirement of subscriptions. While a publisher could choose to enable unsecured access to certain APIs, configuring another mechanism to secure client access is recommended.
+
+To disable the subscription requirement using the portal:
+
+* **Product** - Disable **Requires subscription** on the **Settings** page of the product.
+* **API** - Disable **Subscription required** on the **Settings** page of the API.
+
+After disabling the subscription requirement, the selected API or APIs can be accessed without a subscription key.
+
+When API Management receives an API request from a client without a subscription key, it handles the request according to these rules:
+
+1. Check first for the existence of a product that includes the API but doesn't require a subscription (an *open* product). If the open product exists, handle the request in the context of the APIs, policies, and access rules configured for the product.
+1. If an open product including the API isn't found, check whether the API requires a subscription. If a subscription isn't required, handle the request in the context of that API and operation.
+1. If no configured product or API is found, then access is denied.
+ ## Next steps Get more information on API Management: ++ Learn how API Management [policies](set-edit-policies.md#configure-scope) get applied at different scopes. + Learn other [concepts](api-management-terminology.md) in API Management. + Follow our [tutorials](import-and-publish.md) to learn more about API Management. + Check our [FAQ page](api-management-faq.yml) for common questions.
api-management Configure Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/configure-custom-domain.md
-# Mandatory fields. See more on aka.ms/skyeye/meta.
Title: Configure custom domain name for Azure API Management instance
-description: This topic describes how to configure a custom domain name for your Azure API Management instance.
+description: How to configure a custom domain name and choose certificates for the endpoints of your Azure API Management instance.
documentationcenter: '' - -- Previously updated : 08/24/2021+ Last updated : 01/11/2022 # Configure a custom domain name for your Azure API Management instance
-When you create an Azure API Management service instance, Azure assigns it a `azure-api.net` subdomain (for example, `apim-service-name.azure-api.net`). You can also expose your API Management endpoints using your own custom domain name, such as **`contoso.com`**. This tutorial shows you how to map an existing custom DNS name to endpoints exposed by an API Management instance.
+When you create an Azure API Management service instance in the Azure cloud, Azure assigns it a `azure-api.net` subdomain (for example, `apim-service-name.azure-api.net`). You can also expose your API Management endpoints using your own custom domain name, such as **`contoso.com`**. This article shows you how to map an existing custom DNS name to endpoints exposed by an API Management instance.
> [!IMPORTANT]
-> API Management accepts only requests with [host header](https://tools.ietf.org/html/rfc2616#section-14.23) values matching:
+> API Management only accepts requests with [host header](https://tools.ietf.org/html/rfc2616#section-14.23) values matching:
>
->* The default domain name
->* Any of the configured custom domain names
-
-> [!WARNING]
-> If you wish to improve the security of your applications with certificate pinning, you must use a custom domain name and certificate that you manage, not the default certificate. Pinning the default certificate takes a hard dependency on the properties of the certificate you don't manage, which we do not recommend.
+>* The Gateway's default domain name
+>* Any of the Gateway's configured custom domain names
## Prerequisites - An active Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)] - An API Management instance. For more information, see [Create an Azure API Management instance](get-started-create-service-instance.md).-- A custom domain name that is owned by you or your organization. This topic does not provide instructions on how to procure a custom domain name.-- A [CNAME-record hosted on a DNS server](#dns-configuration) that maps the custom domain name to the default domain name of your API Management instance. This topic does not provide instructions on how to host a CNAME-record.-- A valid certificate with a public and private key (.PFX). Subject or subject alternative name (SAN) has to match the domain name (this enables API Management instance to securely expose URLs over TLS).
+- A custom domain name that is owned by you or your organization. This article does not provide instructions on how to procure a custom domain name.
+- Optionally, a valid certificate with a public and private key (.PFX). The subject or subject alternative name (SAN) has to match the domain name (this enables API Management instance to securely expose URLs over TLS).
+
+ See [Domain certificate options](#domain-certificate-options).
+
+- DNS records hosted on a DNS server to map the custom domain name to the default domain name of your API Management instance. This topic does not provide instructions on how to host the DNS records.
+
+ For more information about required records, see [DNS configuration](#dns-configuration), later in this article.
+
+## Endpoints for custom domains
+
+There are several API Management service endpoints to which you can assign a custom domain name. Currently, the following endpoints are available:
+
+| Endpoint | Default |
+| -- | -- |
+| **Gateway** | Default is: `<apim-service-name>.azure-api.net`. Gateway is the only endpoint available for configuration in the Consumption tier.<br/><br/>The default Gateway endpoint configuration remains available after a custom Gateway domain is added. |
+| **Developer portal (legacy)** | Default is: `<apim-service-name>.portal.azure-api.net` |
+| **Developer portal** | Default is: `<apim-service-name>.developer.azure-api.net` |
+| **Management** | Default is: `<apim-service-name>.management.azure-api.net` |
+| **SCM** | Default is: `<apim-service-name>.scm.azure-api.net` |
+
+### Considerations
+* You can update any of the endpoints supported in your service tier. Typically, customers update **Gateway** (this URL is used to call the APIs exposed through API Management) and **Developer portal** (the developer portal URL).
+* Only API Management instance owners can use **Management** and **SCM** endpoints internally. These endpoints are less frequently assigned a custom domain name.
+* The **Premium** and **Developer** tiers support setting multiple hostnames for the **Gateway** endpoint.
+* Wildcard domain names, like `*.contoso.com`, are supported in all tiers except the Consumption tier.
+
+## Domain certificate options
+
+API Management supports custom TLS certificates or certificates imported from Azure Key Vault. You can also enable a free, managed certificate.
+
+> [!WARNING]
+> If you wish to improve the security of your applications with certificate pinning, you should use a custom domain name and either a custom or Key Vault certificate, not the default certificate or the free, managed certificate. We don't recommend taking a hard dependency on a certificate that you don't manage.
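Review bot: the prerequisite "Optionally, a valid certificate with a public and private key (.PFX)" understates the requirement: a certificate is only optional when you use the free managed certificate, which the **Managed** tab describes as preview, Gateway-only, unavailable for root domain names and unavailable in two regions. Word it as "A valid certificate ... unless you use the managed certificate (see the limitations under Domain certificate options)". Moving the certificate-pinning WARNING here is right; it could add one clause explaining why: the default and managed certificates are renewed on a schedule you don't control, so a pinned fingerprint will stop matching.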
-## Use the Azure portal to set a custom domain name
+# [Custom](#tab/custom)
+
+If you already have a private certificate from a third-party provider, you can upload it to your API Management instance. It must meet the following requirements. (If you enable the free certificate managed by API Management, it already meets these requirements.)
+
+* Exported as a PFX file, encrypted using triple DES, and optionally password protected.
+* Contains private key at least 2048 bits long
+* Contains all intermediate certificates and the root certificate in the certificate chain.
+
+# [Key Vault](#tab/key-vault)
+
+We recommend using Azure Key Vault to [manage your certificates](../key-vault/certificates/about-certificates.md) and setting them to `autorenew`.
+
+If you use Azure Key Vault to manage a custom domain TLS certificate, make sure the certificate is inserted into Key Vault [as a _certificate_](/rest/api/keyvault/createcertificate/createcertificate), not a _secret_.
+
+To fetch a TLS/SSL certificate, API Management must have the list and get secrets permissions on the Azure Key Vault containing the certificate.
+* When you use the Azure portal to import the certificate, all the necessary configuration steps are completed automatically.
+* When you use command-line tools or management API, these permissions must be granted manually, in two steps:
+ 1. On the **Managed identities** page of your API Management instance, enable a system-assigned or user-assigned [managed identity](api-management-howto-use-managed-service-identity.md). Note the principal Id on that page.
+ 1. Give the list and get secrets permissions to this principal Id on the Azure Key Vault containing the certificate.
+
+If the certificate is set to `autorenew` and your API Management tier has an SLA (that is, in all tiers except the Developer tier), API Management will pick up the latest version automatically, without downtime to the service.
+
+For more information, see [Use managed identities in Azure API Management](api-management-howto-use-managed-service-identity.md).
+
+# [Managed](#tab/managed)
+
+API Management offers a free, managed TLS certificate for your domain, if you don't wish to purchase and manage your own certificate. The certificate is autorenewed automatically.
+
+> [!NOTE]
+> The free, managed TLS certificate is available for all API Management service tiers. It is currently in preview.
+
+#### Limitations
+
+* Currently can be used only with the Gateway endpoint of your API Management service
+* Not supported in the following Azure regions: France South and South Africa West
+* Currently available only in the Azure cloud
+* Does not support root domain names (for example, `contoso.com`). Requires a fully qualified name such as `api.contoso.com`.
++
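Review bot: the **Custom** tab's requirement "encrypted using triple DES" is a hard constraint the page gives the reader no way to satisfy or verify; say how to check a PFX for it or which export option produces it, because an upload rejected on this point is hard to diagnose. The parenthetical "(If you enable the free certificate managed by API Management, it already meets these requirements.)" belongs in the **Managed** tab, not under the upload requirements for a certificate the reader supplies. In the **Key Vault** tab, "Give the list and get secrets permissions to this principal Id" is the right least-privilege grant; confirm and state that this is the complete set of permissions needed so readers don't over-grant, and note that a user-assigned identity is the option that lets one identity be shared across instances if that is the intent of listing both. In the **Managed** tab, "The certificate is autorenewed automatically" is redundant; "The certificate is renewed automatically" reads better.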
+## Set a custom domain name - portal
+
+Choose the steps according to the [domain certificate](#domain-certificate-options) you want to use.
+
+# [Custom](#tab/custom)
+1. Navigate to your API Management instance in the [Azure portal](https://portal.azure.com/).
+1. In the left navigation, select **Custom domains**.
+1. Select **+Add**, or select an existing [endpoint](#endpoints-for-custom-domains) that you want to update.
+1. In the window on the right, select the **Type** of endpoint for the custom domain.
+1. In the **Hostname** field, specify the name you want to use. For example, `api.contoso.com`.
+1. Under **Certificate**, select **Custom**
+1. Select **Certificate file** to select and upload a certificate.
+1. Upload a valid .PFX file and provide its **Password**, if the certificate is protected with a password.
+1. When configuring a Gateway endpoint, select or deselect [other options as necessary](#clients-calling-with-server-name-indication-sni-header), including **Negotiate client certificate** or **Default SSL binding**.
+ :::image type="content" source="media/configure-custom-domain/gateway-domain-custom-certificate.png" alt-text="Configure gateway domain with custom certificate":::
+1. Select **Add**, or select **Update** for an existing endpoint.
+1. Select **Save**.
+
+# [Key Vault](#tab/key-vault)
1. Navigate to your API Management instance in the [Azure portal](https://portal.azure.com/).
-1. Select **Custom domains**.
-
- There are a number of endpoints to which you can assign a custom domain name. Currently, the following endpoints are available:
-
- | Endpoint | Default |
- | -- | -- |
- | **Gateway** | Default is: `<apim-service-name>.azure-api.net`. Gateway is the only endpoint available for configuration in the Consumption tier. |
- | **Developer portal (legacy)** | Default is: `<apim-service-name>.portal.azure-api.net` |
- | **Developer portal** | Default is: `<apim-service-name>.developer.azure-api.net` |
- | **Management** | Default is: `<apim-service-name>.management.azure-api.net` |
- | **SCM** | Default is: `<apim-service-name>.scm.azure-api.net` |
-
- > [!NOTE]
- > You can update any of the endpoints. Typically, customers update **Gateway** (this URL is used to call the API exposed through API Management) and **Portal** (the developer portal URL).
- >
- > Only API Management instance owners can use **Management** and **SCM** endpoints internally. These endpoints are less frequently assigned a custom domain name.
- >
- > The **Premium** and **Developer** tiers support setting multiple host names for the **Gateway** endpoint.
-
-1. Select **+Add**, or select an existing endpoint that you want to update.
+1. In the left navigation, select **Custom domains**.
+1. Select **+Add**, or select an existing [endpoint](#endpoints-for-custom-domains) that you want to update.
1. In the window on the right, select the **Type** of endpoint for the custom domain. 1. In the **Hostname** field, specify the name you want to use. For example, `api.contoso.com`.
-1. Under **Certificate**, select either **Key Vault** or **Custom**.
- - **Key Vault**
- - Click **Select**.
- - Select the **Subscription** from the dropdown list.
- - Select the **Key vault** from the dropdown list.
- - Once the certificates have loaded, select the **Certificate** from the dropdown list.
- - Click **Select**.
- - **Custom**
- - Select the **Certificate file** field to select and upload a certificate.
- - Upload a valid .PFX file and provide its **Password**, if the certificate is protected with a password.
-1. When configuring a Gateway endpoint, select or deselect [other options as necessary](#clients-calling-with-server-name-indication-sni-header), like **Negotiate client certificate** or **Default SSL binding**.
-1. Select **Update**.
-
- > [!NOTE]
- > Wildcard domain names, like `*.contoso.com`, are supported in all tiers except the Consumption tier.
-
- > [!TIP]
- > We recommend using [Azure Key Vault for managing certificates](../key-vault/certificates/about-certificates.md) and setting them to `autorenew`.
- >
- > If you use Azure Key Vault to manage the custom domain TLS/SSL certificate, make sure the certificate is inserted into Key Vault [as a _certificate_](/rest/api/keyvault/createcertificate/createcertificate), not a _secret_.
- >
- > To fetch a TLS/SSL certificate, API Management must have the list and get secrets permissions on the Azure Key Vault containing the certificate.
- >
- >* When using Azure portal, all the necessary configuration steps will be completed automatically.
- >* When using command line tools or management API, these permissions must be granted manually, in two steps:
- > * Using the **Managed identities** page on your API Management instance, ensure that Managed Identity is enabled and note the principal id on that page.
- > * Give the permission list and get secrets permissions to this principal id on the Azure Key Vault containing the certificate.
- >
- > If the certificate is set to `autorenew` and your API Management tier has SLA (i. e. in all tiers except the Developer tier), API Management will pick up the latest version automatically, without any downtime to the service.
-
-1. Click Apply.
-
- > [!NOTE]
- > The process of assigning the certificate may take 15 minutes or more depending on size of deployment. Developer SKU has downtime, while Basic and higher SKUs do not.
+1. Under **Certificate**, select **Key Vault** and then **Select**.
+ 1. Select the **Subscription** from the dropdown list.
+ 1. Select the **Key vault** from the dropdown list.
+ 1. Once the certificates have loaded, select the **Certificate** from the dropdown list. Click **Select**.
+ 1. In **Client identity**, select a system-assigned identity or a user-assigned [managed identity](api-management-howto-use-managed-service-identity.md) enabled in the instance to access the key vault.
+1. When configuring a Gateway endpoint, select or deselect [other options as necessary](#clients-calling-with-server-name-indication-sni-header), including **Negotiate client certificate** or **Default SSL binding**.
+ :::image type="content" source="media/configure-custom-domain/gateway-domain-key-vault-certificate.png" alt-text="Configure gateway domain with Key Vault certificate":::
+1. Select **Add**, or select **Update** for an existing endpoint.
+1. Select **Save**.
+
+# [Managed](#tab/managed)
+
+1. Navigate to your API Management instance in the [Azure portal](https://portal.azure.com/).
+1. In the left navigation, select **Custom domains**.
+1. Select **+Add**, or select an existing [endpoint](#endpoints-for-custom-domains) that you want to update.
+1. In the window on the right, select the **Type** of endpoint for the custom domain.
+1. In the **Hostname** field, specify the name you want to use. For example, `api.contoso.com`.
+1. Under **Certificate**, select **Managed** to enable a free certificate managed by API Management. Te managed certificate is available in preview for the Gateway endpoint only.
+1. Copy the following values and use them to [configure DNS](#dns-configuration):
+ * **TXT record**
+ * **CNAME record**
+1. When configuring a Gateway endpoint, select or deselect [other options as necessary](#clients-calling-with-server-name-indication-sni-header), including **Negotiate client certificate** or **Default SSL binding**.
+ :::image type="content" source="media/configure-custom-domain/gateway-domain-free-certifcate.png" alt-text="Configure gateway domain with free certificate":::
+1. Select **Add**, or select **Update** for an existing endpoint.
+1. Select **Save**.
+
+
+> [!NOTE]
+> The process of assigning the certificate may take 15 minutes or more depending on size of deployment. Developer tier has downtime, while Basic and higher tiers do not.
[!INCLUDE [api-management-custom-domain](../../includes/api-management-custom-domain.md)] ## DNS configuration
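Review bot: the rewritten Key Vault steps drop the guidance that lived in the removed TIP block, namely that the certificate must be stored in Key Vault as a certificate rather than a secret, and that when the endpoint is configured through the CLI or the management API the identity chosen under **Client identity** must be granted the Key Vault list and get secrets permissions by hand, because only the portal grants them automatically. Without that, a non-portal setup fails at certificate fetch with no pointer to the cause; consider keeping a shortened form of the TIP next to the **Client identity** step, together with the `autorenew` note that API Management picks up a renewed certificate version without downtime on tiers that have an SLA. Two smaller points in the Managed tab: "Te managed certificate" should read "The managed certificate", and the image path `gateway-domain-free-certifcate.png` looks misspelled (`certifcate`), so confirm it matches the file that was checked in.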
-When configuring DNS for your custom domain name, you can either:
+* Configure a CNAME record for your custom domain.
+* When using API Management's free, managed certificate, also configure a TXT record to establish your ownership of the domain.
-- Configure a CNAME-record that points to the endpoint of your configured custom domain name, or-- Configure an A-record that points to your API Management gateway IP address.
+### CNAME record
-While CNAME-records (or alias records) and A-records both allow you to associate a domain name with a specific server or service, they work differently.
-
-### CNAME or Alias record
-A CNAME-record maps a *specific* domain (such as `contoso.com` or www\.contoso.com) to a canonical domain name. Once created, the CNAME creates an alias for the domain. The CNAME entry will resolve to the IP address of your custom domain service automatically, so if the IP address changes, you do not have to take any action.
+Configure a CNAME record that points from your custom domain name (for example, `api.contoso.com`) to your API Management service hostname (for example, `<apim-service-name>.azure-api.net`). A CNAME record is more stable than an A-record in case the IP address changes. For more information, see [IP addresses of Azure API Management](api-management-howto-ip-addresses.md#changes-to-the-ip-addresses) and the [API Management FAQ](./api-management-faq.yml#how-can-i-secure-the-connection-between-the-api-management-gateway-and-my-back-end-services-).
> [!NOTE]
-> Some domain registrars only allow you to map subdomains when using a CNAME-record, such as www\.contoso.com, and not root names, such as contoso.com. For more information on CNAME-records, see the documentation provided by your registrar, [the Wikipedia entry on CNAME-record](https://en.wikipedia.org/wiki/CNAME_record), or the [IETF Domain Names - Implementation and Specification](https://tools.ietf.org/html/rfc1035) document.
+> Some domain registrars only allow you to map subdomains when using a CNAME record, such as `www.contoso.com`, and not root names, such as `contoso.com`. For more information on CNAME records, see the documentation provided by your registrar or [IETF Domain Names - Implementation and Specification](https://tools.ietf.org/html/rfc1035).
-### A-record
-An A-record maps a domain, such as `contoso.com` or **www\.contoso.com**, *or a wildcard domain*, such as **\*.contoso.com**, to an IP address. Since an A-record is mapped to a static IP address, it cannot automatically resolve changes to the IP address. We recommend using the more stable CNAME-record instead of an A-record.
+### TXT record
-> [!NOTE]
-> Although the API Management instance IP address is static, it may change in a few scenarios. When choosing DNS configuration method, we recommend using a CNAME-record when configuring custom domain, as it is more stable than an A-record in case the IP changes. Read more in the [the IP documentation article](api-management-howto-ip-addresses.md#changes-to-the-ip-addresses) and the [API Management FAQ](./api-management-faq.yml#how-can-i-secure-the-connection-between-the-api-management-gateway-and-my-back-end-services-).
+When enabling the free, managed certificate for API Management, also configure a TXT record in your DNS zone to establish your ownership of the domain name.
+
+* The name of the record is your custom domain name prefixed by `apimuid`. Example: `apimuid.api.contoso.com`.
+* The value is a domain ownership identifier provided by your API Management instance.
+
+When you use the portal to configure the free, managed certificate for your custom domain, the name and value of the necessary TXT record are automatically displayed.
+
+You can also get a domain ownership identifier by calling the [Get Domain Ownership Identifier](/rest/api/apimanagement/current-ga/api-management-service/get-domain-ownership-identifier) REST API.
## Next steps
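Review bot: in the new CNAME paragraph the second link is presented as further reading on IP address changes, but its FAQ anchor is `how-can-i-secure-the-connection-between-the-api-management-gateway-and-my-back-end-services-`, which is about securing gateway-to-backend traffic, not about the gateway IP changing; the anchor was carried over from the removed A-record NOTE, so either point it at an FAQ entry about IP changes or drop it. Removing the A-record section also removes the only sentence saying that the instance IP address is static but may change in a few scenarios; the replacement keeps the recommendation but no longer tells the reader why an A-record is fragile, so one clause such as "because the instance IP address can change in some scenarios" would restore that. In the TXT record section, state whether the `apimuid` record must remain in place after the initial ownership check (for renewal) or can be removed once the certificate is issued; operators who clean up DNS after validation need to know either way.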
api-management Edit Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/edit-api.md
Title: Edit an API with the Azure portal | Microsoft Docs
description: Learn how to use API Management (APIM) to edit an API. Add, delete, or rename operations in the APIM instance, or edit the API's swagger. documentationcenter: ''--+ editor: '' na Previously updated : 11/08/2017- Last updated : 01/19/2022+ # Edit an API
-The steps in this tutorial show you how to use API Management (APIM) to edit an API.
+The steps in this tutorial show you how to use API Management (APIM) to edit an API.
-+ You can do it by adding, deleting, renaming operations in the APIM instance.
++ You can add, rename, or delete operations in the Azure portal. + You can edit your API's swagger. ## Prerequisites
You can update your backbend API from the Azure portal by following these steps:
3. Update the swagger. 4. Press **Save**.
+> [!CAUTION]
+> If you are editing a non-current revision of an API, you cannot change the following properties:
+>
+> * Name
+> * Type
+> * Description
+> * Subscription required
+> * API version
+> * API version description
+> * Path
+> * Protocols
+>
+> If your edits change any of the above properties of a non-current revision, the error message
+> `Can't change property for non-current revision` will be displayed.
+ [!INCLUDE [api-management-define-api-topics.md](../../includes/api-management-define-api-topics.md)] ## Next steps
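Review bot: the unchanged context line just above the new CAUTION block still reads "update your backbend API"; since this hunk already touches the intro of the same file, fix the typo to "backend" here rather than in a later change. The CAUTION itself is useful, but the list of locked properties and the `Can't change property for non-current revision` message would be easier to act on with a one-line pointer to how to make a revision current (a link to the API revisions article), otherwise the reader hits the error with no next step.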
api-management Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure API Management description: Lists Azure Policy Regulatory Compliance controls available for Azure API Management. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
api-management Self Hosted Gateway Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/self-hosted-gateway-overview.md
Previously updated : 05/25/2021 Last updated : 01/19/2022 # Self-hosted gateway overview
-This article explains how self-hosted gateway feature of Azure API Management enables hybrid and multi-cloud API management, presents its high-level architecture, and highlights its capabilities.
+This article explains how the self-hosted gateway feature of Azure API Management enables hybrid and multi-cloud API management, presents its high-level architecture, and highlights its capabilities.
## Hybrid and multi-cloud API management The self-hosted gateway feature expands API Management support for hybrid and multi-cloud environments and enables organizations to efficiently and securely manage APIs hosted on-premises and across clouds from a single API Management service in Azure.
-With the self-hosted gateway, customers have the flexibility to deploy a containerized version of the API Management gateway component to the same environments where they host their APIs. All self-hosted gateways are managed from the API Management service they are federated with, thus providing customers with the visibility and unified management experience across all internal and external APIs. Placing the gateways close to the APIs allow customers to optimize API traffic flows and address security and compliance requirements.
+With the self-hosted gateway, customers have the flexibility to deploy a containerized version of the API Management gateway component to the same environments where they host their APIs. All self-hosted gateways are managed from the API Management service they are federated with, thus providing customers with the visibility and unified management experience across all internal and external APIs. Placing the gateways close to the APIs allows customers to optimize API traffic flows and address security and compliance requirements.
Each API Management service is composed of the following key components: - Management plane, exposed as an API, used to configure the service via the Azure portal, PowerShell, and other supported mechanisms.-- Gateway (or data plane) is responsible for proxying API requests, applying policies, and collecting telemetry
+- Gateway (or data plane), which is responsible for proxying API requests, applying policies, and collecting telemetry
- Developer portal used by developers to discover, learn, and onboard to use the APIs
-By default, all these components are deployed in Azure, causing all API traffic (shown as solid black arrows on the picture below) to flow through Azure regardless of where backends implementing the APIs are hosted. The operational simplicity of this model comes at the cost of increased latency, compliance issues, and in some cases, additional data transfer fees.
+By default, all these components are deployed in Azure, causing all API traffic (shown as solid black arrows on the following picture) to flow through Azure regardless of where backends implementing the APIs are hosted. The operational simplicity of this model comes at the cost of increased latency, compliance issues, and in some cases, extra data transfer fees.
-![API traffic flow without self-hosted gateways](media/self-hosted-gateway-overview/without-gateways.png)
-Deploying self-hosted gateways into the same environments where the backend API implementations are hosted allows API traffic to flow directly to the backend APIs, which improves latency, optimizes data transfer costs, and enables compliance while retaining the benefits of having a single point of management, observability, and discovery of all APIs within the organization regardless of where their implementations are hosted.
+Deploying self-hosted gateways into the same environments where the backend API implementations are hosted allows API traffic to flow directly to the backend APIs, which reduces latency, optimizes data transfer costs, and enables compliance while retaining the benefits of having a single point of management, observability, and discovery of all APIs within the organization regardless of where their implementations are hosted.
-![API traffic flow with self-hosted gateways](media/self-hosted-gateway-overview/with-gateways.png)
## Packaging and features
-The self-hosted gateway is a containerized, functionally equivalent version of the managed gateway deployed to Azure as part of every API Management service. The self-hosted gateway is available as a Linux-based Docker [container](https://aka.ms/apim/sputnik/dhub) from the Microsoft Container Registry. It can be deployed to Docker, Kubernetes, or any other container orchestration solution running on a server cluster on premises, cloud infrastructure, or for evaluation and development purposes, on a personal computer. You can also deploy the self-hosted gateway as a cluster extension to an [Azure Arc-enabled Kubernetes cluster](./how-to-deploy-self-hosted-gateway-azure-arc.md).
+The self-hosted gateway is a containerized, functionally equivalent version of the managed gateway deployed to Azure as part of every API Management service. The self-hosted gateway is available as a Linux-based Docker [container image](https://aka.ms/apim/sputnik/dhub) from the Microsoft Container Registry. It can be deployed to Docker, Kubernetes, or any other container orchestration solution running on a server cluster on premises, cloud infrastructure, or for evaluation and development purposes, on a personal computer. You can also deploy the self-hosted gateway as a cluster extension to an [Azure Arc-enabled Kubernetes cluster](./how-to-deploy-self-hosted-gateway-azure-arc.md).
The following functionality found in the managed gateways is **not available** in the self-hosted gateways: - Azure Monitor logs - Upstream (backend side) TLS version and cipher management - Validation of server and client certificates using [CA root certificates](api-management-howto-ca-certificates.md) uploaded to API Management service. You can configure [custom certificate authorities](api-management-howto-ca-certificates.md#create-custom-ca-for-self-hosted-gateway) for your self-hosted gateways and [client certificate validation](api-management-access-restriction-policies.md#validate-client-certificate) policies to enforce them.-- Integration with the [Service Fabric](../service-fabric/service-fabric-api-management-overview.md)
+- Integration with [Service Fabric](../service-fabric/service-fabric-api-management-overview.md)
- TLS session resumption-- Client certificate renegotiation. This means that for [client certificate authentication](api-management-howto-mutual-certificates-for-clients.md) to work API consumers must present their certificates as part of the initial TLS handshake. To ensure that, enable the negotiate client certificate setting when configuring a self-hosted gateway custom hostname.-- Built-in cache. See this [document](api-management-howto-cache-external.md) to learn about using external cache in self-hosted gateways.
+- Client certificate renegotiation. This means that for [client certificate authentication](api-management-howto-mutual-certificates-for-clients.md) to work, API consumers must present their certificates as part of the initial TLS handshake. To ensure this behavior, enable the Negotiate Client Certificate setting when configuring a self-hosted gateway custom hostname.
+- Built-in cache. Learn about using an [external Redis-compatible cache](api-management-howto-cache-external.md) in self-hosted gateways.
## Connectivity to Azure
-Self-hosted gateways require outbound TCP/IP connectivity to Azure on port 443. Each self-hosted gateway must be associated with a single API Management service and is configured via its management plane. Self-hosted gateway uses connectivity to Azure for:
+Self-hosted gateways require outbound TCP/IP connectivity to Azure on port 443. Each self-hosted gateway must be associated with a single API Management service and is configured via its management plane. A self-hosted gateway uses connectivity to Azure for:
- Reporting its status by sending heartbeat messages every minute - Regularly checking for (every 10 seconds) and applying configuration updates whenever they are available - Sending request logs and metrics to Azure Monitor, if configured to do so - Sending events to Application Insights, if set to do so
-When connectivity to Azure is lost, self-hosted gateway will be unable to receive configuration updates, report its status, or upload telemetry.
+### FQDN dependencies
-The self-hosted gateway is designed to "fail static" and can survive temporary loss of connectivity to Azure. It can be deployed with or without local configuration backup. In the former case, self-hosted gateways will regularly save a backup copy of the latest downloaded configuration on a persistent volume attached to its container or pod.
+To operate properly, each self-hosted gateway needs outbound connectivity on port 443 to the following endpoints associated with its cloud-based API Management instance:
+
+* The public IP address of the API Management instance in its primary location
+* The hostname of the instance's management endpoint: `<apim-service-name>.management.azure-api.net`
+* The hostname of the instance's associated blob storage account: `<blob-storage-account-name>.blob.core.windows.net`
+* The hostname of the instance's associated table storage account: `<table-storage-account-name>.table.core.windows.net`
+* Public IP addresses from the Storage [service tag](../virtual-network/service-tags-overview.md) corresponding to the primary location of the API Management instance
+
+> [!IMPORTANT]
+> * DNS hostnames must be resolvable to IP addresses and the corresponding IP addresses must be reachable.
+> * The associated storage account names are listed in the service's **Network connectivity status** page in the Azure portal.
+> * Public IP addresses underlying the associated storage accounts are dynamic and can change without notice.
+
+If integrated with your API Management instance, also enable outbound connectivity to the associated public IP addresses, ports, and hostnames for:
+
+* [Event Hubs](api-management-howto-log-event-hubs.md)
+* [Application Insights](api-management-howto-app-insights.md)
+* [External cache](api-management-howto-cache-external.md)
+
+### Connectivity failures
+
+When connectivity to Azure is lost, the self-hosted gateway is unable to receive configuration updates, report its status, or upload telemetry.
+
+The self-hosted gateway is designed to "fail static" and can survive temporary loss of connectivity to Azure. It can be deployed with or without local configuration backup. With configuration backup, self-hosted gateways regularly save a backup copy of the latest downloaded configuration on a persistent volume attached to their container or pod.
When configuration backup is turned off and connectivity to Azure is interrupted:
When connectivity is restored, each self-hosted gateway affected by the outage w
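Review bot: the sentence "If integrated with your API Management instance, also enable outbound connectivity to the associated public IP addresses, ports, and hostnames for:" is missing its subject; reword as "If any of the following services are integrated with your API Management instance, also enable outbound connectivity to their public IP addresses, ports, and hostnames:". In the FQDN dependencies list, the IMPORTANT box says the storage account IP addresses are dynamic and can change without notice while the list also offers the Storage service tag; draw the conclusion for the reader: egress rules should be expressed by hostname or by the service tag rather than by pinning the addresses resolved today, because once they rotate the gateway loses its path to configuration updates, status reporting, and telemetry, exactly the failure the Connectivity failures section describes. Separately, the unchanged bullet "Sending request logs and metrics to Azure Monitor, if configured to do so" reads as contradicting the earlier unchanged statement that Azure Monitor logs are not available in the self-hosted gateway; clarify which Azure Monitor data the gateway can actually send.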
## Next steps -- [Read a whitepaper for additional background on this topic](https://aka.ms/hybrid-and-multi-cloud-api-management)-- Review the guidance on [running the self-hosted gateway on Kubernetes in production](how-to-self-hosted-gateway-on-kubernetes-in-production.md).-- Learn [how to deploy API Management self-hosted gateway to Docker](how-to-deploy-self-hosted-gateway-docker.md)-- Learn [how to deploy API Management self-hosted gateway to Kubernetes with YAML](how-to-deploy-self-hosted-gateway-kubernetes.md)-- Learn [how to deploy API Management self-hosted gateway to Kubernetes with Helm](how-to-deploy-self-hosted-gateway-kubernetes-helm.md)-- Learn [how to deploy API Management self-hosted gateway to Azure Arc-enabled Kubernetes clusters](how-to-deploy-self-hosted-gateway-azure-arc.md)
+- Learn more about [API Management in a Hybrid and MultiCloud World](https://aka.ms/hybrid-and-multi-cloud-api-management)
+- [Deploy self-hosted gateway to Docker](how-to-deploy-self-hosted-gateway-docker.md)
+- [Deploy self-hosted gateway to Kubernetes](how-to-deploy-self-hosted-gateway-kubernetes.md)
+- [Deploy self-hosted gateway to Azure Arc-enabled Kubernetes cluster](how-to-deploy-self-hosted-gateway-azure-arc.md)
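Review bot: the rewritten Next steps list drops two links that the removed version had: the guidance on running the self-hosted gateway on Kubernetes in production (`how-to-self-hosted-gateway-on-kubernetes-in-production.md`) and the Helm deployment article (`how-to-deploy-self-hosted-gateway-kubernetes-helm.md`). The production guidance is the natural follow-up to the new Connectivity failures section, which talks about configuration backup on a persistent volume, so keep at least that link unless the target article was deliberately retired.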
app-service Configure Custom Container https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-custom-container.md
SSH enables secure communication between a container and a client. In order for
``` #!/bin/sh
- if [ ! -f "/etc/ssh/ssh_host_rsa_key" ]; then
- # generate fresh rsa key
- ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
- fi
-
- if [ ! -f "/etc/ssh/ssh_host_dsa_key" ]; then
- # generate fresh dsa key
- ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
- fi
-
- if [ ! -f "/etc/ssh/ssh_host_ecdsa_key" ]; then
- # generate fresh ecdsa key
- ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t dsa
- fi
-
- if [ ! -f "/etc/ssh/ssh_host_ed25519_key" ]; then
- # generate fresh ecdsa key
- ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -N '' -t dsa
- fi
+ ssh-keygen -A
#prepare run dir
- if [ ! -d "/var/run/sshd" ]; then
+ if [ ! -d "/var/run/sshd" ]; then
mkdir -p /var/run/sshd fi ```
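Review bot: replacing the four guarded `ssh-keygen` calls with a single `ssh-keygen -A` is a correct fix, and the reason deserves a sentence in the surrounding text: the old script generated the ecdsa and ed25519 host keys with `-t dsa`, so `/etc/ssh/ssh_host_ecdsa_key` and `/etc/ssh/ssh_host_ed25519_key` held DSA keys instead of ECDSA and Ed25519 ones (and the ed25519 block carried a copy-pasted "generate fresh ecdsa key" comment), leaving the server without the modern host key types. `-A` keeps the old semantics of creating only the host keys that do not already exist, with an empty passphrase. Two caveats worth noting: on OpenSSH builds that still support DSA, `-A` also writes an `ssh_host_dsa_key`, which sshd has not offered by default since OpenSSH 7.0, so that file is dead weight rather than a problem; and because the keys are generated at container start, every freshly created container presents new host keys, which is the same behaviour as before this change. The `/var/run/sshd` block below is unchanged apart from indentation, which should be made consistent with the new `ssh-keygen -A` line.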
app-service How To Migrate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/environment/how-to-migrate.md
Once you get a status of "Ready", migration is done and you have an App Service
Get the details of your new environment by running the following command or by navigating to the [Azure portal](https://portal.azure.com). ```azurecli
-az appservice ase show --name $ASE_NAME --resource group $ASE_RG
+az appservice ase show --name $ASE_NAME --resource-group $ASE_RG
``` ## Next steps
app-service Using An Ase https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/environment/using-an-ase.md
The publishing endpoints for apps in an ILB ASE use the domain that the ILB ASE
An ASE has 1 TB of storage for all the apps in the ASE. An App Service plan in the Isolated pricing SKU has a limit of 250 GB. In an ASE, 250 GB of storage is added per App Service plan up to the 1 TB limit. You can have more App Service plans than just four, but there is no more storage added beyond the 1 TB limit.
+## Monitoring
+
+As a customer, you should monitor the App Service plans and the individual apps running and take appropriate actions. For App Service Environment v2, you should also pay attention to the metrics around the platform infrastructure. These metrics will give you insights into how the platform infrastructure and frontend servers are doing, and you can take action if they are heavily utilized and you are not getting maximum throughput.
+
+Through CLI you can configure the scale ratio of your frontend servers between 5 and 15 (default 15) App Service plan instances per frontend server. An App Service Environment will always have a minimum of two frontend servers. You can also increase the size of the frontend servers through CLI.
+
+You will see some metrics called Small/Medium/Large App Service Plan Workers and a sub-scope called multiRolePools/default. These are applicable to App Service Environment v1 only.
+ ## Logging You can integrate your ASE with Azure Monitor to send logs about the ASE to Azure Storage, Azure Event Hubs, or Log Analytics. These items are logged today:
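Review bot: "Through CLI you can configure the scale ratio of your frontend servers" and "You can also increase the size of the frontend servers through CLI" name no command; a Monitoring section that tells the customer to act on heavily utilized frontend servers should show the CLI parameter (or link to where the front-end scale factor and size are documented), otherwise the reader knows that a knob exists but not how to turn it. Also, "the individual apps running" reads as unfinished; "the individual apps running in them" completes it.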
app-service Using https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/environment/using.md
Every App Service app runs in an App Service plan. App Service Environments hold
When you scale an App Service plan, the needed infrastructure is added automatically. Be aware that there's a time delay to scale operations while the infrastructure is being added. For example, when you scale an App Service plan, and you have another scale operation of the same operating system and size running, there might be a delay of a few minutes until the requested scale starts.
-A scale operation on one size and operating system won't affect scaling of the other combinations of size and operating system. For example, if you are scaling a Windows I2v2 App Service plan, a scale operation to a Windows I3v2 App Service plan starts immediately. Scaling normally takes less than 20 minutes.
+A scale operation on one size and operating system won't affect scaling of the other combinations of size and operating system. For example, if you are scaling a Windows I2v2 App Service plan, a scale operation to a Windows I3v2 App Service plan starts immediately. Scaling normally takes less than 15 minutes.
In a multi-tenant App Service, scaling is immediate, because a pool of shared resources is readily available to support it. App Service Environment is a single-tenant service, so there's no shared buffer, and resources are allocated based on need.
Without additional changes, internet-based CI systems like GitHub and Azure DevO
You have 1 TB of storage for all the apps in your App Service Environment. An App Service plan in the isolated pricing SKU has a limit of 250 GB. In an App Service Environment, 250 GB of storage is added per App Service plan, up to the 1 TB limit. You can have more App Service plans than just four, but there is no additional storage beyond the 1 TB limit.
+## Monitoring
+
+The platform infrastructure in App Service Environment v3 is being monitored and managed by Microsoft, and is scaled as needed. As a customer, you should only monitor the App Service plans and the individual apps running and take appropriate actions. You will see some metrics visible for your App Service Environment, but these are used for older version only and will not omit any values for this version. If you are using v1 or v2 of App Service Environment, refer to [this section](.\using-an-ase.md#monitoring) for guidance on monitoring and scaling.
+ ## Logging You can integrate with Azure Monitor to send logs to Azure Storage, Azure Event Hubs, or Azure Monitor Logs. The following table shows the situations and messages you can log:
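Review bot: in the new Monitoring paragraph, "will not omit any values for this version" should read "will not emit any values for this version", and "used for older version only" should be "used for older versions only"; as written the sentence says the opposite of what is meant. The scaling sentence above changes "less than 20 minutes" to "less than 15 minutes"; make sure the same figure is updated wherever else the App Service Environment v3 scaling time is quoted, so that the two numbers do not drift apart.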
app-service Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure App Service description: Lists Azure Policy Regulatory Compliance controls available for Azure App Service. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
application-gateway Key Vault Certs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/key-vault-certs.md
Add-AzApplicationGatewaySslCertificate -KeyVaultSecretId $secretId -ApplicationG
Set-AzApplicationGateway -ApplicationGateway $appgw ```
-Once the commands have been executed, you can navigate to your Application Gateway in the Azure portal and select the Listeners tab. Click Add Lister (or select an existing) and specify the Protocol to HTTPS.
+Once the commands have been executed, you can navigate to your Application Gateway in the Azure portal and select the Listeners tab. Click Add Listener (or select an existing) and specify the Protocol to HTTPS.
Under *Choose a certificate* select the certificate named in the previous steps. Once selected, select *Add* (if creating) or *Save* (if editing) to apply the referenced Key Vault certificate to the listener.
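Review bot: the fix from "Add Lister" to "Add Listener" is right, but the rest of the sentence is still awkward: "Click Add Listener (or select an existing) and specify the Protocol to HTTPS" should read "Click Add Listener (or select an existing listener) and set the Protocol to HTTPS". The following unchanged sentence can be tightened in the same pass: "Under *Choose a certificate*, select the certificate named in the previous steps, then select *Add* (if creating) or *Save* (if editing) to apply the referenced Key Vault certificate to the listener."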
applied-ai-services Concept Custom https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/applied-ai-services/form-recognizer/concept-custom.md
The following resources are supported by Form Recognizer v3.0:
| Feature | Resources | |-|-|
-|Custom model| <ul><li>[Form Recognizer Studio](https://fott-2-1.azurewebsites.net)</li><li>[REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-1/operations/AnalyzeDocument)</li><li>[C# SDK](quickstarts/try-v3-csharp-sdk.md)</li><li>[Python SDK](quickstarts/try-v3-python-sdk.md)</li></ul>|
+|Custom model| <ul><li>[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio/customform/projects)</li><li>[REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-1/operations/AnalyzeDocument)</li><li>[C# SDK](quickstarts/try-v3-csharp-sdk.md)</li><li>[Python SDK](quickstarts/try-v3-python-sdk.md)</li></ul>|
### Try Form Recognizer
automation Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Automation description: Lists Azure Policy Regulatory Compliance controls available for Azure Automation. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
azure-app-configuration Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure App Configuration description: Lists Azure Policy Regulatory Compliance controls available for Azure App Configuration. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
azure-arc Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/resource-graph-samples.md
Title: Azure Resource Graph sample queries for Azure Arc-enabled Kubernetes description: Sample Azure Resource Graph queries for Azure Arc-enabled Kubernetes showing use of resource types and tables to access Azure Arc-enabled Kubernetes related resources and properties. Previously updated : 12/20/2021 Last updated : 01/20/2022
azure-arc Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/resource-graph-samples.md
Title: Azure Resource Graph sample queries for Azure Arc description: Sample Azure Resource Graph queries for Azure Arc showing use of resource types and tables to access Azure Arc related resources and properties. Previously updated : 12/20/2021 Last updated : 01/20/2022
azure-arc Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/resource-graph-samples.md
Title: Azure Resource Graph sample queries for Azure Arc-enabled servers description: Sample Azure Resource Graph queries for Azure Arc-enabled servers showing use of resource types and tables to access Azure Arc-enabled servers related resources and properties. Previously updated : 12/20/2021 Last updated : 01/20/2022
azure-arc Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Arc-enabled servers (preview) description: Lists Azure Policy Regulatory Compliance controls available for Azure Arc-enabled servers (preview). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
azure-cache-for-redis Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Cache for Redis description: Lists Azure Policy Regulatory Compliance controls available for Azure Cache for Redis. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
azure-functions Functions Bindings Storage Blob Output https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-storage-blob-output.md
The following table explains the binding configuration properties that you set i
|**name** | n/a | The name of the variable that represents the blob in function code. Set to `$return` to reference the function return value.| |**path** |**BlobPath** | The path to the blob container. | |**connection** |**Connection**| The name of an app setting or setting collection that specifies how to connect to Azure Blobs. See [Connections](#connections).|
-|n/a | **Access** | Indicates whether you will be reading or writing. |
+|**Access** | n/a | Indicates whether you will be reading or writing. |
[!INCLUDE [app settings to local.settings.json](../../includes/functions-app-settings-local.md)]
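Review bot: in the swapped row, the first-column entry `**Access**` is capitalised while every other function.json property name in this table (`name`, `path`, `connection`) is lowercase; if the intent is that `access` is a function.json property with no attribute equivalent, write it as `**access**`, and check that reading against the column order shown by the `**path** | **BlobPath**` row, because the edit reverses which column the setting belongs to without changing its description.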
azure-functions Functions Reference Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-reference-python.md
CORS is fully supported for Python function apps.
## <a name="shared-memory"></a>Shared memory (preview)
-Functions lets your Python worker use shared memory to improve throughput. When your function app is hitting bottlenecks, you can enable shared memory by adding an application setting named [FUNCTIONS_WORKER_SHARED_MEMORY_DATA_TRANSFER_ENABLED](functions-app-settings.md#functions_worker_shared_memory_data_transfer_enabled) with a value of `1`. With shared memory enabled, you can then use the [DOCKER_SHM_SIZE](functions-app-settings.md#docker_shm_size) setting to set the shared memory to something like `268435456`, which is equivalent to 256 MB.
+To improve throughput, Functions lets your out-of-process Python language worker share memory with the Functions host process. When your function app is hitting bottlenecks, you can enable shared memory by adding an application setting named [FUNCTIONS_WORKER_SHARED_MEMORY_DATA_TRANSFER_ENABLED](functions-app-settings.md#functions_worker_shared_memory_data_transfer_enabled) with a value of `1`. With shared memory enabled, you can then use the [DOCKER_SHM_SIZE](functions-app-settings.md#docker_shm_size) setting to set the shared memory to something like `268435456`, which is equivalent to 256 MB.
-This functionality is available only for function apps running in Premium and Dedicated (App Service) plans.
+For example, you might enable shared memory to reduce bottlenecks when using Blob storage bindings to transfer payloads larger than 1 MB.
+
+This functionality is available only for function apps running in Premium and Dedicated (App Service) plans. To learn more, see [Shared memory](https://github.com/Azure/azure-functions-python-worker/wiki/Shared-Memory).
## Known issues and FAQ
azure-monitor Azure Monitor Agent Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/azure-monitor-agent-overview.md
In addition to consolidating this functionality into a single agent, the Azure M
When compared with the existing agents, this new agent doesn't yet have full parity. - **Comparison with Log Analytics agents (MMA/OMS):** - Not all Log Analytics solutions are supported today. [View supported features and services](#supported-services-and-features).
- - No support for Azure Private Links.
- No support for collecting file based logs or IIS logs. - **Comparison with Azure Diagnostics extensions (WAD/LAD):**
The following table shows the current support for the Azure Monitor agent with A
| Azure Monitor feature | Current support | More information | |:|:|:| | [VM insights](../vm/vminsights-overview.md) | Private preview | [Sign-up link](https://aka.ms/amadcr-privatepreviews) |
-| [Connect using private links or AMPLS](../logs/private-link-security.md) | Private preview for AMA | [Sign-up link](https://aka.ms/amadcr-privatepreviews) |
+| [Connect using private links](data-collection-endpoint-overview.md#enable-network-isolation-for-the-azure-monitor-agent) | Public preview | No sign-up needed |
| [VM insights guest health](../vm/vminsights-health-overview.md) | Public preview | Available only on the new agent | | [SQL insights](../insights/sql-insights-overview.md) | Public preview | Available only on the new agent |
The Azure Monitor agent sends data to Azure Monitor Metrics (preview) or a Log A
The Azure Monitor agent doesn't require any keys but instead requires a [system-assigned managed identity](../../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#system-assigned-managed-identity). You must have a system-assigned managed identity enabled on each virtual machine before you deploy the agent. ## Networking
-The Azure Monitor agent supports Azure service tags. Both AzureMonitor and AzureResourceManager tags are required. The Azure Monitor agent doesn't yet work with Azure Monitor Private Link Scopes. If the machine connects through a proxy server to communicate over the internet, review the following requirements to understand the network configuration required.
+The Azure Monitor agent supports Azure service tags (both AzureMonitor and AzureResourceManager tags are required). It supports connecting via private links and direct proxies as described below.
### Proxy configuration
+If the machine connects through a proxy server to communicate over the internet, review requirements below to understand the network configuration required.
The Azure Monitor agent extensions for Windows and Linux can communicate either through a proxy server or a Log Analytics gateway to Azure Monitor by using the HTTPS protocol. Use it for Azure virtual machines, Azure virtual machine scale sets, and Azure Arc for servers. Use the extensions settings for configuration as described in the following steps. Both anonymous and basic authentication by using a username and password are supported.
New-AzConnectedMachineExtension -Name AzureMonitorLinuxAgent -ExtensionType Azur
+## Private link configuration
+To configure the agent to use private links for network communications with Azure Monitor, you can use [Azure Monitor Private Links Scopes (AMPLS)](../logs/private-link-security.md) and [data collection endpoints](./data-collection-endpoint-overview.md) to enable required network isolation. [View steps to configure network isolation for the agent](./data-collection-endpoint-overview.md#enable-network-isolation-for-the-azure-monitor-agent)
+ ## Next steps - [Install the Azure Monitor agent](azure-monitor-agent-install.md) on Windows and Linux virtual machines.-- [Create a data collection rule](data-collection-rule-azure-monitor-agent.md) to collect data from the agent and send it to Azure Monitor.
+- [Create a data collection rule](data-collection-rule-azure-monitor-agent.md) to collect data from the agent and send it to Azure Monitor.
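Review bot: the new `## Private link configuration` heading is level 2, but the rewritten Networking paragraph introduces it ("It supports connecting via private links and direct proxies as described below") and it sits next to `### Proxy configuration`, so it should be `### Private link configuration` to remain inside the Networking section; as written it renders as a new top-level section after the PowerShell example. While touching it, the sentence moved under Proxy configuration ("If the machine connects through a proxy server...") should end with "the requirements below" rather than "requirements below".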
azure-monitor Data Collection Endpoint Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/data-collection-endpoint-overview.md
+
+ Title: Data collection endpoints in Azure Monitor (preview)
+description: Overview of data collection endpoints (DCEs) in Azure Monitor including their contents and structure and how you can create and work with them.
+++ Last updated : 1/5/2022++++
+# Data collection endpoints in Azure Monitor (preview)
+Data Collection Endpoints (DCEs) allow you to uniquely configure ingestion settings for your machines, giving you greater control over your networking requirements. This article provides an overview of data collection endpoints including their contents and structure and how you can create and work with them.
+
+## Components of a data collection endpoint
+A data collection endpoint includes the following components.
+
+| Component | Description |
+|:|:|
+| Configuration access endpoint | The endpoint used to access the configuration service to fetch associated data collection rules (DCR). Example: `<unique-dce-identifier>.<regionname>.handler.control` |
+| Logs ingestion endpoint | The endpoint used to ingest logs to Log Analytics workspace(s). Example: `<unique-dce-identifier>.<regionname>.ingest` |
+| Network Access Control Lists (ACLs) | Network access control rules for the endpoints
++
+## Regionality
+Data collection endpoints are ARM resources created within specific regions. An endpoint in a given region can only be **associated with machines in the same region**, although you can have more than one endpoint within the same region as per your needs.
+
+## Limitations
+Data collection endpoints only support Log Analytics as a destination for collected data. [Custom Metrics (preview)](../essentials/metrics-custom-overview.md) collected and uploaded via the Azure Monitor Agent are not controlled by Data Collection endpoints nor can they be configured over private links.
+
+## Create endpoint and association in Azure portal
+You can use the Azure portal to create a data collection endpoint and associate virtual machines in your subscription to that rule.
+
+> [!NOTE]
+> The data collection endpoint should be created in the **same region** where your virtual machines exist.
+
+In the **Azure Monitor** menu in the Azure portal, select **Data Collection Endpoint** from the **Settings** section. Click **Create** to create a new Data Collection Rule and assignment.
+
+[![Data Collection Endpoints](media/data-collection-endpoint-overview/data-collection-endpoint-overview.png)](media/data-collection-endpoint-overview/data-collection-endpoint-overview.png#lightbox)
+
+Click **Create** to create a new endpoint. Provide a **Rule name** and specify a **Subscription**, **Resource Group** and **Region**. This specifies where the DCE will be created.
+
+[![Data Collection Rule Basics](media/data-collection-endpoint-overview/data-collection-endpoint-basics.png)](media/data-collection-endpoint-overview/data-collection-endpoint-basics.png#lightbox)
+
+Click **Review + create** to review the details of the data collection endpoint. Click **Create** to create it.
+
+Next, you can use 'Data collection rules' in the portal to associate endpoints with a resource (e.g. a virtual machine) or a set of resources.
+Create a new rule or open an existing rule. In the **Resources** tab, click on the **Data collection endpoint** drop-down to associate an existing endpoint for your resource in the same region (or select multiple resources in the same region to bulk-assign an endpoint for them). Doing this creates an association per resource which links the endpoint to the resource. The Azure Monitor agent running on these resources will now start using the endpoint instead for uploading data to Azure Monitor.
+
+[![Data Collection Rule virtual machines](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-with-endpoint.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-with-endpoint.png#lightbox)
+
+## Create endpoint and association using REST API
+
+> [!NOTE]
+> The data collection endpoint should be created in the **same region** where your virtual machines exist.
+
+1. Create data collection endpoint(s) using these [DCE REST APIs](/rest/api/monitor/datacollectionendpoints).
+2. Create association(s) to link the endpoint(s) to your target machines or resources, using these [DCRA REST APIs](/rest/api/monitor/datacollectionruleassociations/create#examples).
++
+## Sample data collection endpoint
+The sample data collection endpoint below is for virtual machines with Azure Monitor agent, with public network access disabled so that agent only uses private links to communicate and send data to Azure Monitor/Log Analytics.
+
+```json
+{
+ "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionEndpoints/myCollectionEndpoint",
+ "name": "myCollectionEndpoint",
+ "type": "Microsoft.Insights/dataCollectionEndpoints",
+ "location": "eastus",
+ "tags": {
+ "tag1": "A",
+ "tag2": "B"
+ },
+ "properties": {
+ "configurationAccess": {
+ "endpoint": "https://mycollectionendpoint-abcd.eastus-1.control.monitor.azure.com"
+ },
+ "logsIngestion": {
+ "endpoint": "https://mycollectionendpoint-abcd.eastus-1.ingest.monitor.azure.com"
+ },
+ "networkAcls": {
+ "publicNetworkAccess": "Disabled"
+ }
+ },
+ "systemData": {
+ "createdBy": "user1",
+ "createdByType": "User",
+ "createdAt": "yyyy-mm-ddThh:mm:ss.sssssssZ",
+ "lastModifiedBy": "user2",
+ "lastModifiedByType": "User",
+ "lastModifiedAt": "yyyy-mm-ddThh:mm:ss.sssssssZ"
+ },
+ "etag": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+```
+
+## Enable network isolation for the Azure Monitor Agent
+You can use data collection endpoints to enable the Azure Monitor agent to communicate to the internet via private links. To do so, you must:
+1. Create data collection endpoint(s), at least one per region, as shown above
+2. Add the data collection endpoints to a new or existing [Azure Monitor Private Link Scopes (AMPLS)](../logs/private-link-configure.md#connect-azure-monitor-resources) resource. This adds the DCE endpoints to your private DNS zone (see [how to validate](../logs/private-link-configure.md#review-and-validate-your-private-link-setup)) and allows communication via private links. You can do this from either the AMPLS resource or from within an existing DCE resource's 'Network Isolation' tab.
+ > [!NOTE]
+ > Other Azure Monitor resources like the Log Analytics workspace(s) configured in your data collection rules that you wish to send data to, must be part of this same AMPLS resource.
+3. For your data collection endpoint(s), ensure **Accept access from public networks not connected through a Private Link Scope** option is set to **No** under the 'Network Isolation' tab of your endpoint resource in Azure portal, as shown below. This ensures that public internet access is disabled, and network communication only happen via private links.
+4. Associate the data collection endpoints to the target resources, using the data collection rules experience in Azure portal. This results in the agent using the configured the data collection endpoint(s) for network communications. See [Configure data collection for the Azure Monitor agent](../agents/data-collection-rule-azure-monitor-agent.md).
+
+ ![Data collection endpoint network isolation](media/data-collection-endpoint-overview/data-collection-endpoint-network-isolation.png)
+
+## Next steps
+- [Associate endpoint to machines](data-collection-rule-azure-monitor-agent.md#create-rule-and-association-in-azure-portal)
+- [Add endpoint to AMPLS resource](../logs/private-link-configure.md#connect-azure-monitor-resources)
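Review bot: the portal walkthrough in this new file still carries data collection rule wording copied from the DCR article: "associate virtual machines in your subscription to that rule", "Click **Create** to create a new Data Collection Rule and assignment", "Provide a **Rule name**" and the "Data Collection Rule Basics" image alt text all describe creating an endpoint, so they should say endpoint (and **Endpoint name**). Three smaller points in the same hunk: the component table's example formats (`<unique-dce-identifier>.<regionname>.handler.control` and `.ingest`) do not match the hostnames in the sample JSON (`...eastus-1.control.monitor.azure.com` and `...eastus-1.ingest.monitor.azure.com`), so one of the two should be aligned; the `Network Access Control Lists (ACLs)` row is missing its closing `|`; and in the network isolation steps "network communication only happen" should be "only happens" and "using the configured the data collection endpoint(s)" has a duplicated "the". Since step 3 is the step that actually disables public access, it would help REST API users to name the property it corresponds to, `networkAcls.publicNetworkAccess` set to `Disabled`, which the sample endpoint above already shows.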
azure-monitor Data Collection Rule Azure Monitor Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/agents/data-collection-rule-azure-monitor-agent.md
In the **Monitor** menu in the Azure portal, select **Data Collection Rules** fr
[![Data Collection Rules](media/data-collection-rule-azure-monitor-agent/data-collection-rules-updated.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rules-updated.png#lightbox)
-Click **Add** to create a new rule and set of associations. Provide a **Rule name** and specify a **Subscription**, **Resource Group** and **Region**. This specifies where the DCR will be created. The virtual machines and their associations can be in any subscription or resource group in the tenant.
+Click **Create** to create a new rule and set of associations. Provide a **Rule name** and specify a **Subscription**, **Resource Group** and **Region**. This specifies where the DCR will be created. The virtual machines and their associations can be in any subscription or resource group in the tenant.
Additionally, choose the appropriate **Platform Type** which specifies the type of resources this rule can apply to. Custom will allow for both Windows and Linux types. This allows for pre-curated creation experiences with options scoped to the selected platform type. [![Data Collection Rule Basics](media/data-collection-rule-azure-monitor-agent/data-collection-rule-basics-updated.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rule-basics-updated.png#lightbox) In the **Resources** tab, add the resources (virtual machines, virtual machine scale sets, Arc for servers) that should have the Data Collection Rule applied. The Azure Monitor Agent will be installed on resources that don't already have it installed, and will enable Azure Managed Identity as well.
-[![Data Collection Rule virtual machines](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-updated.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-updated.png#lightbox)
+### Private link configuration using data collection endpoints (preview)
+If you need network isolation using private links for collecting data using agents from your resources, simply select existing endpoints (or create a new endpoint) from the same region for the respective resource(s) as shown below. See [how to create data collection endpoint](./data-collection-endpoint-overview.md).
+
+[![Data Collection Rule virtual machines](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-with-endpoint.png)](media/data-collection-rule-azure-monitor-agent/data-collection-rule-virtual-machines-with-endpoint.png#lightbox)
On the **Collect and deliver** tab, click **Add data source** to add a data source and destination set. Select a **Data source type**, and the corresponding details to select will be displayed. For performance counters, you can select from a predefined set of objects and their sampling rate. For events, you can select from a set of logs or facilities and the severity level.
azure-monitor App Insights Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/app-insights-overview.md
Title: What is Azure Application Insights? | Microsoft Docs
-description: Application Performance Management and usage tracking of your live web application. Detect, triage and diagnose problems, understand how people use your app.
+ Title: Application Insights overview
+description: Learn how Application Insights in Azure Monitor provides performance management and usage tracking of your live web application.
++ Previously updated : 06/03/2019- Last updated : 01/10/2022
-# What is Application Insights?
-Application Insights, a feature of [Azure Monitor](../overview.md), is an extensible Application Performance Management (APM) service for developers and DevOps professionals. Use it to monitor your live applications. It will automatically detect performance anomalies, and includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your app. It's designed to help you continuously improve performance and usability. It works for apps on a wide variety of platforms including .NET, Node.js, Java, and Python hosted on-premises, hybrid, or any public cloud. It integrates with your DevOps process, and has connection points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by integrating with Visual Studio App Center.
+# Application Insights overview
+
+Application Insights is a feature of [Azure Monitor](../overview.md) that provides extensible application performance management (APM) and monitoring for live web apps. Developers and DevOps professionals can use Application Insights to:
+
+- Automatically detect performance anomalies.
+- Help diagnose issues by using powerful analytics tools.
+- See what users actually do with apps.
+- Help continuously improve app performance and usability.
+
+Application Insights:
+
+- Supports a wide variety of platforms, including .NET, Node.js, Java, and Python.
+- Works for apps hosted on-premises, hybrid, or on any public cloud.
+- Integrates with DevOps processes.
+- Has connection points to many development tools.
+- Can monitor and analyze telemetry from mobile apps by integrating with Visual Studio [App Center](https://appcenter.ms/).
+
+<a name="how-does-application-insights-work"></a>
+## How Application Insights works
+
+To use Application Insights, you either install a small instrumentation package (SDK) in your app, or enable Application Insights by using the Application Insights agent. For languages and platforms that support the Application Insights agent, see [Supported languages](./platforms.md).
+
+You can instrument the web app, any background components, and the JavaScript in the web pages themselves. The app and its components don't have to be hosted in Azure.
+
+The instrumentation monitors your app and directs the telemetry data to an Application Insights resource by using a unique instrumentation key. The impact on your app's performance is small. Tracking calls are non-blocking, and are batched and sent in a separate thread.
+
+You can pull in telemetry like performance counters, Azure diagnostics, or Docker logs from host environments. You can also set up web tests that periodically send synthetic requests to your web service. All these telemetry streams are integrated into Azure Monitor. In the Azure portal, you can apply powerful analytics and search tools to the raw data.
+
+The following diagram shows how Application Insights instrumentation in an app sends telemetry to an Application Insights resource.
+
+![Diagram that shows Application Insights instrumentation in an app sending telemetry to an Application Insights resource.](./media/app-insights-overview/diagram.png)
+
+## What Application Insights monitors
+
+Application Insights helps development teams understand app performance and usage. Application Insights monitors:
+
+- Request rates, response times, and failure rates
+
+ Find out which pages are most popular, at what times of day, and where users are. See which pages perform best. If response times and failure rates are high when there are more requests, there might be a resourcing problem.
+
+- Dependency rates, response times, and failure rates, to show whether external services are slowing down performance
+
+- Exceptions
+
+ Analyze the aggregated statistics, or pick specific instances and drill into the stack trace and related requests. Application Insights reports both server and browser exceptions.
+
+- Page views and load performance reported by users' browsers
+
+- AJAX calls from web pages, including rates, response times, and failure rates
+
+- User and session counts
+
+- Performance counters from Windows or Linux server machines, such as CPU, memory, and network usage
+
+- Host diagnostics from Docker or Azure
+
+- Diagnostic trace logs from apps, so you can correlate trace events with requests
+
+- Custom events and metrics in client or server code that track business events, like items sold
+
+<a name="where-do-i-see-my-telemetry"></a>
+## Where to see Application Insights data
+
+There are many ways to explore Application Insights telemetry. For more information, see the following articles:
+
+- [Smart detection in Application Insights](./proactive-diagnostics.md)
+
+ Set up automatic alerts that adapt to your app's normal telemetry patterns and trigger when something is outside the usual pattern. You can also set alerts on specified levels of custom or standard metrics. For more information, see [Create, view, and manage log alerts using Azure Monitor](../alerts/alerts-log.md).
+
+- [Application Map: Triage distributed applications](./app-map.md)
-## How does Application Insights work?
-You install a small instrumentation package (SDK) in your application or enable Application Insights using the Application Insights Agent when [supported](./platforms.md). The instrumentation monitors your app and directs the telemetry data to an Azure Application Insights Resource using a unique GUID that we refer to as an Instrumentation Key.
+ Explore the components of your app, with key metrics and alerts.
-You can instrument not only the web service application, but also any background components, and the JavaScript in the web pages themselves. The application and its components can run anywhere - it doesn't have to be hosted in Azure.
+- [Profile live Azure App Service apps with Application Insights](./profiler.md)
-![Application Insights instrumentation in your app sends telemetry to your Application Insights resource.](./media/app-insights-overview/diagram.png)
+ Inspect the execution profiles of sampled requests.
-In addition, you can pull in telemetry from the host environments such as performance counters, Azure diagnostics, or Docker logs. You can also set up web tests that periodically send synthetic requests to your web service.
+- [Usage analysis with Application Insights](./usage-overview.md)
-All these telemetry streams are integrated into Azure Monitor. In the Azure portal, you can apply powerful analytic and search tools to the raw data.
+ Analyze user segmentation and retention.
-### What's the performance overhead?
-The impact on your app's performance is small. Tracking calls are non-blocking, and are batched and sent in a separate thread.
+- [Use Search in Application Insights](./diagnostic-search.md)
-## What does Application Insights monitor?
+ Apply transaction search for instance data. Search and filter events such as requests, exceptions, dependency calls, log traces, and page views.
-Application Insights is aimed at the development team, to help you understand how your app is performing and how it's being used. It monitors:
+- [Advanced features of the Azure metrics explorer](../essentials/metrics-charts.md)
-* **Request rates, response times, and failure rates** - Find out which pages are most popular, at what times of day, and where your users are. See which pages perform best. If your response times and failure rates go high when there are more requests, then perhaps you have a resourcing problem.
-* **Dependency rates, response times, and failure rates** - Find out whether external services are slowing you down.
-* **Exceptions** - Analyze the aggregated statistics, or pick specific instances and drill into the stack trace and related requests. Both server and browser exceptions are reported.
-* **Page views and load performance** - reported by your users' browsers.
-* **AJAX calls** from web pages - rates, response times, and failure rates.
-* **User and session counts**.
-* **Performance counters** from your Windows or Linux server machines, such as CPU, memory, and network usage.
-* **Host diagnostics** from Docker or Azure.
-* **Diagnostic trace logs** from your app - so that you can correlate trace events with requests.
-* **Custom events and metrics** that you write yourself in the client or server code, to track business events such as items sold or games won.
+ Explore, filter, and segment aggregated data such as request, failure, and exception rates, response times, and page load times.
-## Where do I see my telemetry?
+- [Application Insights overview dashboard](./overview-dashboard.md)
-There are plenty of ways to explore your data. Check out these articles:
+ Combine data from multiple resources and share with others. Use the dashboard for multi-component apps and for continuous display in the team room.
-| Article description | Image |
-| | |
-| [**Smart detection and manual alerts**](./proactive-diagnostics.md)<br/>Set up automatic alerts that adapt to your app's normal patterns of telemetry and trigger when there's something outside the usual pattern. You can also [set alerts](../alerts/alerts-log.md) on particular levels of custom or standard metrics. |![Alert sample](./media/app-insights-overview/alerts-tn.png) |
-| [**Application map**](./app-map.md)<br/>Explore the components of your app, with key metrics and alerts. |![Application map](./media/app-insights-overview/appmap-tn.png) |
-| [**Profiler**](./profiler.md)<br/>Inspect the execution profiles of sampled requests. |![Screen capture shows execution profiles of sampled requests.](./media/app-insights-overview/profiler.png) |
-| [**Usage analysis**](./usage-overview.md)<br/>Analyze user segmentation and retention.|![Retention tool](./media/app-insights-overview/retention.png) |
-| [**Transaction search for instance data**](./diagnostic-search.md)<br/>Search and filter events such as requests, exceptions, dependency calls, log traces, and page views. |![Search telemetry](./media/app-insights-overview/search-tn.png) |
-| [**Metrics Explorer for aggregated data**](../essentials/metrics-charts.md)<br/>Explore, filter, and segment aggregated data such as rates of requests, failures, and exceptions; response times, page load times. |![Metrics](./media/app-insights-overview/metrics-tn.png) |
-| [**Dashboards**](./overview-dashboard.md)<br/>Mash up data from multiple resources and share with others. Great for multi-component applications, and for continuous display in the team room. |![Dashboards sample](./media/app-insights-overview/dashboard-tn.png) |
-| [**Live Metrics Stream**](./live-stream.md)<br/>When you deploy a new build, watch these near-real-time performance indicators to make sure everything works as expected. |![Live metrics sample](./media/app-insights-overview/live-metrics-tn.png) |
-| [**Analytics**](../logs/log-query-overview.md)<br/>Answer tough questions about your app's performance and usage by using this powerful query language. |![Analytics sample](./media/app-insights-overview/analytics-tn.png) |
-| [**Visual Studio**](./visual-studio.md)<br/>See performance data in the code. Go to code from stack traces.|![Screenshot shows Exception Details in Visual Studio and an example of going to code from stack traces.](./media/app-insights-overview/visual-studio-tn.png) |
-| [**Snapshot debugger**](./snapshot-debugger.md)<br/>Debug snapshots sampled from live operations, with parameter values.|![Visual studio](./media/app-insights-overview/snapshot.png) |
-| [**Power BI**](./export-power-bi.md)<br/>Integrate usage metrics with other business intelligence.| ![Power BI](./media/app-insights-overview/power-bi.png)|
-| [**REST API**](https://dev.applicationinsights.io/)<br/>Write code to run queries over your metrics and raw data.| ![REST API](./media/app-insights-overview/rest-tn.png) |
-| [**Continuous export**](./export-telemetry.md)<br/>Bulk export of raw data to storage as soon as it arrives. |![Export](./media/app-insights-overview/export-tn.png) |
+- [Live Metrics Stream: Monitor and diagnose with one-second latency](./live-stream.md)
-## How do I use Application Insights?
+ When you deploy a new build, watch these near-realtime performance indicators to make sure everything works as expected.
+
+- [Log queries in Azure Monitor](../logs/log-query-overview.md)
+
+ Ask questions about your app's performance and usage by using the powerful Kusto query language (KQL).
+
+- [Debug your applications with Application Insights in Visual Studio](./visual-studio.md)
+
+ See performance data in the code, and go to code from stack traces.
+
+- [Debug snapshots on exceptions in .NET apps](./snapshot-debugger.md)
+
+ Use the Snapshot Debugger to debug snapshots sampled from live operations, with parameter values.
+
+- [Feed Power BI from Application Insights](./export-power-bi.md)
+
+ Integrate usage metrics with other business intelligence.
+
+- [Use the Application Insights REST API to build custom solutions](https://dev.applicationinsights.io/)
+
+ Write code to run queries over your metrics and raw data.
+
+- [Export telemetry from Application Insights](./export-telemetry.md)
+
+ Use continuous export to bulk export raw data to storage as soon as it arrives.
+
+## How to use Application Insights
+
+There are several ways to get started with Application Insights. Begin with whatever works best for you, and you can add others later.
+
+### Prerequisites
+
+- You need an Azure account. Application Insights is hosted in Azure, and sends its telemetry to Azure for analysis and presentation. If you don't have an Azure subscription, you can [sign up for free](https://azure.microsoft.com/free). If your organization already has an Azure subscription, an administrator can [add you to it](/azure/active-directory/fundamentals/add-users-azure-active-directory).
+
+- The basic [Application Insights pricing plan](https://azure.microsoft.com/pricing/details/application-insights/) has no charge until your app has substantial usage.
+
+### Get started
+
+To use Application Insights at run time, you can instrument your web app on the server. This approach is ideal for apps that are already deployed, because it avoids any updates to the app code.
+
+See the following articles for details and instructions:
+
+- [Application monitoring for Azure App Service overview](./azure-web-apps.md)
+- [Deploy the Azure Monitor Application Insights Agent on Azure virtual machines and Azure virtual machine scale sets](./azure-vm-vmss-apps.md)
+- [Deploy Azure Monitor Application Insights Agent for on-premises servers](./status-monitor-v2-overview.md)
+- [Azure Monitor OpenTelemetry-based auto-instrumentation for Java applications](java-in-process-agent.md)
+
+You can also add Application Insights to your app code at development time. This approach lets you customize and add to telemetry collection.
+
+See the following articles for details and instructions:
+
+- [Configure Application Insights for your ASP.NET website](./asp-net.md)
+- [Application Insights for ASP.NET Core applications](./asp-net-core.md)
+- [Application Insights for .NET console applications](./console.md)
+- [Application Insights for web pages](./javascript.md)
+- [Monitor your Node.js services and apps with Application Insights](./nodejs.md)
+- [Set up Azure Monitor for your Python application](./opencensus-python.md)
+
+For all supported languages, platforms, and frameworks, see [Supported languages](./platforms.md).
### Monitor
-Install Application Insights in your app, set up [availability web tests](./monitor-web-app-availability.md), and:
-* Check out the default [application dashboard](./overview-dashboard.md) for your team room to keep an eye on load, responsiveness, and the performance of your dependencies, page loads, and AJAX calls.
-* Discover which are the slowest and most failing requests.
-* Watch [Live Stream](./live-stream.md) when you deploy a new release, to know immediately about any degradation.
+After you set up Application Insights, monitor your app.
-### Detect, Diagnose
-When you receive an alert or discover a problem:
+- Set up [availability web tests](./monitor-web-app-availability.md).
+- Use the default [application dashboard](./overview-dashboard.md) for your team room, to track load, responsiveness, and performance. Monitor your dependencies, page loads, and AJAX calls.
+- Discover which requests are the slowest and fail most often.
+- Watch [Live Stream](./live-stream.md) when you deploy a new release, to know immediately about any degradation.
-* Assess how many users are affected.
-* Correlate failures with exceptions, dependency calls, and traces.
-* Examine profiler, snapshots, stack dumps, and trace logs.
-
-### Build, Measure, Learn
-[Measure the effectiveness](./usage-overview.md) of each new feature that you deploy.
-
-* Plan to measure how customers use new UX or business features.
-* Write custom telemetry into your code.
-* Base the next development cycle on hard evidence from your telemetry.
-
-## Get started
-Application Insights is one of the many services hosted within Microsoft Azure, and telemetry is sent there for analysis and presentation. So before you do anything else, you'll need a subscription to [Microsoft Azure](https://azure.com). It's free to sign up, and if you choose the basic [pricing plan](https://azure.microsoft.com/pricing/details/application-insights/) of Application Insights, there's no charge until your application has grown to have substantial usage. If your organization already has a subscription, they could add your Microsoft account to it.
-
-There are several ways to get started. Begin with whichever works best for you. You can add the others later.
-
-* **At run time: instrument your web app on the server.** Ideal for applications already deployed. Avoids any update to the code.
- * [**ASP.NET or ASP.NET Core applications hosted on Azure Web Apps**](./azure-web-apps.md)
- * [**ASP.NET applications hosted in IIS on Azure VM or Azure virtual machine scale set**](./azure-vm-vmss-apps.md)
- * [**ASP.NET applications hosted in IIS on-premises server**](./status-monitor-v2-overview.md)
- * [**Java applications**](java-in-process-agent.md)
-* **At development time: add Application Insights to your code.** Allows you to customize telemetry collection and send additional telemetry.
- * [ASP.NET Applications](./asp-net.md)
- * [ASP.NET Core Applications](./asp-net-core.md)
- * [.NET Console Applications](./console.md)
- * [Java](./java-in-process-agent.md)
- * [Node.js](./nodejs.md)
- * [Python](./opencensus-python.md)
- * [Other platforms](./platforms.md)
-* **[Instrument your web pages](./javascript.md)** for page view, AJAX, and other client-side telemetry.
-* **[Analyze mobile app usage](../app/mobile-center-quickstart.md)** by integrating with Visual Studio App Center.
-* **[Availability tests](./monitor-web-app-availability.md)** - ping your website regularly from our servers.
+### Detect and diagnose
-## Next steps
-Get started at runtime with:
+When you receive an alert or discover a problem:
+
+- Assess how many users are affected.
+- Correlate failures with exceptions, dependency calls, and traces.
+- Examine profiler, snapshots, stack dumps, and trace logs.
-* [Azure VM and Azure virtual machine scale set IIS-hosted apps](./azure-vm-vmss-apps.md)
-* [IIS server](./status-monitor-v2-overview.md)
-* [Azure Web Apps](./azure-web-apps.md)
+### Measure, learn, and build
-Get started at development time with:
+- Plan to measure how customers use new user experience or business features.
+- Write custom telemetry into your code.
+- [Measure the effectiveness](./usage-overview.md) of each new feature that you deploy.
+- Base the next development cycle on evidence from your telemetry.
-* [ASP.NET](./asp-net.md)
-* [ASP.NET Core](./asp-net-core.md)
-* [Java](./java-in-process-agent.md)
-* [Node.js](./nodejs.md)
-* [Python](./opencensus-python.md)
-* [JavaScript](./javascript.md)
+## Next steps
+- [Instrument your web pages](./javascript.md) for page view, AJAX, and other client-side telemetry.
+- [Analyze mobile app usage](../app/mobile-center-quickstart.md) by integrating with Visual Studio App Center.
+- [Monitor availability with URL ping tests](./monitor-web-app-availability.md) to your website from Application Insights servers.
-## Support and feedback
+<!-- ## Support and feedback
* Questions and Issues: * [Troubleshooting][qna] * [Microsoft Q&A question page](/answers/topics/azure-monitor.html)
Get started at development time with:
* Your suggestions: * [UserVoice](https://feedback.azure.com/d365community/forum/8849e04d-1325-ec11-b6e6-000d3a4f09d0) * Blog:
- * [Application Insights blog](https://azure.microsoft.com/blog/tag/application-insights)
+ * [Application Insights blog](https://azure.microsoft.com/blog/tag/application-insights) -->
<!--Link references-->
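Review bot: in the new run-time instrumentation list, the Java entry links `java-in-process-agent.md` without the `./` prefix that every sibling entry uses (`./azure-web-apps.md`, `./azure-vm-vmss-apps.md`, `./status-monitor-v2-overview.md`); make it `./java-in-process-agent.md` so all four resolve the same way. Two smaller points in the same rewrite: the lead-in "See the following articles for details and instructions:" is repeated word for word before the run-time and the development-time lists, so vary the second one (for example "To instrument at development time, see:"); and wrapping the "Support and feedback" section in `<!-- ... -->` instead of deleting it leaves the `[qna]` reference-style link used on the "Questions and Issues" line pointing at a definition under `<!--Link references-->` that no visible text uses any more, so either delete the section outright or drop the unused reference. The new Next steps bullet "Monitor availability with URL ping tests to your website from Application Insights servers" also reads oddly; "URL ping tests that probe your website from Application Insights servers" says what is meant.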
azure-monitor Java In Process Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/java-in-process-agent.md
Download the [applicationinsights-agent-3.2.4.jar](https://github.com/microsoft/
> For details, see the [3.1.0 release notes](https://github.com/microsoft/ApplicationInsights-Java/releases/tag/3.1.0). > > If you're upgrading from 3.1.x:
->
+> - Starting from 3.2.0, controller "InProc" dependencies are not captured by default. For details on how to enable this, please see the [config options](./java-standalone-config.md#autocollect-inproc-dependencies-preview).
> - Database dependency names are now more concise with the full (sanitized) query still present in the `data` field. HTTP dependency names are now more descriptive. > This change can affect custom dashboards or alerts if they relied on the previous values. > For details, see the [3.2.0 release notes](https://github.com/microsoft/ApplicationInsights-Java/releases/tag/3.2.0).
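Review bot: the new 3.2.0 upgrade bullet links to `./java-standalone-config.md#autocollect-inproc-dependencies-preview`, an anchor that exists only once the companion change adding the "Autocollect InProc dependencies (preview)" section to java-standalone-config.md is merged, so make sure both files ship in the same update or the link dead-ends. Style point: the docs voice avoids "please"; "For details on how to enable this, see the config options" is enough.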
azure-monitor Java Standalone Config https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/java-standalone-config.md
Instrumentation key overrides allow you to override the [default instrumentation
} ```
+## Autocollect InProc dependencies (preview)
+
+Starting from 3.2.0, if you want to capture controller "InProc" dependencies, please use the following configuration:
+
+```json
+{
+ "preview": {
+ "captureControllerSpans": true
+ }
+}
+```
+ ## Telemetry processors (preview) It allows you to configure rules that will be applied to request, dependency and trace telemetry, for example:
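Review bot: the new "Autocollect InProc dependencies (preview)" section shows the JSON that turns the feature on but never states the default, even though the companion release note says controller "InProc" dependencies are not captured by default from 3.2.0; add one sentence saying that `captureControllerSpans` is disabled unless set, so readers know what `true` changes. Because the key lives under `preview`, also say that the name may change in a later release before readers bake it into configuration management. Minor: "please use the following configuration" should drop "please".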
azure-monitor Metrics Supported https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/essentials/metrics-supported.md
> [!NOTE] > This list is largely auto-generated. Any modification made to this list via GitHub might be written over without warning. Contact the author of this article for details on how to make permanent updates.
+Date list was last updated: 2021-10-05.
+ Azure Monitor provides several ways to interact with metrics, including charting them in the Azure portal, accessing them through the REST API, or querying them by using PowerShell or the Azure CLI. This article is a complete list of all platform (that is, automatically collected) metrics currently available with the consolidated metric pipeline in Azure Monitor. Metrics changed or added after the date at the top of this article might not yet appear in the list. To query for and access the list of metrics programmatically, use the [2018-01-01 api-version](/rest/api/monitor/metricdefinitions). Other metrics not in this list might be available in the portal or through legacy APIs.
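Review bot: the hand-inserted line "Date list was last updated: 2021-10-05" sits inside an article the NOTE directly above describes as largely auto-generated and liable to be overwritten without warning, so unless the generator emits that line it will either be lost on the next regeneration or drift away from the actual table contents; have the generator write the date, or move it into the article metadata. The paragraph that follows also refers to "the date at the top of this article", so keep the date where a reader scanning the top of the page will find it under that description.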
azure-monitor Logs Data Export https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/logs-data-export.md
N/A
## Unsupported tables If the data export rule includes an unsupported table, the configuration will succeed, but no data will be exported for that table. If the table is later supported, then its data will be exported at that time.
-If the data export rule includes a table that doesn't exist, it will fail with the error "Table \<tableName\> does not exist in the workspace".
-- ## Supported tables Supported tables are currently limited to those specified below. All data from the table will be exported unless limitations are specified. This list is updated as more tables are added.
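Review bot: this hunk deletes the sentence about the "Table \<tableName\> does not exist in the workspace" error without saying what happens now when a rule names a nonexistent table; if the behaviour changed (for example the table is now treated like an unsupported table and silently exports nothing), say so in the "Unsupported tables" paragraph, and if it did not change, keep the sentence, since it is the one troubleshooting hint in the section. Also check the removed line that begins `- ## Supported tables Supported tables are currently limited to those specified below`: it looks as though the heading and intro sentence of the next section were caught in the deletion, which would orphan the table that follows.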
azure-monitor Logs Dedicated Clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/logs-dedicated-clusters.md
Content-type: application/json
{ "properties": {
- "billingType": "Workspaces",
- }
+ "billingType": "Workspaces"
+ },
+ "location": "region"
} ```
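Review bot: the added `"location": "region"` reads as a literal value, and a reader copying the request body will send the string `region`; use a visible placeholder such as `"location": "<region>"` or a concrete example region, and say that it must match the region of the cluster. The trailing-comma fix on `"billingType": "Workspaces"` is correct, as the previous body was not valid JSON and would have been rejected before reaching the API.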
azure-monitor Private Link Configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/private-link-configure.md
description: Configure Private Link
Previously updated : 08/01/2021 Last updated : 1/5/2022 # Configure your Private Link
In this section, we review the process of setting up a Private Link through the
### Connect Azure Monitor resources
-Connect Azure Monitor resources (Log Analytics workspaces and Application Insights components) to your AMPLS.
+Connect Azure Monitor resources (Log Analytics workspaces, Application Insights components and [Data Collection endpoints](../agents/data-collection-endpoint-overview.md)) to your AMPLS.
1. In your Azure Monitor Private Link scope, select **Azure Monitor Resources** in the left-hand menu. Select the **Add** button. 2. Add the workspace or component. Selecting the **Add** button brings up a dialog where you can select Azure Monitor resources. You can browse through your subscriptions and resource groups, or you can type in their name to filter down to them. Select the workspace or component and select **Apply** to add them to your scope.
You've now created a new private endpoint that is connected to this AMPLS.
## Configure access to your resources
-So far we covered the configuration of your network, but you should also consider how you want to configure network access to your monitored resources - Log Analytics workspaces and Application Insights components.
+So far we covered the configuration of your network, but you should also consider how you want to configure network access to your monitored resources - Log Analytics workspaces, Application Insights components and [Data Collection endpoints](../agents/data-collection-endpoint-overview.md).
Go to the Azure portal. In your resource's menu, there's a menu item called **Network Isolation** on the left-hand side. This page controls both which networks can reach the resource through a Private Link, and whether other networks can reach it or not.
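Review bot: the intro now tells readers to connect Data Collection endpoints to the AMPLS, but step 2 still says "Add the workspace or component" and "Select the workspace or component and select **Apply**", so the DCE case is never actually walked through; update step 2 to "workspace, component, or Data Collection endpoint" and confirm that the resource picker lists DCEs. The "Configure access to your resources" paragraph has the same gap: it adds DCEs to the list of monitored resources, but the following paragraph describes only the **Network Isolation** page without saying whether a DCE exposes that page and the same flags.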
This zone covers the global endpoints used by Azure Monitor, meaning endpoints t
* **live** - Application Insights live metrics endpoint * **profiler** - Application Insights profiler endpoint * **snapshot** - Application Insights snapshots endpoint
-[![Screenshot of Private DNS zone monitor-azure-com.](./media/private-link-security/dns-zone-privatelink-monitor-azure-com.png)](./media/private-link-security/dns-zone-privatelink-monitor-azure-com-expanded.png#lightbox)
+
+This zone also covers the resource specific endpoints for [Data Collection Endpoints](../agents/data-collection-endpoint-overview.md):
+* `<unique-dce-identifier>.<regionname>.handler.control` - Private configuration endpoint, part of a Data Collection Endpoint (DCE) resource
+* `<unique-dce-identifier>.<regionname>.ingest` - Private ingestion endpoint, part of a Data Collection Endpoint (DCE) resource
+
+[![Screenshot of Private DNS zone monitor-azure-com.](./media/private-link-security/dns-zone-privatelink-monitor-azure-com-with-endpoint.png)](./media/private-link-security/dns-zone-privatelink-monitor-azure-com-expanded-with-endpoint.png#lightbox)
+ #### Log Analytics endpoints > [!IMPORTANT]
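Review bot: the two new DCE records are given only as the name fragments `<unique-dce-identifier>.<regionname>.handler.control` and `<unique-dce-identifier>.<regionname>.ingest`; show one full example FQDN inside the zone pictured in the screenshot so readers can recognize the records when they inspect their own private DNS zone, and say that a record pair appears for each DCE added to the AMPLS, since the rest of this list describes single global endpoints. Minor: "resource specific endpoints" here should be hyphenated, matching the "Resource-specific endpoints" heading used in the overview article.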
The below screenshot shows endpoints mapped for an AMPLS with two workspaces in
## Next steps - Learn about [private storage](private-storage.md) for Custom Logs and Customer managed keys (CMK)-- Learn about [Private Link for Automation](../../automation/how-to/private-link-security.md)
+- Learn about [Private Link for Automation](../../automation/how-to/private-link-security.md)
+- Learn about the new [Data Collection endpoints](../agents/data-collection-endpoint-overview.md)
azure-monitor Private Link Design https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/private-link-design.md
description: Design your Private Link setup
Previously updated : 08/01/2021 Last updated : 1/5/2022 # Design your Private Link setup
As discussed in the [Azure Monitor Private Link overview article](private-link-s
The simplest and most secure approach would be: 1. Create a single Private Link connection, with a single Private Endpoint and a single AMPLS. If your networks are peered, create the Private Link connection on the shared (or hub) VNet.
-2. Add *all* Azure Monitor resources (Application Insights components and Log Analytics workspaces) to that AMPLS.
+2. Add *all* Azure Monitor resources (Application Insights components, Log Analytics workspaces and [Data Collection endpoints](../agents/data-collection-endpoint-overview.md)) to that AMPLS.
3. Block network egress traffic as much as possible. If you can't add all Azure Monitor resources to your AMPLS, you can still apply your Private Link to some resources, as explained in [Control how Private Links apply to your networks](./private-link-design.md#control-how-private-links-apply-to-your-networks). While useful, this approach is less recommended since it doesn't prevent data exfiltration.
To avoid this conflict, create only a single AMPLS object per DNS.
### Hub-and-spoke networks Hub-and-spoke networks should use a single Private Link connection set on the hub (main) network, and not on each spoke VNet.
-![Hub-and-spoke-single-PE](./media/private-link-security/hub-and-spoke-with-single-private-endpoint.png)
+![Hub-and-spoke-single-PE](./media/private-link-security/hub-and-spoke-with-single-private-endpoint-with-data-collection-endpoint.png)
> [!NOTE] > You may intentionally prefer to create separate Private Links for your spoke VNets, for example to allow each VNet to access a limited set of monitoring resources. In such cases, you can create a dedicated Private Endpoint and AMPLS for each VNet, but **must also verify they don't share the same DNS zones in order to avoid DNS overrides**.
In the following diagram, VNet1 uses the Open mode and VNet2 uses the Private On
The AMPLS object has the following limits: * A VNet can only connect to **one** AMPLS object. That means the AMPLS object must provide access to all the Azure Monitor resources the VNet should have access to. * An AMPLS object can connect to 300 Log Analytics workspaces and 1000 Application Insights components at most.
-* An Azure Monitor resource (Workspace or Application Insights component) can connect to 5 AMPLSs at most.
+* An Azure Monitor resource (Workspace or Application Insights component or [Data Collection Endpoint](../agents/data-collection-endpoint-overview.md)) can connect to 5 AMPLSs at most.
* An AMPLS object can connect to 10 Private Endpoints at most. > [!NOTE]
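Review bot: the per-resource limit now includes Data Collection Endpoints, but the AMPLS-side limit in the bullet above still reads "300 Log Analytics workspaces and 1000 Application Insights components at most"; state how many DCEs an AMPLS can hold (or that they do not count toward either cap) so readers planning a large deployment are not left guessing. The new parenthetical "Workspace or Application Insights component or Data Collection Endpoint" also needs list punctuation: "workspace, Application Insights component, or Data Collection Endpoint".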
That granularity allows you to set access according to your needs, per workspace
Blocking queries from public networks means clients (machines, SDKs etc.) outside of the connected AMPLSs can't query data in the resource. That data includes logs, metrics, and the live metrics stream. Blocking queries from public networks affects all experiences that run these queries, such as workbooks, dashboards, Insights in the Azure portal, and queries run from outside the Azure portal.
+Your [Data Collection endpoints](../agents/data-collection-endpoint-overview.md) can be set to:
+* Accept or block access from public networks (networks not connected to the resource AMPLS).
+ See [Set resource access flags](./private-link-configure.md#set-resource-access-flags) for configuration details. ### Exceptions
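Review bot: the new Data Collection endpoints paragraph lists a single flag, "Accept or block access from public networks", whereas the query paragraph directly above describes a query-side setting for workspaces; say whether a DCE has any query-side setting or state plainly that a DCE is ingestion-only, so the asymmetry reads as deliberate rather than as an omission. A one-item bullet list can simply be a sentence.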
See [Set resource access flags](./private-link-configure.md#set-resource-access-
#### Diagnostic logs Logs and metrics uploaded to a workspace via [Diagnostic Settings](../essentials/diagnostic-settings.md) go over a secure private Microsoft channel and are not controlled by these settings.
+#### 'Custom Metrics' or Azure Monitor guest metrics
+[Custom Metrics (preview)](../essentials/metrics-custom-overview.md) collected and uploaded via the Azure Monitor Agent are not controlled by Data Collection endpoints nor can they be configured over private links.
+ #### Azure Resource Manager Restricting access as explained above applies to data in the resource. However, configuration changes, including turning these access settings on or off, are managed by Azure Resource Manager. To control these settings, you should restrict access to resources using the appropriate roles, permissions, network controls, and auditing. For more information, see [Azure Monitor Roles, Permissions, and Security](../roles-permissions-security.md)
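Review bot: the new "Custom Metrics" exception says guest metrics uploaded via the Azure Monitor Agent "are not controlled by Data Collection endpoints nor can they be configured over private links", but stops short of the consequence a reader of this article needs: that traffic cannot go over the Private Link, so the "Block network egress traffic as much as possible" recommendation at the top of the article cannot be applied wholesale without breaking custom metrics. Spell that out and name which endpoint or firewall rule must remain reachable, the way the "Diagnostic logs" exception above explains which channel its data uses. Also use the article's plain heading style, `#### Custom metrics (Azure Monitor guest metrics)`, rather than the quoted 'Custom Metrics'.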
Log Analytics agents need to access a global storage account to download solutio
If your Private Link setup was created before April 19, 2021, it won't reach the solution packs storage over a private link. To handle that you can either: * Re-create your AMPLS and the Private Endpoint connected to it
-* Allow your agents to reach the storage account through its public endpoint, by adding the following rules to your firewall allow list:
+* Allow your agents to reach the storage account through its public endpoint, by adding the following rules to your firewall allowlist:
| Cloud environment | Agent Resource | Ports | Direction | |:--|:--|:--|:--|
We've identified the following products and experiences query workspaces through
> * VM Insights > * Container Insights ++ ## Requirements ### Network subnet size
The smallest supported IPv4 subnet is /27 (using CIDR subnet definitions). While
### Agents The latest versions of the Windows and Linux agents must be used to support secure ingestion to Log Analytics workspaces. Older versions can't upload monitoring data over a private network.
-**Log Analytics Windows agent**
+**Azure Monitor Windows agents**
+
+Azure Monitor Windows agent version 1.1.1.0 or higher (using [Data Collection endpoints](../agents/data-collection-endpoint-overview.md))
+
+**Azure Monitor Linux agents**
+
+Azure Monitor Windows agent version 1.10.5.0 or higher (using [Data Collection endpoints](../agents/data-collection-endpoint-overview.md))
+
+**Log Analytics Windows agent (on deprecation path)**
Use the Log Analytics agent version 10.20.18038.0 or later.
-**Log Analytics Linux agent**
+**Log Analytics Linux agent (on deprecation path)**
Use agent version 1.12.25 or later. If you can't, run the following commands on your VM.
$ sudo /opt/microsoft/omsagent/bin/omsadmin.sh -X
$ sudo /opt/microsoft/omsagent/bin/omsadmin.sh -w <workspace id> -s <workspace key> ``` ### Azure portal
-To use Azure Monitor portal experiences such as Application Insights and Log Analytics, you need to allow the Azure portal and Azure Monitor extensions to be accessible on the private networks. Add **AzureActiveDirectory**, **AzureResourceManager**, **AzureFrontDoor.FirstParty**, and **AzureFrontdoor.Frontend** [service tags](../../firewall/service-tags.md) to your Network Security Group.
+To use Azure Monitor portal experiences such as Application Insights, Log Analytics and [Data Collection endpoints](../agents/data-collection-endpoint-overview.md), you need to allow the Azure portal and Azure Monitor extensions to be accessible on the private networks. Add **AzureActiveDirectory**, **AzureResourceManager**, **AzureFrontDoor.FirstParty**, and **AzureFrontdoor.Frontend** [service tags](../../firewall/service-tags.md) to your Network Security Group.
### Programmatic access To use the REST API, [CLI](/cli/azure/monitor) or PowerShell with Azure Monitor on private networks, add the [service tags](../../virtual-network/service-tags-overview.md) **AzureActiveDirectory** and **AzureResourceManager** to your firewall.
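Review bot: under the new "**Azure Monitor Linux agents**" heading the version line reads "Azure Monitor Windows agent version 1.10.5.0 or higher", a copy-paste slip that should say Linux agent; both new headings also say "agents" in the plural while each describes one agent. In the Azure portal paragraph, Data Collection endpoints are now listed among "portal experiences such as Application Insights, Log Analytics", but a DCE is a resource rather than a portal experience; if the point is that managing DCEs from the portal needs the same service tags on the Network Security Group, say that directly.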
azure-monitor Private Link Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/private-link-security.md
description: Set up an Azure Monitor Private Link Scope to securely connect netw
Previously updated : 10/05/2020 Last updated : 1/5/2022 # Use Azure Private Link to connect networks to Azure Monitor
When configuring Private Link even for a single resource, traffic to the below e
### Resource-specific endpoints Log Analytics endpoints are workspace-specific, except for the query endpoint discussed earlier. As a result, adding a specific Log Analytics workspace to the AMPLS will send ingestion requests to this workspace over the Private Link, while ingestion to other workspaces will continue to use the public endpoints.
+[Data Collection Endpoints](../agents/data-collection-endpoint-overview.md) are also resource-specific, and allow you to uniquely configure ingestion settings for collecting guest OS telemetry data from your machines (or set of machines) when using the new [Azure Monitor agent](../agents/azure-monitor-agent-overview.md) and [Data Collection Rules](../agents/data-collection-rule-overview.md). Configuring a data collection endpoint for a set of machines does not affect ingestion of guest telemetry from other machines using the new agent.
+ > [!IMPORTANT] > Starting December 1, 2021, the Private Endpoints DNS configuration will use the Endpoint Compression mechanism, which allocates a single private IP address for all workspaces in the same region. This improves the supported scale (up to 300 workspaces and 1000 components per AMPLS) and reduces the total number of IPs taken from the network's IP pool.
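Review bot: the new DCE paragraph belongs to the "Resource-specific endpoints" section, and its statement that configuring a data collection endpoint for a set of machines "does not affect ingestion of guest telemetry from other machines using the new agent" has the same consequence the NOTE at the end of the article draws for Log Analytics ingestion: resource-specific endpoints do not adhere to AMPLS access modes, so the only way to stop the Azure Monitor agent from sending to a DCE outside the AMPLS is a network firewall rule blocking the public endpoints. Repeat that caveat here, or extend the closing NOTE to cover DCE ingestion, so the security implication is stated where readers first learn about DCEs.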
Therefore, Private Links created starting September 2021 have new mandatory AMPL
> [!NOTE] > Log Analytics ingestion uses resource-specific endpoints. As such, it doesnΓÇÖt adhere to AMPLS access modes. **To assure Log Analytics ingestion requests canΓÇÖt access workspaces out of the AMPLS, set the network firewall to block traffic to public endpoints, regardless of the AMPLS access modes**. + ## Next steps - [Design your Private Link setup](private-link-design.md) - Learn how to [configure your Private Link](private-link-configure.md)
azure-monitor Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/resource-graph-samples.md
Title: Azure Resource Graph sample queries for Azure Monitor description: Sample Azure Resource Graph queries for Azure Monitor showing use of resource types and tables to access Azure Monitor related resources and properties. Previously updated : 12/20/2021 Last updated : 01/20/2022
azure-monitor Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Monitor description: Lists Azure Policy Regulatory Compliance controls available for Azure Monitor. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
azure-percept Create People Counting Solution With Azure Percept Devkit Vision https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-percept/create-people-counting-solution-with-azure-percept-devkit-vision.md
+
+ Title: Create a people counting solution with Azure Percept DK and Azure Percept Vision
+description: This guide will focus on detecting and counting people using the Azure Percept DK hardware, Azure IoT Hub, Azure Stream Analytics, and Power BI dashboard.
++++ Last updated : 01/19/2021 ++++
+# Tutorial: Create a People Counting Solution with Azure Percept DK and Azure Percept Vision
+This guide will focus on detecting and counting people using the Azure Percept DK hardware, Azure IoT Hub, Azure Stream Analytics, and Power BI dashboard.
+
+The tutorial is intended to show detailed steps on how users can create, configure, and implement the basic components of this solution. Users can easily expand the tutorial and create additional ways to visualize people counting data.
+
+Top customer scenarios:
+- People counting intelligence: aggregation of people counting over a given day, week, or duration.
+- Occupancy: determine when a space is free and available for use. Quantify how long the space is idle and unused.
+- Understanding peak occupancy levels and when they occur.
+- Detecting people counting after hours: count of people in space during non-business hours.
+
+In this tutorial, you learn how to:
+
+- Set up your Azure Percept DK and Vision AI model
+- Create a Container Registry resource
+- Build and push your edge solution to Container Registry
+- Deploy edge solution to device
+- Add a Consumer group to your IoT Hub
+- Create a Stream Analytics Job
+- Create and publish a Power BI report to visualize data
+
+## Solution Architecture
+[ ![Solution Architecture](./media/create-people-counting-solution-with-azure-percept-vision-images/solution-architecture-mini.png) ](./media/create-people-counting-solution-with-azure-percept-vision-images/solution-architecture.png#lightbox)
+
+- Input : Video stream from Azure Percept DK
+
+- Output: Count of people in Power BI dashboard
+
+[ ![Power BI](./media/create-people-counting-solution-with-azure-percept-vision-images/power-bi-mini.png) ](./media/create-people-counting-solution-with-azure-percept-vision-images/power-bi.png#lightbox)
++
+- Percept DK ([Purchase](https://www.microsoft.com/store/build/azure-percept/8v2qxmzbz9vc))
+- Azure Subscription: ([Free trial account](https://azure.microsoft.com/free/))
+- Power BI subscription: ([Try Power BI for free](https://go.microsoft.com/fwlink/?LinkId=874445&clcid=0x409&cmpid=pbi-gett-hero-try-powerbifree))
+- Power BI workspace: ([Create the new workspaces in Power BI](https://github.com/MicrosoftDocs/powerbi-docs/blob/main/powerbi-docs/collaborate-share/service-create-the-new-workspaces.md))
+- [Azure Percept DK setup experience](./quickstart-percept-dk-set-up.md): you connected your devkit to a Wi-Fi network, created an IoT Hub, and connected your devkit to the IoT Hub
+- Download and install [VS Code]()
+- Download and install [Git]()
+- Install the IoT Hub Extension in VS Code
+- Install the Azure IoT Tools Extension in VS Code
+- Download and install [Docker Desktop]() (Will require a PC reboot)
+- (Only for Windows Users) Install WSL2 by running the following commands in Windows PowerShell or Terminal (on macOS) (Will require a PC restart)
+
+ `wsl --install`
+
+ `wsl --set-default-version 2`
++
+## Step 0: Set up your Azure Percept DK and Vision AI model
+Setting up the Azure Percept DK is the first step in the tutorial. Below are the steps to follow and links to further guidance.
+
+1. Follow [Quickstart: unbox and assemble your Azure Percept DK components](./quickstart-percept-dk-unboxing.md) and the next steps.
+2. Connect the camera module to the Azure Percept DK via the USB-C cable.
+3. Open Command Prompt (for Windows) or Terminal (on macOS) and execute the command-
+
+ `git clone https://github.com/microsoft/Azure-Percept-Reference-Solutions.git`
+
+ Within the cloned repository go to `people-counting-with-azure-percept-vision` directory.
++
+## Step 1: Create a Container Registry resource
+Azure Container Registry is a managed, private Docker registry service based on the open-souce Docker Registry. Container Registries are used to manage and store your private Docker containers images and related artifacts.
+
+1. Login to Azure portal https://portal.azure.com/
+2. To create a Container Registry, go to [Create container registry - Microsoft Azure](https://ms.portal.azure.com/#create/Microsoft.ContainerRegistry)
+
+ a. Select your Azure Subscription in the `Subscription` drop-down box
+
+ b. Select your preferred resource group from the `Resource group` drop-down menu. It is recommended to use the `Resource group` which contains the IOT Hub connected to the Azure Percept DK.
+
+ c. Provide a unique `Registry Name`
+
+ d. Under `Location`, select the region to deploy resource (We suggest select `West US`)
+
+ e. `Availability Zones` - disabled
+
+ f. For `SKU`, select `Standard`
+
+ g. Keep all other tab as default and click `Review + create` at the bottom of the screen. Once the validation passes, click `Create`. This will create your Container Registry.
+
+ ![Container Registry Creation](./media/create-people-counting-solution-with-azure-percept-vision-images/container-registry.png)
+3. After successful resource deployment go to your container registry resource. On the left scroll panel select `Access Keys` under `Settings` and `enable` the `Admin user`
+ ![Container Registry setting](./media/create-people-counting-solution-with-azure-percept-vision-images/access-keys.png)
+4. Make a note of the `Login Server`, `Username`, and `password`
+ ![Container Registry login](./media/create-people-counting-solution-with-azure-percept-vision-images/access-keys-1.png)
+5. Go to the git repository and `people-counting-with-azure-percept-vision` directory and rename `envtemplate` to `.env`. Open the file and fill in the following details-
+
+ a. CONTAINER_REGISTRY_USERNAME= your container registry Username
+
+ b. CONTAINER_REGISTRY_PASSWORD= your container registry Password
+
+ c. CONTAINER_REGISTRY_LOGINSERVER= your container registry Login Server
+
+ ![Environment](./media/create-people-counting-solution-with-azure-percept-vision-images/env.png)
++
+## Step 2: Build and push your edge solution to Container Registry
+This section guides users on modifying the cloned people counting repo with their individual deployment information, building the model image, and pushing model image to container registry.
+
+1. Open VS Code, at the bottom of the screen ensure you have `arm64v8` as the `Default Platform for IoT Edge Solution` selected (if not, then please click and select arm64v8 from the list)
+
+ ![select arm64v8](./media/create-people-counting-solution-with-azure-percept-vision-images/vscode-arm64v8.png)
+
+2. Within the `people-counting-with-azure-percept-vision` directory go to `modules/CountModule/` directory and open `module.json`. Fill in your `Container registry address` (same as the `Login server` saved earlier) and followed by a `repository name` **(Note- please make sure your repository name is all lowercase)**
+
+ `"repository": "<Your container registry login server/repository name>"`
+
+ will change as follows, for example-
+
+ `"repository": "visiontrainingacr.azurecr.io/countmodule"`
+
+ ![example of count module](./media/create-people-counting-solution-with-azure-percept-vision-images/count-module.png)
+
+3. Now you will build the module image and push it to your container registry. Open Visual Studio Code integrated terminal by selecting `View > Terminal `
+
+4. Sign into Docker with the Azure Container registry (ACR) credentials that you saved after creating the registry using below command in terminal-
+
+ `docker login -u <ACR username> -p <ACR password> <ACR login server>`
+
+5. Visual Studio Code now has access to your container registry. In the next steps you will turn the solution code into a container image. In Visual Studio Code explorer, right click the `deployment.template.json` file and select `Build and Push IoT Edge Solution`
+
+ ![Build and Push IoT Edge Solution](./media/create-people-counting-solution-with-azure-percept-vision-images/build-and-push.png)
+
+ The build and push command starts three operations. First, it creates a new folder in the solution called `config` that holds the full deployment manifest, built out of information in the deployment template and other solution files. Second, it runs `docker build` to build the container image based on the appropriate docker file for your target architecture. Then, it runs `docker push` to push the image repository to your container registry. This process may take several minutes the first time but is faster the next time that you run the commands.
+
+6. Open the `deployment.arm64v8.json` file in the newly created config folder. The filename reflects the target architecture, so it will be different if you choose a different architecture.
+
+7. Notice that the two parameters that had placeholders now are filled in with their proper values. The `registryCredentials` section has your registry username and password pulled from the .env file. The `CountModule` has the full image repository with the `name`, `version`, and `architecture` tag from the `module.json` file.
+
+8. To further verify what the build and push command did, go to the Azure portal, and navigate to your container registry. In your container registry, select `Repositories` then `countmodule`
+
+ ![select repositories](./media/create-people-counting-solution-with-azure-percept-vision-images/azure-container-registry.png)
++
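Review bot: The `docker login -u <ACR username> -p <ACR password> <ACR login server>` command in step 4 passes the registry password as a command-line argument, so it lands in the shell history and is visible to other local users through the process list; Docker itself prints a warning when `-p` is used. Suggest `docker login -u <ACR username> --password-stdin <ACR login server>` with the password supplied on standard input. Related: step 7 notes that the generated `config/deployment.arm64v8.json` has the registry username and password filled in from `.env`, so the `config` folder needs the same do-not-commit caveat as `.env`.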
+## Step 3: Deploy edge solution to device
+Step 3 will guide users on creating and deploying a manifest to the Azure Percept Dev Kit. This deployment will create a new edge module ΓÇÿCountModuleΓÇÖ and will overwrite any previous deployments of ΓÇÿCountModuleΓÇÖ.
+
+1. In the Visual Studio Code explorer, under the `Azure IoT Hub` section, expand `Devices` to see your list of IoT devices
+
+2. Right-click the IoT Edge device that you want to deploy to, then select `Create Deployment for Single Device`
+
+ ![Create Deployment for Single Device](./media/create-people-counting-solution-with-azure-percept-vision-images/deployment.png)
+
+3. In the file explorer, navigate into the `config` folder then select the `deployment.arm64v8.json` file and click `Select Edge Deployment Manifest`.
+
+ **Do not use the deployment.template.json file, which does not have the container registry credentials or module image values in it.**
+
+4. Under your device, expand `Modules` to see a list of deployed and running modules. Click the refresh button. You should see the `CountModule` running on your device.
+
+ ![view the count module](./media/create-people-counting-solution-with-azure-percept-vision-images/module-run.png)
+
+5. Go to [Azure Percept Studio](https://ms.portal.azure.com/#blade/AzureEdgeDevices/Main/devices) and on the left panel, select Devices, then select your Azure Percept device
+
+ ![select devices](./media/create-people-counting-solution-with-azure-percept-vision-images/devices.png)
+
+6. Ensure that your device is `Connected`. Click on `Vision`
+
+ ![check for connected](./media/create-people-counting-solution-with-azure-percept-vision-images/vision.png)
+
+7. Click `View your device stream `
+
+ ![View your device stream](./media/create-people-counting-solution-with-azure-percept-vision-images/device-stream.png)
+
+8. The previous step will deploy modules to your device. In the `Notifications` tab click `View Stream`. This will open a new tab in your browser, please verify that you see the video stream. If you point the camera module to a person then you will see the person detection with bounding box
+
+ ![verify the video stream](./media/create-people-counting-solution-with-azure-percept-vision-images/stream.png)
+
+9. After verifying the video stream and bounding boxes, please close the web stream browser tab.
+
+10. To ensure the Count Module is setup correctly, in the Azure portal go to your IoT Hub. On the left panel under `Device management `select `IoT Edge`
+
+ ![select iot edge](./media/create-people-counting-solution-with-azure-percept-vision-images/iot-edge.png)
+
+11. From the IoT device list click on your Azure Percept DK device
+
+ ![Azure Percept DK device](./media/create-people-counting-solution-with-azure-percept-vision-images/device.png)
+
+12. Scroll down to check if all deployed modules are in `running` status
+
+ ![check the running status](./media/create-people-counting-solution-with-azure-percept-vision-images/running.png)
+
+13. Click `Troubleshoot`
+
+ ![chose troubleshoot](./media/create-people-counting-solution-with-azure-percept-vision-images/troubleshoot.png)
+
+14. From the drop-down list select `CountModule`
+
+ ![view count module](./media/create-people-counting-solution-with-azure-percept-vision-images/dropdown.png)
+
+15. Ensure you see `People_Count` logs as follows-
+
+ ![check the box](./media/create-people-counting-solution-with-azure-percept-vision-images/logs.png)
++
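Review bot: The introductory sentence of Step 3 contains mis-encoded curly quotes, `ΓÇÿCountModuleΓÇÖ` twice; the source should be saved as UTF-8 and the quotes replaced with plain `'CountModule'` or backticks, which is what the rest of the tutorial uses for module names. Separately, the Azure Percept Studio link in step 5 goes to `ms.portal.azure.com`, a Microsoft-internal portal hostname; public readers need `portal.azure.com`.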
+## Step 4: Add a Consumer group to your IoT Hub
+Consumer groups provide independent views into the event stream that enable apps and Azure services to independently consume data. This consumer group will be used by the Stream Analytics Job we will create in Step 5.
+
+1. In the [Azure portal](https://portal.azure.com), go to your IoT hub which is connected to your Azure Percept DK.
+
+2. On the left pane, select `Hub settings > Built-in endpoints`. Enter a name for your new consumer group in the text box under `Consumer groups`
+
+ ![new consumer group](./media/create-people-counting-solution-with-azure-percept-vision-images/consumer-group.png)
+
+3. Click anywhere outside the text box to save the consumer group
+
+## Step 5: Create a Stream Analytics Job
+Step 5 guides users through creating, configuring, and running a Stream Analytics job. Stream Analytics is a hot path to stream data from out Azure IoT Hub to a Power BI workspace in real time. We will create a query so only People Counting telemetry will be streamed. Once People Counting data is in our Power BI workspace it will be easy to render with a Power BI report.
+
+1. Go to New [Stream Analytics job - Microsoft Azure](https://ms.portal.azure.com/#create/Microsoft.StreamAnalyticsJob)
+
+2. Enter the following information for the job -
+
+ - `Job name` - The name of the job. The name must be globally unique.
+
+ - `Resource group` - Use the same resource group that your IoT hub uses.
+
+ - `Location` - Use the same location as your resource group.
+
+ ![resource group](./media/create-people-counting-solution-with-azure-percept-vision-images/stream-analytics-job.png)
+
+3. Click `Create`
+
+### Add an input to the Stream Analytics job
+1. Open the previously created Stream Analytics job. Under `Job topology`, select `Inputs`
+
+2. In the `Inputs` pane, select `Add stream input`, then select `IoT Hub` from the drop-down list.
+
+ ![drop-down list](./media/create-people-counting-solution-with-azure-percept-vision-images/stream-analytics-input.png)
+
+3. On the new input pane, enter the following information -
+
+ - `Input alias` - Enter a unique alias for the input
+
+ - `Select IoT Hub from your subscription` - Select this radio button
+
+ - `Subscription` - Select the Azure subscription you are using for this lab
+
+ - `IoT Hub` - Select the IoT Hub you are using for this lab
+
+ - `Consumer group` - Select the consumer group you created previously
+
+ - `Shared access policy name` - Select the name of the shared access policy you want the Stream Analytics job to use for your IoT hub. For this lab, you can select service
+
+ - `Shared access policy key` - This field is auto filled based on your selection for the shared access policy name
+
+ - `Endpoint` - Select Messaging
+
+ Leave all other fields as default
+
+ ![example view](./media/create-people-counting-solution-with-azure-percept-vision-images/stream-analytics-input-fields.png)
+
+4. Click `Save`
+
+### Add an output to the Stream Analytics job
+
+1. Create a Group Workspace, take the following steps to create one -
+
+ a. In a new web browser tab open [Power BI](https://msit.powerbi.com/home)
+
+ b. On the left panel click on `Workspaces > Create a workspace`
+
+ c. Give your workspace a name and description (optional) and click `Save `
+
+ d. Go back to the Azure portal and go to the Stream Analytics job
+
+2. Under `Job topology`, select `Outputs`
+3. In the `Outputs` pane, select `Add`, and then select `Power BI` from the drop-down list
+
+ ![view of drop-down list](./media/create-people-counting-solution-with-azure-percept-vision-images/stream-analytics-output.png)
+
+4. Enter the following information-
+
+ a. `Output alias` - A unique alias for the output
+
+ b. `Group workspace` - Select your target group workspace.
+
+ c. `Dataset name` - Enter a dataset name
+
+ d. `Table name` - Enter a table name
+
+ e. `Authentication mode` - Leave as the default
+
+ ![Leave as the default](./media/create-people-counting-solution-with-azure-percept-vision-images/stream-analytics-output-fields.png)
+
+5. On the `Power BI - New output` pane, select `Authorize` and follow the prompts to sign into your Power BI account
+
+6. Click `Save `
+
+### Configure the query of the Stream Analytics job
+1. Under `Job topology`, select `Query `
+
+2. Replace `[YourInputAlias]` with the input alias of the job
+
+3. Replace `[YourOutputAlias]` with the output alias of the job
+
+4. Add the following `WHERE` clause as the last line of the query. This line ensures that only messages with a `People_Count` property will be forwarded to Power BI.
+
+ `WHERE People_Count IS NOT NULL `
+
+5. The query will look as follows -
+
+ ![The query](./media/create-people-counting-solution-with-azure-percept-vision-images/query.png)
+
+6. Click `Save Query`
+
+ **Note- The `People_Count` property is sent from the `countmodule` to the IoT hub and is forwarded to the Stream Analytics job.**
+
+### Run the Stream Analytics job
+1. In the Stream Analytics job, select `Overview`, then select `Start > Now > Start`
+
+ ![overview](./media/create-people-counting-solution-with-azure-percept-vision-images/stream-analytics-start.png)
+
+2. Once the job successfully starts, the job status changes from `Stopped` to `Running`
+
+ ![running state](./media/create-people-counting-solution-with-azure-percept-vision-images/stream-analytics-running.png)
++
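Review bot: Two links in Step 5 point at Microsoft-internal endpoints that external readers cannot use: the Stream Analytics job link in step 1 (`ms.portal.azure.com`) and the Power BI link in the output section, step 1a (`msit.powerbi.com`). They should be `portal.azure.com` and `app.powerbi.com`; the same Power BI URL recurs in Step 6 and Step 7. On the input side, the guidance to select the `service` shared access policy is the right choice and could say why in one clause: that policy carries only ServiceConnect rights, which is all the job needs to read the built-in endpoint, rather than the full `iothubowner` policy.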
+## Step 6: Create and publish a Power BI report to visualize data
+This step will guide users on how to create a Power BI report from the People Counting telemetry data. The tutorial walks through initial steps to visualize people counting data. Users who are interested to learn more ways to transform, aggregate, and visualize their data could explore the [Power BI product page](https://powerbi.microsoft.com/) for ideas and templates.
+
+1. Login to [Power BI](https://msit.powerbi.com/home) and select your Workspace (this is the same Group Workspace you used while creating the Stream Analytics job output)
+
+ ![select your Workspace](./media/create-people-counting-solution-with-azure-percept-vision-images/power-bi-1.png)
+
+2. Verify that you see your dataset
+
+ ![verify dataset](./media/create-people-counting-solution-with-azure-percept-vision-images/power-bi-data-set.png)
+
+3. On the left scroll panel select `+ Create` and then click `Pick a published dataset`
+
+ ![publish dataset](./media/create-people-counting-solution-with-azure-percept-vision-images/power-bi-create.png)
+
+4. Select your dataset and click `Create `
+
+5. On the right, expand the `Fields` dropdown and select `EventEnqueuedUtcTime` and `ΣPeople_Count`
+
+6. Under `Visualizations` select `Line and clustered column chart`
+
+ ![select correct column chart](./media/create-people-counting-solution-with-azure-percept-vision-images/power-bi-fields.png)
+
+7. This will generate a graph as follows-
+
+ ![graph is generated](./media/create-people-counting-solution-with-azure-percept-vision-images/ power-bi-graph.png)
+
+8. Click `Refresh` periodically to update the graph
+
+ ![update the graph](./media/create-people-counting-solution-with-azure-percept-vision-images/power-bi-graph-refresh.png)
++++
+<!-- 6. Clean up resources
+Required. If resources were created during the tutorial. If no resources were created,
+state that there are no resources to clean up in this section.
+-->
+
+## Step 7: Clean up resources
+
+If you're not going to continue to use this application, delete
+Azure resources with the following steps:
+
+1. Login to the [Azure portal](https://portal.azure.com), go to `Resource Group` you have been using for this tutorial. Select the `Stream Analytics Job` resource created and stop the job from running then delete.
+
+2. Login to [Power BI](https://msit.powerbi.com/home) and select your Workspace (this is the same Group Workspace you used while creating the Stream Analytics job output), and delete workspace.
+
+<!-- 7. Next steps
+Required: A single link in the blue box format. Point to the next logical tutorial
+in a series, or, if there are no other tutorials, to some other cool thing the
+customer can do.
+-->
+
+## Next steps
+
+Check out the other tutorial under Advanced prototyping with Azure Percept section for your Azure Percept DK.
+
+<!--
+Remove all the comments in this template before you sign-off or merge to the
+main branch.
+-->
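Review bot: The three HTML comments (`<!-- 6. Clean up resources ... -->`, `<!-- 7. Next steps ... -->` and the closing `<!-- Remove all the comments in this template before you sign-off or merge ... -->`) are authoring-template scaffolding and, as the last one says, should be deleted before merge. The cleanup step itself only removes the Stream Analytics job and the Power BI workspace; the container registry created in Step 1, whose `Admin user` was enabled in step 3, and the local `.env` file holding its credentials are left in place, so add them (or at minimum disabling the admin user) to the list. Also, the image path in Step 6, step 7 has a stray space after the directory name (`/ power-bi-graph.png`), which will break the image.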
azure-resource-manager Lock Resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/lock-resources.md
Applying locks can lead to unexpected results because some operations that don't
- A cannot-delete lock on a **resource group** prevents **Azure Machine Learning** from autoscaling [Azure Machine Learning compute clusters](../../machine-learning/concept-compute-target.md#azure-machine-learning-compute-managed) to remove unused nodes.
+- A read-only lock on a **Log Analytics workspace** prevents **User and Entity Behavior Analytics (UEBA)** from being enabled.
+ - A read-only lock on a **subscription** prevents **Azure Advisor** from working correctly. Advisor is unable to store the results of its queries. - A read-only lock on an **Application Gateway** prevents you from getting the backend health of the application gateway. That [operation uses POST](/rest/api/application-gateway/application-gateways/backend-health), which is blocked by the read-only lock.
azure-resource-manager Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/resource-graph-samples.md
Title: Azure Resource Graph sample queries for Azure Resource Manager description: Sample Azure Resource Graph queries for Azure Resource Manager showing use of resource types and tables to access Azure Resource Manager related resources and properties. Previously updated : 12/20/2021 Last updated : 01/20/2022
azure-resource-manager Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Resource Manager description: Lists Azure Policy Regulatory Compliance controls available for Azure Resource Manager. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
azure-resource-manager Child Resource Name Type https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/child-resource-name-type.md
Title: Child resources in templates description: Describes how to set the name and type for child resources in an Azure Resource Manager template (ARM template). Previously updated : 05/07/2021 Last updated : 01/19/2022 # Set name and type for child resources
Each parent resource accepts only certain resource types as child resources. The
In an Azure Resource Manager template (ARM template), you can specify the child resource either within the parent resource or outside of the parent resource. The values you provide for the resource name and resource type vary based on whether the child resource is defined inside or outside of the parent resource.
+> [!TIP]
+> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [child resources](../bicep/child-resource-name-type.md).
+ ## Within parent resource The following example shows the child resource included within the resources property of the parent resource.
The following example shows a virtual network and subnet that are both defined a
## Next steps * To learn about creating ARM templates, see [Understand the structure and syntax of ARM templates](./syntax.md).
-* To learn about the format of the resource name when referencing the resource, see the [reference function](template-functions-resource.md#reference).
+* To learn about the format of the resource name when referencing the resource, see the [reference function](template-functions-resource.md#reference).
azure-resource-manager Conditional Resource Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/conditional-resource-deployment.md
Title: Conditional deployment with templates description: Describes how to conditionally deploy a resource in an Azure Resource Manager template (ARM template). Previously updated : 05/07/2021 Last updated : 01/19/2022 # Conditional deployment in ARM templates
Sometimes you need to optionally deploy a resource in an Azure Resource Manager
> [!NOTE] > Conditional deployment doesn't cascade to [child resources](child-resource-name-type.md). If you want to conditionally deploy a resource and its child resources, you must apply the same condition to each resource type.
+> [!TIP]
+> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [conditional deployments](../bicep/conditional-resource-deployment.md).
+ ## Deploy condition You can pass in a parameter value that indicates whether a resource is deployed. The following example conditionally deploys a DNS zone.
If you deploy a template with [complete mode](deployment-modes.md) and a resourc
* For a Microsoft Learn module that covers conditional deployment, see [Manage complex cloud deployments by using advanced ARM template features](/learn/modules/manage-deployments-advanced-arm-template-features/). * For recommendations about creating templates, see [ARM template best practices](./best-practices.md).
-* To create multiple instances of a resource, see [Resource iteration in ARM templates](copy-resources.md).
+* To create multiple instances of a resource, see [Resource iteration in ARM templates](copy-resources.md).
azure-resource-manager Deploy To Management Group https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-to-management-group.md
Title: Deploy resources to management group description: Describes how to deploy resources at the management group scope in an Azure Resource Manager template. Previously updated : 11/22/2021 Last updated : 01/19/2022
As your organization matures, you can deploy an Azure Resource Manager template (ARM template) to create resources at the management group level. For example, you may need to define and assign [policies](../../governance/policy/overview.md) or [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) for a management group. With management group level templates, you can declaratively apply policies and assign roles at the management group level.
+> [!TIP]
+> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [management group deployments](../bicep/deploy-to-management-group.md).
+ ## Supported resources Not all resource types can be deployed to the management group level. This section lists which resource types are supported.
azure-resource-manager Deploy To Resource Group https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-to-resource-group.md
Title: Deploy resources to resource groups description: Describes how to deploy resources in an Azure Resource Manager template. It shows how to target more than one resource group. Previously updated : 10/01/2021 Last updated : 01/19/2022
This article describes how to scope your deployment to a resource group. You use an Azure Resource Manager template (ARM template) for the deployment. The article also shows how to expand the scope beyond the resource group in the deployment operation.
+> [!TIP]
+> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [resource group deployments](../bicep/deploy-to-resource-group.md).
+ ## Supported resources Most resources can be deployed to a resource group. For a list of available resources, see [ARM template reference](/azure/templates).
azure-resource-manager Deploy To Subscription https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-to-subscription.md
Title: Deploy resources to subscription description: Describes how to create a resource group in an Azure Resource Manager template. It also shows how to deploy resources at the Azure subscription scope. Previously updated : 11/22/2021 Last updated : 01/19/2022
To simplify the management of resources, you can use an Azure Resource Manager t
To deploy templates at the subscription level, use Azure CLI, PowerShell, REST API, or the portal.
+> [!TIP]
+> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [subscription deployments](../bicep/deploy-to-subscription.md).
+ ## Supported resources Not all resource types can be deployed to the subscription level. This section lists which resource types are supported.
azure-resource-manager Deploy To Tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-to-tenant.md
Title: Deploy resources to tenant description: Describes how to deploy resources at the tenant scope in an Azure Resource Manager template. Previously updated : 11/22/2021 Last updated : 01/19/2022
As your organization matures, you may need to define and assign [policies](../../governance/policy/overview.md) or [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) across your Azure AD tenant. With tenant level templates, you can declaratively apply policies and assign roles at a global level.
+> [!TIP]
+> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [tenant deployments](../bicep/deploy-to-tenant.md).
+ ## Supported resources Not all resource types can be deployed to the tenant level. This section lists which resource types are supported.
azure-resource-manager Outputs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/outputs.md
Title: Outputs in templates description: Describes how to define output values in an Azure Resource Manager template (ARM template). Previously updated : 05/18/2021 Last updated : 01/19/2022
This article describes how to define output values in your Azure Resource Manage
The format of each output value must resolve to one of the [data types](data-types.md).
+> [!TIP]
+> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [outputs](../bicep/outputs.md).
+ ## Define output values The following example shows how to return a property from a deployed resource.
az deployment group show \
## Next steps
-* To learn about the available properties for outputs, see [Understand the structure and syntax of ARM templates](./syntax.md).
+* To learn about the available properties for outputs, see [Understand the structure and syntax of ARM templates](./syntax.md).
azure-resource-manager Parameters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/parameters.md
Title: Parameters in templates description: Describes how to define parameters in an Azure Resource Manager template (ARM template). Previously updated : 05/14/2021 Last updated : 01/19/2022 # Parameters in ARM templates
Resource Manager resolves parameter values before starting the deployment operat
Each parameter must be set to one of the [data types](data-types.md).
+> [!TIP]
+> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [parameters](../bicep/parameters.md).
+ ## Minimal declaration At a minimum, every parameter needs a name and type.
azure-resource-manager Resource Declaration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/resource-declaration.md
Title: Declare resources in templates description: Describes how to declare resources to deploy in an Azure Resource Manager template (ARM template). Previously updated : 05/11/2021 Last updated : 01/19/2022 # Resource declaration in ARM templates To deploy a resource through an Azure Resource Manager template (ARM template), you add a resource declaration. Use the `resources` array in a JSON template.
+> [!TIP]
+> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [resource declaration](../bicep/resource-declaration.md).
+ ## Set resource type and version When adding a resource to your template, start by setting the resource type and API version. These values determine the other properties that are available for the resource.
Use intellisense or [template reference](/azure/templates/) to determine which p
## Next steps * To conditionally deploy a resource, see [Conditional deployment in ARM templates](conditional-resource-deployment.md).
-* To set resource dependencies, see [Define the order for deploying resources in ARM templates](./resource-dependency.md).
+* To set resource dependencies, see [Define the order for deploying resources in ARM templates](./resource-dependency.md).
azure-resource-manager Variables https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/variables.md
Title: Variables in templates description: Describes how to define variables in an Azure Resource Manager template (ARM template). Previously updated : 06/24/2021 Last updated : 01/19/2022 # Variables in ARM templates
This article describes how to define and use variables in your Azure Resource Ma
Resource Manager resolves variables before starting the deployment operations. Wherever the variable is used in the template, Resource Manager replaces it with the resolved value.
+> [!TIP]
+> For an improved authoring experience, you can use Bicep rather than JSON to develop templates. For more information about Bicep syntax, see [variables](../bicep/variables.md).
+ ## Define variable When defining a variable, you don't specify a [data type](data-types.md) for the variable. Instead provide a value or template expression. The variable type is inferred from the resolved value. The following example sets a variable to a string.
You can define variables that hold related values for configuring an environment
* To learn about the available properties for variables, see [Understand the structure and syntax of ARM templates](./syntax.md). * For recommendations about creating variables, see [Best practices - variables](./best-practices.md#variables).
-* For an example template that assigns security rules to a network security group, see [network security rules](https://github.com/Azure/azure-docs-json-samples/blob/master/azure-resource-manager/multipleinstance/multiplesecurityrules.json) and [parameter file](https://github.com/Azure/azure-docs-json-samples/blob/master/azure-resource-manager/multipleinstance/multiplesecurityrules.parameters.json).
+* For an example template that assigns security rules to a network security group, see [network security rules](https://github.com/Azure/azure-docs-json-samples/blob/master/azure-resource-manager/multipleinstance/multiplesecurityrules.json) and [parameter file](https://github.com/Azure/azure-docs-json-samples/blob/master/azure-resource-manager/multipleinstance/multiplesecurityrules.parameters.json).
azure-signalr Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure SignalR description: Lists Azure Policy Regulatory Compliance controls available for Azure SignalR. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
azure-signalr Signalr Concept Authorize Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/signalr-concept-authorize-azure-active-directory.md
You can scope access to Azure SignalR resources at the following levels, beginni
## Azure built-in roles for SignalR resources -- [SignalR App Server](../role-based-access-control/built-in-roles.md#signalr-app-server-preview)
+- [SignalR App Server](../role-based-access-control/built-in-roles.md#signalr-app-server)
Access to Websocket connection creation API and Auth APIs.
azure-sql Active Geo Replication Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/active-geo-replication-overview.md
Previously updated : 10/25/2021 Last updated : 1/19/2022 # Active geo-replication
To create a geo-secondary in a subscription different from the subscription of t
> [!NOTE] > Cross-subscription geo-replication operations including setup and geo-failover are only supported using T-SQL commands. >
-> Adding a geo-secondary using T-SQL is not supported when the primary and/or secondary servers have a [private endpoint](private-endpoint-overview.md) configured, and [public network access is denied](connectivity-settings.md#deny-public-network-access). If private endpoint is configured but public network access is allowed, adding a geo-secondary when connected to the primary server from a public IP address is supported. Once a geo-secondary is added, public access can be denied.
+> Adding a geo-secondary using T-SQL is not supported when connecting to the primary server over a [private endpoint](private-endpoint-overview.md). If a private endpoint is configured but public network access is allowed, adding a geo-secondary is supported when connected to the primary server from a public IP address. Once a geo-secondary is added, public access can be [denied](connectivity-settings.md#deny-public-network-access).
> > Creating a geo-secondary on a logical server in a different Azure tenant is not supported when [Azure Active Directory only](https://techcommunity.microsoft.com/t5/azure-sql/azure-active-directory-only-authentication-for-azure-sql/ba-p/2417673) authentication for Azure SQL is active (enabled) on either primary or secondary logical server.
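Review bot: the rewritten note in this hunk tells the reader to leave public network access allowed on the primary while the geo-secondary is added and to deny it afterwards, but says nothing about limiting exposure during that window. Suggest adding that the temporary public access should be restricted to the operator's source address with a server-level firewall rule and that the deny setting should be re-applied as soon as the geo-secondary has been seeded. The hunk also changes the scope of the restriction: the removed wording covered "the primary and/or secondary servers", the new wording only says "connecting to the primary server over a private endpoint". If the secondary server's private endpoint and public-access state no longer matter, state that in one sentence so readers of the older text do not assume the secondary-side condition still applies.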
azure-sql Authentication Aad Service Principal Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/authentication-aad-service-principal-tutorial.md
Previously updated : 12/15/2021 Last updated : 01/20/2022
In this tutorial, you learn how to:
> If an Azure AD Identity is set up for the Azure SQL logical server, the [**Directory Readers**](../../active-directory/roles/permissions-reference.md#directory-readers) permission must be granted to the identity. We will walk through this step in following section. **Do not** skip this step as Azure AD authentication will stop working. > > With [Microsoft Graph](/graph/overview) support for Azure SQL, the Directory Readers role can be replaced with using lower level permissions. For more information, see [User-assigned managed identity in Azure AD for Azure SQL](authentication-azure-ad-user-assigned-managed-identity.md).
+ >
+ > If a system-assigned or user-assigned managed identity is used as the server or instance identity, deleting the identity will result in the server or instance inability to access Microsoft Graph. Azure AD authentication and other functions will fail. To restore Azure AD functionality, a new SMI or UMI must be assigned to the server with appropriate permissions.
- If you used the [New-AzSqlServer](/powershell/module/az.sql/new-azsqlserver) command with the parameter `AssignIdentity` for a new SQL server creation in the past, you'll need to execute the [Set-AzSqlServer](/powershell/module/az.sql/set-azsqlserver) command afterwards as a separate command to enable this property in the Azure fabric.
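Review bot: the added note in this hunk reads "will result in the server or instance inability to access Microsoft Graph"; rewrite as "will leave the server or instance unable to access Microsoft Graph". The same note introduces the abbreviations SMI and UMI without expanding them; write "system-assigned managed identity (SMI)" and "user-assigned managed identity (UMI)" once. Separately, the removed line about running Set-AzSqlServer after New-AzSqlServer -AssignIdentity was the only text that said how an identity gets (re)applied to an existing server; if that guidance is obsolete, the new note should say how the replacement identity is assigned "with appropriate permissions" (at minimum a pointer to the user-assigned managed identity article it already links), otherwise the reader is told the failure mode but not the recovery step.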
azure-sql Database Copy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/database-copy.md
Previously updated : 03/10/2021 Last updated : 1/19/2022 # Copy a transactionally consistent copy of a database in Azure SQL Database
Start copying the source database with the [CREATE DATABASE ... AS COPY OF](/sql
> [!NOTE] > Terminating the T-SQL statement does not terminate the database copy operation. To terminate the operation, drop the target database. >
-> Database copy is not supported when the source and/or destination servers have a [private endpoint](private-endpoint-overview.md) configured and [public network access is denied](connectivity-settings.md#deny-public-network-access). If private endpoint is configured but public network access is allowed, initiating database copy when connected to the destination server from a public IP address is supported. Once the copy operation completes, public access can be denied.
+> Database copy using T-SQL is not supported when connecting to the destination server over a [private endpoint](private-endpoint-overview.md). If a private endpoint is configured but public network access is allowed, database copy is supported when connected to the destination server from a public IP address. Once the copy operation completes, public access can be [denied](connectivity-settings.md#deny-public-network-access).
> [!IMPORTANT] > Selecting backup storage redundancy when using T-SQL CREATE DATABASE ... AS COPY OF command is not supported yet.
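Review bot: this hunk narrows the unsupported case from "source and/or destination servers" having a private endpoint with public network access denied to only "connecting to the destination server over a private endpoint". If the source server's network configuration is genuinely irrelevant to CREATE DATABASE ... AS COPY OF, say so explicitly, because readers of the previous wording will assume the source-side condition still holds; if it is still relevant, the old condition should be kept. The sentence "Once the copy operation completes, public access can be denied" should also mention that the temporary public access can be scoped to the operator's IP with a server firewall rule rather than left open for the duration of the copy.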
azure-sql Ledger Create A Single Database With Ledger Enabled https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/ledger-create-a-single-database-with-ledger-enabled.md
Previously updated : "09/09/2021" Last updated : "01/20/2022"
You need an active Azure subscription. If you don't have one, [create a free acc
Create a single ledger database in the [serverless compute tier](serverless-tier-overview.md), and configure uploading ledger digests to an Azure Storage account.
-### Use the Azure portal
+# [Portal](#tab/azure-portal)
To create a single database in the Azure portal, this quickstart starts at the Azure SQL page.
To create a single database in the Azure portal, this quickstart starts at the A
1. On the **Review + create** page, after you review, select **Create**.
+# [The Azure CLI](#tab/azure-cli)
+
+You'll create a resource group, a logical database server, a single ledger database, and configure uploading ledger digests using The Azure CLI.
+
+## Launch Azure Cloud Shell
+
+The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.
+
+To open the Cloud Shell, just select **Try it** from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to [https://shell.azure.com](https://shell.azure.com). Select **Copy** to copy the blocks of code, paste it into the Cloud Shell, and press **Enter** to run it.
+
+### Set parameter values
+
+The following values are used in subsequent commands to create the database and required resources. Server names and storage account names need to be globally unique across all of Azure so the $RANDOM function is used to create the server name and the storage account name.
+
+The resource name must be unique in your subscription. Replace `<your resource group name>` with a unique name, and `<your subscription ID>` with your Subscription ID.
+
+Replace the 0.0.0.0 values in the ip address range to match your specific environment.
+
+Replace **westeurope** with your preferred Azure region name.
+
+```azurecli-interactive
+resourceGroupName="<your resource group name>"
+location="westeurope"
+serverName="mysqlserver"-$RANDOM
+databaseName="myLedgerDatabase"
+storageAccountName="mystorage"$RANDOM
+subscription="<your subscription ID>"
+adminLogin=azureuser
+adminPassword=Azure1234567!
+serverResourceId="/subscriptions/$subscription/resourceGroups/$resourceGroupName/providers/Microsoft.Sql/servers/$serverName"
+
+# The ip address range that you want to allow to access your server
+startIP=0.0.0.0
+endIP=0.0.0.0
+
+# Set variables for your digest storage location
+storageAccountName="mystorage"$RANDOM
+storageAccountURL1="https://"
+storageAccountURL3=".blob.core.windows.net"
+storageAccountURL=$storageAccountURL1$storageAccountName$storageAccountURL3
+storageAccountResourceId="/subscriptions/$subscription/resourceGroups/$resourceGroupName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"
+
+# Show resource names
+echo "Resource group name is" $resourceGroupName
+echo "Server name is" $serverName
+echo "Database name is" $databaseName
+echo "Storage account name is" $storageAccountName
+```
+
+### Create a resource group
+
+Create a resource group with the [az group create](/cli/azure/group) command. An Azure resource group is a logical container into which Azure resources are deployed and managed.
+
+```azurecli-interactive
+az group create --name $resourceGroupName --location $location
+```
+
+### Create a server with a managed identity
+
+Create a server with the [az sql server create](/cli/azure/sql/server) command. The command creates the server with a managed identity assigned.
+
+```azurecli-interactive
+az sql server create \
+ --name $serverName \
+ --resource-group $resourceGroupName \
+ --location $location \
+ --admin-user $adminLogin \
+ --admin-password $adminPassword \
+ --assign-identity
+```
+
+This command stores the ID in a variable, which will later be used to grant the server permissions to upload ledger digests.
+
+```azurecli-interactive
+# Retrieves the assigned identity to be used when granting the server access to the storage account
+principalId=`az sql server show \
+ --name $serverName \
+ --resource-group $resourceGroupName \
+ --query identity.principalId \
+ --output tsv`
+```
+
+### Configure a firewall rule for the server
+
+Create a firewall rule with the [az sql server firewall-rule create](/cli/azure/sql/server/firewall-rule) command.
+
+```azurecli-interactive
+az sql server firewall-rule create \
+ --resource-group $resourceGroupName \
+ --server $serverName \
+ -n AllowYourIp \
+ --start-ip-address $startIP \
+ --end-ip-address $endIP
+```
+
+### Create a single ledger database
+
+Create a ledger database with the [az sql db create](/cli/azure/sql/db) command. The following command creates a serverless database with ledger enabled.
+
+```azurecli-interactive
+az sql db create \
+ --resource-group $resourceGroupName \
+ --server $serverName \
+ --name $databaseName \
+ --edition GeneralPurpose \
+ --family Gen5 \
+ --capacity 2 \
+ --compute-model Serverless \
+ --ledger-on
+```
+
+### Create a storage account
+
+Create a storage account to store ledger digests with the [az storage account create](/cli/azure/sql/db) command.
+
+```azurecli-interactive
+az storage account create \
+ --name $storageAccountName \
+ --resource-group $resourceGroupName \
+ --location $location \
+ --sku Standard_GRS \
+ --kind StorageV2
+```
+
+### Grant the server permissions to write ledger digests
+
+Assign the managed identity of the server to the [Storage Blob Data Contributor](/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor) role with the [az role assignment create](/cli/azure/sql/db) command. This gives the SQL server the appropriate permissions to publish database digests to the storage account.
+
+```azurecli-interactive
+az role assignment create \
+ --assignee-object-id $principalId \
+ --assignee-principal-type "ServicePrincipal" \
+ --role "Storage Blob Data Contributor" \
+ --scope $storageAccountResourceId
+```
+
+### Enable database digest uploads
+
+Update the database to start uploading ledger digests to the storage account by using the [az sql db ledger-digest-uploads enable](/cli/azure/sql/db) command.
+
+```azurecli-interactive
+az sql db ledger-digest-uploads enable \
+ --name $databaseName \
+ --resource-group $resourceGroupName \
+ --server $serverName \
+ --endpoint $storageAccountURL
+```
+
+### Configure a time-based retention policy
+
+To protect the digests from being deleted or updated, it is recommended you configure a time-based retention policy on the **sqldbledgerdigests** container by using the [az storage container immutability-policy create](/cli/azure/sql/db) and [az storage container immutability-policy lock](/cli/azure/sql/db) commands. The policy must allow protected append blobs writes. This ensures the database server can add blocks containing new digests to an existing blob, while deleting or updating the digests is disabled for the specified immutability period.
+
+> [!IMPORTANT]
+> The below example uses the immutability period value of 1 day. In a production environment, you should use a much larger value.
+
+> [!NOTE]
+> Once database digests begin to be uploaded to the storage account, you will not be able to delete the storage account until the immutability policy expires. Setting the immutability policy can be skipped if you plan to clean-up resources immediatly after this QuickStart.
+
+For more information about time-based retention policy for containers, see [Configure immutability policies for containers](../../storage/blobs/immutable-policy-configure-container-scope.md).
+
+```azurecli-interactive
+az storage container immutability-policy create \
+ --resource-group $resourceGroupName \
+ --account-name $storageAccountName \
+ --container-name sqldbledgerdigests \
+ --period 1 \
+ --allow-protected-append-writes true
+```
+
+```azurecli-interactive
+# Retrieves the etag value of the policy to be used when the policy is locked
+etag=`az storage container immutability-policy show \
+ --account-name $storageAccountName \
+ --container-name sqldbledgerdigests \
+ --query etag \
+ --output tsv`
+etag="${etag/$'\r'/}"
+```
+
+```azurecli-interactive
+az storage container immutability-policy lock \
+ --resource-group $resourceGroupName \
+ --account-name $storageAccountName \
+ --container-name sqldbledgerdigests \
+ --if-match $etag
+```
+
+# [PowerShell](#tab/azure-powershell)
+
+You'll create a resource group, a logical database server, a single ledger database, and configure uploading ledger digests using Windows PowerShell.
+
+### Launch Azure Cloud Shell
+
+The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.
+
+To open the Cloud Shell, just select **Try it** from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to [https://shell.azure.com](https://shell.azure.com). Select **Copy** to copy the blocks of code, paste it into the Cloud Shell, and press **Enter** to run it.
+
+### Set parameter values
+
+The following values are used in subsequent commands to create the database and required resources. Server names and storage account names need to be globally unique across all of Azure so the Get-Random cmdlet is used to create the server name and the storage account name.
+
+The resource name must be unique in your subscription. Replace `<your resource group name>` with a unique name.
+
+Replace the 0.0.0.0 values in the ip address range to match your specific environment.
+
+Replace **westeurope** with your preferred Azure region name.
+
+```azurepowershell-interactive
+# Set variables for your server and database
+$resourceGroupName = "<your resource group name>"
+$location = "westeurope"
+$serverName = "mysqlserver-$(Get-Random)"
+$databaseName = "myLedgerDatabase"
+$storageAccountName = "mystorage$(Get-Random)"
+
+# The ip address range that you want to allow to access your server
+$startIP = "0.0.0.0"
+$endIP = "0.0.0.0"
+
+# Show resource names
+Write-host "Resource group name is" $resourceGroupName
+Write-host "Server name is" $serverName
+Write-host "Storage account name is" $storageAccountName
+```
+
+### Create a resource group
+
+Create an Azure resource group with [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup). A resource group is a logical container into which Azure resources are deployed and managed.
+
+```azurepowershell-interactive
+Write-host "Creating resource group..."
+$resourceGroup = New-AzResourceGroup `
+ -Name $resourceGroupName `
+ -Location $location
+$resourceGroup
+```
+
+### Create a server
+
+Create a server with the [New-AzSqlServer](/powershell/module/az.sql/new-azsqlserver) cmdlet.
+
+The cmdlet creates the server with a managed identity assigned, which you will need later to grant the server permissions to upload ledger digests.
+
+When prompted, enter your SQL administrator username and a password.
+
+```azurepowershell-interactive
+Write-host "Creating primary server..."
+$server = New-AzSqlServer `
+ -ResourceGroupName $resourceGroupName `
+ -ServerName $serverName `
+ -Location $location `
+ -AssignIdentity `
+ -SqlAdministratorCredentials (Get-Credential)
+$server
+```
+
+### Create a firewall rule
+
+Create a server firewall rule with the [New-AzSqlServerFirewallRule](/powershell/module/az.sql/new-azsqlserverfirewallrule) cmdlet.
+
+```azurepowershell-interactive
+Write-host "Configuring server firewall rule..."
+$serverFirewallRule = New-AzSqlServerFirewallRule -ResourceGroupName $resourceGroupName `
+ -ServerName $serverName `
+ -FirewallRuleName "AllowedIPs" -StartIpAddress $startIP -EndIpAddress $endIP
+$serverFirewallRule
+```
+
+### Create a single ledger database
+
+Create a single ledger database with the [New-AzSqlDatabase](/powershell/module/az.sql/new-azsqldatabase) cmdlet.
+
+The below example creates a serverless database.
+
+```azurepowershell-interactive
+Write-host "Creating a gen5 2 vCore serverless ledger database..."
+$database = New-AzSqlDatabase -ResourceGroupName $resourceGroupName `
+ -ServerName $serverName `
+ -DatabaseName $databaseName `
+ -Edition GeneralPurpose `
+ -ComputeModel Serverless `
+ -ComputeGeneration Gen5 `
+ -VCore 2 `
+ -MinimumCapacity 2 `
+ -EnableLedger
+$database
+```
+
+### Create a storage account
+
+Create a storage account to store ledger digests with the [New-AzStorageAccount](/powershell/module/az.storage/new-azstorageaccount) cmdlet.
+
+```azurepowershell-interactive
+Write-host "Creating a storage account for ledger digests..."
+$storage = New-AzStorageAccount -ResourceGroupName $resourceGroupName `
+ -Name $storageAccountName `
+ -Location $location `
+ -SkuName Standard_RAGRS `
+ -Kind StorageV2 `
+ -AccessTier Hot
+$storage
+```
+
+### Grant the server permissions to write ledger digests
+
+Assign the managed identity of the server to the [Storage Blob Data Contributor](/azure/role-based-access-control/built-in-roles#storage-blob-data-contributor) role with the [New-AzRoleAssignment](/powershell/module/az.Resources/New-azRoleAssignment) cmdlet. This gives the SQL server the appropriate permissions to publish database digests to the storage account.
+
+```azurepowershell-interactive
+Write-host "Granting the server access to the storage account..."
+$assignment = New-AzRoleAssignment `
+ -ObjectId $server.Identity.PrincipalId `
+ -RoleDefinitionName "Storage Blob Data Contributor" `
+ -ResourceGroupName $resourceGroupName `
+ -ResourceType "Microsoft.Storage/storageAccounts" `
+ -ResourceName $storageAccountName
+$assignment
+```
+
+### Enable database digest uploads
+
+Update the database to start uploading ledger digests to the storage account, by using the [Enable-AzSqlDatabaseLedgerDigestUpload](/powershell/module/az.sql/enable-azsqldatabaseledgerdigestupload) cmdlet. The database server will create a new container, named **sqldbledgerdigests**, within the storage account and it will start writing ledger digests to the container.
+
+```azurepowershell-interactive
+Write-host "Enabling ledger digest upload..."
+$ledgerDigestUploadConfig = Enable-AzSqlDatabaseLedgerDigestUpload `
+ -ResourceGroupName $resourceGroupName `
+ -ServerName $serverName `
+ -DatabaseName $databaseName `
+ -Endpoint $storage.PrimaryEndpoints.Blob
+$ledgerDigestUploadConfig
+```
+
+### Configure a time-based retention policy
+
+To protect the digests from being deleted or updated, it is recommended you configure a time-based retention policy on the **sqldbledgerdigests** container by using the [Set-AzRmStorageContainerImmutabilityPolicy](/powershell/module/az.storage/set-azrmstoragecontainerimmutabilitypolicy) and [Lock-AzRmStorageContainerImmutabilityPolicy](/powershell/module/az.storage/lock-azrmstoragecontainerimmutabilitypolicy) cmdlets. The policy must allow protected append blobs writes. This ensures the database server can add blocks containing new digests to an existing blob, while deleting or updating the digests is disabled for the specified immutability period.
+
+> [!IMPORTANT]
+> The below example uses the immutability period value of 1 day. In a production environment, you should use a much larger value.
+
+> [!NOTE]
+> You will not be able to delete the container or the storage account during the specified immutability period.
+
+For more information about time-based retention policy for containers, see [Configure immutability policies for containers](../../storage/blobs/immutable-policy-configure-container-scope.md).
+
+```azurepowershell-interactive
+Write-host "Configuring a time-based retention policy..."
+$immutabilityPerdiod = 1
+$containerName = "sqldbledgerdigests"
+$policy = Set-AzRmStorageContainerImmutabilityPolicy `
+ -ResourceGroupName $resourceGroupName `
+ -StorageAccountName $storageAccountName `
+ -ContainerName $containerName `
+ -AllowProtectedAppendWrite $true `
+ -ImmutabilityPeriod $immutabilityPerdiod
+
+Lock-AzRmStorageContainerImmutabilityPolicy `
+ -ResourceGroupName $resourceGroupName `
+ -StorageAccountName $storageAccountName `
+ -ContainerName $containerName `
+ -Etag $policy.Etag
+```
+++ ## Clean up resources Keep the resource group, server, and single database for the next steps. You'll learn how to use the ledger feature of your database with different methods.
-When you're finished using these resources, delete the resource group you created. This action also deletes the server and single database within it.
+When you're finished using these resources, delete the resource group you created. This action also deletes the server and single database within it, and the storage account.
+
+> [!NOTE]
+> If you've configured and locked a time-based retention policy on the container, you need to wait until the specified immutability period ends before you can delete the storage account.
-### Use the Azure portal
+# [Portal](#tab/azure-portal)
To delete **myResourceGroup** and all its resources by using the Azure portal:
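Review bot: in the Azure CLI tab of this hunk the administrator credential is hard-coded (`adminLogin=azureuser`, `adminPassword=Azure1234567!`) and the firewall rule is created from `startIP=0.0.0.0` / `endIP=0.0.0.0`, while the PowerShell tab prompts for the credential with Get-Credential. Make the CLI tab prompt as well (for example `read -s adminPassword`) so the password is not committed to the page or left in shell history, and do not present 0.0.0.0 as a harmless placeholder: Azure SQL treats a 0.0.0.0-0.0.0.0 rule as the "allow Azure services and resources to access this server" rule, so a reader who runs the block before editing the values opens the server to all Azure-hosted traffic rather than to nothing; a placeholder that fails (an empty value or `<your IP>`) is safer. Smaller issues in the same hunk: `storageAccountName` is assigned twice with independent `$RANDOM` values, so the first assignment is dead code and should be removed before the two drift apart; the links for az storage account create, az role assignment create, az sql db ledger-digest-uploads enable and both az storage container immutability-policy commands all point at /cli/azure/sql/db; the CLI tab creates the storage account as Standard_GRS while the PowerShell tab uses Standard_RAGRS; the PowerShell intro says "Windows PowerShell" where the article means Azure PowerShell; "immediatly" in the CLI retention note is misspelled; and `$immutabilityPerdiod` is misspelled (consistently, so it runs, but it will be copied into readers' scripts).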
To delete **myResourceGroup** and all its resources by using the Azure portal:
1. On the resource group page, select **Delete resource group**. 1. Under **Type the resource group name**, enter **myResourceGroup**, and then select **Delete**.
+# [The Azure CLI](#tab/azure-cli)
+
+To delete the resource group and all its resources, run the following Azure CLI cmdlet, using the name of your resource group:
+
+```azurecli-interactive
+az group delete -n resourceGroupName
+```
+
+# [PowerShell](#tab/azure-powershell)
+
+To delete the resource group and all its resources, run the following PowerShell cmdlet, using the name of your resource group:
+
+```azurepowershell-interactive
+Remove-AzResourceGroup -Name $resourceGroupName
+```
+++ ## Next steps Connect and query your database by using different tools and languages:
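Review bot: `az group delete -n resourceGroupName` in the Azure CLI cleanup tab passes the literal string resourceGroupName rather than the `$resourceGroupName` variable set earlier in the article, so the command fails, or, if a resource group with that exact name exists in the subscription, deletes the wrong group; change it to `az group delete -n $resourceGroupName` to match the PowerShell tab's `Remove-AzResourceGroup -Name $resourceGroupName`. The lead-in also calls it an "Azure CLI cmdlet"; CLI invocations are commands, cmdlets are PowerShell.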
azure-sql Private Endpoint Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/private-endpoint-overview.md
Previously updated : 03/09/2020 Last updated : 01/20/2022 # Azure Private Link for Azure SQL Database and Azure Synapse Analytics
To establish connectivity from an on-premises environment to the database in SQL
- [Site-to-Site VPN connection](../../vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell.md) - [ExpressRoute circuit](../../expressroute/expressroute-howto-linkvnet-portal-resource-manager.md)
+Consider [DNS configuration scenarios](/azure/private-link/private-endpoint-dns#dns-configuration-scenarios) as well, as the FQDN of the service can resolve to the public IP address.
+ ## Connecting from Azure Synapse Analytics to Azure Storage using Polybase and the COPY statement PolyBase and the COPY statement is commonly used to load data into Azure Synapse Analytics from Azure Storage accounts. If the Azure Storage account that you're loading data from limits access only to a set of virtual network subnets via Private Endpoints, Service Endpoints, or IP-based firewalls, the connectivity from PolyBase and the COPY statement to the account will break. For enabling both import and export scenarios with Azure Synapse Analytics connecting to Azure Storage that's secured to a virtual network, follow the steps provided [here](vnet-service-endpoint-rule-overview.md#impact-of-using-virtual-network-service-endpoints-with-azure-storage).
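Review bot: the sentence added in this hunk says the service FQDN "can resolve to the public IP address" but not why that matters to the reader: a client whose DNS resolves the server name to the public address bypasses the private endpoint entirely and, with public network access denied, is refused. Suggest stating that consequence and adding that name resolution for the private-link zone must work from the on-premises network over the Site-to-Site VPN or ExpressRoute path listed just above before the private endpoint can be relied on.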
azure-sql Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/resource-graph-samples.md
Title: Azure Resource Graph sample queries for Azure SQL Database description: Sample Azure Resource Graph queries for Azure SQL Database showing use of resource types and tables to access Azure SQL Database related resources and properties. Previously updated : 12/20/2021 Last updated : 01/20/2022
azure-sql Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure SQL Database description: Lists Azure Policy Regulatory Compliance controls available for Azure SQL Database and SQL Managed Instance. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
azure-sql Single Database Create Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/single-database-create-quickstart.md
The following values are used in subsequent commands to create the database and
# Show randomized variables Write-host "Resource group name is" $resourceGroupName Write-host "Server name is" $serverName++ ``` ### Create resource group
azure-video-analyzer Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/cloud/troubleshoot.md
If you get an 'Access Forbidden' error in the Video Analyzer widget, then you sh
## Collect logs for submitting a support ticket
-When self-guided troubleshooting steps don't resolve your problem and there are any more issues that you may need help with, please open a support ticket using the Azure portal with the relevant details & logs. You can also reach out to us by sending an email at videoanalyzerhelp@microsoft.com.
+When self-guided troubleshooting steps doesnt resolve your problem and there are more issues that you may need help with, please open a support ticket using the Azure portal with the relevant details about the issue & attach the [diagnostic](#view-diagnostics) JSON log files downloaded from your storage account. You can also reach out to us by sending an email at videoanalyzerhelp@microsoft.com.
> [!WARNING] > The logs may contain personally identifiable information (PII) such as your IP address. All local copies of the logs will be deleted as soon as we complete examining them and close the support ticket.
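Review bot: the rewritten sentence in this hunk regresses the grammar the removed line had right: "steps doesnt resolve" should be "steps don't resolve" (plural subject, and the apostrophe is missing). Because the rewrite now asks the user to download and attach diagnostic JSON files, consider placing the PII warning that follows before the attach instruction so it is read before the files are uploaded.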
backup Backup Azure Data Protection Use Rest Api Backup Postgresql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-data-protection-use-rest-api-backup-postgresql.md
ms.assetid: 55fa0a81-018f-4843-bef8-609a44c97dcd
-# Back up Azure PostgreSQL databases using Azure data protection via REST API
+# Back up Azure PostgreSQL databases using Azure data protection via REST API (preview)
This article describes how to manage backups for Azure PostgreSQL databases via REST API.
backup Backup Azure Data Protection Use Rest Api Create Update Postgresql Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-data-protection-use-rest-api-create-update-postgresql-policy.md
ms.assetid: 759ee63f-148b-464c-bfc4-c9e640b7da6b
-# Create Azure Data Protection backup policies for Azure PostgreSQL databases using REST API
+# Create Azure Data Protection backup policies for Azure PostgreSQL databases using REST API (preview)
A backup policy governs the retention and schedule of your backups. Azure PostgreSQL database Backup offers long-term retention and supports a backup per day.
backup Backup Postgresql Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-postgresql-cli.md
-# Back up Azure PostgreSQL databases using Azure CLI
+# Back up Azure PostgreSQL databases using Azure CLI (preview)
This article explains how to back up [Azure PostgreSQL database](../postgresql/overview.md#azure-database-for-postgresqlsingle-server) using Azure CLI.
backup Backup Postgresql Ps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-postgresql-ps.md
Last updated 10/14/2021
-# Back up Azure PostgreSQL databases using Azure PowerShell
+# Back up Azure PostgreSQL databases using Azure PowerShell (preview)
This article explains how to back up [Azure PostgreSQL database](../postgresql/overview.md#azure-database-for-postgresqlsingle-server) using Azure PowerShell.
backup Manage Azure Database Postgresql https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/manage-azure-database-postgresql.md
Last updated 09/21/2021
-# Manage Azure Database for PostgreSQL server
+# Manage Azure Database for PostgreSQL server (preview)
This article describes how to manage Azure Database for PostgreSQL servers that are backed up with the Azure Backup service.
backup Manage Monitor Sql Database Backup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/manage-monitor-sql-database-backup.md
Title: Manage and monitor SQL Server DBs on an Azure VM description: This article describes how to manage and monitor SQL Server databases that are running on an Azure VM. Previously updated : 01/14/2022 Last updated : 01/20/2022
Sometimes, the workload extension on the VM may become impacted for one reason o
Use this option with caution. When triggered on a VM with an already healthy extension, this operation will cause the extension to get restarted. This may cause all the in-progress jobs to fail. Check for one or more of the [symptoms](backup-sql-server-azure-troubleshoot.md#re-registration-failures) before triggering the re-register operation.
+## Manage database backup when backed-up VM is moved/deleted
+
+The backed-up SQL VM is deleted or moved using Resource move. The experience depends on the following characteristics of the new VM.
+
+New VM subscription | New VM Name | New VM Resource group | New VM Region | Experience
+- | -- | | - |
+Same | Same | Same | Same | **What will happen to backups of _old_ VM?** <br><br> YouΓÇÖll receive an alert that backups will be stopped on the _old_ VM. The backup data will be retained as per the last active policy. You can choose to stop protection and delete data and unregister the old VM once all backup data is cleaned up as per policy. <br><br> **How to get backup data from _old_ VM to _new_ VM?** <br><br> No SQL backups will be triggered automatically on the _new_ virtual machine. You must re-register the VM to the same vault. Then itΓÇÖll appear as a valid target, and SQL data can be restored to the latest available point-in-time via the alternate location recovery capability. After restoring SQL data, SQL backups will continue on this machine. VM backup will continue as-is, if previously configured.
+Same | Same | Different | Same | **What will happen to backups of _old_ VM?** <br><br> YouΓÇÖll receive an alert that backups will be stopped on the _old_ VM. The backup data will be retained as per the last active policy. You can choose to stop protection and delete data and unregister the old VM once all backup data is cleaned up as per policy. <br><br>**How to get backup data from _old_ VM to _new_ VM?** <br><br> As the new virtual machine is in a different resource group, itΓÇÖll be treated as a new machine and you have to explicitly configure SQL backups (and VM backup too, if previously configured) to the same vault. Then proceed to restore the SQL backup item of the old VM to latest available point-in-time via the _alternate location recovery_ to the new VM. The SQL backups will now continue.
+Same | Same | Same or different | Different | **What will happen to backups of _old_ VM?** <br><br> YouΓÇÖll receive an alert that backups will be stopped on the _old_ VM. The backup data will be retained as per the last active policy. You can choose to stop protection and delete data and unregister the old VM once all backup data is cleaned up as per policy. <br><br> **How to get backup data from _old_ VM to _new_ VM? <br><br> As the new virtual machine is in a different region, youΓÇÖve to configure SQL backups to a vault in the new region. <br><br> If the new region is a paired region, you can choose to restore SQL data to latest available point-in-time via the ΓÇÿcross region restoreΓÇÖ capability from the SQL backup item of the _old_ VM. <br><br> If the new region is a non-paired region, direct restore from the previous SQL backup item is not supported. However, you can choose restore as files option, from the SQL backup item of the ΓÇÿoldΓÇÖ VM, to get the data to a mounted share in a VM of the old region, and then mount it to the new VM.
+Different | Same or different | Same or different | Same or different | **What will happen to backups of _old_ VM?** <br><br> YouΓÇÖll receive an alert that backups will be stopped on the _old_ VM. The backup data will be retained as per the last active policy. You can choose to stop protection + delete data and unregister the old VM once all backup data is cleaned up as per policy. <br><br> **How to get backup data from _old_ VM to _new_ VM?** <br><br> As the new virtual machine is in a different subscription, youΓÇÖve to configure SQL backups to a vault in the new subscription. If it is a new vault in different subscription, direct restore from the previous SQL backup item is not supported. However, you can choose restore as files option, from the SQL backup item of the _old_ VM, to get the data to a mounted share in a VM of the old subscription, and then mount it to the new VM.
+ ## Next steps For more information, see [Troubleshoot backups on a SQL Server database](backup-sql-server-azure-troubleshoot.md).
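Review bot: In the third row (Same | Same | Same or different | Different) the bold opener `**How to get backup data from _old_ VM to _new_ VM?` is never closed, so the rest of that cell renders in bold; add the closing `**` as in the other three rows. The fourth row says "stop protection + delete data" where the other rows say "stop protection and delete data", and two rows use "you've to configure" where "you have to configure" reads better; make the four cells consistent since they are meant to be parallel.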
backup Restore Postgresql Database Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/restore-postgresql-database-cli.md
-# Restore Azure PostgreSQL databases using Azure CLI
+# Restore Azure PostgreSQL databases using Azure CLI (preview)
This article explains how to restore [Azure PostgreSQL databases](../postgresql/overview.md#azure-database-for-postgresqlsingle-server) to an Azure PostgreSQL server backed-up by Azure Backup.
For an archive-based recovery point, you need to:
1. Specify the duration for which the rehydrated recovery point should be retained in the vault data store. 1. Restore as a database from this recovery point.
-Use the following command to prepare the request for all the above mentioned operations, at once.
+Use the following command to prepare the request for all the above-mentioned operations, at once.
```azurecli az dataprotection backup-instance restore initialize-for-data-recovery --datasource-type AzureDatabaseForPostgreSQL --restore-location {location} --source-datastore ArchiveStore --target-resource-id $targetOssId --recovery-point-id 9da55e757af94261afa009b43cd3222a --secret-store-type AzureKeyVault --secret-store-uri "https://restoreoss-test.vault.azure.net/secrets/dbauth3" --rehydration-priority Standard --rehydration-duration 12 > OssRestoreFromArchiveReq.JSON
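Review bot: The sample command mixes a `{location}` placeholder with what look like real values: a fixed `--recovery-point-id 9da55e757af94261afa009b43cd3222a` and a Key Vault secret URI `https://restoreoss-test.vault.azure.net/secrets/dbauth3`. Readers copy such commands verbatim, and publishing a concrete vault and secret name in documentation is worth avoiding; replace both with `{recovery-point-id}` and `{secret-store-uri}` placeholders in the same style as `{location}` and `$targetOssId`.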
backup Restore Postgresql Database Ps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/restore-postgresql-database-ps.md
-# Restore Azure PostgreSQL databases using Azure PowerShell
+# Restore Azure PostgreSQL databases using Azure PowerShell (preview)
This article explains how to restore [Azure PostgreSQL databases](../postgresql/overview.md#azure-database-for-postgresqlsingle-server) to an Azure PostgreSQL server backed-up by Azure Backup.
backup Restore Postgresql Database Use Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/restore-postgresql-database-use-rest-api.md
-# Restore Azure PostgreSQL databases using Azure data protection REST API
+# Restore Azure PostgreSQL databases using Azure data protection REST API (preview)
This article explains how to restore [Azure PostgreSQL databases](../postgresql/overview.md#azure-database-for-postgresqlsingle-server) to an Azure PostgreSQL server backed-up by Azure Backup.
backup Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Backup description: Lists Azure Policy Regulatory Compliance controls available for Azure Backup. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
batch Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Batch description: Lists Azure Policy Regulatory Compliance controls available for Azure Batch. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
cloud-services Cloud Services Guestos Msrc Releases https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services/cloud-services-guestos-msrc-releases.md
na Previously updated : 1/18/2022 Last updated : 1/19/2022 # Azure Guest OS The following tables show the Microsoft Security Response Center (MSRC) updates applied to the Azure Guest OS. Search this article to determine if a particular update applies to the Guest OS you are using. Updates always carry forward for the particular [family][family-explain] they were introduced in.
+>[!NOTE]
+
+>The January Guest OS is currently being rolled out to Cloud Service VMs that are configured for automatic updates. When the rollout is complete, this version will be made available for manual updates through the Azure portal and configuration files. The following patches are included in the January Guest OS. This list is subject to change.
+
+## January 2022 Guest OS
+| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |
+| | | | | |
+| Rel 22-01 | [5009557] | Latest Cumulative Update(LCU) | 6.39 | Jan 11, 2022 |
+| Rel 22-01 | [5006671] | IE Cumulative Updates | 2.118, 3.105, 4.98 | Oct 12, 2021 |
+| Rel 22-01 | [5009555] | Latest Cumulative Update(LCU) | 7.7 | Jan 11, 2022 |
+| Rel 22-01 | [5009546] | Latest Cumulative Update(LCU) | 5.63 | Jan 11, 2022 |
+| Rel 22-01 | [5008867] | .NET Framework 3.5 Security and Quality Rollup | 2.118 | Jan 11, 2022 |
+| Rel 22-01 | [5008860] | .NET Framework 4.5.2 Security and Quality Rollup | 2.118 | Jan 11, 2022 |
+| Rel 22-01 | [5008868] | .NET Framework 3.5 Security and Quality Rollup | 4.98 | Jan 11, 2022 |
+| Rel 22-01 | [5008870] | .NET Framework 4.5.2 Security and Quality Rollup | 4.98 | Jan 11, 2022 |
+| Rel 22-01 | [5008865] | .NET Framework 3.5 Security and Quality Rollup | 3.105 | Jan 11, 2022 |
+| Rel 22-01 | [5008869] | . NET Framework 4.5.2 Security and Quality Rollup | 3.105 | Jan 11, 2022 |
+| Rel 22-01 | [5008873] | . NET Framework 3.5 and 4.7.2 Cumulative Update | 6.39 | Jan 11, 2022 |
+| Rel 22-01 | [5009610] | Monthly Rollup | 2.118 | Jan 11, 2022 |
+| Rel 22-01 | [5009586] | Monthly Rollup | 3.105 | Jan 11, 2022 |
+| Rel 22-01 | [5009624] | Monthly Rollup | 4.98 | Jan 11, 2022 |
+| Rel 22-01 | [5001401] | Servicing Stack update | 3.105 | Apr 13, 2021 |
+| Rel 22-01 | [5001403] | Servicing Stack update | 4.98 | Apr 13, 2021 |
+| Rel 22-01OOB | [4578013] | Standalone Security Update | 4.98 | Aug 19, 2020 |
+| Rel 22-01 | [5005698] | Servicing Stack update | 5.63 | Sep 14, 2021 |
+| Rel 22-01 | [5006749] | Servicing Stack update | 2.118 | July 13, 2021 |
+| Rel 22-01 | 5008287 | Servicing Stack update | 6.39 | Aug 10, 2021 |
+| Rel 22-01 | [4494175] | Microcode | 5.63 | Sep 1, 2020 |
+| Rel 22-01 | [4494174] | Microcode | 6.39 | Sep 1, 2020 |
+
+[5009557]: https://support.microsoft.com/kb/5009557
+[5006671]: https://support.microsoft.com/kb/5006671
+[5009555]: https://support.microsoft.com/kb/5009555
+[5009546]: https://support.microsoft.com/kb/5009546
+[5008867]: https://support.microsoft.com/kb/5008867
+[5008860]: https://support.microsoft.com/kb/5008860
+[5008868]: https://support.microsoft.com/kb/5008868
+[5008870]: https://support.microsoft.com/kb/5008870
+[5008865]: https://support.microsoft.com/kb/5008865
+[5008869]: https://support.microsoft.com/kb/5008869
+[5008873]: https://support.microsoft.com/kb/5008873
+[5009610]: https://support.microsoft.com/kb/5009610
+[5009586]: https://support.microsoft.com/kb/5009586
+[5009624]: https://support.microsoft.com/kb/5009624
+[5001401]: https://support.microsoft.com/kb/5001401
+[5001403]: https://support.microsoft.com/kb/5001403
+[4578013]: https://support.microsoft.com/kb/4578013
+[5005698]: https://support.microsoft.com/kb/5005698
+[5006749]: https://support.microsoft.com/kb/5006749
+[4494175]: https://support.microsoft.com/kb/4494175
+[4494174]: https://support.microsoft.com/kb/4494174
++ ## December 2021 Guest OS | Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced | | | | | | |
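Review bot: The `5008287` Servicing Stack update row is the only KB number in the January table that is not bracketed as a link reference, and there is no matching `[5008287]: https://support.microsoft.com/kb/5008287` definition in the list below the table; bracket it and add the definition so it renders as a link like the other rows. The blank `+` line between `>[!NOTE]` and `>The January Guest OS ...` ends the blockquote, so the callout renders empty and the paragraph falls outside it; remove that blank line. Smaller consistency points: `. NET Framework` in the 5008869 and 5008873 rows has a stray space, and `July 13, 2021` uses the full month name where every other row abbreviates.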
cognitive-services Define Custom Suggestions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Bing-Custom-Search/define-custom-suggestions.md
Last updated 02/12/2019-+ # Configure your custom autosuggest experience
cognitive-services Luis Language Support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/luis-language-support.md
LUIS understands utterances in the following languages:
| *[Chinese](#chinese-support-notes) |`zh-CN` | Γ£ö | Γ£ö |Γ£ö|-| | Dutch |`nl-NL` |Γ£ö|-|-|Γ£ö| | English (United States) |`en-US` | Γ£ö | Γ£ö |Γ£ö|Γ£ö|
+| English (Brtish) |`en-GB` | Γ£ö | Γ£ö |Γ£ö|Γ£ö|
| French (Canada) |`fr-CA` |-|-|-|Γ£ö| | French (France) |`fr-FR` |Γ£ö| Γ£ö |Γ£ö |Γ£ö| | German |`de-DE` |Γ£ö| Γ£ö |Γ£ö |Γ£ö|
To perform machine learning, LUIS breaks an utterance into [tokens](luis-glossar
|Chinese||Γ£ö|| |Dutch|Γ£ö||Γ£ö| |English (en-us)|Γ£ö |||
+|English (en-GB)|Γ£ö |||
|French (fr-FR)|Γ£ö||| |French (fr-CA)|Γ£ö||| |German|Γ£ö||Γ£ö|
Tokenizer JSON for version 1.0.1. Notice the property value for `tokenizerVersi
Tokenization happens at the app level. There is no support for version-level tokenization.
-[Import the file as a new app](luis-how-to-start-new-app.md), instead of a version. This action means the new app has a different app ID but uses the tokenizer version specified in the file.
+[Import the file as a new app](luis-how-to-start-new-app.md), instead of a version. This action means the new app has a different app ID but uses the tokenizer version specified in the file.
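Review bot: `English (Brtish)` in the new `en-GB` row is misspelled; it should be `English (British)`. In the tokenizer table the new row is labelled `English (en-GB)` while the existing row is `English (en-us)`, so pick one casing for the culture codes. The final `-`/`+` pair for the "Import the file as a new app" paragraph shows no visible text change, which suggests a whitespace-only edit; confirm it is intentional or drop it from the change.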
cognitive-services Luis Reference Prebuilt Entities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/luis-reference-prebuilt-entities.md
Unless otherwise noted, prebuilt entities are available in all LUIS application
|Chinese|[zh-CN](#chinese-entity-support)|| |Dutch|[nl-NL](#dutch-entity-support)|| |English|[en-US (American)](#english-american-entity-support)||
+|English|[en-GB (British)](#english-british-entity-support)||
|French|[fr-CA (Canada)](#french-canadian-entity-support), [fr-FR (France)](#french-france-entity-support), || |German|[de-DE](#german-entity-support)|| |Italian|[it-IT](#italian-entity-support)||
The following entities are supported:
[Temperature](luis-reference-prebuilt-temperature.md):<br>fahrenheit<br>kelvin<br>rankine<br>delisle<br>celsius | V2, V3 | [URL](luis-reference-prebuilt-url.md) | V2, V3 |
+## English (British) entity support
+
+The following entities are supported:
+
+| Prebuilt entity | en-GB |
+| | :: |
+[Age](luis-reference-prebuilt-age.md):<br>year<br>month<br>week<br>day | V2, V3 |
+[Currency (money)](luis-reference-prebuilt-currency.md):<br>dollar<br>fractional unit (ex: penny) | V2, V3 |
+[DatetimeV2](luis-reference-prebuilt-datetimev2.md):<br>date<br>daterange<br>time<br>timerange | V2, V3 |
+[Dimension](luis-reference-prebuilt-dimension.md):<br>volume<br>area<br>weight<br>information (ex: bit/byte)<br>length (ex: meter)<br>speed (ex: mile per hour) | V2, V3 |
+[Email](luis-reference-prebuilt-email.md) | V2, V3 |
+[GeographyV2](luis-reference-prebuilt-geographyV2.md) | V2, V3 |
+[KeyPhrase](luis-reference-prebuilt-keyphrase.md) | V2, V3 |
+[Number](luis-reference-prebuilt-number.md) | V2, V3 |
+[Ordinal](luis-reference-prebuilt-ordinal.md) | V2, V3 |
+[OrdinalV2](luis-reference-prebuilt-ordinal-v2.md) | V2, V3 |
+[Percentage](luis-reference-prebuilt-percentage.md) | V2, V3 |
+[PersonName](luis-reference-prebuilt-person.md) | V2, V3 |
+[Phonenumber](luis-reference-prebuilt-phonenumber.md) | V2, V3 |
+[Temperature](luis-reference-prebuilt-temperature.md):<br>fahrenheit<br>kelvin<br>rankine<br>delisle<br>celsius | V2, V3 |
+[URL](luis-reference-prebuilt-url.md) | V2, V3 |
+ ## French (France) entity support The following entities are supported:
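Review bot: The `Currency (money)` row of the new en-GB table lists `dollar` as the example unit, which looks copied from the en-US table; confirm the en-GB examples before merging. The separator row `| | :: |` under `| Prebuilt entity | en-GB |` is not a valid markdown alignment row, so the table may not render; use `|--|:--:|`. The new heading's slug `english-british-entity-support` does match the anchor added in the language list above, so that link is fine.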
cognitive-services Whats New https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/whats-new.md
Learn what's new in the service. These items include release notes, videos, blog
## Release notes
+### January 2022
+* [Updated text recognizer](https://github.com/microsoft/Recognizers-Text/releases/tag/dotnet-v1.8.2) to v1.8.2
+* Added [English-British](luis-language-support.md) to supported languages.
+ ### December 2021 * [Updated text recognizer](https://github.com/microsoft/Recognizers-Text/releases/tag/dotnet-v1.8.1) to v1.8.1 * Jio India west [publishing region](luis-reference-regions.md#other-publishing-regions)
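Review bot: "English-British" in the January 2022 bullet does not match the "English (British)" / `en-GB` naming used in the language support page it links to; align the name so readers searching the linked page find it.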
cognitive-services Speech Container Howto https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/speech-container-howto.md
Speech containers enable customers to build a speech application architecture th
| Container | Features | Latest | Release status | |--|--|--|--|
-| Speech-to-text | Analyzes sentiment and transcribes continuous real-time speech or batch audio recordings with intermediate results. | 2.18.0 | Generally Available |
-| Custom Speech-to-text | Using a custom model from the [Custom Speech portal](https://speech.microsoft.com/customspeech), transcribes continuous real-time speech or batch audio recordings into text with intermediate results. | 2.17.0 | Generally Available |
+| Speech-to-text | Analyzes sentiment and transcribes continuous real-time speech or batch audio recordings with intermediate results. | 3.0.0 | Generally Available |
+| Custom Speech-to-text | Using a custom model from the [Custom Speech portal](https://speech.microsoft.com/customspeech), transcribes continuous real-time speech or batch audio recordings into text with intermediate results. | 3.0.0 | Generally Available |
| Text-to-speech | Converts text to natural-sounding speech with plain text input or Speech Synthesis Markup Language (SSML). | 1.15.0 | Generally Available | | Speech Language Identification | Detect the language spoken in audio files. | 1.5.0 | preview | | Neural Text-to-speech | Converts text to natural-sounding speech using deep neural network technology, allowing for more natural synthesized speech. | 1.12.0 | Generally Available |
Once the container is on the [host computer](#host-computer-requirements-and-rec
Use the [docker run](https://docs.docker.com/engine/reference/commandline/run/) command to run the container. Refer to [gathering required parameters](#gathering-required-parameters) for details on how to get the `{Endpoint_URI}` and `{API_Key}` values. Additional [examples](speech-container-configuration.md#example-docker-run-commands) of the `docker run` command are also available.
+## Run the container in disconnected environments
+
+Starting in container version 3.0.0, select customers can run speech-to-text containers in an environment without Internet accessibility. See [Run Cognitive Services containers in disconnected environments](../containers/disconnected-containers.md) for more information.
++ # [Speech-to-text](#tab/stt) To run the Standard *Speech-to-text* container, execute the following `docker run` command.
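Review bot: The new `## Run the container in disconnected environments` section is inserted between the `docker run` introduction ("Use the docker run command to run the container ...") and the `# [Speech-to-text](#tab/stt)` tab that carries the actual command, so the intro paragraph is now separated from the commands it introduces; move the new section above that intro or below the tab group. In the text, "select customers" and "without Internet accessibility" read oddly; "eligible customers" and "without internet access" are clearer. The table also bumps Custom Speech-to-text to 3.0.0, so state whether disconnected mode applies to that container as well or only to Speech-to-text.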
cognitive-services How To Create Project https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/custom-translator/how-to-create-project.md
# Create a project
-A project is a container for models, documents, and tests. Each project automatically includes all documents that are uploaded into that workspace that have the correct language pair.
+A project contains translation models for one language pair. Each includes all documents that are uploaded into that workspace that have the correct language pair.
Creating project is the first step toward building a model.
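Review bot: The rewritten sentence "Each includes all documents ..." has lost its subject; write "Each project includes all documents that are uploaded into that workspace and have the correct language pair." The unchanged next line, "Creating project is the first step", is also missing an article ("Creating a project").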
cognitive-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/custom-translator/overview.md
# What is Custom Translator?
-[Custom Translator](https://portal.customtranslator.azure.ai) is a feature of the Microsoft Translator service, which enables Translator enterprises, app developers, and language service providers to build customized neural machine translation (NMT) systems. The customized translation systems seamlessly integrate into existing applications, workflows, and websites.
+Custom Translator is a feature of the Microsoft Translator service, which enables Translator enterprises, app developers, and language service providers to build customized neural machine translation (NMT) systems. The customized translation systems seamlessly integrate into existing applications, workflows, and websites.
Translation systems built with [Custom Translator](https://portal.customtranslator.azure.ai) are available through the same cloud-based, secure, high performance, highly scalable Microsoft Translator [Text API V3](../reference/v3-0-translate.md?tabs=curl), that powers billions of translations every day.
Using the secure [Custom Translator](https://portal.customtranslator.azure.ai) p
[Custom Translator](https://portal.customtranslator.azure.ai) can also be programmatically accessed through a [dedicated API](https://custom-api.cognitive.microsofttranslator.com/swagger/) (currently in preview). The API allows users to manage creating or updating training through their own app or webservice.
-The cost of using a custom model to translate content is based on the userΓÇÖs Translator Text API pricing tier. See the Cognitive Services [Translator Text API pricing webpage](https://azure.microsoft.com/pricing/details/cognitive-services/translator-text-api/)
+The cost of using a custom model to translate content is based on the user's Translator Text API pricing tier. See the Cognitive Services [Translator Text API pricing webpage](https://azure.microsoft.com/pricing/details/cognitive-services/translator-text-api/)
for pricing tier details. ## Securely translate anytime, anywhere on all your apps and services
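Review bot: Removing the link from the first mention of Custom Translator leaves the three later mentions in this section still linked to the portal, so the first mention, where readers normally expect the link, is now the only unlinked one; either keep the link on first mention or remove the repeated links as well.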
cognitive-services Quickstart Build Deploy Custom Model https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/custom-translator/quickstart-build-deploy-custom-model.md
Title: "Quickstart: Build, deploy, and use a custom model - Custom Translator"
+ Title: "Quickstart: Build, deploy, and use a custom model"
-description: In this quickstart, you go through step-by-step process of building a translation system using the Custom Translator.
+description: A step-by-step guide to building a translation system using the Custom Translator Legacy.
cognitive-services Beginners Guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/custom-translator/v2-preview/beginners-guide.md
+
+ Title: Custom Translator for beginners
+
+description: A user guide for understanding the end-to-end customized machine translation process.
++++ Last updated : 01/20/2022+++
+# Custom Translator for beginners | Preview
+
+ [Custom Translator](../overview.md) enables you to a build translation system that reflects your business, industry, and domain-specific terminology and style. Training and deploying a custom system is easy and does not require any programming skills. The customized translation system seamlessly integrates into your existing applications, workflows, and websites and is available on Azure through the same cloud-based [Microsoft Text Translator API](../../reference/v3-0-translate.md?tabs=curl) service that powers billions of translations every day.
+
+## Is a custom translation model the right choice for me?
+
+A well-trained custom translation model provides more accurate domain-specific translations. This is because it relies on previously translated in-domain documents to learn preferred translations. Translator uses these terms and phrases in context to produce fluent translations in the target language while respecting context-dependent grammar.
+
+Training a full custom translation model requires a substantial amount of data. If you do not have at least 10,000 sentences of previously trained documents, you will not be able to train a full-language translation model. However, you can either train a dictionary-only model or use the high-quality, out-of-the-box translations available with the Text Translator API.
++
+## What does training a custom translation model involve?
+
+Building a custom translation model requires:
+
+* Understanding your use-case.
+
+* Obtaining in-domain translated data (preferably human translated).
+
+* The ability to assess translation quality or target language translations.
+
+## How do I evaluate my use-case?
+
+Having clarity on your use-case and what success looks like is the first step towards sourcing proficient training data. Here are a few considerations:
+
+* What is your desired outcome and how will you measure it?
+
+* What is your business domain?
+
+* Do you have in-domain sentences of similar terminology and style?
+
+* Does your use-case involve multiple domains? If yes, should you build one translation system or multiple systems?
+
+* Do you have requirements impacting regional data residency at-rest and in-transit?
+
+* Are the target users in one or multiple regions?
+
+## How should I source my data?
+
+Finding in-domain quality data is often a challenging task that varies based on user classification. Here are some questions you can ask yourself as you evaluate what data may be available to you:
+
+* Enterprises often have a wealth of translation data that has accumulated over many years of using human translation. Does your company have previous translation data available that you can use?
+
+* Do you have a vast amount of monolingual data? Monolingual data is data in only one language. If so, can you get translations for this data?
+
+* Can you crawl online portals to collect source sentences and synthesize target sentences?
+
+## What should I use for training material?
+
+| Source | What it does | Rules to follow |
+||||
+| Bilingual training documents | Teaches the system your terminology and style. | **Be liberal**. Any in-domain human translation is better than machine translation. Add and remove documents as you go and try to improve the [BLEU score](/azure/cognitive-services/translator/custom-translator/what-is-bleu-score?WT.mc_id=aiml-43548-heboelma). |
+| Tuning documents | Trains the Neural Machine Translation parameters. | **Be strict**. Compose them to be optimally representative of what you are going to translation in the future. |
+| Test documents | Calculate the [BLEU score](/azure/cognitive-services/translator/custom-translator/what-is-bleu-score?WT.mc_id=aiml-43548-heboelma).| **Be strict**. Compose test documents to be optimally representative of what you plan to translate in the future. |
+| Phrase dictionary | Forces the given translation 100% of the time. | **Be restrictive**. A phrase dictionary is case-sensitive and any word or phrase listed is translated in the way you specify. In many cases, it is better to not use a phrase dictionary and let the system learn. |
+| Sentence dictionary | Forces the given translation 100% of the time. | **Be strict**. A sentence dictionary is case-insensitive and good for common in domain short sentences. For a sentence dictionary match to occur, the entire submitted sentence must match the source dictionary entry. If only a portion of the sentence matches, the entry won't match. |
+
+## What is a BLEU score?
+
+BLEU (Bilingual Evaluation Understudy) is an algorithm for evaluating the precision or accuracy of text that has been machine translated from one language to another. Custom Translator uses the BLEU metric as one way of conveying translation accuracy.
+
+A BLEU score is a number between zero and 100. A score of zero indicates a low quality translation where nothing in the translation matched the reference. A score of 100 indicates a perfect translation that is identical to the reference. It's not necessary to attain a score of 100 - a BLEU score between 40 and 60 indicates a high-quality translation.
+
+[Read more](/azure/cognitive-services/translator/custom-translator/what-is-bleu-score?WT.mc_id=aiml-43548-heboelma)
+
+## What happens if I don't submit tuning or testing data?
+
+Tuning and test sentences are optimally representative of what you plan to translate in the future. If you don't submit any tuning or testing data, Custom Translator will automatically exclude sentences from your training documents to use as tuning and test data.
+
+| System-generated | Manual-selection |
+|||
+| Convenient. | Enables fine-tuning for your future needs.|
+| Good, if you know that your training data is representative of what you are planning to translate. | Provides more freedom to compose your training data.|
+| Easy to redo when you grow or shrink the domain. | Allows for more data and better domain coverage.|
+|Changes each training run.| Remains static over repeated training runs|
+
+## How is training material processed by Custom Translator?
+
+When you submit documents for training a custom translation system, the documents undergo a series of processing and filtering steps to prepare for training. These steps are explained below. Knowledge of the filtering process may help with understanding the sentence count displayed as well as the steps you can take to prepare training documents for training with Custom Translator.
+
+* ### Sentence alignment
+
+ If your document isn't in XLIFF, XLSX, TMX, or ALIGN format, Custom Translator aligns the sentences of your source and target documents to each other, sentence-by-sentence. Translator doesn't perform document alignmentΓÇöit follows your naming convention for the documents to find a matching document in the other language. Within the source text, Custom Translator tries to find the corresponding sentence in the target language. It uses document markup like embedded HTML tags to help with the alignment.
+
+ If you see a large discrepancy between the number of sentences in the source and target documents, your source document may not be parallel or couldn't be aligned. The document pairs with a large difference (>10%) of sentences on each side warrant a second look to make sure they're indeed parallel.
+
+* ### Extracting tuning and testing data
+
+ Tuning and testing data is optional. If you don't provide it, the system will remove an appropriate percentage from your training documents to use for tuning and testing. The removal happens dynamically as part of the training process. Since this step occurs as part of training, your uploaded documents are not affected. You can see the final used sentence counts for each category of dataΓÇötraining, tuning, testing, and dictionaryΓÇöon the Model details page after training has succeeded.
+
+* ### Length filter
+
+ * Removes sentences with only one word on either side.
+ * Removes sentences with more than 100 words on either side. Chinese, Japanese, Korean are exempt.
+ * Removes sentences with fewer than three characters. Chinese, Japanese, Korean are exempt.
+ * Removes sentences with more than 2000 characters for Chinese, Japanese, Korean.
+ * Removes sentences with less than 1% alphanumeric characters.
+ * Removes dictionary entries containing more than 50 words.
+
+* ### White space
+
+ * Replaces any sequence of white-space characters including tabs and CR/LF sequences with a single space character.
+ * Removes leading or trailing space in the sentence.
+
+* ### Sentence end punctuation
+
+ * Replaces multiple sentence-end punctuation characters with a single instance. Japanese character normalization.
+
+ * Converts full width letters and digits to half-width characters.
+
+* ### Unescaped XML tags
+
+ Transforms unescaped tags into escaped tags:
+
+ | Tag | Becomes |
+ |||
+ | \&lt; | \&amp;lt; |
+ | \&gt; | \&amp;gt; |
+ | \&amp; | \&amp;amp; |
+
+* ### Invalid characters
+
+ Custom Translator removes sentences that contain Unicode character U+FFFD. The character U+FFFD indicates a failed encoding conversion.
+
+## What steps should I take before uploading data?
+
+* Remove sentences with invalid encoding.
+* Remove Unicode control characters.
+* If feasible, align sentences (source-to-target).
+* Remove source and target sentences that do not match the source and target languages.
+* When source and target sentences have mixed languages, ensure that untranslated words are intentional, for example, names of organizations and products.
+* Correct grammatical and typographical errors to prevent teaching these errors to your model.
+* Though our training process handles source and target lines containing multiple sentences, it's better to have one source sentence mapped to one target sentence.
+
+## How do I evaluate the results?
+
+After your model is successfully trained, you can view the model's BLEU score and baseline model BLEU score on the model details page. We use the same set of test data to generate both the model's BLEU score and the baseline BLEU score to help you make an informed decision regarding which model would be better for your use-case.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Try our Quickstart](quickstart.md)
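Review bot: A few wording errors in the new page: "enables you to a build translation system" (first paragraph) should be "enables you to build a translation system"; "at least 10,000 sentences of previously trained documents" presumably means "previously translated documents"; "what you are going to translation in the future" in the Tuning documents row should be "going to translate"; and under "Sentence end punctuation", "Japanese character normalization." is a fragment glued onto the punctuation bullet and belongs as the lead-in to the full-width/half-width bullet below it. The three links to what-is-bleu-score carry a `?WT.mc_id=aiml-43548-heboelma` campaign parameter; in-repo links should be relative to the article without tracking query strings.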
cognitive-services Create Manage Project https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/custom-translator/v2-preview/how-to/create-manage-project.md
+
+ Title: Create and manage a project
+
+description: How to create and manage a project in the Azure Cognitive Services Custom Translator Preview.
++++ Last updated : 01/20/2022++++
+# Create and manage a project | Preview
+
+> [!IMPORTANT]
+> Custom Translator v2.0 is currently in public preview. Some features may not be supported or have constrained capabilities.
+
+A project contains translation models for one language pair. Each project includes all documents that were uploaded into that workspace with the correct language pair.
+
+Creating a project is the first step in building and publishing a model.
+
+## Create a project
+
+1. After you sign-in, your default workspace is loaded. To create a project in different workspace, select **My workspaces**, then select a workspace name.
+
+1. Select **Create project**.
+
+1. Enter the following details about your project in the creation dialog:
+
+ - **Project name (required):** Give your project a unique, meaningful name. It's not necessary to mention the languages within the title.
+
+ - **Language pair (required):** Select the source and target languages from the dropdown list
+
+ - **Domain (required):** Select the domain from the dropdown list that's most appropriate for your project. The domain describes the terminology and style of the documents you intend to translate.
+
+ >[!Note]
+ >Select **Show advanced options** to add project label, project description, and domain description
+
+ - **Project label:** The project label distinguishes between projects with the same language pair and domain. As a best practice, here are a few tips:
+
+ - Use a label *only* if you're planning to build multiple projects for the same language pair and same domain and want to access these projects with a different Domain ID.
+
+ - Don't use a label if you're building systems for one domain only.
+
+ - A project label is not required and not helpful to distinguish between language pairs.
+
+ - You can use the same label for multiple projects.
+
+ - **Project description:** A short summary about the project. This description has no influence over the behavior of the Custom Translator or your resulting custom system, but can help you differentiate between different projects.
+
+ - **Domain description:** Use this field to better describe the particular field or industry in which you're working. or example, if your category is medicine, you might add details about your subfield, such as surgery or pediatrics. The description has no influence over the behavior of the Custom Translator or your resulting custom system.
+
+1. Select **Create project**.
+
+ :::image type="content" source="../media/how-to/create-project-dialog.png" alt-text="Screenshot illustrating the create project fields.":::
+
+## Edit a project
+
+To modify the project name, project description, or domain description:
+
+1. Select the workspace name.
+
+1. Select the project name, for example, *English-to-German*.
+
+1. The **Edit and Delete** buttons should now be visible.
+
+ :::image type="content" source="../media/how-to/edit-project-dialog-1.png" alt-text="Screenshot illustrating the edit project fields":::
+
+1. Select **Edit** and fill in or modify existing text.
+
+ :::image type="content" source="../media/how-to/edit-project-dialog-2.png" alt-text="Screenshot illustrating detailed edit project fields.":::
+
+1. Select **Edit project** to save.
+
+## Delete a project
+
+1. Follow the [**Edit a project**](#edit-a-project) steps 1-3 above.
+
+1. Select **Delete** and read the delete message before you select **Delete project** to confirm.
+
+ :::image type="content" source="../media/how-to/delete-project-1.png" alt-text="Screenshot illustrating delete project fields.":::
+
+ >[!Note]
+ >If your project has a published model or a model that is currently in training, you will only be able to delete your project once your model is no longer published or training.
+ >
+ > :::image type="content" source="../media/how-to/delete-project-2.png" alt-text="Screenshot illustrating the unable to delete message.":::
+
+## Next steps
+
+- Learn [how to manage project documents](create-manage-training-documents.md).
+- Learn [how to train a model](train-custom-model.md).
+- Learn [how to test and evaluate model quality](view-model-test-translation.md).
+- Learn [how to publish model](publish-model.md).
+- Learn [how to translate with custom models](translate-with-custom-model.md).
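Review bot: Typo in the **Domain description** bullet of the creation dialog: "or example, if your category is medicine" should read "For example, if your category is medicine". The project-label tip "want to access these projects with a different Domain ID" uses a term that appears nowhere else in this doc set; the identifier used for requests is called the `Category ID` in project-overview.md and translate-with-custom-model.md, so this should say "a different Category ID". Two items in the same list end without a period ("Select the source and target languages from the dropdown list" and the note "to add project label, project description, and domain description"), unlike their neighbours. In step 1 of "Create a project", "After you sign-in" should be "After you sign in" (verb form), and "To create a project in different workspace" needs an article: "in a different workspace".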
cognitive-services Create Manage Training Documents https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/custom-translator/v2-preview/how-to/create-manage-training-documents.md
+
+ Title: Build and upload training documents
+
+description: How to build and upload parallel documents (two documents where one is the origin and the other is the translation) using Custom Translator.
++++ Last updated : 01/20/2022++++
+# Build and manage training documents | Preview
+
+> [!IMPORTANT]
+> Custom Translator v2.0 is currently in public preview. Some features may not be supported or have constrained capabilities.
+
+[Custom Translator](../../overview.md) enables you to build translation models that reflect your business, industry, and domain-specific terminology and style. Training and deploying a custom model is easy and does not require any programming skills. Custom Translator allows you to upload parallel files, translation memory files, or zip files.
+
+[Parallel documents](../../what-are-parallel-documents.md) are pairs of documents where one (target) is a translation of the other (source). One document in the pair contains sentences in the source language and the other document contains those sentences translated into the target language.
+
+Before uploading your documents, review the [document formats and naming convention guidance](../../document-formats-naming-convention.md) to make sure your file format is supported by Custom Translator.
+
+## How to create document sets
+
+Finding in-domain quality data is often a challenging task that varies based on user classification. Here are some questions you can ask yourself as you evaluate what data may be available to you:
+
+- Enterprises often have a wealth of translation data that has accumulated over many years of using human translation. Does your company have previous translation data available that you can use?
+
+- Do you have a vast amount of monolingual data? Monolingual data is data in only one language. If so, can you get translations for this data?
+
+- Can you crawl online portals to collect source sentences and synthesize target sentences?
+
+### Training material for each document types
+
+| Source | What it does | Rules to follow |
+||||
+| Bilingual training documents | Teaches the system your terminology and style. | **Be liberal**. Any in-domain human translation is better than machine translation. Add and remove documents as you go and try to improve the [BLEU score](/azure/cognitive-services/translator/custom-translator/what-is-bleu-score?WT.mc_id=aiml-43548-heboelma). |
+| Tuning documents | Trains the Neural Machine Translation parameters. | **Be strict**. Compose them to be optimally representative of what you are going to translation in the future. |
+| Test documents | Calculate the [BLEU score](../beginners-guide.md#what-is-a-bleu-score).| **Be strict**. Compose test documents to be optimally representative of what you plan to translate in the future. |
+| Phrase dictionary | Forces the given translation 100% of the time. | **Be restrictive**. A phrase dictionary is case-sensitive and any word or phrase listed is translated in the way you specify. In many cases, it is better to not use a phrase dictionary and let the system learn. |
+| Sentence dictionary | Forces the given translation 100% of the time. | **Be strict**. A sentence dictionary is case-insensitive and good for common in domain short sentences. For a sentence dictionary match to occur, the entire submitted sentence must match the source dictionary entry. If only a portion of the sentence matches, the entry won't match. |
+
+## How to upload documents
+
+Document types are associated with the language pair selected when you create a project.
+
+1. Sign-in to [Custom Translator](https://portal.customtranslator.azure.ai) portal. Your default workspace is loaded and a list of previously created projects are displayed.
+
+1. Select the desired project **Name**. By default, the **Manage documents** blade is selected and a list of previously uploaded documents is displayed.
+
+1. Select **Add document set** and choose the document type:
+
+ - Training set
+ - Testing set
+ - Tuning set
+ - Dictionary set:
+ - Phrase Dictionary
+ - Sentence Dictionary
+
+1. Select **Next**.
+
+ :::image type="content" source="../media/how-to/upload-1.png" alt-text="Screenshot illustrating the document upload link.":::
+
+ >[!Note]
+ >Choosing **Dictionary set** launches **Choose type of dictionary** dialog.
+ >Choose one and select **Next**
+
+1. Select your documents format from the radio buttons.
+
+ :::image type="content" source="../media/how-to/upload-2.png" alt-text="Screenshot illustrating the upload document page.":::
+
+ - For **Parallel documents**, fill in the `Document set name` and select **Browse files** to select source and target documents.
+ - For **Translation memory (TM)** file or **Upload multiple sets with ZIP**, select **Browse files** to select the file
+
+1. Select **Upload**.
+
+At this point, Custom Translator is processing your documents and attempting to extract sentences as indicated in the upload notification. Once done processing, you will see the upload successful notification.
+
+ :::image type="content" source="../media/quickstart/document-upload-notification.png" alt-text="Screenshot illustrating the upload document processing dialog window.":::
+
+## Next steps
+
+- Learn [how to train a model](train-custom-model.md).
+- Learn [how to test and evaluate model quality](view-model-test-translation.md).
+- Learn [how to publish model](publish-model.md).
+- Learn [how to translate with custom models](translate-with-custom-model.md).
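Review bot: Inconsistent targets for the same BLEU score page in the "Training material" table: the Bilingual training documents row links to the absolute URL /azure/cognitive-services/translator/custom-translator/what-is-bleu-score?WT.mc_id=aiml-43548-heboelma (carrying a campaign tracking parameter), while the Test documents row links to ../beginners-guide.md#what-is-a-bleu-score; use the relative link in both rows so the tracking parameter does not ship in the docs. Wording in and around the table: the heading "Training material for each document types" should be "document type"; the Tuning documents rule "what you are going to translation in the future" should be "going to translate"; "common in domain short sentences" should be "in-domain". In "How to upload documents", "Sign-in to" should be "Sign in to", "a list of previously created projects are displayed" should be "is displayed", and the "Translation memory (TM)" bullet is missing its final period.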
cognitive-services Create Manage Workspace https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/custom-translator/v2-preview/how-to/create-manage-workspace.md
+
+ Title: Create and manage a workspace
+
+description: How to create and manage workspaces
++++ Last updated : 01/20/2022+++++
+# Create and manage a workspace | Preview
+
+> [!IMPORTANT]
+> Custom Translator v2.0 is currently in public preview. Some features may not be supported or have constrained capabilities.
+
+ Workspaces are places to manage your documents, projects, and models. When you create a workspace, you can choose to use the workspace independently or share it with teammates to divide up the work.
+
+## Create workspace
+
+1. After you sign in to Custom Translator, you will be asked for permission to read your profile from the Microsoft identity platform to request your user access token and refresh token. Both tokens are needed for authentication and to ensure that you aren't signed out during your live session or while training your models. </br>Select **Yes**.
+
+ :::image type="content" source="../media/quickstart/first-time-user.png" alt-text="Screenshot illustrating first-time sign-in.":::
+
+1. Select **My workspaces**
+
+1. Select **Create a new workspace**
+
+1. Type a **Workspace name** and select **Next**
+
+1. Select "Global" for **Select resource region** from the dropdown list.
+
+1. Copy/paste your Translator Services key.
+
+1. Select **Next**.
+
+1. Select **Done**
+
+ >[!Note]
+ > Region must match the region that was selected during the resource creation. You can use **KEY 1** or **KEY 2.**
+
+ :::image type="content" source="../media/quickstart/resource-key.png" alt-text="Screenshot illustrating the resource key.":::
+
+ :::image type="content" source="../media/quickstart/create-workspace-1.png" alt-text="Screenshot illustrating workspace creation.":::
+
+## Manage workspace settings
+
+Select a workspace and navigate to **Workspace settings**. You can manage the following workspace settings:
+
+* Change the resource key for global regions. If you are using a regional specific resource, you cannot change your resource key.
+
+* Change the workspace name.
+
+* [Share the workspace with others](#share-workspace-for-collaboration).
+
+* Delete the workspace.
+
+### Share workspace for collaboration
+
+The person who created the workspace is the owner. Within **Workspace settings**, an owner can designate three different roles for a collaborative workspace:
+
+* **Owner**. An owner has full permissions within the workspace.
+
+* **Editor**. An editor can add documents, train models, and delete documents and projects. They cannot modify who the workspace is shared with, delete the workspace, or change the workspace name.
+
+* **Reader**. A reader can view (and download if available) all information in the workspace.
+
+1. Select **Share**.
+
+1. Complete the **email address** field for collaborators.
+
+1. Select **role** from the dropdown list.
+
+1. Select **Share**.
+++
+### Remove somebody from a workspace
+
+1. Select **Share**.
+
+2. Select the **X** icon next to the **Role** and email address that you want to remove.
++
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn how to manage projects](create-manage-project.md)
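Review bot: The sharing section should state whether collaborators can see the workspace's resource key. Step 6 of "Create workspace" has the owner paste the Translator Services key (KEY 1 or KEY 2) into the workspace and "Manage workspace settings" lets it be changed, but the Owner/Editor/Reader descriptions only cover documents, models, projects, sharing and renaming; anyone who can read that key can make billable calls against the Translator resource, so a reader deciding whether to grant Editor or Reader needs to know if the role exposes it. The Reader description "view (and download if available) all information in the workspace" is also worth spelling out as including the uploaded training documents, which are commonly confidential translation memories. Markup: "</br>" in step 1 is not a valid tag; use "<br/>". "regional specific resource" should be "region-specific resource". "Remove somebody from a workspace" numbers its steps "1." and "2." while every other list in the file uses "1." throughout, and the "+++" / "+" lines after "Select **Share**." and after that section's step 2 look like stray content in the diff.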
cognitive-services Publish Model https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/custom-translator/v2-preview/how-to/publish-model.md
+
+ Title: Publish a custom model
+
+description: This article explains how to publish a custom model using the Azure Cognitive Services Custom Translator Preview.
++++ Last updated : 01/20/2022+++
+# Publish a custom model | Preview
+
+> [!IMPORTANT]
+> Custom Translator v2.0 is currently in public preview. Some features may not be supported or have constrained capabilities.
+
+Publishing your model makes it available for use with the Translator API. A project might have one or many successfully trained models. You can only publish one model per project; however, you can publish a model to one or multiple regions depending on your needs. For more information, see [Translator pricing](https://azure.microsoft.com/pricing/details/cognitive-services/translator/#pricing).
+
+## Publish your trained model
+
+You can publish one model per project to one or multiple regions.
+1. Select the **Publish model** blade.
+
+1. Select *en-de with sample data* and select **Publish**.
+
+1. Check the desired region(s).
+
+1. Select **Publish**. The status should transition from _Deploying_ to _Deployed_.
+
+ :::image type="content" source="../media/quickstart/publish-model.png" alt-text="Screenshot illustrating the publish model blade.":::
+
+## Replace a published model
+
+To replace a published model, you can exchange the published model with a different model in the same region(s):
+
+1. Select the replacement model.
+
+1. Select **Publish**.
+
+1. Select **publish** once more in the **Publish model** dialog window.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn how to translate documents with custom models](translate-with-custom-model.md)
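Review bot: Step 2 of "Publish your trained model" hard-codes a quickstart model name, "Select *en-de with sample data* and select **Publish**", in a how-to that otherwise speaks generically ("A project might have one or many successfully trained models"); it should read "Select the model you want to publish and select **Publish**". The sentence "You can publish one model per project to one or multiple regions." repeats the intro paragraph and has no blank line before the numbered list, so Markdown will render it as part of the first list item; either drop it or add the blank line. In "Replace a published model", step 3 uses lowercase "**publish**" where the button is written **Publish** everywhere else.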
cognitive-services Train Custom Model https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/custom-translator/v2-preview/how-to/train-custom-model.md
+
+ Title: Train model
+
+description: How to train a custom model
++++ Last updated : 01/20/2022+++
+# Train a custom model | Preview
+
+> [!IMPORTANT]
+> Custom Translator v2.0 is currently in public preview. Some features may not be supported or have constrained capabilities.
+
+A model provides translations for a specific language pair. The outcome of a successful training is a model. When training a model, three mutually exclusive document types are required: training, tuning, and testing. If only training data is provided when queuing a training, Custom Translator will automatically assemble tuning and testing data. It will use a random subset of sentences from your training documents, and exclude these sentences from the training data itself. A minimum of 10,000 parallel training sentences are required to train a full model.
+
+## Create model
+
+1. Select the **Train model** blade.
+
+1. Type the **Model name**.
+
+1. Keep the default **Full training** selected or select **Dictionary-only training**.
+
+ >[!Note]
+ >Full training displays all uploaded document types. Dictionary-only displays dictionary documents only.
+
+1. Under **Select documents**, select the documents you want to use to train the model, for example, `sample-English-German` and review the training cost associated with the selected number of sentences.
+
+1. Select **Train now**.
+
+1. Select **Train** to confirm.
+
+ >[!Note]
+ >**Notifications** displays model training in progress, e.g., **Submitting data** state. Training model takes few hours, subject to the number of selected sentences.
+
+ :::image type="content" source="../media/quickstart/train-model.png" alt-text="Screenshot illustrating the train model blade.":::
+
+## When to select dictionary-only training
+
+For better results, we recommended letting the system learn from your training data. However, when you don't have enough parallel sentences to meet the 10,000 minimum requirements, or sentences and compound nouns must be rendered as-is, use dictionary-only training. Your model will typically complete training much faster than with full training. The resulting models will use the baseline models for translation along with the dictionaries you have added. You won't see BLEU scores or get a test report.
+
+> [!Note]
+>Custom Translator doesn't sentence-align dictionary files. Therefore, it is important that there are an equal number of source and target phrases/sentences in your dictionary documents and that they are precisely aligned. If not, the document upload will fail.
+
+## Model details
+
+1. After successful model training, select the **Model details** blade.
+
+1. Select the **Model Name** to review training date/time, total training time, number of sentences used for training, tuning, testing, dictionary, and whether the system generated the test and tuning sets. You will use `Category ID` to make translation requests.
+
+1. Evaluate the model [BLEU score](../beginners-guide.md#what-is-a-bleu-score). Using the test set, **BLEU score** is the custom model score and **Baseline BLEU** is the pre-trained baseline model used for customization. A higher **BLEU score** means higher translation quality using the custom model.
+
+ :::image type="content" source="../media/quickstart/model-details.png" alt-text="Screenshot illustrating model details fields.":::
+
+## Duplicate model
+
+1. Select the **Model details** blade.
+
+1. Hover over the model name and check the selection button.
+
+1. Select **Duplicate**.
+
+1. Fill in **New model name**.
+
+1. Keep **Train immediately** checked if no additional data will be selected or uploaded, otherwise, check **Save as draft**
+
+1. Select **Save**
+
+ > [!Note]
+ >
+ > If you save the model as `Draft`, **Model details** is updated with the model name in `Draft` status.
+ >
+ > To add more documents, select on the model name and follow `Create model` section above.
+
+ :::image type="content" source="../media/how-to/duplicate-model.png" alt-text="Screenshot illustrating the duplicate model blade.":::
+
+## Next steps
+
+- Learn [how to test and evaluate model quality](view-model-test-translation.md).
+- Learn [how to publish model](publish-model.md).
+- Learn [how to translate with custom models](translate-with-custom-model.md).
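Review bot: Subject/verb agreement in the intro: "A minimum of 10,000 parallel training sentences are required" should be "is required". In "When to select dictionary-only training", "we recommended letting the system learn" should be "we recommend", and "the 10,000 minimum requirements" should be "the 10,000-sentence minimum requirement". The training note "Training model takes few hours, subject to the number of selected sentences." should read "Training a model takes a few hours, depending on the number of selected sentences." In "Duplicate model", step 5 is missing its period, and the note "select on the model name and follow `Create model` section above" should be "select the model name and follow the **Create model** section above" (it is a section reference, not code). The "Model details" section here is a near-verbatim copy of the one in view-model-test-translation.md; keep it in one place and link to it so the two do not drift.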
cognitive-services Translate With Custom Model https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/custom-translator/v2-preview/how-to/translate-with-custom-model.md
+
+ Title: Translate text with a custom model
+
+description: How to make translation requests using custom models published with the Azure Cognitive Services Custom Translator.
++++ Last updated : 01/20/2022+++
+# Translate text with a custom model | Preview
+
+> [!IMPORTANT]
+> Custom Translator v2.0 is currently in public preview. Some features may not be supported or have constrained capabilities.
+
+After you publish your custom model you can access it with the Translator API by using the `Category ID` parameter. To retrieve, choose the copy icon:
+
+ :::image type="content" source="../media/how-to/publish-model.png" alt-text="{alt-text}":::
+
+## How to translate
+
+1. Use the `Category ID` when making a custom translation request via Microsoft Translator [Text API V3](../../../reference/v3-0-translate.md?tabs=curl). The `Category ID` is created by concatenating the WorkspaceID, project label, and category code. Use the `CategoryID` with the Text Translator API to get custom translations.
+
+ ```http
+ https://api.cognitive.microsofttranslator.com/translate?api-version=3.0&to=de&category=a2eb72f9-43a8-46bd-82fa-4693c8b64c3c-TECH
+
+ ```
+
+ More information about the Translator Text API can be found on the [Translator API Reference](../../../reference/v3-0-translate.md) page.
+
+1. You may also want to download and install our free [DocumentTranslator app for Windows](https://github.com/MicrosoftTranslator/DocumentTranslator/releases/tag/V2.9.4).
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn more about building and publishing custom models](../beginners-guide.md)
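Review bot: The image after "To retrieve, choose the copy icon:" still carries the template placeholder alt-text="{alt-text}"; supply a real description such as "Screenshot illustrating the Category ID copy icon". Step 1 spells the same parameter three ways (`Category ID`, `CategoryID`, and `category=` in the URL); settle on one and note which one is the query-string name. The sample request shows only the URL, so say how it is authenticated: the key and endpoint that quickstart.md tells readers to take from the resource's **Keys and Endpoint** page are never tied to this request, and a reader who has so far only pasted the key into the portal will not know it is needed here too. The fenced `http` block has a stray blank line before its closing fence. Step 2 links to a pinned release, /DocumentTranslator/releases/tag/V2.9.4, which will go stale; link to the releases page instead.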
cognitive-services View Model Test Translation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/custom-translator/v2-preview/how-to/view-model-test-translation.md
+
+ Title: View custom model details and test translation
+
+description: How to test custom model BLEU score and model translation
++++ Last updated : 01/20/2022
+1.
++
+# View custom model details and test translation | Preview
+
+> [!IMPORTANT]
+> Custom Translator v2.0 is currently in public preview. Some features may not be supported or have constrained capabilities.
+
+Once your model has successfully trained, you can use translations to evaluate the quality of your model. In order to make an informed decision about whether to use our standard model or your custom model, you should evaluate the delta between your custom model [**BLEU score**](#bleu-score) and our standard model **Baseline BLEU**. If your models have been trained on a narrow domain, and your training data is consistent with the test data, you can expect a high BLEU score.
+
+## BLEU score
+
+BLEU (Bilingual Evaluation Understudy) is an algorithm for evaluating the precision or accuracy of text that has been machine translated from one language to another. Custom Translator uses the BLEU metric as one way of conveying translation accuracy.
+
+A BLEU score is a number between zero and 100. A score of zero indicates a very low quality translation where nothing in the translation matched the reference. A score of 100 indicates a perfect translation that is identical to the reference. It's not necessary to attain a score of 100ΓÇöa BLEU score between 40 and 60 indicates a high quality translation.
+
+[Read more](/azure/cognitive-services/translator/custom-translator/what-is-bleu-score?WT.mc_id=aiml-43548-heboelma)
+
+## Model details
+
+1. Select the **Model details** blade.
+
+1. Select the model name to review the training date/time, total training time, number of sentences used for training, tuning, testing, dictionary, and whether the system generated the test and tuning sets. You will use the `Category ID` to make translation requests.
+
+1. Evaluate the model [BLEU](../beginners-guide.md#what-is-a-bleu-score) score. Using the test set, **BLEU score** is the custom model score and **Baseline BLEU** is the pre-trained baseline model used for customization. A higher **BLEU score** means there is high translation quality using the custom model.
+
+ :::image type="content" source="../media/quickstart/model-details.png" alt-text="Screenshot illustrating the model detail.":::
+
+## Test quality of your model's translation
+
+1. Select **Test model** blade.
+
+1. Select model **Name**.
+
+1. Human evaluate translation from your **Custom model** and the **Baseline model** (our pre-trained baseline used for customization) against **Reference** (target translation from the test set).
+
+1. If you're satisfied with the training results, place a deployment request for the trained model.
+
+## Next steps
+
+- Learn [how to publish/deploy a custom model](publish-model.md).
+- Learn [how to translate documents with a custom model](translate-with-custom-model.md).
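Review bot: Mis-encoded character in the BLEU score paragraph: "a score of 100ΓÇöa BLEU score between 40 and 60" is a UTF-8 em dash read as CP437; replace it with a plain dash or rewrite as "a score of 100; a BLEU score between 40 and 60 ...". The front matter ends with stray "1." and "+" lines before the H1 that do not belong in the file. The "Read more" link carries a campaign tracking parameter (?WT.mc_id=aiml-43548-heboelma); link to the page without it, as the beginners-guide link in "Model details" does. Wording: "Select **Test model** blade" should be "Select the **Test model** blade"; "Human evaluate translation from your **Custom model** and the **Baseline model** ... against **Reference**" should be "Compare the translations from your **Custom model** and the **Baseline model** ... against the **Reference**"; "A higher **BLEU score** means there is high translation quality" should be "means higher translation quality". Step 4 says "place a deployment request for the trained model" while the rest of this doc set calls the action Publish (this file's own Next steps link reads "how to publish/deploy a custom model"); use "publish" for consistency.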
cognitive-services Project Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/custom-translator/v2-preview/project-overview.md
+
+ Title: What is a project? - Custom Translator
+
+description: This article will explain the project categories and labels for the Custom Translator service.
+++++ Last updated : 01/20/2022++
+#Customer intent: As a Custom Translator user, I want to concept of a project, so that I can use it efficiently.
+
+# What is a Custom Translator project?
+
+A project contains translation models for one language pair. Each project
+initially includes all documents that are uploaded to a workspace with the correct language pair. For example, if you have both an English-to-Spanish project and a Spanish-to-English project, the same documents will be included in both projects. Each project has an associated `CategoryID` that is used when querying the [V3 API](../../reference/v3-0-translate.md?tabs=curl) for translations. The `CategoryID` is parameter used to get translations from a customized system built with Custom Translator.
+
+## Project category
+
+The project `Category ID` identifies the domainΓÇöthe area of terminology and style you want to use for your project. Choose the category most relevant to the contents of your documents.
+
+In the same workspace, you may create projects for the same language pair in
+different categories. Custom Translator prevents creation of a duplicate project
+with the same language pair and category. Applying a label to your project
+allows you to avoid this restriction. Don't use labels unless you're building translation systems for multiple clients, because adding a unique label to your project will be reflected in your projects `Category ID`.
+
+## Project label
+
+Custom Translator allows you to assign a project label to your project. The
+project label distinguishes between multiple projects with the same language
+pair and category. As a best practice, avoid using project labels unless
+necessary.
+
+The project label is used as part of the `Category ID`. If the project label is
+left unset or is set identically across projects, then, projects with the same
+category and *different* language pairs will share the same `Category ID`. This approach is advantageous because it allows you or your customer to switch between
+languages when using the Text Translator API without worrying about which `Category ID` to use.
+
+For example, if you want to enable translations in the technology domain from
+English-to-French and French-to-English, create two projects: one for English → French, and one for French → English. Specify the same category (technology) for both and leave the project label blank. The `Category ID` for both projects will be the same. When you call the Text API to translate from both models, only change the _from_ and _to_ languages without modifying the CategoryID.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn how to manage projects](how-to/create-manage-project.md)
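Review bot: The customer-intent comment "I want to concept of a project" is missing its verb: "I want to understand the concept of a project". Mis-encoded em dash in "identifies the domainΓÇöthe area of terminology" (UTF-8 bytes read as CP437); replace with "domain, the area of terminology". Grammar: "The `CategoryID` is parameter used" should be "is a parameter used"; "reflected in your projects `Category ID`" should be "project's". The file alternates between `CategoryID`, `Category ID` and an unformatted CategoryID for the same value; settle on one spelling that matches how-to/translate-with-custom-model.md. The label guidance also reads differently from the how-to: here "Don't use labels unless you're building translation systems for multiple clients", while create-manage-project.md says to use a label whenever you want multiple projects for the same language pair and domain reachable under different IDs; align the two statements so readers get one rule.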
cognitive-services Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/custom-translator/v2-preview/quickstart.md
+
+ Title: "Quickstart: Build, deploy, and use a custom model - Custom Translator"
+
+description: A step-by-step guide to building a translation system using the Custom Translator portal v2.
++++ Last updated : 01/20/2022+++
+# Quickstart: Build, publish, and translate with custom models
+
+> [!IMPORTANT]
+> Custom Translator v2.0 is currently in public preview. Some features may not be supported or have constrained capabilities.
+
+Translator is a cloud-based neural machine translation service that is part of the Azure Cognitive Services family of REST APIs. Translator can be used with any operating system and powers many Microsoft products and services used by thousands of businesses worldwide to perform language translation and other language-related operations. In this quickstart, you'll learn to build custom solutions for your applications across all [supported languages](../../language-support.md).
+
+## Prerequisites
+
+To use the [Custom Translator](https://preview.portal.customtranslator.azure.ai/) preview portal, you will need the following:
+
+* A [Microsoft account](https://signup.live.com).
+
+* Azure subscription - [Create one for free](https://azure.microsoft.com/free/cognitive-services/)
+* Once you have an Azure subscription, [create a Translator resource](https://ms.portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation) in the Azure portal to get your key and endpoint. After it deploys, select **Go to resource**.
+ * You'll need the key and endpoint from the resource to connect your application to the Translator service. You'll paste your key and endpoint into the code below later in the quickstart. You can find these values on the Azure portal **Keys and Endpoint** page:
+
+ :::image type="content" source="../../media/keys-and-endpoint-portal.png" alt-text="Screenshot: Azure portal keys and endpoint page.":::
+
+ See [how to create a Translator resource](../../translator-how-to-signup.md).
+
+Once you have the above prerequisites, sign in to the [Custom Translator](https://preview.portal.customtranslator.azure.ai/) preview portal to create workspaces, build projects, upload files, train models, and publish your custom solution.
+
+You can read an overview of translation and custom translation, learn some tips, and watch a getting started video in the [Azure AI technical blog](https://techcommunity.microsoft.com/t5/azure-ai/customize-a-translation-to-make-sense-in-a-specific-context/ba-p/2811956).
+
+>[!Note]
+>Custom Translator does not support creating workspace for a Translator Text API resource created inside an [Enabled VNet](/azure/api-management/api-management-using-with-vnet?tabs=stv2).
+
+## Process summary
+
+1. [**Create a workspace**](#create-a-workspace). A workspace is a work area for composing and building your custom translation system. A workspace can contain multiple projects, models, and documents. All the work you do in Custom Translator is done inside a specific workspace.
+
+1. [**Create a project**](#create-a-project). A project is a wrapper for models, documents, and tests. Each project includes all documents that are uploaded into that workspace with the correct language pair. For example, if you have both an English-to-Spanish project and a Spanish-to-English project, the same documents will be included in both projects.
+
+1. [**Upload parallel documents**](#upload-documents). Parallel documents are pairs of documents where one (target) is the translation of the other (source). One document in the pair contains sentences in the source language and the other document contains sentences translated into the target language. It doesn't matter which language is marked as "source" and which language is marked as "target"ΓÇöa parallel document can be used to train a translation system in either direction.
+
+1. [**Train your model**](#train-your-model). A model is the system that provides translation for a specific language pair. The outcome of a successful training is a model. When training a model, three mutually exclusive document types are required: training, tuning, and testing. If only training data is provided when queuing a training, Custom Translator will automatically assemble tuning and testing data. It will use a random subset of sentences from your training documents, and exclude these sentences from the training data itself. A 10,000 parallel sentence is the minimum requirement to train a model.
+
+1. [**Test (human evaluate) your model**](#test-your-model). The testing set is used to compute the [BLEU](beginners-guide.md#what-is-a-bleu-score) score. This score indicates the quality of your translation system.
+
+1. [**Publish (deploy) your trained model**](#publish-your-model). Your custom model is made available for runtime translation requests.
+
+1. [**Translate text**](#translate-text). Use the cloud-based, secure, high performance, highly scalable Microsoft Translator [Text API V3](../../reference/v3-0-translate.md?tabs=curl) to make translation requests.
+
+## Create a workspace
+
+1. After you sign-in to Custom Translator, you will be asked for permission to read your profile from the Microsoft identity platform to request your user access token and refresh token. Both tokens are needed for authentication and to ensure that you aren't signed out during your live session or while training your models. </br>Select **Yes**.
+
+ :::image type="content" source="media/quickstart/first-time-user.png" alt-text="Screenshot illustrating how to create a workspace.":::
+++
+1. Select **My workspaces**
+
+1. Select **Create a new workspace**
+
+1. Type _Contoso MT models_ for **Workspace name** and select **Next**
+
+1. Select "Global" for **Select resource region** from the dropdown list.
+
+1. Copy/paste your Translator Services key.
+
+1. Select **Next**.
+
+1. Select **Done**
+
+ >[!Note]
+ > Region must match the region that was selected during the resource creation. You can use **KEY 1** or **KEY 2.**
+
+ :::image type="content" source="media/quickstart/resource-key.png" alt-text="Screenshot illustrating the resource key.":::
+
+ :::image type="content" source="media/quickstart/create-workspace-1.png" alt-text="Screenshot illustrating workspace creation.":::
+
+## Create a project
+
+Once the workspace is created successfully, you will be taken to the **Projects** page.
+
+You will create English-to-German project to train a custom model with only a [training](../training-and-model.md#training-document-type-for-custom-translator) document type.
+
+1. Select **Create project**.
+
+1. Type *English-to-German* for **Project name**.
+
+1. Select *English (en)* as **Source language** from the dropdown list.
+
+1. Select *German (de)* as **Target language** from the dropdown list.
+
+1. Select *General* for **Domain** from the dropdown list.
+
+1. Select **Create project**
+
+ :::image type="content" source="media/quickstart/create-project.png" alt-text="Screenshot illustrating how to create a project.":::
+
+## Upload documents
+
+In order to create a custom model, you need to upload all or a combination of [training](../training-and-model.md#training-document-type-for-custom-translator), [tuning](../training-and-model.md#tuning-document-type-for-custom-translator), [testing](../training-and-model.md#testing-dataset-for-custom-translator), and [dictionary](../what-is-dictionary.md) document types.
+
+In this quickstart, you will upload [training](../training-and-model.md#training-document-type-for-custom-translator) documents for customization.
+
+>[!Note]
+> You can use our sample training, phrase and sentence dictionaries dataset, [Customer sample English-to-German datasets](https://github.com/MicrosoftTranslator/CustomTranslatorSampleDatasets), for this quickstart. However, for production, it's better to upload your own training dataset.
+
+1. Select *English-to-German* project name.
+
+1. Select the **Manage documents** blade.
+
+1. Select **Add document set**.
+
+1. Check the **Training set** box and select **Next**.
+
+1. Keep **Parallel documents** checked and type *sample-English-German*.
+
+1. Under the **Source (English - EN) file**, select **Browse files** and select *sample-English-German-Training-en.txt*.
+
+1. Under **Target (German - EN) file**, select **Browse files** and select *sample-English-German-Training-de.txt*.
+
+1. Select **Upload**
+
+ >[!Note]
+ >You can upload the sample phrase and sentence dictionaries dataset. This step is left for you to complete.
+
+ :::image type="content" source="media/quickstart/upload-model.png" alt-text="Screenshot illustrating how to upload documents.":::
+
+## Train your model
+
+Now you are ready to train your English-to-German model.
+
+1. Select the **Train model** blade.
+
+1. Type *en-de with sample data* for **Model name**.
+
+1. Keep **Full training** checked.
+
+1. Under **Select documents**, check *sample-English-German* and review the training cost associated with the selected number of sentences.
+
+1. Select **Train now**.
+
+1. Select **Train** to confirm.
+
+ >[!Note]
+ >**Notifications** displays model training in progress, e.g., **Submitting data** state. Training model takes few hours, subject to the number of selected sentences.
+
+ :::image type="content" source="media/quickstart/train-model.png" alt-text="Screenshot illustrating how to create a model.":::
+
+1. After successful model training, select the **Model details** blade.
+
+1. Select the model name *en-de with sample data* to review training date/time, total training time, number of sentences used for training, tuning, testing, dictionary, and whether the system generated the test and tuning sets. You will use the `Category ID` to make translation requests.
+
+1. Evaluate the model [BLEU](beginners-guide.md#what-is-a-bleu-score) score. Using the test set, **BLEU score** is the custom model score and **Baseline BLEU** is the pre-trained baseline model used for customization. A higher **BLEU score** means higher translation quality using the custom model.
+
+ >[!Note]
+ >If you train with our shared customer sample datasets, BLEU score will be different than the image.
+
+ :::image type="content" source="media/quickstart/model-details.png" alt-text="Screenshot illustrating model details.":::
+
+## Test your model
+
+Once your training has completed successfully, inspect the test set translated sentences.
+
+1. Select **Test model** blade
+2. Select "en-de with sample data"
+3. Human evaluate translation from **New model** (custom model), and **Baseline model** (our pre-trained baseline used for customization) against **Reference** (target translation from the test set)
+
+## Publish your model
+
+Publishing your model makes it available for use with the Translator API. A project might have one or many successfully trained models. You can only publish one model per project; however, you can publish a model to one or multiple regions depending on your needs. For more information, see [Translator pricing](https://azure.microsoft.com/pricing/details/cognitive-services/translator/#pricing).
+
+1. Select the **Publish model** blade.
+
+1. Select *en-de with sample data* and select **Publish**.
+
+1. Check the desired region(s).
+
+1. Select **Publish**. The status should transition from _Deploying_ to _Deployed_.
+
+ :::image type="content" source="media/quickstart/publish-model.png" alt-text="Screenshot illustrating how to deploy a trained model.":::
+
+## Translate text
+
+1. Developers should use the `Category ID` when making translation requests using Microsoft Translator [Text API V3](../../reference/v3-0-translate.md?tabs=curl). More information about the Translator Text API can be found on the [API Reference](../../reference/v3-0-reference.md) webpage.
+
+1. Business users may want to download and install our free [DocumentTranslator app for Windows](https://github.com/MicrosoftTranslator/DocumentTranslator/releases/tag/V2.9.4).
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Learn how to manage workspaces](how-to/create-manage-workspace.md)
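Review bot: the target-file step labels the field `Target (German - EN) file`, but the project's target language is German (de), so this should read `Target (German - DE) file`, mirroring `Source (English - EN) file` two lines above. Smaller points in the same hunk: the `Test your model` list uses `1. 2. 3.` while every other list on the page uses repeated `1.` markers; `Training model takes few hours` should read `Training a model takes a few hours`; and the line containing only `++` after the first screenshot looks like stray characters rather than content. The note `You can use **KEY 1** or **KEY 2.**` belongs next to the `Copy/paste your Translator Services key` step it qualifies, not after `Select **Done**`.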
cognitive-services Disconnected Containers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/containers/disconnected-containers.md
Previously updated : 01/14/2022 Last updated : 01/20/2022
docker pull mcr.microsoft.com/azure-cognitive-services/form-recognizer/invoice:l
## Configure the container to be run in a disconnected environment
-Now that you've downloaded your container, you will need to run the container with the `DownloadLicense=True` parameter in your `docker run` command. This parameter will download a license file that will enable your Docker container to run when it isn't connected to the internet. It also contains an expiration date, after which the license file will be invalid to run the container.
+Now that you've downloaded your container, you will need to run the container with the `DownloadLicense=True` parameter in your `docker run` command. This parameter will download a license file that will enable your Docker container to run when it isn't connected to the internet. It also contains an expiration date, after which the license file will be invalid to run the container. You can only use a license file with the appropriate container that you've been approved for. For example, you cannot use a license file for a speech-to-text container with a form recognizer container.
> [!IMPORTANT]
-> * You can only use a license file with the appropriate container that you've been approved for. For example, you cannot use a license file for a speech-to-text container with a form recognizer container.
-> * If you're using the [Translator container](../translator/containers/translator-how-to-install-container.md), using the example below will generate a docker `run` template that you can use to run the container, containing parameters you will need for the downloaded models and configuration file. Make sure you save this template.
+> * [**Translator container only**](../translator/containers/translator-how-to-install-container.md):
+> * You must include a parameter to download model files for the [languages](../translator/language-support.md) you want to translate. For example: `-e Languages=en,es`
+> * The container will generate a `docker run` template that you can use to run the container, containing parameters you will need for the downloaded models and configuration file. Make sure you save this template.
The following example shows the formatting of the `docker run` command you'll use, with placeholder values. Replace these placeholder values with your own values.
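Review bot: the sentence stating that a license file only works with the container it was approved for has been moved out of the `[!IMPORTANT]` callout into the body paragraph; since that restriction is what prevents a license downloaded for one container type from being reused with another, keep it in the callout (or at least keep the callout's first bullet) so it stays visible beside the Translator-only bullets. The two Translator bullets (`You must include a parameter to download model files ...` and `The container will generate a docker run template ...`) are written at the same level as `* [**Translator container only**]`, so they will render as siblings rather than as sub-bullets; indent them.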
cognitive-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/language-service/custom-classification/how-to/call-api.md
First you will need to get your resource key and endpoint
4. After you've installed the client library, use the following samples on GitHub to start calling the API.
- Single category:
- * [C#](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/textanalytics/Azure.AI.TextAnalytics/tests/samples/Sample10_SingleCategoryClassify.cs)
+ Single label classification:
+ * [C#](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/textanalytics/Azure.AI.TextAnalytics/samples/Sample10_SingleCategoryClassify.md)
* [Java](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/textanalytics/azure-ai-textanalytics/src/samples/java/com/azure/ai/textanalytics/lro/ClassifyDocumentSingleCategory.java) * [JavaScript](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/textanalytics/ai-text-analytics/samples/v5/javascript/customText.js) * [Python](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/textanalytics/azure-ai-textanalytics/samples/sample_single_category_classify.py)
- Multiple category:
- * [C#](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/textanalytics/Azure.AI.TextAnalytics/tests/samples/Sample11_MultiCategoryClassify.cs)
+ Multiple label classification:
+ * [C#](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/textanalytics/Azure.AI.TextAnalytics/samples/Sample11_MultiCategoryClassify.md)
* [Java](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/textanalytics/azure-ai-textanalytics/src/samples/java/com/azure/ai/textanalytics/lro/ClassifyDocumentMultiCategory.java) * [JavaScript](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/textanalytics/ai-text-analytics/samples/v5/javascript/customText.js) * [Python](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/textanalytics/azure-ai-textanalytics/samples/sample_multi_category_classify.py)
cognitive-services Call Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/language-service/custom-named-entity-recognition/how-to/call-api.md
First you will need to get your resource key and endpoint
4. After you've installed the client library, use the following samples on GitHub to start calling the API.
- * [C#](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/textanalytics/Azure.AI.TextAnalytics/tests/samples/Sample9_RecognizeCustomEntitiesConvenience.cs)
+ * [C#](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/textanalytics/Azure.AI.TextAnalytics/samples/Sample9_RecognizeCustomEntities.md)
* [Java](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/textanalytics/azure-ai-textanalytics/src/samples/java/com/azure/ai/textanalytics/lro/RecognizeCustomEntities.java) * [JavaScript](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/textanalytics/ai-text-analytics/samples/v5/javascript/customText.js) * [Python](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/textanalytics/azure-ai-textanalytics/samples/sample_recognize_custom_entities.py)
cognitive-services Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/language-service/custom-named-entity-recognition/overview.md
Using Custom NER typically involves several different steps.
## Next steps
-* Use the [quickstart article](quickstart.md) to start using custom text classification.
+* Use the [quickstart article](quickstart.md) to start using custom named entity recognition.
* As you go through the application development lifecycle, review the [glossary](glossary.md) to learn more about the terms used throughout the documentation for this feature.
cognitive-services Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Cognitive Services description: Lists Azure Policy Regulatory Compliance controls available for Azure Cognitive Services. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
communication-services Calling Sdk Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/voice-video-calling/calling-sdk-features.md
The following list presents the set of features which are currently available in
| Screen sharing | Share the entire screen from within the application | ✔️ | ❌ | ❌ | ❌ | | | Share a specific application (from the list of running applications) | ✔️ | ❌ | ❌ | ❌ | | | Share a web browser tab from the list of open tabs | ✔️ | ❌ | ❌ | ❌ |
+| | Share system audio during screen sharing | ❌ | ❌ | ❌ | ❌ |
| | Participant can view remote screen share | ✔️ | ✔️ | ✔️ | ✔️ | | Roster | List participants | ✔️ | ✔️ | ✔️ | ✔️ | | | Remove a participant | ✔️ | ✔️ | ✔️ | ✔️ |
container-registry Container Registry Java Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/container-registry-java-quickstart.md
Title: Quickstart - Build and push Java container images to Azure Container Registry using Maven and Jib
-description: Build a containerized Java app and push it to Azure Container Registry using the Maven Jib plugin.
+ Title: Quickstart - Build and push container images of the Java Spring Boot App to Azure Container Registry
+description: Learn to build and push a containerized Java Spring Boot app to the Azure Container Registry using Maven and Jib plugin.
Previously updated : 02/26/2020 Last updated : 01/18/2022
-# Quickstart: Build and push Java container images to Azure Container Registry
+# Quickstart: Build and push container images of the Java Spring Boot app to Azure Container Registry
-This quickstart shows you how to build a containerized Java app and push it to Azure Container Registry using the Maven Jib plugin. The use of Maven and Jib is one example of using developer tooling to interact with an Azure container registry.
+You can use this Quickstart to build container images of Java Spring Boot app and push it to Azure Container Registry using Maven and Jib. Maven and Jib are one way of using developer tooling to interact with an Azure container registry.
## Prerequisites
-* An Azure subscription; if you don't already have an Azure subscription, you can activate your [MSDN subscriber benefits](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details) or sign up for a [free Azure account](https://azure.microsoft.com/pricing/free-trial).
+* An Azure subscription; Sign up for a [free Azure account](https://azure.microsoft.com/pricing/free-trial) or activate [MSDN subscriber benefits](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details) if you don't already have an Azure subscription.
+* A supported Java Development Kit (JDK); For more information on available JDKs when developing on Azure, see [Java support on Azure and Azure Stack](/azure/developer/java/fundamentals/java-support-on-azure).
* The [Azure CLI](/cli/azure/overview).
-* A supported Java Development Kit (JDK). For more information about the JDKs available for use when developing on Azure, see [Java support on Azure and Azure Stack](/azure/developer/java/fundamentals/java-support-on-azure).
-* Apache's [Maven](http://maven.apache.org) build tool (Version 3 or above).
+* The Apache's [Maven](http://maven.apache.org) build tool (Version 3 or above).
* A [Git](https://git-scm.com) client. * A [Docker](https://www.docker.com) client. * The [ACR Docker credential helper](https://github.com/Azure/acr-docker-credential-helper).
-## Create the Spring Boot on Docker Getting Started web app
+## Create and build a Spring Boot application on Docker
-The following steps walk you through building a Spring Boot web application and testing it locally.
+The following steps walk you through building a containerized Java Spring Boot web application and testing it locally.
1. From the command prompt, use the following command to clone the [Spring Boot on Docker Getting Started](https://github.com/spring-guides/gs-spring-boot-docker) sample project.
The following steps walk you through building a Spring Boot web application and
git clone https://github.com/spring-guides/gs-spring-boot-docker.git ```
-1. Change directory to the completed project.
+1. Change directory to the complete project.
```bash cd gs-spring-boot-docker/complete
Finally, you'll update your project configuration and use the command prompt to
</properties> ```
-1. Update the `<plugins>` collection in the *pom.xml* file so that the `<plugin>` element contains and entry for the `jib-maven-plugin`, as shown in the following example. Note that we are using a base image from the Microsoft Container Registry (MCR): `mcr.microsoft.com/java/jdk:8-zulu-alpine`, which contains an officially supported JDK for Azure. For other MCR base images with officially supported JDKs, see [Java SE JDK](https://hub.docker.com/_/microsoft-java-jdk), [Java SE JRE](https://hub.docker.com/_/microsoft-java-jre), [Java SE Headless JRE](https://hub.docker.com/_/microsoft-java-jre-headless), and [Java SE JDK and Maven](https://hub.docker.com/_/microsoft-java-maven).
+1. Update the `<plugins>` collection in the *pom.xml* file so that the `<plugin>` element contains and an entry for the `jib-maven-plugin`, as shown in the following example. Note that we are using a base image from the Microsoft Container Registry (MCR): `mcr.microsoft.com/java/jdk:8-zulu-alpine`, which contains an officially supported JDK for Azure. For other MCR base images with officially supported JDKs, see [Java SE JDK](https://hub.docker.com/_/microsoft-java-jdk), [Java SE JRE](https://hub.docker.com/_/microsoft-java-jre), [Java SE Headless JRE](https://hub.docker.com/_/microsoft-java-jre-headless), and [Java SE JDK and Maven](https://hub.docker.com/_/microsoft-java-maven).
```xml <plugin>
Finally, you'll update your project configuration and use the command prompt to
</plugin> ```
-1. Navigate to the completed project directory for your Spring Boot application and run the following command to build the image and push the image to the registry:
+1. Navigate to the complete project directory for your Spring Boot application and run the following command to build the image and push the image to the registry:
```bash az acr login && mvn compile jib:build
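Review bot: the new front-matter line ` Title: Quickstart - Build and push container images of the Java Spring Boot App ...` is indented by one space and the previous `Title:` line is not removed, so the YAML header ends up with a duplicate, mis-indented key; replace the old line in place instead. In the same hunk, `contains and an entry for the jib-maven-plugin` should be `contains an entry` (the original `and entry` typo was made worse rather than fixed), `The Apache's [Maven] build tool` should stay `Apache's [Maven] build tool`, `build container images of Java Spring Boot app and push it` should be `build container images of a Java Spring Boot app and push them`, and the rewritten prerequisite bullets capitalize after a semicolon (`subscription; Sign up`, `(JDK); For more information`) where a period or lowercase is needed.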
container-registry Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/resource-graph-samples.md
Title: Azure Resource Graph sample queries for Azure Container Registry description: Sample Azure Resource Graph queries for Azure Container Registry showing use of resource types and tables to access Azure Container Registry related resources and properties. Previously updated : 12/20/2021 Last updated : 01/20/2022
container-registry Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Container Registry description: Lists Azure Policy Regulatory Compliance controls available for Azure Container Registry. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
cosmos-db Continuous Backup Restore Introduction https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/continuous-backup-restore-introduction.md
To restore Azure Cosmos DB live accounts that are not deleted, it is a best prac
## Restore scenarios
-The following are some of the key scenarios that are addressed by the point-in-time-restore feature. Scenarios [a] through [c] demonstrate how to trigger a restore if the restore timestamp is known beforehand.
-However, there could be scenarios where you don't know the exact time of accidental deletion or corruption. Scenarios [d] and [e] demonstrate how to _discover_ the restore timestamp using the new event feed APIs on the restorable database or containers.
+The following are some of the key scenarios that are addressed by the point-in-time-restore feature. Scenarios [1] through [3] demonstrate how to trigger a restore if the restore timestamp is known beforehand.
+However, there could be scenarios where you don't know the exact time of accidental deletion or corruption. Scenarios [4] and [5] demonstrate how to _discover_ the restore timestamp using the new event feed APIs on the restorable database or containers.
:::image type="content" source="./media/continuous-backup-restore-introduction/restorable-account-scenario.png" alt-text="Life-cycle events with timestamps for a restorable account." lightbox="./media/continuous-backup-restore-introduction/restorable-account-scenario.png" border="false"::: 1. **Restore deleted account** - All the deleted accounts that you can restore are visible from the **Restore** pane. For example, if *Account A* is deleted at timestamp T3. In this case the timestamp just before T3, location, target account name, resource group, and target account name is sufficient to restore from [Azure portal](restore-account-continuous-backup.md#restore-deleted-account), [PowerShell](restore-account-continuous-backup.md#trigger-restore-ps), or [CLI](restore-account-continuous-backup.md#trigger-restore-cli).
+ :::image type="content" source="./media/continuous-backup-restore-introduction/restorable-container-database-scenario.png" alt-text="Life-cycle events with timestamps for a restorable database and container." lightbox="./media/continuous-backup-restore-introduction/restorable-container-database-scenario.png" border="false":::
2. **Restore data of an account in a particular region** - For example, if *Account A* exists in two regions *East US* and *West US* at timestamp T3. If you need a copy of account A in *West US*, you can do a point in time restore from [Azure portal](restore-account-continuous-backup.md#restore-deleted-account), [PowerShell](restore-account-continuous-backup.md#trigger-restore-ps), or [CLI](restore-account-continuous-backup.md#trigger-restore-cli) with West US as the target location.
Azure Cosmos DB allows you to isolate and restrict the restore permissions for c
Azure Cosmos DB accounts that have continuous backup enabled will incur an additional monthly charge to *store the backup* and to *restore your data*. The restore cost is added every time the restore operation is initiated. If you configure an account with continuous backup but don't restore the data, only backup storage cost is included in your bill.
-The following example is based on the price for an Azure Cosmos account deployed in a non-government region in the US. The pricing and calculation can vary depending on the region you are using, see the [Azure Cosmos DB pricing page](https://azure.microsoft.com/pricing/details/cosmos-db/) for latest pricing information.
+The following example is based on the price for an Azure Cosmos account deployed in West US. The pricing and calculation can vary depending on the region you are using, see the [Azure Cosmos DB pricing page](https://azure.microsoft.com/pricing/details/cosmos-db/) for latest pricing information.
* All accounts enabled with continuous backup policy incur an additional monthly charge for backup storage that is calculated as follows:
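Review bot: renumbering the scenario references from [a]-[e] to [1]-[5] now matches the numbered list, but the unchanged scenario 1 sentence directly below still lists `target account name` twice (`location, target account name, resource group, and target account name`); drop the duplicate while this passage is being edited. Also confirm the placement of the new restorable database/container figure between scenarios 1 and 2: the account figure precedes scenario 1, so a reader may expect the second figure beside the database/container scenarios it illustrates rather than in the middle of the account scenarios.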
cosmos-db Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/resource-graph-samples.md
Title: Azure Resource Graph sample queries for Azure Cosmos DB description: Sample Azure Resource Graph queries for Azure Cosmos DB showing use of resource types and tables to access Azure Cosmos DB related resources and properties. Previously updated : 12/20/2021 Last updated : 01/20/2022
cosmos-db Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Cosmos DB description: Lists Azure Policy Regulatory Compliance controls available for Azure Cosmos DB. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
data-factory Create Self Hosted Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/create-self-hosted-integration-runtime.md
Here is a high-level summary of the data-flow steps for copying with a self-host
- The supported versions of Windows are: - Windows 8.1 - Windows 10
+ - Windows 11
- Windows Server 2012 - Windows Server 2012 R2 - Windows Server 2016
For example, to copy from an on-premises data store to a SQL Database sink or an
> [!NOTE] > If your firewall doesn't allow outbound port 1433, the self-hosted integration runtime can't access the SQL database directly. In this case, you can use a [staged copy](copy-activity-performance.md) to SQL Database and Azure Synapse Analytics. In this scenario, you require only HTTPS (port 443) for the data movement.
+## Credentials store
+There are two ways to store the credentials when using self-hosted integration runtime:
+1. Use Azure Key Vault.
+This is the recommended way to store your credentials in Azure. The self-hosted integration runtime can directly get the credentials from Azure Key Vault which can highly avoid some potential security issues or any credential in-sync problems between self-hosted integration runtime nodes.
+2. Store credentials locally.
+The credentials will be push to the machine of your self-hosted integration runtime and be encrypted.
+When your self-hosted integration runtime is recovered from crash, you can either recover credential from the one you backup before or edit linked service and let the credential be pushed to self-hosted integration runtime again. Otherwise, the pipeline doesn't work due to the lack of credential when running via self-hosted integration runtime.
+> [!NOTE]
+> If you prefer to store the credential locally, your need to put the domain for interactive authoring in the allowlist of your firewall
+> and open the port. This channel is also for the self-hosted integration runtime to get the credentials.
+> For the domain and port needed for interactive authoring, refer to [Ports and firewalls](#ports-and-firewalls)
+ ## Installation best practices You can install the self-hosted integration runtime by downloading a Managed Identity setup package from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=39717). See the article [Move data between on-premises and cloud](tutorial-hybrid-copy-powershell.md) for step-by-step instructions.
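Review bot: the Key Vault option should state its security benefit concretely instead of `which can highly avoid some potential security issues or any credential in-sync problems`: with Key Vault the runtime fetches credentials on demand, so nothing is pushed to and persisted on each node, there is nothing to keep in sync across nodes, and nothing to restore after a crash, which is exactly the failure mode the local-storage paragraph then describes. Grammar in the same hunk: `The credentials will be push to the machine` should be `are pushed to the machine`, `is recovered from crash` should be `recovers from a crash`, `the one you backup before` should be `the backup you made earlier`, and `your need to put the domain` should be `you need to add the domain`. The added line ` ## Installation best practices You can install ...` begins with a space and runs the heading into the paragraph, so the heading will not render.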
data-factory Data Flow Assert https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-flow-assert.md
Select ```fail data flow``` if you wish to have your data flow activity fail imm
### Assert ID
-Assert ID is a property where you will enter a (string) name for your assertion. You will be able to use the identifier later downstream in your data flow using ```hasError()``` or to output the assertion failure code.
+Assert ID is a property where you will enter a (string) name for your assertion. You will be able to use the identifier later downstream in your data flow using ```hasError()``` or to output the assertion failure code. Assert IDs must be unique within each dataflow.
### Assert description
data-factory Data Flow Conditional Split https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-flow-conditional-split.md
Previously updated : 09/09/2021 Last updated : 01/20/2022 # Conditional split transformation in mapping data flow
CleanData
split( year < 1960, year > 1980,
- disjoint: false
+ disjoint: true
) ~> SplitByYear@(moviesBefore1960, moviesAfter1980, AllOtherMovies) ```
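Review bot: flipping `disjoint: false` to `disjoint: true` changes the split mode from one behaviour (rows routed by the first matching condition versus rows routed to every matching condition) to the other, so the surrounding prose and screenshot describing the `SplitByYear` example must be checked to say the same mode as the script. With these particular conditions (`year < 1960`, `year > 1980`) no row can satisfy both, so the output streams are identical either way; the commit message or text should say whether this is a correctness fix or just aligning with the UI.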
data-factory Data Flow Parse https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-flow-parse.md
Previously updated : 05/10/2021 Last updated : 01/19/2022 # Parse transformation in mapping data flow
Last updated 05/10/2021
[!INCLUDE[data-flow-preamble](includes/data-flow-preamble.md)]
-Use the Parse transformation to parse columns in your data that are in document form. The current supported types of embedded documents that can be parsed are JSON, XML, and delimited text.
+Use the Parse transformation to parse text columns in your data that are strings in document form. The current supported types of embedded documents that can be parsed are JSON, XML, and delimited text.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWykdO]
In the parse transformation configuration panel, you will first pick the type of
### Column
-Similar to derived columns and aggregates, this is where you will either modify an exiting column by selecting it from the drop-down picker. Or you can type in the name of a new column here. ADF will store the parsed source data in this column. In most cases, you will want to define a new column that parses the incoming embedded document field.
+Similar to derived columns and aggregates, this is where you will either modify an exiting column by selecting it from the drop-down picker. Or you can type in the name of a new column here. ADF will store the parsed source data in this column. In most cases, you will want to define a new column that parses the incoming embedded document string field.
### Expression
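Review bot: the rewritten `Column` sentence keeps the typo `modify an exiting column` (should be `existing column`) and still splits `either ... or` across two sentences (`... from the drop-down picker. Or you can type ...`); join them into one. The front matter now carries both `Last updated : 01/19/2022` and a stale `Last updated 05/10/2021` line, so one of them should go. The change from `parse columns` to `parse text columns in your data that are strings in document form` is a clear improvement.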
data-lake-analytics Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-lake-analytics/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Data Lake Analytics description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Lake Analytics. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
data-lake-store Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-lake-store/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Data Lake Storage Gen1 description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Lake Storage Gen1. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
databox Data Box Deploy Copy Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-deploy-copy-data.md
Previously updated : 11/10/2021 Last updated : 01/20/2022 # Customer intent: As an IT admin, I need to be able to copy data to Data Box to upload on-premises data from my server onto Azure.
Once you're connected to the Data Box shares, the next step is to copy data. Bef
After you connect to the SMB share, begin the data copy. You can use any SMB-compatible file copy tool, such as Robocopy, to copy your data. Multiple copy jobs can be initiated using Robocopy. Use the following command: ```console
-robocopy <Source> <Target> * /e /r:3 /w:60 /is /nfl /ndl /np /MT:32 or 64 /fft /Log+:<LogFile>
+robocopy <Source> <Target> * /e /r:3 /w:60 /is /nfl /ndl /np /MT:32 or 64 /fft /B /Log+:<LogFile>
``` The attributes are described in the following table.
The attributes are described in the following table.
|/np |Specifies that the progress of the copying operation (the number of files or directories copied so far) will not be displayed. Displaying the progress significantly lowers the performance. | |/MT | Use multithreading, recommended 32 or 64 threads. This option not used with encrypted files. You may need to separate encrypted and unencrypted files. However, single threaded copy significantly lowers the performance. | |/fft | Use to reduce the time stamp granularity for any file system. |
-|/b | Copies files in Backup mode. |
+|/B | Copies files in Backup mode. |
|/z | Copies files in Restart mode, use this if the environment is unstable. This option reduces throughput due to additional logging. | | /zb | Uses Restart mode. If access is denied, this option uses Backup mode. This option reduces throughput due to checkpointing. | |/efsraw | Copies all encrypted files in EFS raw mode. Use only with encrypted files. |
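Review bot: the row added as `+|/B | Copies files in Backup mode. |` should say what Backup mode requires and does, as the neighbouring `/zb` row does for its Restart-then-Backup fallback: robocopy reads via SeBackupPrivilege regardless of the file ACLs, so the switch needs an account with Backup Operator or administrator rights. Robocopy switches are case-insensitive, so `/b` to `/B` only aligns the table with the command above; the substantive gap is the missing privilege caveat.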
databox Data Box File Acls Preservation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-file-acls-preservation.md
Previously updated : 07/16/2021 Last updated : 01/20/2022
To transfer the ACLs, timestamps, and attributes for your data, use the followin
To copy data to your Data Box via SMB, use an SMB-compatible file copy tool such as `robocopy`. The following sample command copies all files and directories, transferring metadata along with the data.
-When using the `/copyall` or `/dcopy:DAT` option, make sure the required Backup Operator privileges aren't disabled. For more information, see [Use the local web UI to administer your Data Box and Data Box Heavy](./data-box-local-web-ui-admin.md).
+When using the `/copyall` or `/dcopy:DAT` option, make sure the required Backup Operator privileges aren't disabled. For more information, see [Use the local web UI to administer your Data Box and Data Box Heavy](./data-box-local-web-ui-admin.md).
```console
-robocopy <Source> <Target> * /copyall /e /dcopy:DAT /r:3 /w:60 /is /nfl /ndl /np /MT:32 or 64 /fft /log+:<LogFile>
+robocopy <Source> <Target> * /copyall /e /dcopy:DAT /B /r:3 /w:60 /is /nfl /ndl /np /MT:32 or 64 /fft /log+:<LogFile>
``` where
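Review bot: the sentence `+When using the `/copyall` or `/dcopy:DAT` option, make sure the required Backup Operator privileges aren't disabled.` shows no visible textual change (presumably trailing whitespace), but it now sits above a command that also passes `/B`, and `/B` is the switch that reads in Backup mode via SeBackupPrivilege and bypasses source ACLs, so extend the sentence to name `/B` as well. In the same hunk, `/MT:32 or 64` in `+robocopy <Source> <Target> * /copyall /e /dcopy:DAT /B ...` is not valid syntax; pick one value and let the table explain the alternative.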
where
|`/copyall` |Copies all attributes.| |`/e` |Copies subdirectories, including empty directories. | |`/dcopy:DAT` |Copies data, attributes, and timestamps. Note: The /dcopy:DAT option must be used to transfer `CreationTime` on directories. |
+|`/B` |Copies files in Backup mode. |
|`/r:3` |Specifies 3 retries on failed copies. | |`/w:60` |Specifies a wait time of 60 seconds between retries. | |`/is` |Includes the same files. |
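Review bot: the new row `+|`/B` |Copies files in Backup mode. |` says less than the neighbouring rows and omits the one thing a reader needs: Backup mode depends on the Backup Operator privilege the paragraph above mentions, and it copies files regardless of their ACLs. A description like "Copies files in Backup mode, reading them with backup privileges regardless of their ACLs; requires Backup Operator or administrator rights" would make the row self-explanatory.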
databox Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Data Box description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Box. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
ddos-protection Ddos Protection Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/ddos-protection/ddos-protection-overview.md
Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. A DDoS attack attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.
-Every property in Azure is protected by Azure's infrastructure DDoS (Basic) Protection at no additional cost. The scale and capacity of the globally deployed Azure network provides defense against common network-layer attacks through always-on traffic monitoring and real-time mitigation. DDoS Protection Basic requires no user configuration or application changes. DDoS Protection Basic helps protect all Azure services, including PaaS services like Azure DNS.
-
-Azure DDoS Protection Standard, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to help protect your specific Azure resources in a virtual network. Protection is simple to enable on any new or existing virtual network, and it requires no application or resource changes. It has several advantages over the basic service, including logging, alerting, and telemetry.
-
-![Azure DDoS Protection Service Comparison](./media/ddos-protection-overview/ddos-comparison.png)
+Azure DDoS Protection Standard, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to help protect your specific Azure resources in a virtual network. Protection is simple to enable on any new or existing virtual network, and it requires no application or resource changes.
Azure DDoS protection does not store customer data.
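Review bot: deleting the whole `-Every property in Azure is protected by Azure's infrastructure DDoS (Basic) Protection at no additional cost.` paragraph together with the comparison image drops two facts readers use when deciding whether to pay for Standard: that infrastructure-level protection is always on at no cost, and that Standard adds logging, alerting and telemetry (the removed `-...It has several advantages over the basic service, including logging, alerting, and telemetry.` sentence). The second hunk below keeps a one-line mention of infrastructure protection, but nothing now says what Standard adds beyond "enhanced mitigation". Keep a sentence such as "Standard adds attack telemetry, alerting and mitigation logs on top of the infrastructure protection every Azure endpoint receives." Also confirm `media/ddos-protection-overview/ddos-comparison.png` is deleted or still referenced elsewhere so no orphaned asset is left behind.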
To learn about Azure DDoS Protection Standard pricing, see [Azure DDoS Protectio
## Reference architectures
-DDoS Protection Standard is designed for [services that are deployed in a virtual network](../virtual-network/virtual-network-for-azure-services.md). For other services, the default DDoS Protection Basic service applies. To learn more about supported architectures, see [DDoS Protection reference architectures](./ddos-protection-reference-architectures.md).
+DDoS Protection Standard is designed for [services that are deployed in a virtual network](../virtual-network/virtual-network-for-azure-services.md). For other services, the default infrastructure-level DDoS protection applies, which defends against common network-layer attacks. To learn more about supported architectures, see [DDoS Protection reference architectures](./ddos-protection-reference-architectures.md).
## Next steps
ddos-protection Ddos Protection Reference Architectures https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/ddos-protection/ddos-protection-reference-architectures.md
# DDoS Protection reference architectures
-DDoS Protection Standard is designed [for services that are deployed in a virtual network](../virtual-network/virtual-network-for-azure-services.md). For other services, the default DDoS Protection Basic service applies. The following reference architectures are arranged by scenarios, with architecture patterns grouped together.
+DDoS Protection Standard is designed [for services that are deployed in a virtual network](../virtual-network/virtual-network-for-azure-services.md). The following reference architectures are arranged by scenarios, with architecture patterns grouped together.
> [!NOTE] > Protected resources include public IPs attached to an IaaS VM, Load Balancer (Classic & Standard Load Balancers), Application Gateway (including WAF) cluster, Firewall, Bastion, VPN Gateway, Service Fabric or an IaaS based Network Virtual Appliance (NVA). PaaS services (multitenant) are not supported at present. This includes Azure App Service Environment for PowerApps or API management in a virtual network with a public IP.
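Review bot: this hunk deletes the "For other services, the default DDoS Protection Basic service applies." sentence outright, while the overview article in the same batch rewords it to "the default infrastructure-level DDoS protection applies, which defends against common network-layer attacks". Use the same reworded sentence here so the two articles stay consistent and readers of this one still learn that resources outside a virtual network are not unprotected. Without it, the NOTE that follows, `> PaaS services (multitenant) are not supported at present.`, reads as if those services have no DDoS protection at all.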
ddos-protection Ddos Protection Standard Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/ddos-protection/ddos-protection-standard-features.md
DDoS protection drops attack traffic and forwards the remaining traffic to its i
## Adaptive real time tuning
-The Azure DDoS Protection Basic service helps protect customers and prevent impacts to other customers. For example, if a service is provisioned for a typical volume of legitimate incoming traffic that's smaller than the *trigger rate* of the infrastructure-wide DDoS Protection policy, a DDoS attack on that customerΓÇÖs resources might go unnoticed. More generally, the complexity of recent attacks (for example, multi-vector DDoS) and the application-specific behaviors of tenants call for per-customer, tailored protection policies. The service accomplishes this by using two insights:
+The complexity of attacks (for example, multi-vector DDoS attacks) and the application-specific behaviors of tenants call for per-customer, tailored protection policies. The service accomplishes this by using two insights:
-- Automatic learning of per-customer (per- Public IP) traffic patterns for Layer 3 and 4.
+- Automatic learning of per-customer (per-Public IP) traffic patterns for Layer 3 and 4.
- Minimizing false positives, considering that the scale of Azure allows it to absorb a significant amount of traffic.
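Review bot: the replacement sentence `+The complexity of attacks (for example, multi-vector DDoS attacks) and the application-specific behaviors of tenants call for per-customer, tailored protection policies.` removes the example that motivated the section: a resource provisioned for traffic below the infrastructure-wide policy's trigger rate can be attacked without the platform-level mitigation ever engaging. That is the concrete reason per-customer tuning exists; without it, "tailored protection policies" is an assertion. Keep one sentence of it, reworded to avoid the "Basic" product name if that is the goal, for example "An attack that stays below the infrastructure-wide trigger rate can still overwhelm a resource provisioned for modest traffic."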
defender-for-cloud Asset Inventory https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-cloud/asset-inventory.md
The asset management possibilities for this tool are substantial and continue to
|Release state:|General availability (GA)| |Pricing:|Free*<br>* Some features of the inventory page, such as the [software inventory](#access-a-software-inventory) require paid solutions to be in-place| |Required roles and permissions:|All users|
-|Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: National (Azure Government, Azure China 21Vianet)|
+|Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/no-icon.png"::: National (Azure Government, Azure China 21Vianet)|
||| ## What are the key features of asset inventory?
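Review bot: flipping national clouds from `yes-icon` to `no-icon` is a support-matrix change, not a typo fix, and the single icon applies it to both Azure Government and Azure China 21Vianet at once. Confirm the withdrawal covers both, and add a line to the release notes, which are being edited for January in this same batch, so customers in those clouds learn why the inventory page changed. If only some capabilities are unavailable there (for example the paid software inventory called out in the `Pricing` row), a partial-support entry would be more accurate than a blanket "no".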
defender-for-cloud Custom Dashboards Azure Workbooks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-cloud/custom-dashboards-azure-workbooks.md
Title: Workbooks gallery in Microsoft Defender for Cloud description: Learn how to create rich, interactive reports of your Microsoft Defender for Cloud data with the integrated Azure Monitor Workbooks gallery Previously updated : 11/09/2021 Last updated : 01/20/2022 # Create rich, interactive reports of Defender for Cloud data
With the integrated Azure Workbooks functionality, Microsoft Defender for Cloud
- ['System Updates' workbook](#use-the-system-updates-workbook) - View missing system updates by resources, OS, severity, and more - ['Vulnerability Assessment Findings' workbook](#use-the-vulnerability-assessment-findings-workbook) - View the findings of vulnerability scans of your Azure resources - ['Compliance Over Time' workbook](#use-the-compliance-over-time-workbook) - View the status of a subscription's compliance with the regulatory or industry standards you've selected
+- [`Active Alerts` workbook](#use-the-active-alerts-workbook) - view active alerts by severity, type, tag, MITRE ATT&CK tactics, and location.
:::image type="content" source="media/custom-dashboards-azure-workbooks/workbooks-gallery-microsoft-defender-for-cloud.png" alt-text="Gallery of built-in workbooks in Microsoft Defender for Cloud.":::
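Review bot: the new bullet `+- [`Active Alerts` workbook](#use-the-active-alerts-workbook) - view active alerts by severity, ...` wraps the workbook name in backticks, while its siblings on the line above use quotes ('System Updates', 'Vulnerability Assessment Findings', 'Compliance Over Time') and start the description with a capital letter. Match the existing style: `['Active Alerts' workbook](#use-the-active-alerts-workbook) - View active alerts by ...`.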
You can keep drilling down - right down to the recommendation level - to view th
> > :::image type="content" source="media/custom-dashboards-azure-workbooks/export-workbook-data.png" alt-text="Exporting compliance workbook data to Excel.":::
+### Use the 'Active Alerts' workbook
+
+This workbook displays the active security alerts for your subscriptions on one dashboard. Security alerts are the notifications that Defender for Cloud generates when it detects threats on your resources. Defender for Cloud prioritizes, and lists the alerts, along with information needed for quick investigation and remediation.
+
+This workbook benefits you by letting you understand the active threats on your environment, and allows you to prioritize between the active alerts.
+
+> [!NOTE]
+> Most workbooks use Azure Resource Graph (ARG) to query their data. For example, to display the Map View, Log Analytics workspace is used to query the data. [Continuous export](continuous-export.md) should be enabled, and export the security alerts to the Log Analytics workspace.
+
+You can view the active alerts by severity, resource group, or tag.
++
+You can also view your subscription's top alerts by attacked resources, alert types, and new alerts.
++
+You can get more details on any of these alerts by selecting it.
++
+The MITRE ATT&CK tactics displays by the order of the kill-chain, and the number of alerts the subscription has at each stage.
++
+You can see all of the active alerts in a table with the ability to filter by columns. By selecting an alert, the alert view button appears.
++
+By selecting the Open Alert View button, you can see all the details of that specific alert.
++
+By selecting Map View, you can also see all alerts based on their location.
++
+By selecting a location on the map you will be able to view all of the alerts for that location.
++
+You can see the details for that alert with the Open Alert View button.
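Review bot: the NOTE at `+> Most workbooks use Azure Resource Graph (ARG) to query their data. For example, to display the Map View, Log Analytics workspace is used to query the data.` contradicts itself: it says workbooks query ARG, then offers Map View as an "example" of something that queries a Log Analytics workspace instead. Say it directly: "This workbook queries Azure Resource Graph, except for Map View, which reads alerts from a Log Analytics workspace; enable continuous export of security alerts to that workspace or the map stays empty." The empty `++` lines in this hunk are presumably image directives; check that each has alt text describing the view it shows. Also, "Defender for Cloud prioritizes, and lists the alerts" has a stray comma, and "The MITRE ATT&CK tactics displays by the order of the kill-chain" should read "are displayed in kill-chain order".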
## Import workbooks from other workbook galleries
defender-for-cloud Deploy Vulnerability Assessment Vm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-cloud/deploy-vulnerability-assessment-vm.md
Defender for Cloud regularly checks your connected machines to ensure they're ru
When a machine is found that doesn't have vulnerability assessment solution deployed, Defender for Cloud generates the following security recommendation:
-**A vulnerability assessment solution should be enabled on your virtual machines**
+**Machines should have a vulnerability assessment solution**
Use this recommendation to deploy the vulnerability assessment solution to your Azure virtual machines and your Azure Arc-enabled hybrid machines.
Some of the ways you can automate deployment at scale of the integrated scanner:
:::image type="content" source="./media/deploy-vulnerability-assessment-vm/deploy-at-scale-remediation-logic.png" alt-text="The remediation script includes the relevant ARM template you can use for your automation." lightbox="./media/deploy-vulnerability-assessment-vm/deploy-at-scale-remediation-logic.png"::: - **DeployIfNotExists policy** ΓÇô [A custom policy](https://github.com/Azure/Azure-Security-Center/tree/master/Remediation%20scripts/Enable%20the%20built-in%20vulnerability%20assessment%20solution%20on%20virtual%20machines%20(powered%20by%20Qualys)/Azure%20Policy) for ensuring all newly created machines receive the scanner. Select **Deploy to Azure** and set the relevant parameters. You can assign this policy at the level of resource groups, subscriptions, or management groups. - **PowerShell Script** ΓÇô Use the ```Update qualys-remediate-unhealthy-vms.ps1``` script to deploy the extension for all unhealthy virtual machines. To install on new resources, automate the script with [Azure Automation](../automation/automation-intro.md). The script finds all unhealthy machines discovered by the recommendation and executes an Azure Resource Manager call.-- **Azure Logic Apps** ΓÇô Build a logic app based on [the sample app](https://github.com/Azure/Azure-Security-Center/tree/master/Workflow%20automation/Install-VulnAssesmentAgent). Use Defender for Cloud's [workflow automation](workflow-automation.md) tools to trigger your logic app to deploy the scanner whenever the **A vulnerability assessment solution should be enabled on your virtual machines** recommendation is generated for a resource.
+- **Azure Logic Apps** ΓÇô Build a logic app based on [the sample app](https://github.com/Azure/Azure-Security-Center/tree/master/Workflow%20automation/Install-VulnAssesmentAgent). Use Defender for Cloud's [workflow automation](workflow-automation.md) tools to trigger your logic app to deploy the scanner whenever the **Machines should have a vulnerability assessment solution** recommendation is generated for a resource.
- **REST API** ΓÇô To deploy the integrated vulnerability assessment solution using the Defender for Cloud REST API, make a PUT request for the following URL and add the relevant resource ID: ```https://management.azure.com/<resourceId>/providers/Microsoft.Security/serverVulnerabilityAssessments/default?api-Version=2015-06-01-previewΓÇï```
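Review bot: the rename to **Machines should have a vulnerability assessment solution** is applied consistently in both places it appears in this hunk, but the trailing REST API line still ends in `api-Version=2015-06-01-previewΓÇï`, a mis-encoded zero-width space glued to the URL; anyone copying it sends an invalid query string, so strip it while the file is open. In the same hunk the PowerShell bullet's inline code reads ```Update qualys-remediate-unhealthy-vms.ps1```, where "Update" looks like a stray word in front of the script name. Also confirm the old recommendation name is gone from the `deploy-at-scale-remediation-logic.png` alt text and from the linked workflow-automation sample, since workflow automation triggers are selected by recommendation name.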
defender-for-cloud Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-cloud/release-notes.md
Title: Release notes for Microsoft Defender for Cloud description: A description of what's new and changed in Microsoft Defender for Cloud Previously updated : 01/18/2022 Last updated : 01/20/2022 # What's new in Microsoft Defender for Cloud?
Updates in January include:
- ['Copy alert JSON' button added to security alert details pane](#copy-alert-json-button-added-to-security-alert-details-pane) - [Renamed two recommendations](#renamed-two-recommendations) - [Deprecate Kubernetes cluster containers should only listen on allowed ports policy](#deprecate-kubernetes-cluster-containers-should-only-listen-on-allowed-ports-policy)
+- [Added 'Active Alerts' workbook](#added-active-alert-workbook)
+- ['System update' recommendation added to government cloud](#system-update-recommendation-added-to-government-cloud)
### Microsoft Defender for Resource Manager updated with new alerts and greater emphasis on high-risk operations mapped to MITRE ATT&CK® Matrix
We have deprecated the **Kubernetes cluster containers should only listen on all
The **[Services should listen on allowed ports only](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/add45209-73f6-4fa5-a5a5-74a451b07fbe)** recommendation should be used to limit ports that an application exposes to the internet.
+### Added 'Active Alert' workbook
+
+To assist our users in their understanding of the active threats to their environments, and prioritize between active alerts during the remediation process, we have added the Active Alerts workbook.
++
+The active alerts workbook allows users to view a unified dashboard of their aggregated alerts by severity, type, tag, MITRE ATT&CK tactics, and location. Learn more in [Use the 'Active Alerts' workbook](custom-dashboards-azure-workbooks.md#use-the-active-alerts-workbook).
+
+### 'System update' recommendation added to government cloud
+
+The 'System updates should be installed on your machines' recommendation is now available on all government clouds.
+
+It's likely that this change will impact your government cloud subscription's secure score. We expect the change to lead to a decreased score, but it's possible the recommendation's inclusion might result in an increased score in some cases.
+ ## December 2021 Updates in December include:
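Review bot: the heading `+### Added 'Active Alert' workbook` and the bullet's anchor `#added-active-alert-workbook` use the singular, while the workbook is called 'Active Alerts' everywhere else (the bullet text, the body, and the `custom-dashboards-azure-workbooks.md#use-the-active-alerts-workbook` link). Rename the heading to "Added 'Active Alerts' workbook" and change the anchor in the bullet to `#added-active-alerts-workbook` in the same commit, or the in-page link breaks. In the government-cloud entry, "It's likely that this change will impact your government cloud subscription's secure score. We expect the change to lead to a decreased score, but it's possible the recommendation's inclusion might result in an increased score in some cases." says the same thing twice; one sentence stating that secure score may move in either direction once the recommendation is assessed is enough.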
defender-for-cloud Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-cloud/resource-graph-samples.md
Title: Azure Resource Graph sample queries for Microsoft Defender for Cloud description: Sample Azure Resource Graph queries for Microsoft Defender for Cloud showing use of resource types and tables to access Microsoft Defender for Cloud related resources and properties. Previously updated : 12/20/2021 Last updated : 01/20/2022
devtest-labs Devtest Lab Concepts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/devtest-labs/devtest-lab-concepts.md
This article lists key DevTest Labs concepts and definitions:
A lab is the infrastructure that encompasses a group of resources, such as Virtual Machines (VMs), that lets you better manage those resources by specifying limits and quotas. ## Virtual machine
-An Azure VM is one type of [on-demand, scalable computing resources](/azure/architecture/guide/technology-choices/compute-decision-tree) that Azure offers. Azure VMs give you the flexibility of virtualization without having to buy and maintain the physical hardware that runs it.
+An Azure VM is one type of [on-demand, scalable computing resource](/azure/architecture/guide/technology-choices/compute-decision-tree) that Azure offers. Azure VMs give you the flexibility of virtualization without having to buy and maintain the physical hardware that runs it.
[Overview of Windows virtual machines in Azure](../virtual-machines/windows/overview.md) gives you information to consider before you create a VM, how you create it, and how you manage it.
A VM that is claimable isn't initially assigned to any particular user, but will
In DevTest Labs, an environment refers to a collection of Azure resources in a lab. [Create an environment](./devtest-lab-create-environment-from-arm.md) discusses how to create multi-VM environments from your Azure Resource Manager templates. ## Base images
-Base images are VM images with all the tools and settings preinstalled and configured. You can create a VM by picking an existing base and adding an artifact to install your test agent. The use of bases images reduces VM creation time.
+Base images are VM images with all the tools and settings preinstalled and configured. You can create a VM by picking an existing base and adding an artifact to install your test agent. The use of base images reduces VM creation time.
## Artifacts Artifacts are used to deploy and configure your application after a VM is provisioned. Artifacts can be:
Within the scope of DevTest Labs, there are two types of roles to define user pe
|Lab&nbsp;Owner| Has access to any resources within the lab. A lab owner can modify policies, read and write any VMs, change the virtual network, and so on.| |Lab User | Can view all lab resources, such as VMs, policies, and virtual networks, but can't modify policies or any VMs created by other users.|
-To see how to create custom roles in DevTest Labs, refer to the article, [Grant user permissions to specific lab policies](devtest-lab-grant-user-permissions-to-specific-lab-policies.md).
+To see how to create custom roles in DevTest Labs, refer to the article [Grant user permissions to specific lab policies](devtest-lab-grant-user-permissions-to-specific-lab-policies.md).
-Since scopes are hierarchical, when a user has permissions at a certain scope, they also have permissions at every lower-level scope. Subscription owners have access to all resources in a subscription, which include virtual machines, virtual networks, and labs. A subscription owner automatically inherits the role of lab owner. However, the opposite isn't true. A lab owner has access to a lab, which is a lower scope than the subscription level. So, a lab owner can't see virtual machines or virtual networks or any resources that are outside of the lab.
+Since scopes are hierarchical, when a user has permissions at a certain scope, they also have permissions at every lower-level scope. Subscription owners have access to all resources in a subscription, which include virtual machines, virtual networks, and labs. A subscription owner automatically inherits the role of lab owner. However, the opposite isn't true; a lab owner has access to a lab, which is a lower scope than the subscription level. So, a lab owner can't see virtual machines or virtual networks or any resources that are outside of the lab.
## Azure Resource Manager templates The concepts discussed in this article can be configured by using Azure Resource Manager (ARM) templates. ARM templates let you define the infrastructure/configuration of your Azure solution and repeatedly deploy it in a consistent state.
The concepts discussed in this article can be configured by using Azure Resource
## Next steps
-[Create a lab in DevTest Labs](devtest-lab-create-lab.md)
+[Create a lab in DevTest Labs](devtest-lab-create-lab.md)
dms Tutorial Mysql Azure Mysql Offline Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/dms/tutorial-mysql-azure-mysql-offline-portal.md
Last updated 04/11/2021
You can use Azure Database Migration Service to perform a one-time full database migration on-premises MySQL instance to [Azure Database for MySQL](../mysql/index.yml) with high speed data migration capability. In this tutorial, we will migrate a sample database from an on-premises instance of MySQL 5.7 to Azure Database for MySQL (v5.7) by using an offline migration activity in Azure Database Migration Service. Although the articles assumes the source to be a MySQL database instance and target to be Azure Database for MySQL, it can be used to migrate from one Azure Database for MySQL to another just by changing the source server name and credentials. Also, migration from lower version MySQL servers (v5.6 and above) to higher versions is also supported. > [!IMPORTANT]
-> For online migrations, you can use open-source tools such as [MyDumper/MyLoader](https://centminmod.com/mydumper.html) with [data-in replication](../mysql/concepts-data-in-replication.md).
+> For online migrations, you can use open-source tools such as [MyDumper/MyLoader](https://github.com/maxbube/mydumper) with [data-in replication](../mysql/concepts-data-in-replication.md).
> [!NOTE] > For a PowerShell-based scriptable version of this migration experience, see [scriptable offline migration to Azure Database for MySQL](./migrate-mysql-to-azure-mysql-powershell.md).
event-grid Secure Webhook Delivery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/secure-webhook-delivery.md
Title: Secure WebHook delivery with Azure AD in Azure Event Grid description: Describes how to deliver events to HTTPS endpoints protected by Azure Active Directory using Azure Event Grid Previously updated : 12/08/2021 Last updated : 01/20/2022 # Deliver events to Azure Active Directory protected endpoints
Back in **Tenant A**, do the following steps:
## Next steps
+* For conceptual information, see [WebHook event delivery](webhook-event-delivery.md).
* For information about monitoring event deliveries, see [Monitor Event Grid message delivery](monitor-event-delivery.md). * For more information about the authentication key, see [Event Grid security and authentication](security-authentication.md).
-* For more information about creating an Azure Event Grid subscription, see [Event Grid subscription schema](subscription-creation-schema.md).
+* For more information about creating an Azure Event Grid subscription, see [Event Grid subscription schema](subscription-creation-schema.md).
event-grid Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Event Grid description: Lists Azure Policy Regulatory Compliance controls available for Azure Event Grid. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
event-hubs Monitor Event Hubs Reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/monitor-event-hubs-reference.md
Azure Event Hubs supports the following dimensions for metrics in Azure Monitor.
[!INCLUDE [event-hubs-diagnostic-log-schema](./includes/event-hubs-diagnostic-log-schema.md)]
+## Runtime Audit Logs
+Runtime Audit Logs captures aggregated diagnostic logs for all data plane access operations (such as send or receive events) in Dedicated SKU.
+
+> [!NOTE]
+> Runtime audit logs are currently available in *Dedicated* tier only.
+
+Runtime Audit Logs include the elements listed in the following table:
+
+Name | Description
+- | -
+`ActivityId` | A randomly generated UUID that ensures uniqueness for the audit activity.
+`ActivityName` | Runtime operation name.
+`ResourceId` | Resource associated with the activity.
+`Timestamp` | Aggregation time.
+`Status` | Status of the activity (success or failure).
+`Protocol` | Type of the protocol associated with the operation.
+`AuthType` | Type of authentication (AAD or SAS Policy).
+`AuthKey` | AAD application Id or SAS policy name which is used to authenticate to a resource.
+`NetworkType` | Type of the network: PublicNetworkAccess, PrivateNetworkAccess.
+`ClientIP` | IP address of client application.
+`Count` | Total number of operations performed during the aggregated period of 1 minute.
+`Properties` | Metadata that are specific to the data plane operation.
+`Category` | Log category
+
+The following code is an example of a runtime audit log JSON string:
+
+Example:
+
+```json
+{
+ "ActivityId": "<activity id>",
+ "ActivityName": "ConnectionOpen | Authenticate | SendMessage | ReceiveMessage | GetRuntimeInfo",
+ "ResourceId": "/SUBSCRIPTIONS/xxx/RESOURCEGROUPS/<Resource Group Name>/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/<Event Hubs namespace>/eventhubs/<event hub name>",
+ "Time": "1/1/2021 8:40:06 PM +00:00",
+ "Status": "Success | Failure",
+ "Protocol": "AMQP | KAFKA | HTTP | Web Sockets",
+ "AuthType": "SAS | AAD",
+ "AuthId": "<app name | SAS policy name>",
+ "NetworkType": "PublicNetworkAccess | PrivateNetworkAccess",
+ "ClientIp": "x.x.x.x",
+ "Count": 1,
+ "Properties": {
+ "key1": "value1",
+ "key2": "value2"
+ },
+ "Category": "RuntimeAuditLogs"
+ }
+
+```
+
+## Application Metrics Logs
+Application Metrics Logs captures the aggregated information on certain metrics related data plane operations. This includes following runtime metrics.
+
+Name | Description
+- | -
+ConsumerLag | Indicate the lag between the consumers and producers.
+NamespaceActiveConnections | Details of the active connections established from a client to Event Hub.
+GetRuntimeInfo | Obtain run time information from Event Hubs.
+GetPartitionRuntimeInfo | Obtain the approximate runtime information for a logical partition of an Event Hub.
+ ## Azure Monitor Logs tables Azure Event Hubs uses Kusto tables from Azure Monitor Logs. You can query these tables with Log Analytics. For a list of Kusto tables the service uses, see [Azure Monitor Logs table reference](/azure/azure-monitor/reference/tables/tables-resourcetype#event-hubs).
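Review bot: the field table and the JSON sample disagree on names: the table lists `Timestamp`, `AuthKey` and `ClientIP`, while the sample emits `"Time"`, `"AuthId"` and `"ClientIp"`. Readers write KQL against these names, so use the ones the service actually emits in both places. `AuthKey` in particular is a poor name for "AAD application Id or SAS policy name which is used to authenticate to a resource"; it suggests key material is being logged, and the sample's `AuthId` says what it is. Smaller points in the same hunk: "Dedicated SKU" in the intro versus "Dedicated tier" in the NOTE; the `Category` row's description "Log category" should give the value `RuntimeAuditLogs` that the sample shows and that the monitoring article's query filters on; and the Application Metrics table lists `GetRuntimeInfo` and `GetPartitionRuntimeInfo` as "runtime metrics" while `ActivityName` lists `GetRuntimeInfo` as an audited operation, so say whether these rows are operation counts or something else. "Application Metrics Logs captures" and "Runtime Audit Logs captures" should be "capture".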
event-hubs Monitor Event Hubs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/monitor-event-hubs.md
Following are sample queries that you can use to help you monitor your Azure Eve
| where ResourceProvider =="MICROSOFT.EVENTHUB" | where Category == "OperationalLogs" | summarize count() by "EventName"+++ Get runtime audit logs during last hour. +
+ ```Kusto
+ AzureDiagnostics
+ | where TimeGenerated > ago(1h)
+ | where ResourceProvider =="MICROSOFT.EVENTHUB"
+ | where Category == "RuntimeAuditLogs"
``` + + Get access attempts to a key vault that resulted in "key not found" error. ```Kusto
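Review bot: the added block has a leading space before the opening ```` ```Kusto ```` fence and on each of `+ AzureDiagnostics`, `+ | where TimeGenerated > ago(1h)` and the lines that follow, which will either break the fence or ship the indentation into the copied query; align it with the other samples in the file, which start at column 0. Per the reference article in this same batch, `RuntimeAuditLogs` is emitted only for Dedicated-tier namespaces, so say so beside the query; on a Standard or Premium namespace it returns no rows and readers will assume their diagnostic setting is wrong. A closing projection of the timestamp, operation name, status, auth type and client IP columns would also make the sample useful rather than just a filter.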
event-hubs Security Controls Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/security-controls-policy.md
Title: Azure Policy Regulatory Compliance controls for Azure Event Hubs description: Lists Azure Policy Regulatory Compliance controls available for Azure Event Hubs. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 12/17/2021 Last updated : 01/19/2022
firewall Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/firewall/overview.md
Title: What is Azure Firewall? description: Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. + Previously updated : 01/19/2022- Last updated : 01/20/2022+ # Customer intent: As an administrator, I want to evaluate Azure Firewall so I can determine if I want to use it.
To learn what's new with Azure Firewall, see [Azure updates](https://azure.micro
## Known issues
-Azure Firewall has the following known issues:
+### Azure Firewall Standard
+
+Azure Firewall Standard has the following known issues:
|Issue |Description |Mitigation | ||||
Azure Firewall has the following known issues:
| Firewall logs (Resource specific tables - Preview) | Resource specific log queries are in preview mode and aren't currently supported. | A fix is being investigated.| |Availability Zones for Firewall Premium in the Southeast Asia region|You can't currently deploy Azure Firewall Premium with Availability Zones in the Southeast Asia region.|Deploy the firewall in Southeast Asia without Availability Zones, or deploy in a region that supports Availability Zones.|
+### Azure Firewall Premium
+
+Azure Firewall Premium has the following known issues:
++
+|Issue |Description |Mitigation |
+||||
+|ESNI support for FQDN resolution in HTTPS|Encrypted SNI isn't supported in HTTPS handshake.|Today only Firefox supports ESNI through custom configuration. Suggested workaround is to disable this feature.|
+|Client Certificates (TLS)|Client certificates are used to build a mutual identity trust between the client and the server. Client certificates are used during a TLS negotiation. Azure firewall renegotiates a connection with the server and has no access to the private key of the client certificates.|None|
+|QUIC/HTTP3|QUIC is the new major version of HTTP. It's a UDP-based protocol over 80 (PLAN) and 443 (SSL). FQDN/URL/TLS inspection won't be supported.|Configure passing UDP 80/443 as network rules.|
+Untrusted customer signed certificates|Customer signed certificates are not trusted by the firewall once received from an intranet-based web server.|A fix is being investigated.
+|Wrong source IP address in Alerts with IDPS for HTTP (without TLS inspection).|When plain text HTTP traffic is in use, and IDPS issues a new alert, and the destination is a public IP address, the displayed source IP address is wrong (the internal IP address is displayed instead of the original IP address).|A fix is being investigated.|
+|Certificate Propagation|After a CA certificate is applied on the firewall, it may take between 5-10 minutes for the certificate to take effect.|A fix is being investigated.|
+|TLS 1.3 support|TLS 1.3 is partially supported. The TLS tunnel from client to the firewall is based on TLS 1.2, and from the firewall to the external Web server is based on TLS 1.3.|Updates are being investigated.|
+|KeyVault Private Endpoint|KeyVault supports Private Endpoint access to limit its network exposure. Trusted Azure Services can bypass this limitation if an exception is configured as described in the [KeyVault documentation](../key-vault/general/overview-vnet-service-endpoints.md#trusted-services). Azure Firewall is not currently listed as a trusted service and can't access the Key Vault.|A fix is being investigated.|
+|IDPS Bypass list|IDPS Bypass list doesn't support IP Groups.|A fix is being investigated.|
++ ## Next steps - [Quickstart: Create an Azure Firewall and a firewall policy - ARM template](../firewall-manager/quick-firewall-policy.md)
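Review bot: the row "Untrusted customer signed certificates|...|A fix is being investigated." in the added Premium table is missing its leading and trailing `|`, so it will not render as a table row like the rows around it; write it as `|Untrusted customer signed certificates|Customer signed certificates are not trusted by the firewall once received from an intranet-based web server.|A fix is being investigated.|`. In the QUIC/HTTP3 row, "UDP-based protocol over 80 (PLAN) and 443 (SSL)" reads as a typo for "(PLAIN)". Both defects are copied verbatim from the table being removed from premium-features.md, so this move is the moment to correct them rather than carry them forward.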
firewall Premium Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/firewall/premium-features.md
Under the **Web Categories** tab in **Firewall Policy Settings**, you can reques
For the supported regions for Azure Firewall, see [Azure products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-firewall).
-## Known issues
-
-Azure Firewall Premium has the following known issues:
--
-|Issue |Description |Mitigation |
-||||
-|ESNI support for FQDN resolution in HTTPS|Encrypted SNI isn't supported in HTTPS handshake.|Today only Firefox supports ESNI through custom configuration. Suggested workaround is to disable this feature.|
-|Client Certificates (TLS)|Client certificates are used to build a mutual identity trust between the client and the server. Client certificates are used during a TLS negotiation. Azure firewall renegotiates a connection with the server and has no access to the private key of the client certificates.|None|
-|QUIC/HTTP3|QUIC is the new major version of HTTP. It's a UDP-based protocol over 80 (PLAN) and 443 (SSL). FQDN/URL/TLS inspection won't be supported.|Configure passing UDP 80/443 as network rules.|
-Untrusted customer signed certificates|Customer signed certificates are not trusted by the firewall once received from an intranet-based web server.|A fix is being investigated.
-|Wrong source IP address in Alerts with IDPS for HTTP (without TLS inspection).|When plain text HTTP traffic is in use, and IDPS issues a new alert, and the destination is a public IP address, the displayed source IP address is wrong (the internal IP address is displayed instead of the original IP address).|A fix is being investigated.|
-|Certificate Propagation|After a CA certificate is applied on the firewall, it may take between 5-10 minutes for the certificate to take effect.|A fix is being investigated.|
-|TLS 1.3 support|TLS 1.3 is partially supported. The TLS tunnel from client to the firewall is based on TLS 1.2, and from the firewall to the external Web server is based on TLS 1.3.|Updates are being investigated.|
-|KeyVault Private Endpoint|KeyVault supports Private Endpoint access to limit its network exposure. Trusted Azure Services can bypass this limitation if an exception is configured as described in the [KeyVault documentation](../key-vault/general/overview-vnet-service-endpoints.md#trusted-services). Azure Firewall is not currently listed as a trusted service and can't access the Key Vault.|A fix is being investigated.|
-|IDPS Bypass list|IDPS Bypass list doesn't support IP Groups.|A fix is being investigated.|
## Next steps
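Review bot: the Known issues section is removed from premium-features.md without leaving any pointer, so readers of the Premium features page no longer see limitations such as the partial TLS 1.3 support and the client certificate behaviour that were listed here; add a one-line reference after the regions paragraph, for example "For known issues, see [Azure Firewall known issues](overview.md#known-issues)", so the relocated content stays discoverable from this page.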
governance Resource Graph Samples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/management-groups/resource-graph-samples.md
Title: Azure Resource Graph sample queries for management groups description: Sample Azure Resource Graph queries for management groups showing use of resource types and tables to access management group details. Previously updated : 12/20/2021 Last updated : 01/20/2022
governance Effects https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/concepts/effects.md
definitions as `constraintTemplate` is deprecated.
- **apiGroups** (required when using _templateInfo_) - An _array_ that includes the [API groups](https://kubernetes.io/docs/reference/using-api/#api-groups) to match. An empty
- array (`[""]`) is the core API group while `["*"]` matches all API groups.
+ array (`[""]`) is the core API group.
+ - Defining `["*"]` for _apiGroups_ is disallowed.
- **kinds** (required when using _templateInfo_) - An _array_ that includes the [kind](https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields) of Kubernetes object to limit evaluation to.
+ - Defining `["*"]` for _kinds_ is disallowed.
- **values** (optional) - Defines any parameters and values to pass to the Constraint. Each value must exist in the Constraint template CRD.
definitions as `constraintTemplate` is deprecated.
- **apiGroups** (required when using _templateInfo_) - An _array_ that includes the [API groups](https://kubernetes.io/docs/reference/using-api/#api-groups) to match. An empty
- array (`[""]`) is the core API group while `["*"]` matches all API groups.
+ array (`[""]`) is the core API group.
+ - Defining `["*"]` for _apiGroups_ is disallowed.
- **kinds** (required when using _templateInfo_) - An _array_ that includes the [kind](https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/#required-fields) of Kubernetes object to limit evaluation to.
+ - Defining `["*"]` for _kinds_ is disallowed.
- **values** (optional) - Defines any parameters and values to pass to the Constraint. Each value must exist in the Constraint template CRD.
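Review bot: both of the apiGroups/kinds hunks above state that `["*"]` is "disallowed" for _apiGroups_ and _kinds_ but not what happens when a definition still uses it (rejected when the definition is created, rejected at assignment, or ignored at evaluation time); state the failure mode in the new sub-bullets, since the previous text documented `["*"]` as matching all API groups and existing definitions may rely on it. The wording is consistent between the two occurrences.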
governance Australia Ism https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/samples/australia-ism.md
Title: Regulatory Compliance details for Australian Government ISM PROTECTED description: Details of the Australian Government ISM PROTECTED Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 12/17/2021 Last updated : 01/19/2022
The following mappings are to the **Australian Government ISM PROTECTED** contro
navigation on the right to jump directly to a specific **compliance domain**. Many of the controls are implemented with an [Azure Policy](../overview.md) initiative definition. To review the complete initiative definition, open **Policy** in the Azure portal and select the **Definitions** page.
-Then, find and select the **Australian Government ISM PROTECTED** Regulatory Compliance built-in
+Then, find and select the **[Preview]: Australian Government ISM PROTECTED** Regulatory Compliance built-in
initiative definition. > [!IMPORTANT]
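Review bot: the renamed initiative "**[Preview]: Australian Government ISM PROTECTED**" leaves `[Preview]` unescaped, while the policy tables elsewhere in this update write it as `\[Preview\]`; an unescaped bracketed token can be parsed as a shortcut reference link in Markdown, so escape it here as `**\[Preview\]: Australian Government ISM PROTECTED**` for consistent rendering.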
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
+|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
|[Virtual machines should be connected to a specified workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff47b5582-33ec-4c5c-87c0-b010a6b2e917) |Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. |AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json) | ### Events to be logged - 1537
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
+|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
|[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) |
governance Azure Security Benchmark https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/samples/azure-security-benchmark.md
Title: Regulatory Compliance details for Azure Security Benchmark description: Details of the Azure Security Benchmark Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 12/17/2021 Last updated : 01/19/2022
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
+|[\[Preview\]: Azure Key Vault should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: [https://aka.ms/akvprivatelink](../../../key-vault/general/private-link-service.md). |Audit, Deny, Disabled |[2.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) |
+|[\[Preview\]: Private endpoint should be configured for Key Vault](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0bc445-3935-4915-9981-011aa2b46147) |Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultPrivateEndpointEnabled_Audit.json) |
+|[\[Preview\]: Storage account public access should be disallowed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4fa4b6c0-31ca-4c0d-b10d-24b96f62a751) |Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. |audit, deny, disabled |[3.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/ASC_Storage_DisallowPublicBlobAccess_Audit.json) |
|[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) | |[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](../../../azure-app-configuration/concept-private-endpoint.md). 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |
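Review bot: the three rows added at the top of the table are renamed copies of rows removed further down in this same file (the definition IDs 55615ac9-af46-4a59-874e-391cc3dfb490, 5f0bc445-3935-4915-9981-011aa2b46147 and 4fa4b6c0-31ca-4c0d-b10d-24b96f62a751 match), so the change is a rename plus re-sort; while touching the "Storage account public access should be disallowed" row, normalise its effects list from "audit, deny, disabled" to "Audit, Deny, Disabled", which is the casing every other row in the table uses.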
initiative definition.
|[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) | |[Azure Event Grid domains should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9830b652-8523-49cc-b1b3-e17dce1127ca) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](../../../event-grid/configure-private-endpoints.md). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Domains_PrivateEndpoint_Audit.json) | |[Azure Event Grid topics should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4b90e17e-8448-49db-875e-bd83fb6f804f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. 
The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](../../../event-grid/configure-private-endpoints.md). |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/Topics_PrivateEndpoint_Audit.json) |
-|[Azure Key Vault should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: [https://aka.ms/akvprivatelink](../../../key-vault/general/private-link-service.md). |Audit, Deny, Disabled |[2.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) |
|[Azure Machine Learning workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F40cec1dd-a100-4920-b15b-3024fe8901ab) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link](../../../machine-learning/how-to-configure-private-link.md). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateEndpoint_Audit.json) | |[Azure SignalR Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F53503636-bcc9-4748-9663-5348217f160f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks. Learn more about private links at: [https://aka.ms/asrs/privatelink](../../../azure-signalr/howto-private-endpoints.md). 
|Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit.json) | |[Azure Spring Cloud should use network injection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf35e2a4-ef96-44e7-a9ae-853dd97032c4) |Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. |Audit, Disabled, Deny |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Platform/Spring_VNETEnabled_Audit.json) |
initiative definition.
|[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/portal/public-network](../../../container-registry/container-registry-access-selected-networks.md) and here [https://aka.ms/acr/vnet](../../../container-registry/container-registry-vnet.md). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_AuditDeny.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](../../../container-registry/container-registry-private-link.md). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[Private endpoint connections on Azure SQL Database should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7698e800-9299-47a6-b3b6-5a0fee576eed) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) |
-|[Private endpoint should be configured for Key Vault](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0bc445-3935-4915-9981-011aa2b46147) |Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultPrivateEndpointEnabled_Audit.json) |
|[Private endpoint should be enabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a1302fb-a631-4106-9753-f3d494733990) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json) | |[Private endpoint should be enabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7595c971-233d-4bcf-bd18-596129188c49) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json) | |[Private endpoint should be enabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0564d078-92f5-4f97-8398-b9f58a51f70b) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json) |
initiative definition.
|[Public network access should be disabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffdccbe47-f3e3-4213-ad5d-ea459b2fa077) |Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_DisablePublicNetworkAccess_Audit.json) | |[Public network access should be disabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd9844e8a-1437-4aeb-a32c-0c992f056095) |Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_DisablePublicNetworkAccess_Audit.json) | |[Public network access should be disabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb52376f7-9612-48a1-81cd-1ffe4b61032c) |Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. 
This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json) |
-|[Storage account public access should be disallowed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4fa4b6c0-31ca-4c0d-b10d-24b96f62a751) |Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. |audit, deny, disabled |[3.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/ASC_Storage_DisallowPublicBlobAccess_Audit.json) |
|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) | |[Storage accounts should restrict network access using virtual network rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2a1a9cdf-e04d-429a-8416-3bfb72a1b26f) |Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json) | |[Storage accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6edd7eda-6dd8-40f7-810d-67160c639cd9) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. 
Learn more about private links at - [https://aka.ms/azureprivatelinkoverview](../../../private-link/private-link-overview.md) |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountPrivateEndpointEnabled_Audit.json) |
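Review bot: the `-` row for "Storage account public access should be disallowed" (version 3.0.1-preview) has no matching `+` row, unlike every other preview-versioned row in this change, which is re-added with a `[Preview]:` prefix. If the same rename is intended here, add a `+|[\[Preview\]: Storage account public access should be disallowed](...)` row with the unchanged description, effects and version, sorted with the other bracketed names at the top of the table; if the policy was deliberately dropped from this control, say so in the change description so the removal is not mistaken for an incomplete rename.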
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[All Internet traffic should be routed via your deployed Azure Firewall](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc5e4038-4584-4632-8c85-c0448d374b2c) |Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json) |
+|[\[Preview\]: All Internet traffic should be routed via your deployed Azure Firewall](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc5e4038-4584-4632-8c85-c0448d374b2c) |Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json) |
|[IP Forwarding on your virtual machine should be disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd352bd5-2853-4985-bf0d-73806b4a5744) |Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json) | |[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) | |[Management ports should be closed on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22730e10-96f6-4aac-ad84-9383d35b5917) |Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json) |
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) |Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/cosmosdb-cmk](../../../cosmos-db/how-to-setup-cmk.md). |audit, deny, disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) |
-|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](../../../machine-learning/how-to-create-workspace-template.md#deploy-an-encrypted-workspace). |Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) |
+|[Azure Machine Learning workspaces should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/azureml-workspaces-cmk](/azure/machine-learning/how-to-create-workspace-template#deploy-an-encrypted-workspace"). |Audit, Deny, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) |
|[Cognitive Services accounts should enable data encryption with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about customer-managed keys at [https://go.microsoft.com/fwlink/?linkid=2121321](../../../cognitive-services/encryption/cognitive-services-encryption-keys-portal.md). |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json) | |[Container registries should be encrypted with a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/acr/CMK](../../../container-registry/container-registry-customer-managed-keys.md). 
|Audit, Deny, Disabled |[1.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) | |[MySQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83cef61d-dbd1-4b20-a4fc-5fbc7da10833) |Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json) |
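Review bot: the new link target in the `+` row for "Azure Machine Learning workspaces should be encrypted with a customer-managed key" ends with a stray double quote: `(/azure/machine-learning/how-to-create-workspace-template#deploy-an-encrypted-workspace")`. That character becomes part of the rendered URL and breaks the link; drop it so the target ends at `#deploy-an-encrypted-workspace`. Also worth a look: the neighbouring rows in this table (Cosmos DB, Cognitive Services, Container Registry) still use relative `../../../...md` paths, so switching only this row to a site-absolute `/azure/...` path is inconsistent unless the relative path no longer resolves.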
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, deny, disabled |[2.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) |
+|[\[Preview\]: Certificates should have the specified maximum validity period](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a075868-4c26-42ef-914c-5bc007359560) |Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |audit, deny, disabled |[2.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_ValidityPeriod.json) |
### Ensure security of key and certificate repository
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
+|[\[Preview\]: Azure Key Vault should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: [https://aka.ms/akvprivatelink](../../../key-vault/general/private-link-service.md). |Audit, Deny, Disabled |[2.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) |
+|[\[Preview\]: Private endpoint should be configured for Key Vault](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0bc445-3935-4915-9981-011aa2b46147) |Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultPrivateEndpointEnabled_Audit.json) |
|[Azure Defender for Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e6763cc-5078-4e64-889d-ff4d9a839047) |Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json) |
-|[Azure Key Vault should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: [https://aka.ms/akvprivatelink](../../../key-vault/general/private-link-service.md). |Audit, Deny, Disabled |[2.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) |
|[Key vaults should have purge protection enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b60c0b2-2dc2-4e1c-b5c9-abbed971de53) |Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json) | |[Key vaults should have soft delete enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d) |Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json) |
-|[Private endpoint should be configured for Key Vault](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0bc445-3935-4915-9981-011aa2b46147) |Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultPrivateEndpointEnabled_Audit.json) |
|[Resource logs in Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcf820ca0-f99e-4f3e-84fb-66e913812d21) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json) | ## Asset Management
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) |Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). |AuditIfNotExists, Disabled |[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) |
+|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) |Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). |AuditIfNotExists, Disabled |[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) |
+|[\[Preview\]: Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1840de2-8088-4ea8-b153-b4c723e9cb01) |Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-introduction](/azure/security-center/defender-for-kubernetes-introduction) |Audit, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Audit.json) |
|[Azure Defender for App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) |Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) | |[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) | |[Azure Defender for DNS should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbdc59948-5574-49b3-bb91-76b7c986428d) |Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at [https://aka.ms/defender-for-dns](../../../defender-for-cloud/defender-for-dns-introduction.md) . Enabling this Azure Defender plan results in charges. 
Learn about the pricing details per region on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) . |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnDns_Audit.json) |
initiative definition.
|[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Azure Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) |Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) |
-|[Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1840de2-8088-4ea8-b153-b4c723e9cb01) |Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-introduction](/azure/security-center/defender-for-kubernetes-introduction) |Audit, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Audit.json) |
|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |[Windows Defender Exploit Guard should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbed48b13-6647-468e-aa2f-1af1d3f4dd40) |Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). |AuditIfNotExists, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsDefenderExploitGuard_AINE.json) |
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) |Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). |AuditIfNotExists, Disabled |[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) |
+|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8dfab9c4-fe7b-49ad-85e4-1e9be085358f) |Azure Defender's extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis. Learn more in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-azure-arc](/azure/security-center/defender-for-kubernetes-azure-arc). |AuditIfNotExists, Disabled |[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_Arc_Extension_Audit.json) |
+|[\[Preview\]: Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1840de2-8088-4ea8-b153-b4c723e9cb01) |Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-introduction](/azure/security-center/defender-for-kubernetes-introduction) |Audit, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Audit.json) |
|[Azure Defender for App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) |Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) | |[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) | |[Azure Defender for DNS should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbdc59948-5574-49b3-bb91-76b7c986428d) |Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer. Learn more about the capabilities of Azure Defender for DNS at [https://aka.ms/defender-for-dns](../../../defender-for-cloud/defender-for-dns-introduction.md) . Enabling this Azure Defender plan results in charges. 
Learn about the pricing details per region on Security Center's pricing page: [https://aka.ms/pricing-security-center](https://aka.ms/pricing-security-center) . |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAzureDefenderOnDns_Audit.json) |
initiative definition.
|[Azure Defender for SQL should be enabled for unprotected Azure SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Azure Defender for SQL should be enabled for unprotected SQL Managed Instances](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Azure Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) |Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) |
-|[Azure Kubernetes Service clusters should have Defender profile enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa1840de2-8088-4ea8-b153-b4c723e9cb01) |Microsoft Defender for Containers provides cloud-native Kubernetes security capabilities including environment hardening, workload protection, and run-time protection. When you enable the SecurityProfile.AzureDefender on your Azure Kubernetes Service cluster, an agent is deployed to your cluster to collect security event data. Learn more about Microsoft Defender for Containers in [https://docs.microsoft.com/azure/security-center/defender-for-kubernetes-introduction](/azure/security-center/defender-for-kubernetes-introduction) |Audit, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ASC_Azure_Defender_Kubernetes_AKS_SecurityProfile_Audit.json) |
|[Microsoft Defender for Containers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c988dd6-ade4-430f-a608-2a3e5b0a6d38) |Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainers_Audit.json) | |[Windows Defender Exploit Guard should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbed48b13-6647-468e-aa2f-1af1d3f4dd40) |Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). |AuditIfNotExists, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsDefenderExploitGuard_AINE.json) |
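Review bot: the `-` row "Azure Kubernetes Service clusters should have Defender profile enabled" (definition a1840de2) has no matching `+` row in this region, whereas every other row this change removes reappears with a "[Preview]:" prefix. If the row was meant to come back under its preview name, the `+` line is missing here; if the definition was deliberately dropped from the initiative, note that the remaining "Microsoft Defender for Containers should be enabled" row checks that the plan is enabled, while the removed row's own description checked that an agent is deployed to the cluster, so a distinct cluster-level check disappears from this control's table. Please confirm which of the two is intended.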
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
|---|---|---|---|
-|[Network traffic data collection agent should be installed on Linux virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04c4380f-3fae-46e8-96c9-30193528f602) |Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. |AuditIfNotExists, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json) |
-|[Network traffic data collection agent should be installed on Windows virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2f2ee1de-44aa-4762-b6bd-0893fc3f306d) |Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. |AuditIfNotExists, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json) |
+|[\[Preview\]: Network traffic data collection agent should be installed on Linux virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04c4380f-3fae-46e8-96c9-30193528f602) |Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. |AuditIfNotExists, Disabled |[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json) |
+|[\[Preview\]: Network traffic data collection agent should be installed on Windows virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2f2ee1de-44aa-4762-b6bd-0893fc3f306d) |Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. |AuditIfNotExists, Disabled |[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json) |
### Centralize security log management and analysis
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
|---|---|---|---|
+|[\[Preview\]: Log Analytics extension should be installed on your Linux Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F842c54e8-c2f9-4d79-ae8d-38d8b8019373) |This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. |AuditIfNotExists, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json) |
+|[\[Preview\]: Log Analytics extension should be installed on your Windows Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd69b1763-b96d-40b8-a2d9-ca31e9fd0d3e) |This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. |AuditIfNotExists, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json) |
|[Auto provisioning of the Log Analytics agent should be enabled on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F475aae12-b88a-4572-8b36-9b712b2b3a17) |To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json) | |[Linux machines should have Log Analytics agent installed on Azure Arc](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1e7fed80-8321-4605-b42c-65fc300f23a3) |Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled Linux server. 
|AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxLogAnalyticsAgentInstalled_AINE.json) | |[Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4fe33eb-e377-4efb-ab31-0784311bc499) |This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json) | |[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) |Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) |
-|[Log Analytics extension should be installed on your Linux Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F842c54e8-c2f9-4d79-ae8d-38d8b8019373) |This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. |AuditIfNotExists, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json) |
-|[Log Analytics extension should be installed on your Windows Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd69b1763-b96d-40b8-a2d9-ca31e9fd0d3e) |This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. |AuditIfNotExists, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json) |
|[Windows machines should have Log Analytics agent installed on Azure Arc](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4078e558-bda6-41fb-9b3c-361e8875200d) |Machines are non-compliant if Log Analytics agent is not installed on Azure Arc enabled windows server. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsLogAnalyticsAgentInstalled_AINE.json) |

### Configure log storage retention
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
|---|---|---|---|
+|[\[Preview\]: Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6b2122c1-8120-4ff5-801b-17625a355590) |The Azure Policy extension for Azure Arc provides at-scale enforcements and safeguards on your Arc enabled Kubernetes clusters in a centralized, consistent manner. Learn more at [https://aka.ms/akspolicydoc](../concepts/policy-for-kubernetes.md). |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ArcPolicyExtension_Audit.json) |
+|[\[Preview\]: Kubernetes clusters should gate deployment of vulnerable images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759) |Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. |Audit, Deny, Disabled |[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockVulnerableImages.json) |
|[Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a15ec92-a229-4763-bb14-0ea34a568f8d) |Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json) | |[CORS should not allow every resource to access your API App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F358c20a6-3f9e-4f0e-97ff-c6ce485e2aac) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_ApiApp_Audit.json) | |[CORS should not allow every resource to access your Function Apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |
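Review bot: the `+` row "[Preview]: Kubernetes clusters should gate deployment of vulnerable images" (definition 13cd7ae3) keeps version 1.0.2-preview and a description that still says "Only applicable for private preview customers" and refers to "Azure Defender CI/CD scanning" and "Azure defender for container registries" (lowercase d), while the Defender rows elsewhere in this change use the "Microsoft Defender for Containers" name. Since these rows are generated from the definition, the naming belongs in BlockVulnerableImages.json rather than in this page, but the private-preview caveat sits next to an "Audit, Deny, Disabled" effect list, so a reader choosing Deny from this table can easily miss the stated prerequisite (Policy Addon and Azure Defender Profile); consider whether a private-preview definition should appear in this compliance table at all, or at least whether the "[Preview]:" prefix alone carries that caveat. The new "[Preview]: Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed" row looks fine.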
|[Function apps should have 'Client Certificates (Incoming client certificates)' enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feaebaea7-8013-4ceb-9d14-7eb32271373c) |Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json) | |[Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[7.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) | |[Kubernetes cluster containers should not share host process ID or host IPC namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) |Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. 
This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[3.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) |
-|[Kubernetes cluster containers should only use allowed AppArmor profiles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F511f5417-5d12-434d-ab2e-816901e72a5e) |Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[4.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json) |
+|[Kubernetes cluster containers should only use allowed AppArmor profiles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F511f5417-5d12-434d-ab2e-816901e72a5e) |Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[4.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json) |
|[Kubernetes cluster containers should only use allowed capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc26596ff-4d70-4e6a-9a30-c2506bd2f80c) |Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[4.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json) | |[Kubernetes cluster containers should only use allowed images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). 
|audit, deny, disabled |[7.0.4](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) | |[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[4.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) |
|[Kubernetes cluster services should listen only on allowed ports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F233a2a17-77ca-4fb1-9b6b-69223d272a44) |Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[6.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ServiceAllowedPorts.json) | |[Kubernetes cluster should not allow privileged containers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F95edb821-ddaf-4404-9732-666045e056b4) |Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[7.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilege.json) | |[Kubernetes clusters should disable automounting API credentials](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F423dd1ba-798e-40e4-9c4d-b6902674b423) |Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. 
For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[2.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockAutomountToken.json) |
-|[Kubernetes clusters should gate deployment of vulnerable images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F13cd7ae3-5bc0-4ac4-a62d-4f7c120b9759) |Protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerable software components. Use Azure Defender CI/CD scanning (https://aka.ms/AzureDefenderCICDscanning) and Azure defender for container registries (https://aka.ms/AzureDefenderForContainerRegistries) to identify and patch vulnerabilities prior to deployment. Evaluation prerequisite: Policy Addon and Azure Defender Profile. Only applicable for private preview customers. |Audit, Deny, Disabled |[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockVulnerableImages.json) |
|[Kubernetes clusters should not allow container privilege escalation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c6e92c9-99f0-4e55-9cf2-0c234dc48f99) |Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[4.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json) | |[Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd2e7ea85-6b44-4317-a0be-1b951587f626) |To reduce the attack surface of your containers, restrict CAP_SYS_ADMIN Linux capabilities. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). |audit, deny, disabled |[3.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedSysAdminCapability.json) | |[Kubernetes clusters should not use the default namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9f061a12-e40d-4183-a00e-171812443373) |Prevent usage of the default namespace in Kubernetes clusters to protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types. For more information, see [https://aka.ms/kubepolicydoc](../concepts/policy-for-kubernetes.md). 
|audit, deny, disabled |[2.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json) |
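Review bot: the `-` row "Kubernetes clusters should gate deployment of vulnerable images" here carries the same definition id (13cd7ae3) and the same version (1.0.2-preview) as the "[Preview]:"-prefixed `+` row added near the top of this table earlier in the change, so this hunk is a re-sort caused by the renamed display name rather than a removal; the only thing to verify is that the rendered table lists the definition exactly once after the change. Nothing else in this hunk changes.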
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
|---|---|---|---|
-|[Guest Attestation extension should be installed on supported Linux virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F672fe5a1-2fcd-42d7-b85d-902b6e28c6ff) |Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machines. |AuditIfNotExists, Disabled |[5.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLinuxGAExtOnVm_Audit.json) |
-|[Guest Attestation extension should be installed on supported Linux virtual machines scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa21f8c92-9e22-4f09-b759-50500d1d2dda) |Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machine scale sets. |AuditIfNotExists, Disabled |[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLinuxGAExtOnVmss_Audit.json) |
-|[Guest Attestation extension should be installed on supported Windows virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1cb4d9c2-f88f-4069-bee0-dba239a57b09) |Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machines. |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallWindowsGAExtOnVm_Audit.json) |
-|[Guest Attestation extension should be installed on supported Windows virtual machines scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff655e522-adff-494d-95c2-52d4f6d56a42) |Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machine scale sets. |AuditIfNotExists, Disabled |[2.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallWindowsGAExtOnVmss_Audit.json) |
+|[\[Preview\]: Guest Attestation extension should be installed on supported Linux virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F672fe5a1-2fcd-42d7-b85d-902b6e28c6ff) |Install Guest Attestation extension on supported Linux virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machines. |AuditIfNotExists, Disabled |[5.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLinuxGAExtOnVm_Audit.json) |
+|[\[Preview\]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa21f8c92-9e22-4f09-b759-50500d1d2dda) |Install Guest Attestation extension on supported Linux virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled Linux virtual machine scale sets. |AuditIfNotExists, Disabled |[4.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLinuxGAExtOnVmss_Audit.json) |
+|[\[Preview\]: Guest Attestation extension should be installed on supported Windows virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1cb4d9c2-f88f-4069-bee0-dba239a57b09) |Install Guest Attestation extension on supported virtual machines to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machines. |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallWindowsGAExtOnVm_Audit.json) |
+|[\[Preview\]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff655e522-adff-494d-95c2-52d4f6d56a42) |Install Guest Attestation extension on supported virtual machines scale sets to allow Azure Security Center to proactively attest and monitor the boot integrity. Once installed, boot integrity will be attested via Remote Attestation. This assessment only applies to trusted launch enabled virtual machine scale sets. |AuditIfNotExists, Disabled |[2.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallWindowsGAExtOnVmss_Audit.json) |
+|[\[Preview\]: Secure Boot should be enabled on supported Windows virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F97566dd7-78ae-4997-8b36-1c7bfe0d8121) |Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment only applies to trusted launch enabled Windows virtual machines. |Audit, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableWindowsSB_Audit.json) |
+|[\[Preview\]: vTPM should be enabled on supported virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c30f9cd-b84c-49cc-aa2c-9288447cc3b3) |Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. |Audit, Disabled |[2.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableVTPM_Audit.json) |
|[Guest Configuration extension should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fae89ebca-1c92-4898-ac2c-9f63decb045c) |To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'. Learn more at [https://aka.ms/gcpol](../concepts/guest-configuration.md). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVm.json) | |[Linux machines should meet requirements for the Azure compute security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc9b3da7-8347-4380-8e70-0a0361d8dedd) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. |AuditIfNotExists, Disabled |[1.3.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AzureLinuxBaseline_AINE.json) |
-|[Secure Boot should be enabled on supported Windows virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F97566dd7-78ae-4997-8b36-1c7bfe0d8121) |Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment only applies to trusted launch enabled Windows virtual machines. |Audit, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableWindowsSB_Audit.json) |
|[Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd26f7642-7545-4e18-9b75-8c9bbdee3a9a) |The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity. Learn more at [https://aka.ms/gcpol](../concepts/guest-configuration.md) |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_GCExtOnVmWithNoSAMI.json) |
-|[vTPM should be enabled on supported virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c30f9cd-b84c-49cc-aa2c-9288447cc3b3) |Enable virtual TPM device on supported virtual machines to facilitate Measured Boot and other OS security features that require a TPM. Once enabled, vTPM can be used to attest boot integrity. This assessment only applies to trusted launch enabled virtual machines. |Audit, Disabled |[2.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableVTPM_Audit.json) |
|[Windows machines should meet requirements of the Azure compute security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F72650e9f-97bc-4b2a-ab5f-9781a9fcecbc) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](../concepts/guest-configuration.md). Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AzureWindowsBaseline_AINE.json) | ### Perform vulnerability assessments
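Review bot: the Secure Boot and vTPM changes are a rename only, while the Guest Attestation rows are genuinely new mappings, and the hunk does not distinguish the two. The added `[\[Preview\]: Secure Boot should be enabled on supported Windows virtual machines` and `[\[Preview\]: vTPM should be enabled on supported virtual machines` rows keep the definition IDs (97566dd7-..., 1c30f9cd-...) and versions (3.0.0-preview, 2.0.0-preview) of the removed rows, so only the display name gains the `[Preview]:` prefix that matches the `-preview` version suffix; the four `Guest Attestation extension should be installed...` rows have no removed counterpart and add new policies to this control, which the commit message should say explicitly. Also, `### Perform vulnerability assessments` is appended to the end of the last table row (`Windows machines should meet requirements of the Azure compute security baseline`) instead of starting on its own line; as written it renders as cell text, not a heading.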
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
+|[Container registry images should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) |
|[Ensure that 'Java version' is the latest, if used as a part of the API app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F88999f4c-376a-45c8-bcb3-4058f713cf39) |Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_java_Latest.json) | |[Ensure that 'Java version' is the latest, if used as a part of the Function app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc) |Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json) | |[Ensure that 'Java version' is the latest, if used as a part of the Web app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F496223c3-ad65-4ecd-878a-bae78737e9ed) |Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json) |
|[Ensure that 'Python version' is the latest, if used as a part of the API app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F74c3584d-afae-46f7-a20a-6f8adba71a16) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json) | |[Ensure that 'Python version' is the latest, if used as a part of the Function app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7238174a-fd10-4ef0-817e-fc820a951d73) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json) | |[Ensure that 'Python version' is the latest, if used as a part of the Web app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7008174a-fd10-4ef0-817e-fc820a951d73) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json) |
+|[Running container images should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) |
|[SQL databases should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[SQL servers on machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ba6d016-e7c3-4842-b8f2-4992ebc0d72d) |SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerSQLVulnerabilityAssessment_Audit.json) | |[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) | |[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) |Missing security system updates on your servers will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) |
-|[Vulnerabilities in Azure Container Registry images should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) |
|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) |
-|[Vulnerabilities in running images should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) |
|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) | |[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) |
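Review bot: the two container rows are renames with patch-level version bumps rather than new mappings, and the new registry description drops information. `Container registry images should have vulnerability findings resolved` keeps definition ID 5f0f936f-... and moves 2.0.0 to 2.0.1; `Running container images should have vulnerability findings resolved` keeps 0fc39691-... and moves 1.0.0 to 1.0.1. The replacement registry description no longer says scanning runs "on each pushed container image" and no longer names the scanner ("powered by Qualys"); if on-push scanning is still the behaviour, consider keeping that clause so readers know when findings appear. Separately, an unchanged context row in this hunk carries a copy-paste error: the description of `Ensure that 'Java version' is the latest, if used as a part of the API app` says "Using the latest Python version for API apps", which should read "Java version", as the Function app and Web app rows do.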
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Vulnerabilities in Azure Container Registry images should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) |
+|[Container registry images should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) |
+|[Running container images should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) |
|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) |
-|[Vulnerabilities in running images should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fc39691-5a3f-4e3e-94ee-2e6447309ad9) |Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_KuberenetesRuningImagesVulnerabilityAssessment_Audit.json) |
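Review bot: no issue with this hunk; it applies the same two renames as the earlier "Perform vulnerability assessments" table with matching definition IDs (5f0f936f-..., 0fc39691-...) and versions (2.0.1, 1.0.1), so the two control tables stay consistent, and the resulting row order (Container registry, Running container, Vulnerabilities in container security configurations) remains alphabetical.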
## Next steps
governance Azure Security Benchmarkv1 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/samples/azure-security-benchmarkv1.md
Title: Regulatory Compliance details for Azure Security Benchmark v1
description: Details of the Azure Security Benchmark v1 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
Previously updated : 12/17/2021 Last updated : 01/19/2022
The following mappings are to the **Azure Security Benchmark v1** controls. Use
navigation on the right to jump directly to a specific **compliance domain**. Many of the controls are implemented with an [Azure Policy](../overview.md) initiative definition. To review the complete initiative definition, open **Policy** in the Azure portal and select the **Definitions** page.
-Then, find and select the **Azure Security Benchmark v1** Regulatory Compliance built-in
+Then, find and select the **[Deprecated]: Azure Security Benchmark v1** Regulatory Compliance built-in
initiative definition. > [!IMPORTANT]
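Review bot: the instruction now tells readers to select the `[Deprecated]: Azure Security Benchmark v1` initiative, but nothing else in the hunk reflects the deprecation: the title, description and the opening sentence still present the benchmark as current, and no successor initiative is named. The `> [!IMPORTANT]` callout opened at the end of the context line has no body in this diff and sits on the same line as the preceding sentence, where it will not render as a callout. Suggest putting `> [!IMPORTANT]` on its own line and using that callout to state that the initiative is deprecated and which initiative replaces it.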
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
+|[\[Preview\]: All Internet traffic should be routed via your deployed Azure Firewall](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc5e4038-4584-4632-8c85-c0448d374b2c) |Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json) |
+|[\[Preview\]: Container Registry should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc4857be7-912a-4c75-87e6-e30292bcdf78) |This policy audits any Container Registry not configured to use a virtual network service endpoint. |Audit, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ContainerRegistry_Audit.json) |
|[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) |
-|[All Internet traffic should be routed via your deployed Azure Firewall](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc5e4038-4584-4632-8c85-c0448d374b2c) |Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json) |
|[App Service should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2d21331d-a4c2-4def-a9ad-ee4e1e023beb) |This policy audits any App Service not configured to use a virtual network service endpoint. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json) | |[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |
-|[Container Registry should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc4857be7-912a-4c75-87e6-e30292bcdf78) |This policy audits any Container Registry not configured to use a virtual network service endpoint. |Audit, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ContainerRegistry_Audit.json) |
|[Cosmos DB should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe0a2b1a3-f7f9-4569-807f-2a9edebdf4d9) |This policy audits any Cosmos DB not configured to use a virtual network service endpoint. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_CosmosDB_Audit.json) | |[Event Hub should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd63edb4a-c612-454d-b47d-191a724fcbf0) |This policy audits any Event Hub not configured to use a virtual network service endpoint. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_EventHub_AuditIfNotExists.json) | |[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](../../../virtual-network/network-security-groups-overview.md) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) |
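Review bot: rename only, and consistent with the version suffixes. The added `[\[Preview\]: All Internet traffic should be routed via your deployed Azure Firewall` and `[\[Preview\]: Container Registry should use a virtual network service endpoint` rows keep the definition IDs (fc5e4038-..., c4857be7-...) and versions (3.0.0-preview, 1.0.0-preview) of the removed rows, and they move to the top of the table where bracketed names sort. The sibling `App Service should use a virtual network service endpoint` row stays unlabelled at 1.0.0 with no `-preview` suffix, so the distinction between labelled and unlabelled rows looks intentional.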
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
+|[\[Preview\]: All Internet traffic should be routed via your deployed Azure Firewall](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc5e4038-4584-4632-8c85-c0448d374b2c) |Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json) |
|[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) |
-|[All Internet traffic should be routed via your deployed Azure Firewall](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc5e4038-4584-4632-8c85-c0448d374b2c) |Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json) |
|[Azure DDoS Protection Standard should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa7aca53f-2ed4-4466-a25e-0b45ade68efd) |DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json) | |[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) |
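Review bot: The `[Preview]:` prefix added to the "All Internet traffic should be routed via your deployed Azure Firewall" row is consistent with the version column, which was already `3.0.0-preview`, and the definition ID `fc5e4038-4584-4632-8c85-c0448d374b2c` is identical in the removed and added rows, so existing assignments are unaffected. The row moves above "Adaptive network hardening recommendations..." which keeps the table in display-name order (bracketed prefixes sort first); description and effect columns are unchanged, so this reads as a display-name sync only.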
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
+|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) | |[Resource logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F91a78b24-f231-4a8a-8da9-02c35b2b6510) |Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ResourceLoggingMonitoring_Audit.json) | |[Resource logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) |Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) |
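Review bot: The "Audit diagnostic setting" row bumps the version from `1.0.0` to `1.1.0` with no change to the description or effect columns, and the GitHub link still points at `blob/master/.../DiagnosticSettingsForTypes_Audit.json` rather than a tagged revision, so nothing on the page tells a reader what the minor version changed. If the update altered parameters or the evaluated resource types, the description should say so; otherwise this is fine as a version-only sync.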
initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
+|[\[Deprecated\]: Unattached disks should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2c89a2e5-7285-40fe-afe0-ae8654b92fb2) |This policy audits any unattached disk without encryption enabled. |Audit, Disabled |[1.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/UnattachedDisk_Encryption_Audit.json) |
|[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) | |[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) |Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) | |[SQL managed instances should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac01ad65-10e5-46df-bdd9-6b0cad13e1d2) |Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. 
|Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncryptedWithYourOwnKey_Deny.json) | |[SQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a370ff3-6cab-4e85-8995-295fd854c5b8) |Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |Audit, Deny, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Deny.json) | |[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) |Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) |
-|[Unattached disks should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2c89a2e5-7285-40fe-afe0-ae8654b92fb2) |This policy audits any unattached disk without encryption enabled. |Audit, Disabled |[1.0.0-deprecated](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/UnattachedDisk_Encryption_Audit.json) |
|[Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: [https://aka.ms/disksse,](https://aka.ms/disksse,) Different disk encryption offerings: [https://aka.ms/diskencryptioncomparison](../../../virtual-machines/disk-encryption-overview.md#comparison) |AuditIfNotExists, Disabled |[2.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) | ### Log and alert on changes to critical Azure resources
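Review bot: The renamed row "[Deprecated]: Unattached disks should be encrypted" keeps the same definition ID `2c89a2e5-7285-40fe-afe0-ae8654b92fb2` and the existing `1.0.0-deprecated` version, so the prefix now matches the version string and the row moves to the top of the table with the other bracketed names; no functional change. Separately, in the unchanged "Virtual machines should encrypt temp disks..." row the link `[https://aka.ms/disksse,](https://aka.ms/disksse,)` carries a trailing comma inside the URL target, which will produce a broken link; the comma belongs outside the parentheses.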
governance Canada Federal Pbmm https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/samples/canada-federal-pbmm.md
Title: Regulatory Compliance details for Canada Federal PBMM description: Details of the Canada Federal PBMM Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 12/17/2021 Last updated : 01/19/2022
This built-in initiative is deployed as part of the
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Log Analytics Extension should be enabled for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F32133ab0-ee4b-4b44-98d6-042180979d50) |Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. |AuditIfNotExists, Disabled |[2.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_Audit.json) |
+|[\[Preview\]: Log Analytics Extension should be enabled for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F32133ab0-ee4b-4b44-98d6-042180979d50) |Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. |AuditIfNotExists, Disabled |[2.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_Audit.json) |
|[Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) |Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json) | |[Virtual machines should be connected to a specified workspace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff47b5582-33ec-4c5c-87c0-b010a6b2e917) |Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. |AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json) |
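Review bot: The `[Preview]:` prefix on "Log Analytics Extension should be enabled for listed virtual machine images" matches its `2.0.1-preview` version, and the definition ID `32133ab0-ee4b-4b44-98d6-042180979d50` is unchanged between the removed and added rows; the scale-set variant in the next row stays at `2.0.1` without the prefix, which is consistent. One nit: the added row capitalizes "Extension" while the scale-set row uses lowercase "extension"; if the display names are meant to be a pair, consider matching the casing.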
This built-in initiative is deployed as part of the
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicro